]> git.ipfire.org Git - thirdparty/kernel/stable.git/blame - security/selinux/hooks.c
projects / thirdparty / kernel / stable.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'loongarch-kvm-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhu...
[thirdparty/kernel/stable.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4 2/*
90aa4f5e 3 * Security-Enhanced Linux (SELinux) security module
1da177e4
LT		 4 *
5 * This file contains the SELinux hook function implementations.
6 *
0fe53224 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
b89999d0 27#include <linux/kernel_read_file.h>
1da177e4 28#include <linux/errno.h>
3f07c014 29#include <linux/sched/signal.h>
29930025 30#include <linux/sched/task.h>
3c4ed7bd 31#include <linux/lsm_hooks.h>
1da177e4
LT		 32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
0b24dcb7 39#include <linux/proc_fs.h>
1da177e4 40#include <linux/swap.h>
1da177e4
LT		 41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
2a7dba39 43#include <linux/dcache.h>
1da177e4 44#include <linux/file.h>
9f3acc31 45#include <linux/fdtable.h>
1da177e4
LT		 46#include <linux/namei.h>
47#include <linux/mount.h>
442155c1
DH		 48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
d452930f
RH		 69#include <linux/sctp.h>
70#include <net/sctp/structs.h>
1da177e4
LT		 71#include <linux/quota.h>
72#include <linux/un.h> /* for Unix socket types */
73#include <net/af_unix.h> /* for Unix socket types */
74#include <linux/parser.h>
75#include <linux/nfs_mount.h>
76#include <net/ipv6.h>
77#include <linux/hugetlb.h>
78#include <linux/personality.h>
1da177e4 79#include <linux/audit.h>
6931dfc9 80#include <linux/string.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
ec27c356 88#include <linux/bpf.h>
ec882da5
OM		 89#include <linux/kernfs.h>
90#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 91#include <uapi/linux/mount.h>
ac5656d8
AG		 92#include <linux/fsnotify.h>
93#include <linux/fanotify.h>
f4d653dc 94#include <linux/io_uring.h>
1da177e4
LT		 95
96#include "avc.h"
97#include "objsec.h"
98#include "netif.h"
224dfbd8 99#include "netnode.h"
3e112172 100#include "netport.h"
409dcf31 101#include "ibpkey.h"
d28d1e08 102#include "xfrm.h"
c60475bf 103#include "netlabel.h"
9d57a7f9 104#include "audit.h"
7b98a585 105#include "avc_ss.h"
1da177e4 106
6bcdfd2c
RS		 107#define SELINUX_INODE_INIT_XATTRS 1
108
aa8e712c
SS		 109struct selinux_state selinux_state;
110
d621d35e 111/* SECMARK reference count */
56a4ca99 112static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 113
1da177e4 114#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
6c5a682e 115static int selinux_enforcing_boot __initdata;
1da177e4
LT		 116
117static int __init enforcing_setup(char *str)
118{
f5269710 119 unsigned long enforcing;
29707b20 120 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 121 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 125#else
126#define selinux_enforcing_boot 1
1da177e4
LT		 127#endif
128
6c5a682e 129int selinux_enabled_boot __initdata = 1;
1da177e4 130#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 131static int __init selinux_enabled_setup(char *str)
132{
f5269710 133 unsigned long enabled;
29707b20 134 if (!kstrtoul(str, 0, &enabled))
6c5a682e 135 selinux_enabled_boot = enabled ? 1 : 0;
1da177e4
LT		 136 return 1;
137}
138__setup("selinux=", selinux_enabled_setup);
139#endif
140
aa8e712c
SS		 141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
e9c38f9f 145 if (!kstrtoul(str, 0, &checkreqprot)) {
e9c38f9f 146 if (checkreqprot)
a7e4676e 147 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
e9c38f9f 148 }
aa8e712c
SS		 149 return 1;
150}
151__setup("checkreqprot=", checkreqprot_setup);
152
d621d35e
PM		 153/**
154 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
155 *
156 * Description:
157 * This function checks the SECMARK reference counter to see if any SECMARK
158 * targets are currently configured, if the reference counter is greater than
159 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 160 * enabled, false (0) if SECMARK is disabled. If the always_check_network
161 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 162 *
163 */
164static int selinux_secmark_enabled(void)
165{
aa8e712c
SS		 166 return (selinux_policycap_alwaysnetwork() ||
167 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 168}
169
170/**
171 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
172 *
173 * Description:
174 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
175 * (1) if any are enabled or false (0) if neither are enabled. If the
176 * always_check_network policy capability is enabled, peer labeling
177 * is always considered enabled.
178 *
179 */
180static int selinux_peerlbl_enabled(void)
181{
aa8e712c
SS		 182 return (selinux_policycap_alwaysnetwork() ||
183 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 184}
185
615e51fd
PM		 186static int selinux_netcache_avc_callback(u32 event)
187{
188 if (event == AVC_CALLBACK_RESET) {
189 sel_netif_flush();
190 sel_netnode_flush();
191 sel_netport_flush();
192 synchronize_net();
193 }
194 return 0;
195}
196
8f408ab6
DJ		 197static int selinux_lsm_notifier_avc_callback(u32 event)
198{
409dcf31
DJ		 199 if (event == AVC_CALLBACK_RESET) {
200 sel_ib_pkey_flush();
42df744c 201 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 202 }
8f408ab6
DJ		 203
204 return 0;
205}
206
d84f4f99
DH		 207/*
208 * initialise the security for the init task
209 */
210static void cred_init_security(void)
1da177e4
LT		 211{
212 struct task_security_struct *tsec;
213
cdeea454 214 tsec = selinux_cred(unrcu_pointer(current->real_cred));
d84f4f99 215 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 216}
217
88e67f3b
DH		 218/*
219 * get the security ID of a set of credentials
220 */
221static inline u32 cred_sid(const struct cred *cred)
222{
223 const struct task_security_struct *tsec;
224
0c6cfa62 225 tsec = selinux_cred(cred);
88e67f3b
DH		 226 return tsec->sid;
227}
228
dd51fcd4
PA		 229static void __ad_net_init(struct common_audit_data *ad,
230 struct lsm_network_audit *net,
231 int ifindex, struct sock *sk, u16 family)
232{
233 ad->type = LSM_AUDIT_DATA_NET;
234 ad->u.net = net;
235 net->netif = ifindex;
236 net->sk = sk;
237 net->family = family;
238}
239
240static void ad_net_init_from_sk(struct common_audit_data *ad,
241 struct lsm_network_audit *net,
242 struct sock *sk)
243{
244 __ad_net_init(ad, net, 0, sk, 0);
245}
246
247static void ad_net_init_from_iif(struct common_audit_data *ad,
248 struct lsm_network_audit *net,
249 int ifindex, u16 family)
250{
3876043a 251 __ad_net_init(ad, net, ifindex, NULL, family);
dd51fcd4
PA		 252}
253
275bb41e 254/*
3b11a1de 255 * get the objective security ID of a task
275bb41e 256 */
eb1231f7 257static inline u32 task_sid_obj(const struct task_struct *task)
275bb41e 258{
275bb41e
DH		 259 u32 sid;
260
261 rcu_read_lock();
88e67f3b 262 sid = cred_sid(__task_cred(task));
275bb41e
DH		 263 rcu_read_unlock();
264 return sid;
265}
266
5d226df4
AG		 267static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
268
269/*
270 * Try reloading inode security labels that have been marked as invalid. The
271 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 272 * allowed; when set to false, returns -ECHILD when the label is
e9193288 273 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 274 */
275static int __inode_security_revalidate(struct inode *inode,
e9193288 276 struct dentry *dentry,
5d226df4
AG		 277 bool may_sleep)
278{
80788c22 279 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 280
281 might_sleep_if(may_sleep);
282
e67b7985 283 if (selinux_initialized() &&
aa8e712c 284 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 285 if (!may_sleep)
286 return -ECHILD;
287
288 /*
289 * Try reloading the inode security label. This will fail if
290 * @opt_dentry is NULL and no dentry for this inode can be
291 * found; in that case, continue using the old label.
292 */
e9193288 293 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 294 }
295 return 0;
296}
297
5d226df4
AG		 298static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
299{
80788c22 300 return selinux_inode(inode);
5d226df4
AG		 301}
302
303static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
304{
305 int error;
306
307 error = __inode_security_revalidate(inode, NULL, !rcu);
308 if (error)
309 return ERR_PTR(error);
80788c22 310 return selinux_inode(inode);
5d226df4
AG		 311}
312
83da53c5
AG		 313/*
314 * Get the security label of an inode.
315 */
316static struct inode_security_struct *inode_security(struct inode *inode)
317{
5d226df4 318 __inode_security_revalidate(inode, NULL, true);
80788c22 319 return selinux_inode(inode);
83da53c5
AG		 320}
321
2c97165b
PM		 322static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
323{
324 struct inode *inode = d_backing_inode(dentry);
325
80788c22 326 return selinux_inode(inode);
2c97165b
PM		 327}
328
83da53c5
AG		 329/*
330 * Get the security label of a dentry's backing inode.
331 */
332static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
333{
334 struct inode *inode = d_backing_inode(dentry);
335
5d226df4 336 __inode_security_revalidate(inode, dentry, true);
80788c22 337 return selinux_inode(inode);
83da53c5
AG		 338}
339
1da177e4
LT		 340static void inode_free_security(struct inode *inode)
341{
80788c22 342 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 343 struct superblock_security_struct *sbsec;
1da177e4 344
afb1cbe3
CS		 345 if (!isec)
346 return;
1aea7808 347 sbsec = selinux_superblock(inode->i_sb);
9629d04a
WL		 348 /*
349 * As not all inode security structures are in a list, we check for
350 * empty list outside of the lock to make sure that we won't waste
351 * time taking a lock doing nothing.
352 *
353 * The list_del_init() function can be safely called more than once.
354 * It should not be possible for this function to be called with
355 * concurrent list_add(), but for better safety against future changes
356 * in the code, we use list_empty_careful() here.
357 */
358 if (!list_empty_careful(&isec->list)) {
359 spin_lock(&sbsec->isec_lock);
1da177e4 360 list_del_init(&isec->list);
9629d04a
WL		 361 spin_unlock(&sbsec->isec_lock);
362 }
1da177e4
LT		 363}
364
bd323655 365struct selinux_mnt_opts {
b8b87fd9
SM		 366 u32 fscontext_sid;
367 u32 context_sid;
368 u32 rootcontext_sid;
369 u32 defcontext_sid;
bd323655
AV		 370};
371
204cc0cc
AV		 372static void selinux_free_mnt_opts(void *mnt_opts)
373{
70f4169a 374 kfree(mnt_opts);
204cc0cc
AV		 375}
376
1da177e4 377enum {
31e87930 378 Opt_error = -1,
442155c1
DH		 379 Opt_context = 0,
380 Opt_defcontext = 1,
1da177e4 381 Opt_fscontext = 2,
442155c1
DH		 382 Opt_rootcontext = 3,
383 Opt_seclabel = 4,
1da177e4
LT		 384};
385
da3d76ab 386#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
4158cb60 387static const struct {
169d68ef
AV		 388 const char *name;
389 int len;
390 int opt;
391 bool has_arg;
392} tokens[] = {
da3d76ab
AV		 393 A(context, true),
394 A(fscontext, true),
395 A(defcontext, true),
396 A(rootcontext, true),
397 A(seclabel, false),
1da177e4 398};
169d68ef
AV		 399#undef A
400
401static int match_opt_prefix(char *s, int l, char **arg)
402{
403 int i;
404
405 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
406 size_t len = tokens[i].len;
407 if (len > l || memcmp(s, tokens[i].name, len))
408 continue;
409 if (tokens[i].has_arg) {
410 if (len == l || s[len] != '=')
411 continue;
412 *arg = s + len + 1;
413 } else if (len != l)
414 continue;
415 return tokens[i].opt;
416 }
417 return Opt_error;
418}
1da177e4
LT		 419
420#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
421
c312feb2
EP		 422static int may_context_mount_sb_relabel(u32 sid,
423 struct superblock_security_struct *sbsec,
275bb41e 424 const struct cred *cred)
c312feb2 425{
0c6cfa62 426 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 427 int rc;
428
e67b7985 429 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 430 FILESYSTEM__RELABELFROM, NULL);
431 if (rc)
432 return rc;
433
e67b7985 434 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 435 FILESYSTEM__RELABELTO, NULL);
436 return rc;
437}
438
0808925e
EP		 439static int may_context_mount_inode_relabel(u32 sid,
440 struct superblock_security_struct *sbsec,
275bb41e 441 const struct cred *cred)
0808925e 442{
0c6cfa62 443 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 444 int rc;
e67b7985 445 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 446 FILESYSTEM__RELABELFROM, NULL);
447 if (rc)
448 return rc;
449
e67b7985 450 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 451 FILESYSTEM__ASSOCIATE, NULL);
452 return rc;
453}
454
a83d6dda 455static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 456{
a83d6dda
OM		 457 /* Special handling. Genfs but also in-core setxattr handler */
458 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 459 !strcmp(sb->s_type->name, "pstore") ||
460 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 461 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 462 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 463 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 464 (!strcmp(sb->s_type->name, "cgroup") ||
465 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 466}
467
a83d6dda
OM		 468static int selinux_is_sblabel_mnt(struct super_block *sb)
469{
1aea7808 470 struct superblock_security_struct *sbsec = selinux_superblock(sb);
a83d6dda
OM		 471
472 /*
473 * IMPORTANT: Double-check logic in this function when adding a new
474 * SECURITY_FS_USE_* definition!
475 */
476 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
477
478 switch (sbsec->behavior) {
479 case SECURITY_FS_USE_XATTR:
480 case SECURITY_FS_USE_TRANS:
481 case SECURITY_FS_USE_TASK:
482 case SECURITY_FS_USE_NATIVE:
483 return 1;
484
485 case SECURITY_FS_USE_GENFS:
486 return selinux_is_genfs_special_handling(sb);
487
488 /* Never allow relabeling on context mounts */
489 case SECURITY_FS_USE_MNTPOINT:
490 case SECURITY_FS_USE_NONE:
491 default:
492 return 0;
493 }
494}
495
08abe46b
OM		 496static int sb_check_xattr_support(struct super_block *sb)
497{
0266c25e 498 struct superblock_security_struct *sbsec = selinux_superblock(sb);
08abe46b
OM		 499 struct dentry *root = sb->s_root;
500 struct inode *root_inode = d_backing_inode(root);
501 u32 sid;
502 int rc;
503
504 /*
505 * Make sure that the xattr handler exists and that no
506 * error other than -ENODATA is returned by getxattr on
507 * the root directory. -ENODATA is ok, as this may be
508 * the first boot of the SELinux kernel before we have
509 * assigned xattr values to the filesystem.
510 */
511 if (!(root_inode->i_opflags & IOP_XATTR)) {
512 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
513 sb->s_id, sb->s_type->name);
514 goto fallback;
515 }
516
517 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP) {
520 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
521 sb->s_id, sb->s_type->name);
522 goto fallback;
523 } else {
524 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
525 sb->s_id, sb->s_type->name, -rc);
526 return rc;
527 }
528 }
529 return 0;
530
531fallback:
532 /* No xattr support - try to fallback to genfs if possible. */
e67b7985 533 rc = security_genfs_sid(sb->s_type->name, "/",
08abe46b
OM		 534 SECCLASS_DIR, &sid);
535 if (rc)
536 return -EOPNOTSUPP;
537
538 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
539 sb->s_id, sb->s_type->name);
540 sbsec->behavior = SECURITY_FS_USE_GENFS;
541 sbsec->sid = sid;
542 return 0;
543}
544
c9180a57 545static int sb_finish_set_opts(struct super_block *sb)
1da177e4 546{
1aea7808 547 struct superblock_security_struct *sbsec = selinux_superblock(sb);
c9180a57 548 struct dentry *root = sb->s_root;
c6f493d6 549 struct inode *root_inode = d_backing_inode(root);
c9180a57 550 int rc = 0;
1da177e4 551
c9180a57 552 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
08abe46b
OM		 553 rc = sb_check_xattr_support(sb);
554 if (rc)
555 return rc;
c9180a57 556 }
1da177e4 557
eadcabc6 558 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 559
560 /*
561 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
562 * leave the flag untouched because sb_clone_mnt_opts might be handing
563 * us a superblock that needs the flag to be cleared.
