]> git.ipfire.org Git - thirdparty/linux.git/blame - security/selinux/hooks.c
projects / thirdparty / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: fix typo in selinux_netlbl_sctp_sk_clone declaration
[thirdparty/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
877ce7c1 82#include <linux/selinux.h>
23970741 83#include <linux/mutex.h>
f06febc9 84#include <linux/posix-timers.h>
00234592 85#include <linux/syslog.h>
3486740a 86#include <linux/user_namespace.h>
44fc7ea0 87#include <linux/export.h>
40401530
AV		 88#include <linux/msg.h>
89#include <linux/shm.h>
ec27c356 90#include <linux/bpf.h>
1da177e4
LT		 91
92#include "avc.h"
93#include "objsec.h"
94#include "netif.h"
224dfbd8 95#include "netnode.h"
3e112172 96#include "netport.h"
409dcf31 97#include "ibpkey.h"
d28d1e08 98#include "xfrm.h"
c60475bf 99#include "netlabel.h"
9d57a7f9 100#include "audit.h"
7b98a585 101#include "avc_ss.h"
1da177e4 102
d621d35e 103/* SECMARK reference count */
56a4ca99 104static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 105
1da177e4 106#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 107int selinux_enforcing;
1da177e4
LT		 108
109static int __init enforcing_setup(char *str)
110{
f5269710 111 unsigned long enforcing;
29707b20 112 if (!kstrtoul(str, 0, &enforcing))
f5269710 113 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 114 return 1;
115}
116__setup("enforcing=", enforcing_setup);
117#endif
118
119#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
120int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
121
122static int __init selinux_enabled_setup(char *str)
123{
f5269710 124 unsigned long enabled;
29707b20 125 if (!kstrtoul(str, 0, &enabled))
f5269710 126 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 127 return 1;
128}
129__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 130#else
131int selinux_enabled = 1;
1da177e4
LT		 132#endif
133
e18b890b 134static struct kmem_cache *sel_inode_cache;
63205654 135static struct kmem_cache *file_security_cache;
7cae7e26 136
d621d35e
PM		 137/**
138 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
139 *
140 * Description:
141 * This function checks the SECMARK reference counter to see if any SECMARK
142 * targets are currently configured, if the reference counter is greater than
143 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 144 * enabled, false (0) if SECMARK is disabled. If the always_check_network
145 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 146 *
147 */
148static int selinux_secmark_enabled(void)
149{
2be4d74f
CP		 150 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
151}
152
153/**
154 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
155 *
156 * Description:
157 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
158 * (1) if any are enabled or false (0) if neither are enabled. If the
159 * always_check_network policy capability is enabled, peer labeling
160 * is always considered enabled.
161 *
162 */
163static int selinux_peerlbl_enabled(void)
164{
165 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 166}
167
615e51fd
PM		 168static int selinux_netcache_avc_callback(u32 event)
169{
170 if (event == AVC_CALLBACK_RESET) {
171 sel_netif_flush();
172 sel_netnode_flush();
173 sel_netport_flush();
174 synchronize_net();
175 }
176 return 0;
177}
178
8f408ab6
DJ		 179static int selinux_lsm_notifier_avc_callback(u32 event)
180{
409dcf31
DJ		 181 if (event == AVC_CALLBACK_RESET) {
182 sel_ib_pkey_flush();
8f408ab6 183 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 184 }
8f408ab6
DJ		 185
186 return 0;
187}
188
d84f4f99
DH		 189/*
190 * initialise the security for the init task
191 */
192static void cred_init_security(void)
1da177e4 193{
3b11a1de 194 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 195 struct task_security_struct *tsec;
196
89d155ef 197 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 198 if (!tsec)
d84f4f99 199 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 200
d84f4f99 201 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 202 cred->security = tsec;
1da177e4
LT		 203}
204
88e67f3b
DH		 205/*
206 * get the security ID of a set of credentials
207 */
208static inline u32 cred_sid(const struct cred *cred)
209{
210 const struct task_security_struct *tsec;
211
212 tsec = cred->security;
213 return tsec->sid;
214}
215
275bb41e 216/*
3b11a1de 217 * get the objective security ID of a task
275bb41e
DH		 218 */
219static inline u32 task_sid(const struct task_struct *task)
220{
275bb41e
DH		 221 u32 sid;
222
223 rcu_read_lock();
88e67f3b 224 sid = cred_sid(__task_cred(task));
275bb41e
DH		 225 rcu_read_unlock();
226 return sid;
227}
228
88e67f3b
DH		 229/* Allocate and free functions for each kind of security blob. */
230
1da177e4
LT		 231static int inode_alloc_security(struct inode *inode)
232{
1da177e4 233 struct inode_security_struct *isec;
275bb41e 234 u32 sid = current_sid();
1da177e4 235
a02fe132 236 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 237 if (!isec)
238 return -ENOMEM;
239
9287aed2 240 spin_lock_init(&isec->lock);
1da177e4 241 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 242 isec->inode = inode;
243 isec->sid = SECINITSID_UNLABELED;
244 isec->sclass = SECCLASS_FILE;
275bb41e 245 isec->task_sid = sid;
42059112 246 isec->initialized = LABEL_INVALID;
1da177e4
LT		 247 inode->i_security = isec;
248
249 return 0;
250}
251
5d226df4
AG		 252static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
253
254/*
255 * Try reloading inode security labels that have been marked as invalid. The
256 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 257 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 258 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
259 * when no dentry is available, set it to NULL instead.
260 */
261static int __inode_security_revalidate(struct inode *inode,
262 struct dentry *opt_dentry,
263 bool may_sleep)
264{
265 struct inode_security_struct *isec = inode->i_security;
266
267 might_sleep_if(may_sleep);
268
1ac42476 269 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 270 if (!may_sleep)
271 return -ECHILD;
272
273 /*
274 * Try reloading the inode security label. This will fail if
275 * @opt_dentry is NULL and no dentry for this inode can be
276 * found; in that case, continue using the old label.
277 */
278 inode_doinit_with_dentry(inode, opt_dentry);
279 }
280 return 0;
281}
282
5d226df4
AG		 283static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
284{
285 return inode->i_security;
286}
287
288static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
289{
290 int error;
291
292 error = __inode_security_revalidate(inode, NULL, !rcu);
293 if (error)
294 return ERR_PTR(error);
295 return inode->i_security;
296}
297
83da53c5
AG		 298/*
299 * Get the security label of an inode.
300 */
301static struct inode_security_struct *inode_security(struct inode *inode)
302{
5d226df4 303 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 304 return inode->i_security;
305}
306
2c97165b
PM		 307static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
308{
309 struct inode *inode = d_backing_inode(dentry);
310
311 return inode->i_security;
312}
313
83da53c5
AG		 314/*
315 * Get the security label of a dentry's backing inode.
316 */
317static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
318{
319 struct inode *inode = d_backing_inode(dentry);
320
5d226df4 321 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 322 return inode->i_security;
323}
324
3dc91d43
SR		 325static void inode_free_rcu(struct rcu_head *head)
326{
327 struct inode_security_struct *isec;
328
329 isec = container_of(head, struct inode_security_struct, rcu);
330 kmem_cache_free(sel_inode_cache, isec);
331}
332
1da177e4
LT		 333static void inode_free_security(struct inode *inode)
334{
335 struct inode_security_struct *isec = inode->i_security;
336 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
337
9629d04a
WL		 338 /*
339 * As not all inode security structures are in a list, we check for
340 * empty list outside of the lock to make sure that we won't waste
341 * time taking a lock doing nothing.
342 *
343 * The list_del_init() function can be safely called more than once.
