]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: support distinctions among all network address families
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
9287aed2 234 spin_lock_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
42059112 240 isec->initialized = LABEL_INVALID;
1da177e4
LT		 241 inode->i_security = isec;
242
243 return 0;
244}
245
5d226df4
AG		 246static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
247
248/*
249 * Try reloading inode security labels that have been marked as invalid. The
250 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 251 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 252 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
253 * when no dentry is available, set it to NULL instead.
254 */
255static int __inode_security_revalidate(struct inode *inode,
256 struct dentry *opt_dentry,
257 bool may_sleep)
258{
259 struct inode_security_struct *isec = inode->i_security;
260
261 might_sleep_if(may_sleep);
262
1ac42476 263 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 264 if (!may_sleep)
265 return -ECHILD;
266
267 /*
268 * Try reloading the inode security label. This will fail if
269 * @opt_dentry is NULL and no dentry for this inode can be
270 * found; in that case, continue using the old label.
271 */
272 inode_doinit_with_dentry(inode, opt_dentry);
273 }
274 return 0;
275}
276
5d226df4
AG		 277static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278{
279 return inode->i_security;
280}
281
282static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
283{
284 int error;
285
286 error = __inode_security_revalidate(inode, NULL, !rcu);
287 if (error)
288 return ERR_PTR(error);
289 return inode->i_security;
290}
291
83da53c5
AG		 292/*
293 * Get the security label of an inode.
294 */
295static struct inode_security_struct *inode_security(struct inode *inode)
296{
5d226df4 297 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 298 return inode->i_security;
299}
300
2c97165b
PM		 301static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
302{
303 struct inode *inode = d_backing_inode(dentry);
304
305 return inode->i_security;
306}
307
83da53c5
AG		 308/*
309 * Get the security label of a dentry's backing inode.
310 */
311static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
312{
313 struct inode *inode = d_backing_inode(dentry);
314
5d226df4 315 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 316 return inode->i_security;
317}
318
3dc91d43
SR		 319static void inode_free_rcu(struct rcu_head *head)
320{
321 struct inode_security_struct *isec;
322
323 isec = container_of(head, struct inode_security_struct, rcu);
324 kmem_cache_free(sel_inode_cache, isec);
325}
326
1da177e4
LT		 327static void inode_free_security(struct inode *inode)
328{
329 struct inode_security_struct *isec = inode->i_security;
330 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
331
9629d04a
WL		 332 /*
333 * As not all inode security structures are in a list, we check for
334 * empty list outside of the lock to make sure that we won't waste
335 * time taking a lock doing nothing.
336 *
337 * The list_del_init() function can be safely called more than once.
338 * It should not be possible for this function to be called with
339 * concurrent list_add(), but for better safety against future changes
340 * in the code, we use list_empty_careful() here.
341 */
342 if (!list_empty_careful(&isec->list)) {
343 spin_lock(&sbsec->isec_lock);
1da177e4 344 list_del_init(&isec->list);
9629d04a
WL		 345 spin_unlock(&sbsec->isec_lock);
346 }
1da177e4 347
3dc91d43
SR		 348 /*
349 * The inode may still be referenced in a path walk and
350 * a call to selinux_inode_permission() can be made
351 * after inode_free_security() is called. Ideally, the VFS
352 * wouldn't do this, but fixing that is a much harder
353 * job. For now, simply free the i_security via RCU, and
354 * leave the current inode->i_security pointer intact.
355 * The inode will be freed after the RCU grace period too.
356 */
357 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 358}
359
360static int file_alloc_security(struct file *file)
361{
1da177e4 362 struct file_security_struct *fsec;
275bb41e 363 u32 sid = current_sid();
1da177e4 364
63205654 365 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 366 if (!fsec)
367 return -ENOMEM;
368
275bb41e
DH		 369 fsec->sid = sid;
370 fsec->fown_sid = sid;
1da177e4
LT		 371 file->f_security = fsec;
372
373 return 0;
374}
375
376static void file_free_security(struct file *file)
377{
378 struct file_security_struct *fsec = file->f_security;
1da177e4 379 file->f_security = NULL;
63205654 380 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 381}
382
383static int superblock_alloc_security(struct super_block *sb)
384{
385 struct superblock_security_struct *sbsec;
386
89d155ef 387 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 388 if (!sbsec)
389 return -ENOMEM;
390
bc7e982b 391 mutex_init(&sbsec->lock);
1da177e4
LT		 392 INIT_LIST_HEAD(&sbsec->isec_head);
393 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 394 sbsec->sb = sb;
395 sbsec->sid = SECINITSID_UNLABELED;
396 sbsec->def_sid = SECINITSID_FILE;
c312feb2 397 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 398 sb->s_security = sbsec;
399
400 return 0;
401}
402
403static void superblock_free_security(struct super_block *sb)
404{
405 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 406 sb->s_security = NULL;
407 kfree(sbsec);
408}
409
1da177e4
LT		 410/* The file system's label must be initialized prior to use. */
411
eb9ae686 412static const char *labeling_behaviors[7] = {
1da177e4
LT		 413 "uses xattr",
414 "uses transition SIDs",
415 "uses task SIDs",
416 "uses genfs_contexts",
417 "not configured for labeling",
418 "uses mountpoint labeling",
eb9ae686 419 "uses native labeling",
1da177e4
LT		 420};
421
1da177e4
LT		 422static inline int inode_doinit(struct inode *inode)
423{
424 return inode_doinit_with_dentry(inode, NULL);
425}
426
427enum {
31e87930 428 Opt_error = -1,
1da177e4
LT		 429 Opt_context = 1,
430 Opt_fscontext = 2,
c9180a57
EP		 431 Opt_defcontext = 3,
432 Opt_rootcontext = 4,
11689d47 433 Opt_labelsupport = 5,
d355987f 434 Opt_nextmntopt = 6,
1da177e4
LT		 435};
436
d355987f
EP		 437#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
438
a447c093 439static const match_table_t tokens = {
832cbd9a
EP		 440 {Opt_context, CONTEXT_STR "%s"},
441 {Opt_fscontext, FSCONTEXT_STR "%s"},
442 {Opt_defcontext, DEFCONTEXT_STR "%s"},
443 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 444 {Opt_labelsupport, LABELSUPP_STR},
31e87930 445 {Opt_error, NULL},
1da177e4
LT		 446};
447
448#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
449
c312feb2
EP		 450static int may_context_mount_sb_relabel(u32 sid,
451 struct superblock_security_struct *sbsec,
275bb41e 452 const struct cred *cred)
c312feb2 453{
275bb41e 454 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 455 int rc;
456
457 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__RELABELFROM, NULL);
459 if (rc)
460 return rc;
461
462 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
463 FILESYSTEM__RELABELTO, NULL);
464 return rc;
465}
466
0808925e
EP		 467static int may_context_mount_inode_relabel(u32 sid,
468 struct superblock_security_struct *sbsec,
275bb41e 469 const struct cred *cred)
0808925e 470{
275bb41e 471 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 472 int rc;
473 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
474 FILESYSTEM__RELABELFROM, NULL);
475 if (rc)
476 return rc;
477
478 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
479 FILESYSTEM__ASSOCIATE, NULL);
480 return rc;
481}
482
b43e725d
EP		 483static int selinux_is_sblabel_mnt(struct super_block *sb)
484{
485 struct superblock_security_struct *sbsec = sb->s_security;
486
d5f3a5f6
MS		 487 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
488 sbsec->behavior == SECURITY_FS_USE_TRANS ||
489 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 490 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 491 /* Special handling. Genfs but also in-core setxattr handler */
492 !strcmp(sb->s_type->name, "sysfs") ||
493 !strcmp(sb->s_type->name, "pstore") ||
494 !strcmp(sb->s_type->name, "debugfs") ||
495 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 496}
497
c9180a57 498static int sb_finish_set_opts(struct super_block *sb)
1da177e4 499{
1da177e4 500 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 501 struct dentry *root = sb->s_root;
c6f493d6 502 struct inode *root_inode = d_backing_inode(root);
c9180a57 503 int rc = 0;
1da177e4 504
c9180a57
EP		 505 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
506 /* Make sure that the xattr handler exists and that no
507 error other than -ENODATA is returned by getxattr on
508 the root directory. -ENODATA is ok, as this may be
509 the first boot of the SELinux kernel before we have
510 assigned xattr values to the filesystem. */
5d6c3191 511 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 512 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
513 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 514 rc = -EOPNOTSUPP;
515 goto out;
516 }
5d6c3191
AG		 517
518 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 519 if (rc < 0 && rc != -ENODATA) {
520 if (rc == -EOPNOTSUPP)
521 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 522 "%s) has no security xattr handler\n",
523 sb->s_id, sb->s_type->name);
c9180a57
EP		 524 else
525 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 526 "%s) getxattr errno %d\n", sb->s_id,
527 sb->s_type->name, -rc);
c9180a57
EP		 528 goto out;
529 }
530 }
1da177e4 531
c9180a57 532 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 533 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
534 sb->s_id, sb->s_type->name);
1da177e4 535
eadcabc6 536 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 537 if (selinux_is_sblabel_mnt(sb))
12f348b9 538 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 539
c9180a57
EP		 540 /* Initialize the root inode. */
541 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 542
c9180a57
EP		 543 /* Initialize any other inodes associated with the superblock, e.g.
544 inodes created prior to initial policy load or inodes created
545 during get_sb by a pseudo filesystem that directly
546 populates itself. */
547 spin_lock(&sbsec->isec_lock);
548next_inode:
549 if (!list_empty(&sbsec->isec_head)) {
550 struct inode_security_struct *isec =
551 list_entry(sbsec->isec_head.next,
552 struct inode_security_struct, list);
553 struct inode *inode = isec->inode;
923190d3 554 list_del_init(&isec->list);
c9180a57
EP		 555 spin_unlock(&sbsec->isec_lock);
556 inode = igrab(inode);
557 if (inode) {
558 if (!IS_PRIVATE(inode))
559 inode_doinit(inode);
560 iput(inode);
561 }
562 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 563 goto next_inode;
564 }
565 spin_unlock(&sbsec->isec_lock);
566out:
567 return rc;
568}
1da177e4 569
c9180a57
EP		 570/*
571 * This function should allow an FS to ask what it's mount security
572 * options were so it can use those later for submounts, displaying
573 * mount options, or whatever.
574 */
575static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 576 struct security_mnt_opts *opts)
c9180a57
EP		 577{
578 int rc = 0, i;
579 struct superblock_security_struct *sbsec = sb->s_security;
580 char *context = NULL;
581 u32 len;
582 char tmp;
1da177e4 583
e0007529 584 security_init_mnt_opts(opts);
1da177e4 585
0d90a7ec 586 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 587 return -EINVAL;
1da177e4 588
c9180a57
EP		 589 if (!ss_initialized)
590 return -EINVAL;
1da177e4 591
af8e50cc
EP		 592 /* make sure we always check enough bits to cover the mask */
593 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594
0d90a7ec 595 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 596 /* count the number of mount options for this sb */
af8e50cc 597 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 598 if (tmp & 0x01)
e0007529 599 opts->num_mnt_opts++;
c9180a57
EP		 600 tmp >>= 1;
601 }
11689d47 602 /* Check if the Label support flag is set */
0b4bdb35 603 if (sbsec->flags & SBLABEL_MNT)
11689d47 604 opts->num_mnt_opts++;
1da177e4 605
e0007529
EP		 606 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
607 if (!opts->mnt_opts) {
c9180a57
EP		 608 rc = -ENOMEM;
609 goto out_free;
610 }
1da177e4 611
e0007529
EP		 612 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
613 if (!opts->mnt_opts_flags) {
c9180a57
EP		 614 rc = -ENOMEM;
615 goto out_free;
616 }
1da177e4 617
c9180a57
EP		 618 i = 0;
619 if (sbsec->flags & FSCONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->sid, &context, &len);
621 if (rc)
622 goto out_free;
e0007529
EP		 623 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 625 }
626 if (sbsec->flags & CONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
628 if (rc)
629 goto out_free;
e0007529
EP		 630 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 632 }
633 if (sbsec->flags & DEFCONTEXT_MNT) {
634 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
635 if (rc)
636 goto out_free;
e0007529
EP		 637 opts->mnt_opts[i] = context;
638 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 639 }
640 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 641 struct dentry *root = sbsec->sb->s_root;
642 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 643
c9180a57
EP		 644 rc = security_sid_to_context(isec->sid, &context, &len);
645 if (rc)
646 goto out_free;
e0007529
EP		 647 opts->mnt_opts[i] = context;
648 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 649 }
12f348b9 650 if (sbsec->flags & SBLABEL_MNT) {
11689d47 651 opts->mnt_opts[i] = NULL;
12f348b9 652 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 653 }
1da177e4 654
e0007529 655 BUG_ON(i != opts->num_mnt_opts);
1da177e4 656
c9180a57
EP		 657 return 0;
658
659out_free:
e0007529 660 security_free_mnt_opts(opts);
c9180a57
EP		 661 return rc;
662}
1da177e4 663
c9180a57
EP		 664static int bad_option(struct superblock_security_struct *sbsec, char flag,
665 u32 old_sid, u32 new_sid)
666{
0d90a7ec
DQ		 667 char mnt_flags = sbsec->flags & SE_MNTMASK;
668
c9180a57 669 /* check if the old mount command had the same options */
0d90a7ec 670 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 671 if (!(sbsec->flags & flag) ||
672 (old_sid != new_sid))
673 return 1;
674
675 /* check if we were passed the same options twice,
676 * aka someone passed context=a,context=b
677 */
0d90a7ec
DQ		 678 if (!(sbsec->flags & SE_SBINITIALIZED))
679 if (mnt_flags & flag)
c9180a57
EP		 680 return 1;
681 return 0;
682}
e0007529 683
c9180a57
EP		 684/*
685 * Allow filesystems with binary mount data to explicitly set mount point
686 * labeling information.