564 */
b43e725d 565 if (selinux_is_sblabel_mnt(sb))
12f348b9 566 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 567 else
568 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 569
c9180a57
EP		 570 /* Initialize the root inode. */
571 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 572
c9180a57
EP		 573 /* Initialize any other inodes associated with the superblock, e.g.
574 inodes created prior to initial policy load or inodes created
575 during get_sb by a pseudo filesystem that directly
576 populates itself. */
577 spin_lock(&sbsec->isec_lock);
8d64124a 578 while (!list_empty(&sbsec->isec_head)) {
c9180a57 579 struct inode_security_struct *isec =
8d64124a 580 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 581 struct inode_security_struct, list);
582 struct inode *inode = isec->inode;
923190d3 583 list_del_init(&isec->list);
c9180a57
EP		 584 spin_unlock(&sbsec->isec_lock);
585 inode = igrab(inode);
586 if (inode) {
587 if (!IS_PRIVATE(inode))
cb89e246 588 inode_doinit_with_dentry(inode, NULL);
c9180a57
EP		 589 iput(inode);
590 }
591 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 592 }
593 spin_unlock(&sbsec->isec_lock);
c9180a57
EP		 594 return rc;
595}
1da177e4 596
c9180a57
EP		 597static int bad_option(struct superblock_security_struct *sbsec, char flag,
598 u32 old_sid, u32 new_sid)
599{
0d90a7ec
DQ		 600 char mnt_flags = sbsec->flags & SE_MNTMASK;
601
c9180a57 602 /* check if the old mount command had the same options */
0d90a7ec 603 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 604 if (!(sbsec->flags & flag) ||
605 (old_sid != new_sid))
606 return 1;
607
608 /* check if we were passed the same options twice,
609 * aka someone passed context=a,context=b
610 */
0d90a7ec
DQ		 611 if (!(sbsec->flags & SE_SBINITIALIZED))
612 if (mnt_flags & flag)
c9180a57
EP		 613 return 1;
614 return 0;
615}
e0007529 616
c9180a57
EP		 617/*
618 * Allow filesystems with binary mount data to explicitly set mount point
619 * labeling information.
620 */
e0007529 621static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 622 void *mnt_opts,
649f6e77
DQ		 623 unsigned long kern_flags,
624 unsigned long *set_kern_flags)
c9180a57 625{
275bb41e 626 const struct cred *cred = current_cred();
1aea7808 627 struct superblock_security_struct *sbsec = selinux_superblock(sb);
b159e86b 628 struct dentry *root = sb->s_root;
bd323655 629 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 630 struct inode_security_struct *root_isec;
c9180a57
EP		 631 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
632 u32 defcontext_sid = 0;
bd323655 633 int rc = 0;
c9180a57 634
cec5fe70
OM		 635 /*
636 * Specifying internal flags without providing a place to
637 * place the results is not allowed
638 */
639 if (kern_flags && !set_kern_flags)
640 return -EINVAL;
641
c9180a57
EP		 642 mutex_lock(&sbsec->lock);
643
e67b7985 644 if (!selinux_initialized()) {
bd323655 645 if (!opts) {
c9180a57
EP		 646 /* Defer initialization until selinux_complete_init,
647 after the initial policy is loaded and the security
648 server is ready to handle calls. */
cec5fe70
OM		 649 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
650 sbsec->flags |= SE_SBNATIVE;
651 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
652 }
c9180a57
EP		 653 goto out;
654 }
655 rc = -EINVAL;
c103a91e 656 pr_warn("SELinux: Unable to set superblock options "
744ba35e 657 "before the security server is initialized\n");
1da177e4 658 goto out;
c9180a57 659 }
1da177e4 660
e0007529
EP		 661 /*
662 * Binary mount data FS will come through this function twice. Once
663 * from an explicit call and once from the generic calls from the vfs.
664 * Since the generic VFS calls will not contain any security mount data
665 * we need to skip the double mount verification.
666 *
667 * This does open a hole in which we will not notice if the first
9691e4f9 668 * mount using this sb set explicit options and a second mount using
e0007529
EP		 669 * this sb does not set any security options. (The first options
670 * will be used for both mounts)
671 */
0d90a7ec 672 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 673 && !opts)
f5269710 674 goto out;
e0007529 675
2c97165b
PM		 676 root_isec = backing_inode_security_novalidate(root);
677
c9180a57
EP		 678 /*
679 * parse the mount options, check if they are valid sids.
680 * also check if someone is trying to mount the same sb more
681 * than once with different security options.
682 */
bd323655 683 if (opts) {
70f4169a
OM		 684 if (opts->fscontext_sid) {
685 fscontext_sid = opts->fscontext_sid;
c9180a57
EP		 686 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
687 fscontext_sid))
688 goto out_double_mount;
c9180a57 689 sbsec->flags |= FSCONTEXT_MNT;
bd323655 690 }
70f4169a
OM		 691 if (opts->context_sid) {
692 context_sid = opts->context_sid;
c9180a57
EP		 693 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
694 context_sid))
695 goto out_double_mount;
c9180a57 696 sbsec->flags |= CONTEXT_MNT;
bd323655 697 }
70f4169a
OM		 698 if (opts->rootcontext_sid) {
699 rootcontext_sid = opts->rootcontext_sid;
c9180a57
EP		 700 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
701 rootcontext_sid))
702 goto out_double_mount;
c9180a57 703 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655 704 }
70f4169a
OM		 705 if (opts->defcontext_sid) {
706 defcontext_sid = opts->defcontext_sid;
c9180a57
EP		 707 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
708 defcontext_sid))
709 goto out_double_mount;
c9180a57 710 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 711 }
c9180a57
EP		 712 }
713
0d90a7ec 714 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 715 /* previously mounted with options, but not on this attempt? */
bd323655 716 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 717 goto out_double_mount;
718 rc = 0;
719 goto out;
720 }
721
089be43e 722 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 723 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
724
8e014720 725 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 726 !strcmp(sb->s_type->name, "tracefs") ||
a20456ae 727 !strcmp(sb->s_type->name, "binder") ||
4ca54d3d 728 !strcmp(sb->s_type->name, "bpf") ||
8a764ef1
CG		 729 !strcmp(sb->s_type->name, "pstore") ||
730 !strcmp(sb->s_type->name, "securityfs"))
b754026b
OM		 731 sbsec->flags |= SE_SBGENFS;
732
733 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 734 !strcmp(sb->s_type->name, "cgroup") ||
735 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 736 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 737
eb9ae686
DQ		 738 if (!sbsec->behavior) {
739 /*
740 * Determine the labeling behavior to use for this
741 * filesystem type.
742 */
e67b7985 743 rc = security_fs_use(sb);
eb9ae686 744 if (rc) {
c103a91e 745 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 746 __func__, sb->s_type->name, rc);
747 goto out;
748 }
c9180a57 749 }
aad82892
SF		 750
751 /*
01593d32
SS		 752 * If this is a user namespace mount and the filesystem type is not
753 * explicitly whitelisted, then no contexts are allowed on the command
754 * line and security labels must be ignored.
aad82892 755 */
01593d32
SS		 756 if (sb->s_user_ns != &init_user_ns &&
757 strcmp(sb->s_type->name, "tmpfs") &&
758 strcmp(sb->s_type->name, "ramfs") &&
7fa2e79a
VG		 759 strcmp(sb->s_type->name, "devpts") &&
760 strcmp(sb->s_type->name, "overlay")) {
aad82892
SF		 761 if (context_sid || fscontext_sid || rootcontext_sid ||
762 defcontext_sid) {
763 rc = -EACCES;
764 goto out;
765 }
766 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
767 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
e67b7985 768 rc = security_transition_sid(current_sid(),
aa8e712c 769 current_sid(),
aad82892
SF		 770 SECCLASS_FILE, NULL,
771 &sbsec->mntpoint_sid);
772 if (rc)
773 goto out;
774 }
775 goto out_set_opts;
776 }
777
c9180a57
EP		 778 /* sets the context of the superblock for the fs being mounted. */
779 if (fscontext_sid) {
275bb41e 780 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 781 if (rc)
c9180a57 782 goto out;
1da177e4 783
c9180a57 784 sbsec->sid = fscontext_sid;
c312feb2
EP		 785 }
786
787 /*
788 * Switch to using mount point labeling behavior.
789 * sets the label used on all file below the mountpoint, and will set
790 * the superblock context if not already set.
791 */
cec5fe70
OM		 792 if (sbsec->flags & SE_SBNATIVE) {
793 /*
794 * This means we are initializing a superblock that has been
795 * mounted before the SELinux was initialized and the
796 * filesystem requested native labeling. We had already
797 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
798 * in the original mount attempt, so now we just need to set
799 * the SECURITY_FS_USE_NATIVE behavior.
800 */
801 sbsec->behavior = SECURITY_FS_USE_NATIVE;
802 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
eb9ae686
DQ		 803 sbsec->behavior = SECURITY_FS_USE_NATIVE;
804 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
805 }
806
c9180a57
EP		 807 if (context_sid) {
808 if (!fscontext_sid) {
275bb41e
DH		 809 rc = may_context_mount_sb_relabel(context_sid, sbsec,
810 cred);
b04ea3ce 811 if (rc)
c9180a57
EP		 812 goto out;
813 sbsec->sid = context_sid;
b04ea3ce 814 } else {
275bb41e
DH		 815 rc = may_context_mount_inode_relabel(context_sid, sbsec,
816 cred);
b04ea3ce 817 if (rc)
c9180a57 818 goto out;
b04ea3ce 819 }
c9180a57
EP		 820 if (!rootcontext_sid)
821 rootcontext_sid = context_sid;
1da177e4 822
c9180a57 823 sbsec->mntpoint_sid = context_sid;
c312feb2 824 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 825 }
826
c9180a57 827 if (rootcontext_sid) {
275bb41e
DH		 828 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
829 cred);
0808925e 830 if (rc)
c9180a57 831 goto out;
0808925e 832
c9180a57 833 root_isec->sid = rootcontext_sid;
6f3be9f5 834 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 835 }
836
c9180a57 837 if (defcontext_sid) {
eb9ae686
DQ		 838 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
839 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 840 rc = -EINVAL;
c103a91e 841 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 842 "invalid for this filesystem type\n");
843 goto out;
1da177e4
LT		 844 }
845
c9180a57
EP		 846 if (defcontext_sid != sbsec->def_sid) {
847 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 848 sbsec, cred);
c9180a57
EP		 849 if (rc)
850 goto out;
851 }
1da177e4 852
c9180a57 853 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 854 }
855
aad82892 856out_set_opts:
c9180a57 857 rc = sb_finish_set_opts(sb);
1da177e4 858out:
c9180a57 859 mutex_unlock(&sbsec->lock);
1da177e4 860 return rc;
c9180a57
EP		 861out_double_mount:
862 rc = -EINVAL;
c103a91e 863 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 864 "security settings for (dev %s, type %s)\n", sb->s_id,
865 sb->s_type->name);
c9180a57 866 goto out;
1da177e4
LT		 867}
868
094f7b69
JL		 869static int selinux_cmp_sb_context(const struct super_block *oldsb,
870 const struct super_block *newsb)
871{
1aea7808
CS		 872 struct superblock_security_struct *old = selinux_superblock(oldsb);
873 struct superblock_security_struct *new = selinux_superblock(newsb);
094f7b69
JL		 874 char oldflags = old->flags & SE_MNTMASK;
875 char newflags = new->flags & SE_MNTMASK;
876
877 if (oldflags != newflags)
878 goto mismatch;
879 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
880 goto mismatch;
881 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
882 goto mismatch;
883 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
884 goto mismatch;
885 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 886 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
887 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 888 if (oldroot->sid != newroot->sid)
889 goto mismatch;
890 }
891 return 0;
892mismatch:
c103a91e 893 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 894 "different security settings for (dev %s, "
895 "type %s)\n", newsb->s_id, newsb->s_type->name);
896 return -EBUSY;
897}
898
899static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 900 struct super_block *newsb,
901 unsigned long kern_flags,
902 unsigned long *set_kern_flags)
1da177e4 903{
0b4d3452 904 int rc = 0;
1aea7808
CS		 905 const struct superblock_security_struct *oldsbsec =
906 selinux_superblock(oldsb);
907 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
1da177e4 908
c9180a57
EP		 909 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
910 int set_context = (oldsbsec->flags & CONTEXT_MNT);
911 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 912
0b4d3452
SM		 913 /*
914 * Specifying internal flags without providing a place to
915 * place the results is not allowed.
916 */
917 if (kern_flags && !set_kern_flags)
918 return -EINVAL;
919
cec5fe70
OM		 920 mutex_lock(&newsbsec->lock);
921
922 /*
923 * if the parent was able to be mounted it clearly had no special lsm
924 * mount options. thus we can safely deal with this superblock later
925 */
926 if (!selinux_initialized()) {
927 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
928 newsbsec->flags |= SE_SBNATIVE;
929 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
930 }
931 goto out;
932 }
933
c9180a57 934 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 935 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 936
094f7b69 937 /* if fs is reusing a sb, make sure that the contexts match */
3815a245 938 if (newsbsec->flags & SE_SBINITIALIZED) {
cec5fe70 939 mutex_unlock(&newsbsec->lock);
3815a245
BF		 940 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
941 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 942 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 943 }
5a552617 944
c9180a57
EP		 945 newsbsec->flags = oldsbsec->flags;
946
947 newsbsec->sid = oldsbsec->sid;
948 newsbsec->def_sid = oldsbsec->def_sid;
949 newsbsec->behavior = oldsbsec->behavior;
950
0b4d3452
SM		 951 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
e67b7985 953 rc = security_fs_use(newsb);
0b4d3452
SM		 954 if (rc)
955 goto out;
956 }
957
958 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
961 }
962
c9180a57
EP		 963 if (set_context) {
964 u32 sid = oldsbsec->mntpoint_sid;
965
966 if (!set_fscontext)
967 newsbsec->sid = sid;
968 if (!set_rootcontext) {
83da53c5 969 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 970 newisec->sid = sid;
971 }
972 newsbsec->mntpoint_sid = sid;
1da177e4 973 }
c9180a57 974 if (set_rootcontext) {
83da53c5
AG		 975 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 977
c9180a57 978 newisec->sid = oldisec->sid;
1da177e4
LT		 979 }
980
c9180a57 981 sb_finish_set_opts(newsb);
0b4d3452 982out:
c9180a57 983 mutex_unlock(&newsbsec->lock);
0b4d3452 984 return rc;
c9180a57
EP		 985}
986
ef54ccb6 987/*
3d9047a0 988 * NOTE: the caller is responsible for freeing the memory even if on error.