344 * It should not be possible for this function to be called with
345 * concurrent list_add(), but for better safety against future changes
346 * in the code, we use list_empty_careful() here.
347 */
348 if (!list_empty_careful(&isec->list)) {
349 spin_lock(&sbsec->isec_lock);
1da177e4 350 list_del_init(&isec->list);
9629d04a
WL		 351 spin_unlock(&sbsec->isec_lock);
352 }
1da177e4 353
3dc91d43
SR		 354 /*
355 * The inode may still be referenced in a path walk and
356 * a call to selinux_inode_permission() can be made
357 * after inode_free_security() is called. Ideally, the VFS
358 * wouldn't do this, but fixing that is a much harder
359 * job. For now, simply free the i_security via RCU, and
360 * leave the current inode->i_security pointer intact.
361 * The inode will be freed after the RCU grace period too.
362 */
363 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 364}
365
366static int file_alloc_security(struct file *file)
367{
1da177e4 368 struct file_security_struct *fsec;
275bb41e 369 u32 sid = current_sid();
1da177e4 370
63205654 371 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 372 if (!fsec)
373 return -ENOMEM;
374
275bb41e
DH		 375 fsec->sid = sid;
376 fsec->fown_sid = sid;
1da177e4
LT		 377 file->f_security = fsec;
378
379 return 0;
380}
381
382static void file_free_security(struct file *file)
383{
384 struct file_security_struct *fsec = file->f_security;
1da177e4 385 file->f_security = NULL;
63205654 386 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 387}
388
389static int superblock_alloc_security(struct super_block *sb)
390{
391 struct superblock_security_struct *sbsec;
392
89d155ef 393 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 394 if (!sbsec)
395 return -ENOMEM;
396
bc7e982b 397 mutex_init(&sbsec->lock);
1da177e4
LT		 398 INIT_LIST_HEAD(&sbsec->isec_head);
399 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 400 sbsec->sb = sb;
401 sbsec->sid = SECINITSID_UNLABELED;
402 sbsec->def_sid = SECINITSID_FILE;
c312feb2 403 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 404 sb->s_security = sbsec;
405
406 return 0;
407}
408
409static void superblock_free_security(struct super_block *sb)
410{
411 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 412 sb->s_security = NULL;
413 kfree(sbsec);
414}
415
1da177e4
LT		 416static inline int inode_doinit(struct inode *inode)
417{
418 return inode_doinit_with_dentry(inode, NULL);
419}
420
421enum {
31e87930 422 Opt_error = -1,
1da177e4
LT		 423 Opt_context = 1,
424 Opt_fscontext = 2,
c9180a57
EP		 425 Opt_defcontext = 3,
426 Opt_rootcontext = 4,
11689d47 427 Opt_labelsupport = 5,
d355987f 428 Opt_nextmntopt = 6,
1da177e4
LT		 429};
430
d355987f
EP		 431#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
432
a447c093 433static const match_table_t tokens = {
832cbd9a
EP		 434 {Opt_context, CONTEXT_STR "%s"},
435 {Opt_fscontext, FSCONTEXT_STR "%s"},
436 {Opt_defcontext, DEFCONTEXT_STR "%s"},
437 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 438 {Opt_labelsupport, LABELSUPP_STR},
31e87930 439 {Opt_error, NULL},
1da177e4
LT		 440};
441
442#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
443
c312feb2
EP		 444static int may_context_mount_sb_relabel(u32 sid,
445 struct superblock_security_struct *sbsec,
275bb41e 446 const struct cred *cred)
c312feb2 447{
275bb41e 448 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 449 int rc;
450
451 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
452 FILESYSTEM__RELABELFROM, NULL);
453 if (rc)
454 return rc;
455
456 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELTO, NULL);
458 return rc;
459}
460
0808925e
EP		 461static int may_context_mount_inode_relabel(u32 sid,
462 struct superblock_security_struct *sbsec,
275bb41e 463 const struct cred *cred)
0808925e 464{
275bb41e 465 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 466 int rc;
467 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
468 FILESYSTEM__RELABELFROM, NULL);
469 if (rc)
470 return rc;
471
472 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__ASSOCIATE, NULL);
474 return rc;
475}
476
b43e725d
EP		 477static int selinux_is_sblabel_mnt(struct super_block *sb)
478{
479 struct superblock_security_struct *sbsec = sb->s_security;
480
d5f3a5f6
MS		 481 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
482 sbsec->behavior == SECURITY_FS_USE_TRANS ||
483 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 484 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 485 /* Special handling. Genfs but also in-core setxattr handler */
486 !strcmp(sb->s_type->name, "sysfs") ||
487 !strcmp(sb->s_type->name, "pstore") ||
488 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 489 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 490 !strcmp(sb->s_type->name, "rootfs") ||
491 (selinux_policycap_cgroupseclabel &&
492 (!strcmp(sb->s_type->name, "cgroup") ||
493 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 494}
495
c9180a57 496static int sb_finish_set_opts(struct super_block *sb)
1da177e4 497{
1da177e4 498 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 499 struct dentry *root = sb->s_root;
c6f493d6 500 struct inode *root_inode = d_backing_inode(root);
c9180a57 501 int rc = 0;
1da177e4 502
c9180a57
EP		 503 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
504 /* Make sure that the xattr handler exists and that no
505 error other than -ENODATA is returned by getxattr on
506 the root directory. -ENODATA is ok, as this may be
507 the first boot of the SELinux kernel before we have
508 assigned xattr values to the filesystem. */
5d6c3191 509 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 510 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
511 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 512 rc = -EOPNOTSUPP;
513 goto out;
514 }
5d6c3191
AG		 515
516 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 517 if (rc < 0 && rc != -ENODATA) {
518 if (rc == -EOPNOTSUPP)
519 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 520 "%s) has no security xattr handler\n",
521 sb->s_id, sb->s_type->name);
c9180a57
EP		 522 else
523 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 524 "%s) getxattr errno %d\n", sb->s_id,
525 sb->s_type->name, -rc);
c9180a57
EP		 526 goto out;
527 }
528 }
1da177e4 529
eadcabc6 530 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 531
532 /*
533 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
534 * leave the flag untouched because sb_clone_mnt_opts might be handing
535 * us a superblock that needs the flag to be cleared.
536 */
b43e725d 537 if (selinux_is_sblabel_mnt(sb))
12f348b9 538 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 539 else
540 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 541
c9180a57
EP		 542 /* Initialize the root inode. */
543 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 544
c9180a57
EP		 545 /* Initialize any other inodes associated with the superblock, e.g.
546 inodes created prior to initial policy load or inodes created
547 during get_sb by a pseudo filesystem that directly
548 populates itself. */
549 spin_lock(&sbsec->isec_lock);
550next_inode:
551 if (!list_empty(&sbsec->isec_head)) {
552 struct inode_security_struct *isec =
553 list_entry(sbsec->isec_head.next,
554 struct inode_security_struct, list);
555 struct inode *inode = isec->inode;
923190d3 556 list_del_init(&isec->list);
c9180a57
EP		 557 spin_unlock(&sbsec->isec_lock);
558 inode = igrab(inode);
559 if (inode) {
560 if (!IS_PRIVATE(inode))
561 inode_doinit(inode);
562 iput(inode);
563 }
564 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 565 goto next_inode;
566 }
567 spin_unlock(&sbsec->isec_lock);
568out:
569 return rc;
570}
1da177e4 571
c9180a57
EP		 572/*
573 * This function should allow an FS to ask what it's mount security
574 * options were so it can use those later for submounts, displaying
575 * mount options, or whatever.
