]> git.ipfire.org Git - thirdparty/linux.git/blame - security/selinux/hooks.c
projects / thirdparty / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces
[thirdparty/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
9287aed2 234 spin_lock_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
42059112 240 isec->initialized = LABEL_INVALID;
1da177e4
LT		 241 inode->i_security = isec;
242
243 return 0;
244}
245
5d226df4
AG		 246static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
247
248/*
249 * Try reloading inode security labels that have been marked as invalid. The
250 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 251 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 252 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
253 * when no dentry is available, set it to NULL instead.
254 */
255static int __inode_security_revalidate(struct inode *inode,
256 struct dentry *opt_dentry,
257 bool may_sleep)
258{
259 struct inode_security_struct *isec = inode->i_security;
260
261 might_sleep_if(may_sleep);
262
1ac42476 263 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 264 if (!may_sleep)
265 return -ECHILD;
266
267 /*
268 * Try reloading the inode security label. This will fail if
269 * @opt_dentry is NULL and no dentry for this inode can be
270 * found; in that case, continue using the old label.
271 */
272 inode_doinit_with_dentry(inode, opt_dentry);
273 }
274 return 0;
275}
276
5d226df4
AG		 277static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278{
279 return inode->i_security;
280}
281
282static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
283{
284 int error;
285
286 error = __inode_security_revalidate(inode, NULL, !rcu);
287 if (error)
288 return ERR_PTR(error);
289 return inode->i_security;
290}
291
83da53c5
AG		 292/*
293 * Get the security label of an inode.
294 */
295static struct inode_security_struct *inode_security(struct inode *inode)
296{
5d226df4 297 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 298 return inode->i_security;
299}
300
2c97165b
PM		 301static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
302{
303 struct inode *inode = d_backing_inode(dentry);
304
305 return inode->i_security;
306}
307
83da53c5
AG		 308/*
309 * Get the security label of a dentry's backing inode.
310 */
311static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
312{
313 struct inode *inode = d_backing_inode(dentry);
314
5d226df4 315 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 316 return inode->i_security;
317}
318
3dc91d43
SR		 319static void inode_free_rcu(struct rcu_head *head)
320{
321 struct inode_security_struct *isec;
322
323 isec = container_of(head, struct inode_security_struct, rcu);
324 kmem_cache_free(sel_inode_cache, isec);
325}
326
1da177e4
LT		 327static void inode_free_security(struct inode *inode)
328{
329 struct inode_security_struct *isec = inode->i_security;
330 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
331
9629d04a
WL		 332 /*
333 * As not all inode security structures are in a list, we check for
334 * empty list outside of the lock to make sure that we won't waste
335 * time taking a lock doing nothing.
336 *
337 * The list_del_init() function can be safely called more than once.
338 * It should not be possible for this function to be called with
339 * concurrent list_add(), but for better safety against future changes
340 * in the code, we use list_empty_careful() here.
341 */
342 if (!list_empty_careful(&isec->list)) {
343 spin_lock(&sbsec->isec_lock);
1da177e4 344 list_del_init(&isec->list);
9629d04a
WL		 345 spin_unlock(&sbsec->isec_lock);
346 }
1da177e4 347
3dc91d43
SR		 348 /*
349 * The inode may still be referenced in a path walk and
350 * a call to selinux_inode_permission() can be made
351 * after inode_free_security() is called. Ideally, the VFS
352 * wouldn't do this, but fixing that is a much harder
353 * job. For now, simply free the i_security via RCU, and
354 * leave the current inode->i_security pointer intact.
355 * The inode will be freed after the RCU grace period too.
356 */
357 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 358}
359
360static int file_alloc_security(struct file *file)
361{
1da177e4 362 struct file_security_struct *fsec;
275bb41e 363 u32 sid = current_sid();
1da177e4 364
63205654 365 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 366 if (!fsec)
367 return -ENOMEM;
368
275bb41e
DH		 369 fsec->sid = sid;
370 fsec->fown_sid = sid;
1da177e4
LT		 371 file->f_security = fsec;
372
373 return 0;
374}
375
376static void file_free_security(struct file *file)
377{
378 struct file_security_struct *fsec = file->f_security;
1da177e4 379 file->f_security = NULL;
63205654 380 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 381}
382
383static int superblock_alloc_security(struct super_block *sb)
384{
385 struct superblock_security_struct *sbsec;
386
89d155ef 387 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 388 if (!sbsec)
389 return -ENOMEM;
390
bc7e982b 391 mutex_init(&sbsec->lock);
1da177e4
LT		 392 INIT_LIST_HEAD(&sbsec->isec_head);
393 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 394 sbsec->sb = sb;
395 sbsec->sid = SECINITSID_UNLABELED;
396 sbsec->def_sid = SECINITSID_FILE;
c312feb2 397 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 398 sb->s_security = sbsec;
399
400 return 0;
401}
402
403static void superblock_free_security(struct super_block *sb)
404{
405 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 406 sb->s_security = NULL;
407 kfree(sbsec);
408}
409
1da177e4
LT		 410/* The file system's label must be initialized prior to use. */
411
eb9ae686 412static const char *labeling_behaviors[7] = {
1da177e4
LT		 413 "uses xattr",
414 "uses transition SIDs",
415 "uses task SIDs",
416 "uses genfs_contexts",
417 "not configured for labeling",
418 "uses mountpoint labeling",
eb9ae686 419 "uses native labeling",
1da177e4
LT		 420};
421
1da177e4
LT		 422static inline int inode_doinit(struct inode *inode)
423{
424 return inode_doinit_with_dentry(inode, NULL);
425}
426
427enum {
31e87930 428 Opt_error = -1,
1da177e4
LT		 429 Opt_context = 1,
430 Opt_fscontext = 2,
c9180a57
EP		 431 Opt_defcontext = 3,
432 Opt_rootcontext = 4,
11689d47 433 Opt_labelsupport = 5,
d355987f 434 Opt_nextmntopt = 6,
1da177e4
LT		 435};
436
d355987f
EP		 437#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
438
a447c093 439static const match_table_t tokens = {
832cbd9a
EP		 440 {Opt_context, CONTEXT_STR "%s"},
441 {Opt_fscontext, FSCONTEXT_STR "%s"},
442 {Opt_defcontext, DEFCONTEXT_STR "%s"},
443 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 444 {Opt_labelsupport, LABELSUPP_STR},
31e87930 445 {Opt_error, NULL},
1da177e4
LT		 446};
447
448#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
449
c312feb2
EP		 450static int may_context_mount_sb_relabel(u32 sid,
451 struct superblock_security_struct *sbsec,
275bb41e 452 const struct cred *cred)
c312feb2 453{
275bb41e 454 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 455 int rc;
456
457 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__RELABELFROM, NULL);
459 if (rc)
460 return rc;
461
462 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
463 FILESYSTEM__RELABELTO, NULL);
464 return rc;
465}
466
0808925e
EP		 467static int may_context_mount_inode_relabel(u32 sid,
468 struct superblock_security_struct *sbsec,
275bb41e 469 const struct cred *cred)
0808925e 470{
275bb41e 471 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 472 int rc;
473 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
474 FILESYSTEM__RELABELFROM, NULL);
475 if (rc)
476 return rc;
477
478 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
479 FILESYSTEM__ASSOCIATE, NULL);
480 return rc;
481}
482
b43e725d
EP		 483static int selinux_is_sblabel_mnt(struct super_block *sb)
484{
485 struct superblock_security_struct *sbsec = sb->s_security;
486
d5f3a5f6
MS		 487 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
488 sbsec->behavior == SECURITY_FS_USE_TRANS ||
489 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 490 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 491 /* Special handling. Genfs but also in-core setxattr handler */
492 !strcmp(sb->s_type->name, "sysfs") ||
493 !strcmp(sb->s_type->name, "pstore") ||
494 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 495 !strcmp(sb->s_type->name, "tracefs") ||
d5f3a5f6 496 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 497}
498
c9180a57 499static int sb_finish_set_opts(struct super_block *sb)
1da177e4 500{
1da177e4 501 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 502 struct dentry *root = sb->s_root;
c6f493d6 503 struct inode *root_inode = d_backing_inode(root);
c9180a57 504 int rc = 0;
1da177e4 505
c9180a57
EP		 506 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
507 /* Make sure that the xattr handler exists and that no
508 error other than -ENODATA is returned by getxattr on
509 the root directory. -ENODATA is ok, as this may be
510 the first boot of the SELinux kernel before we have
511 assigned xattr values to the filesystem. */
5d6c3191 512 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 513 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
514 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 515 rc = -EOPNOTSUPP;
516 goto out;
517 }
5d6c3191
AG		 518
519 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 520 if (rc < 0 && rc != -ENODATA) {
521 if (rc == -EOPNOTSUPP)
522 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 523 "%s) has no security xattr handler\n",
524 sb->s_id, sb->s_type->name);
c9180a57
EP		 525 else
526 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 527 "%s) getxattr errno %d\n", sb->s_id,
528 sb->s_type->name, -rc);
c9180a57
EP		 529 goto out;
530 }
531 }
1da177e4 532
c9180a57 533 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 534 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
535 sb->s_id, sb->s_type->name);
1da177e4 536
eadcabc6 537 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 538 if (selinux_is_sblabel_mnt(sb))
12f348b9 539 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 540
c9180a57
EP		 541 /* Initialize the root inode. */
542 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 543
c9180a57
EP		 544 /* Initialize any other inodes associated with the superblock, e.g.
545 inodes created prior to initial policy load or inodes created
546 during get_sb by a pseudo filesystem that directly
547 populates itself. */
548 spin_lock(&sbsec->isec_lock);
549next_inode:
550 if (!list_empty(&sbsec->isec_head)) {
551 struct inode_security_struct *isec =
552 list_entry(sbsec->isec_head.next,
553 struct inode_security_struct, list);
554 struct inode *inode = isec->inode;
923190d3 555 list_del_init(&isec->list);
c9180a57
EP		 556 spin_unlock(&sbsec->isec_lock);
557 inode = igrab(inode);
558 if (inode) {
559 if (!IS_PRIVATE(inode))
560 inode_doinit(inode);
561 iput(inode);
562 }
563 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 564 goto next_inode;
565 }
566 spin_unlock(&sbsec->isec_lock);
567out:
568 return rc;
569}
1da177e4 570
c9180a57
EP		 571/*
572 * This function should allow an FS to ask what it's mount security
573 * options were so it can use those later for submounts, displaying
574 * mount options, or whatever.
575 */
576static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 577 struct security_mnt_opts *opts)
c9180a57
EP		 578{
579 int rc = 0, i;
580 struct superblock_security_struct *sbsec = sb->s_security;
581 char *context = NULL;
582 u32 len;
583 char tmp;
1da177e4 584
e0007529 585 security_init_mnt_opts(opts);
1da177e4 586
0d90a7ec 587 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 588 return -EINVAL;
1da177e4 589
c9180a57
EP		 590 if (!ss_initialized)
591 return -EINVAL;
1da177e4 592
af8e50cc
EP		 593 /* make sure we always check enough bits to cover the mask */
594 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
595
0d90a7ec 596 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 597 /* count the number of mount options for this sb */
af8e50cc 598 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 599 if (tmp & 0x01)
e0007529 600 opts->num_mnt_opts++;
c9180a57
EP		 601 tmp >>= 1;
602 }
11689d47 603 /* Check if the Label support flag is set */
0b4bdb35 604 if (sbsec->flags & SBLABEL_MNT)
11689d47 605 opts->num_mnt_opts++;
1da177e4 606
e0007529
EP		 607 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
608 if (!opts->mnt_opts) {
c9180a57
EP		 609 rc = -ENOMEM;
610 goto out_free;
611 }
1da177e4 612
e0007529
EP		 613 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
614 if (!opts->mnt_opts_flags) {
c9180a57
EP		 615 rc = -ENOMEM;
616 goto out_free;
617 }
1da177e4 618
c9180a57
EP		 619 i = 0;
620 if (sbsec->flags & FSCONTEXT_MNT) {
621 rc = security_sid_to_context(sbsec->sid, &context, &len);
622 if (rc)
623 goto out_free;
e0007529
EP		 624 opts->mnt_opts[i] = context;
625 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 626 }
627 if (sbsec->flags & CONTEXT_MNT) {
628 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
629 if (rc)
630 goto out_free;
e0007529
EP		 631 opts->mnt_opts[i] = context;
632 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 633 }
634 if (sbsec->flags & DEFCONTEXT_MNT) {
635 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
636 if (rc)
637 goto out_free;
e0007529
EP		 638 opts->mnt_opts[i] = context;
639 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 640 }
641 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 642 struct dentry *root = sbsec->sb->s_root;
643 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 644
c9180a57
EP		 645 rc = security_sid_to_context(isec->sid, &context, &len);
646 if (rc)
647 goto out_free;
e0007529
EP		 648 opts->mnt_opts[i] = context;
649 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 650 }
12f348b9 651 if (sbsec->flags & SBLABEL_MNT) {
11689d47 652 opts->mnt_opts[i] = NULL;
12f348b9 653 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 654 }
1da177e4 655
e0007529 656 BUG_ON(i != opts->num_mnt_opts);
1da177e4 657
c9180a57
EP		 658 return 0;
659
660out_free:
e0007529 661 security_free_mnt_opts(opts);
c9180a57
EP		 662 return rc;
663}
1da177e4 664
c9180a57
EP		 665static int bad_option(struct superblock_security_struct *sbsec, char flag,
666 u32 old_sid, u32 new_sid)
667{
0d90a7ec
DQ		 668 char mnt_flags = sbsec->flags & SE_MNTMASK;
669
c9180a57 670 /* check if the old mount command had the same options */
0d90a7ec 671 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 672 if (!(sbsec->flags & flag) ||
673 (old_sid != new_sid))
674 return 1;
675
676 /* check if we were passed the same options twice,
677 * aka someone passed context=a,context=b
678 */
0d90a7ec
DQ		 679 if (!(sbsec->flags & SE_SBINITIALIZED))
680 if (mnt_flags & flag)
c9180a57
EP		 681 return 1;
682 return 0;
683}
e0007529 684
c9180a57
EP		 685/*
686 * Allow filesystems with binary mount data to explicitly set mount point
687 * labeling information.