ef54ccb6 989 */
ba641862 990static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 991{
ba641862 992 struct selinux_mnt_opts *opts = *mnt_opts;
70f4169a
OM		 993 u32 *dst_sid;
994 int rc;
1da177e4 995
6cd9d4b9
PM		 996 if (token == Opt_seclabel)
997 /* eaten and completely ignored */
169d68ef 998 return 0;
2e08df3c 999 if (!s)
ef54ccb6 1000 return -EINVAL;
e0007529 1001
e67b7985 1002 if (!selinux_initialized()) {
70f4169a
OM		 1003 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1004 return -EINVAL;
1005 }
1006
ba641862 1007 if (!opts) {
6cd9d4b9 1008 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
ba641862
AV		 1009 if (!opts)
1010 return -ENOMEM;
1011 *mnt_opts = opts;
c9180a57 1012 }
2e08df3c 1013
ba641862
AV		 1014 switch (token) {
1015 case Opt_context:
70f4169a 1016 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 1017 goto err;
70f4169a 1018 dst_sid = &opts->context_sid;
ba641862
AV		 1019 break;
1020 case Opt_fscontext:
70f4169a 1021 if (opts->fscontext_sid)
6cd9d4b9 1022 goto err;
70f4169a 1023 dst_sid = &opts->fscontext_sid;
ba641862
AV		 1024 break;
1025 case Opt_rootcontext:
70f4169a 1026 if (opts->rootcontext_sid)
6cd9d4b9 1027 goto err;
70f4169a 1028 dst_sid = &opts->rootcontext_sid;
ba641862
AV		 1029 break;
1030 case Opt_defcontext:
70f4169a 1031 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 1032 goto err;
70f4169a 1033 dst_sid = &opts->defcontext_sid;
ba641862 1034 break;
70f4169a
OM		 1035 default:
1036 WARN_ON(1);
1037 return -EINVAL;
c9180a57 1038 }
e67b7985 1039 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
70f4169a
OM		 1040 if (rc)
1041 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1042 s, rc);
1043 return rc;
e2e0e097 1044
6cd9d4b9 1045err:
ba641862 1046 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1047 return -EINVAL;
e0007529 1048}
1da177e4 1049
e3489f89 1050static int show_sid(struct seq_file *m, u32 sid)
2069f457 1051{
e3489f89
AV		 1052 char *context = NULL;
1053 u32 len;
1054 int rc;
11689d47 1055
e67b7985 1056 rc = security_sid_to_context(sid, &context, &len);
e3489f89 1057 if (!rc) {
4d3d0ed6 1058 bool has_comma = strchr(context, ',');
2069f457 1059
442155c1 1060 seq_putc(m, '=');
2069f457
EP		 1061 if (has_comma)
1062 seq_putc(m, '\"');
e3489f89 1063 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1064 if (has_comma)
1065 seq_putc(m, '\"');
1066 }
e3489f89
AV		 1067 kfree(context);
1068 return rc;
2069f457
EP		 1069}
1070
1071static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1072{
1aea7808 1073 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2069f457
EP		 1074 int rc;
1075
e3489f89
AV		 1076 if (!(sbsec->flags & SE_SBINITIALIZED))
1077 return 0;
2069f457 1078
e67b7985 1079 if (!selinux_initialized())
e3489f89 1080 return 0;
2069f457 1081
e3489f89
AV		 1082 if (sbsec->flags & FSCONTEXT_MNT) {
1083 seq_putc(m, ',');
1084 seq_puts(m, FSCONTEXT_STR);
1085 rc = show_sid(m, sbsec->sid);
1086 if (rc)
1087 return rc;
1088 }
1089 if (sbsec->flags & CONTEXT_MNT) {
1090 seq_putc(m, ',');
1091 seq_puts(m, CONTEXT_STR);
1092 rc = show_sid(m, sbsec->mntpoint_sid);
1093 if (rc)
1094 return rc;
1095 }
1096 if (sbsec->flags & DEFCONTEXT_MNT) {
1097 seq_putc(m, ',');
1098 seq_puts(m, DEFCONTEXT_STR);
1099 rc = show_sid(m, sbsec->def_sid);
1100 if (rc)
1101 return rc;
1102 }
1103 if (sbsec->flags & ROOTCONTEXT_MNT) {
b159e86b 1104 struct dentry *root = sb->s_root;
e3489f89
AV		 1105 struct inode_security_struct *isec = backing_inode_security(root);
1106 seq_putc(m, ',');
1107 seq_puts(m, ROOTCONTEXT_STR);
1108 rc = show_sid(m, isec->sid);
1109 if (rc)
1110 return rc;
1111 }
1112 if (sbsec->flags & SBLABEL_MNT) {
1113 seq_putc(m, ',');
442155c1 1114 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1115 }
1116 return 0;
2069f457
EP		 1117}
1118
1da177e4
LT		 1119static inline u16 inode_mode_to_security_class(umode_t mode)
1120{
1121 switch (mode & S_IFMT) {
1122 case S_IFSOCK:
1123 return SECCLASS_SOCK_FILE;
1124 case S_IFLNK:
1125 return SECCLASS_LNK_FILE;
1126 case S_IFREG:
1127 return SECCLASS_FILE;
1128 case S_IFBLK:
1129 return SECCLASS_BLK_FILE;
1130 case S_IFDIR:
1131 return SECCLASS_DIR;
1132 case S_IFCHR:
1133 return SECCLASS_CHR_FILE;
1134 case S_IFIFO:
1135 return SECCLASS_FIFO_FILE;
1136
1137 }
1138
1139 return SECCLASS_FILE;
1140}
1141
13402580
JM		 1142static inline int default_protocol_stream(int protocol)
1143{
95ca9072
PA		 1144 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1145 protocol == IPPROTO_MPTCP);
13402580
JM		 1146}
1147
1148static inline int default_protocol_dgram(int protocol)
1149{
1150 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1151}
1152
1da177e4
LT		 1153static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1154{
a13479bb 1155 bool extsockclass = selinux_policycap_extsockclass();
da69a530 1156
1da177e4
LT		 1157 switch (family) {
1158 case PF_UNIX:
1159 switch (type) {
1160 case SOCK_STREAM:
1161 case SOCK_SEQPACKET:
1162 return SECCLASS_UNIX_STREAM_SOCKET;
1163 case SOCK_DGRAM:
2a764b52 1164 case SOCK_RAW:
1da177e4
LT		 1165 return SECCLASS_UNIX_DGRAM_SOCKET;
1166 }
1167 break;
1168 case PF_INET:
1169 case PF_INET6:
1170 switch (type) {
1171 case SOCK_STREAM:
da69a530 1172 case SOCK_SEQPACKET:
13402580
JM		 1173 if (default_protocol_stream(protocol))
1174 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1175 else if (extsockclass && protocol == IPPROTO_SCTP)
1176 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1177 else
1178 return SECCLASS_RAWIP_SOCKET;
1da177e4 1179 case SOCK_DGRAM:
13402580
JM		 1180 if (default_protocol_dgram(protocol))
1181 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1182 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1183 protocol == IPPROTO_ICMPV6))
da69a530 1184 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1185 else
1186 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1187 case SOCK_DCCP:
1188 return SECCLASS_DCCP_SOCKET;
13402580 1189 default:
1da177e4
LT		 1190 return SECCLASS_RAWIP_SOCKET;
1191 }
1192 break;
1193 case PF_NETLINK:
1194 switch (protocol) {
1195 case NETLINK_ROUTE:
1196 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1197 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1198 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1199 case NETLINK_NFLOG:
1200 return SECCLASS_NETLINK_NFLOG_SOCKET;
1201 case NETLINK_XFRM:
1202 return SECCLASS_NETLINK_XFRM_SOCKET;
1203 case NETLINK_SELINUX:
1204 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1205 case NETLINK_ISCSI:
1206 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1207 case NETLINK_AUDIT:
1208 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1209 case NETLINK_FIB_LOOKUP:
1210 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1211 case NETLINK_CONNECTOR:
1212 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1213 case NETLINK_NETFILTER:
1214 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1215 case NETLINK_DNRTMSG:
1216 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1217 case NETLINK_KOBJECT_UEVENT:
1218 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1219 case NETLINK_GENERIC:
1220 return SECCLASS_NETLINK_GENERIC_SOCKET;
1221 case NETLINK_SCSITRANSPORT:
1222 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1223 case NETLINK_RDMA:
1224 return SECCLASS_NETLINK_RDMA_SOCKET;
1225 case NETLINK_CRYPTO:
1226 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1227 default:
1228 return SECCLASS_NETLINK_SOCKET;
1229 }
1230 case PF_PACKET:
1231 return SECCLASS_PACKET_SOCKET;
1232 case PF_KEY:
1233 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1234 case PF_APPLETALK:
1235 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1236 }
1237
da69a530
SS		 1238 if (extsockclass) {
1239 switch (family) {
1240 case PF_AX25:
1241 return SECCLASS_AX25_SOCKET;
1242 case PF_IPX:
1243 return SECCLASS_IPX_SOCKET;
1244 case PF_NETROM:
1245 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1246 case PF_ATMPVC:
1247 return SECCLASS_ATMPVC_SOCKET;
1248 case PF_X25:
1249 return SECCLASS_X25_SOCKET;
1250 case PF_ROSE:
1251 return SECCLASS_ROSE_SOCKET;
1252 case PF_DECnet:
1253 return SECCLASS_DECNET_SOCKET;
1254 case PF_ATMSVC:
1255 return SECCLASS_ATMSVC_SOCKET;
1256 case PF_RDS:
1257 return SECCLASS_RDS_SOCKET;
1258 case PF_IRDA:
1259 return SECCLASS_IRDA_SOCKET;
1260 case PF_PPPOX:
1261 return SECCLASS_PPPOX_SOCKET;
1262 case PF_LLC:
1263 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1264 case PF_CAN:
1265 return SECCLASS_CAN_SOCKET;
1266 case PF_TIPC:
1267 return SECCLASS_TIPC_SOCKET;
1268 case PF_BLUETOOTH:
1269 return SECCLASS_BLUETOOTH_SOCKET;
1270 case PF_IUCV:
1271 return SECCLASS_IUCV_SOCKET;
1272 case PF_RXRPC:
1273 return SECCLASS_RXRPC_SOCKET;
1274 case PF_ISDN:
1275 return SECCLASS_ISDN_SOCKET;
1276 case PF_PHONET:
1277 return SECCLASS_PHONET_SOCKET;
1278 case PF_IEEE802154:
1279 return SECCLASS_IEEE802154_SOCKET;
1280 case PF_CAIF:
1281 return SECCLASS_CAIF_SOCKET;
1282 case PF_ALG:
1283 return SECCLASS_ALG_SOCKET;
1284 case PF_NFC:
1285 return SECCLASS_NFC_SOCKET;
1286 case PF_VSOCK:
1287 return SECCLASS_VSOCK_SOCKET;
1288 case PF_KCM:
1289 return SECCLASS_KCM_SOCKET;
1290 case PF_QIPCRTR:
1291 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1292 case PF_SMC:
1293 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1294 case PF_XDP:
1295 return SECCLASS_XDP_SOCKET;
bc49d816
JK		 1296 case PF_MCTP:
1297 return SECCLASS_MCTP_SOCKET;
1298#if PF_MAX > 46
da69a530
SS		 1299#error New address family defined, please update this function.
1300#endif
1301 }
1302 }
1303
1da177e4
LT		 1304 return SECCLASS_SOCKET;
1305}
1306
134509d5
SS		 1307static int selinux_genfs_get_sid(struct dentry *dentry,
1308 u16 tclass,
1309 u16 flags,
1310 u32 *sid)
1da177e4 1311{
8e6c9693 1312 int rc;
fc64005c 1313 struct super_block *sb = dentry->d_sb;
8e6c9693 1314 char *buffer, *path;
1da177e4 1315
828dfe1d 1316 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1317 if (!buffer)
1318 return -ENOMEM;
1319
8e6c9693
LAG		 1320 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1321 if (IS_ERR(path))
1322 rc = PTR_ERR(path);
1323 else {
134509d5
SS		 1324 if (flags & SE_SBPROC) {
1325 /* each process gets a /proc/PID/ entry. Strip off the
1326 * PID part to get a valid selinux labeling.
1327 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1328 while (path[1] >= '0' && path[1] <= '9') {
1329 path[1] = '/';
1330 path++;
1331 }
8e6c9693 1332 }
e67b7985 1333 rc = security_genfs_sid(sb->s_type->name,
aa8e712c 1334 path, tclass, sid);
7bb185ed
SS		 1335 if (rc == -ENOENT) {
1336 /* No match in policy, mark as unlabeled. */
1337 *sid = SECINITSID_UNLABELED;
1338 rc = 0;
1339 }
1da177e4 1340 }
1da177e4
LT		 1341 free_page((unsigned long)buffer);
1342 return rc;
1343}
1da177e4 1344
b754026b
OM		 1345static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1346 u32 def_sid, u32 *sid)
1347{
1348#define INITCONTEXTLEN 255
1349 char *context;
1350 unsigned int len;
1351 int rc;
1352
1353 len = INITCONTEXTLEN;
1354 context = kmalloc(len + 1, GFP_NOFS);
1355 if (!context)
1356 return -ENOMEM;
1357
1358 context[len] = '\0';
1359 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1360 if (rc == -ERANGE) {
1361 kfree(context);
1362
1363 /* Need a larger buffer. Query for the right size. */
1364 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1365 if (rc < 0)
1366 return rc;
1367
1368 len = rc;
1369 context = kmalloc(len + 1, GFP_NOFS);
1370 if (!context)
1371 return -ENOMEM;
1372
1373 context[len] = '\0';
1374 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1375 context, len);
1376 }
1377 if (rc < 0) {
1378 kfree(context);
1379 if (rc != -ENODATA) {
1380 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1381 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1382 return rc;
1383 }
1384 *sid = def_sid;
1385 return 0;
1386 }
1387
e67b7985 1388 rc = security_context_to_sid_default(context, rc, sid,
b754026b
OM		 1389 def_sid, GFP_NOFS);
1390 if (rc) {
1391 char *dev = inode->i_sb->s_id;
1392 unsigned long ino = inode->i_ino;
1393
1394 if (rc == -EINVAL) {
1395 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1396 ino, dev, context);
1397 } else {
1398 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1399 __func__, context, -rc, dev, ino);
1400 }
1401 }
1402 kfree(context);
1403 return 0;
1404}
1405
1da177e4
LT		 1406/* The inode's security attributes must be initialized before first use. */
1407static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1408{
1409 struct superblock_security_struct *sbsec = NULL;
80788c22 1410 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1411 u32 task_sid, sid = 0;
1412 u16 sclass;
1da177e4 1413 struct dentry *dentry;
1da177e4 1414 int rc = 0;
1da177e4 1415
6f3be9f5 1416 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1417 return 0;
1da177e4 1418
9287aed2 1419 spin_lock(&isec->lock);
6f3be9f5 1420 if (isec->initialized == LABEL_INITIALIZED)
23970741 1421 goto out_unlock;
1da177e4 1422
13457d07
AG		 1423 if (isec->sclass == SECCLASS_FILE)
1424 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1425
1aea7808 1426 sbsec = selinux_superblock(inode->i_sb);
0d90a7ec 1427 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1428 /* Defer initialization until selinux_complete_init,
1429 after the initial policy is loaded and the security
1430 server is ready to handle calls. */
1431 spin_lock(&sbsec->isec_lock);
1432 if (list_empty(&isec->list))
1433 list_add(&isec->list, &sbsec->isec_head);
1434 spin_unlock(&sbsec->isec_lock);
23970741 1435 goto out_unlock;
1da177e4
LT		 1436 }
1437
9287aed2
AG		 1438 sclass = isec->sclass;
1439 task_sid = isec->task_sid;
1440 sid = isec->sid;
1441 isec->initialized = LABEL_PENDING;
1442 spin_unlock(&isec->lock);
1443
1da177e4 1444 switch (sbsec->behavior) {
cec5fe70
OM		 1445 /*
1446 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1447 * via xattr when called from delayed_superblock_init().
1448 */
eb9ae686 1449 case SECURITY_FS_USE_NATIVE:
1da177e4 1450 case SECURITY_FS_USE_XATTR:
5d6c3191 1451 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1452 sid = sbsec->def_sid;
1da177e4
LT		 1453 break;
1454 }
1da177e4
LT		 1455 /* Need a dentry, since the xattr API requires one.
1456 Life would be simpler if we could just pass the inode. */
1457 if (opt_dentry) {
1458 /* Called from d_instantiate or d_splice_alias. */
1459 dentry = dget(opt_dentry);
1460 } else {
b127125d
AV		 1461 /*
1462 * Called from selinux_complete_init, try to find a dentry.
1463 * Some filesystems really want a connected one, so try
1464 * that first. We could split SECURITY_FS_USE_XATTR in
1465 * two, depending upon that...
1466 */
1da177e4 1467 dentry = d_find_alias(inode);
b127125d
AV		 1468 if (!dentry)
1469 dentry = d_find_any_alias(inode);
1da177e4
LT		 1470 }
1471 if (!dentry) {
df7f54c0
EP		 1472 /*
1473 * this is can be hit on boot when a file is accessed
1474 * before the policy is loaded. When we load policy we
1475 * may find inodes that have no dentry on the
1476 * sbsec->isec_head list. No reason to complain as these
1477 * will get fixed up the next time we go through
1478 * inode_doinit with a dentry, before these inodes could
1479 * be used again by userspace.