576 */
577static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 578 struct security_mnt_opts *opts)
c9180a57
EP		 579{
580 int rc = 0, i;
581 struct superblock_security_struct *sbsec = sb->s_security;
582 char *context = NULL;
583 u32 len;
584 char tmp;
1da177e4 585
e0007529 586 security_init_mnt_opts(opts);
1da177e4 587
0d90a7ec 588 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 589 return -EINVAL;
1da177e4 590
c9180a57
EP		 591 if (!ss_initialized)
592 return -EINVAL;
1da177e4 593
af8e50cc
EP		 594 /* make sure we always check enough bits to cover the mask */
595 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
596
0d90a7ec 597 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 598 /* count the number of mount options for this sb */
af8e50cc 599 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 600 if (tmp & 0x01)
e0007529 601 opts->num_mnt_opts++;
c9180a57
EP		 602 tmp >>= 1;
603 }
11689d47 604 /* Check if the Label support flag is set */
0b4bdb35 605 if (sbsec->flags & SBLABEL_MNT)
11689d47 606 opts->num_mnt_opts++;
1da177e4 607
e0007529
EP		 608 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
609 if (!opts->mnt_opts) {
c9180a57
EP		 610 rc = -ENOMEM;
611 goto out_free;
612 }
1da177e4 613
e0007529
EP		 614 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
615 if (!opts->mnt_opts_flags) {
c9180a57
EP		 616 rc = -ENOMEM;
617 goto out_free;
618 }
1da177e4 619
c9180a57
EP		 620 i = 0;
621 if (sbsec->flags & FSCONTEXT_MNT) {
622 rc = security_sid_to_context(sbsec->sid, &context, &len);
623 if (rc)
624 goto out_free;
e0007529
EP		 625 opts->mnt_opts[i] = context;
626 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 627 }
628 if (sbsec->flags & CONTEXT_MNT) {
629 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
630 if (rc)
631 goto out_free;
e0007529
EP		 632 opts->mnt_opts[i] = context;
633 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 634 }
635 if (sbsec->flags & DEFCONTEXT_MNT) {
636 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
637 if (rc)
638 goto out_free;
e0007529
EP		 639 opts->mnt_opts[i] = context;
640 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 641 }
642 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 643 struct dentry *root = sbsec->sb->s_root;
644 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 645
c9180a57
EP		 646 rc = security_sid_to_context(isec->sid, &context, &len);
647 if (rc)
648 goto out_free;
e0007529
EP		 649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 651 }
12f348b9 652 if (sbsec->flags & SBLABEL_MNT) {
11689d47 653 opts->mnt_opts[i] = NULL;
12f348b9 654 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 655 }
1da177e4 656
e0007529 657 BUG_ON(i != opts->num_mnt_opts);
1da177e4 658
c9180a57
EP		 659 return 0;
660
661out_free:
e0007529 662 security_free_mnt_opts(opts);
c9180a57
EP		 663 return rc;
664}
1da177e4 665
c9180a57
EP		 666static int bad_option(struct superblock_security_struct *sbsec, char flag,
667 u32 old_sid, u32 new_sid)
668{
0d90a7ec
DQ		 669 char mnt_flags = sbsec->flags & SE_MNTMASK;
670
c9180a57 671 /* check if the old mount command had the same options */
0d90a7ec 672 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 673 if (!(sbsec->flags & flag) ||
674 (old_sid != new_sid))
675 return 1;
676
677 /* check if we were passed the same options twice,
678 * aka someone passed context=a,context=b
679 */
0d90a7ec
DQ		 680 if (!(sbsec->flags & SE_SBINITIALIZED))
681 if (mnt_flags & flag)
c9180a57
EP		 682 return 1;
683 return 0;
684}
e0007529 685
c9180a57
EP		 686/*
687 * Allow filesystems with binary mount data to explicitly set mount point
688 * labeling information.
689 */
e0007529 690static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 691 struct security_mnt_opts *opts,
692 unsigned long kern_flags,
693 unsigned long *set_kern_flags)
c9180a57 694{
275bb41e 695 const struct cred *cred = current_cred();
c9180a57 696 int rc = 0, i;
c9180a57 697 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 698 const char *name = sb->s_type->name;
83da53c5 699 struct dentry *root = sbsec->sb->s_root;
2c97165b 700 struct inode_security_struct *root_isec;
c9180a57
EP		 701 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
702 u32 defcontext_sid = 0;
e0007529
EP		 703 char **mount_options = opts->mnt_opts;
704 int *flags = opts->mnt_opts_flags;
705 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 706
707 mutex_lock(&sbsec->lock);
708
709 if (!ss_initialized) {
710 if (!num_opts) {
711 /* Defer initialization until selinux_complete_init,
712 after the initial policy is loaded and the security
713 server is ready to handle calls. */
c9180a57
EP		 714 goto out;
715 }
716 rc = -EINVAL;
744ba35e
EP		 717 printk(KERN_WARNING "SELinux: Unable to set superblock options "
718 "before the security server is initialized\n");
1da177e4 719 goto out;
c9180a57 720 }
649f6e77
DQ		 721 if (kern_flags && !set_kern_flags) {
722 /* Specifying internal flags without providing a place to
723 * place the results is not allowed */
724 rc = -EINVAL;
725 goto out;
726 }
1da177e4 727
e0007529
EP		 728 /*
729 * Binary mount data FS will come through this function twice. Once
730 * from an explicit call and once from the generic calls from the vfs.
731 * Since the generic VFS calls will not contain any security mount data
732 * we need to skip the double mount verification.
733 *
734 * This does open a hole in which we will not notice if the first
735 * mount using this sb set explict options and a second mount using
736 * this sb does not set any security options. (The first options
737 * will be used for both mounts)
738 */
0d90a7ec 739 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 740 && (num_opts == 0))
f5269710 741 goto out;
e0007529 742
2c97165b
PM		 743 root_isec = backing_inode_security_novalidate(root);
744
c9180a57
EP		 745 /*
746 * parse the mount options, check if they are valid sids.
747 * also check if someone is trying to mount the same sb more
748 * than once with different security options.
749 */
750 for (i = 0; i < num_opts; i++) {
751 u32 sid;
11689d47 752
12f348b9 753 if (flags[i] == SBLABEL_MNT)
11689d47 754 continue;
44be2f65 755 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 756 if (rc) {
44be2f65 757 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 758 "(%s) failed for (dev %s, type %s) errno=%d\n",
759 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 760 goto out;
761 }
762 switch (flags[i]) {
763 case FSCONTEXT_MNT:
764 fscontext_sid = sid;
765
766 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
767 fscontext_sid))
768 goto out_double_mount;
769
770 sbsec->flags |= FSCONTEXT_MNT;
771 break;
772 case CONTEXT_MNT:
773 context_sid = sid;
774
775 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
776 context_sid))
777 goto out_double_mount;
778
779 sbsec->flags |= CONTEXT_MNT;
780 break;
781 case ROOTCONTEXT_MNT:
782 rootcontext_sid = sid;
783
784 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
785 rootcontext_sid))
786 goto out_double_mount;
787
788 sbsec->flags |= ROOTCONTEXT_MNT;
789
790 break;
791 case DEFCONTEXT_MNT:
792 defcontext_sid = sid;
793
794 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
795 defcontext_sid))
796 goto out_double_mount;
797
798 sbsec->flags |= DEFCONTEXT_MNT;
799
800 break;
801 default:
802 rc = -EINVAL;
803 goto out;
1da177e4 804 }
c9180a57
EP		 805 }
806
0d90a7ec 807 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 808 /* previously mounted with options, but not on this attempt? */
0d90a7ec 809 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 810 goto out_double_mount;
811 rc = 0;
812 goto out;
813 }
814
089be43e 815 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 816 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
817
8e014720 818 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 819 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 820 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 821 !strcmp(sb->s_type->name, "pstore") ||
822 !strcmp(sb->s_type->name, "cgroup") ||
823 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 824 sbsec->flags |= SE_SBGENFS;
c9180a57 825
eb9ae686
DQ		 826 if (!sbsec->behavior) {
827 /*
828 * Determine the labeling behavior to use for this
829 * filesystem type.