687 */
e0007529 688static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 689 struct security_mnt_opts *opts,
690 unsigned long kern_flags,
691 unsigned long *set_kern_flags)
c9180a57 692{
275bb41e 693 const struct cred *cred = current_cred();
c9180a57 694 int rc = 0, i;
c9180a57 695 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 696 const char *name = sb->s_type->name;
83da53c5 697 struct dentry *root = sbsec->sb->s_root;
2c97165b 698 struct inode_security_struct *root_isec;
c9180a57
EP		 699 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
700 u32 defcontext_sid = 0;
e0007529
EP		 701 char **mount_options = opts->mnt_opts;
702 int *flags = opts->mnt_opts_flags;
703 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 704
705 mutex_lock(&sbsec->lock);
706
707 if (!ss_initialized) {
708 if (!num_opts) {
709 /* Defer initialization until selinux_complete_init,
710 after the initial policy is loaded and the security
711 server is ready to handle calls. */
c9180a57
EP		 712 goto out;
713 }
714 rc = -EINVAL;
744ba35e
EP		 715 printk(KERN_WARNING "SELinux: Unable to set superblock options "
716 "before the security server is initialized\n");
1da177e4 717 goto out;
c9180a57 718 }
649f6e77
DQ		 719 if (kern_flags && !set_kern_flags) {
720 /* Specifying internal flags without providing a place to
721 * place the results is not allowed */
722 rc = -EINVAL;
723 goto out;
724 }
1da177e4 725
e0007529
EP		 726 /*
727 * Binary mount data FS will come through this function twice. Once
728 * from an explicit call and once from the generic calls from the vfs.
729 * Since the generic VFS calls will not contain any security mount data
730 * we need to skip the double mount verification.
731 *
732 * This does open a hole in which we will not notice if the first
733 * mount using this sb set explict options and a second mount using
734 * this sb does not set any security options. (The first options
735 * will be used for both mounts)
736 */
0d90a7ec 737 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 738 && (num_opts == 0))
f5269710 739 goto out;
e0007529 740
2c97165b
PM		 741 root_isec = backing_inode_security_novalidate(root);
742
c9180a57
EP		 743 /*
744 * parse the mount options, check if they are valid sids.
745 * also check if someone is trying to mount the same sb more
746 * than once with different security options.
747 */
748 for (i = 0; i < num_opts; i++) {
749 u32 sid;
11689d47 750
12f348b9 751 if (flags[i] == SBLABEL_MNT)
11689d47 752 continue;
44be2f65 753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 754 if (rc) {
44be2f65 755 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 756 "(%s) failed for (dev %s, type %s) errno=%d\n",
757 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 758 goto out;
759 }
760 switch (flags[i]) {
761 case FSCONTEXT_MNT:
762 fscontext_sid = sid;
763
764 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765 fscontext_sid))
766 goto out_double_mount;
767
768 sbsec->flags |= FSCONTEXT_MNT;
769 break;
770 case CONTEXT_MNT:
771 context_sid = sid;
772
773 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774 context_sid))
775 goto out_double_mount;
776
777 sbsec->flags |= CONTEXT_MNT;
778 break;
779 case ROOTCONTEXT_MNT:
780 rootcontext_sid = sid;
781
782 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783 rootcontext_sid))
784 goto out_double_mount;
785
786 sbsec->flags |= ROOTCONTEXT_MNT;
787
788 break;
789 case DEFCONTEXT_MNT:
790 defcontext_sid = sid;
791
792 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793 defcontext_sid))
794 goto out_double_mount;
795
796 sbsec->flags |= DEFCONTEXT_MNT;
797
798 break;
799 default:
800 rc = -EINVAL;
801 goto out;
1da177e4 802 }
c9180a57
EP		 803 }
804
0d90a7ec 805 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 806 /* previously mounted with options, but not on this attempt? */
0d90a7ec 807 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 808 goto out_double_mount;
809 rc = 0;
810 goto out;
811 }
812
089be43e 813 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 814 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815
8e014720
SS		 816 if (!strcmp(sb->s_type->name, "debugfs") ||
817 !strcmp(sb->s_type->name, "sysfs") ||
818 !strcmp(sb->s_type->name, "pstore"))
134509d5 819 sbsec->flags |= SE_SBGENFS;
c9180a57 820
eb9ae686
DQ		 821 if (!sbsec->behavior) {
822 /*
823 * Determine the labeling behavior to use for this
824 * filesystem type.
825 */
98f700f3 826 rc = security_fs_use(sb);
eb9ae686
DQ		 827 if (rc) {
828 printk(KERN_WARNING
829 "%s: security_fs_use(%s) returned %d\n",
830 __func__, sb->s_type->name, rc);
831 goto out;
832 }
c9180a57 833 }
aad82892
SF		 834
835 /*
836 * If this is a user namespace mount, no contexts are allowed
837 * on the command line and security labels must be ignored.
838 */
839 if (sb->s_user_ns != &init_user_ns) {
840 if (context_sid || fscontext_sid || rootcontext_sid ||
841 defcontext_sid) {
842 rc = -EACCES;
843 goto out;
844 }
845 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
846 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
847 rc = security_transition_sid(current_sid(), current_sid(),
848 SECCLASS_FILE, NULL,
849 &sbsec->mntpoint_sid);
850 if (rc)
851 goto out;
852 }
853 goto out_set_opts;
854 }
855
c9180a57
EP		 856 /* sets the context of the superblock for the fs being mounted. */
857 if (fscontext_sid) {
275bb41e 858 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 859 if (rc)
c9180a57 860 goto out;
1da177e4 861
c9180a57 862 sbsec->sid = fscontext_sid;
c312feb2
EP		 863 }
864
865 /*
866 * Switch to using mount point labeling behavior.
867 * sets the label used on all file below the mountpoint, and will set
868 * the superblock context if not already set.
869 */
eb9ae686
DQ		 870 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
871 sbsec->behavior = SECURITY_FS_USE_NATIVE;
872 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
873 }
874
c9180a57
EP		 875 if (context_sid) {
876 if (!fscontext_sid) {
275bb41e
DH		 877 rc = may_context_mount_sb_relabel(context_sid, sbsec,
878 cred);
b04ea3ce 879 if (rc)
c9180a57
EP		 880 goto out;
881 sbsec->sid = context_sid;
b04ea3ce 882 } else {
275bb41e
DH		 883 rc = may_context_mount_inode_relabel(context_sid, sbsec,
884 cred);
b04ea3ce 885 if (rc)
c9180a57 886 goto out;
b04ea3ce 887 }
c9180a57
EP		 888 if (!rootcontext_sid)
889 rootcontext_sid = context_sid;
1da177e4 890
c9180a57 891 sbsec->mntpoint_sid = context_sid;
c312feb2 892 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 893 }
894
c9180a57 895 if (rootcontext_sid) {
275bb41e
DH		 896 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
897 cred);
0808925e 898 if (rc)
c9180a57 899 goto out;
0808925e 900
c9180a57 901 root_isec->sid = rootcontext_sid;
6f3be9f5 902 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 903 }
904
c9180a57 905 if (defcontext_sid) {
eb9ae686
DQ		 906 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
907 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 908 rc = -EINVAL;
909 printk(KERN_WARNING "SELinux: defcontext option is "
910 "invalid for this filesystem type\n");
911 goto out;
1da177e4
LT		 912 }
913
c9180a57
EP		 914 if (defcontext_sid != sbsec->def_sid) {
915 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 916 sbsec, cred);
c9180a57
EP		 917 if (rc)
918 goto out;
919 }
1da177e4 920
c9180a57 921 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 922 }
923
aad82892 924out_set_opts:
c9180a57 925 rc = sb_finish_set_opts(sb);
1da177e4 926out:
c9180a57 927 mutex_unlock(&sbsec->lock);
1da177e4 928 return rc;
c9180a57
EP		 929out_double_mount:
930 rc = -EINVAL;
931 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 932 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 933 goto out;
1da177e4
LT		 934}
935
094f7b69
JL		 936static int selinux_cmp_sb_context(const struct super_block *oldsb,
937 const struct super_block *newsb)
938{
939 struct superblock_security_struct *old = oldsb->s_security;
940 struct superblock_security_struct *new = newsb->s_security;
941 char oldflags = old->flags & SE_MNTMASK;
942 char newflags = new->flags & SE_MNTMASK;
943
944 if (oldflags != newflags)
945 goto mismatch;
946 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
947 goto mismatch;
948 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
949 goto mismatch;
950 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
951 goto mismatch;
952 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 953 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
954 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 955 if (oldroot->sid != newroot->sid)
956 goto mismatch;
957 }
958 return 0;
959mismatch:
960 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
961 "different security settings for (dev %s, "
962 "type %s)\n", newsb->s_id, newsb->s_type->name);
963 return -EBUSY;
964}
965
966static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 967 struct super_block *newsb)
1da177e4 968{
c9180a57
EP		 969 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
970 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 971
c9180a57
EP		 972 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
973 int set_context = (oldsbsec->flags & CONTEXT_MNT);
974 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 975
0f5e6420
EP		 976 /*
977 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 978 * mount options. thus we can safely deal with this superblock later
0f5e6420 979 */
e8c26255 980 if (!ss_initialized)
094f7b69 981 return 0;
c9180a57 982
c9180a57 983 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 984 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 985
094f7b69 986 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 987 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 988 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 989
c9180a57
EP		 990 mutex_lock(&newsbsec->lock);
991
992 newsbsec->flags = oldsbsec->flags;
993
994 newsbsec->sid = oldsbsec->sid;
995 newsbsec->def_sid = oldsbsec->def_sid;
996 newsbsec->behavior = oldsbsec->behavior;
997
998 if (set_context) {
999 u32 sid = oldsbsec->mntpoint_sid;
1000
1001 if (!set_fscontext)
1002 newsbsec->sid = sid;
1003 if (!set_rootcontext) {
83da53c5 1004 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1005 newisec->sid = sid;
1006 }
1007 newsbsec->mntpoint_sid = sid;
1da177e4 1008 }
c9180a57 1009 if (set_rootcontext) {
83da53c5
AG		 1010 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1011 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1012
c9180a57 1013 newisec->sid = oldisec->sid;
1da177e4
LT		 1014 }
1015
c9180a57
EP		 1016 sb_finish_set_opts(newsb);
1017 mutex_unlock(&newsbsec->lock);
094f7b69 1018 return 0;
c9180a57
EP		 1019}
1020
2e1479d9
AB		 1021static int selinux_parse_opts_str(char *options,
1022 struct security_mnt_opts *opts)
c9180a57 1023{
e0007529 1024 char *p;
c9180a57
EP		 1025 char *context = NULL, *defcontext = NULL;
1026 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1027 int rc, num_mnt_opts = 0;
1da177e4 1028
e0007529 1029 opts->num_mnt_opts = 0;
1da177e4 1030
c9180a57
EP		 1031 /* Standard string-based options. */
1032 while ((p = strsep(&options, "|")) != NULL) {
1033 int token;
1034 substring_t args[MAX_OPT_ARGS];
1da177e4 1035
c9180a57
EP		 1036 if (!*p)
1037 continue;
1da177e4 1038
c9180a57 1039 token = match_token(p, tokens, args);
1da177e4 1040
c9180a57
EP		 1041 switch (token) {
1042 case Opt_context:
1043 if (context || defcontext) {
1044 rc = -EINVAL;
1045 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1046 goto out_err;
1047 }
1048 context = match_strdup(&args[0]);
1049 if (!context) {
1050 rc = -ENOMEM;
1051 goto out_err;
1052 }
1053 break;
1054
1055 case Opt_fscontext:
1056 if (fscontext) {
1057 rc = -EINVAL;
1058 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1059 goto out_err;
1060 }
1061 fscontext = match_strdup(&args[0]);
1062 if (!fscontext) {
1063 rc = -ENOMEM;
1064 goto out_err;
1065 }
1066 break;
1067
1068 case Opt_rootcontext:
1069 if (rootcontext) {
1070 rc = -EINVAL;
1071 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1072 goto out_err;
1073 }
1074 rootcontext = match_strdup(&args[0]);
1075 if (!rootcontext) {
1076 rc = -ENOMEM;
1077 goto out_err;
1078 }
1079 break;
1080