688 */
e0007529 689static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 690 struct security_mnt_opts *opts,
691 unsigned long kern_flags,
692 unsigned long *set_kern_flags)
c9180a57 693{
275bb41e 694 const struct cred *cred = current_cred();
c9180a57 695 int rc = 0, i;
c9180a57 696 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 697 const char *name = sb->s_type->name;
83da53c5 698 struct dentry *root = sbsec->sb->s_root;
2c97165b 699 struct inode_security_struct *root_isec;
c9180a57
EP		 700 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
701 u32 defcontext_sid = 0;
e0007529
EP		 702 char **mount_options = opts->mnt_opts;
703 int *flags = opts->mnt_opts_flags;
704 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 705
706 mutex_lock(&sbsec->lock);
707
708 if (!ss_initialized) {
709 if (!num_opts) {
710 /* Defer initialization until selinux_complete_init,
711 after the initial policy is loaded and the security
712 server is ready to handle calls. */
c9180a57
EP		 713 goto out;
714 }
715 rc = -EINVAL;
744ba35e
EP		 716 printk(KERN_WARNING "SELinux: Unable to set superblock options "
717 "before the security server is initialized\n");
1da177e4 718 goto out;
c9180a57 719 }
649f6e77
DQ		 720 if (kern_flags && !set_kern_flags) {
721 /* Specifying internal flags without providing a place to
722 * place the results is not allowed */
723 rc = -EINVAL;
724 goto out;
725 }
1da177e4 726
e0007529
EP		 727 /*
728 * Binary mount data FS will come through this function twice. Once
729 * from an explicit call and once from the generic calls from the vfs.
730 * Since the generic VFS calls will not contain any security mount data
731 * we need to skip the double mount verification.
732 *
733 * This does open a hole in which we will not notice if the first
734 * mount using this sb set explict options and a second mount using
735 * this sb does not set any security options. (The first options
736 * will be used for both mounts)
737 */
0d90a7ec 738 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 739 && (num_opts == 0))
f5269710 740 goto out;
e0007529 741
2c97165b
PM		 742 root_isec = backing_inode_security_novalidate(root);
743
c9180a57
EP		 744 /*
745 * parse the mount options, check if they are valid sids.
746 * also check if someone is trying to mount the same sb more
747 * than once with different security options.
748 */
749 for (i = 0; i < num_opts; i++) {
750 u32 sid;
11689d47 751
12f348b9 752 if (flags[i] == SBLABEL_MNT)
11689d47 753 continue;
44be2f65 754 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 755 if (rc) {
44be2f65 756 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 757 "(%s) failed for (dev %s, type %s) errno=%d\n",
758 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 759 goto out;
760 }
761 switch (flags[i]) {
762 case FSCONTEXT_MNT:
763 fscontext_sid = sid;
764
765 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
766 fscontext_sid))
767 goto out_double_mount;
768
769 sbsec->flags |= FSCONTEXT_MNT;
770 break;
771 case CONTEXT_MNT:
772 context_sid = sid;
773
774 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
775 context_sid))
776 goto out_double_mount;
777
778 sbsec->flags |= CONTEXT_MNT;
779 break;
780 case ROOTCONTEXT_MNT:
781 rootcontext_sid = sid;
782
783 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
784 rootcontext_sid))
785 goto out_double_mount;
786
787 sbsec->flags |= ROOTCONTEXT_MNT;
788
789 break;
790 case DEFCONTEXT_MNT:
791 defcontext_sid = sid;
792
793 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
794 defcontext_sid))
795 goto out_double_mount;
796
797 sbsec->flags |= DEFCONTEXT_MNT;
798
799 break;
800 default:
801 rc = -EINVAL;
802 goto out;
1da177e4 803 }
c9180a57
EP		 804 }
805
0d90a7ec 806 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 807 /* previously mounted with options, but not on this attempt? */
0d90a7ec 808 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 809 goto out_double_mount;
810 rc = 0;
811 goto out;
812 }
813
089be43e 814 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 815 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
816
8e014720
SS		 817 if (!strcmp(sb->s_type->name, "debugfs") ||
818 !strcmp(sb->s_type->name, "sysfs") ||
819 !strcmp(sb->s_type->name, "pstore"))
134509d5 820 sbsec->flags |= SE_SBGENFS;
c9180a57 821
eb9ae686
DQ		 822 if (!sbsec->behavior) {
823 /*
824 * Determine the labeling behavior to use for this
825 * filesystem type.
826 */
98f700f3 827 rc = security_fs_use(sb);
eb9ae686
DQ		 828 if (rc) {
829 printk(KERN_WARNING
830 "%s: security_fs_use(%s) returned %d\n",
831 __func__, sb->s_type->name, rc);
832 goto out;
833 }
c9180a57 834 }
aad82892
SF		 835
836 /*
01593d32
SS		 837 * If this is a user namespace mount and the filesystem type is not
838 * explicitly whitelisted, then no contexts are allowed on the command
839 * line and security labels must be ignored.
aad82892 840 */
01593d32
SS		 841 if (sb->s_user_ns != &init_user_ns &&
842 strcmp(sb->s_type->name, "tmpfs") &&
843 strcmp(sb->s_type->name, "ramfs") &&
844 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 845 if (context_sid || fscontext_sid || rootcontext_sid ||
846 defcontext_sid) {
847 rc = -EACCES;
848 goto out;
849 }
850 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
851 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
852 rc = security_transition_sid(current_sid(), current_sid(),
853 SECCLASS_FILE, NULL,
854 &sbsec->mntpoint_sid);
855 if (rc)
856 goto out;
857 }
858 goto out_set_opts;
859 }
860
c9180a57
EP		 861 /* sets the context of the superblock for the fs being mounted. */
862 if (fscontext_sid) {
275bb41e 863 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 864 if (rc)
c9180a57 865 goto out;
1da177e4 866
c9180a57 867 sbsec->sid = fscontext_sid;
c312feb2
EP		 868 }
869
870 /*
871 * Switch to using mount point labeling behavior.
872 * sets the label used on all file below the mountpoint, and will set
873 * the superblock context if not already set.
874 */
eb9ae686
DQ		 875 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
876 sbsec->behavior = SECURITY_FS_USE_NATIVE;
877 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
878 }
879
c9180a57
EP		 880 if (context_sid) {
881 if (!fscontext_sid) {
275bb41e
DH		 882 rc = may_context_mount_sb_relabel(context_sid, sbsec,
883 cred);
b04ea3ce 884 if (rc)
c9180a57
EP		 885 goto out;
886 sbsec->sid = context_sid;
b04ea3ce 887 } else {
275bb41e
DH		 888 rc = may_context_mount_inode_relabel(context_sid, sbsec,
889 cred);
b04ea3ce 890 if (rc)
c9180a57 891 goto out;
b04ea3ce 892 }
c9180a57
EP		 893 if (!rootcontext_sid)
894 rootcontext_sid = context_sid;
1da177e4 895
c9180a57 896 sbsec->mntpoint_sid = context_sid;
c312feb2 897 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 898 }
899
c9180a57 900 if (rootcontext_sid) {
275bb41e
DH		 901 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
902 cred);
0808925e 903 if (rc)
c9180a57 904 goto out;
0808925e 905
c9180a57 906 root_isec->sid = rootcontext_sid;
6f3be9f5 907 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 908 }
909
c9180a57 910 if (defcontext_sid) {
eb9ae686
DQ		 911 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
912 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 913 rc = -EINVAL;
914 printk(KERN_WARNING "SELinux: defcontext option is "
915 "invalid for this filesystem type\n");
916 goto out;
1da177e4
LT		 917 }
918
c9180a57
EP		 919 if (defcontext_sid != sbsec->def_sid) {
920 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 921 sbsec, cred);
c9180a57
EP		 922 if (rc)
923 goto out;
924 }
1da177e4 925
c9180a57 926 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 927 }
928
aad82892 929out_set_opts:
c9180a57 930 rc = sb_finish_set_opts(sb);
1da177e4 931out:
c9180a57 932 mutex_unlock(&sbsec->lock);
1da177e4 933 return rc;
c9180a57
EP		 934out_double_mount:
935 rc = -EINVAL;
936 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 937 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 938 goto out;
1da177e4
LT		 939}
940
094f7b69
JL		 941static int selinux_cmp_sb_context(const struct super_block *oldsb,
942 const struct super_block *newsb)
943{
944 struct superblock_security_struct *old = oldsb->s_security;
945 struct superblock_security_struct *new = newsb->s_security;
946 char oldflags = old->flags & SE_MNTMASK;
947 char newflags = new->flags & SE_MNTMASK;
948
949 if (oldflags != newflags)
950 goto mismatch;
951 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
952 goto mismatch;
953 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
954 goto mismatch;
955 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
956 goto mismatch;
957 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 958 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
959 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 960 if (oldroot->sid != newroot->sid)
961 goto mismatch;
962 }
963 return 0;
964mismatch:
965 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
966 "different security settings for (dev %s, "
967 "type %s)\n", newsb->s_id, newsb->s_type->name);
968 return -EBUSY;
969}
970
971static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 972 struct super_block *newsb)
1da177e4 973{
c9180a57
EP		 974 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
975 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 976
c9180a57
EP		 977 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
978 int set_context = (oldsbsec->flags & CONTEXT_MNT);
979 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 980
0f5e6420
EP		 981 /*
982 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 983 * mount options. thus we can safely deal with this superblock later
0f5e6420 984 */
e8c26255 985 if (!ss_initialized)
094f7b69 986 return 0;
c9180a57 987
c9180a57 988 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 989 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 990
094f7b69 991 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 992 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 993 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 994
c9180a57
EP		 995 mutex_lock(&newsbsec->lock);
996
997 newsbsec->flags = oldsbsec->flags;
998
999 newsbsec->sid = oldsbsec->sid;
1000 newsbsec->def_sid = oldsbsec->def_sid;
1001 newsbsec->behavior = oldsbsec->behavior;
1002
1003 if (set_context) {
1004 u32 sid = oldsbsec->mntpoint_sid;
1005
1006 if (!set_fscontext)
1007 newsbsec->sid = sid;
1008 if (!set_rootcontext) {
83da53c5 1009 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1010 newisec->sid = sid;
1011 }
1012 newsbsec->mntpoint_sid = sid;
1da177e4 1013 }
c9180a57 1014 if (set_rootcontext) {
83da53c5
AG		 1015 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1016 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1017
c9180a57 1018 newisec->sid = oldisec->sid;
1da177e4
LT		 1019 }
1020
c9180a57
EP		 1021 sb_finish_set_opts(newsb);
1022 mutex_unlock(&newsbsec->lock);
094f7b69 1023 return 0;
c9180a57
EP		 1024}
1025
2e1479d9
AB		 1026static int selinux_parse_opts_str(char *options,
1027 struct security_mnt_opts *opts)
c9180a57 1028{
e0007529 1029 char *p;
c9180a57
EP		 1030 char *context = NULL, *defcontext = NULL;
1031 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1032 int rc, num_mnt_opts = 0;
1da177e4 1033
e0007529 1034 opts->num_mnt_opts = 0;
1da177e4 1035
c9180a57
EP		 1036 /* Standard string-based options. */
1037 while ((p = strsep(&options, "|")) != NULL) {
1038 int token;
1039 substring_t args[MAX_OPT_ARGS];
1da177e4 1040
c9180a57
EP		 1041 if (!*p)
1042 continue;
1da177e4 1043
c9180a57 1044 token = match_token(p, tokens, args);
1da177e4 1045
c9180a57
EP		 1046 switch (token) {
1047 case Opt_context:
1048 if (context || defcontext) {
1049 rc = -EINVAL;
1050 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1051 goto out_err;
1052 }
1053 context = match_strdup(&args[0]);
1054 if (!context) {
1055 rc = -ENOMEM;
1056 goto out_err;
1057 }
1058 break;
1059
1060 case Opt_fscontext:
1061 if (fscontext) {
1062 rc = -EINVAL;
1063 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1064 goto out_err;
1065 }
1066 fscontext = match_strdup(&args[0]);
1067 if (!fscontext) {
1068 rc = -ENOMEM;
1069 goto out_err;
1070 }
1071 break;
1072
1073 case Opt_rootcontext:
1074 if (rootcontext) {
1075 rc = -EINVAL;
1076 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1077 goto out_err;
1078 }
1079 rootcontext = match_strdup(&args[0]);