830 */
98f700f3 831 rc = security_fs_use(sb);
eb9ae686
DQ		 832 if (rc) {
833 printk(KERN_WARNING
834 "%s: security_fs_use(%s) returned %d\n",
835 __func__, sb->s_type->name, rc);
836 goto out;
837 }
c9180a57 838 }
aad82892
SF		 839
840 /*
01593d32
SS		 841 * If this is a user namespace mount and the filesystem type is not
842 * explicitly whitelisted, then no contexts are allowed on the command
843 * line and security labels must be ignored.
aad82892 844 */
01593d32
SS		 845 if (sb->s_user_ns != &init_user_ns &&
846 strcmp(sb->s_type->name, "tmpfs") &&
847 strcmp(sb->s_type->name, "ramfs") &&
848 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 849 if (context_sid || fscontext_sid || rootcontext_sid ||
850 defcontext_sid) {
851 rc = -EACCES;
852 goto out;
853 }
854 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
855 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
856 rc = security_transition_sid(current_sid(), current_sid(),
857 SECCLASS_FILE, NULL,
858 &sbsec->mntpoint_sid);
859 if (rc)
860 goto out;
861 }
862 goto out_set_opts;
863 }
864
c9180a57
EP		 865 /* sets the context of the superblock for the fs being mounted. */
866 if (fscontext_sid) {
275bb41e 867 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 868 if (rc)
c9180a57 869 goto out;
1da177e4 870
c9180a57 871 sbsec->sid = fscontext_sid;
c312feb2
EP		 872 }
873
874 /*
875 * Switch to using mount point labeling behavior.
876 * sets the label used on all file below the mountpoint, and will set
877 * the superblock context if not already set.
878 */
eb9ae686
DQ		 879 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
880 sbsec->behavior = SECURITY_FS_USE_NATIVE;
881 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
882 }
883
c9180a57
EP		 884 if (context_sid) {
885 if (!fscontext_sid) {
275bb41e
DH		 886 rc = may_context_mount_sb_relabel(context_sid, sbsec,
887 cred);
b04ea3ce 888 if (rc)
c9180a57
EP		 889 goto out;
890 sbsec->sid = context_sid;
b04ea3ce 891 } else {
275bb41e
DH		 892 rc = may_context_mount_inode_relabel(context_sid, sbsec,
893 cred);
b04ea3ce 894 if (rc)
c9180a57 895 goto out;
b04ea3ce 896 }
c9180a57
EP		 897 if (!rootcontext_sid)
898 rootcontext_sid = context_sid;
1da177e4 899
c9180a57 900 sbsec->mntpoint_sid = context_sid;
c312feb2 901 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 902 }
903
c9180a57 904 if (rootcontext_sid) {
275bb41e
DH		 905 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
906 cred);
0808925e 907 if (rc)
c9180a57 908 goto out;
0808925e 909
c9180a57 910 root_isec->sid = rootcontext_sid;
6f3be9f5 911 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 912 }
913
c9180a57 914 if (defcontext_sid) {
eb9ae686
DQ		 915 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
916 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 917 rc = -EINVAL;
918 printk(KERN_WARNING "SELinux: defcontext option is "
919 "invalid for this filesystem type\n");
920 goto out;
1da177e4
LT		 921 }
922
c9180a57
EP		 923 if (defcontext_sid != sbsec->def_sid) {
924 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 925 sbsec, cred);
c9180a57
EP		 926 if (rc)
927 goto out;
928 }
1da177e4 929
c9180a57 930 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 931 }
932
aad82892 933out_set_opts:
c9180a57 934 rc = sb_finish_set_opts(sb);
1da177e4 935out:
c9180a57 936 mutex_unlock(&sbsec->lock);
1da177e4 937 return rc;
c9180a57
EP		 938out_double_mount:
939 rc = -EINVAL;
940 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 941 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 942 goto out;
1da177e4
LT		 943}
944
094f7b69
JL		 945static int selinux_cmp_sb_context(const struct super_block *oldsb,
946 const struct super_block *newsb)
947{
948 struct superblock_security_struct *old = oldsb->s_security;
949 struct superblock_security_struct *new = newsb->s_security;
950 char oldflags = old->flags & SE_MNTMASK;
951 char newflags = new->flags & SE_MNTMASK;
952
953 if (oldflags != newflags)
954 goto mismatch;
955 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
956 goto mismatch;
957 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
958 goto mismatch;
959 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
960 goto mismatch;
961 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 962 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
963 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 964 if (oldroot->sid != newroot->sid)
965 goto mismatch;
966 }
967 return 0;
968mismatch:
969 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
970 "different security settings for (dev %s, "
971 "type %s)\n", newsb->s_id, newsb->s_type->name);
972 return -EBUSY;
973}
974
975static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 976 struct super_block *newsb,
977 unsigned long kern_flags,
978 unsigned long *set_kern_flags)
1da177e4 979{
0b4d3452 980 int rc = 0;
c9180a57
EP		 981 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
982 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 983
c9180a57
EP		 984 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
985 int set_context = (oldsbsec->flags & CONTEXT_MNT);
986 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 987
0f5e6420
EP		 988 /*
989 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 990 * mount options. thus we can safely deal with this superblock later
0f5e6420 991 */
e8c26255 992 if (!ss_initialized)
094f7b69 993 return 0;
c9180a57 994
0b4d3452
SM		 995 /*
996 * Specifying internal flags without providing a place to
997 * place the results is not allowed.