1081 case Opt_defcontext:
1082 if (context || defcontext) {
1083 rc = -EINVAL;
1084 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1085 goto out_err;
1086 }
1087 defcontext = match_strdup(&args[0]);
1088 if (!defcontext) {
1089 rc = -ENOMEM;
1090 goto out_err;
1091 }
1092 break;
11689d47
DQ		 1093 case Opt_labelsupport:
1094 break;
c9180a57
EP		 1095 default:
1096 rc = -EINVAL;
1097 printk(KERN_WARNING "SELinux: unknown mount option\n");
1098 goto out_err;
1da177e4 1099
1da177e4 1100 }
1da177e4 1101 }
c9180a57 1102
e0007529 1103 rc = -ENOMEM;
8931c3bd 1104 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1105 if (!opts->mnt_opts)
1106 goto out_err;
1107
8931c3bd
TH		 1108 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1109 GFP_KERNEL);
e0007529
EP		 1110 if (!opts->mnt_opts_flags) {
1111 kfree(opts->mnt_opts);
1112 goto out_err;
1113 }
1114
c9180a57 1115 if (fscontext) {
e0007529
EP		 1116 opts->mnt_opts[num_mnt_opts] = fscontext;
1117 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1118 }
1119 if (context) {
e0007529
EP		 1120 opts->mnt_opts[num_mnt_opts] = context;
1121 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1122 }
1123 if (rootcontext) {
e0007529
EP		 1124 opts->mnt_opts[num_mnt_opts] = rootcontext;
1125 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1126 }
1127 if (defcontext) {
e0007529
EP		 1128 opts->mnt_opts[num_mnt_opts] = defcontext;
1129 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1130 }
1131
e0007529
EP		 1132 opts->num_mnt_opts = num_mnt_opts;
1133 return 0;
1134
c9180a57
EP		 1135out_err:
1136 kfree(context);
1137 kfree(defcontext);
1138 kfree(fscontext);
1139 kfree(rootcontext);
1da177e4
LT		 1140 return rc;
1141}
e0007529
EP		 1142/*
1143 * string mount options parsing and call set the sbsec
1144 */
1145static int superblock_doinit(struct super_block *sb, void *data)
1146{
1147 int rc = 0;
1148 char *options = data;
1149 struct security_mnt_opts opts;
1150
1151 security_init_mnt_opts(&opts);
1152
1153 if (!data)
1154 goto out;
1155
1156 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1157
1158 rc = selinux_parse_opts_str(options, &opts);
1159 if (rc)
1160 goto out_err;
1161
1162out:
649f6e77 1163 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1164
1165out_err:
1166 security_free_mnt_opts(&opts);
1167 return rc;
1168}
1da177e4 1169
3583a711
AB		 1170static void selinux_write_opts(struct seq_file *m,
1171 struct security_mnt_opts *opts)
2069f457
EP		 1172{
1173 int i;
1174 char *prefix;
1175
1176 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1177 char *has_comma;
1178
1179 if (opts->mnt_opts[i])
1180 has_comma = strchr(opts->mnt_opts[i], ',');
1181 else
1182 has_comma = NULL;
2069f457
EP		 1183
1184 switch (opts->mnt_opts_flags[i]) {
1185 case CONTEXT_MNT:
1186 prefix = CONTEXT_STR;
1187 break;
1188 case FSCONTEXT_MNT:
1189 prefix = FSCONTEXT_STR;
1190 break;
1191 case ROOTCONTEXT_MNT:
1192 prefix = ROOTCONTEXT_STR;
1193 break;
1194 case DEFCONTEXT_MNT:
1195 prefix = DEFCONTEXT_STR;
1196 break;
12f348b9 1197 case SBLABEL_MNT:
11689d47
DQ		 1198 seq_putc(m, ',');
1199 seq_puts(m, LABELSUPP_STR);
1200 continue;
2069f457
EP		 1201 default:
1202 BUG();
a35c6c83 1203 return;
2069f457
EP		 1204 };
1205 /* we need a comma before each option */
1206 seq_putc(m, ',');
1207 seq_puts(m, prefix);
1208 if (has_comma)
1209 seq_putc(m, '\"');
a068acf2 1210 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1211 if (has_comma)
1212 seq_putc(m, '\"');
1213 }
1214}
1215
1216static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1217{
1218 struct security_mnt_opts opts;
1219 int rc;
1220
1221 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1222 if (rc) {
1223 /* before policy load we may get EINVAL, don't show anything */
1224 if (rc == -EINVAL)
1225 rc = 0;
2069f457 1226 return rc;
383795c2 1227 }
2069f457
EP		 1228
1229 selinux_write_opts(m, &opts);
1230
1231 security_free_mnt_opts(&opts);
1232
1233 return rc;
1234}
1235
1da177e4
LT		 1236static inline u16 inode_mode_to_security_class(umode_t mode)
1237{
1238 switch (mode & S_IFMT) {
1239 case S_IFSOCK:
1240 return SECCLASS_SOCK_FILE;
1241 case S_IFLNK:
1242 return SECCLASS_LNK_FILE;
1243 case S_IFREG:
1244 return SECCLASS_FILE;
1245 case S_IFBLK:
1246 return SECCLASS_BLK_FILE;
1247 case S_IFDIR:
1248 return SECCLASS_DIR;
1249 case S_IFCHR:
1250 return SECCLASS_CHR_FILE;
1251 case S_IFIFO:
1252 return SECCLASS_FIFO_FILE;
1253
1254 }
1255
1256 return SECCLASS_FILE;
1257}
1258
13402580
JM		 1259static inline int default_protocol_stream(int protocol)
1260{
1261 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1262}
1263
1264static inline int default_protocol_dgram(int protocol)
1265{
1266 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1267}
1268
1da177e4
LT		 1269static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1270{
da69a530
SS		 1271 int extsockclass = selinux_policycap_extsockclass;
1272
1da177e4
LT		 1273 switch (family) {
1274 case PF_UNIX:
1275 switch (type) {
1276 case SOCK_STREAM:
1277 case SOCK_SEQPACKET:
1278 return SECCLASS_UNIX_STREAM_SOCKET;
1279 case SOCK_DGRAM:
1280 return SECCLASS_UNIX_DGRAM_SOCKET;
1281 }
1282 break;
1283 case PF_INET:
1284 case PF_INET6:
1285 switch (type) {
1286 case SOCK_STREAM:
da69a530 1287 case SOCK_SEQPACKET:
13402580
JM		 1288 if (default_protocol_stream(protocol))
1289 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1290 else if (extsockclass && protocol == IPPROTO_SCTP)
1291 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1292 else
1293 return SECCLASS_RAWIP_SOCKET;
1da177e4 1294 case SOCK_DGRAM:
13402580
JM		 1295 if (default_protocol_dgram(protocol))
1296 return SECCLASS_UDP_SOCKET;
da69a530
SS		 1297 else if (extsockclass && protocol == IPPROTO_ICMP)
1298 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1299 else
1300 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1301 case SOCK_DCCP:
1302 return SECCLASS_DCCP_SOCKET;
13402580 1303 default:
1da177e4
LT		 1304 return SECCLASS_RAWIP_SOCKET;
1305 }
1306 break;
1307 case PF_NETLINK:
1308 switch (protocol) {
1309 case NETLINK_ROUTE:
1310 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1311 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1312 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1313 case NETLINK_NFLOG:
1314 return SECCLASS_NETLINK_NFLOG_SOCKET;
1315 case NETLINK_XFRM:
1316 return SECCLASS_NETLINK_XFRM_SOCKET;
1317 case NETLINK_SELINUX:
1318 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1319 case NETLINK_ISCSI:
1320 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1321 case NETLINK_AUDIT:
1322 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1323 case NETLINK_FIB_LOOKUP:
1324 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1325 case NETLINK_CONNECTOR:
1326 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1327 case NETLINK_NETFILTER:
1328 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1329 case NETLINK_DNRTMSG:
1330 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1331 case NETLINK_KOBJECT_UEVENT:
1332 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1333 case NETLINK_GENERIC:
1334 return SECCLASS_NETLINK_GENERIC_SOCKET;
1335 case NETLINK_SCSITRANSPORT:
1336 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1337 case NETLINK_RDMA:
1338 return SECCLASS_NETLINK_RDMA_SOCKET;
1339 case NETLINK_CRYPTO:
1340 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1341 default:
1342 return SECCLASS_NETLINK_SOCKET;
1343 }
1344 case PF_PACKET:
1345 return SECCLASS_PACKET_SOCKET;
1346 case PF_KEY:
1347 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1348 case PF_APPLETALK:
1349 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1350 }
1351
da69a530
SS		 1352 if (extsockclass) {
1353 switch (family) {
1354 case PF_AX25:
1355 return SECCLASS_AX25_SOCKET;
1356 case PF_IPX:
1357 return SECCLASS_IPX_SOCKET;
1358 case PF_NETROM:
1359 return SECCLASS_NETROM_SOCKET;
1360 case PF_BRIDGE:
1361 return SECCLASS_BRIDGE_SOCKET;
1362 case PF_ATMPVC:
1363 return SECCLASS_ATMPVC_SOCKET;
1364 case PF_X25:
1365 return SECCLASS_X25_SOCKET;
1366 case PF_ROSE:
1367 return SECCLASS_ROSE_SOCKET;
1368 case PF_DECnet:
1369 return SECCLASS_DECNET_SOCKET;
1370 case PF_ATMSVC:
1371 return SECCLASS_ATMSVC_SOCKET;
1372 case PF_RDS:
1373 return SECCLASS_RDS_SOCKET;
1374 case PF_IRDA:
1375 return SECCLASS_IRDA_SOCKET;
1376 case PF_PPPOX:
1377 return SECCLASS_PPPOX_SOCKET;
1378 case PF_LLC:
1379 return SECCLASS_LLC_SOCKET;
1380 case PF_IB:
1381 return SECCLASS_IB_SOCKET;
1382 case PF_MPLS:
1383 return SECCLASS_MPLS_SOCKET;
1384 case PF_CAN:
1385 return SECCLASS_CAN_SOCKET;
1386 case PF_TIPC:
1387 return SECCLASS_TIPC_SOCKET;
1388 case PF_BLUETOOTH:
1389 return SECCLASS_BLUETOOTH_SOCKET;
1390 case PF_IUCV:
1391 return SECCLASS_IUCV_SOCKET;
1392 case PF_RXRPC:
1393 return SECCLASS_RXRPC_SOCKET;
1394 case PF_ISDN:
1395 return SECCLASS_ISDN_SOCKET;
1396 case PF_PHONET:
1397 return SECCLASS_PHONET_SOCKET;
1398 case PF_IEEE802154:
1399 return SECCLASS_IEEE802154_SOCKET;
1400 case PF_CAIF:
1401 return SECCLASS_CAIF_SOCKET;
1402 case PF_ALG:
1403 return SECCLASS_ALG_SOCKET;
1404 case PF_NFC:
1405 return SECCLASS_NFC_SOCKET;
1406 case PF_VSOCK:
1407 return SECCLASS_VSOCK_SOCKET;
1408 case PF_KCM:
1409 return SECCLASS_KCM_SOCKET;
1410 case PF_QIPCRTR:
1411 return SECCLASS_QIPCRTR_SOCKET;
1412#if PF_MAX > 43
1413#error New address family defined, please update this function.
1414#endif
1415 }
1416 }
1417
1da177e4
LT		 1418 return SECCLASS_SOCKET;
1419}
1420
134509d5
SS		 1421static int selinux_genfs_get_sid(struct dentry *dentry,
1422 u16 tclass,
1423 u16 flags,
1424 u32 *sid)
1da177e4 1425{
8e6c9693 1426 int rc;
fc64005c 1427 struct super_block *sb = dentry->d_sb;
8e6c9693 1428 char *buffer, *path;
1da177e4 1429
828dfe1d 1430 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1431 if (!buffer)
1432 return -ENOMEM;
1433
8e6c9693
LAG		 1434 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1435 if (IS_ERR(path))
1436 rc = PTR_ERR(path);
1437 else {
134509d5
SS		 1438 if (flags & SE_SBPROC) {
1439 /* each process gets a /proc/PID/ entry. Strip off the
1440 * PID part to get a valid selinux labeling.
1441 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1442 while (path[1] >= '0' && path[1] <= '9') {
1443 path[1] = '/';
1444 path++;
1445 }
8e6c9693 1446 }
134509d5 1447 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1448 }
1da177e4
LT		 1449 free_page((unsigned long)buffer);
1450 return rc;
1451}
1da177e4
LT		 1452
1453/* The inode's security attributes must be initialized before first use. */
1454static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1455{
1456 struct superblock_security_struct *sbsec = NULL;
1457 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1458 u32 task_sid, sid = 0;
1459 u16 sclass;
1da177e4
LT		 1460 struct dentry *dentry;
1461#define INITCONTEXTLEN 255
1462 char *context = NULL;
1463 unsigned len = 0;
1464 int rc = 0;
1da177e4 1465
6f3be9f5 1466 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1467 return 0;
1da177e4 1468
9287aed2 1469 spin_lock(&isec->lock);
6f3be9f5 1470 if (isec->initialized == LABEL_INITIALIZED)
23970741 1471 goto out_unlock;
1da177e4 1472
13457d07
AG		 1473 if (isec->sclass == SECCLASS_FILE)
1474 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1475
1da177e4 1476 sbsec = inode->i_sb->s_security;
0d90a7ec 1477 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1478 /* Defer initialization until selinux_complete_init,
1479 after the initial policy is loaded and the security
1480 server is ready to handle calls. */
1481 spin_lock(&sbsec->isec_lock);
1482 if (list_empty(&isec->list))
1483 list_add(&isec->list, &sbsec->isec_head);
1484 spin_unlock(&sbsec->isec_lock);
23970741 1485 goto out_unlock;
1da177e4
LT		 1486 }
1487
9287aed2
AG		 1488 sclass = isec->sclass;
1489 task_sid = isec->task_sid;
1490 sid = isec->sid;
1491 isec->initialized = LABEL_PENDING;
1492 spin_unlock(&isec->lock);
1493
1da177e4 1494 switch (sbsec->behavior) {
eb9ae686
DQ		 1495 case SECURITY_FS_USE_NATIVE:
1496 break;
1da177e4 1497 case SECURITY_FS_USE_XATTR:
5d6c3191 1498 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1499 sid = sbsec->def_sid;
1da177e4
LT		 1500 break;
1501 }
1da177e4
LT		 1502 /* Need a dentry, since the xattr API requires one.