1480 */
200ea5a2 1481 goto out_invalid;
1da177e4
LT		 1482 }
1483
b754026b
OM		 1484 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1485 &sid);
1da177e4 1486 dput(dentry);
b754026b
OM		 1487 if (rc)
1488 goto out;
1da177e4
LT		 1489 break;
1490 case SECURITY_FS_USE_TASK:
9287aed2 1491 sid = task_sid;
1da177e4
LT		 1492 break;
1493 case SECURITY_FS_USE_TRANS:
1494 /* Default to the fs SID. */
9287aed2 1495 sid = sbsec->sid;
1da177e4
LT		 1496
1497 /* Try to obtain a transition SID. */
e67b7985 1498 rc = security_transition_sid(task_sid, sid,
aa8e712c 1499 sclass, NULL, &sid);
1da177e4 1500 if (rc)
9287aed2 1501 goto out;
1da177e4 1502 break;
c312feb2 1503 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1504 sid = sbsec->mntpoint_sid;
c312feb2 1505 break;
1da177e4 1506 default:
c312feb2 1507 /* Default to the fs superblock SID. */
9287aed2 1508 sid = sbsec->sid;
1da177e4 1509
7470d0d1
CG		 1510 if ((sbsec->flags & SE_SBGENFS) &&
1511 (!S_ISLNK(inode->i_mode) ||
1512 selinux_policycap_genfs_seclabel_symlinks())) {
f64410ec
PM		 1513 /* We must have a dentry to determine the label on
1514 * procfs inodes */
b127125d 1515 if (opt_dentry) {
f64410ec
PM		 1516 /* Called from d_instantiate or
1517 * d_splice_alias. */
1518 dentry = dget(opt_dentry);
b127125d 1519 } else {
f64410ec 1520 /* Called from selinux_complete_init, try to
b127125d
AV		 1521 * find a dentry. Some filesystems really want
1522 * a connected one, so try that first.
1523 */
f64410ec 1524 dentry = d_find_alias(inode);
b127125d
AV		 1525 if (!dentry)
1526 dentry = d_find_any_alias(inode);
1527 }
f64410ec
PM		 1528 /*
1529 * This can be hit on boot when a file is accessed
1530 * before the policy is loaded. When we load policy we
1531 * may find inodes that have no dentry on the
1532 * sbsec->isec_head list. No reason to complain as
1533 * these will get fixed up the next time we go through
1534 * inode_doinit() with a dentry, before these inodes
1535 * could be used again by userspace.
1536 */
1537 if (!dentry)
200ea5a2 1538 goto out_invalid;
9287aed2 1539 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1540 sbsec->flags, &sid);
b754026b
OM		 1541 if (rc) {
1542 dput(dentry);
9287aed2 1543 goto out;
b754026b
OM		 1544 }
1545
1546 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1547 (inode->i_opflags & IOP_XATTR)) {
1548 rc = inode_doinit_use_xattr(inode, dentry,
1549 sid, &sid);
1550 if (rc) {
1551 dput(dentry);
1552 goto out;
1553 }
1554 }
1555 dput(dentry);
1da177e4
LT		 1556 }
1557 break;
1558 }
1559
9287aed2
AG		 1560out:
1561 spin_lock(&isec->lock);
1562 if (isec->initialized == LABEL_PENDING) {
200ea5a2 1563 if (rc) {
9287aed2
AG		 1564 isec->initialized = LABEL_INVALID;
1565 goto out_unlock;
1566 }
9287aed2
AG		 1567 isec->initialized = LABEL_INITIALIZED;
1568 isec->sid = sid;
1569 }
1da177e4 1570
23970741 1571out_unlock:
9287aed2 1572 spin_unlock(&isec->lock);
1da177e4 1573 return rc;
200ea5a2
PM		 1574
1575out_invalid:
1576 spin_lock(&isec->lock);
1577 if (isec->initialized == LABEL_PENDING) {
1578 isec->initialized = LABEL_INVALID;
1579 isec->sid = sid;
1580 }
1581 spin_unlock(&isec->lock);
1582 return 0;
1da177e4
LT		 1583}
1584
1585/* Convert a Linux signal to an access vector. */
1586static inline u32 signal_to_av(int sig)
1587{
1588 u32 perm = 0;
1589
1590 switch (sig) {
1591 case SIGCHLD:
1592 /* Commonly granted from child to parent. */
1593 perm = PROCESS__SIGCHLD;
1594 break;
1595 case SIGKILL:
1596 /* Cannot be caught or ignored */
1597 perm = PROCESS__SIGKILL;
1598 break;
1599 case SIGSTOP:
1600 /* Cannot be caught or ignored */
1601 perm = PROCESS__SIGSTOP;
1602 break;
1603 default:
1604 /* All other signals. */
1605 perm = PROCESS__SIGNAL;
1606 break;
1607 }
1608
1609 return perm;
1610}
1611
b68e418c
SS		 1612#if CAP_LAST_CAP > 63
1613#error Fix SELinux to handle capabilities > 63.
1614#endif
1615
1da177e4 1616/* Check whether a task is allowed to use a capability. */
6a9de491 1617static int cred_has_capability(const struct cred *cred,
c1a85a00 1618 int cap, unsigned int opts, bool initns)
1da177e4 1619{
2bf49690 1620 struct common_audit_data ad;
06112163 1621 struct av_decision avd;
b68e418c 1622 u16 sclass;
3699c53c 1623 u32 sid = cred_sid(cred);
b68e418c 1624 u32 av = CAP_TO_MASK(cap);
06112163 1625 int rc;
1da177e4 1626
50c205f5 1627 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1628 ad.u.cap = cap;
1629
b68e418c
SS		 1630 switch (CAP_TO_INDEX(cap)) {
1631 case 0:
8e4ff6f2 1632 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1633 break;
1634 case 1:
8e4ff6f2 1635 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1636 break;
1637 default:
c103a91e 1638 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1639 BUG();
a35c6c83 1640 return -EINVAL;
b68e418c 1641 }
06112163 1642
e67b7985 1643 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
c1a85a00 1644 if (!(opts & CAP_OPT_NOAUDIT)) {
e67b7985 1645 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1646 if (rc2)
1647 return rc2;
1648 }
06112163 1649 return rc;
1da177e4
LT		 1650}
1651
1da177e4
LT		 1652/* Check whether a task has a particular permission to an inode.
1653 The 'adp' parameter is optional and allows other audit
1654 data to be passed (e.g. the dentry). */
88e67f3b 1655static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1656 struct inode *inode,
1657 u32 perms,
19e49834 1658 struct common_audit_data *adp)
1da177e4 1659{
1da177e4 1660 struct inode_security_struct *isec;
275bb41e 1661 u32 sid;
1da177e4 1662
828dfe1d 1663 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1664 return 0;
1665
88e67f3b 1666 sid = cred_sid(cred);
80788c22 1667 isec = selinux_inode(inode);
1da177e4 1668
e67b7985 1669 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1670}
1671
1672/* Same as inode_has_perm, but pass explicit audit data containing
1673 the dentry to help the auditing code to more easily generate the
1674 pathname if needed. */
88e67f3b 1675static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1676 struct dentry *dentry,
1677 u32 av)
1678{
c6f493d6 1679 struct inode *inode = d_backing_inode(dentry);
2bf49690 1680 struct common_audit_data ad;
88e67f3b 1681
50c205f5 1682 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1683 ad.u.dentry = dentry;
5d226df4 1684 __inode_security_revalidate(inode, dentry, true);
19e49834 1685 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1686}
1687
1688/* Same as inode_has_perm, but pass explicit audit data containing
1689 the path to help the auditing code to more easily generate the
1690 pathname if needed. */
1691static inline int path_has_perm(const struct cred *cred,
3f7036a0 1692 const struct path *path,
2875fa00
EP		 1693 u32 av)
1694{
c6f493d6 1695 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1696 struct common_audit_data ad;
1697
50c205f5 1698 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1699 ad.u.path = *path;
5d226df4 1700 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1701 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1702}
1703
13f8e981
DH		 1704/* Same as path_has_perm, but uses the inode from the file struct. */
1705static inline int file_path_has_perm(const struct cred *cred,
1706 struct file *file,
1707 u32 av)
1708{
1709 struct common_audit_data ad;
1710
43af5de7
VG		 1711 ad.type = LSM_AUDIT_DATA_FILE;
1712 ad.u.file = file;
19e49834 1713 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1714}
1715
f66e448c 1716#ifdef CONFIG_BPF_SYSCALL
8e4672d6 1717static int bpf_fd_pass(const struct file *file, u32 sid);
f66e448c
CF		 1718#endif
1719
1da177e4
LT		 1720/* Check whether a task can use an open file descriptor to
1721 access an inode in a given way. Check access to the
1722 descriptor itself, and then use dentry_has_perm to
1723 check a particular permission to the file.
1724 Access to the descriptor is implicitly granted if it
1725 has the same SID as the process. If av is zero, then
1726 access to the file is not checked, e.g. for cases
1727 where only the descriptor is affected like seek. */
88e67f3b
DH		 1728static int file_has_perm(const struct cred *cred,
1729 struct file *file,
1730 u32 av)
1da177e4 1731{
bb6c6b02 1732 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1733 struct inode *inode = file_inode(file);
2bf49690 1734 struct common_audit_data ad;
88e67f3b 1735 u32 sid = cred_sid(cred);
1da177e4
LT		 1736 int rc;
1737
43af5de7
VG		 1738 ad.type = LSM_AUDIT_DATA_FILE;
1739 ad.u.file = file;
1da177e4 1740
275bb41e 1741 if (sid != fsec->sid) {
e67b7985 1742 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1743 SECCLASS_FD,
1744 FD__USE,
1745 &ad);
1746 if (rc)
88e67f3b 1747 goto out;
1da177e4
LT		 1748 }
1749
f66e448c
CF		 1750#ifdef CONFIG_BPF_SYSCALL
1751 rc = bpf_fd_pass(file, cred_sid(cred));
1752 if (rc)
1753 return rc;
1754#endif
1755
1da177e4 1756 /* av is zero if only checking access to the descriptor. */
88e67f3b 1757 rc = 0;
1da177e4 1758 if (av)
19e49834 1759 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1760
88e67f3b
DH		 1761out:
1762 return rc;
1da177e4
LT		 1763}
1764
c3c188b2
DH		 1765/*
1766 * Determine the label for an inode that might be unioned.
1767 */
c957f6df
VG		 1768static int
1769selinux_determine_inode_label(const struct task_security_struct *tsec,
1770 struct inode *dir,
1771 const struct qstr *name, u16 tclass,
1772 u32 *_new_isid)
c3c188b2 1773{
1aea7808
CS		 1774 const struct superblock_security_struct *sbsec =
1775 selinux_superblock(dir->i_sb);
c3c188b2
DH		 1776
1777 if ((sbsec->flags & SE_SBINITIALIZED) &&
1778 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1779 *_new_isid = sbsec->mntpoint_sid;
1780 } else if ((sbsec->flags & SBLABEL_MNT) &&
1781 tsec->create_sid) {
1782 *_new_isid = tsec->create_sid;
1783 } else {
20cdef8d 1784 const struct inode_security_struct *dsec = inode_security(dir);
e67b7985 1785 return security_transition_sid(tsec->sid,
aa8e712c 1786 dsec->sid, tclass,
c3c188b2
DH		 1787 name, _new_isid);
1788 }
1789
1790 return 0;
1791}
1792
1da177e4
LT		 1793/* Check whether a task can create a file. */
1794static int may_create(struct inode *dir,
1795 struct dentry *dentry,
1796 u16 tclass)
1797{
0c6cfa62 1798 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1799 struct inode_security_struct *dsec;
1800 struct superblock_security_struct *sbsec;
275bb41e 1801 u32 sid, newsid;
2bf49690 1802 struct common_audit_data ad;
1da177e4
LT		 1803 int rc;
1804
83da53c5 1805 dsec = inode_security(dir);
1aea7808 1806 sbsec = selinux_superblock(dir->i_sb);
1da177e4 1807
275bb41e 1808 sid = tsec->sid;
275bb41e 1809
50c205f5 1810 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1811 ad.u.dentry = dentry;
1da177e4 1812
e67b7985 1813 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1814 DIR__ADD_NAME | DIR__SEARCH,
1815 &ad);
1816 if (rc)
1817 return rc;
1818
210a2928
YG		 1819 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1820 &newsid);
c3c188b2
DH		 1821 if (rc)
1822 return rc;
1da177e4 1823
e67b7985 1824 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1825 if (rc)
1826 return rc;
1827
e67b7985 1828 return avc_has_perm(newsid, sbsec->sid,
1da177e4
LT		 1829 SECCLASS_FILESYSTEM,
1830 FILESYSTEM__ASSOCIATE, &ad);
1831}
1832
828dfe1d
EP		 1833#define MAY_LINK 0
1834#define MAY_UNLINK 1
1835#define MAY_RMDIR 2
1da177e4
LT		 1836
1837/* Check whether a task can link, unlink, or rmdir a file/directory. */
1838static int may_link(struct inode *dir,
1839 struct dentry *dentry,
1840 int kind)
1841
1842{
1da177e4 1843 struct inode_security_struct *dsec, *isec;
2bf49690 1844 struct common_audit_data ad;
275bb41e 1845 u32 sid = current_sid();
1da177e4
LT		 1846 u32 av;
1847 int rc;
1848
83da53c5
AG		 1849 dsec = inode_security(dir);
1850 isec = backing_inode_security(dentry);
1da177e4 1851
50c205f5 1852 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1853 ad.u.dentry = dentry;
1da177e4
LT		 1854
1855 av = DIR__SEARCH;
1856 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
e67b7985 1857 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1858 if (rc)
1859 return rc;
1860
1861 switch (kind) {
1862 case MAY_LINK:
1863 av = FILE__LINK;
1864 break;
1865 case MAY_UNLINK:
1866 av = FILE__UNLINK;
1867 break;
1868 case MAY_RMDIR:
1869 av = DIR__RMDIR;
1870 break;
1871 default:
c103a91e 1872 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1873 __func__, kind);
1da177e4
LT		 1874 return 0;
1875 }
1876
e67b7985 1877 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1878 return rc;
1879}
1880
1881static inline int may_rename(struct inode *old_dir,
1882 struct dentry *old_dentry,
1883 struct inode *new_dir,
1884 struct dentry *new_dentry)
1885{
1da177e4 1886 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1887 struct common_audit_data ad;
275bb41e 1888 u32 sid = current_sid();
1da177e4
LT		 1889 u32 av;
1890 int old_is_dir, new_is_dir;
1891 int rc;
1892
83da53c5
AG		 1893 old_dsec = inode_security(old_dir);
1894 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1895 old_is_dir = d_is_dir(old_dentry);
83da53c5 1896 new_dsec = inode_security(new_dir);
1da177e4 1897
50c205f5 1898 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1899
a269434d 1900 ad.u.dentry = old_dentry;
e67b7985 1901 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1902 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1903 if (rc)
1904 return rc;
e67b7985 1905 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1906 old_isec->sclass, FILE__RENAME, &ad);
1907 if (rc)
1908 return rc;
1909 if (old_is_dir && new_dir != old_dir) {
e67b7985 1910 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1911 old_isec->sclass, DIR__REPARENT, &ad);
1912 if (rc)
1913 return rc;
1914 }
1915
a269434d 1916 ad.u.dentry = new_dentry;
1da177e4 1917 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1918 if (d_is_positive(new_dentry))
1da177e4 1919 av |= DIR__REMOVE_NAME;
e67b7985 1920 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1921 if (rc)
1922 return rc;
2c616d4d 1923 if (d_is_positive(new_dentry)) {
83da53c5 1924 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1925 new_is_dir = d_is_dir(new_dentry);
e67b7985 1926 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1927 new_isec->sclass,
1928 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1929 if (rc)
1930 return rc;
1931 }
1932
1933 return 0;
1934}
1935
1936/* Check whether a task can perform a filesystem operation. */
88e67f3b 1937static int superblock_has_perm(const struct cred *cred,
25cc71d1 1938 const struct super_block *sb,
1da177e4 1939 u32 perms,
2bf49690 1940 struct common_audit_data *ad)
1da177e4 1941{
1da177e4 1942 struct superblock_security_struct *sbsec;
88e67f3b 1943 u32 sid = cred_sid(cred);
1da177e4 1944
1aea7808 1945 sbsec = selinux_superblock(sb);
e67b7985 1946 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1947}
1948
1949/* Convert a Linux mode and permission mask to an access vector. */
1950static inline u32 file_mask_to_av(int mode, int mask)
1951{
1952 u32 av = 0;
1953
dba19c60 1954 if (!S_ISDIR(mode)) {
1da177e4
LT		 1955 if (mask & MAY_EXEC)
1956 av |= FILE__EXECUTE;
1957 if (mask & MAY_READ)
1958 av |= FILE__READ;
1959
1960 if (mask & MAY_APPEND)
1961 av |= FILE__APPEND;
1962 else if (mask & MAY_WRITE)
1963 av |= FILE__WRITE;
1964
1965 } else {
1966 if (mask & MAY_EXEC)
1967 av |= DIR__SEARCH;
1968 if (mask & MAY_WRITE)
1969 av |= DIR__WRITE;
1970 if (mask & MAY_READ)
1971 av |= DIR__READ;
1972 }
1973
1974 return av;
1975}
1976
8b6a5a37 1977/* Convert a Linux file to an access vector. */
8e4672d6 1978static inline u32 file_to_av(const struct file *file)
8b6a5a37
EP		 1979{
1980 u32 av = 0;
1981
1982 if (file->f_mode & FMODE_READ)
1983 av |= FILE__READ;
1984 if (file->f_mode & FMODE_WRITE) {
1985 if (file->f_flags & O_APPEND)
1986 av |= FILE__APPEND;
1987 else
1988 av |= FILE__WRITE;
1989 }
1990 if (!av) {
1991 /*
1992 * Special file opened with flags 3 for ioctl-only use.