1080 if (!rootcontext) {
1081 rc = -ENOMEM;
1082 goto out_err;
1083 }
1084 break;
1085
1086 case Opt_defcontext:
1087 if (context || defcontext) {
1088 rc = -EINVAL;
1089 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1090 goto out_err;
1091 }
1092 defcontext = match_strdup(&args[0]);
1093 if (!defcontext) {
1094 rc = -ENOMEM;
1095 goto out_err;
1096 }
1097 break;
11689d47
DQ		 1098 case Opt_labelsupport:
1099 break;
c9180a57
EP		 1100 default:
1101 rc = -EINVAL;
1102 printk(KERN_WARNING "SELinux: unknown mount option\n");
1103 goto out_err;
1da177e4 1104
1da177e4 1105 }
1da177e4 1106 }
c9180a57 1107
e0007529 1108 rc = -ENOMEM;
8931c3bd 1109 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1110 if (!opts->mnt_opts)
1111 goto out_err;
1112
8931c3bd
TH		 1113 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1114 GFP_KERNEL);
e0007529
EP		 1115 if (!opts->mnt_opts_flags) {
1116 kfree(opts->mnt_opts);
1117 goto out_err;
1118 }
1119
c9180a57 1120 if (fscontext) {
e0007529
EP		 1121 opts->mnt_opts[num_mnt_opts] = fscontext;
1122 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1123 }
1124 if (context) {
e0007529
EP		 1125 opts->mnt_opts[num_mnt_opts] = context;
1126 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1127 }
1128 if (rootcontext) {
e0007529
EP		 1129 opts->mnt_opts[num_mnt_opts] = rootcontext;
1130 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1131 }
1132 if (defcontext) {
e0007529
EP		 1133 opts->mnt_opts[num_mnt_opts] = defcontext;
1134 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1135 }
1136
e0007529
EP		 1137 opts->num_mnt_opts = num_mnt_opts;
1138 return 0;
1139
c9180a57
EP		 1140out_err:
1141 kfree(context);
1142 kfree(defcontext);
1143 kfree(fscontext);
1144 kfree(rootcontext);
1da177e4
LT		 1145 return rc;
1146}
e0007529
EP		 1147/*
1148 * string mount options parsing and call set the sbsec
1149 */
1150static int superblock_doinit(struct super_block *sb, void *data)
1151{
1152 int rc = 0;
1153 char *options = data;
1154 struct security_mnt_opts opts;
1155
1156 security_init_mnt_opts(&opts);
1157
1158 if (!data)
1159 goto out;
1160
1161 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1162
1163 rc = selinux_parse_opts_str(options, &opts);
1164 if (rc)
1165 goto out_err;
1166
1167out:
649f6e77 1168 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1169
1170out_err:
1171 security_free_mnt_opts(&opts);
1172 return rc;
1173}
1da177e4 1174
3583a711
AB		 1175static void selinux_write_opts(struct seq_file *m,
1176 struct security_mnt_opts *opts)
2069f457
EP		 1177{
1178 int i;
1179 char *prefix;
1180
1181 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1182 char *has_comma;
1183
1184 if (opts->mnt_opts[i])
1185 has_comma = strchr(opts->mnt_opts[i], ',');
1186 else
1187 has_comma = NULL;
2069f457
EP		 1188
1189 switch (opts->mnt_opts_flags[i]) {
1190 case CONTEXT_MNT:
1191 prefix = CONTEXT_STR;
1192 break;
1193 case FSCONTEXT_MNT:
1194 prefix = FSCONTEXT_STR;
1195 break;
1196 case ROOTCONTEXT_MNT:
1197 prefix = ROOTCONTEXT_STR;
1198 break;
1199 case DEFCONTEXT_MNT:
1200 prefix = DEFCONTEXT_STR;
1201 break;
12f348b9 1202 case SBLABEL_MNT:
11689d47
DQ		 1203 seq_putc(m, ',');
1204 seq_puts(m, LABELSUPP_STR);
1205 continue;
2069f457
EP		 1206 default:
1207 BUG();
a35c6c83 1208 return;
2069f457
EP		 1209 };
1210 /* we need a comma before each option */
1211 seq_putc(m, ',');
1212 seq_puts(m, prefix);
1213 if (has_comma)
1214 seq_putc(m, '\"');
a068acf2 1215 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1216 if (has_comma)
1217 seq_putc(m, '\"');
1218 }
1219}
1220
1221static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1222{
1223 struct security_mnt_opts opts;
1224 int rc;
1225
1226 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1227 if (rc) {
1228 /* before policy load we may get EINVAL, don't show anything */
1229 if (rc == -EINVAL)
1230 rc = 0;
2069f457 1231 return rc;
383795c2 1232 }
2069f457
EP		 1233
1234 selinux_write_opts(m, &opts);
1235
1236 security_free_mnt_opts(&opts);
1237
1238 return rc;
1239}
1240
1da177e4
LT		 1241static inline u16 inode_mode_to_security_class(umode_t mode)
1242{
1243 switch (mode & S_IFMT) {
1244 case S_IFSOCK:
1245 return SECCLASS_SOCK_FILE;
1246 case S_IFLNK:
1247 return SECCLASS_LNK_FILE;
1248 case S_IFREG:
1249 return SECCLASS_FILE;
1250 case S_IFBLK:
1251 return SECCLASS_BLK_FILE;
1252 case S_IFDIR:
1253 return SECCLASS_DIR;
1254 case S_IFCHR:
1255 return SECCLASS_CHR_FILE;
1256 case S_IFIFO:
1257 return SECCLASS_FIFO_FILE;
1258
1259 }
1260
1261 return SECCLASS_FILE;
1262}
1263
13402580
JM		 1264static inline int default_protocol_stream(int protocol)
1265{
1266 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1267}
1268
1269static inline int default_protocol_dgram(int protocol)
1270{
1271 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1272}
1273
1da177e4
LT		 1274static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1275{
da69a530
SS		 1276 int extsockclass = selinux_policycap_extsockclass;
1277
1da177e4
LT		 1278 switch (family) {
1279 case PF_UNIX:
1280 switch (type) {
1281 case SOCK_STREAM:
1282 case SOCK_SEQPACKET:
1283 return SECCLASS_UNIX_STREAM_SOCKET;
1284 case SOCK_DGRAM:
1285 return SECCLASS_UNIX_DGRAM_SOCKET;
1286 }
1287 break;
1288 case PF_INET:
1289 case PF_INET6:
1290 switch (type) {
1291 case SOCK_STREAM:
da69a530 1292 case SOCK_SEQPACKET:
13402580
JM		 1293 if (default_protocol_stream(protocol))
1294 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1295 else if (extsockclass && protocol == IPPROTO_SCTP)
1296 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1297 else
1298 return SECCLASS_RAWIP_SOCKET;
1da177e4 1299 case SOCK_DGRAM:
13402580
JM		 1300 if (default_protocol_dgram(protocol))
1301 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1302 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1303 protocol == IPPROTO_ICMPV6))
da69a530 1304 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1305 else
1306 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1307 case SOCK_DCCP:
1308 return SECCLASS_DCCP_SOCKET;
13402580 1309 default:
1da177e4
LT		 1310 return SECCLASS_RAWIP_SOCKET;
1311 }
1312 break;
1313 case PF_NETLINK:
1314 switch (protocol) {
1315 case NETLINK_ROUTE:
1316 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1317 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1318 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1319 case NETLINK_NFLOG:
1320 return SECCLASS_NETLINK_NFLOG_SOCKET;
1321 case NETLINK_XFRM:
1322 return SECCLASS_NETLINK_XFRM_SOCKET;
1323 case NETLINK_SELINUX:
1324 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1325 case NETLINK_ISCSI:
1326 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1327 case NETLINK_AUDIT:
1328 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1329 case NETLINK_FIB_LOOKUP:
1330 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1331 case NETLINK_CONNECTOR:
1332 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1333 case NETLINK_NETFILTER:
1334 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1335 case NETLINK_DNRTMSG:
1336 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1337 case NETLINK_KOBJECT_UEVENT:
1338 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1339 case NETLINK_GENERIC:
1340 return SECCLASS_NETLINK_GENERIC_SOCKET;
1341 case NETLINK_SCSITRANSPORT:
1342 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1343 case NETLINK_RDMA:
1344 return SECCLASS_NETLINK_RDMA_SOCKET;
1345 case NETLINK_CRYPTO:
1346 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1347 default:
1348 return SECCLASS_NETLINK_SOCKET;
1349 }
1350 case PF_PACKET:
1351 return SECCLASS_PACKET_SOCKET;
1352 case PF_KEY:
1353 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1354 case PF_APPLETALK:
1355 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1356 }
1357
da69a530
SS		 1358 if (extsockclass) {
1359 switch (family) {
1360 case PF_AX25:
1361 return SECCLASS_AX25_SOCKET;
1362 case PF_IPX:
1363 return SECCLASS_IPX_SOCKET;
1364 case PF_NETROM:
1365 return SECCLASS_NETROM_SOCKET;
1366 case PF_BRIDGE:
1367 return SECCLASS_BRIDGE_SOCKET;
1368 case PF_ATMPVC:
1369 return SECCLASS_ATMPVC_SOCKET;
1370 case PF_X25:
1371 return SECCLASS_X25_SOCKET;
1372 case PF_ROSE:
1373 return SECCLASS_ROSE_SOCKET;
1374 case PF_DECnet:
1375 return SECCLASS_DECNET_SOCKET;
1376 case PF_ATMSVC:
1377 return SECCLASS_ATMSVC_SOCKET;
1378 case PF_RDS:
1379 return SECCLASS_RDS_SOCKET;
1380 case PF_IRDA:
1381 return SECCLASS_IRDA_SOCKET;
1382 case PF_PPPOX:
1383 return SECCLASS_PPPOX_SOCKET;
1384 case PF_LLC:
1385 return SECCLASS_LLC_SOCKET;
1386 case PF_IB:
1387 return SECCLASS_IB_SOCKET;
1388 case PF_MPLS:
1389 return SECCLASS_MPLS_SOCKET;
1390 case PF_CAN:
1391 return SECCLASS_CAN_SOCKET;
1392 case PF_TIPC:
1393 return SECCLASS_TIPC_SOCKET;
1394 case PF_BLUETOOTH:
1395 return SECCLASS_BLUETOOTH_SOCKET;
1396 case PF_IUCV:
1397 return SECCLASS_IUCV_SOCKET;
1398 case PF_RXRPC:
1399 return SECCLASS_RXRPC_SOCKET;
1400 case PF_ISDN:
1401 return SECCLASS_ISDN_SOCKET;
1402 case PF_PHONET:
1403 return SECCLASS_PHONET_SOCKET;
1404 case PF_IEEE802154:
1405 return SECCLASS_IEEE802154_SOCKET;
1406 case PF_CAIF:
1407 return SECCLASS_CAIF_SOCKET;
1408 case PF_ALG:
1409 return SECCLASS_ALG_SOCKET;
1410 case PF_NFC:
1411 return SECCLASS_NFC_SOCKET;
1412 case PF_VSOCK:
1413 return SECCLASS_VSOCK_SOCKET;
1414 case PF_KCM:
1415 return SECCLASS_KCM_SOCKET;
1416 case PF_QIPCRTR:
1417 return SECCLASS_QIPCRTR_SOCKET;
1418#if PF_MAX > 43
1419#error New address family defined, please update this function.
1420#endif
1421 }
1422 }
1423
1da177e4
LT		 1424 return SECCLASS_SOCKET;
1425}
1426
134509d5
SS		 1427static int selinux_genfs_get_sid(struct dentry *dentry,
1428 u16 tclass,
1429 u16 flags,
1430 u32 *sid)
1da177e4 1431{
8e6c9693 1432 int rc;
fc64005c 1433 struct super_block *sb = dentry->d_sb;
8e6c9693 1434 char *buffer, *path;
1da177e4 1435
828dfe1d 1436 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1437 if (!buffer)
1438 return -ENOMEM;
1439
8e6c9693
LAG		 1440 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1441 if (IS_ERR(path))
1442 rc = PTR_ERR(path);
1443 else {
134509d5
SS		 1444 if (flags & SE_SBPROC) {
1445 /* each process gets a /proc/PID/ entry. Strip off the
1446 * PID part to get a valid selinux labeling.
1447 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1448 while (path[1] >= '0' && path[1] <= '9') {
1449 path[1] = '/';
1450 path++;
1451 }
8e6c9693 1452 }
134509d5 1453 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1454 }
1da177e4
LT		 1455 free_page((unsigned long)buffer);
1456 return rc;
1457}
1da177e4
LT		 1458
1459/* The inode's security attributes must be initialized before first use. */
1460static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1461{
1462 struct superblock_security_struct *sbsec = NULL;
1463 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1464 u32 task_sid, sid = 0;
1465 u16 sclass;
1da177e4
LT		 1466 struct dentry *dentry;
1467#define INITCONTEXTLEN 255
1468 char *context = NULL;
1469 unsigned len = 0;
1470 int rc = 0;
1da177e4 1471
6f3be9f5 1472 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1473 return 0;
1da177e4 1474
9287aed2 1475 spin_lock(&isec->lock);
6f3be9f5 1476 if (isec->initialized == LABEL_INITIALIZED)
23970741 1477 goto out_unlock;
1da177e4 1478
13457d07
AG		 1479 if (isec->sclass == SECCLASS_FILE)
1480 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1481
1da177e4 1482 sbsec = inode->i_sb->s_security;
0d90a7ec 1483 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1484 /* Defer initialization until selinux_complete_init,
1485 after the initial policy is loaded and the security
1486 server is ready to handle calls. */
1487 spin_lock(&sbsec->isec_lock);
1488 if (list_empty(&isec->list))
1489 list_add(&isec->list, &sbsec->isec_head);
1490 spin_unlock(&sbsec->isec_lock);
23970741 1491 goto out_unlock;
1da177e4
LT		 1492 }
1493
9287aed2
AG		 1494 sclass = isec->sclass;
1495 task_sid = isec->task_sid;
1496 sid = isec->sid;
1497 isec->initialized = LABEL_PENDING;
1498 spin_unlock(&isec->lock);
1499
1da177e4 1500 switch (sbsec->behavior) {
eb9ae686
DQ		 1501 case SECURITY_FS_USE_NATIVE:
1502 break;
1da177e4 1503 case SECURITY_FS_USE_XATTR:
5d6c3191 1504 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1505 sid = sbsec->def_sid;
1da177e4
LT		 1506 break;
1507 }
1da177e4
LT		 1508 /* Need a dentry, since the xattr API requires one.