1503 Life would be simpler if we could just pass the inode. */
1504 if (opt_dentry) {
1505 /* Called from d_instantiate or d_splice_alias. */
1506 dentry = dget(opt_dentry);
1507 } else {
1508 /* Called from selinux_complete_init, try to find a dentry. */
1509 dentry = d_find_alias(inode);
1510 }
1511 if (!dentry) {
df7f54c0
EP		 1512 /*
1513 * this is can be hit on boot when a file is accessed
1514 * before the policy is loaded. When we load policy we
1515 * may find inodes that have no dentry on the
1516 * sbsec->isec_head list. No reason to complain as these
1517 * will get fixed up the next time we go through
1518 * inode_doinit with a dentry, before these inodes could
1519 * be used again by userspace.
1520 */
9287aed2 1521 goto out;
1da177e4
LT		 1522 }
1523
1524 len = INITCONTEXTLEN;
4cb912f1 1525 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1526 if (!context) {
1527 rc = -ENOMEM;
1528 dput(dentry);
9287aed2 1529 goto out;
1da177e4 1530 }
4cb912f1 1531 context[len] = '\0';
5d6c3191 1532 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1533 if (rc == -ERANGE) {
314dabb8
JM		 1534 kfree(context);
1535
1da177e4 1536 /* Need a larger buffer. Query for the right size. */
5d6c3191 1537 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1538 if (rc < 0) {
1539 dput(dentry);
9287aed2 1540 goto out;
1da177e4 1541 }
1da177e4 1542 len = rc;
4cb912f1 1543 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1544 if (!context) {
1545 rc = -ENOMEM;
1546 dput(dentry);
9287aed2 1547 goto out;
1da177e4 1548 }
4cb912f1 1549 context[len] = '\0';
5d6c3191 1550 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1551 }
1552 dput(dentry);
1553 if (rc < 0) {
1554 if (rc != -ENODATA) {
744ba35e 1555 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1556 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1557 -rc, inode->i_sb->s_id, inode->i_ino);
1558 kfree(context);
9287aed2 1559 goto out;
1da177e4
LT		 1560 }
1561 /* Map ENODATA to the default file SID */
1562 sid = sbsec->def_sid;
1563 rc = 0;
1564 } else {
f5c1d5b2 1565 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1566 sbsec->def_sid,
1567 GFP_NOFS);
1da177e4 1568 if (rc) {
4ba0a8ad
EP		 1569 char *dev = inode->i_sb->s_id;
1570 unsigned long ino = inode->i_ino;
1571
1572 if (rc == -EINVAL) {
1573 if (printk_ratelimit())
1574 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1575 "context=%s. This indicates you may need to relabel the inode or the "
1576 "filesystem in question.\n", ino, dev, context);
1577 } else {
1578 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1579 "returned %d for dev=%s ino=%ld\n",
1580 __func__, context, -rc, dev, ino);
1581 }
1da177e4
LT		 1582 kfree(context);
1583 /* Leave with the unlabeled SID */
1584 rc = 0;
1585 break;
1586 }
1587 }
1588 kfree(context);
1da177e4
LT		 1589 break;
1590 case SECURITY_FS_USE_TASK:
9287aed2 1591 sid = task_sid;
1da177e4
LT		 1592 break;
1593 case SECURITY_FS_USE_TRANS:
1594 /* Default to the fs SID. */
9287aed2 1595 sid = sbsec->sid;
1da177e4
LT		 1596
1597 /* Try to obtain a transition SID. */
9287aed2 1598 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1599 if (rc)
9287aed2 1600 goto out;
1da177e4 1601 break;
c312feb2 1602 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1603 sid = sbsec->mntpoint_sid;
c312feb2 1604 break;
1da177e4 1605 default:
c312feb2 1606 /* Default to the fs superblock SID. */
9287aed2 1607 sid = sbsec->sid;
1da177e4 1608
134509d5 1609 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1610 /* We must have a dentry to determine the label on
1611 * procfs inodes */
1612 if (opt_dentry)
1613 /* Called from d_instantiate or
1614 * d_splice_alias. */
1615 dentry = dget(opt_dentry);
1616 else
1617 /* Called from selinux_complete_init, try to
1618 * find a dentry. */
1619 dentry = d_find_alias(inode);
1620 /*
1621 * This can be hit on boot when a file is accessed
1622 * before the policy is loaded. When we load policy we
1623 * may find inodes that have no dentry on the
1624 * sbsec->isec_head list. No reason to complain as
1625 * these will get fixed up the next time we go through
1626 * inode_doinit() with a dentry, before these inodes
1627 * could be used again by userspace.
1628 */
1629 if (!dentry)
9287aed2
AG		 1630 goto out;
1631 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1632 sbsec->flags, &sid);
f64410ec
PM		 1633 dput(dentry);
1634 if (rc)
9287aed2 1635 goto out;
1da177e4
LT		 1636 }
1637 break;
1638 }
1639
9287aed2
AG		 1640out:
1641 spin_lock(&isec->lock);
1642 if (isec->initialized == LABEL_PENDING) {
1643 if (!sid || rc) {
1644 isec->initialized = LABEL_INVALID;
1645 goto out_unlock;
1646 }
1647
1648 isec->initialized = LABEL_INITIALIZED;
1649 isec->sid = sid;
1650 }
1da177e4 1651
23970741 1652out_unlock:
9287aed2 1653 spin_unlock(&isec->lock);
1da177e4
LT		 1654 return rc;
1655}
1656
1657/* Convert a Linux signal to an access vector. */
1658static inline u32 signal_to_av(int sig)
1659{
1660 u32 perm = 0;
1661
1662 switch (sig) {
1663 case SIGCHLD:
1664 /* Commonly granted from child to parent. */
1665 perm = PROCESS__SIGCHLD;
1666 break;
1667 case SIGKILL:
1668 /* Cannot be caught or ignored */
1669 perm = PROCESS__SIGKILL;
1670 break;
1671 case SIGSTOP:
1672 /* Cannot be caught or ignored */
1673 perm = PROCESS__SIGSTOP;
1674 break;
1675 default:
1676 /* All other signals. */
1677 perm = PROCESS__SIGNAL;
1678 break;
1679 }
1680
1681 return perm;
1682}
1683
d84f4f99
DH		 1684/*
1685 * Check permission between a pair of credentials
1686 * fork check, ptrace check, etc.
1687 */
1688static int cred_has_perm(const struct cred *actor,
1689 const struct cred *target,
1690 u32 perms)
1691{
1692 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1693
1694 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1695}
1696
275bb41e 1697/*
88e67f3b 1698 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1699 * fork check, ptrace check, etc.
1700 * tsk1 is the actor and tsk2 is the target
3b11a1de 1701 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1702 */
1703static int task_has_perm(const struct task_struct *tsk1,
1704 const struct task_struct *tsk2,
1da177e4
LT		 1705 u32 perms)
1706{
275bb41e
DH		 1707 const struct task_security_struct *__tsec1, *__tsec2;
1708 u32 sid1, sid2;
1da177e4 1709
275bb41e
DH		 1710 rcu_read_lock();
1711 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1712 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1713 rcu_read_unlock();
1714 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1715}
1716
3b11a1de
DH		 1717/*
1718 * Check permission between current and another task, e.g. signal checks,
1719 * fork check, ptrace check, etc.
1720 * current is the actor and tsk2 is the target
1721 * - this uses current's subjective creds
1722 */
1723static int current_has_perm(const struct task_struct *tsk,
1724 u32 perms)
1725{
1726 u32 sid, tsid;
1727
1728 sid = current_sid();
1729 tsid = task_sid(tsk);
1730 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1731}
1732
b68e418c
SS		 1733#if CAP_LAST_CAP > 63
1734#error Fix SELinux to handle capabilities > 63.
1735#endif
1736
1da177e4 1737/* Check whether a task is allowed to use a capability. */
6a9de491 1738static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1739 int cap, int audit, bool initns)
1da177e4 1740{
2bf49690 1741 struct common_audit_data ad;
06112163 1742 struct av_decision avd;
b68e418c 1743 u16 sclass;
3699c53c 1744 u32 sid = cred_sid(cred);
b68e418c 1745 u32 av = CAP_TO_MASK(cap);
06112163 1746 int rc;
1da177e4 1747
50c205f5 1748 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1749 ad.u.cap = cap;
1750
b68e418c
SS		 1751 switch (CAP_TO_INDEX(cap)) {
1752 case 0:
8e4ff6f2 1753 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1754 break;
1755 case 1:
8e4ff6f2 1756 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1757 break;
1758 default:
1759 printk(KERN_ERR
1760 "SELinux: out of range capability %d\n", cap);
1761 BUG();
a35c6c83 1762 return -EINVAL;
b68e418c 1763 }
06112163 1764
275bb41e 1765 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1766 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1767 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1768 if (rc2)
1769 return rc2;
1770 }
06112163 1771 return rc;
1da177e4
LT		 1772}
1773
1774/* Check whether a task is allowed to use a system operation. */
1775static int task_has_system(struct task_struct *tsk,
1776 u32 perms)
1777{
275bb41e 1778 u32 sid = task_sid(tsk);
1da177e4 1779
275bb41e 1780 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1781 SECCLASS_SYSTEM, perms, NULL);
1782}
1783
1784/* Check whether a task has a particular permission to an inode.
1785 The 'adp' parameter is optional and allows other audit
1786 data to be passed (e.g. the dentry). */
88e67f3b 1787static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1788 struct inode *inode,
1789 u32 perms,
19e49834 1790 struct common_audit_data *adp)
1da177e4 1791{
1da177e4 1792 struct inode_security_struct *isec;
275bb41e 1793 u32 sid;
1da177e4 1794
e0e81739
DH		 1795 validate_creds(cred);
1796
828dfe1d 1797 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1798 return 0;
1799
88e67f3b 1800 sid = cred_sid(cred);
1da177e4
LT		 1801 isec = inode->i_security;
1802
19e49834 1803 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1804}
1805
1806/* Same as inode_has_perm, but pass explicit audit data containing
1807 the dentry to help the auditing code to more easily generate the
1808 pathname if needed. */
88e67f3b 1809static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1810 struct dentry *dentry,
1811 u32 av)
1812{
c6f493d6 1813 struct inode *inode = d_backing_inode(dentry);
2bf49690 1814 struct common_audit_data ad;
88e67f3b 1815
50c205f5 1816 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1817 ad.u.dentry = dentry;
5d226df4 1818 __inode_security_revalidate(inode, dentry, true);
19e49834 1819 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1820}
1821
1822/* Same as inode_has_perm, but pass explicit audit data containing
1823 the path to help the auditing code to more easily generate the
1824 pathname if needed. */
1825static inline int path_has_perm(const struct cred *cred,
3f7036a0 1826 const struct path *path,
2875fa00
EP		 1827 u32 av)
1828{
c6f493d6 1829 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1830 struct common_audit_data ad;
1831
50c205f5 1832 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1833 ad.u.path = *path;
5d226df4 1834 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1835 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1836}
1837
13f8e981
DH		 1838/* Same as path_has_perm, but uses the inode from the file struct. */
1839static inline int file_path_has_perm(const struct cred *cred,
1840 struct file *file,
1841 u32 av)
1842{
1843 struct common_audit_data ad;
1844
43af5de7
VG		 1845 ad.type = LSM_AUDIT_DATA_FILE;
1846 ad.u.file = file;
19e49834 1847 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1848}
1849
1da177e4
LT		 1850/* Check whether a task can use an open file descriptor to
1851 access an inode in a given way. Check access to the
1852 descriptor itself, and then use dentry_has_perm to
1853 check a particular permission to the file.
1854 Access to the descriptor is implicitly granted if it
1855 has the same SID as the process. If av is zero, then
1856 access to the file is not checked, e.g. for cases
1857 where only the descriptor is affected like seek. */
88e67f3b
DH		 1858static int file_has_perm(const struct cred *cred,
1859 struct file *file,
1860 u32 av)
1da177e4 1861{
1da177e4 1862 struct file_security_struct *fsec = file->f_security;
496ad9aa 1863 struct inode *inode = file_inode(file);
2bf49690 1864 struct common_audit_data ad;
88e67f3b 1865 u32 sid = cred_sid(cred);
1da177e4
LT		 1866 int rc;
1867
43af5de7
VG		 1868 ad.type = LSM_AUDIT_DATA_FILE;
1869 ad.u.file = file;
1da177e4 1870
275bb41e
DH		 1871 if (sid != fsec->sid) {
1872 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1873 SECCLASS_FD,
1874 FD__USE,
1875 &ad);
1876 if (rc)
88e67f3b 1877 goto out;
1da177e4
LT		 1878 }
1879
1880 /* av is zero if only checking access to the descriptor. */
88e67f3b 1881 rc = 0;
1da177e4 1882 if (av)
19e49834 1883 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1884
88e67f3b
DH		 1885out:
1886 return rc;
1da177e4
LT		 1887}
1888
c3c188b2
DH		 1889/*
1890 * Determine the label for an inode that might be unioned.