998 */
999 if (kern_flags && !set_kern_flags)
1000 return -EINVAL;
1001
c9180a57 1002 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 1003 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 1004
094f7b69 1005 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 1006 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 1007 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 1008
c9180a57
EP		 1009 mutex_lock(&newsbsec->lock);
1010
1011 newsbsec->flags = oldsbsec->flags;
1012
1013 newsbsec->sid = oldsbsec->sid;
1014 newsbsec->def_sid = oldsbsec->def_sid;
1015 newsbsec->behavior = oldsbsec->behavior;
1016
0b4d3452
SM		 1017 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1018 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1019 rc = security_fs_use(newsb);
1020 if (rc)
1021 goto out;
1022 }
1023
1024 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1025 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1026 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1027 }
1028
c9180a57
EP		 1029 if (set_context) {
1030 u32 sid = oldsbsec->mntpoint_sid;
1031
1032 if (!set_fscontext)
1033 newsbsec->sid = sid;
1034 if (!set_rootcontext) {
83da53c5 1035 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1036 newisec->sid = sid;
1037 }
1038 newsbsec->mntpoint_sid = sid;
1da177e4 1039 }
c9180a57 1040 if (set_rootcontext) {
83da53c5
AG		 1041 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1042 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1043
c9180a57 1044 newisec->sid = oldisec->sid;
1da177e4
LT		 1045 }
1046
c9180a57 1047 sb_finish_set_opts(newsb);
0b4d3452 1048out:
c9180a57 1049 mutex_unlock(&newsbsec->lock);
0b4d3452 1050 return rc;
c9180a57
EP		 1051}
1052
2e1479d9
AB		 1053static int selinux_parse_opts_str(char *options,
1054 struct security_mnt_opts *opts)
c9180a57 1055{
e0007529 1056 char *p;
c9180a57
EP		 1057 char *context = NULL, *defcontext = NULL;
1058 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1059 int rc, num_mnt_opts = 0;
1da177e4 1060
e0007529 1061 opts->num_mnt_opts = 0;
1da177e4 1062
c9180a57
EP		 1063 /* Standard string-based options. */
1064 while ((p = strsep(&options, "|")) != NULL) {
1065 int token;
1066 substring_t args[MAX_OPT_ARGS];
1da177e4 1067
c9180a57
EP		 1068 if (!*p)
1069 continue;
1da177e4 1070
c9180a57 1071 token = match_token(p, tokens, args);
1da177e4 1072
c9180a57
EP		 1073 switch (token) {
1074 case Opt_context:
1075 if (context || defcontext) {
1076 rc = -EINVAL;
1077 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1078 goto out_err;
1079 }
1080 context = match_strdup(&args[0]);
1081 if (!context) {
1082 rc = -ENOMEM;
1083 goto out_err;
1084 }
1085 break;
1086
1087 case Opt_fscontext:
1088 if (fscontext) {
1089 rc = -EINVAL;
1090 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1091 goto out_err;
1092 }
1093 fscontext = match_strdup(&args[0]);
1094 if (!fscontext) {
1095 rc = -ENOMEM;
1096 goto out_err;
1097 }
1098 break;
1099
1100 case Opt_rootcontext:
1101 if (rootcontext) {
1102 rc = -EINVAL;
1103 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1104 goto out_err;
1105 }
1106 rootcontext = match_strdup(&args[0]);
1107 if (!rootcontext) {
1108 rc = -ENOMEM;
1109 goto out_err;
1110 }
1111 break;
1112
1113 case Opt_defcontext:
1114 if (context || defcontext) {
1115 rc = -EINVAL;
1116 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1117 goto out_err;
1118 }
1119 defcontext = match_strdup(&args[0]);
1120 if (!defcontext) {
1121 rc = -ENOMEM;
1122 goto out_err;
1123 }
1124 break;
11689d47
DQ		 1125 case Opt_labelsupport:
1126 break;
c9180a57
EP		 1127 default:
1128 rc = -EINVAL;
1129 printk(KERN_WARNING "SELinux: unknown mount option\n");
1130 goto out_err;
1da177e4 1131
1da177e4 1132 }
1da177e4 1133 }
c9180a57 1134
e0007529 1135 rc = -ENOMEM;
8931c3bd 1136 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1137 if (!opts->mnt_opts)
1138 goto out_err;
1139
8931c3bd
TH		 1140 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1141 GFP_KERNEL);
023f108d 1142 if (!opts->mnt_opts_flags)
e0007529 1143 goto out_err;
e0007529 1144
c9180a57 1145 if (fscontext) {
e0007529
EP		 1146 opts->mnt_opts[num_mnt_opts] = fscontext;
1147 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1148 }
1149 if (context) {
e0007529
EP		 1150 opts->mnt_opts[num_mnt_opts] = context;
1151 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1152 }
1153 if (rootcontext) {
e0007529
EP		 1154 opts->mnt_opts[num_mnt_opts] = rootcontext;
1155 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1156 }
1157 if (defcontext) {
e0007529
EP		 1158 opts->mnt_opts[num_mnt_opts] = defcontext;
1159 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1160 }
1161
e0007529
EP		 1162 opts->num_mnt_opts = num_mnt_opts;
1163 return 0;
1164
c9180a57 1165out_err:
023f108d 1166 security_free_mnt_opts(opts);
c9180a57
EP		 1167 kfree(context);
1168 kfree(defcontext);
1169 kfree(fscontext);
1170 kfree(rootcontext);
1da177e4
LT		 1171 return rc;
1172}
e0007529
EP		 1173/*
1174 * string mount options parsing and call set the sbsec
1175 */
1176static int superblock_doinit(struct super_block *sb, void *data)
1177{
1178 int rc = 0;
1179 char *options = data;
1180 struct security_mnt_opts opts;
1181
1182 security_init_mnt_opts(&opts);
1183
1184 if (!data)
1185 goto out;
1186
1187 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1188
1189 rc = selinux_parse_opts_str(options, &opts);
1190 if (rc)
1191 goto out_err;
1192
1193out:
649f6e77 1194 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1195
1196out_err:
1197 security_free_mnt_opts(&opts);
1198 return rc;
1199}
1da177e4 1200
3583a711
AB		 1201static void selinux_write_opts(struct seq_file *m,
1202 struct security_mnt_opts *opts)
2069f457
EP		 1203{
1204 int i;
1205 char *prefix;
1206
1207 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1208 char *has_comma;
1209
1210 if (opts->mnt_opts[i])
1211 has_comma = strchr(opts->mnt_opts[i], ',');
1212 else
1213 has_comma = NULL;
2069f457
EP		 1214
1215 switch (opts->mnt_opts_flags[i]) {
1216 case CONTEXT_MNT:
1217 prefix = CONTEXT_STR;
1218 break;
1219 case FSCONTEXT_MNT:
1220 prefix = FSCONTEXT_STR;
1221 break;
1222 case ROOTCONTEXT_MNT:
1223 prefix = ROOTCONTEXT_STR;
1224 break;
1225 case DEFCONTEXT_MNT:
1226 prefix = DEFCONTEXT_STR;
1227 break;
12f348b9 1228 case SBLABEL_MNT:
11689d47
DQ		 1229 seq_putc(m, ',');
1230 seq_puts(m, LABELSUPP_STR);
1231 continue;
2069f457
EP		 1232 default:
1233 BUG();
a35c6c83 1234 return;
2069f457
EP		 1235 };
1236 /* we need a comma before each option */
1237 seq_putc(m, ',');
1238 seq_puts(m, prefix);
1239 if (has_comma)
1240 seq_putc(m, '\"');
a068acf2 1241 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1242 if (has_comma)
1243 seq_putc(m, '\"');
1244 }
1245}
1246
1247static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1248{
1249 struct security_mnt_opts opts;
1250 int rc;
1251
1252 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1253 if (rc) {
1254 /* before policy load we may get EINVAL, don't show anything */
1255 if (rc == -EINVAL)
1256 rc = 0;
2069f457 1257 return rc;
383795c2 1258 }
2069f457
EP		 1259
1260 selinux_write_opts(m, &opts);
1261
1262 security_free_mnt_opts(&opts);
1263
1264 return rc;
1265}
1266
1da177e4
LT		 1267static inline u16 inode_mode_to_security_class(umode_t mode)
1268{
1269 switch (mode & S_IFMT) {
1270 case S_IFSOCK:
1271 return SECCLASS_SOCK_FILE;
1272 case S_IFLNK:
1273 return SECCLASS_LNK_FILE;
1274 case S_IFREG:
1275 return SECCLASS_FILE;
1276 case S_IFBLK:
1277 return SECCLASS_BLK_FILE;
1278 case S_IFDIR:
1279 return SECCLASS_DIR;
1280 case S_IFCHR:
1281 return SECCLASS_CHR_FILE;
1282 case S_IFIFO:
1283 return SECCLASS_FIFO_FILE;
1284
1285 }
1286
1287 return SECCLASS_FILE;
1288}
1289
13402580
JM		 1290static inline int default_protocol_stream(int protocol)