1993 */
1994 av = FILE__IOCTL;
1995 }
1996
1997 return av;
1998}
1999
b0c636b9 2000/*
c76a2f9e 2001 * Convert a file to an access vector and include the correct
b0c636b9
EP		 2002 * open permission.
2003 */
8b6a5a37 2004static inline u32 open_file_to_av(struct file *file)
b0c636b9 2005{
8b6a5a37 2006 u32 av = file_to_av(file);
ccb54478 2007 struct inode *inode = file_inode(file);
b0c636b9 2008
aa8e712c
SS		 2009 if (selinux_policycap_openperm() &&
2010 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2011 av |= FILE__OPEN;
2012
b0c636b9
EP		 2013 return av;
2014}
2015
1da177e4
LT		 2016/* Hook functions begin here. */
2017
52f88693 2018static int selinux_binder_set_context_mgr(const struct cred *mgr)
79af7307 2019{
e67b7985 2020 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
79af7307
SS		 2021 BINDER__SET_CONTEXT_MGR, NULL);
2022}
2023
52f88693
TK		 2024static int selinux_binder_transaction(const struct cred *from,
2025 const struct cred *to)
79af7307
SS		 2026{
2027 u32 mysid = current_sid();
52f88693
TK		 2028 u32 fromsid = cred_sid(from);
2029 u32 tosid = cred_sid(to);
79af7307
SS		 2030 int rc;
2031
2032 if (mysid != fromsid) {
e67b7985 2033 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2034 BINDER__IMPERSONATE, NULL);
2035 if (rc)
2036 return rc;
2037 }
2038
e67b7985 2039 return avc_has_perm(fromsid, tosid,
eb1231f7 2040 SECCLASS_BINDER, BINDER__CALL, NULL);
79af7307
SS		 2041}
2042
52f88693
TK		 2043static int selinux_binder_transfer_binder(const struct cred *from,
2044 const struct cred *to)
79af7307 2045{
e67b7985 2046 return avc_has_perm(cred_sid(from), cred_sid(to),
eb1231f7 2047 SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2048 NULL);
2049}
2050
52f88693
TK		 2051static int selinux_binder_transfer_file(const struct cred *from,
2052 const struct cred *to,
8e4672d6 2053 const struct file *file)
79af7307 2054{
52f88693 2055 u32 sid = cred_sid(to);
bb6c6b02 2056 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2057 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2058 struct inode_security_struct *isec;
79af7307
SS		 2059 struct common_audit_data ad;
2060 int rc;
2061
2062 ad.type = LSM_AUDIT_DATA_PATH;
2063 ad.u.path = file->f_path;
2064
2065 if (sid != fsec->sid) {
e67b7985 2066 rc = avc_has_perm(sid, fsec->sid,
79af7307
SS		 2067 SECCLASS_FD,
2068 FD__USE,
2069 &ad);
2070 if (rc)
2071 return rc;
2072 }
2073
f66e448c
CF		 2074#ifdef CONFIG_BPF_SYSCALL
2075 rc = bpf_fd_pass(file, sid);
2076 if (rc)
2077 return rc;
2078#endif
2079
83da53c5 2080 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2081 return 0;
2082
20cdef8d 2083 isec = backing_inode_security(dentry);
e67b7985 2084 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2085 &ad);
2086}
2087
9e48858f 2088static int selinux_ptrace_access_check(struct task_struct *child,
eb1231f7 2089 unsigned int mode)
1da177e4 2090{
be0554c9 2091 u32 sid = current_sid();
eb1231f7 2092 u32 csid = task_sid_obj(child);
be0554c9
SS		 2093
2094 if (mode & PTRACE_MODE_READ)
e67b7985
SS		 2095 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2096 NULL);
006ebb40 2097
e67b7985
SS		 2098 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2099 NULL);
5cd9c58f
DH		 2100}
2101
2102static int selinux_ptrace_traceme(struct task_struct *parent)
2103{
e67b7985 2104 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
eb1231f7 2105 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
1da177e4
LT		 2106}
2107
6672efbb 2108static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2109 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2110{
e67b7985
SS		 2111 return avc_has_perm(current_sid(), task_sid_obj(target),
2112 SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
1da177e4
LT		 2113}
2114
d84f4f99
DH		 2115static int selinux_capset(struct cred *new, const struct cred *old,
2116 const kernel_cap_t *effective,
2117 const kernel_cap_t *inheritable,
2118 const kernel_cap_t *permitted)
1da177e4 2119{
e67b7985 2120 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2121 PROCESS__SETCAP, NULL);
1da177e4
LT		 2122}
2123
5626d3e8
JM		 2124/*
2125 * (This comment used to live with the selinux_task_setuid hook,
2126 * which was removed).
2127 *
2128 * Since setuid only affects the current process, and since the SELinux
2129 * controls are not based on the Linux identity attributes, SELinux does not
2130 * need to control this operation. However, SELinux does control the use of
2131 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2132 */
2133
6a9de491 2134static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2135 int cap, unsigned int opts)
1da177e4 2136{
c1a85a00 2137 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2138}
2139
25cc71d1 2140static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
1da177e4 2141{
88e67f3b 2142 const struct cred *cred = current_cred();
1da177e4
LT		 2143 int rc = 0;
2144
2145 if (!sb)
2146 return 0;
2147
2148 switch (cmds) {
828dfe1d
EP		 2149 case Q_SYNC:
2150 case Q_QUOTAON:
2151 case Q_QUOTAOFF:
2152 case Q_SETINFO:
2153 case Q_SETQUOTA:
e4cfa05e
RH		 2154 case Q_XQUOTAOFF:
2155 case Q_XQUOTAON:
2156 case Q_XSETQLIM:
88e67f3b 2157 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2158 break;
2159 case Q_GETFMT:
2160 case Q_GETINFO:
2161 case Q_GETQUOTA:
e4cfa05e
RH		 2162 case Q_XGETQUOTA:
2163 case Q_XGETQSTAT:
2164 case Q_XGETQSTATV:
2165 case Q_XGETNEXTQUOTA:
88e67f3b 2166 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2167 break;
2168 default:
2169 rc = 0; /* let the kernel handle invalid cmds */
2170 break;
1da177e4
LT		 2171 }
2172 return rc;
2173}
2174
2175static int selinux_quota_on(struct dentry *dentry)
2176{
88e67f3b
DH		 2177 const struct cred *cred = current_cred();
2178
2875fa00 2179 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2180}
2181
12b3052c 2182static int selinux_syslog(int type)
1da177e4 2183{
1da177e4 2184 switch (type) {
d78ca3cd
KC		 2185 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2186 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
e67b7985 2187 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9 2188 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2189 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2190 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2191 /* Set level of messages printed to console */
2192 case SYSLOG_ACTION_CONSOLE_LEVEL:
e67b7985 2193 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2194 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2195 NULL);
1da177e4 2196 }
be0554c9 2197 /* All other syslog types */
e67b7985 2198 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9 2199 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2200}
2201
2202/*
2203 * Check that a process has enough memory to allocate a new virtual
2204 * mapping. 0 means there is enough memory for the allocation to
2205 * succeed and -ENOMEM implies there is not.
2206 *
1da177e4
LT		 2207 * Do not audit the selinux permission check, as this is applied to all
2208 * processes that allocate mappings.
2209 */
34b4e4aa 2210static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2211{
2212 int rc, cap_sys_admin = 0;
1da177e4 2213
b1d9e6b0 2214 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2215 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2216 if (rc == 0)
2217 cap_sys_admin = 1;
2218
b1d9e6b0 2219 return cap_sys_admin;
1da177e4
LT		 2220}
2221
2222/* binprm security operations */
2223
be0554c9 2224static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2225{
2226 u32 sid = 0;
2227 struct task_struct *tracer;
2228
2229 rcu_read_lock();
be0554c9 2230 tracer = ptrace_parent(current);
0c6181cb 2231 if (tracer)
eb1231f7 2232 sid = task_sid_obj(tracer);
0c6181cb
PM		 2233 rcu_read_unlock();
2234
2235 return sid;
2236}
2237
7b0d0b40
SS		 2238static int check_nnp_nosuid(const struct linux_binprm *bprm,
2239 const struct task_security_struct *old_tsec,
2240 const struct task_security_struct *new_tsec)
2241{
2242 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2243 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2244 int rc;
af63f419 2245 u32 av;
7b0d0b40
SS		 2246
2247 if (!nnp && !nosuid)
2248 return 0; /* neither NNP nor nosuid */
2249
2250 if (new_tsec->sid == old_tsec->sid)
2251 return 0; /* No change in credentials */
2252
2253 /*
af63f419
SS		 2254 * If the policy enables the nnp_nosuid_transition policy capability,
2255 * then we permit transitions under NNP or nosuid if the
2256 * policy allows the corresponding permission between
2257 * the old and new contexts.
7b0d0b40 2258 */
aa8e712c 2259 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2260 av = 0;
7b0d0b40 2261 if (nnp)
af63f419
SS		 2262 av |= PROCESS2__NNP_TRANSITION;
2263 if (nosuid)
2264 av |= PROCESS2__NOSUID_TRANSITION;
e67b7985 2265 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
af63f419
SS		 2266 SECCLASS_PROCESS2, av, NULL);
2267 if (!rc)
2268 return 0;
7b0d0b40 2269 }
af63f419
SS		 2270
2271 /*
2272 * We also permit NNP or nosuid transitions to bounded SIDs,
2273 * i.e. SIDs that are guaranteed to only be allowed a subset
2274 * of the permissions of the current SID.
2275 */
e67b7985 2276 rc = security_bounded_transition(old_tsec->sid,
aa8e712c 2277 new_tsec->sid);
af63f419
SS		 2278 if (!rc)
2279 return 0;
2280
2281 /*
2282 * On failure, preserve the errno values for NNP vs nosuid.
2283 * NNP: Operation not permitted for caller.
2284 * nosuid: Permission denied to file.
2285 */
2286 if (nnp)
2287 return -EPERM;
2288 return -EACCES;
7b0d0b40
SS		 2289}
2290
b8bff599 2291static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
1da177e4 2292{
a6f76f23
DH		 2293 const struct task_security_struct *old_tsec;
2294 struct task_security_struct *new_tsec;
1da177e4 2295 struct inode_security_struct *isec;
2bf49690 2296 struct common_audit_data ad;
496ad9aa 2297 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2298 int rc;
2299
a6f76f23
DH		 2300 /* SELinux context only depends on initial program or script and not
2301 * the script interpreter */
1da177e4 2302
0c6cfa62
CS		 2303 old_tsec = selinux_cred(current_cred());
2304 new_tsec = selinux_cred(bprm->cred);
83da53c5 2305 isec = inode_security(inode);
1da177e4
LT		 2306
2307 /* Default to the current task SID. */
a6f76f23
DH		 2308 new_tsec->sid = old_tsec->sid;
2309 new_tsec->osid = old_tsec->sid;
1da177e4 2310
28eba5bf 2311 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2312 new_tsec->create_sid = 0;
2313 new_tsec->keycreate_sid = 0;
2314 new_tsec->sockcreate_sid = 0;
1da177e4 2315
a6f76f23
DH		 2316 if (old_tsec->exec_sid) {
2317 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2318 /* Reset exec SID on execve. */
a6f76f23 2319 new_tsec->exec_sid = 0;
259e5e6c 2320
7b0d0b40
SS		 2321 /* Fail on NNP or nosuid if not an allowed transition. */
2322 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2323 if (rc)
2324 return rc;
1da177e4
LT		 2325 } else {
2326 /* Check for a default transition on this program. */
e67b7985 2327 rc = security_transition_sid(old_tsec->sid,
aa8e712c 2328 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2329 &new_tsec->sid);
1da177e4
LT		 2330 if (rc)
2331 return rc;
7b0d0b40
SS		 2332
2333 /*
2334 * Fallback to old SID on NNP or nosuid if not an allowed
2335 * transition.
2336 */
2337 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2338 if (rc)
2339 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2340 }
2341
43af5de7
VG		 2342 ad.type = LSM_AUDIT_DATA_FILE;
2343 ad.u.file = bprm->file;
1da177e4 2344
a6f76f23 2345 if (new_tsec->sid == old_tsec->sid) {
e67b7985 2346 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2347 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2348 if (rc)
2349 return rc;
2350 } else {
2351 /* Check permissions for the transition. */
e67b7985 2352 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2353 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2354 if (rc)
2355 return rc;
2356
e67b7985 2357 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2358 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2359 if (rc)
2360 return rc;
2361
a6f76f23
DH		 2362 /* Check for shared state */
2363 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
e67b7985 2364 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2365 SECCLASS_PROCESS, PROCESS__SHARE,
2366 NULL);
2367 if (rc)
2368 return -EPERM;
2369 }
2370
2371 /* Make sure that anyone attempting to ptrace over a task that
2372 * changes its SID has the appropriate permit */
9227dd2a 2373 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2374 u32 ptsid = ptrace_parent_sid();
a6f76f23 2375 if (ptsid != 0) {
e67b7985 2376 rc = avc_has_perm(ptsid, new_tsec->sid,
a6f76f23
DH		 2377 SECCLASS_PROCESS,
2378 PROCESS__PTRACE, NULL);
2379 if (rc)
2380 return -EPERM;
2381 }
2382 }
1da177e4 2383
a6f76f23
DH		 2384 /* Clear any possibly unsafe personality bits on exec: */
2385 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2386
1da177e4
LT		 2387 /* Enable secure mode for SIDs transitions unless
2388 the noatsecure permission is granted between
2389 the two SIDs, i.e. ahp returns 0. */
e67b7985 2390 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2391 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2392 NULL);
2393 bprm->secureexec |= !!rc;
1da177e4
LT		 2394 }
2395
62874c3a 2396 return 0;
1da177e4
LT		 2397}
2398
c3c073f8
AV		 2399static int match_file(const void *p, struct file *file, unsigned fd)
2400{
2401 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2402}
2403
1da177e4 2404/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2405static inline void flush_unauthorized_files(const struct cred *cred,
2406 struct files_struct *files)
1da177e4 2407{
1da177e4 2408 struct file *file, *devnull = NULL;
b20c8122 2409 struct tty_struct *tty;
24ec839c 2410 int drop_tty = 0;
c3c073f8 2411 unsigned n;
1da177e4 2412
24ec839c 2413 tty = get_current_tty();
1da177e4 2414 if (tty) {
4a510969 2415 spin_lock(&tty->files_lock);
37dd0bd0 2416 if (!list_empty(&tty->tty_files)) {
d996b62a 2417 struct tty_file_private *file_priv;
37dd0bd0 2418
1da177e4 2419 /* Revalidate access to controlling tty.