1891 */
c957f6df
VG		 1892static int
1893selinux_determine_inode_label(const struct task_security_struct *tsec,
1894 struct inode *dir,
1895 const struct qstr *name, u16 tclass,
1896 u32 *_new_isid)
c3c188b2
DH		 1897{
1898 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1899
1900 if ((sbsec->flags & SE_SBINITIALIZED) &&
1901 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1902 *_new_isid = sbsec->mntpoint_sid;
1903 } else if ((sbsec->flags & SBLABEL_MNT) &&
1904 tsec->create_sid) {
1905 *_new_isid = tsec->create_sid;
1906 } else {
20cdef8d 1907 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1908 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1909 name, _new_isid);
1910 }
1911
1912 return 0;
1913}
1914
1da177e4
LT		 1915/* Check whether a task can create a file. */
1916static int may_create(struct inode *dir,
1917 struct dentry *dentry,
1918 u16 tclass)
1919{
5fb49870 1920 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1921 struct inode_security_struct *dsec;
1922 struct superblock_security_struct *sbsec;
275bb41e 1923 u32 sid, newsid;
2bf49690 1924 struct common_audit_data ad;
1da177e4
LT		 1925 int rc;
1926
83da53c5 1927 dsec = inode_security(dir);
1da177e4
LT		 1928 sbsec = dir->i_sb->s_security;
1929
275bb41e 1930 sid = tsec->sid;
275bb41e 1931
50c205f5 1932 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1933 ad.u.dentry = dentry;
1da177e4 1934
275bb41e 1935 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1936 DIR__ADD_NAME | DIR__SEARCH,
1937 &ad);
1938 if (rc)
1939 return rc;
1940
c957f6df
VG		 1941 rc = selinux_determine_inode_label(current_security(), dir,
1942 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1943 if (rc)
1944 return rc;
1da177e4 1945
275bb41e 1946 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1947 if (rc)
1948 return rc;
1949
1950 return avc_has_perm(newsid, sbsec->sid,
1951 SECCLASS_FILESYSTEM,
1952 FILESYSTEM__ASSOCIATE, &ad);
1953}
1954
4eb582cf
ML		 1955/* Check whether a task can create a key. */
1956static int may_create_key(u32 ksid,
1957 struct task_struct *ctx)
1958{
275bb41e 1959 u32 sid = task_sid(ctx);
4eb582cf 1960
275bb41e 1961 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1962}
1963
828dfe1d
EP		 1964#define MAY_LINK 0
1965#define MAY_UNLINK 1
1966#define MAY_RMDIR 2
1da177e4
LT		 1967
1968/* Check whether a task can link, unlink, or rmdir a file/directory. */
1969static int may_link(struct inode *dir,
1970 struct dentry *dentry,
1971 int kind)
1972
1973{
1da177e4 1974 struct inode_security_struct *dsec, *isec;
2bf49690 1975 struct common_audit_data ad;
275bb41e 1976 u32 sid = current_sid();
1da177e4
LT		 1977 u32 av;
1978 int rc;
1979
83da53c5
AG		 1980 dsec = inode_security(dir);
1981 isec = backing_inode_security(dentry);
1da177e4 1982
50c205f5 1983 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1984 ad.u.dentry = dentry;
1da177e4
LT		 1985
1986 av = DIR__SEARCH;
1987 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1988 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1989 if (rc)
1990 return rc;
1991
1992 switch (kind) {
1993 case MAY_LINK:
1994 av = FILE__LINK;
1995 break;
1996 case MAY_UNLINK:
1997 av = FILE__UNLINK;
1998 break;
1999 case MAY_RMDIR:
2000 av = DIR__RMDIR;
2001 break;
2002 default:
744ba35e
EP		 2003 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2004 __func__, kind);
1da177e4
LT		 2005 return 0;
2006 }
2007
275bb41e 2008 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 2009 return rc;
2010}
2011
2012static inline int may_rename(struct inode *old_dir,
2013 struct dentry *old_dentry,
2014 struct inode *new_dir,
2015 struct dentry *new_dentry)
2016{
1da177e4 2017 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 2018 struct common_audit_data ad;
275bb41e 2019 u32 sid = current_sid();
1da177e4
LT		 2020 u32 av;
2021 int old_is_dir, new_is_dir;
2022 int rc;
2023
83da53c5
AG		 2024 old_dsec = inode_security(old_dir);
2025 old_isec = backing_inode_security(old_dentry);
e36cb0b8 2026 old_is_dir = d_is_dir(old_dentry);
83da53c5 2027 new_dsec = inode_security(new_dir);
1da177e4 2028
50c205f5 2029 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 2030
a269434d 2031 ad.u.dentry = old_dentry;
275bb41e 2032 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 2033 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2034 if (rc)
2035 return rc;
275bb41e 2036 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2037 old_isec->sclass, FILE__RENAME, &ad);
2038 if (rc)
2039 return rc;
2040 if (old_is_dir && new_dir != old_dir) {
275bb41e 2041 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2042 old_isec->sclass, DIR__REPARENT, &ad);
2043 if (rc)
2044 return rc;
2045 }
2046
a269434d 2047 ad.u.dentry = new_dentry;
1da177e4 2048 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2049 if (d_is_positive(new_dentry))
1da177e4 2050 av |= DIR__REMOVE_NAME;
275bb41e 2051 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2052 if (rc)
2053 return rc;
2c616d4d 2054 if (d_is_positive(new_dentry)) {
83da53c5 2055 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2056 new_is_dir = d_is_dir(new_dentry);
275bb41e 2057 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 2058 new_isec->sclass,
2059 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2060 if (rc)
2061 return rc;
2062 }
2063
2064 return 0;
2065}
2066
2067/* Check whether a task can perform a filesystem operation. */
88e67f3b 2068static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2069 struct super_block *sb,
2070 u32 perms,
2bf49690 2071 struct common_audit_data *ad)
1da177e4 2072{
1da177e4 2073 struct superblock_security_struct *sbsec;
88e67f3b 2074 u32 sid = cred_sid(cred);
1da177e4 2075
1da177e4 2076 sbsec = sb->s_security;
275bb41e 2077 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2078}
2079
2080/* Convert a Linux mode and permission mask to an access vector. */
2081static inline u32 file_mask_to_av(int mode, int mask)
2082{
2083 u32 av = 0;
2084
dba19c60 2085 if (!S_ISDIR(mode)) {
1da177e4
LT		 2086 if (mask & MAY_EXEC)
2087 av |= FILE__EXECUTE;
2088 if (mask & MAY_READ)
2089 av |= FILE__READ;
2090
2091 if (mask & MAY_APPEND)
2092 av |= FILE__APPEND;
2093 else if (mask & MAY_WRITE)
2094 av |= FILE__WRITE;
2095
2096 } else {
2097 if (mask & MAY_EXEC)
2098 av |= DIR__SEARCH;
2099 if (mask & MAY_WRITE)
2100 av |= DIR__WRITE;
2101 if (mask & MAY_READ)
2102 av |= DIR__READ;
2103 }
2104
2105 return av;
2106}
2107
8b6a5a37
EP		 2108/* Convert a Linux file to an access vector. */
2109static inline u32 file_to_av(struct file *file)
2110{
2111 u32 av = 0;
2112
2113 if (file->f_mode & FMODE_READ)
2114 av |= FILE__READ;
2115 if (file->f_mode & FMODE_WRITE) {
2116 if (file->f_flags & O_APPEND)
2117 av |= FILE__APPEND;
2118 else
2119 av |= FILE__WRITE;
2120 }
2121 if (!av) {
2122 /*
2123 * Special file opened with flags 3 for ioctl-only use.
2124 */
2125 av = FILE__IOCTL;
2126 }
2127
2128 return av;
2129}
2130
b0c636b9 2131/*
8b6a5a37 2132 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2133 * open permission.
2134 */
8b6a5a37 2135static inline u32 open_file_to_av(struct file *file)
b0c636b9 2136{
8b6a5a37 2137 u32 av = file_to_av(file);
b0c636b9 2138
49b7b8de
EP		 2139 if (selinux_policycap_openperm)
2140 av |= FILE__OPEN;
2141
b0c636b9
EP		 2142 return av;
2143}
2144
1da177e4
LT		 2145/* Hook functions begin here. */
2146
79af7307
SS		 2147static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2148{
2149 u32 mysid = current_sid();
2150 u32 mgrsid = task_sid(mgr);
2151
2152 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2153 BINDER__SET_CONTEXT_MGR, NULL);
2154}
2155
2156static int selinux_binder_transaction(struct task_struct *from,
2157 struct task_struct *to)
2158{
2159 u32 mysid = current_sid();
2160 u32 fromsid = task_sid(from);
2161 u32 tosid = task_sid(to);
2162 int rc;
2163
2164 if (mysid != fromsid) {
2165 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2166 BINDER__IMPERSONATE, NULL);
2167 if (rc)
2168 return rc;
2169 }
2170
2171 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2172 NULL);
2173}
2174
2175static int selinux_binder_transfer_binder(struct task_struct *from,
2176 struct task_struct *to)
2177{
2178 u32 fromsid = task_sid(from);
2179 u32 tosid = task_sid(to);
2180
2181 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2182 NULL);
2183}
2184
2185static int selinux_binder_transfer_file(struct task_struct *from,
2186 struct task_struct *to,
2187 struct file *file)
2188{
2189 u32 sid = task_sid(to);
2190 struct file_security_struct *fsec = file->f_security;
83da53c5 2191 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2192 struct inode_security_struct *isec;
79af7307
SS		 2193 struct common_audit_data ad;
2194 int rc;
2195
2196 ad.type = LSM_AUDIT_DATA_PATH;
2197 ad.u.path = file->f_path;
2198
2199 if (sid != fsec->sid) {
2200 rc = avc_has_perm(sid, fsec->sid,
2201 SECCLASS_FD,
2202 FD__USE,
2203 &ad);
2204 if (rc)
2205 return rc;
2206 }
2207
83da53c5 2208 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2209 return 0;
2210
20cdef8d 2211 isec = backing_inode_security(dentry);
79af7307
SS		 2212 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2213 &ad);
2214}
2215
9e48858f 2216static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2217 unsigned int mode)
1da177e4 2218{
69f594a3 2219 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2220 u32 sid = current_sid();
2221 u32 csid = task_sid(child);
2222 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2223 }
2224
3b11a1de 2225 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2226}
2227
2228static int selinux_ptrace_traceme(struct task_struct *parent)
2229{
5cd9c58f 2230 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2231}
2232
2233static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2234 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2235{
b1d9e6b0 2236 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2237}
2238
d84f4f99
DH		 2239static int selinux_capset(struct cred *new, const struct cred *old,
2240 const kernel_cap_t *effective,
2241 const kernel_cap_t *inheritable,
2242 const kernel_cap_t *permitted)
1da177e4 2243{
d84f4f99 2244 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2245}
2246
5626d3e8
JM		 2247/*
2248 * (This comment used to live with the selinux_task_setuid hook,
2249 * which was removed).
2250 *
2251 * Since setuid only affects the current process, and since the SELinux
2252 * controls are not based on the Linux identity attributes, SELinux does not
2253 * need to control this operation. However, SELinux does control the use of
2254 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2255 */
2256
6a9de491
EP		 2257static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2258 int cap, int audit)
1da177e4 2259{
8e4ff6f2 2260 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2261}
2262
1da177e4
LT		 2263static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2264{
88e67f3b 2265 const struct cred *cred = current_cred();
1da177e4
LT		 2266 int rc = 0;
2267
2268 if (!sb)
2269 return 0;
2270
2271 switch (cmds) {
828dfe1d
EP		 2272 case Q_SYNC:
2273 case Q_QUOTAON:
2274 case Q_QUOTAOFF:
2275 case Q_SETINFO:
2276 case Q_SETQUOTA:
88e67f3b 2277 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2278 break;
2279 case Q_GETFMT:
2280 case Q_GETINFO:
2281 case Q_GETQUOTA:
88e67f3b 2282 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2283 break;
2284 default:
2285 rc = 0; /* let the kernel handle invalid cmds */
2286 break;
1da177e4
LT		 2287 }
2288 return rc;
2289}
2290
2291static int selinux_quota_on(struct dentry *dentry)
2292{
88e67f3b
DH		 2293 const struct cred *cred = current_cred();
2294
2875fa00 2295 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2296}
2297
12b3052c 2298static int selinux_syslog(int type)
1da177e4
LT		 2299{
2300 int rc;
2301
1da177e4 2302 switch (type) {
d78ca3cd
KC		 2303 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2304 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2305 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2306 break;
d78ca3cd
KC		 2307 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2308 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2309 /* Set level of messages printed to console */
2310 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2311 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2312 break;
d78ca3cd
KC		 2313 case SYSLOG_ACTION_CLOSE: /* Close log */
2314 case SYSLOG_ACTION_OPEN: /* Open log */
2315 case SYSLOG_ACTION_READ: /* Read from log */
2316 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2317 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2318 default:
2319 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2320 break;
1da177e4
LT		 2321 }
2322 return rc;
2323}
2324
2325/*
2326 * Check that a process has enough memory to allocate a new virtual
2327 * mapping. 0 means there is enough memory for the allocation to
2328 * succeed and -ENOMEM implies there is not.
2329 *
1da177e4
LT		 2330 * Do not audit the selinux permission check, as this is applied to all
2331 * processes that allocate mappings.
2332 */
34b4e4aa 2333static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2334{
2335 int rc, cap_sys_admin = 0;
1da177e4 2336
b1d9e6b0 2337 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2338 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2339 if (rc == 0)
2340 cap_sys_admin = 1;
2341
b1d9e6b0 2342 return cap_sys_admin;
1da177e4
LT		 2343}
2344
2345/* binprm security operations */
2346
0c6181cb
PM		 2347static u32 ptrace_parent_sid(struct task_struct *task)
2348{
2349 u32 sid = 0;
2350 struct task_struct *tracer;
2351
2352 rcu_read_lock();
2353 tracer = ptrace_parent(task);
2354 if (tracer)
2355 sid = task_sid(tracer);
2356 rcu_read_unlock();
2357
2358 return sid;
2359}
2360
7b0d0b40
SS		 2361static int check_nnp_nosuid(const struct linux_binprm *bprm,
2362 const struct task_security_struct *old_tsec,
2363 const struct task_security_struct *new_tsec)
2364{
2365 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2366 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40
SS		 2367 int rc;
2368
2369 if (!nnp && !nosuid)
2370 return 0; /* neither NNP nor nosuid */
2371
2372 if (new_tsec->sid == old_tsec->sid)
2373 return 0; /* No change in credentials */
2374
2375 /*
2376 * The only transitions we permit under NNP or nosuid
2377 * are transitions to bounded SIDs, i.e. SIDs that are
2378 * guaranteed to only be allowed a subset of the permissions
2379 * of the current SID.