1291{
1292 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1293}
1294
1295static inline int default_protocol_dgram(int protocol)
1296{
1297 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1298}
1299
1da177e4
LT		 1300static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1301{
da69a530
SS		 1302 int extsockclass = selinux_policycap_extsockclass;
1303
1da177e4
LT		 1304 switch (family) {
1305 case PF_UNIX:
1306 switch (type) {
1307 case SOCK_STREAM:
1308 case SOCK_SEQPACKET:
1309 return SECCLASS_UNIX_STREAM_SOCKET;
1310 case SOCK_DGRAM:
2a764b52 1311 case SOCK_RAW:
1da177e4
LT		 1312 return SECCLASS_UNIX_DGRAM_SOCKET;
1313 }
1314 break;
1315 case PF_INET:
1316 case PF_INET6:
1317 switch (type) {
1318 case SOCK_STREAM:
da69a530 1319 case SOCK_SEQPACKET:
13402580
JM		 1320 if (default_protocol_stream(protocol))
1321 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1322 else if (extsockclass && protocol == IPPROTO_SCTP)
1323 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1324 else
1325 return SECCLASS_RAWIP_SOCKET;
1da177e4 1326 case SOCK_DGRAM:
13402580
JM		 1327 if (default_protocol_dgram(protocol))
1328 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1329 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1330 protocol == IPPROTO_ICMPV6))
da69a530 1331 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1332 else
1333 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1334 case SOCK_DCCP:
1335 return SECCLASS_DCCP_SOCKET;
13402580 1336 default:
1da177e4
LT		 1337 return SECCLASS_RAWIP_SOCKET;
1338 }
1339 break;
1340 case PF_NETLINK:
1341 switch (protocol) {
1342 case NETLINK_ROUTE:
1343 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1344 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1345 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1346 case NETLINK_NFLOG:
1347 return SECCLASS_NETLINK_NFLOG_SOCKET;
1348 case NETLINK_XFRM:
1349 return SECCLASS_NETLINK_XFRM_SOCKET;
1350 case NETLINK_SELINUX:
1351 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1352 case NETLINK_ISCSI:
1353 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1354 case NETLINK_AUDIT:
1355 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1356 case NETLINK_FIB_LOOKUP:
1357 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1358 case NETLINK_CONNECTOR:
1359 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1360 case NETLINK_NETFILTER:
1361 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1362 case NETLINK_DNRTMSG:
1363 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1364 case NETLINK_KOBJECT_UEVENT:
1365 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1366 case NETLINK_GENERIC:
1367 return SECCLASS_NETLINK_GENERIC_SOCKET;
1368 case NETLINK_SCSITRANSPORT:
1369 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1370 case NETLINK_RDMA:
1371 return SECCLASS_NETLINK_RDMA_SOCKET;
1372 case NETLINK_CRYPTO:
1373 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1374 default:
1375 return SECCLASS_NETLINK_SOCKET;
1376 }
1377 case PF_PACKET:
1378 return SECCLASS_PACKET_SOCKET;
1379 case PF_KEY:
1380 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1381 case PF_APPLETALK:
1382 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1383 }
1384
da69a530
SS		 1385 if (extsockclass) {
1386 switch (family) {
1387 case PF_AX25:
1388 return SECCLASS_AX25_SOCKET;
1389 case PF_IPX:
1390 return SECCLASS_IPX_SOCKET;
1391 case PF_NETROM:
1392 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1393 case PF_ATMPVC:
1394 return SECCLASS_ATMPVC_SOCKET;
1395 case PF_X25:
1396 return SECCLASS_X25_SOCKET;
1397 case PF_ROSE:
1398 return SECCLASS_ROSE_SOCKET;
1399 case PF_DECnet:
1400 return SECCLASS_DECNET_SOCKET;
1401 case PF_ATMSVC:
1402 return SECCLASS_ATMSVC_SOCKET;
1403 case PF_RDS:
1404 return SECCLASS_RDS_SOCKET;
1405 case PF_IRDA:
1406 return SECCLASS_IRDA_SOCKET;
1407 case PF_PPPOX:
1408 return SECCLASS_PPPOX_SOCKET;
1409 case PF_LLC:
1410 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1411 case PF_CAN:
1412 return SECCLASS_CAN_SOCKET;
1413 case PF_TIPC:
1414 return SECCLASS_TIPC_SOCKET;
1415 case PF_BLUETOOTH:
1416 return SECCLASS_BLUETOOTH_SOCKET;
1417 case PF_IUCV:
1418 return SECCLASS_IUCV_SOCKET;
1419 case PF_RXRPC:
1420 return SECCLASS_RXRPC_SOCKET;
1421 case PF_ISDN:
1422 return SECCLASS_ISDN_SOCKET;
1423 case PF_PHONET:
1424 return SECCLASS_PHONET_SOCKET;
1425 case PF_IEEE802154:
1426 return SECCLASS_IEEE802154_SOCKET;
1427 case PF_CAIF:
1428 return SECCLASS_CAIF_SOCKET;
1429 case PF_ALG:
1430 return SECCLASS_ALG_SOCKET;
1431 case PF_NFC:
1432 return SECCLASS_NFC_SOCKET;
1433 case PF_VSOCK:
1434 return SECCLASS_VSOCK_SOCKET;
1435 case PF_KCM:
1436 return SECCLASS_KCM_SOCKET;
1437 case PF_QIPCRTR:
1438 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1439 case PF_SMC:
1440 return SECCLASS_SMC_SOCKET;
1441#if PF_MAX > 44
da69a530
SS		 1442#error New address family defined, please update this function.
1443#endif
1444 }
1445 }
1446
1da177e4
LT		 1447 return SECCLASS_SOCKET;
1448}
1449
134509d5
SS		 1450static int selinux_genfs_get_sid(struct dentry *dentry,
1451 u16 tclass,
1452 u16 flags,
1453 u32 *sid)
1da177e4 1454{
8e6c9693 1455 int rc;
fc64005c 1456 struct super_block *sb = dentry->d_sb;
8e6c9693 1457 char *buffer, *path;
1da177e4 1458
828dfe1d 1459 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1460 if (!buffer)
1461 return -ENOMEM;
1462
8e6c9693
LAG		 1463 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1464 if (IS_ERR(path))
1465 rc = PTR_ERR(path);
1466 else {
134509d5
SS		 1467 if (flags & SE_SBPROC) {
1468 /* each process gets a /proc/PID/ entry. Strip off the
1469 * PID part to get a valid selinux labeling.
1470 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1471 while (path[1] >= '0' && path[1] <= '9') {
1472 path[1] = '/';
1473 path++;
1474 }
8e6c9693 1475 }
134509d5 1476 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1477 }
1da177e4
LT		 1478 free_page((unsigned long)buffer);
1479 return rc;
1480}
1da177e4
LT		 1481
1482/* The inode's security attributes must be initialized before first use. */
1483static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1484{
1485 struct superblock_security_struct *sbsec = NULL;
1486 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1487 u32 task_sid, sid = 0;
1488 u16 sclass;
1da177e4
LT		 1489 struct dentry *dentry;
1490#define INITCONTEXTLEN 255
1491 char *context = NULL;
1492 unsigned len = 0;
1493 int rc = 0;
1da177e4 1494
6f3be9f5 1495 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1496 return 0;
1da177e4 1497
9287aed2 1498 spin_lock(&isec->lock);
6f3be9f5 1499 if (isec->initialized == LABEL_INITIALIZED)
23970741 1500 goto out_unlock;
1da177e4 1501
13457d07
AG		 1502 if (isec->sclass == SECCLASS_FILE)
1503 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1504
1da177e4 1505 sbsec = inode->i_sb->s_security;
0d90a7ec 1506 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1507 /* Defer initialization until selinux_complete_init,
1508 after the initial policy is loaded and the security
1509 server is ready to handle calls. */
1510 spin_lock(&sbsec->isec_lock);
1511 if (list_empty(&isec->list))
1512 list_add(&isec->list, &sbsec->isec_head);
1513 spin_unlock(&sbsec->isec_lock);
23970741 1514 goto out_unlock;
1da177e4
LT		 1515 }
1516
9287aed2
AG		 1517 sclass = isec->sclass;
1518 task_sid = isec->task_sid;
1519 sid = isec->sid;
1520 isec->initialized = LABEL_PENDING;
1521 spin_unlock(&isec->lock);
1522
1da177e4 1523 switch (sbsec->behavior) {
eb9ae686
DQ		 1524 case SECURITY_FS_USE_NATIVE:
1525 break;
1da177e4 1526 case SECURITY_FS_USE_XATTR:
5d6c3191 1527 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1528 sid = sbsec->def_sid;
1da177e4
LT		 1529 break;
1530 }
1da177e4
LT		 1531 /* Need a dentry, since the xattr API requires one.