1509 Life would be simpler if we could just pass the inode. */
1510 if (opt_dentry) {
1511 /* Called from d_instantiate or d_splice_alias. */
1512 dentry = dget(opt_dentry);
1513 } else {
1514 /* Called from selinux_complete_init, try to find a dentry. */
1515 dentry = d_find_alias(inode);
1516 }
1517 if (!dentry) {
df7f54c0
EP		 1518 /*
1519 * this is can be hit on boot when a file is accessed
1520 * before the policy is loaded. When we load policy we
1521 * may find inodes that have no dentry on the
1522 * sbsec->isec_head list. No reason to complain as these
1523 * will get fixed up the next time we go through
1524 * inode_doinit with a dentry, before these inodes could
1525 * be used again by userspace.
1526 */
9287aed2 1527 goto out;
1da177e4
LT		 1528 }
1529
1530 len = INITCONTEXTLEN;
4cb912f1 1531 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1532 if (!context) {
1533 rc = -ENOMEM;
1534 dput(dentry);
9287aed2 1535 goto out;
1da177e4 1536 }
4cb912f1 1537 context[len] = '\0';
5d6c3191 1538 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1539 if (rc == -ERANGE) {
314dabb8
JM		 1540 kfree(context);
1541
1da177e4 1542 /* Need a larger buffer. Query for the right size. */
5d6c3191 1543 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1544 if (rc < 0) {
1545 dput(dentry);
9287aed2 1546 goto out;
1da177e4 1547 }
1da177e4 1548 len = rc;
4cb912f1 1549 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1550 if (!context) {
1551 rc = -ENOMEM;
1552 dput(dentry);
9287aed2 1553 goto out;
1da177e4 1554 }
4cb912f1 1555 context[len] = '\0';
5d6c3191 1556 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1557 }
1558 dput(dentry);
1559 if (rc < 0) {
1560 if (rc != -ENODATA) {
744ba35e 1561 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1562 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1563 -rc, inode->i_sb->s_id, inode->i_ino);
1564 kfree(context);
9287aed2 1565 goto out;
1da177e4
LT		 1566 }
1567 /* Map ENODATA to the default file SID */
1568 sid = sbsec->def_sid;
1569 rc = 0;
1570 } else {
f5c1d5b2 1571 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1572 sbsec->def_sid,
1573 GFP_NOFS);
1da177e4 1574 if (rc) {
4ba0a8ad
EP		 1575 char *dev = inode->i_sb->s_id;
1576 unsigned long ino = inode->i_ino;
1577
1578 if (rc == -EINVAL) {
1579 if (printk_ratelimit())
1580 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1581 "context=%s. This indicates you may need to relabel the inode or the "
1582 "filesystem in question.\n", ino, dev, context);
1583 } else {
1584 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1585 "returned %d for dev=%s ino=%ld\n",
1586 __func__, context, -rc, dev, ino);
1587 }
1da177e4
LT		 1588 kfree(context);
1589 /* Leave with the unlabeled SID */
1590 rc = 0;
1591 break;
1592 }
1593 }
1594 kfree(context);
1da177e4
LT		 1595 break;
1596 case SECURITY_FS_USE_TASK:
9287aed2 1597 sid = task_sid;
1da177e4
LT		 1598 break;
1599 case SECURITY_FS_USE_TRANS:
1600 /* Default to the fs SID. */
9287aed2 1601 sid = sbsec->sid;
1da177e4
LT		 1602
1603 /* Try to obtain a transition SID. */
9287aed2 1604 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1605 if (rc)
9287aed2 1606 goto out;
1da177e4 1607 break;
c312feb2 1608 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1609 sid = sbsec->mntpoint_sid;
c312feb2 1610 break;
1da177e4 1611 default:
c312feb2 1612 /* Default to the fs superblock SID. */
9287aed2 1613 sid = sbsec->sid;
1da177e4 1614
134509d5 1615 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1616 /* We must have a dentry to determine the label on
1617 * procfs inodes */
1618 if (opt_dentry)
1619 /* Called from d_instantiate or
1620 * d_splice_alias. */
1621 dentry = dget(opt_dentry);
1622 else
1623 /* Called from selinux_complete_init, try to
1624 * find a dentry. */
1625 dentry = d_find_alias(inode);
1626 /*
1627 * This can be hit on boot when a file is accessed
1628 * before the policy is loaded. When we load policy we
1629 * may find inodes that have no dentry on the
1630 * sbsec->isec_head list. No reason to complain as
1631 * these will get fixed up the next time we go through
1632 * inode_doinit() with a dentry, before these inodes
1633 * could be used again by userspace.
1634 */
1635 if (!dentry)
9287aed2
AG		 1636 goto out;
1637 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1638 sbsec->flags, &sid);
f64410ec
PM		 1639 dput(dentry);
1640 if (rc)
9287aed2 1641 goto out;
1da177e4
LT		 1642 }
1643 break;
1644 }
1645
9287aed2
AG		 1646out:
1647 spin_lock(&isec->lock);
1648 if (isec->initialized == LABEL_PENDING) {
1649 if (!sid || rc) {
1650 isec->initialized = LABEL_INVALID;
1651 goto out_unlock;
1652 }
1653
1654 isec->initialized = LABEL_INITIALIZED;
1655 isec->sid = sid;
1656 }
1da177e4 1657
23970741 1658out_unlock:
9287aed2 1659 spin_unlock(&isec->lock);
1da177e4
LT		 1660 return rc;
1661}
1662
1663/* Convert a Linux signal to an access vector. */
1664static inline u32 signal_to_av(int sig)
1665{
1666 u32 perm = 0;
1667
1668 switch (sig) {
1669 case SIGCHLD:
1670 /* Commonly granted from child to parent. */
1671 perm = PROCESS__SIGCHLD;
1672 break;
1673 case SIGKILL:
1674 /* Cannot be caught or ignored */
1675 perm = PROCESS__SIGKILL;
1676 break;
1677 case SIGSTOP:
1678 /* Cannot be caught or ignored */
1679 perm = PROCESS__SIGSTOP;
1680 break;
1681 default:
1682 /* All other signals. */
1683 perm = PROCESS__SIGNAL;
1684 break;
1685 }
1686
1687 return perm;
1688}
1689
d84f4f99
DH		 1690/*
1691 * Check permission between a pair of credentials
1692 * fork check, ptrace check, etc.
1693 */
1694static int cred_has_perm(const struct cred *actor,
1695 const struct cred *target,
1696 u32 perms)
1697{
1698 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1699
1700 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1701}
1702
275bb41e 1703/*
88e67f3b 1704 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1705 * fork check, ptrace check, etc.
1706 * tsk1 is the actor and tsk2 is the target
3b11a1de 1707 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1708 */
1709static int task_has_perm(const struct task_struct *tsk1,
1710 const struct task_struct *tsk2,
1da177e4
LT		 1711 u32 perms)
1712{
275bb41e
DH		 1713 const struct task_security_struct *__tsec1, *__tsec2;
1714 u32 sid1, sid2;
1da177e4 1715
275bb41e
DH		 1716 rcu_read_lock();
1717 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1718 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1719 rcu_read_unlock();
1720 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1721}
1722
3b11a1de
DH		 1723/*
1724 * Check permission between current and another task, e.g. signal checks,
1725 * fork check, ptrace check, etc.
1726 * current is the actor and tsk2 is the target
1727 * - this uses current's subjective creds
1728 */
1729static int current_has_perm(const struct task_struct *tsk,
1730 u32 perms)
1731{
1732 u32 sid, tsid;
1733
1734 sid = current_sid();
1735 tsid = task_sid(tsk);
1736 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1737}
1738
b68e418c
SS		 1739#if CAP_LAST_CAP > 63
1740#error Fix SELinux to handle capabilities > 63.
1741#endif
1742
1da177e4 1743/* Check whether a task is allowed to use a capability. */
6a9de491 1744static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1745 int cap, int audit, bool initns)
1da177e4 1746{
2bf49690 1747 struct common_audit_data ad;
06112163 1748 struct av_decision avd;
b68e418c 1749 u16 sclass;
3699c53c 1750 u32 sid = cred_sid(cred);
b68e418c 1751 u32 av = CAP_TO_MASK(cap);
06112163 1752 int rc;
1da177e4 1753
50c205f5 1754 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1755 ad.u.cap = cap;
1756
b68e418c
SS		 1757 switch (CAP_TO_INDEX(cap)) {
1758 case 0:
8e4ff6f2 1759 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1760 break;
1761 case 1:
8e4ff6f2 1762 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1763 break;
1764 default:
1765 printk(KERN_ERR
1766 "SELinux: out of range capability %d\n", cap);
1767 BUG();
a35c6c83 1768 return -EINVAL;
b68e418c 1769 }
06112163 1770
275bb41e 1771 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1772 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1773 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1774 if (rc2)
1775 return rc2;
1776 }
06112163 1777 return rc;
1da177e4
LT		 1778}
1779
1780/* Check whether a task is allowed to use a system operation. */
1781static int task_has_system(struct task_struct *tsk,
1782 u32 perms)
1783{
275bb41e 1784 u32 sid = task_sid(tsk);
1da177e4 1785
275bb41e 1786 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1787 SECCLASS_SYSTEM, perms, NULL);
1788}
1789
1790/* Check whether a task has a particular permission to an inode.
1791 The 'adp' parameter is optional and allows other audit
1792 data to be passed (e.g. the dentry). */
88e67f3b 1793static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1794 struct inode *inode,
1795 u32 perms,
19e49834 1796 struct common_audit_data *adp)
1da177e4 1797{
1da177e4 1798 struct inode_security_struct *isec;
275bb41e 1799 u32 sid;
1da177e4 1800
e0e81739
DH		 1801 validate_creds(cred);
1802
828dfe1d 1803 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1804 return 0;
1805
88e67f3b 1806 sid = cred_sid(cred);
1da177e4
LT		 1807 isec = inode->i_security;
1808
19e49834 1809 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1810}
1811
1812/* Same as inode_has_perm, but pass explicit audit data containing
1813 the dentry to help the auditing code to more easily generate the
1814 pathname if needed. */
88e67f3b 1815static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1816 struct dentry *dentry,
1817 u32 av)
1818{
c6f493d6 1819 struct inode *inode = d_backing_inode(dentry);
2bf49690 1820 struct common_audit_data ad;
88e67f3b 1821
50c205f5 1822 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1823 ad.u.dentry = dentry;
5d226df4 1824 __inode_security_revalidate(inode, dentry, true);
19e49834 1825 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1826}
1827
1828/* Same as inode_has_perm, but pass explicit audit data containing
1829 the path to help the auditing code to more easily generate the
1830 pathname if needed. */
1831static inline int path_has_perm(const struct cred *cred,
3f7036a0 1832 const struct path *path,
2875fa00
EP		 1833 u32 av)
1834{
c6f493d6 1835 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1836 struct common_audit_data ad;
1837
50c205f5 1838 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1839 ad.u.path = *path;
5d226df4 1840 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1841 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1842}
1843
13f8e981
DH		 1844/* Same as path_has_perm, but uses the inode from the file struct. */
1845static inline int file_path_has_perm(const struct cred *cred,
1846 struct file *file,
1847 u32 av)
1848{
1849 struct common_audit_data ad;
1850
43af5de7
VG		 1851 ad.type = LSM_AUDIT_DATA_FILE;
1852 ad.u.file = file;
19e49834 1853 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1854}
1855
1da177e4
LT		 1856/* Check whether a task can use an open file descriptor to
1857 access an inode in a given way. Check access to the
1858 descriptor itself, and then use dentry_has_perm to
1859 check a particular permission to the file.
1860 Access to the descriptor is implicitly granted if it
1861 has the same SID as the process. If av is zero, then
1862 access to the file is not checked, e.g. for cases
1863 where only the descriptor is affected like seek. */
88e67f3b
DH		 1864static int file_has_perm(const struct cred *cred,
1865 struct file *file,
1866 u32 av)
1da177e4 1867{
1da177e4 1868 struct file_security_struct *fsec = file->f_security;
496ad9aa 1869 struct inode *inode = file_inode(file);
2bf49690 1870 struct common_audit_data ad;
88e67f3b 1871 u32 sid = cred_sid(cred);
1da177e4
LT		 1872 int rc;
1873
43af5de7
VG		 1874 ad.type = LSM_AUDIT_DATA_FILE;
1875 ad.u.file = file;
1da177e4 1876
275bb41e
DH		 1877 if (sid != fsec->sid) {
1878 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1879 SECCLASS_FD,
1880 FD__USE,
1881 &ad);
1882 if (rc)
88e67f3b 1883 goto out;
1da177e4
LT		 1884 }
1885
1886 /* av is zero if only checking access to the descriptor. */
88e67f3b 1887 rc = 0;
1da177e4 1888 if (av)
19e49834 1889 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1890
88e67f3b
DH		 1891out:
1892 return rc;
1da177e4
LT		 1893}
1894
c3c188b2
DH		 1895/*
1896 * Determine the label for an inode that might be unioned.