2380 */
2381 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2382 if (rc) {
2383 /*
2384 * On failure, preserve the errno values for NNP vs nosuid.
2385 * NNP: Operation not permitted for caller.
2386 * nosuid: Permission denied to file.
2387 */
2388 if (nnp)
2389 return -EPERM;
2390 else
2391 return -EACCES;
2392 }
2393 return 0;
2394}
2395
a6f76f23 2396static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2397{
a6f76f23
DH		 2398 const struct task_security_struct *old_tsec;
2399 struct task_security_struct *new_tsec;
1da177e4 2400 struct inode_security_struct *isec;
2bf49690 2401 struct common_audit_data ad;
496ad9aa 2402 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2403 int rc;
2404
a6f76f23
DH		 2405 /* SELinux context only depends on initial program or script and not
2406 * the script interpreter */
2407 if (bprm->cred_prepared)
1da177e4
LT		 2408 return 0;
2409
a6f76f23
DH		 2410 old_tsec = current_security();
2411 new_tsec = bprm->cred->security;
83da53c5 2412 isec = inode_security(inode);
1da177e4
LT		 2413
2414 /* Default to the current task SID. */
a6f76f23
DH		 2415 new_tsec->sid = old_tsec->sid;
2416 new_tsec->osid = old_tsec->sid;
1da177e4 2417
28eba5bf 2418 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2419 new_tsec->create_sid = 0;
2420 new_tsec->keycreate_sid = 0;
2421 new_tsec->sockcreate_sid = 0;
1da177e4 2422
a6f76f23
DH		 2423 if (old_tsec->exec_sid) {
2424 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2425 /* Reset exec SID on execve. */
a6f76f23 2426 new_tsec->exec_sid = 0;
259e5e6c 2427
7b0d0b40
SS		 2428 /* Fail on NNP or nosuid if not an allowed transition. */
2429 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2430 if (rc)
2431 return rc;
1da177e4
LT		 2432 } else {
2433 /* Check for a default transition on this program. */
a6f76f23 2434 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2435 SECCLASS_PROCESS, NULL,
2436 &new_tsec->sid);
1da177e4
LT		 2437 if (rc)
2438 return rc;
7b0d0b40
SS		 2439
2440 /*
2441 * Fallback to old SID on NNP or nosuid if not an allowed
2442 * transition.
2443 */
2444 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2445 if (rc)
2446 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2447 }
2448
43af5de7
VG		 2449 ad.type = LSM_AUDIT_DATA_FILE;
2450 ad.u.file = bprm->file;
1da177e4 2451
a6f76f23
DH		 2452 if (new_tsec->sid == old_tsec->sid) {
2453 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2454 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2455 if (rc)
2456 return rc;
2457 } else {
2458 /* Check permissions for the transition. */
a6f76f23 2459 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2460 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2461 if (rc)
2462 return rc;
2463
a6f76f23 2464 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2465 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2466 if (rc)
2467 return rc;
2468
a6f76f23
DH		 2469 /* Check for shared state */
2470 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2471 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2472 SECCLASS_PROCESS, PROCESS__SHARE,
2473 NULL);
2474 if (rc)
2475 return -EPERM;
2476 }
2477
2478 /* Make sure that anyone attempting to ptrace over a task that
2479 * changes its SID has the appropriate permit */
2480 if (bprm->unsafe &
2481 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0c6181cb 2482 u32 ptsid = ptrace_parent_sid(current);
a6f76f23
DH		 2483 if (ptsid != 0) {
2484 rc = avc_has_perm(ptsid, new_tsec->sid,
2485 SECCLASS_PROCESS,
2486 PROCESS__PTRACE, NULL);
2487 if (rc)
2488 return -EPERM;
2489 }
2490 }
1da177e4 2491
a6f76f23
DH		 2492 /* Clear any possibly unsafe personality bits on exec: */
2493 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2494 }
2495
1da177e4
LT		 2496 return 0;
2497}
2498
828dfe1d 2499static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2500{
5fb49870 2501 const struct task_security_struct *tsec = current_security();
275bb41e 2502 u32 sid, osid;
1da177e4
LT		 2503 int atsecure = 0;
2504
275bb41e
DH		 2505 sid = tsec->sid;
2506 osid = tsec->osid;
2507
2508 if (osid != sid) {
1da177e4
LT		 2509 /* Enable secure mode for SIDs transitions unless
2510 the noatsecure permission is granted between
2511 the two SIDs, i.e. ahp returns 0. */
275bb41e 2512 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2513 SECCLASS_PROCESS,
2514 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2515 }
2516
b1d9e6b0 2517 return !!atsecure;
1da177e4
LT		 2518}
2519
c3c073f8
AV		 2520static int match_file(const void *p, struct file *file, unsigned fd)
2521{
2522 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2523}
2524
1da177e4 2525/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2526static inline void flush_unauthorized_files(const struct cred *cred,
2527 struct files_struct *files)
1da177e4 2528{
1da177e4 2529 struct file *file, *devnull = NULL;
b20c8122 2530 struct tty_struct *tty;
24ec839c 2531 int drop_tty = 0;
c3c073f8 2532 unsigned n;
1da177e4 2533
24ec839c 2534 tty = get_current_tty();
1da177e4 2535 if (tty) {
4a510969 2536 spin_lock(&tty->files_lock);
37dd0bd0 2537 if (!list_empty(&tty->tty_files)) {
d996b62a 2538 struct tty_file_private *file_priv;
37dd0bd0 2539
1da177e4 2540 /* Revalidate access to controlling tty.
13f8e981
DH		 2541 Use file_path_has_perm on the tty path directly
2542 rather than using file_has_perm, as this particular
2543 open file may belong to another process and we are
2544 only interested in the inode-based check here. */
d996b62a
NP		 2545 file_priv = list_first_entry(&tty->tty_files,
2546 struct tty_file_private, list);
2547 file = file_priv->file;
13f8e981 2548 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2549 drop_tty = 1;
1da177e4 2550 }
4a510969 2551 spin_unlock(&tty->files_lock);
452a00d2 2552 tty_kref_put(tty);
1da177e4 2553 }
98a27ba4
EB		 2554 /* Reset controlling tty. */
2555 if (drop_tty)
2556 no_tty();
1da177e4
LT		 2557
2558 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2559 n = iterate_fd(files, 0, match_file, cred);
2560 if (!n) /* none found? */
2561 return;
1da177e4 2562
c3c073f8 2563 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2564 if (IS_ERR(devnull))
2565 devnull = NULL;
2566 /* replace all the matching ones with this */
2567 do {
2568 replace_fd(n - 1, devnull, 0);
2569 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2570 if (devnull)
c3c073f8 2571 fput(devnull);
1da177e4
LT		 2572}
2573
a6f76f23
DH		 2574/*
2575 * Prepare a process for imminent new credential changes due to exec
2576 */
2577static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2578{
a6f76f23
DH		 2579 struct task_security_struct *new_tsec;
2580 struct rlimit *rlim, *initrlim;
2581 int rc, i;
d84f4f99 2582
a6f76f23
DH		 2583 new_tsec = bprm->cred->security;
2584 if (new_tsec->sid == new_tsec->osid)
2585 return;
1da177e4 2586
a6f76f23
DH		 2587 /* Close files for which the new task SID is not authorized. */
2588 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2589
a6f76f23
DH		 2590 /* Always clear parent death signal on SID transitions. */
2591 current->pdeath_signal = 0;
0356357c 2592
a6f76f23
DH		 2593 /* Check whether the new SID can inherit resource limits from the old
2594 * SID. If not, reset all soft limits to the lower of the current
2595 * task's hard limit and the init task's soft limit.
2596 *
2597 * Note that the setting of hard limits (even to lower them) can be
2598 * controlled by the setrlimit check. The inclusion of the init task's
2599 * soft limit into the computation is to avoid resetting soft limits
2600 * higher than the default soft limit for cases where the default is
2601 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2602 */
2603 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2604 PROCESS__RLIMITINH, NULL);
2605 if (rc) {
eb2d55a3
ON		 2606 /* protect against do_prlimit() */
2607 task_lock(current);
a6f76f23
DH		 2608 for (i = 0; i < RLIM_NLIMITS; i++) {
2609 rlim = current->signal->rlim + i;
2610 initrlim = init_task.signal->rlim + i;
2611 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2612 }
eb2d55a3 2613 task_unlock(current);
baa73d9e
NP		 2614 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2615 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2616 }
2617}
2618
2619/*
a6f76f23
DH		 2620 * Clean up the process immediately after the installation of new credentials
2621 * due to exec
1da177e4 2622 */
a6f76f23 2623static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2624{
a6f76f23 2625 const struct task_security_struct *tsec = current_security();
1da177e4 2626 struct itimerval itimer;
a6f76f23 2627 u32 osid, sid;
1da177e4
LT		 2628 int rc, i;
2629
a6f76f23
DH		 2630 osid = tsec->osid;
2631 sid = tsec->sid;
2632
2633 if (sid == osid)
1da177e4
LT		 2634 return;
2635
a6f76f23
DH		 2636 /* Check whether the new SID can inherit signal state from the old SID.
2637 * If not, clear itimers to avoid subsequent signal generation and
2638 * flush and unblock signals.
2639 *
2640 * This must occur _after_ the task SID has been updated so that any
2641 * kill done after the flush will be checked against the new SID.