1532 Life would be simpler if we could just pass the inode. */
1533 if (opt_dentry) {
1534 /* Called from d_instantiate or d_splice_alias. */
1535 dentry = dget(opt_dentry);
1536 } else {
1537 /* Called from selinux_complete_init, try to find a dentry. */
1538 dentry = d_find_alias(inode);
1539 }
1540 if (!dentry) {
df7f54c0
EP		 1541 /*
1542 * this is can be hit on boot when a file is accessed
1543 * before the policy is loaded. When we load policy we
1544 * may find inodes that have no dentry on the
1545 * sbsec->isec_head list. No reason to complain as these
1546 * will get fixed up the next time we go through
1547 * inode_doinit with a dentry, before these inodes could
1548 * be used again by userspace.
1549 */
9287aed2 1550 goto out;
1da177e4
LT		 1551 }
1552
1553 len = INITCONTEXTLEN;
4cb912f1 1554 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1555 if (!context) {
1556 rc = -ENOMEM;
1557 dput(dentry);
9287aed2 1558 goto out;
1da177e4 1559 }
4cb912f1 1560 context[len] = '\0';
5d6c3191 1561 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1562 if (rc == -ERANGE) {
314dabb8
JM		 1563 kfree(context);
1564
1da177e4 1565 /* Need a larger buffer. Query for the right size. */
5d6c3191 1566 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1567 if (rc < 0) {
1568 dput(dentry);
9287aed2 1569 goto out;
1da177e4 1570 }
1da177e4 1571 len = rc;
4cb912f1 1572 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1573 if (!context) {
1574 rc = -ENOMEM;
1575 dput(dentry);
9287aed2 1576 goto out;
1da177e4 1577 }
4cb912f1 1578 context[len] = '\0';
5d6c3191 1579 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1580 }
1581 dput(dentry);
1582 if (rc < 0) {
1583 if (rc != -ENODATA) {
744ba35e 1584 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1585 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1586 -rc, inode->i_sb->s_id, inode->i_ino);
1587 kfree(context);
9287aed2 1588 goto out;
1da177e4
LT		 1589 }
1590 /* Map ENODATA to the default file SID */
1591 sid = sbsec->def_sid;
1592 rc = 0;
1593 } else {
f5c1d5b2 1594 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1595 sbsec->def_sid,
1596 GFP_NOFS);
1da177e4 1597 if (rc) {
4ba0a8ad
EP		 1598 char *dev = inode->i_sb->s_id;
1599 unsigned long ino = inode->i_ino;
1600
1601 if (rc == -EINVAL) {
1602 if (printk_ratelimit())
1603 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1604 "context=%s. This indicates you may need to relabel the inode or the "
1605 "filesystem in question.\n", ino, dev, context);
1606 } else {
1607 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1608 "returned %d for dev=%s ino=%ld\n",
1609 __func__, context, -rc, dev, ino);
1610 }
1da177e4
LT		 1611 kfree(context);
1612 /* Leave with the unlabeled SID */
1613 rc = 0;
1614 break;
1615 }
1616 }
1617 kfree(context);
1da177e4
LT		 1618 break;
1619 case SECURITY_FS_USE_TASK:
9287aed2 1620 sid = task_sid;
1da177e4
LT		 1621 break;
1622 case SECURITY_FS_USE_TRANS:
1623 /* Default to the fs SID. */
9287aed2 1624 sid = sbsec->sid;
1da177e4
LT		 1625
1626 /* Try to obtain a transition SID. */
9287aed2 1627 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1628 if (rc)
9287aed2 1629 goto out;
1da177e4 1630 break;
c312feb2 1631 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1632 sid = sbsec->mntpoint_sid;
c312feb2 1633 break;
1da177e4 1634 default:
c312feb2 1635 /* Default to the fs superblock SID. */
9287aed2 1636 sid = sbsec->sid;
1da177e4 1637
134509d5 1638 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1639 /* We must have a dentry to determine the label on
1640 * procfs inodes */
1641 if (opt_dentry)
1642 /* Called from d_instantiate or
1643 * d_splice_alias. */
1644 dentry = dget(opt_dentry);
1645 else
1646 /* Called from selinux_complete_init, try to
1647 * find a dentry. */
1648 dentry = d_find_alias(inode);
1649 /*
1650 * This can be hit on boot when a file is accessed
1651 * before the policy is loaded. When we load policy we
1652 * may find inodes that have no dentry on the
1653 * sbsec->isec_head list. No reason to complain as
1654 * these will get fixed up the next time we go through
1655 * inode_doinit() with a dentry, before these inodes
1656 * could be used again by userspace.
1657 */
1658 if (!dentry)
9287aed2
AG		 1659 goto out;
1660 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1661 sbsec->flags, &sid);
f64410ec
PM		 1662 dput(dentry);
1663 if (rc)
9287aed2 1664 goto out;
1da177e4
LT		 1665 }
1666 break;
1667 }
1668
9287aed2
AG		 1669out:
1670 spin_lock(&isec->lock);
1671 if (isec->initialized == LABEL_PENDING) {
1672 if (!sid || rc) {
1673 isec->initialized = LABEL_INVALID;
1674 goto out_unlock;
1675 }
1676
1677 isec->initialized = LABEL_INITIALIZED;
1678 isec->sid = sid;
1679 }
1da177e4 1680
23970741 1681out_unlock:
9287aed2 1682 spin_unlock(&isec->lock);
1da177e4
LT		 1683 return rc;
1684}
1685
1686/* Convert a Linux signal to an access vector. */
1687static inline u32 signal_to_av(int sig)
1688{
1689 u32 perm = 0;
1690
1691 switch (sig) {
1692 case SIGCHLD:
1693 /* Commonly granted from child to parent. */
1694 perm = PROCESS__SIGCHLD;
1695 break;
1696 case SIGKILL:
1697 /* Cannot be caught or ignored */
1698 perm = PROCESS__SIGKILL;
1699 break;
1700 case SIGSTOP:
1701 /* Cannot be caught or ignored */
1702 perm = PROCESS__SIGSTOP;
1703 break;
1704 default:
1705 /* All other signals. */
1706 perm = PROCESS__SIGNAL;
1707 break;
1708 }
1709
1710 return perm;
1711}
1712
b68e418c
SS		 1713#if CAP_LAST_CAP > 63
1714#error Fix SELinux to handle capabilities > 63.