13f8e981
DH		 2420 Use file_path_has_perm on the tty path directly
2421 rather than using file_has_perm, as this particular
2422 open file may belong to another process and we are
2423 only interested in the inode-based check here. */
d996b62a
NP		 2424 file_priv = list_first_entry(&tty->tty_files,
2425 struct tty_file_private, list);
2426 file = file_priv->file;
13f8e981 2427 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2428 drop_tty = 1;
1da177e4 2429 }
4a510969 2430 spin_unlock(&tty->files_lock);
452a00d2 2431 tty_kref_put(tty);
1da177e4 2432 }
98a27ba4
EB		 2433 /* Reset controlling tty. */
2434 if (drop_tty)
2435 no_tty();
1da177e4
LT		 2436
2437 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2438 n = iterate_fd(files, 0, match_file, cred);
2439 if (!n) /* none found? */
2440 return;
1da177e4 2441
c3c073f8 2442 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2443 if (IS_ERR(devnull))
2444 devnull = NULL;
2445 /* replace all the matching ones with this */
2446 do {
2447 replace_fd(n - 1, devnull, 0);
2448 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2449 if (devnull)
c3c073f8 2450 fput(devnull);
1da177e4
LT		 2451}
2452
a6f76f23
DH		 2453/*
2454 * Prepare a process for imminent new credential changes due to exec
2455 */
64fc9526 2456static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
1da177e4 2457{
a6f76f23
DH		 2458 struct task_security_struct *new_tsec;
2459 struct rlimit *rlim, *initrlim;
2460 int rc, i;
d84f4f99 2461
0c6cfa62 2462 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2463 if (new_tsec->sid == new_tsec->osid)
2464 return;
1da177e4 2465
a6f76f23
DH		 2466 /* Close files for which the new task SID is not authorized. */
2467 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2468
a6f76f23
DH		 2469 /* Always clear parent death signal on SID transitions. */
2470 current->pdeath_signal = 0;
0356357c 2471
a6f76f23
DH		 2472 /* Check whether the new SID can inherit resource limits from the old
2473 * SID. If not, reset all soft limits to the lower of the current
2474 * task's hard limit and the init task's soft limit.
2475 *
2476 * Note that the setting of hard limits (even to lower them) can be
2477 * controlled by the setrlimit check. The inclusion of the init task's
2478 * soft limit into the computation is to avoid resetting soft limits
2479 * higher than the default soft limit for cases where the default is
2480 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2481 */
e67b7985 2482 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2483 PROCESS__RLIMITINH, NULL);
2484 if (rc) {
eb2d55a3
ON		 2485 /* protect against do_prlimit() */
2486 task_lock(current);
a6f76f23
DH		 2487 for (i = 0; i < RLIM_NLIMITS; i++) {
2488 rlim = current->signal->rlim + i;
2489 initrlim = init_task.signal->rlim + i;
2490 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2491 }
eb2d55a3 2492 task_unlock(current);
baa73d9e
NP		 2493 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2494 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2495 }
2496}
2497
2498/*
a6f76f23
DH		 2499 * Clean up the process immediately after the installation of new credentials
2500 * due to exec
1da177e4 2501 */
a721f7b8 2502static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
1da177e4 2503{
0c6cfa62 2504 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2505 u32 osid, sid;
ddbc7d06 2506 int rc;
1da177e4 2507
a6f76f23
DH		 2508 osid = tsec->osid;
2509 sid = tsec->sid;
2510
2511 if (sid == osid)
1da177e4
LT		 2512 return;
2513
a6f76f23
DH		 2514 /* Check whether the new SID can inherit signal state from the old SID.
2515 * If not, clear itimers to avoid subsequent signal generation and
2516 * flush and unblock signals.
2517 *
2518 * This must occur _after_ the task SID has been updated so that any
2519 * kill done after the flush will be checked against the new SID.
2520 */
e67b7985 2521 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2522 if (rc) {
ddbc7d06
AB		 2523 clear_itimer();
2524
0e326df0 2525 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
9e7c8f8c
ON		 2526 if (!fatal_signal_pending(current)) {
2527 flush_sigqueue(&current->pending);
2528 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2529 flush_signal_handlers(current, 1);
2530 sigemptyset(&current->blocked);
9e7c8f8c 2531 recalc_sigpending();
3bcac026 2532 }
0e326df0 2533 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
1da177e4
LT		 2534 }
2535
a6f76f23
DH		 2536 /* Wake up the parent if it is waiting so that it can recheck
2537 * wait permission to the new task SID. */
ecd6de3c 2538 read_lock(&tasklist_lock);
0e326df0 2539 __wake_up_parent(current, unrcu_pointer(current->real_parent));
ecd6de3c 2540 read_unlock(&tasklist_lock);
1da177e4
LT		 2541}
2542
2543/* superblock security operations */
2544
2545static int selinux_sb_alloc_security(struct super_block *sb)
2546{
1aea7808 2547 struct superblock_security_struct *sbsec = selinux_superblock(sb);
cb89e246
PM		 2548
2549 mutex_init(&sbsec->lock);
2550 INIT_LIST_HEAD(&sbsec->isec_head);
2551 spin_lock_init(&sbsec->isec_lock);
cb89e246
PM		 2552 sbsec->sid = SECINITSID_UNLABELED;
2553 sbsec->def_sid = SECINITSID_FILE;
2554 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
cb89e246
PM		 2555
2556 return 0;
1da177e4
LT		 2557}
2558
99dbbb59 2559static inline int opt_len(const char *s)
1da177e4 2560{
99dbbb59
AV		 2561 bool open_quote = false;
2562 int len;
2563 char c;
1da177e4 2564
99dbbb59
AV		 2565 for (len = 0; (c = s[len]) != '\0'; len++) {
2566 if (c == '"')
2567 open_quote = !open_quote;
2568 if (c == ',' && !open_quote)
2569 break;
3528a953 2570 }
99dbbb59 2571 return len;
3528a953
CO		 2572}
2573
99dbbb59 2574static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2575{
99dbbb59
AV		 2576 char *from = options;
2577 char *to = options;
2578 bool first = true;
fec63753 2579 int rc;
1da177e4 2580
99dbbb59
AV		 2581 while (1) {
2582 int len = opt_len(from);
fec63753 2583 int token;
99dbbb59 2584 char *arg = NULL;
1da177e4 2585
99dbbb59 2586 token = match_opt_prefix(from, len, &arg);
1da177e4 2587
99dbbb59
AV		 2588 if (token != Opt_error) {
2589 char *p, *q;
1da177e4 2590
99dbbb59
AV		 2591 /* strip quotes */
2592 if (arg) {
2593 for (p = q = arg; p < from + len; p++) {
2594 char c = *p;
2595 if (c != '"')
2596 *q++ = c;
2597 }
2598 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2599 if (!arg) {
2600 rc = -ENOMEM;
2601 goto free_opt;
2602 }
99dbbb59
AV		 2603 }
2604 rc = selinux_add_opt(token, arg, mnt_opts);
cad140d0
CG		 2605 kfree(arg);
2606 arg = NULL;
99dbbb59 2607 if (unlikely(rc)) {
fec63753 2608 goto free_opt;
99dbbb59
AV		 2609 }
2610 } else {
2611 if (!first) { // copy with preceding comma
2612 from--;
2613 len++;
2614 }
2615 if (to != from)
2616 memmove(to, from, len);
2617 to += len;
2618 first = false;
1da177e4 2619 }
99dbbb59
AV		 2620 if (!from[len])
2621 break;
2622 from += len + 1;
2623 }
2624 *to = '\0';
2625 return 0;
fec63753
GZ		 2626
2627free_opt:
2628 if (*mnt_opts) {
2629 selinux_free_mnt_opts(*mnt_opts);
2630 *mnt_opts = NULL;
2631 }
2632 return rc;
1da177e4
LT		 2633}
2634
69c4a42d
OK		 2635static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2636{
2637 struct selinux_mnt_opts *opts = mnt_opts;
0266c25e 2638 struct superblock_security_struct *sbsec = selinux_superblock(sb);
69c4a42d
OK		 2639
2640 /*
2641 * Superblock not initialized (i.e. no options) - reject if any
2642 * options specified, otherwise accept.
2643 */
2644 if (!(sbsec->flags & SE_SBINITIALIZED))
2645 return opts ? 1 : 0;
2646
2647 /*
2648 * Superblock initialized and no options specified - reject if
2649 * superblock has any options set, otherwise accept.
2650 */
2651 if (!opts)
2652 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2653
70f4169a
OM		 2654 if (opts->fscontext_sid) {
2655 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2656 opts->fscontext_sid))
69c4a42d
OK		 2657 return 1;
2658 }
70f4169a
OM		 2659 if (opts->context_sid) {
2660 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2661 opts->context_sid))
69c4a42d
OK		 2662 return 1;
2663 }
70f4169a
OM		 2664 if (opts->rootcontext_sid) {
2665 struct inode_security_struct *root_isec;
b8b87fd9 2666
70f4169a
OM		 2667 root_isec = backing_inode_security(sb->s_root);
2668 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2669 opts->rootcontext_sid))
69c4a42d 2670 return 1;
70f4169a
OM		 2671 }
2672 if (opts->defcontext_sid) {
2673 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2674 opts->defcontext_sid))
69c4a42d
OK		 2675 return 1;
2676 }
2677 return 0;
2678}
2679
204cc0cc 2680static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2681{
bd323655 2682 struct selinux_mnt_opts *opts = mnt_opts;
1aea7808 2683 struct superblock_security_struct *sbsec = selinux_superblock(sb);
026eb167
EP		 2684
2685 if (!(sbsec->flags & SE_SBINITIALIZED))
2686 return 0;
2687
204cc0cc 2688 if (!opts)
026eb167
EP		 2689 return 0;
2690
70f4169a 2691 if (opts->fscontext_sid) {
6bc1968c
SM		 2692 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2693 opts->fscontext_sid))
bd323655 2694 goto out_bad_option;
026eb167 2695 }
70f4169a 2696 if (opts->context_sid) {
6bc1968c
SM		 2697 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2698 opts->context_sid))
bd323655
AV		 2699 goto out_bad_option;
2700 }
70f4169a 2701 if (opts->rootcontext_sid) {
bd323655
AV		 2702 struct inode_security_struct *root_isec;
2703 root_isec = backing_inode_security(sb->s_root);
6bc1968c
SM		 2704 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2705 opts->rootcontext_sid))
bd323655
AV		 2706 goto out_bad_option;
2707 }
70f4169a 2708 if (opts->defcontext_sid) {
6bc1968c
SM		 2709 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2710 opts->defcontext_sid))
bd323655 2711 goto out_bad_option;
026eb167 2712 }
c039bc3c 2713 return 0;
026eb167 2714
026eb167 2715out_bad_option:
c103a91e 2716 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2717 "during remount (dev %s, type=%s)\n", sb->s_id,
2718 sb->s_type->name);
c039bc3c 2719 return -EINVAL;
026eb167
EP		 2720}
2721
20a2aa47 2722static int selinux_sb_kern_mount(const struct super_block *sb)
1da177e4 2723{
88e67f3b 2724 const struct cred *cred = current_cred();
2bf49690 2725 struct common_audit_data ad;
74192246 2726
50c205f5 2727 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2728 ad.u.dentry = sb->s_root;
88e67f3b 2729 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2730}
2731
726c3342 2732static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2733{
88e67f3b 2734 const struct cred *cred = current_cred();
2bf49690 2735 struct common_audit_data ad;
1da177e4 2736
50c205f5 2737 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2738 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2739 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2740}
2741
808d4e3c 2742static int selinux_mount(const char *dev_name,
8a04c43b 2743 const struct path *path,
808d4e3c 2744 const char *type,
828dfe1d
EP		 2745 unsigned long flags,
2746 void *data)
1da177e4 2747{
88e67f3b 2748 const struct cred *cred = current_cred();
1da177e4
LT		 2749
2750 if (flags & MS_REMOUNT)
d8c9584e 2751 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2752 FILESYSTEM__REMOUNT, NULL);
1da177e4 2753 else
2875fa00 2754 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2755}
2756
98aa0034
SS		 2757static int selinux_move_mount(const struct path *from_path,
2758 const struct path *to_path)
2759{
2760 const struct cred *cred = current_cred();
2761
2762 return path_has_perm(cred, to_path, FILE__MOUNTON);
2763}
2764
1da177e4
LT		 2765static int selinux_umount(struct vfsmount *mnt, int flags)
2766{
88e67f3b 2767 const struct cred *cred = current_cred();
1da177e4 2768
88e67f3b 2769 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2770 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2771}
2772
d80a8f1b
DH		 2773static int selinux_fs_context_submount(struct fs_context *fc,
2774 struct super_block *reference)
2775{
ccf1dab9 2776 const struct superblock_security_struct *sbsec = selinux_superblock(reference);
d80a8f1b
DH		 2777 struct selinux_mnt_opts *opts;
2778
ccf1dab9
OM		 2779 /*
2780 * Ensure that fc->security remains NULL when no options are set
2781 * as expected by selinux_set_mnt_opts().