1897 */
c957f6df
VG		 1898static int
1899selinux_determine_inode_label(const struct task_security_struct *tsec,
1900 struct inode *dir,
1901 const struct qstr *name, u16 tclass,
1902 u32 *_new_isid)
c3c188b2
DH		 1903{
1904 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1905
1906 if ((sbsec->flags & SE_SBINITIALIZED) &&
1907 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1908 *_new_isid = sbsec->mntpoint_sid;
1909 } else if ((sbsec->flags & SBLABEL_MNT) &&
1910 tsec->create_sid) {
1911 *_new_isid = tsec->create_sid;
1912 } else {
20cdef8d 1913 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1914 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1915 name, _new_isid);
1916 }
1917
1918 return 0;
1919}
1920
1da177e4
LT		 1921/* Check whether a task can create a file. */
1922static int may_create(struct inode *dir,
1923 struct dentry *dentry,
1924 u16 tclass)
1925{
5fb49870 1926 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1927 struct inode_security_struct *dsec;
1928 struct superblock_security_struct *sbsec;
275bb41e 1929 u32 sid, newsid;
2bf49690 1930 struct common_audit_data ad;
1da177e4
LT		 1931 int rc;
1932
83da53c5 1933 dsec = inode_security(dir);
1da177e4
LT		 1934 sbsec = dir->i_sb->s_security;
1935
275bb41e 1936 sid = tsec->sid;
275bb41e 1937
50c205f5 1938 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1939 ad.u.dentry = dentry;
1da177e4 1940
275bb41e 1941 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1942 DIR__ADD_NAME | DIR__SEARCH,
1943 &ad);
1944 if (rc)
1945 return rc;
1946
c957f6df
VG		 1947 rc = selinux_determine_inode_label(current_security(), dir,
1948 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1949 if (rc)
1950 return rc;
1da177e4 1951
275bb41e 1952 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1953 if (rc)
1954 return rc;
1955
1956 return avc_has_perm(newsid, sbsec->sid,
1957 SECCLASS_FILESYSTEM,
1958 FILESYSTEM__ASSOCIATE, &ad);
1959}
1960
4eb582cf
ML		 1961/* Check whether a task can create a key. */
1962static int may_create_key(u32 ksid,
1963 struct task_struct *ctx)
1964{
275bb41e 1965 u32 sid = task_sid(ctx);
4eb582cf 1966
275bb41e 1967 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1968}
1969
828dfe1d
EP		 1970#define MAY_LINK 0
1971#define MAY_UNLINK 1
1972#define MAY_RMDIR 2
1da177e4
LT		 1973
1974/* Check whether a task can link, unlink, or rmdir a file/directory. */
1975static int may_link(struct inode *dir,
1976 struct dentry *dentry,
1977 int kind)
1978
1979{
1da177e4 1980 struct inode_security_struct *dsec, *isec;
2bf49690 1981 struct common_audit_data ad;
275bb41e 1982 u32 sid = current_sid();
1da177e4
LT		 1983 u32 av;
1984 int rc;
1985
83da53c5
AG		 1986 dsec = inode_security(dir);
1987 isec = backing_inode_security(dentry);
1da177e4 1988
50c205f5 1989 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1990 ad.u.dentry = dentry;
1da177e4
LT		 1991
1992 av = DIR__SEARCH;
1993 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1994 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1995 if (rc)
1996 return rc;
1997
1998 switch (kind) {
1999 case MAY_LINK:
2000 av = FILE__LINK;
2001 break;
2002 case MAY_UNLINK:
2003 av = FILE__UNLINK;
2004 break;
2005 case MAY_RMDIR:
2006 av = DIR__RMDIR;
2007 break;
2008 default:
744ba35e
EP		 2009 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2010 __func__, kind);
1da177e4
LT		 2011 return 0;
2012 }
2013
275bb41e 2014 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 2015 return rc;
2016}
2017
2018static inline int may_rename(struct inode *old_dir,
2019 struct dentry *old_dentry,
2020 struct inode *new_dir,
2021 struct dentry *new_dentry)
2022{
1da177e4 2023 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 2024 struct common_audit_data ad;
275bb41e 2025 u32 sid = current_sid();
1da177e4
LT		 2026 u32 av;
2027 int old_is_dir, new_is_dir;
2028 int rc;
2029
83da53c5
AG		 2030 old_dsec = inode_security(old_dir);
2031 old_isec = backing_inode_security(old_dentry);
e36cb0b8 2032 old_is_dir = d_is_dir(old_dentry);
83da53c5 2033 new_dsec = inode_security(new_dir);
1da177e4 2034
50c205f5 2035 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 2036
a269434d 2037 ad.u.dentry = old_dentry;
275bb41e 2038 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 2039 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2040 if (rc)
2041 return rc;
275bb41e 2042 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2043 old_isec->sclass, FILE__RENAME, &ad);
2044 if (rc)
2045 return rc;
2046 if (old_is_dir && new_dir != old_dir) {
275bb41e 2047 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2048 old_isec->sclass, DIR__REPARENT, &ad);
2049 if (rc)
2050 return rc;
2051 }
2052
a269434d 2053 ad.u.dentry = new_dentry;
1da177e4 2054 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2055 if (d_is_positive(new_dentry))
1da177e4 2056 av |= DIR__REMOVE_NAME;
275bb41e 2057 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2058 if (rc)
2059 return rc;
2c616d4d 2060 if (d_is_positive(new_dentry)) {
83da53c5 2061 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2062 new_is_dir = d_is_dir(new_dentry);
275bb41e 2063 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 2064 new_isec->sclass,
2065 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2066 if (rc)
2067 return rc;
2068 }
2069
2070 return 0;
2071}
2072
2073/* Check whether a task can perform a filesystem operation. */
88e67f3b 2074static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2075 struct super_block *sb,
2076 u32 perms,
2bf49690 2077 struct common_audit_data *ad)
1da177e4 2078{
1da177e4 2079 struct superblock_security_struct *sbsec;
88e67f3b 2080 u32 sid = cred_sid(cred);
1da177e4 2081
1da177e4 2082 sbsec = sb->s_security;
275bb41e 2083 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2084}
2085
2086/* Convert a Linux mode and permission mask to an access vector. */
2087static inline u32 file_mask_to_av(int mode, int mask)
2088{
2089 u32 av = 0;
2090
dba19c60 2091 if (!S_ISDIR(mode)) {
1da177e4
LT		 2092 if (mask & MAY_EXEC)
2093 av |= FILE__EXECUTE;
2094 if (mask & MAY_READ)
2095 av |= FILE__READ;
2096
2097 if (mask & MAY_APPEND)
2098 av |= FILE__APPEND;
2099 else if (mask & MAY_WRITE)
2100 av |= FILE__WRITE;
2101
2102 } else {
2103 if (mask & MAY_EXEC)
2104 av |= DIR__SEARCH;
2105 if (mask & MAY_WRITE)
2106 av |= DIR__WRITE;
2107 if (mask & MAY_READ)
2108 av |= DIR__READ;
2109 }
2110
2111 return av;
2112}
2113
8b6a5a37
EP		 2114/* Convert a Linux file to an access vector. */
2115static inline u32 file_to_av(struct file *file)
2116{
2117 u32 av = 0;
2118
2119 if (file->f_mode & FMODE_READ)
2120 av |= FILE__READ;
2121 if (file->f_mode & FMODE_WRITE) {
2122 if (file->f_flags & O_APPEND)
2123 av |= FILE__APPEND;
2124 else
2125 av |= FILE__WRITE;
2126 }
2127 if (!av) {
2128 /*
2129 * Special file opened with flags 3 for ioctl-only use.
2130 */
2131 av = FILE__IOCTL;
2132 }
2133
2134 return av;
2135}
2136
b0c636b9 2137/*
8b6a5a37 2138 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2139 * open permission.
2140 */
8b6a5a37 2141static inline u32 open_file_to_av(struct file *file)
b0c636b9 2142{
8b6a5a37 2143 u32 av = file_to_av(file);
b0c636b9 2144
49b7b8de
EP		 2145 if (selinux_policycap_openperm)
2146 av |= FILE__OPEN;
2147
b0c636b9
EP		 2148 return av;
2149}
2150
1da177e4
LT		 2151/* Hook functions begin here. */
2152
79af7307
SS		 2153static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2154{
2155 u32 mysid = current_sid();
2156 u32 mgrsid = task_sid(mgr);
2157
2158 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2159 BINDER__SET_CONTEXT_MGR, NULL);
2160}
2161
2162static int selinux_binder_transaction(struct task_struct *from,
2163 struct task_struct *to)
2164{
2165 u32 mysid = current_sid();
2166 u32 fromsid = task_sid(from);
2167 u32 tosid = task_sid(to);
2168 int rc;
2169
2170 if (mysid != fromsid) {
2171 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2172 BINDER__IMPERSONATE, NULL);
2173 if (rc)
2174 return rc;
2175 }
2176
2177 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2178 NULL);
2179}
2180
2181static int selinux_binder_transfer_binder(struct task_struct *from,
2182 struct task_struct *to)
2183{
2184 u32 fromsid = task_sid(from);
2185 u32 tosid = task_sid(to);
2186
2187 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2188 NULL);
2189}
2190
2191static int selinux_binder_transfer_file(struct task_struct *from,
2192 struct task_struct *to,
2193 struct file *file)
2194{
2195 u32 sid = task_sid(to);
2196 struct file_security_struct *fsec = file->f_security;
83da53c5 2197 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2198 struct inode_security_struct *isec;
79af7307
SS		 2199 struct common_audit_data ad;
2200 int rc;
2201
2202 ad.type = LSM_AUDIT_DATA_PATH;
2203 ad.u.path = file->f_path;
2204
2205 if (sid != fsec->sid) {
2206 rc = avc_has_perm(sid, fsec->sid,
2207 SECCLASS_FD,
2208 FD__USE,
2209 &ad);
2210 if (rc)
2211 return rc;
2212 }
2213
83da53c5 2214 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2215 return 0;
2216
20cdef8d 2217 isec = backing_inode_security(dentry);
79af7307
SS		 2218 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2219 &ad);
2220}
2221
9e48858f 2222static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2223 unsigned int mode)
1da177e4 2224{
69f594a3 2225 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2226 u32 sid = current_sid();
2227 u32 csid = task_sid(child);
2228 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2229 }
2230
3b11a1de 2231 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2232}
2233
2234static int selinux_ptrace_traceme(struct task_struct *parent)
2235{
5cd9c58f 2236 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2237}
2238
2239static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2240 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2241{
b1d9e6b0 2242 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2243}
2244
d84f4f99
DH		 2245static int selinux_capset(struct cred *new, const struct cred *old,
2246 const kernel_cap_t *effective,
2247 const kernel_cap_t *inheritable,
2248 const kernel_cap_t *permitted)
1da177e4 2249{
d84f4f99 2250 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2251}
2252
5626d3e8
JM		 2253/*
2254 * (This comment used to live with the selinux_task_setuid hook,
2255 * which was removed).
2256 *
2257 * Since setuid only affects the current process, and since the SELinux
2258 * controls are not based on the Linux identity attributes, SELinux does not
2259 * need to control this operation. However, SELinux does control the use of
2260 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2261 */
2262
6a9de491
EP		 2263static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2264 int cap, int audit)
1da177e4 2265{
8e4ff6f2 2266 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2267}
2268
1da177e4
LT		 2269static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2270{
88e67f3b 2271 const struct cred *cred = current_cred();
1da177e4
LT		 2272 int rc = 0;
2273
2274 if (!sb)
2275 return 0;
2276
2277 switch (cmds) {
828dfe1d
EP		 2278 case Q_SYNC:
2279 case Q_QUOTAON:
2280 case Q_QUOTAOFF:
2281 case Q_SETINFO:
2282 case Q_SETQUOTA:
88e67f3b 2283 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2284 break;
2285 case Q_GETFMT:
2286 case Q_GETINFO:
2287 case Q_GETQUOTA:
88e67f3b 2288 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2289 break;
2290 default:
2291 rc = 0; /* let the kernel handle invalid cmds */
2292 break;
1da177e4
LT		 2293 }
2294 return rc;
2295}
2296
2297static int selinux_quota_on(struct dentry *dentry)
2298{
88e67f3b
DH		 2299 const struct cred *cred = current_cred();
2300
2875fa00 2301 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2302}
2303
12b3052c 2304static int selinux_syslog(int type)
1da177e4
LT		 2305{
2306 int rc;
2307
1da177e4 2308 switch (type) {
d78ca3cd
KC		 2309 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2310 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2311 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2312 break;
d78ca3cd
KC		 2313 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2314 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2315 /* Set level of messages printed to console */
2316 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2317 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2318 break;
d78ca3cd
KC		 2319 case SYSLOG_ACTION_CLOSE: /* Close log */
2320 case SYSLOG_ACTION_OPEN: /* Open log */
2321 case SYSLOG_ACTION_READ: /* Read from log */
2322 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2323 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2324 default:
2325 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2326 break;
1da177e4
LT		 2327 }
2328 return rc;
2329}
2330
2331/*
2332 * Check that a process has enough memory to allocate a new virtual
2333 * mapping. 0 means there is enough memory for the allocation to
2334 * succeed and -ENOMEM implies there is not.
2335 *
1da177e4
LT		 2336 * Do not audit the selinux permission check, as this is applied to all
2337 * processes that allocate mappings.
2338 */
34b4e4aa 2339static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2340{
2341 int rc, cap_sys_admin = 0;
1da177e4 2342
b1d9e6b0 2343 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2344 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2345 if (rc == 0)
2346 cap_sys_admin = 1;
2347
b1d9e6b0 2348 return cap_sys_admin;
1da177e4
LT		 2349}
2350
2351/* binprm security operations */
2352
0c6181cb
PM		 2353static u32 ptrace_parent_sid(struct task_struct *task)
2354{
2355 u32 sid = 0;
2356 struct task_struct *tracer;
2357
2358 rcu_read_lock();
2359 tracer = ptrace_parent(task);
2360 if (tracer)
2361 sid = task_sid(tracer);
2362 rcu_read_unlock();
2363
2364 return sid;
2365}
2366
7b0d0b40
SS		 2367static int check_nnp_nosuid(const struct linux_binprm *bprm,
2368 const struct task_security_struct *old_tsec,
2369 const struct task_security_struct *new_tsec)
2370{
2371 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2372 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40
SS		 2373 int rc;
2374
2375 if (!nnp && !nosuid)
2376 return 0; /* neither NNP nor nosuid */
2377
2378 if (new_tsec->sid == old_tsec->sid)
2379 return 0; /* No change in credentials */
2380
2381 /*
2382 * The only transitions we permit under NNP or nosuid
2383 * are transitions to bounded SIDs, i.e. SIDs that are
2384 * guaranteed to only be allowed a subset of the permissions
2385 * of the current SID.