2642 */
2643 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2644 if (rc) {
baa73d9e
NP		 2645 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2646 memset(&itimer, 0, sizeof itimer);
2647 for (i = 0; i < 3; i++)
2648 do_setitimer(i, &itimer, NULL);
2649 }
1da177e4 2650 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2651 if (!fatal_signal_pending(current)) {
2652 flush_sigqueue(&current->pending);
2653 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2654 flush_signal_handlers(current, 1);
2655 sigemptyset(&current->blocked);
9e7c8f8c 2656 recalc_sigpending();
3bcac026 2657 }
1da177e4
LT		 2658 spin_unlock_irq(&current->sighand->siglock);
2659 }
2660
a6f76f23
DH		 2661 /* Wake up the parent if it is waiting so that it can recheck
2662 * wait permission to the new task SID. */
ecd6de3c 2663 read_lock(&tasklist_lock);
0b7570e7 2664 __wake_up_parent(current, current->real_parent);
ecd6de3c 2665 read_unlock(&tasklist_lock);
1da177e4
LT		 2666}
2667
2668/* superblock security operations */
2669
2670static int selinux_sb_alloc_security(struct super_block *sb)
2671{
2672 return superblock_alloc_security(sb);
2673}
2674
2675static void selinux_sb_free_security(struct super_block *sb)
2676{
2677 superblock_free_security(sb);
2678}
2679
2680static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2681{
2682 if (plen > olen)
2683 return 0;
2684
2685 return !memcmp(prefix, option, plen);
2686}
2687
2688static inline int selinux_option(char *option, int len)
2689{
832cbd9a
EP		 2690 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2691 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2692 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2693 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2694 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2695}
2696
2697static inline void take_option(char **to, char *from, int *first, int len)
2698{
2699 if (!*first) {
2700 **to = ',';
2701 *to += 1;
3528a953 2702 } else
1da177e4
LT		 2703 *first = 0;
2704 memcpy(*to, from, len);
2705 *to += len;
2706}
2707
828dfe1d
EP		 2708static inline void take_selinux_option(char **to, char *from, int *first,
2709 int len)
3528a953
CO		 2710{
2711 int current_size = 0;
2712
2713 if (!*first) {
2714 **to = '|';
2715 *to += 1;
828dfe1d 2716 } else
3528a953
CO		 2717 *first = 0;
2718
2719 while (current_size < len) {
2720 if (*from != '"') {
2721 **to = *from;
2722 *to += 1;
2723 }
2724 from += 1;
2725 current_size += 1;
2726 }
2727}
2728
e0007529 2729static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2730{
2731 int fnosec, fsec, rc = 0;
2732 char *in_save, *in_curr, *in_end;
2733 char *sec_curr, *nosec_save, *nosec;
3528a953 2734 int open_quote = 0;
1da177e4
LT		 2735
2736 in_curr = orig;
2737 sec_curr = copy;
2738
1da177e4
LT		 2739 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2740 if (!nosec) {
2741 rc = -ENOMEM;
2742 goto out;
2743 }
2744
2745 nosec_save = nosec;
2746 fnosec = fsec = 1;
2747 in_save = in_end = orig;
2748
2749 do {
3528a953
CO		 2750 if (*in_end == '"')
2751 open_quote = !open_quote;
2752 if ((*in_end == ',' && open_quote == 0) ||
2753 *in_end == '\0') {
1da177e4
LT		 2754 int len = in_end - in_curr;
2755
2756 if (selinux_option(in_curr, len))
3528a953 2757 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2758 else
2759 take_option(&nosec, in_curr, &fnosec, len);
2760
2761 in_curr = in_end + 1;
2762 }
2763 } while (*in_end++);
2764
6931dfc9 2765 strcpy(in_save, nosec_save);
da3caa20 2766 free_page((unsigned long)nosec_save);
1da177e4
LT		 2767out:
2768 return rc;
2769}
2770
026eb167
EP		 2771static int selinux_sb_remount(struct super_block *sb, void *data)
2772{
2773 int rc, i, *flags;
2774 struct security_mnt_opts opts;
2775 char *secdata, **mount_options;
2776 struct superblock_security_struct *sbsec = sb->s_security;
2777
2778 if (!(sbsec->flags & SE_SBINITIALIZED))
2779 return 0;
2780
2781 if (!data)
2782 return 0;
2783
2784 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2785 return 0;
2786
2787 security_init_mnt_opts(&opts);
2788 secdata = alloc_secdata();
2789 if (!secdata)
2790 return -ENOMEM;
2791 rc = selinux_sb_copy_data(data, secdata);
2792 if (rc)
2793 goto out_free_secdata;
2794
2795 rc = selinux_parse_opts_str(secdata, &opts);
2796 if (rc)
2797 goto out_free_secdata;
2798
2799 mount_options = opts.mnt_opts;
2800 flags = opts.mnt_opts_flags;
2801
2802 for (i = 0; i < opts.num_mnt_opts; i++) {
2803 u32 sid;
026eb167 2804
12f348b9 2805 if (flags[i] == SBLABEL_MNT)
026eb167 2806 continue;
44be2f65 2807 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2808 if (rc) {
44be2f65 2809 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2810 "(%s) failed for (dev %s, type %s) errno=%d\n",
2811 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2812 goto out_free_opts;
2813 }
2814 rc = -EINVAL;
2815 switch (flags[i]) {
2816 case FSCONTEXT_MNT:
2817 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2818 goto out_bad_option;
2819 break;
2820 case CONTEXT_MNT:
2821 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2822 goto out_bad_option;
2823 break;
2824 case ROOTCONTEXT_MNT: {
2825 struct inode_security_struct *root_isec;
83da53c5 2826 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2827
2828 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2829 goto out_bad_option;
2830 break;
2831 }
2832 case DEFCONTEXT_MNT:
2833 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2834 goto out_bad_option;
2835 break;
2836 default:
2837 goto out_free_opts;
2838 }
2839 }
2840
2841 rc = 0;
2842out_free_opts:
2843 security_free_mnt_opts(&opts);
2844out_free_secdata:
2845 free_secdata(secdata);
2846 return rc;
2847out_bad_option:
2848 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2849 "during remount (dev %s, type=%s)\n", sb->s_id,
2850 sb->s_type->name);
026eb167
EP		 2851 goto out_free_opts;
2852}
2853
12204e24 2854static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2855{
88e67f3b 2856 const struct cred *cred = current_cred();
2bf49690 2857 struct common_audit_data ad;
1da177e4
LT		 2858 int rc;
2859
2860 rc = superblock_doinit(sb, data);
2861 if (rc)
2862 return rc;
2863
74192246
JM		 2864 /* Allow all mounts performed by the kernel */
2865 if (flags & MS_KERNMOUNT)
2866 return 0;
2867
50c205f5 2868 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2869 ad.u.dentry = sb->s_root;
88e67f3b 2870 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2871}
2872
726c3342 2873static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2874{
88e67f3b 2875 const struct cred *cred = current_cred();
2bf49690 2876 struct common_audit_data ad;
1da177e4 2877
50c205f5 2878 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2879 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2880 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2881}
2882
808d4e3c 2883static int selinux_mount(const char *dev_name,
8a04c43b 2884 const struct path *path,
808d4e3c 2885 const char *type,
828dfe1d
EP		 2886 unsigned long flags,
2887 void *data)
1da177e4 2888{
88e67f3b 2889 const struct cred *cred = current_cred();
1da177e4
LT		 2890
2891 if (flags & MS_REMOUNT)
d8c9584e 2892 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2893 FILESYSTEM__REMOUNT, NULL);
1da177e4 2894 else
2875fa00 2895 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2896}
2897
2898static int selinux_umount(struct vfsmount *mnt, int flags)
2899{
88e67f3b 2900 const struct cred *cred = current_cred();
1da177e4 2901
88e67f3b 2902 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2903 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2904}
2905
2906/* inode security operations */
2907
2908static int selinux_inode_alloc_security(struct inode *inode)
2909{
2910 return inode_alloc_security(inode);
2911}
2912
2913static void selinux_inode_free_security(struct inode *inode)
2914{
2915 inode_free_security(inode);
2916}
2917
d47be3df 2918static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2919 const struct qstr *name, void **ctx,
d47be3df
DQ		 2920 u32 *ctxlen)
2921{
d47be3df
DQ		 2922 u32 newsid;
2923 int rc;
2924
c957f6df
VG		 2925 rc = selinux_determine_inode_label(current_security(),
2926 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2927 inode_mode_to_security_class(mode),
2928 &newsid);
2929 if (rc)
2930 return rc;
d47be3df
DQ		 2931
2932 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2933}
2934
a518b0a5
VG		 2935static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2936 struct qstr *name,
2937 const struct cred *old,
2938 struct cred *new)
2939{
2940 u32 newsid;
2941 int rc;
2942 struct task_security_struct *tsec;
2943
2944 rc = selinux_determine_inode_label(old->security,
2945 d_inode(dentry->d_parent), name,
2946 inode_mode_to_security_class(mode),
2947 &newsid);
2948 if (rc)
2949 return rc;
2950
2951 tsec = new->security;
2952 tsec->create_sid = newsid;
2953 return 0;
2954}
2955
5e41ff9e 2956static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2957 const struct qstr *qstr,
2958 const char **name,
2a7dba39 2959 void **value, size_t *len)
5e41ff9e 2960{
5fb49870 2961 const struct task_security_struct *tsec = current_security();
5e41ff9e 2962 struct superblock_security_struct *sbsec;
275bb41e 2963 u32 sid, newsid, clen;
5e41ff9e 2964 int rc;
9548906b 2965 char *context;
5e41ff9e 2966
5e41ff9e 2967 sbsec = dir->i_sb->s_security;
5e41ff9e 2968
275bb41e
DH		 2969 sid = tsec->sid;
2970 newsid = tsec->create_sid;
2971
c957f6df 2972 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2973 dir, qstr,
2974 inode_mode_to_security_class(inode->i_mode),
2975 &newsid);
2976 if (rc)
2977 return rc;
5e41ff9e 2978
296fddf7 2979 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2980 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2981 struct inode_security_struct *isec = inode->i_security;
2982 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2983 isec->sid = newsid;
6f3be9f5 2984 isec->initialized = LABEL_INITIALIZED;
296fddf7 2985 }
5e41ff9e 2986
12f348b9 2987 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2988 return -EOPNOTSUPP;
2989
9548906b
TH		 2990 if (name)
2991 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2992
570bc1c2 2993 if (value && len) {
12b29f34 2994 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2995 if (rc)
570bc1c2 2996 return rc;
570bc1c2
SS		 2997 *value = context;
2998 *len = clen;
5e41ff9e 2999 }
5e41ff9e 3000
5e41ff9e
SS		 3001 return 0;
3002}
3003
4acdaf27 3004static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3005{
3006 return may_create(dir, dentry, SECCLASS_FILE);
3007}
3008
1da177e4
LT		 3009static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3010{
1da177e4
LT		 3011 return may_link(dir, old_dentry, MAY_LINK);
3012}
3013
1da177e4
LT		 3014static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3015{
1da177e4
LT		 3016 return may_link(dir, dentry, MAY_UNLINK);
3017}
3018
3019static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3020{
3021 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3022}
3023
18bb1db3 3024static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3025{
3026 return may_create(dir, dentry, SECCLASS_DIR);
3027}
3028
1da177e4
LT		 3029static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3030{
3031 return may_link(dir, dentry, MAY_RMDIR);
3032}
3033
1a67aafb 3034static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3035{
1da177e4
LT		 3036 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3037}
3038
1da177e4 3039static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3040 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3041{
3042 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3043}
3044
1da177e4
LT		 3045static int selinux_inode_readlink(struct dentry *dentry)
3046{
88e67f3b
DH		 3047 const struct cred *cred = current_cred();
3048
2875fa00 3049 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3050}
3051
bda0be7a
N		 3052static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3053 bool rcu)
1da177e4 3054{
88e67f3b 3055 const struct cred *cred = current_cred();
bda0be7a
N		 3056 struct common_audit_data ad;
3057 struct inode_security_struct *isec;
3058 u32 sid;
1da177e4 3059
bda0be7a
N		 3060 validate_creds(cred);
3061
3062 ad.type = LSM_AUDIT_DATA_DENTRY;
3063 ad.u.dentry = dentry;
3064 sid = cred_sid(cred);
5d226df4
AG		 3065 isec = inode_security_rcu(inode, rcu);
3066 if (IS_ERR(isec))
3067 return PTR_ERR(isec);
bda0be7a
N		 3068
3069 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3070 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3071}
3072
d4cf970d
EP		 3073static noinline int audit_inode_permission(struct inode *inode,
3074 u32 perms, u32 audited, u32 denied,
626b9740 3075 int result,
d4cf970d 3076 unsigned flags)
1da177e4 3077{
b782e0a6 3078 struct common_audit_data ad;
d4cf970d
EP		 3079 struct inode_security_struct *isec = inode->i_security;
3080 int rc;
3081
50c205f5 3082 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3083 ad.u.inode = inode;
3084
3085 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3086 audited, denied, result, &ad, flags);
d4cf970d
EP		 3087 if (rc)
3088 return rc;
3089 return 0;
3090}
3091
e74f71eb 3092static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3093{
88e67f3b 3094 const struct cred *cred = current_cred();
b782e0a6
EP		 3095 u32 perms;
3096 bool from_access;
cf1dd1da 3097 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3098 struct inode_security_struct *isec;
3099 u32 sid;
3100 struct av_decision avd;
3101 int rc, rc2;
3102 u32 audited, denied;
1da177e4 3103
b782e0a6 3104 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3105 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3106
b782e0a6
EP		 3107 /* No permission to check. Existence test. */
3108 if (!mask)
1da177e4 3109 return 0;
1da177e4 3110
2e334057 3111 validate_creds(cred);
b782e0a6 3112
2e334057
EP		 3113 if (unlikely(IS_PRIVATE(inode)))
3114 return 0;
b782e0a6
EP		 3115
3116 perms = file_mask_to_av(inode->i_mode, mask);
3117
2e334057 3118 sid = cred_sid(cred);
5d226df4
AG		 3119 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3120 if (IS_ERR(isec))
3121 return PTR_ERR(isec);
2e334057
EP		 3122
3123 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3124 audited = avc_audit_required(perms, &avd, rc,
3125 from_access ? FILE__AUDIT_ACCESS : 0,
3126 &denied);
3127 if (likely(!audited))
3128 return rc;
3129
626b9740 3130 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3131 if (rc2)
3132 return rc2;
3133 return rc;
1da177e4
LT		 3134}
3135
3136static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3137{
88e67f3b 3138 const struct cred *cred = current_cred();
bc6a6008 3139 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3140 __u32 av = FILE__WRITE;
1da177e4 3141
bc6a6008
AW		 3142 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3143 if (ia_valid & ATTR_FORCE) {
3144 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3145 ATTR_FORCE);
3146 if (!ia_valid)
3147 return 0;
3148 }
1da177e4 3149
bc6a6008
AW		 3150 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3151 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3152 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3153
44d37ad3
JVS		 3154 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3155 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3156 av |= FILE__OPEN;
3157
3158 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3159}
3160
3f7036a0 3161static int selinux_inode_getattr(const struct path *path)
1da177e4 3162{
3f7036a0 3163 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3164}
3165
8f0cfa52 3166static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3167{
88e67f3b
DH		 3168 const struct cred *cred = current_cred();
3169
b5376771
SH		 3170 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3171 sizeof XATTR_SECURITY_PREFIX - 1)) {
3172 if (!strcmp(name, XATTR_NAME_CAPS)) {
3173 if (!capable(CAP_SETFCAP))
3174 return -EPERM;
3175 } else if (!capable(CAP_SYS_ADMIN)) {
3176 /* A different attribute in the security namespace.