2782 */
2783 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2784 return 0;
2785
d80a8f1b
DH		 2786 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2787 if (!opts)
2788 return -ENOMEM;
2789
d80a8f1b
DH		 2790 if (sbsec->flags & FSCONTEXT_MNT)
2791 opts->fscontext_sid = sbsec->sid;
2792 if (sbsec->flags & CONTEXT_MNT)
2793 opts->context_sid = sbsec->mntpoint_sid;
2794 if (sbsec->flags & DEFCONTEXT_MNT)
2795 opts->defcontext_sid = sbsec->def_sid;
2796 fc->security = opts;
2797 return 0;
2798}
2799
0b52075e
AV		 2800static int selinux_fs_context_dup(struct fs_context *fc,
2801 struct fs_context *src_fc)
2802{
2803 const struct selinux_mnt_opts *src = src_fc->security;
0b52075e
AV		 2804
2805 if (!src)
2806 return 0;
2807
70f4169a
OM		 2808 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2809 return fc->security ? 0 : -ENOMEM;
0b52075e
AV		 2810}
2811
d7167b14 2812static const struct fs_parameter_spec selinux_fs_parameters[] = {
442155c1
DH		 2813 fsparam_string(CONTEXT_STR, Opt_context),
2814 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2815 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2816 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2817 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2818 {}
2819};
2820
442155c1
DH		 2821static int selinux_fs_context_parse_param(struct fs_context *fc,
2822 struct fs_parameter *param)
2823{
2824 struct fs_parse_result result;
cad140d0 2825 int opt;
442155c1 2826
d7167b14 2827 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
442155c1
DH		 2828 if (opt < 0)
2829 return opt;
2830
cad140d0 2831 return selinux_add_opt(opt, param->string, &fc->security);
442155c1
DH		 2832}
2833
1da177e4
LT		 2834/* inode security operations */
2835
2836static int selinux_inode_alloc_security(struct inode *inode)
2837{
cb89e246
PM		 2838 struct inode_security_struct *isec = selinux_inode(inode);
2839 u32 sid = current_sid();
2840
2841 spin_lock_init(&isec->lock);
2842 INIT_LIST_HEAD(&isec->list);
2843 isec->inode = inode;
2844 isec->sid = SECINITSID_UNLABELED;
2845 isec->sclass = SECCLASS_FILE;
2846 isec->task_sid = sid;
2847 isec->initialized = LABEL_INVALID;
2848
2849 return 0;
1da177e4
LT		 2850}
2851
2852static void selinux_inode_free_security(struct inode *inode)
2853{
2854 inode_free_security(inode);
2855}
2856
d47be3df 2857static int selinux_dentry_init_security(struct dentry *dentry, int mode,
15bf3239
VG		 2858 const struct qstr *name,
2859 const char **xattr_name, void **ctx,
d47be3df
DQ		 2860 u32 *ctxlen)
2861{
d47be3df
DQ		 2862 u32 newsid;
2863 int rc;
2864
0c6cfa62 2865 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2866 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2867 inode_mode_to_security_class(mode),
2868 &newsid);
2869 if (rc)
2870 return rc;
d47be3df 2871
15bf3239
VG		 2872 if (xattr_name)
2873 *xattr_name = XATTR_NAME_SELINUX;
2874
e67b7985 2875 return security_sid_to_context(newsid, (char **)ctx,
aa8e712c 2876 ctxlen);
d47be3df
DQ		 2877}
2878
a518b0a5
VG		 2879static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2880 struct qstr *name,
2881 const struct cred *old,
2882 struct cred *new)
2883{
2884 u32 newsid;
2885 int rc;
2886 struct task_security_struct *tsec;
2887
0c6cfa62 2888 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2889 d_inode(dentry->d_parent), name,
2890 inode_mode_to_security_class(mode),
2891 &newsid);
2892 if (rc)
2893 return rc;
2894
0c6cfa62 2895 tsec = selinux_cred(new);
a518b0a5
VG		 2896 tsec->create_sid = newsid;
2897 return 0;
2898}
2899
5e41ff9e 2900static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b 2901 const struct qstr *qstr,
6bcdfd2c 2902 struct xattr *xattrs, int *xattr_count)
5e41ff9e 2903{
0c6cfa62 2904 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2905 struct superblock_security_struct *sbsec;
6bcdfd2c 2906 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
c0d4f464 2907 u32 newsid, clen;
5e41ff9e 2908 int rc;
9548906b 2909 char *context;
5e41ff9e 2910
1aea7808 2911 sbsec = selinux_superblock(dir->i_sb);
5e41ff9e 2912
275bb41e
DH		 2913 newsid = tsec->create_sid;
2914
210a2928 2915 rc = selinux_determine_inode_label(tsec, dir, qstr,
c3c188b2
DH		 2916 inode_mode_to_security_class(inode->i_mode),
2917 &newsid);
2918 if (rc)
2919 return rc;
5e41ff9e 2920
296fddf7 2921 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2922 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2923 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2924 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2925 isec->sid = newsid;
6f3be9f5 2926 isec->initialized = LABEL_INITIALIZED;
296fddf7 2927 }
5e41ff9e 2928
e67b7985 2929 if (!selinux_initialized() ||
65cddd50 2930 !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2931 return -EOPNOTSUPP;
2932
6bcdfd2c 2933 if (xattr) {
e67b7985 2934 rc = security_sid_to_context_force(newsid,
aa8e712c 2935 &context, &clen);
9548906b 2936 if (rc)
570bc1c2 2937 return rc;
6bcdfd2c
RS		 2938 xattr->value = context;
2939 xattr->value_len = clen;
2940 xattr->name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2941 }
5e41ff9e 2942
5e41ff9e
SS		 2943 return 0;
2944}
2945
29cd6591
DC		 2946static int selinux_inode_init_security_anon(struct inode *inode,
2947 const struct qstr *name,
2948 const struct inode *context_inode)
2949{
2950 const struct task_security_struct *tsec = selinux_cred(current_cred());
2951 struct common_audit_data ad;
2952 struct inode_security_struct *isec;
2953 int rc;
2954
e67b7985 2955 if (unlikely(!selinux_initialized()))
29cd6591
DC		 2956 return 0;
2957
2958 isec = selinux_inode(inode);
2959
2960 /*
2961 * We only get here once per ephemeral inode. The inode has
2962 * been initialized via inode_alloc_security but is otherwise
2963 * untouched.
2964 */
2965
2966 if (context_inode) {
2967 struct inode_security_struct *context_isec =
2968 selinux_inode(context_inode);
2969 if (context_isec->initialized != LABEL_INITIALIZED) {
e5faa839 2970 pr_err("SELinux: context_inode is not initialized\n");
29cd6591
DC		 2971 return -EACCES;
2972 }
2973
2974 isec->sclass = context_isec->sclass;
2975 isec->sid = context_isec->sid;
2976 } else {
2977 isec->sclass = SECCLASS_ANON_INODE;
2978 rc = security_transition_sid(
e67b7985 2979 tsec->sid, tsec->sid,
29cd6591
DC		 2980 isec->sclass, name, &isec->sid);
2981 if (rc)
2982 return rc;
2983 }
2984
2985 isec->initialized = LABEL_INITIALIZED;
2986 /*
2987 * Now that we've initialized security, check whether we're
2988 * allowed to actually create this type of anonymous inode.
2989 */
2990
c29722fa
CG		 2991 ad.type = LSM_AUDIT_DATA_ANONINODE;
2992 ad.u.anonclass = name ? (const char *)name->name : "?";
29cd6591 2993
e67b7985 2994 return avc_has_perm(tsec->sid,
29cd6591
DC		 2995 isec->sid,
2996 isec->sclass,
2997 FILE__CREATE,
2998 &ad);
2999}
3000
4acdaf27 3001static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3002{
3003 return may_create(dir, dentry, SECCLASS_FILE);
3004}
3005
1da177e4
LT		 3006static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3007{
1da177e4
LT		 3008 return may_link(dir, old_dentry, MAY_LINK);
3009}
3010
1da177e4
LT		 3011static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3012{
1da177e4
LT		 3013 return may_link(dir, dentry, MAY_UNLINK);
3014}
3015
3016static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3017{
3018 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3019}
3020
18bb1db3 3021static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3022{
3023 return may_create(dir, dentry, SECCLASS_DIR);
3024}
3025
1da177e4
LT		 3026static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3027{
3028 return may_link(dir, dentry, MAY_RMDIR);
3029}
3030
1a67aafb 3031static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3032{
1da177e4
LT		 3033 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3034}
3035
1da177e4 3036static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3037 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3038{
3039 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3040}
3041
1da177e4
LT		 3042static int selinux_inode_readlink(struct dentry *dentry)
3043{
88e67f3b
DH		 3044 const struct cred *cred = current_cred();
3045
2875fa00 3046 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3047}
3048
bda0be7a
N		 3049static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3050 bool rcu)
1da177e4 3051{
88e67f3b 3052 const struct cred *cred = current_cred();
bda0be7a
N		 3053 struct common_audit_data ad;
3054 struct inode_security_struct *isec;
3055 u32 sid;
1da177e4 3056
bda0be7a
N		 3057 ad.type = LSM_AUDIT_DATA_DENTRY;
3058 ad.u.dentry = dentry;
3059 sid = cred_sid(cred);
5d226df4
AG		 3060 isec = inode_security_rcu(inode, rcu);
3061 if (IS_ERR(isec))
3062 return PTR_ERR(isec);
bda0be7a 3063
e67b7985 3064 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
1da177e4
LT		 3065}
3066
d4cf970d
EP		 3067static noinline int audit_inode_permission(struct inode *inode,
3068 u32 perms, u32 audited, u32 denied,
0188d5c0 3069 int result)
1da177e4 3070{
b782e0a6 3071 struct common_audit_data ad;
80788c22 3072 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d 3073
50c205f5 3074 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3075 ad.u.inode = inode;
3076
e67b7985 3077 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
0188d5c0 3078 audited, denied, result, &ad);
d4cf970d
EP		 3079}
3080
e74f71eb 3081static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3082{
88e67f3b 3083 const struct cred *cred = current_cred();
b782e0a6
EP		 3084 u32 perms;
3085 bool from_access;
5298d0b9 3086 bool no_block = mask & MAY_NOT_BLOCK;
2e334057
EP		 3087 struct inode_security_struct *isec;
3088 u32 sid;
3089 struct av_decision avd;
3090 int rc, rc2;
3091 u32 audited, denied;
1da177e4 3092
b782e0a6 3093 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3094 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3095
b782e0a6
EP		 3096 /* No permission to check. Existence test. */
3097 if (!mask)
1da177e4 3098 return 0;
1da177e4 3099
2e334057
EP		 3100 if (unlikely(IS_PRIVATE(inode)))
3101 return 0;
b782e0a6
EP		 3102
3103 perms = file_mask_to_av(inode->i_mode, mask);
3104
2e334057 3105 sid = cred_sid(cred);
5298d0b9 3106 isec = inode_security_rcu(inode, no_block);
5d226df4
AG		 3107 if (IS_ERR(isec))
3108 return PTR_ERR(isec);
2e334057 3109
e67b7985 3110 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3a28cff3 3111 &avd);
2e334057
EP		 3112 audited = avc_audit_required(perms, &avd, rc,
3113 from_access ? FILE__AUDIT_ACCESS : 0,
3114 &denied);
3115 if (likely(!audited))
3116 return rc;
3117
0188d5c0 3118 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
2e334057
EP		 3119 if (rc2)
3120 return rc2;
3121 return rc;
1da177e4
LT		 3122}
3123
3124static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3125{
88e67f3b 3126 const struct cred *cred = current_cred();
ccb54478 3127 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3128 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3129 __u32 av = FILE__WRITE;
1da177e4 3130
bc6a6008
AW		 3131 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3132 if (ia_valid & ATTR_FORCE) {
3133 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3134 ATTR_FORCE);
3135 if (!ia_valid)
3136 return 0;
3137 }
1da177e4 3138
bc6a6008
AW		 3139 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3140 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3141 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3142
aa8e712c 3143 if (selinux_policycap_openperm() &&
ccb54478
SS		 3144 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3145 (ia_valid & ATTR_SIZE) &&
3146 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3147 av |= FILE__OPEN;
3148
3149 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3150}
3151
3f7036a0 3152static int selinux_inode_getattr(const struct path *path)
1da177e4 3153{
3f7036a0 3154 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3155}
3156
db59000a
SS		 3157static bool has_cap_mac_admin(bool audit)
3158{
3159 const struct cred *cred = current_cred();
c1a85a00 3160 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3161
c1a85a00 3162 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3163 return false;
c1a85a00 3164 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3165 return false;
3166 return true;
3167}
3168
39f60c1c 3169static int selinux_inode_setxattr(struct mnt_idmap *idmap,
71bc356f 3170 struct dentry *dentry, const char *name,
8f0cfa52 3171 const void *value, size_t size, int flags)
1da177e4 3172{
c6f493d6 3173 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3174 struct inode_security_struct *isec;
1da177e4 3175 struct superblock_security_struct *sbsec;
2bf49690 3176 struct common_audit_data ad;
275bb41e 3177 u32 newsid, sid = current_sid();
1da177e4
LT		 3178 int rc = 0;
3179
6b240306
EB		 3180 if (strcmp(name, XATTR_NAME_SELINUX)) {
3181 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3182 if (rc)
3183 return rc;
3184
3185 /* Not an attribute we recognize, so just check the
3186 ordinary setattr permission. */
3187 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3188 }
1da177e4 3189
e67b7985 3190 if (!selinux_initialized())
01beba79 3191 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3e3e24b4 3192
1aea7808 3193 sbsec = selinux_superblock(inode->i_sb);
12f348b9 3194 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3195 return -EOPNOTSUPP;
3196
01beba79 3197 if (!inode_owner_or_capable(idmap, inode))
1da177e4
LT		 3198 return -EPERM;
3199
50c205f5 3200 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3201 ad.u.dentry = dentry;
1da177e4 3202
20cdef8d 3203 isec = backing_inode_security(dentry);
e67b7985 3204 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3205 FILE__RELABELFROM, &ad);
3206 if (rc)
3207 return rc;
3208
e67b7985 3209 rc = security_context_to_sid(value, size, &newsid,
aa8e712c 3210 GFP_KERNEL);
12b29f34 3211 if (rc == -EINVAL) {
db59000a 3212 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3213 struct audit_buffer *ab;
3214 size_t audit_size;
d6ea83ec
EP		 3215
3216 /* We strip a nul only if it is at the end, otherwise the
3217 * context contains a nul and we should audit that */
e3fea3f7 3218 if (value) {
add24372
CIK		 3219 const char *str = value;
3220
e3fea3f7
AV		 3221 if (str[size - 1] == '\0')
3222 audit_size = size - 1;
3223 else
3224 audit_size = size;
3225 } else {
e3fea3f7
AV		 3226 audit_size = 0;
3227 }
cdfb6b34
RGB		 3228 ab = audit_log_start(audit_context(),
3229 GFP_ATOMIC, AUDIT_SELINUX_ERR);
893c47d1
AK		 3230 if (!ab)
3231 return rc;
d6ea83ec
EP		 3232 audit_log_format(ab, "op=setxattr invalid_context=");
3233 audit_log_n_untrustedstring(ab, value, audit_size);
3234 audit_log_end(ab);
3235
12b29f34 3236 return rc;
d6ea83ec 3237 }
e67b7985 3238 rc = security_context_to_sid_force(value,
aa8e712c 3239 size, &newsid);
12b29f34 3240 }
1da177e4
LT		 3241 if (rc)
3242 return rc;
3243
e67b7985 3244 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3245 FILE__RELABELTO, &ad);
3246 if (rc)
3247 return rc;
3248
e67b7985 3249 rc = security_validate_transition(isec->sid, newsid,
aa8e712c 3250 sid, isec->sclass);
1da177e4
LT		 3251 if (rc)
3252 return rc;
3253
e67b7985 3254 return avc_has_perm(newsid,
1da177e4
LT		 3255 sbsec->sid,
3256 SECCLASS_FILESYSTEM,
3257 FILESYSTEM__ASSOCIATE,
3258 &ad);
3259}
3260
700b7940 3261static int selinux_inode_set_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3262 struct dentry *dentry, const char *acl_name,
3263 struct posix_acl *kacl)
3264{
3265 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3266}
3267
700b7940 3268static int selinux_inode_get_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3269 struct dentry *dentry, const char *acl_name)
3270{
3271 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3272}
3273
700b7940 3274static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3275 struct dentry *dentry, const char *acl_name)
3276{
3277 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3278}
3279
8f0cfa52 3280static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3281 const void *value, size_t size,
8f0cfa52 3282 int flags)
1da177e4 3283{
c6f493d6 3284 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3285 struct inode_security_struct *isec;
1da177e4
LT		 3286 u32 newsid;
3287 int rc;
3288
3289 if (strcmp(name, XATTR_NAME_SELINUX)) {
3290 /* Not an attribute we recognize, so nothing to do. */
3291 return;
3292 }
3293
e67b7985 3294 if (!selinux_initialized()) {
3e3e24b4
JL		 3295 /* If we haven't even been initialized, then we can't validate
3296 * against a policy, so leave the label as invalid. It may
3297 * resolve to a valid label on the next revalidation try if
3298 * we've since initialized.
3299 */
3300 return;
3301 }
3302
e67b7985 3303 rc = security_context_to_sid_force(value, size,
aa8e712c 3304 &newsid);
1da177e4 3305 if (rc) {
c103a91e 3306 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3307 "for (%s, %lu), rc=%d\n",
3308 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3309 return;
3310 }
3311
20cdef8d 3312 isec = backing_inode_security(dentry);
9287aed2 3313 spin_lock(&isec->lock);
aa9c2669 3314 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3315 isec->sid = newsid;
6f3be9f5 3316 isec->initialized = LABEL_INITIALIZED;
9287aed2 3317 spin_unlock(&isec->lock);
1da177e4
LT		 3318}
3319
8f0cfa52 3320static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3321{
88e67f3b
DH		 3322 const struct cred *cred = current_cred();
3323
2875fa00 3324 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3325}
3326
828dfe1d 3327static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3328{
88e67f3b
DH		 3329 const struct cred *cred = current_cred();
3330
2875fa00 3331 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3332}
3333
39f60c1c 3334static int selinux_inode_removexattr(struct mnt_idmap *idmap,
71bc356f 3335 struct dentry *dentry, const char *name)
1da177e4 3336{
6b240306 3337 if (strcmp(name, XATTR_NAME_SELINUX)) {
39f60c1c 3338 int rc = cap_inode_removexattr(idmap, dentry, name);
6b240306
EB		 3339 if (rc)
3340 return rc;
3341
3342 /* Not an attribute we recognize, so just check the
3343 ordinary setattr permission. */
3344 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3345 }
1da177e4 3346
e67b7985 3347 if (!selinux_initialized())
9530a3e0
SS		 3348 return 0;
3349
1da177e4
LT		 3350 /* No one is allowed to remove a SELinux security label.