2386 */
2387 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2388 if (rc) {
2389 /*
2390 * On failure, preserve the errno values for NNP vs nosuid.
2391 * NNP: Operation not permitted for caller.
2392 * nosuid: Permission denied to file.
2393 */
2394 if (nnp)
2395 return -EPERM;
2396 else
2397 return -EACCES;
2398 }
2399 return 0;
2400}
2401
a6f76f23 2402static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2403{
a6f76f23
DH		 2404 const struct task_security_struct *old_tsec;
2405 struct task_security_struct *new_tsec;
1da177e4 2406 struct inode_security_struct *isec;
2bf49690 2407 struct common_audit_data ad;
496ad9aa 2408 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2409 int rc;
2410
a6f76f23
DH		 2411 /* SELinux context only depends on initial program or script and not
2412 * the script interpreter */
2413 if (bprm->cred_prepared)
1da177e4
LT		 2414 return 0;
2415
a6f76f23
DH		 2416 old_tsec = current_security();
2417 new_tsec = bprm->cred->security;
83da53c5 2418 isec = inode_security(inode);
1da177e4
LT		 2419
2420 /* Default to the current task SID. */
a6f76f23
DH		 2421 new_tsec->sid = old_tsec->sid;
2422 new_tsec->osid = old_tsec->sid;
1da177e4 2423
28eba5bf 2424 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2425 new_tsec->create_sid = 0;
2426 new_tsec->keycreate_sid = 0;
2427 new_tsec->sockcreate_sid = 0;
1da177e4 2428
a6f76f23
DH		 2429 if (old_tsec->exec_sid) {
2430 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2431 /* Reset exec SID on execve. */
a6f76f23 2432 new_tsec->exec_sid = 0;
259e5e6c 2433
7b0d0b40
SS		 2434 /* Fail on NNP or nosuid if not an allowed transition. */
2435 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2436 if (rc)
2437 return rc;
1da177e4
LT		 2438 } else {
2439 /* Check for a default transition on this program. */
a6f76f23 2440 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2441 SECCLASS_PROCESS, NULL,
2442 &new_tsec->sid);
1da177e4
LT		 2443 if (rc)
2444 return rc;
7b0d0b40
SS		 2445
2446 /*
2447 * Fallback to old SID on NNP or nosuid if not an allowed
2448 * transition.
2449 */
2450 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2451 if (rc)
2452 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2453 }
2454
43af5de7
VG		 2455 ad.type = LSM_AUDIT_DATA_FILE;
2456 ad.u.file = bprm->file;
1da177e4 2457
a6f76f23
DH		 2458 if (new_tsec->sid == old_tsec->sid) {
2459 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2460 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2461 if (rc)
2462 return rc;
2463 } else {
2464 /* Check permissions for the transition. */
a6f76f23 2465 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2466 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2467 if (rc)
2468 return rc;
2469
a6f76f23 2470 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2471 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2472 if (rc)
2473 return rc;
2474
a6f76f23
DH		 2475 /* Check for shared state */
2476 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2477 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2478 SECCLASS_PROCESS, PROCESS__SHARE,
2479 NULL);
2480 if (rc)
2481 return -EPERM;
2482 }
2483
2484 /* Make sure that anyone attempting to ptrace over a task that
2485 * changes its SID has the appropriate permit */
2486 if (bprm->unsafe &
2487 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0c6181cb 2488 u32 ptsid = ptrace_parent_sid(current);
a6f76f23
DH		 2489 if (ptsid != 0) {
2490 rc = avc_has_perm(ptsid, new_tsec->sid,
2491 SECCLASS_PROCESS,
2492 PROCESS__PTRACE, NULL);
2493 if (rc)
2494 return -EPERM;
2495 }
2496 }
1da177e4 2497
a6f76f23
DH		 2498 /* Clear any possibly unsafe personality bits on exec: */
2499 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2500 }
2501
1da177e4
LT		 2502 return 0;
2503}
2504
828dfe1d 2505static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2506{
5fb49870 2507 const struct task_security_struct *tsec = current_security();
275bb41e 2508 u32 sid, osid;
1da177e4
LT		 2509 int atsecure = 0;
2510
275bb41e
DH		 2511 sid = tsec->sid;
2512 osid = tsec->osid;
2513
2514 if (osid != sid) {
1da177e4
LT		 2515 /* Enable secure mode for SIDs transitions unless
2516 the noatsecure permission is granted between
2517 the two SIDs, i.e. ahp returns 0. */
275bb41e 2518 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2519 SECCLASS_PROCESS,
2520 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2521 }
2522
b1d9e6b0 2523 return !!atsecure;
1da177e4
LT		 2524}
2525
c3c073f8
AV		 2526static int match_file(const void *p, struct file *file, unsigned fd)
2527{
2528 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2529}
2530
1da177e4 2531/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2532static inline void flush_unauthorized_files(const struct cred *cred,
2533 struct files_struct *files)
1da177e4 2534{
1da177e4 2535 struct file *file, *devnull = NULL;
b20c8122 2536 struct tty_struct *tty;
24ec839c 2537 int drop_tty = 0;
c3c073f8 2538 unsigned n;
1da177e4 2539
24ec839c 2540 tty = get_current_tty();
1da177e4 2541 if (tty) {
4a510969 2542 spin_lock(&tty->files_lock);
37dd0bd0 2543 if (!list_empty(&tty->tty_files)) {
d996b62a 2544 struct tty_file_private *file_priv;
37dd0bd0 2545
1da177e4 2546 /* Revalidate access to controlling tty.
13f8e981
DH		 2547 Use file_path_has_perm on the tty path directly
2548 rather than using file_has_perm, as this particular
2549 open file may belong to another process and we are
2550 only interested in the inode-based check here. */
d996b62a
NP		 2551 file_priv = list_first_entry(&tty->tty_files,
2552 struct tty_file_private, list);
2553 file = file_priv->file;
13f8e981 2554 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2555 drop_tty = 1;
1da177e4 2556 }
4a510969 2557 spin_unlock(&tty->files_lock);
452a00d2 2558 tty_kref_put(tty);
1da177e4 2559 }
98a27ba4
EB		 2560 /* Reset controlling tty. */
2561 if (drop_tty)
2562 no_tty();
1da177e4
LT		 2563
2564 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2565 n = iterate_fd(files, 0, match_file, cred);
2566 if (!n) /* none found? */
2567 return;
1da177e4 2568
c3c073f8 2569 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2570 if (IS_ERR(devnull))
2571 devnull = NULL;
2572 /* replace all the matching ones with this */
2573 do {
2574 replace_fd(n - 1, devnull, 0);
2575 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2576 if (devnull)
c3c073f8 2577 fput(devnull);
1da177e4
LT		 2578}
2579
a6f76f23
DH		 2580/*
2581 * Prepare a process for imminent new credential changes due to exec
2582 */
2583static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2584{
a6f76f23
DH		 2585 struct task_security_struct *new_tsec;
2586 struct rlimit *rlim, *initrlim;
2587 int rc, i;
d84f4f99 2588
a6f76f23
DH		 2589 new_tsec = bprm->cred->security;
2590 if (new_tsec->sid == new_tsec->osid)
2591 return;
1da177e4 2592
a6f76f23
DH		 2593 /* Close files for which the new task SID is not authorized. */
2594 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2595
a6f76f23
DH		 2596 /* Always clear parent death signal on SID transitions. */
2597 current->pdeath_signal = 0;
0356357c 2598
a6f76f23
DH		 2599 /* Check whether the new SID can inherit resource limits from the old
2600 * SID. If not, reset all soft limits to the lower of the current
2601 * task's hard limit and the init task's soft limit.
2602 *
2603 * Note that the setting of hard limits (even to lower them) can be
2604 * controlled by the setrlimit check. The inclusion of the init task's
2605 * soft limit into the computation is to avoid resetting soft limits
2606 * higher than the default soft limit for cases where the default is
2607 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2608 */
2609 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2610 PROCESS__RLIMITINH, NULL);
2611 if (rc) {
eb2d55a3
ON		 2612 /* protect against do_prlimit() */
2613 task_lock(current);
a6f76f23
DH		 2614 for (i = 0; i < RLIM_NLIMITS; i++) {
2615 rlim = current->signal->rlim + i;
2616 initrlim = init_task.signal->rlim + i;
2617 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2618 }
eb2d55a3 2619 task_unlock(current);
baa73d9e
NP		 2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2621 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2622 }
2623}
2624
2625/*
a6f76f23
DH		 2626 * Clean up the process immediately after the installation of new credentials
2627 * due to exec
1da177e4 2628 */
a6f76f23 2629static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2630{
a6f76f23 2631 const struct task_security_struct *tsec = current_security();
1da177e4 2632 struct itimerval itimer;
a6f76f23 2633 u32 osid, sid;
1da177e4
LT		 2634 int rc, i;
2635
a6f76f23
DH		 2636 osid = tsec->osid;
2637 sid = tsec->sid;
2638
2639 if (sid == osid)
1da177e4
LT		 2640 return;
2641
a6f76f23
DH		 2642 /* Check whether the new SID can inherit signal state from the old SID.
2643 * If not, clear itimers to avoid subsequent signal generation and
2644 * flush and unblock signals.
2645 *
2646 * This must occur _after_ the task SID has been updated so that any
2647 * kill done after the flush will be checked against the new SID.