3177 Restrict to administrator. */
3178 return -EPERM;
3179 }
3180 }
3181
3182 /* Not an attribute we recognize, so just check the
3183 ordinary setattr permission. */
2875fa00 3184 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3185}
3186
8f0cfa52
DH		 3187static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3188 const void *value, size_t size, int flags)
1da177e4 3189{
c6f493d6 3190 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3191 struct inode_security_struct *isec;
1da177e4 3192 struct superblock_security_struct *sbsec;
2bf49690 3193 struct common_audit_data ad;
275bb41e 3194 u32 newsid, sid = current_sid();
1da177e4
LT		 3195 int rc = 0;
3196
b5376771
SH		 3197 if (strcmp(name, XATTR_NAME_SELINUX))
3198 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3199
3200 sbsec = inode->i_sb->s_security;
12f348b9 3201 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3202 return -EOPNOTSUPP;
3203
2e149670 3204 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3205 return -EPERM;
3206
50c205f5 3207 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3208 ad.u.dentry = dentry;
1da177e4 3209
20cdef8d 3210 isec = backing_inode_security(dentry);
275bb41e 3211 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3212 FILE__RELABELFROM, &ad);
3213 if (rc)
3214 return rc;
3215
52a4c640 3216 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3217 if (rc == -EINVAL) {
d6ea83ec
EP		 3218 if (!capable(CAP_MAC_ADMIN)) {
3219 struct audit_buffer *ab;
3220 size_t audit_size;
3221 const char *str;
3222
3223 /* We strip a nul only if it is at the end, otherwise the
3224 * context contains a nul and we should audit that */
e3fea3f7
AV		 3225 if (value) {
3226 str = value;
3227 if (str[size - 1] == '\0')
3228 audit_size = size - 1;
3229 else
3230 audit_size = size;
3231 } else {
3232 str = "";
3233 audit_size = 0;
3234 }
d6ea83ec
EP		 3235 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3236 audit_log_format(ab, "op=setxattr invalid_context=");
3237 audit_log_n_untrustedstring(ab, value, audit_size);
3238 audit_log_end(ab);
3239
12b29f34 3240 return rc;
d6ea83ec 3241 }
12b29f34
SS		 3242 rc = security_context_to_sid_force(value, size, &newsid);
3243 }
1da177e4
LT		 3244 if (rc)
3245 return rc;
3246
275bb41e 3247 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3248 FILE__RELABELTO, &ad);
3249 if (rc)
3250 return rc;
3251
275bb41e 3252 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3253 isec->sclass);
1da177e4
LT		 3254 if (rc)
3255 return rc;
3256
3257 return avc_has_perm(newsid,
3258 sbsec->sid,
3259 SECCLASS_FILESYSTEM,
3260 FILESYSTEM__ASSOCIATE,
3261 &ad);
3262}
3263
8f0cfa52 3264static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3265 const void *value, size_t size,
8f0cfa52 3266 int flags)
1da177e4 3267{
c6f493d6 3268 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3269 struct inode_security_struct *isec;
1da177e4
LT		 3270 u32 newsid;
3271 int rc;
3272
3273 if (strcmp(name, XATTR_NAME_SELINUX)) {
3274 /* Not an attribute we recognize, so nothing to do. */
3275 return;
3276 }
3277
12b29f34 3278 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3279 if (rc) {
12b29f34
SS		 3280 printk(KERN_ERR "SELinux: unable to map context to SID"
3281 "for (%s, %lu), rc=%d\n",
3282 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3283 return;
3284 }
3285
20cdef8d 3286 isec = backing_inode_security(dentry);
9287aed2 3287 spin_lock(&isec->lock);
aa9c2669 3288 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3289 isec->sid = newsid;
6f3be9f5 3290 isec->initialized = LABEL_INITIALIZED;
9287aed2 3291 spin_unlock(&isec->lock);
aa9c2669 3292
1da177e4
LT		 3293 return;
3294}
3295
8f0cfa52 3296static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3297{
88e67f3b
DH		 3298 const struct cred *cred = current_cred();
3299
2875fa00 3300 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3301}
3302
828dfe1d 3303static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3304{
88e67f3b
DH		 3305 const struct cred *cred = current_cred();
3306
2875fa00 3307 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3308}
3309
8f0cfa52 3310static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3311{
b5376771
SH		 3312 if (strcmp(name, XATTR_NAME_SELINUX))
3313 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3314
3315 /* No one is allowed to remove a SELinux security label.
3316 You can change the label, but all data must be labeled. */
3317 return -EACCES;
3318}
3319
d381d8a9 3320/*
abc69bb6 3321 * Copy the inode security context value to the user.
d381d8a9
JM		 3322 *
3323 * Permission check is handled by selinux_inode_getxattr hook.
3324 */
ea861dfd 3325static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3326{
42492594
DQ		 3327 u32 size;
3328 int error;
3329 char *context = NULL;
20cdef8d 3330 struct inode_security_struct *isec;
d381d8a9 3331
8c8570fb
DK		 3332 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3333 return -EOPNOTSUPP;
d381d8a9 3334
abc69bb6
SS		 3335 /*
3336 * If the caller has CAP_MAC_ADMIN, then get the raw context
3337 * value even if it is not defined by current policy; otherwise,
3338 * use the in-core value under current policy.
3339 * Use the non-auditing forms of the permission checks since
3340 * getxattr may be called by unprivileged processes commonly
3341 * and lack of permission just means that we fall back to the
3342 * in-core context value, not a denial.
3343 */
b1d9e6b0
CS		 3344 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3345 SECURITY_CAP_NOAUDIT);
3346 if (!error)
3347 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
8e4ff6f2 3348 SECURITY_CAP_NOAUDIT, true);
20cdef8d 3349 isec = inode_security(inode);
abc69bb6
SS		 3350 if (!error)
3351 error = security_sid_to_context_force(isec->sid, &context,
3352 &size);
3353 else
3354 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3355 if (error)
3356 return error;
3357 error = size;
3358 if (alloc) {
3359 *buffer = context;
3360 goto out_nofree;
3361 }
3362 kfree(context);
3363out_nofree:
3364 return error;
1da177e4
LT		 3365}
3366
3367static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3368 const void *value, size_t size, int flags)
1da177e4 3369{
2c97165b 3370 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3371 u32 newsid;
3372 int rc;
3373
3374 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3375 return -EOPNOTSUPP;
3376
3377 if (!value || !size)
3378 return -EACCES;
3379
20ba96ae 3380 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3381 if (rc)
3382 return rc;
3383
9287aed2 3384 spin_lock(&isec->lock);
aa9c2669 3385 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3386 isec->sid = newsid;
6f3be9f5 3387 isec->initialized = LABEL_INITIALIZED;
9287aed2 3388 spin_unlock(&isec->lock);
1da177e4
LT		 3389 return 0;
3390}
3391
3392static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3393{
3394 const int len = sizeof(XATTR_NAME_SELINUX);
3395 if (buffer && len <= buffer_size)
3396 memcpy(buffer, XATTR_NAME_SELINUX, len);
3397 return len;
3398}
3399
d6335d77 3400static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3401{
e817c2f3 3402 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3403 *secid = isec->sid;
3404}
3405
56909eb3
VG		 3406static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3407{
3408 u32 sid;
3409 struct task_security_struct *tsec;
3410 struct cred *new_creds = *new;
3411
3412 if (new_creds == NULL) {
3413 new_creds = prepare_creds();
3414 if (!new_creds)
3415 return -ENOMEM;
3416 }
3417
3418 tsec = new_creds->security;
3419 /* Get label from overlay inode and set it in create_sid */
3420 selinux_inode_getsecid(d_inode(src), &sid);
3421 tsec->create_sid = sid;
3422 *new = new_creds;
3423 return 0;
3424}
3425
19472b69
VG		 3426static int selinux_inode_copy_up_xattr(const char *name)
3427{
3428 /* The copy_up hook above sets the initial context on an inode, but we
3429 * don't then want to overwrite it by blindly copying all the lower
3430 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3431 */
3432 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3433 return 1; /* Discard */
3434 /*
3435 * Any other attribute apart from SELINUX is not claimed, supported
3436 * by selinux.
3437 */
3438 return -EOPNOTSUPP;
3439}
3440
1da177e4
LT		 3441/* file security operations */
3442
788e7dd4 3443static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3444{
88e67f3b 3445 const struct cred *cred = current_cred();
496ad9aa 3446 struct inode *inode = file_inode(file);
1da177e4 3447
1da177e4
LT		 3448 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3449 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3450 mask |= MAY_APPEND;
3451
389fb800
PM		 3452 return file_has_perm(cred, file,
3453 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3454}
3455
788e7dd4
YN		 3456static int selinux_file_permission(struct file *file, int mask)
3457{
496ad9aa 3458 struct inode *inode = file_inode(file);
20dda18b 3459 struct file_security_struct *fsec = file->f_security;
b197367e 3460 struct inode_security_struct *isec;
20dda18b
SS		 3461 u32 sid = current_sid();
3462
389fb800 3463 if (!mask)
788e7dd4
YN		 3464 /* No permission to check. Existence test. */
3465 return 0;
788e7dd4 3466
b197367e 3467 isec = inode_security(inode);
20dda18b
SS		 3468 if (sid == fsec->sid && fsec->isid == isec->sid &&
3469 fsec->pseqno == avc_policy_seqno())
83d49856 3470 /* No change since file_open check. */
20dda18b
SS		 3471 return 0;
3472
788e7dd4
YN		 3473 return selinux_revalidate_file_permission(file, mask);
3474}
3475
1da177e4
LT		 3476static int selinux_file_alloc_security(struct file *file)
3477{
3478 return file_alloc_security(file);
3479}
3480
3481static void selinux_file_free_security(struct file *file)
3482{
3483 file_free_security(file);
3484}
3485
fa1aa143
JVS		 3486/*
3487 * Check whether a task has the ioctl permission and cmd
3488 * operation to an inode.
3489 */
1d2a168a 3490static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3491 u32 requested, u16 cmd)
3492{
3493 struct common_audit_data ad;
3494 struct file_security_struct *fsec = file->f_security;
3495 struct inode *inode = file_inode(file);
20cdef8d 3496 struct inode_security_struct *isec;
fa1aa143
JVS		 3497 struct lsm_ioctlop_audit ioctl;
3498 u32 ssid = cred_sid(cred);
3499 int rc;
3500 u8 driver = cmd >> 8;
3501 u8 xperm = cmd & 0xff;
3502
3503 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3504 ad.u.op = &ioctl;
3505 ad.u.op->cmd = cmd;
3506 ad.u.op->path = file->f_path;
3507
3508 if (ssid != fsec->sid) {
3509 rc = avc_has_perm(ssid, fsec->sid,
3510 SECCLASS_FD,
3511 FD__USE,
3512 &ad);
3513 if (rc)
3514 goto out;
3515 }
3516
3517 if (unlikely(IS_PRIVATE(inode)))
3518 return 0;
3519
20cdef8d 3520 isec = inode_security(inode);
fa1aa143
JVS		 3521 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3522 requested, driver, xperm, &ad);
3523out:
3524 return rc;
3525}
3526
1da177e4
LT		 3527static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3528 unsigned long arg)
3529{
88e67f3b 3530 const struct cred *cred = current_cred();
0b24dcb7 3531 int error = 0;
1da177e4 3532
0b24dcb7
EP		 3533 switch (cmd) {
3534 case FIONREAD:
3535 /* fall through */
3536 case FIBMAP:
3537 /* fall through */
3538 case FIGETBSZ:
3539 /* fall through */
2f99c369 3540 case FS_IOC_GETFLAGS:
0b24dcb7 3541 /* fall through */
2f99c369 3542 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3543 error = file_has_perm(cred, file, FILE__GETATTR);
3544 break;
1da177e4 3545
2f99c369 3546 case FS_IOC_SETFLAGS:
0b24dcb7 3547 /* fall through */
2f99c369 3548 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3549 error = file_has_perm(cred, file, FILE__SETATTR);
3550 break;
3551
3552 /* sys_ioctl() checks */
3553 case FIONBIO:
3554 /* fall through */
3555 case FIOASYNC:
3556 error = file_has_perm(cred, file, 0);
3557 break;
1da177e4 3558
0b24dcb7
EP		 3559 case KDSKBENT:
3560 case KDSKBSENT:
6a9de491 3561 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3562 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3563 break;
3564
3565 /* default case assumes that the command will go
3566 * to the file's ioctl() function.
3567 */
3568 default:
fa1aa143 3569 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3570 }
3571 return error;
1da177e4
LT		 3572}
3573
fcaaade1
SS		 3574static int default_noexec;
3575
1da177e4
LT		 3576static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3577{
88e67f3b 3578 const struct cred *cred = current_cred();
d84f4f99 3579 int rc = 0;
88e67f3b 3580
fcaaade1 3581 if (default_noexec &&
892e8cac
SS		 3582 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3583 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3584 /*
3585 * We are making executable an anonymous mapping or a
3586 * private file mapping that will also be writable.
3587 * This has an additional check.
3588 */
d84f4f99 3589 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3590 if (rc)
d84f4f99 3591 goto error;
1da177e4 3592 }
1da177e4
LT		 3593
3594 if (file) {
3595 /* read access is always possible with a mapping */
3596 u32 av = FILE__READ;
3597
3598 /* write access only matters if the mapping is shared */
3599 if (shared && (prot & PROT_WRITE))
3600 av |= FILE__WRITE;
3601
3602 if (prot & PROT_EXEC)
3603 av |= FILE__EXECUTE;
3604
88e67f3b 3605 return file_has_perm(cred, file, av);
1da177e4 3606 }
d84f4f99
DH		 3607
3608error:
3609 return rc;
1da177e4
LT		 3610}
3611
e5467859 3612static int selinux_mmap_addr(unsigned long addr)
1da177e4 3613{
b1d9e6b0 3614 int rc = 0;
1da177e4 3615
a2551df7 3616 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3617 u32 sid = current_sid();
ed032189
EP		 3618 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3619 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3620 }
3621
98883bfd 3622 return rc;
e5467859 3623}
1da177e4 3624
e5467859
AV		 3625static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3626 unsigned long prot, unsigned long flags)
3627{
1da177e4
LT		 3628 if (selinux_checkreqprot)
3629 prot = reqprot;
3630
3631 return file_map_prot_check(file, prot,
3632 (flags & MAP_TYPE) == MAP_SHARED);
3633}
3634
3635static int selinux_file_mprotect(struct vm_area_struct *vma,
3636 unsigned long reqprot,
3637 unsigned long prot)
3638{
88e67f3b 3639 const struct cred *cred = current_cred();
1da177e4
LT		 3640
3641 if (selinux_checkreqprot)
3642 prot = reqprot;
3643
fcaaade1
SS		 3644 if (default_noexec &&
3645 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3646 int rc = 0;
db4c9641
SS		 3647 if (vma->vm_start >= vma->vm_mm->start_brk &&
3648 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3649 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641 3650 } else if (!vma->vm_file &&
c2316dbf
SS		 3651 ((vma->vm_start <= vma->vm_mm->start_stack &&
3652 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3653 vma_is_stack_for_current(vma))) {
3b11a1de 3654 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3655 } else if (vma->vm_file && vma->anon_vma) {
3656 /*
3657 * We are making executable a file mapping that has
3658 * had some COW done. Since pages might have been
3659 * written, check ability to execute the possibly
3660 * modified content. This typically should only
3661 * occur for text relocations.
3662 */
d84f4f99 3663 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3664 }