3351 You can change the label, but all data must be labeled. */
3352 return -EACCES;
3353}
3354
ac5656d8
AG		 3355static int selinux_path_notify(const struct path *path, u64 mask,
3356 unsigned int obj_type)
3357{
3358 int ret;
3359 u32 perm;
3360
3361 struct common_audit_data ad;
3362
3363 ad.type = LSM_AUDIT_DATA_PATH;
3364 ad.u.path = *path;
3365
3366 /*
3367 * Set permission needed based on the type of mark being set.
3368 * Performs an additional check for sb watches.
3369 */
3370 switch (obj_type) {
3371 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3372 perm = FILE__WATCH_MOUNT;
3373 break;
3374 case FSNOTIFY_OBJ_TYPE_SB:
3375 perm = FILE__WATCH_SB;
3376 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3377 FILESYSTEM__WATCH, &ad);
3378 if (ret)
3379 return ret;
3380 break;
3381 case FSNOTIFY_OBJ_TYPE_INODE:
3382 perm = FILE__WATCH;
3383 break;
3384 default:
3385 return -EINVAL;
3386 }
3387
3388 /* blocking watches require the file:watch_with_perm permission */
3389 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3390 perm |= FILE__WATCH_WITH_PERM;
3391
3392 /* watches on read-like events need the file:watch_reads permission */
3393 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3394 perm |= FILE__WATCH_READS;
3395
3396 return path_has_perm(current_cred(), path, perm);
3397}
3398
d381d8a9 3399/*
abc69bb6 3400 * Copy the inode security context value to the user.
d381d8a9
JM		 3401 *
3402 * Permission check is handled by selinux_inode_getxattr hook.
3403 */
4609e1f1 3404static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
71bc356f
CB		 3405 struct inode *inode, const char *name,
3406 void **buffer, bool alloc)
1da177e4 3407{
42492594
DQ		 3408 u32 size;
3409 int error;
3410 char *context = NULL;
20cdef8d 3411 struct inode_security_struct *isec;
d381d8a9 3412
c8e22261
JL		 3413 /*
3414 * If we're not initialized yet, then we can't validate contexts, so
3415 * just let vfs_getxattr fall back to using the on-disk xattr.
3416 */
e67b7985 3417 if (!selinux_initialized() ||
c8e22261 3418 strcmp(name, XATTR_SELINUX_SUFFIX))
8c8570fb 3419 return -EOPNOTSUPP;
d381d8a9 3420
abc69bb6
SS		 3421 /*
3422 * If the caller has CAP_MAC_ADMIN, then get the raw context
3423 * value even if it is not defined by current policy; otherwise,
3424 * use the in-core value under current policy.
3425 * Use the non-auditing forms of the permission checks since
3426 * getxattr may be called by unprivileged processes commonly
3427 * and lack of permission just means that we fall back to the
3428 * in-core context value, not a denial.
3429 */
20cdef8d 3430 isec = inode_security(inode);
db59000a 3431 if (has_cap_mac_admin(false))
e67b7985 3432 error = security_sid_to_context_force(isec->sid, &context,
abc69bb6
SS		 3433 &size);
3434 else
e67b7985 3435 error = security_sid_to_context(isec->sid,
aa8e712c 3436 &context, &size);
42492594
DQ		 3437 if (error)
3438 return error;
3439 error = size;
3440 if (alloc) {
3441 *buffer = context;
3442 goto out_nofree;
3443 }
3444 kfree(context);
3445out_nofree:
3446 return error;
1da177e4
LT		 3447}
3448
3449static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3450 const void *value, size_t size, int flags)
1da177e4 3451{
2c97165b 3452 struct inode_security_struct *isec = inode_security_novalidate(inode);
1aea7808 3453 struct superblock_security_struct *sbsec;
1da177e4
LT		 3454 u32 newsid;
3455 int rc;
3456
3457 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3458 return -EOPNOTSUPP;
3459
1aea7808 3460 sbsec = selinux_superblock(inode->i_sb);
53e0c2aa
OM		 3461 if (!(sbsec->flags & SBLABEL_MNT))
3462 return -EOPNOTSUPP;
3463
1da177e4
LT		 3464 if (!value || !size)
3465 return -EACCES;
3466
e67b7985 3467 rc = security_context_to_sid(value, size, &newsid,
aa8e712c 3468 GFP_KERNEL);
1da177e4
LT		 3469 if (rc)
3470 return rc;
3471
9287aed2 3472 spin_lock(&isec->lock);
aa9c2669 3473 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3474 isec->sid = newsid;
6f3be9f5 3475 isec->initialized = LABEL_INITIALIZED;
9287aed2 3476 spin_unlock(&isec->lock);
1da177e4
LT		 3477 return 0;
3478}
3479
3480static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481{
3482 const int len = sizeof(XATTR_NAME_SELINUX);
a9ffe682 3483
e67b7985 3484 if (!selinux_initialized())
a9ffe682
AG		 3485 return 0;
3486
1da177e4
LT		 3487 if (buffer && len <= buffer_size)
3488 memcpy(buffer, XATTR_NAME_SELINUX, len);
3489 return len;
3490}
3491
d6335d77 3492static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3493{
e817c2f3 3494 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3495 *secid = isec->sid;
3496}
3497
56909eb3
VG		 3498static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3499{
3500 u32 sid;
3501 struct task_security_struct *tsec;
3502 struct cred *new_creds = *new;
3503
3504 if (new_creds == NULL) {
3505 new_creds = prepare_creds();
3506 if (!new_creds)
3507 return -ENOMEM;
3508 }
3509
0c6cfa62 3510 tsec = selinux_cred(new_creds);
56909eb3
VG		 3511 /* Get label from overlay inode and set it in create_sid */
3512 selinux_inode_getsecid(d_inode(src), &sid);
3513 tsec->create_sid = sid;
3514 *new = new_creds;
3515 return 0;
3516}
3517
19472b69
VG		 3518static int selinux_inode_copy_up_xattr(const char *name)
3519{
3520 /* The copy_up hook above sets the initial context on an inode, but we
3521 * don't then want to overwrite it by blindly copying all the lower
3522 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3523 */
3524 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3525 return 1; /* Discard */
3526 /*
3527 * Any other attribute apart from SELINUX is not claimed, supported
3528 * by selinux.
3529 */
3530 return -EOPNOTSUPP;
3531}
3532
ec882da5
OM		 3533/* kernfs node operations */
3534
c72c4cde
Y		 3535static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3536 struct kernfs_node *kn)
ec882da5 3537{
169ce0c0 3538 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3539 u32 parent_sid, newsid, clen;
3540 int rc;
3541 char *context;
3542
1537ad15 3543 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3544 if (rc == -ENODATA)
3545 return 0;
3546 else if (rc < 0)
3547 return rc;
3548
3549 clen = (u32)rc;
3550 context = kmalloc(clen, GFP_KERNEL);
3551 if (!context)
3552 return -ENOMEM;
3553
1537ad15 3554 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3555 if (rc < 0) {
3556 kfree(context);
3557 return rc;
3558 }
3559
e67b7985 3560 rc = security_context_to_sid(context, clen, &parent_sid,
ec882da5
OM		 3561 GFP_KERNEL);
3562 kfree(context);
3563 if (rc)
3564 return rc;
3565
3566 if (tsec->create_sid) {
3567 newsid = tsec->create_sid;
3568 } else {
3569 u16 secclass = inode_mode_to_security_class(kn->mode);
3570 struct qstr q;
3571
3572 q.name = kn->name;
3573 q.hash_len = hashlen_string(kn_dir, kn->name);
3574
e67b7985 3575 rc = security_transition_sid(tsec->sid,
ec882da5
OM		 3576 parent_sid, secclass, &q,
3577 &newsid);
3578 if (rc)
3579 return rc;
3580 }
3581
e67b7985 3582 rc = security_sid_to_context_force(newsid,
ec882da5
OM		 3583 &context, &clen);
3584 if (rc)
3585 return rc;
3586
1537ad15
OM		 3587 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3588 XATTR_CREATE);
ec882da5
OM		 3589 kfree(context);
3590 return rc;
3591}
3592
3593
1da177e4
LT		 3594/* file security operations */
3595
788e7dd4 3596static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3597{
88e67f3b 3598 const struct cred *cred = current_cred();
496ad9aa 3599 struct inode *inode = file_inode(file);
1da177e4 3600
1da177e4
LT		 3601 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3602 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3603 mask |= MAY_APPEND;
3604
389fb800
PM		 3605 return file_has_perm(cred, file,
3606 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3607}
3608
788e7dd4
YN		 3609static int selinux_file_permission(struct file *file, int mask)
3610{
496ad9aa 3611 struct inode *inode = file_inode(file);
bb6c6b02 3612 struct file_security_struct *fsec = selinux_file(file);
b197367e 3613 struct inode_security_struct *isec;
20dda18b
SS		 3614 u32 sid = current_sid();
3615
389fb800 3616 if (!mask)
788e7dd4
YN		 3617 /* No permission to check. Existence test. */
3618 return 0;
788e7dd4 3619
b197367e 3620 isec = inode_security(inode);
20dda18b 3621 if (sid == fsec->sid && fsec->isid == isec->sid &&
e67b7985 3622 fsec->pseqno == avc_policy_seqno())
83d49856 3623 /* No change since file_open check. */
20dda18b
SS		 3624 return 0;
3625
788e7dd4
YN		 3626 return selinux_revalidate_file_permission(file, mask);
3627}
3628
1da177e4
LT		 3629static int selinux_file_alloc_security(struct file *file)
3630{
cb89e246
PM		 3631 struct file_security_struct *fsec = selinux_file(file);
3632 u32 sid = current_sid();
3633
3634 fsec->sid = sid;
3635 fsec->fown_sid = sid;
3636
3637 return 0;
1da177e4
LT		 3638}
3639
fa1aa143
JVS		 3640/*
3641 * Check whether a task has the ioctl permission and cmd
3642 * operation to an inode.
3643 */
1d2a168a 3644static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3645 u32 requested, u16 cmd)
3646{
3647 struct common_audit_data ad;
bb6c6b02 3648 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3649 struct inode *inode = file_inode(file);
20cdef8d 3650 struct inode_security_struct *isec;
fa1aa143
JVS		 3651 struct lsm_ioctlop_audit ioctl;
3652 u32 ssid = cred_sid(cred);
3653 int rc;
3654 u8 driver = cmd >> 8;
3655 u8 xperm = cmd & 0xff;
3656
3657 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3658 ad.u.op = &ioctl;
3659 ad.u.op->cmd = cmd;
3660 ad.u.op->path = file->f_path;
3661
3662 if (ssid != fsec->sid) {
e67b7985 3663 rc = avc_has_perm(ssid, fsec->sid,
fa1aa143
JVS		 3664 SECCLASS_FD,
3665 FD__USE,
3666 &ad);
3667 if (rc)
3668 goto out;
3669 }
3670
3671 if (unlikely(IS_PRIVATE(inode)))
3672 return 0;
3673
20cdef8d 3674 isec = inode_security(inode);
e67b7985 3675 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
6b6bc620 3676 requested, driver, xperm, &ad);
fa1aa143
JVS		 3677out:
3678 return rc;
3679}
3680
1da177e4
LT		 3681static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3682 unsigned long arg)
3683{
88e67f3b 3684 const struct cred *cred = current_cred();
0b24dcb7 3685 int error = 0;
1da177e4 3686
0b24dcb7
EP		 3687 switch (cmd) {
3688 case FIONREAD:
0b24dcb7 3689 case FIBMAP:
0b24dcb7 3690 case FIGETBSZ:
2f99c369 3691 case FS_IOC_GETFLAGS:
2f99c369 3692 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3693 error = file_has_perm(cred, file, FILE__GETATTR);
3694 break;
1da177e4 3695
2f99c369 3696 case FS_IOC_SETFLAGS:
2f99c369 3697 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3698 error = file_has_perm(cred, file, FILE__SETATTR);
3699 break;
3700
3701 /* sys_ioctl() checks */
3702 case FIONBIO:
0b24dcb7
EP		 3703 case FIOASYNC:
3704 error = file_has_perm(cred, file, 0);
3705 break;
1da177e4 3706
0b24dcb7
EP		 3707 case KDSKBENT:
3708 case KDSKBSENT:
6a9de491 3709 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3710 CAP_OPT_NONE, true);
0b24dcb7
EP		 3711 break;
3712
65881e1d
RH		 3713 case FIOCLEX:
3714 case FIONCLEX:
3715 if (!selinux_policycap_ioctl_skip_cloexec())
3716 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3717 break;
3718
0b24dcb7
EP		 3719 /* default case assumes that the command will go
3720 * to the file's ioctl() function.
3721 */
3722 default:
fa1aa143 3723 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3724 }
3725 return error;
1da177e4
LT		 3726}
3727
b78b7d59 3728static int default_noexec __ro_after_init;
fcaaade1 3729
1da177e4
LT		 3730static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3731{
88e67f3b 3732 const struct cred *cred = current_cred();
be0554c9 3733 u32 sid = cred_sid(cred);
d84f4f99 3734 int rc = 0;
88e67f3b 3735
fcaaade1 3736 if (default_noexec &&
892e8cac
SS		 3737 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3738 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3739 /*
3740 * We are making executable an anonymous mapping or a
3741 * private file mapping that will also be writable.
3742 * This has an additional check.
3743 */
e67b7985 3744 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3745 PROCESS__EXECMEM, NULL);
1da177e4 3746 if (rc)
d84f4f99 3747 goto error;
1da177e4 3748 }
1da177e4
LT		 3749
3750 if (file) {
3751 /* read access is always possible with a mapping */
3752 u32 av = FILE__READ;
3753
3754 /* write access only matters if the mapping is shared */
3755 if (shared && (prot & PROT_WRITE))
3756 av |= FILE__WRITE;
3757
3758 if (prot & PROT_EXEC)
3759 av |= FILE__EXECUTE;
3760
88e67f3b 3761 return file_has_perm(cred, file, av);
1da177e4 3762 }
d84f4f99
DH		 3763
3764error:
3765 return rc;
1da177e4
LT		 3766}
3767
e5467859 3768static int selinux_mmap_addr(unsigned long addr)
1da177e4 3769{
b1d9e6b0 3770 int rc = 0;
1da177e4 3771
a2551df7 3772 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3773 u32 sid = current_sid();
e67b7985 3774 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
ed032189 3775 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3776 }
3777
98883bfd 3778 return rc;
e5467859 3779}
1da177e4 3780
a7e4676e
PM		 3781static int selinux_mmap_file(struct file *file,
3782 unsigned long reqprot __always_unused,
e5467859
AV		 3783 unsigned long prot, unsigned long flags)
3784{
3ba4bf5f
SS		 3785 struct common_audit_data ad;
3786 int rc;
3787
3788 if (file) {
3789 ad.type = LSM_AUDIT_DATA_FILE;
3790 ad.u.file = file;
3791 rc = inode_has_perm(current_cred(), file_inode(file),
3792 FILE__MAP, &ad);
3793 if (rc)
3794 return rc;
3795 }
3796
1da177e4
LT		 3797 return file_map_prot_check(file, prot,
3798 (flags & MAP_TYPE) == MAP_SHARED);
3799}
3800
3801static int selinux_file_mprotect(struct vm_area_struct *vma,
a7e4676e 3802 unsigned long reqprot __always_unused,
1da177e4
LT		 3803 unsigned long prot)
3804{
88e67f3b 3805 const struct cred *cred = current_cred();
be0554c9 3806 u32 sid = cred_sid(cred);
1da177e4 3807
fcaaade1
SS		 3808 if (default_noexec &&
3809 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3810 int rc = 0;
68df1baf 3811 if (vma_is_initial_heap(vma)) {
e67b7985 3812 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3813 PROCESS__EXECHEAP, NULL);
68df1baf 3814 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
d17af505 3815 vma_is_stack_for_current(vma))) {
e67b7985 3816 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3817 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3818 } else if (vma->vm_file && vma->anon_vma) {
3819 /*
3820 * We are making executable a file mapping that has
3821 * had some COW done. Since pages might have been
3822 * written, check ability to execute the possibly
3823 * modified content. This typically should only
3824 * occur for text relocations.
3825 */
d84f4f99 3826 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3827 }