2648 */
2649 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2650 if (rc) {
baa73d9e
NP		 2651 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2652 memset(&itimer, 0, sizeof itimer);
2653 for (i = 0; i < 3; i++)
2654 do_setitimer(i, &itimer, NULL);
2655 }
1da177e4 2656 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2657 if (!fatal_signal_pending(current)) {
2658 flush_sigqueue(&current->pending);
2659 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2660 flush_signal_handlers(current, 1);
2661 sigemptyset(&current->blocked);
9e7c8f8c 2662 recalc_sigpending();
3bcac026 2663 }
1da177e4
LT		 2664 spin_unlock_irq(&current->sighand->siglock);
2665 }
2666
a6f76f23
DH		 2667 /* Wake up the parent if it is waiting so that it can recheck
2668 * wait permission to the new task SID. */
ecd6de3c 2669 read_lock(&tasklist_lock);
0b7570e7 2670 __wake_up_parent(current, current->real_parent);
ecd6de3c 2671 read_unlock(&tasklist_lock);
1da177e4
LT		 2672}
2673
2674/* superblock security operations */
2675
2676static int selinux_sb_alloc_security(struct super_block *sb)
2677{
2678 return superblock_alloc_security(sb);
2679}
2680
2681static void selinux_sb_free_security(struct super_block *sb)
2682{
2683 superblock_free_security(sb);
2684}
2685
2686static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2687{
2688 if (plen > olen)
2689 return 0;
2690
2691 return !memcmp(prefix, option, plen);
2692}
2693
2694static inline int selinux_option(char *option, int len)
2695{
832cbd9a
EP		 2696 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2697 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2698 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2699 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2700 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2701}
2702
2703static inline void take_option(char **to, char *from, int *first, int len)
2704{
2705 if (!*first) {
2706 **to = ',';
2707 *to += 1;
3528a953 2708 } else
1da177e4
LT		 2709 *first = 0;
2710 memcpy(*to, from, len);
2711 *to += len;
2712}
2713
828dfe1d
EP		 2714static inline void take_selinux_option(char **to, char *from, int *first,
2715 int len)
3528a953
CO		 2716{
2717 int current_size = 0;
2718
2719 if (!*first) {
2720 **to = '|';
2721 *to += 1;
828dfe1d 2722 } else
3528a953
CO		 2723 *first = 0;
2724
2725 while (current_size < len) {
2726 if (*from != '"') {
2727 **to = *from;
2728 *to += 1;
2729 }
2730 from += 1;
2731 current_size += 1;
2732 }
2733}
2734
e0007529 2735static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2736{
2737 int fnosec, fsec, rc = 0;
2738 char *in_save, *in_curr, *in_end;
2739 char *sec_curr, *nosec_save, *nosec;
3528a953 2740 int open_quote = 0;
1da177e4
LT		 2741
2742 in_curr = orig;
2743 sec_curr = copy;
2744
1da177e4
LT		 2745 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2746 if (!nosec) {
2747 rc = -ENOMEM;
2748 goto out;
2749 }
2750
2751 nosec_save = nosec;
2752 fnosec = fsec = 1;
2753 in_save = in_end = orig;
2754
2755 do {
3528a953
CO		 2756 if (*in_end == '"')
2757 open_quote = !open_quote;
2758 if ((*in_end == ',' && open_quote == 0) ||
2759 *in_end == '\0') {
1da177e4
LT		 2760 int len = in_end - in_curr;
2761
2762 if (selinux_option(in_curr, len))
3528a953 2763 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2764 else
2765 take_option(&nosec, in_curr, &fnosec, len);
2766
2767 in_curr = in_end + 1;
2768 }
2769 } while (*in_end++);
2770
6931dfc9 2771 strcpy(in_save, nosec_save);
da3caa20 2772 free_page((unsigned long)nosec_save);
1da177e4
LT		 2773out:
2774 return rc;
2775}
2776
026eb167
EP		 2777static int selinux_sb_remount(struct super_block *sb, void *data)
2778{
2779 int rc, i, *flags;
2780 struct security_mnt_opts opts;
2781 char *secdata, **mount_options;
2782 struct superblock_security_struct *sbsec = sb->s_security;
2783
2784 if (!(sbsec->flags & SE_SBINITIALIZED))
2785 return 0;
2786
2787 if (!data)
2788 return 0;
2789
2790 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2791 return 0;
2792
2793 security_init_mnt_opts(&opts);
2794 secdata = alloc_secdata();
2795 if (!secdata)
2796 return -ENOMEM;
2797 rc = selinux_sb_copy_data(data, secdata);
2798 if (rc)
2799 goto out_free_secdata;
2800
2801 rc = selinux_parse_opts_str(secdata, &opts);
2802 if (rc)
2803 goto out_free_secdata;
2804
2805 mount_options = opts.mnt_opts;
2806 flags = opts.mnt_opts_flags;
2807
2808 for (i = 0; i < opts.num_mnt_opts; i++) {
2809 u32 sid;
026eb167 2810
12f348b9 2811 if (flags[i] == SBLABEL_MNT)
026eb167 2812 continue;
44be2f65 2813 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2814 if (rc) {
44be2f65 2815 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2816 "(%s) failed for (dev %s, type %s) errno=%d\n",
2817 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2818 goto out_free_opts;
2819 }
2820 rc = -EINVAL;
2821 switch (flags[i]) {
2822 case FSCONTEXT_MNT:
2823 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2824 goto out_bad_option;
2825 break;
2826 case CONTEXT_MNT:
2827 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2828 goto out_bad_option;
2829 break;
2830 case ROOTCONTEXT_MNT: {
2831 struct inode_security_struct *root_isec;
83da53c5 2832 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2833
2834 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2835 goto out_bad_option;
2836 break;
2837 }
2838 case DEFCONTEXT_MNT:
2839 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2840 goto out_bad_option;
2841 break;
2842 default:
2843 goto out_free_opts;
2844 }
2845 }
2846
2847 rc = 0;
2848out_free_opts:
2849 security_free_mnt_opts(&opts);
2850out_free_secdata:
2851 free_secdata(secdata);
2852 return rc;
2853out_bad_option:
2854 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2855 "during remount (dev %s, type=%s)\n", sb->s_id,
2856 sb->s_type->name);
026eb167
EP		 2857 goto out_free_opts;
2858}
2859
12204e24 2860static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2861{
88e67f3b 2862 const struct cred *cred = current_cred();
2bf49690 2863 struct common_audit_data ad;
1da177e4
LT		 2864 int rc;
2865
2866 rc = superblock_doinit(sb, data);
2867 if (rc)
2868 return rc;
2869
74192246
JM		 2870 /* Allow all mounts performed by the kernel */
2871 if (flags & MS_KERNMOUNT)
2872 return 0;
2873
50c205f5 2874 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2875 ad.u.dentry = sb->s_root;
88e67f3b 2876 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2877}
2878
726c3342 2879static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2880{
88e67f3b 2881 const struct cred *cred = current_cred();
2bf49690 2882 struct common_audit_data ad;
1da177e4 2883
50c205f5 2884 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2885 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2886 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2887}
2888
808d4e3c 2889static int selinux_mount(const char *dev_name,
8a04c43b 2890 const struct path *path,
808d4e3c 2891 const char *type,
828dfe1d
EP		 2892 unsigned long flags,
2893 void *data)
1da177e4 2894{
88e67f3b 2895 const struct cred *cred = current_cred();
1da177e4
LT		 2896
2897 if (flags & MS_REMOUNT)
d8c9584e 2898 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2899 FILESYSTEM__REMOUNT, NULL);
1da177e4 2900 else
2875fa00 2901 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2902}
2903
2904static int selinux_umount(struct vfsmount *mnt, int flags)
2905{
88e67f3b 2906 const struct cred *cred = current_cred();
1da177e4 2907
88e67f3b 2908 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2909 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2910}
2911
2912/* inode security operations */
2913
2914static int selinux_inode_alloc_security(struct inode *inode)
2915{
2916 return inode_alloc_security(inode);
2917}
2918
2919static void selinux_inode_free_security(struct inode *inode)
2920{
2921 inode_free_security(inode);
2922}
2923
d47be3df 2924static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2925 const struct qstr *name, void **ctx,
d47be3df
DQ		 2926 u32 *ctxlen)
2927{
d47be3df
DQ		 2928 u32 newsid;
2929 int rc;
2930
c957f6df
VG		 2931 rc = selinux_determine_inode_label(current_security(),
2932 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2933 inode_mode_to_security_class(mode),
2934 &newsid);
2935 if (rc)
2936 return rc;
d47be3df
DQ		 2937
2938 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2939}
2940
a518b0a5
VG		 2941static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2942 struct qstr *name,
2943 const struct cred *old,
2944 struct cred *new)
2945{
2946 u32 newsid;
2947 int rc;
2948 struct task_security_struct *tsec;
2949
2950 rc = selinux_determine_inode_label(old->security,
2951 d_inode(dentry->d_parent), name,
2952 inode_mode_to_security_class(mode),
2953 &newsid);
2954 if (rc)
2955 return rc;
2956
2957 tsec = new->security;
2958 tsec->create_sid = newsid;
2959 return 0;
2960}
2961
5e41ff9e 2962static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2963 const struct qstr *qstr,
2964 const char **name,
2a7dba39 2965 void **value, size_t *len)
5e41ff9e 2966{
5fb49870 2967 const struct task_security_struct *tsec = current_security();
5e41ff9e 2968 struct superblock_security_struct *sbsec;
275bb41e 2969 u32 sid, newsid, clen;
5e41ff9e 2970 int rc;
9548906b 2971 char *context;
5e41ff9e 2972
5e41ff9e 2973 sbsec = dir->i_sb->s_security;
5e41ff9e 2974
275bb41e
DH		 2975 sid = tsec->sid;
2976 newsid = tsec->create_sid;
2977
c957f6df 2978 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2979 dir, qstr,
2980 inode_mode_to_security_class(inode->i_mode),
2981 &newsid);
2982 if (rc)
2983 return rc;
5e41ff9e 2984
296fddf7 2985 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2986 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2987 struct inode_security_struct *isec = inode->i_security;
2988 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2989 isec->sid = newsid;
6f3be9f5 2990 isec->initialized = LABEL_INITIALIZED;
296fddf7 2991 }
5e41ff9e 2992
12f348b9 2993 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2994 return -EOPNOTSUPP;
2995
9548906b
TH		 2996 if (name)
2997 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2998
570bc1c2 2999 if (value && len) {
12b29f34 3000 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 3001 if (rc)
570bc1c2 3002 return rc;
570bc1c2
SS		 3003 *value = context;
3004 *len = clen;
5e41ff9e 3005 }
5e41ff9e 3006
5e41ff9e
SS		 3007 return 0;
3008}
3009
4acdaf27 3010static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3011{
3012 return may_create(dir, dentry, SECCLASS_FILE);
3013}
3014
1da177e4
LT		 3015static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3016{
1da177e4
LT		 3017 return may_link(dir, old_dentry, MAY_LINK);
3018}
3019
1da177e4
LT		 3020static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3021{
1da177e4
LT		 3022 return may_link(dir, dentry, MAY_UNLINK);
3023}
3024
3025static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3026{
3027 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3028}
3029
18bb1db3 3030static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3031{
3032 return may_create(dir, dentry, SECCLASS_DIR);
3033}
3034
1da177e4
LT		 3035static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3036{
3037 return may_link(dir, dentry, MAY_RMDIR);
3038}
3039
1a67aafb 3040static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3041{
1da177e4
LT		 3042 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3043}
3044
1da177e4 3045static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3046 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3047{
3048 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3049}
3050
1da177e4
LT		 3051static int selinux_inode_readlink(struct dentry *dentry)
3052{
88e67f3b
DH		 3053 const struct cred *cred = current_cred();
3054
2875fa00 3055 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3056}
3057
bda0be7a
N		 3058static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3059 bool rcu)
1da177e4 3060{
88e67f3b 3061 const struct cred *cred = current_cred();
bda0be7a
N		 3062 struct common_audit_data ad;
3063 struct inode_security_struct *isec;
3064 u32 sid;
1da177e4 3065
bda0be7a
N		 3066 validate_creds(cred);
3067
3068 ad.type = LSM_AUDIT_DATA_DENTRY;
3069 ad.u.dentry = dentry;
3070 sid = cred_sid(cred);
5d226df4
AG		 3071 isec = inode_security_rcu(inode, rcu);
3072 if (IS_ERR(isec))
3073 return PTR_ERR(isec);
bda0be7a
N		 3074
3075 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3076 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3077}
3078
d4cf970d
EP		 3079static noinline int audit_inode_permission(struct inode *inode,
3080 u32 perms, u32 audited, u32 denied,
626b9740 3081 int result,
d4cf970d 3082 unsigned flags)
1da177e4 3083{
b782e0a6 3084 struct common_audit_data ad;
d4cf970d
EP		 3085 struct inode_security_struct *isec = inode->i_security;
3086 int rc;
3087
50c205f5 3088 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3089 ad.u.inode = inode;
3090
3091 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3092 audited, denied, result, &ad, flags);
d4cf970d
EP		 3093 if (rc)
3094 return rc;
3095 return 0;
3096}
3097
e74f71eb 3098static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3099{
88e67f3b 3100 const struct cred *cred = current_cred();
b782e0a6
EP		 3101 u32 perms;
3102 bool from_access;
cf1dd1da 3103 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3104 struct inode_security_struct *isec;
3105 u32 sid;
3106 struct av_decision avd;
3107 int rc, rc2;
3108 u32 audited, denied;
1da177e4 3109
b782e0a6 3110 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3111 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3112
b782e0a6
EP		 3113 /* No permission to check. Existence test. */
3114 if (!mask)
1da177e4 3115 return 0;
1da177e4 3116
2e334057 3117 validate_creds(cred);
b782e0a6 3118
2e334057
EP		 3119 if (unlikely(IS_PRIVATE(inode)))
3120 return 0;
b782e0a6
EP		 3121
3122 perms = file_mask_to_av(inode->i_mode, mask);
3123
2e334057 3124 sid = cred_sid(cred);
5d226df4
AG		 3125 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3126 if (IS_ERR(isec))
3127 return PTR_ERR(isec);
2e334057
EP		 3128
3129 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3130 audited = avc_audit_required(perms, &avd, rc,
3131 from_access ? FILE__AUDIT_ACCESS : 0,
3132 &denied);
3133 if (likely(!audited))
3134 return rc;
3135
626b9740 3136 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3137 if (rc2)
3138 return rc2;
3139 return rc;
1da177e4
LT		 3140}
3141
3142static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3143{
88e67f3b 3144 const struct cred *cred = current_cred();
bc6a6008 3145 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3146 __u32 av = FILE__WRITE;
1da177e4 3147
bc6a6008
AW		 3148 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3149 if (ia_valid & ATTR_FORCE) {
3150 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3151 ATTR_FORCE);
3152 if (!ia_valid)
3153 return 0;
3154 }
1da177e4 3155
bc6a6008
AW		 3156 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3157 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3158 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3159
44d37ad3
JVS		 3160 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3161 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3162 av |= FILE__OPEN;
3163
3164 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3165}
3166
3f7036a0 3167static int selinux_inode_getattr(const struct path *path)
1da177e4 3168{
3f7036a0 3169 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3170}
3171
8f0cfa52 3172static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3173{
88e67f3b
DH		 3174 const struct cred *cred = current_cred();
3175
b5376771
SH		 3176 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3177 sizeof XATTR_SECURITY_PREFIX - 1)) {
3178 if (!strcmp(name, XATTR_NAME_CAPS)) {
3179 if (!capable(CAP_SETFCAP))
3180 return -EPERM;
3181 } else if (!capable(CAP_SYS_ADMIN)) {
3182 /* A different attribute in the security namespace.
3183 Restrict to administrator. */
3184 return -EPERM;
3185 }
3186 }
3187
3188 /* Not an attribute we recognize, so just check the
3189 ordinary setattr permission. */
2875fa00 3190 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3191}
3192
8f0cfa52
DH		 3193static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3194 const void *value, size_t size, int flags)
1da177e4 3195{
c6f493d6 3196 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3197 struct inode_security_struct *isec;
1da177e4 3198 struct superblock_security_struct *sbsec;
2bf49690 3199 struct common_audit_data ad;
275bb41e 3200 u32 newsid, sid = current_sid();
1da177e4
LT		 3201 int rc = 0;
3202
b5376771
SH		 3203 if (strcmp(name, XATTR_NAME_SELINUX))
3204 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3205
3206 sbsec = inode->i_sb->s_security;
12f348b9 3207 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3208 return -EOPNOTSUPP;
3209
2e149670 3210 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3211 return -EPERM;
3212
50c205f5 3213 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3214 ad.u.dentry = dentry;
1da177e4 3215
20cdef8d 3216 isec = backing_inode_security(dentry);
275bb41e 3217 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3218 FILE__RELABELFROM, &ad);
3219 if (rc)
3220 return rc;
3221
52a4c640 3222 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3223 if (rc == -EINVAL) {
d6ea83ec
EP		 3224 if (!capable(CAP_MAC_ADMIN)) {
3225 struct audit_buffer *ab;
3226 size_t audit_size;
3227 const char *str;
3228
3229 /* We strip a nul only if it is at the end, otherwise the
3230 * context contains a nul and we should audit that */
e3fea3f7
AV		 3231 if (value) {
3232 str = value;
3233 if (str[size - 1] == '\0')
3234 audit_size = size - 1;
3235 else
3236 audit_size = size;
3237 } else {
3238 str = "";
3239 audit_size = 0;
3240 }
d6ea83ec
EP		 3241 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3242 audit_log_format(ab, "op=setxattr invalid_context=");
3243 audit_log_n_untrustedstring(ab, value, audit_size);
3244 audit_log_end(ab);
3245
12b29f34 3246 return rc;
d6ea83ec 3247 }
12b29f34
SS		 3248 rc = security_context_to_sid_force(value, size, &newsid);
3249 }
1da177e4
LT		 3250 if (rc)
3251 return rc;
3252
275bb41e 3253 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3254 FILE__RELABELTO, &ad);
3255 if (rc)
3256 return rc;
3257
275bb41e 3258 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3259 isec->sclass);
1da177e4
LT		 3260 if (rc)
3261 return rc;
3262
3263 return avc_has_perm(newsid,
3264 sbsec->sid,
3265 SECCLASS_FILESYSTEM,
3266 FILESYSTEM__ASSOCIATE,
3267 &ad);
3268}
3269
8f0cfa52 3270static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3271 const void *value, size_t size,
8f0cfa52 3272 int flags)
1da177e4 3273{
c6f493d6 3274 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3275 struct inode_security_struct *isec;
1da177e4
LT		 3276 u32 newsid;
3277 int rc;
3278
3279 if (strcmp(name, XATTR_NAME_SELINUX)) {
3280 /* Not an attribute we recognize, so nothing to do. */
3281 return;
3282 }
3283
12b29f34 3284 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3285 if (rc) {
12b29f34
SS		 3286 printk(KERN_ERR "SELinux: unable to map context to SID"
3287 "for (%s, %lu), rc=%d\n",
3288 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3289 return;
3290 }
3291
20cdef8d 3292 isec = backing_inode_security(dentry);
9287aed2 3293 spin_lock(&isec->lock);
aa9c2669 3294 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3295 isec->sid = newsid;
6f3be9f5 3296 isec->initialized = LABEL_INITIALIZED;
9287aed2 3297 spin_unlock(&isec->lock);
aa9c2669 3298
1da177e4
LT		 3299 return;
3300}
3301
8f0cfa52 3302static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3303{
88e67f3b
DH		 3304 const struct cred *cred = current_cred();
3305
2875fa00 3306 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3307}
3308
828dfe1d 3309static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3310{
88e67f3b
DH		 3311 const struct cred *cred = current_cred();
3312
2875fa00 3313 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3314}
3315
8f0cfa52 3316static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3317{
b5376771
SH		 3318 if (strcmp(name, XATTR_NAME_SELINUX))
3319 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3320
3321 /* No one is allowed to remove a SELinux security label.
3322 You can change the label, but all data must be labeled. */
3323 return -EACCES;
3324}
3325
d381d8a9 3326/*
abc69bb6 3327 * Copy the inode security context value to the user.
d381d8a9
JM		 3328 *
3329 * Permission check is handled by selinux_inode_getxattr hook.
3330 */
ea861dfd 3331static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3332{
42492594
DQ		 3333 u32 size;
3334 int error;
3335 char *context = NULL;
20cdef8d 3336 struct inode_security_struct *isec;
d381d8a9 3337
8c8570fb
DK		 3338 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3339 return -EOPNOTSUPP;
d381d8a9 3340
abc69bb6
SS		 3341 /*
3342 * If the caller has CAP_MAC_ADMIN, then get the raw context
3343 * value even if it is not defined by current policy; otherwise,
3344 * use the in-core value under current policy.
3345 * Use the non-auditing forms of the permission checks since
3346 * getxattr may be called by unprivileged processes commonly
3347 * and lack of permission just means that we fall back to the
3348 * in-core context value, not a denial.
3349 */
b1d9e6b0
CS		 3350 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3351 SECURITY_CAP_NOAUDIT);
3352 if (!error)
3353 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
8e4ff6f2 3354 SECURITY_CAP_NOAUDIT, true);
20cdef8d 3355 isec = inode_security(inode);
abc69bb6
SS		 3356 if (!error)
3357 error = security_sid_to_context_force(isec->sid, &context,
3358 &size);
3359 else
3360 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3361 if (error)
3362 return error;
3363 error = size;
3364 if (alloc) {
3365 *buffer = context;
3366 goto out_nofree;
3367 }
3368 kfree(context);
3369out_nofree:
3370 return error;
1da177e4
LT		 3371}
3372
3373static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3374 const void *value, size_t size, int flags)
1da177e4 3375{
2c97165b 3376 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3377 u32 newsid;
3378 int rc;
3379
3380 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3381 return -EOPNOTSUPP;
3382
3383 if (!value || !size)
3384 return -EACCES;
3385
20ba96ae 3386 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3387 if (rc)
3388 return rc;
3389
9287aed2 3390 spin_lock(&isec->lock);
aa9c2669 3391 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3392 isec->sid = newsid;
6f3be9f5 3393 isec->initialized = LABEL_INITIALIZED;
9287aed2 3394 spin_unlock(&isec->lock);
1da177e4
LT		 3395 return 0;
3396}
3397
3398static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3399{
3400 const int len = sizeof(XATTR_NAME_SELINUX);
3401 if (buffer && len <= buffer_size)
3402 memcpy(buffer, XATTR_NAME_SELINUX, len);
3403 return len;
3404}
3405
d6335d77 3406static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3407{
e817c2f3 3408 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3409 *secid = isec->sid;
3410}
3411
56909eb3
VG		 3412static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3413{
3414 u32 sid;
3415 struct task_security_struct *tsec;
3416 struct cred *new_creds = *new;
3417
3418 if (new_creds == NULL) {
3419 new_creds = prepare_creds();
3420 if (!new_creds)
3421 return -ENOMEM;
3422 }
3423
3424 tsec = new_creds->security;
3425 /* Get label from overlay inode and set it in create_sid */
3426 selinux_inode_getsecid(d_inode(src), &sid);
3427 tsec->create_sid = sid;
3428 *new = new_creds;
3429 return 0;
3430}
3431
19472b69
VG		 3432static int selinux_inode_copy_up_xattr(const char *name)
3433{
3434 /* The copy_up hook above sets the initial context on an inode, but we
3435 * don't then want to overwrite it by blindly copying all the lower
3436 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3437 */
3438 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3439 return 1; /* Discard */
3440 /*
3441 * Any other attribute apart from SELINUX is not claimed, supported
3442 * by selinux.
3443 */
3444 return -EOPNOTSUPP;
3445}
3446
1da177e4
LT		 3447/* file security operations */
3448
788e7dd4 3449static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3450{
88e67f3b 3451 const struct cred *cred = current_cred();
496ad9aa 3452 struct inode *inode = file_inode(file);
1da177e4 3453
1da177e4
LT		 3454 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3455 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3456 mask |= MAY_APPEND;
3457
389fb800
PM		 3458 return file_has_perm(cred, file,
3459 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3460}
3461
788e7dd4
YN		 3462static int selinux_file_permission(struct file *file, int mask)
3463{
496ad9aa 3464 struct inode *inode = file_inode(file);
20dda18b 3465 struct file_security_struct *fsec = file->f_security;
b197367e 3466 struct inode_security_struct *isec;
20dda18b
SS		 3467 u32 sid = current_sid();
3468
389fb800 3469 if (!mask)
788e7dd4
YN		 3470 /* No permission to check. Existence test. */
3471 return 0;
788e7dd4 3472
b197367e 3473 isec = inode_security(inode);
20dda18b
SS		 3474 if (sid == fsec->sid && fsec->isid == isec->sid &&
3475 fsec->pseqno == avc_policy_seqno())
83d49856 3476 /* No change since file_open check. */
20dda18b
SS		 3477 return 0;
3478
788e7dd4
YN		 3479 return selinux_revalidate_file_permission(file, mask);
3480}
3481
1da177e4
LT		 3482static int selinux_file_alloc_security(struct file *file)
3483{
3484 return file_alloc_security(file);
3485}
3486
3487static void selinux_file_free_security(struct file *file)
3488{
3489 file_free_security(file);
3490}
3491
fa1aa143
JVS		 3492/*
3493 * Check whether a task has the ioctl permission and cmd
3494 * operation to an inode.
3495 */
1d2a168a 3496static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3497 u32 requested, u16 cmd)
3498{
3499 struct common_audit_data ad;
3500 struct file_security_struct *fsec = file->f_security;
3501 struct inode *inode = file_inode(file);
20cdef8d 3502 struct inode_security_struct *isec;
fa1aa143
JVS		 3503 struct lsm_ioctlop_audit ioctl;
3504 u32 ssid = cred_sid(cred);
3505 int rc;
3506 u8 driver = cmd >> 8;
3507 u8 xperm = cmd & 0xff;
3508
3509 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3510 ad.u.op = &ioctl;
3511 ad.u.op->cmd = cmd;
3512 ad.u.op->path = file->f_path;
3513
3514 if (ssid != fsec->sid) {
3515 rc = avc_has_perm(ssid, fsec->sid,
3516 SECCLASS_FD,
3517 FD__USE,
3518 &ad);
3519 if (rc)
3520 goto out;
3521 }
3522
3523 if (unlikely(IS_PRIVATE(inode)))
3524 return 0;
3525
20cdef8d 3526 isec = inode_security(inode);
fa1aa143
JVS		 3527 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3528 requested, driver, xperm, &ad);
3529out:
3530 return rc;
3531}
3532
1da177e4
LT		 3533static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3534 unsigned long arg)
3535{
88e67f3b 3536 const struct cred *cred = current_cred();
0b24dcb7 3537 int error = 0;
1da177e4 3538
0b24dcb7
EP		 3539 switch (cmd) {
3540 case FIONREAD:
3541 /* fall through */
3542 case FIBMAP:
3543 /* fall through */
3544 case FIGETBSZ:
3545 /* fall through */
2f99c369 3546 case FS_IOC_GETFLAGS:
0b24dcb7 3547 /* fall through */
2f99c369 3548 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3549 error = file_has_perm(cred, file, FILE__GETATTR);
3550 break;
1da177e4 3551
2f99c369 3552 case FS_IOC_SETFLAGS:
0b24dcb7 3553 /* fall through */
2f99c369 3554 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3555 error = file_has_perm(cred, file, FILE__SETATTR);
3556 break;
3557
3558 /* sys_ioctl() checks */
3559 case FIONBIO:
3560 /* fall through */
3561 case FIOASYNC:
3562 error = file_has_perm(cred, file, 0);
3563 break;
1da177e4 3564
0b24dcb7
EP		 3565 case KDSKBENT:
3566 case KDSKBSENT:
6a9de491 3567 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3568 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3569 break;
3570
3571 /* default case assumes that the command will go
3572 * to the file's ioctl() function.
3573 */
3574 default:
fa1aa143 3575 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3576 }
3577 return error;
1da177e4
LT		 3578}
3579
fcaaade1
SS		 3580static int default_noexec;
3581
1da177e4
LT		 3582static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3583{
88e67f3b 3584 const struct cred *cred = current_cred();
d84f4f99 3585 int rc = 0;
88e67f3b 3586
fcaaade1 3587 if (default_noexec &&
892e8cac
SS		 3588 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3589 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3590 /*
3591 * We are making executable an anonymous mapping or a
3592 * private file mapping that will also be writable.
3593 * This has an additional check.
3594 */
d84f4f99 3595 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3596 if (rc)
d84f4f99 3597 goto error;
1da177e4 3598 }
1da177e4
LT		 3599
3600 if (file) {
3601 /* read access is always possible with a mapping */
3602 u32 av = FILE__READ;
3603
3604 /* write access only matters if the mapping is shared */
3605 if (shared && (prot & PROT_WRITE))
3606 av |= FILE__WRITE;
3607
3608 if (prot & PROT_EXEC)
3609 av |= FILE__EXECUTE;
3610
88e67f3b 3611 return file_has_perm(cred, file, av);
1da177e4 3612 }
d84f4f99
DH		 3613
3614error:
3615 return rc;
1da177e4
LT		 3616}
3617
e5467859 3618static int selinux_mmap_addr(unsigned long addr)
1da177e4 3619{
b1d9e6b0 3620 int rc = 0;
1da177e4 3621
a2551df7 3622 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3623 u32 sid = current_sid();
ed032189
EP		 3624 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3625 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3626 }
3627
98883bfd 3628 return rc;
e5467859 3629}
1da177e4 3630
e5467859
AV		 3631static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3632 unsigned long prot, unsigned long flags)
3633{
1da177e4
LT		 3634 if (selinux_checkreqprot)
3635 prot = reqprot;
3636
3637 return file_map_prot_check(file, prot,
3638 (flags & MAP_TYPE) == MAP_SHARED);
3639}
3640
3641static int selinux_file_mprotect(struct vm_area_struct *vma,
3642 unsigned long reqprot,
3643 unsigned long prot)
3644{
88e67f3b 3645 const struct cred *cred = current_cred();
1da177e4
LT		 3646
3647 if (selinux_checkreqprot)
3648 prot = reqprot;
3649
fcaaade1
SS		 3650 if (default_noexec &&
3651 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3652 int rc = 0;
db4c9641
SS		 3653 if (vma->vm_start >= vma->vm_mm->start_brk &&
3654 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3655 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641 3656 } else if (!vma->vm_file &&
c2316dbf
SS		 3657 ((vma->vm_start <= vma->vm_mm->start_stack &&
3658 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3659 vma_is_stack_for_current(vma))) {
3b11a1de 3660 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3661 } else if (vma->vm_file && vma->anon_vma) {
3662 /*
3663 * We are making executable a file mapping that has
3664 * had some COW done. Since pages might have been
3665 * written, check ability to execute the possibly
3666 * modified content. This typically should only
3667 * occur for text relocations.
3668 */
d84f4f99 3669 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3670 }