1715#endif
1716
1da177e4 1717/* Check whether a task is allowed to use a capability. */
6a9de491 1718static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1719 int cap, int audit, bool initns)
1da177e4 1720{
2bf49690 1721 struct common_audit_data ad;
06112163 1722 struct av_decision avd;
b68e418c 1723 u16 sclass;
3699c53c 1724 u32 sid = cred_sid(cred);
b68e418c 1725 u32 av = CAP_TO_MASK(cap);
06112163 1726 int rc;
1da177e4 1727
50c205f5 1728 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1729 ad.u.cap = cap;
1730
b68e418c
SS		 1731 switch (CAP_TO_INDEX(cap)) {
1732 case 0:
8e4ff6f2 1733 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1734 break;
1735 case 1:
8e4ff6f2 1736 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1737 break;
1738 default:
1739 printk(KERN_ERR
1740 "SELinux: out of range capability %d\n", cap);
1741 BUG();
a35c6c83 1742 return -EINVAL;
b68e418c 1743 }
06112163 1744
275bb41e 1745 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1746 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1747 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1748 if (rc2)
1749 return rc2;
1750 }
06112163 1751 return rc;
1da177e4
LT		 1752}
1753
1da177e4
LT		 1754/* Check whether a task has a particular permission to an inode.
1755 The 'adp' parameter is optional and allows other audit
1756 data to be passed (e.g. the dentry). */
88e67f3b 1757static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1758 struct inode *inode,
1759 u32 perms,
19e49834 1760 struct common_audit_data *adp)
1da177e4 1761{
1da177e4 1762 struct inode_security_struct *isec;
275bb41e 1763 u32 sid;
1da177e4 1764
e0e81739
DH		 1765 validate_creds(cred);
1766
828dfe1d 1767 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1768 return 0;
1769
88e67f3b 1770 sid = cred_sid(cred);
1da177e4
LT		 1771 isec = inode->i_security;
1772
19e49834 1773 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1774}
1775
1776/* Same as inode_has_perm, but pass explicit audit data containing
1777 the dentry to help the auditing code to more easily generate the
1778 pathname if needed. */
88e67f3b 1779static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1780 struct dentry *dentry,
1781 u32 av)
1782{
c6f493d6 1783 struct inode *inode = d_backing_inode(dentry);
2bf49690 1784 struct common_audit_data ad;
88e67f3b 1785
50c205f5 1786 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1787 ad.u.dentry = dentry;
5d226df4 1788 __inode_security_revalidate(inode, dentry, true);
19e49834 1789 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1790}
1791
1792/* Same as inode_has_perm, but pass explicit audit data containing
1793 the path to help the auditing code to more easily generate the
1794 pathname if needed. */
1795static inline int path_has_perm(const struct cred *cred,
3f7036a0 1796 const struct path *path,
2875fa00
EP		 1797 u32 av)
1798{
c6f493d6 1799 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1800 struct common_audit_data ad;
1801
50c205f5 1802 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1803 ad.u.path = *path;
5d226df4 1804 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1805 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1806}
1807
13f8e981
DH		 1808/* Same as path_has_perm, but uses the inode from the file struct. */
1809static inline int file_path_has_perm(const struct cred *cred,
1810 struct file *file,
1811 u32 av)
1812{
1813 struct common_audit_data ad;
1814
43af5de7
VG		 1815 ad.type = LSM_AUDIT_DATA_FILE;
1816 ad.u.file = file;
19e49834 1817 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1818}
1819
f66e448c
CF		 1820#ifdef CONFIG_BPF_SYSCALL
1821static int bpf_fd_pass(struct file *file, u32 sid);
1822#endif
1823
1da177e4
LT		 1824/* Check whether a task can use an open file descriptor to
1825 access an inode in a given way. Check access to the
1826 descriptor itself, and then use dentry_has_perm to
1827 check a particular permission to the file.
1828 Access to the descriptor is implicitly granted if it
1829 has the same SID as the process. If av is zero, then
1830 access to the file is not checked, e.g. for cases
1831 where only the descriptor is affected like seek. */
88e67f3b
DH		 1832static int file_has_perm(const struct cred *cred,
1833 struct file *file,
1834 u32 av)
1da177e4 1835{
1da177e4 1836 struct file_security_struct *fsec = file->f_security;
496ad9aa 1837 struct inode *inode = file_inode(file);
2bf49690 1838 struct common_audit_data ad;
88e67f3b 1839 u32 sid = cred_sid(cred);
1da177e4
LT		 1840 int rc;
1841
43af5de7
VG		 1842 ad.type = LSM_AUDIT_DATA_FILE;
1843 ad.u.file = file;
1da177e4 1844
275bb41e
DH		 1845 if (sid != fsec->sid) {
1846 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1847 SECCLASS_FD,
1848 FD__USE,
1849 &ad);
1850 if (rc)
88e67f3b 1851 goto out;
1da177e4
LT		 1852 }
1853
f66e448c
CF		 1854#ifdef CONFIG_BPF_SYSCALL
1855 rc = bpf_fd_pass(file, cred_sid(cred));
1856 if (rc)
1857 return rc;
1858#endif
1859
1da177e4 1860 /* av is zero if only checking access to the descriptor. */
88e67f3b 1861 rc = 0;
1da177e4 1862 if (av)
19e49834 1863 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1864
88e67f3b
DH		 1865out:
1866 return rc;
1da177e4
LT		 1867}
1868
c3c188b2
DH		 1869/*
1870 * Determine the label for an inode that might be unioned.
1871 */
c957f6df
VG		 1872static int
1873selinux_determine_inode_label(const struct task_security_struct *tsec,
1874 struct inode *dir,
1875 const struct qstr *name, u16 tclass,
1876 u32 *_new_isid)
c3c188b2
DH		 1877{
1878 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1879
1880 if ((sbsec->flags & SE_SBINITIALIZED) &&
1881 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1882 *_new_isid = sbsec->mntpoint_sid;
1883 } else if ((sbsec->flags & SBLABEL_MNT) &&
1884 tsec->create_sid) {
1885 *_new_isid = tsec->create_sid;
1886 } else {
20cdef8d 1887 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1888 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1889 name, _new_isid);
1890 }
1891
1892 return 0;
1893}
1894
1da177e4
LT		 1895/* Check whether a task can create a file. */
1896static int may_create(struct inode *dir,
1897 struct dentry *dentry,
1898 u16 tclass)
1899{
5fb49870 1900 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1901 struct inode_security_struct *dsec;
1902 struct superblock_security_struct *sbsec;
275bb41e 1903 u32 sid, newsid;
2bf49690 1904 struct common_audit_data ad;
1da177e4
LT		 1905 int rc;
1906
83da53c5 1907 dsec = inode_security(dir);
1da177e4
LT		 1908 sbsec = dir->i_sb->s_security;
1909
275bb41e 1910 sid = tsec->sid;
275bb41e 1911
50c205f5 1912 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1913 ad.u.dentry = dentry;
1da177e4 1914
275bb41e 1915 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1916 DIR__ADD_NAME | DIR__SEARCH,
1917 &ad);
1918 if (rc)
1919 return rc;
1920
c957f6df
VG		 1921 rc = selinux_determine_inode_label(current_security(), dir,
1922 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1923 if (rc)
1924 return rc;
1da177e4 1925
275bb41e 1926 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1927 if (rc)
1928 return rc;
1929
1930 return avc_has_perm(newsid, sbsec->sid,
1931 SECCLASS_FILESYSTEM,
1932 FILESYSTEM__ASSOCIATE, &ad);
1933}
1934
828dfe1d
EP		 1935#define MAY_LINK 0
1936#define MAY_UNLINK 1
1937#define MAY_RMDIR 2
1da177e4
LT		 1938
1939/* Check whether a task can link, unlink, or rmdir a file/directory. */
1940static int may_link(struct inode *dir,
1941 struct dentry *dentry,
1942 int kind)
1943
1944{
1da177e4 1945 struct inode_security_struct *dsec, *isec;
2bf49690 1946 struct common_audit_data ad;
275bb41e 1947 u32 sid = current_sid();
1da177e4
LT		 1948 u32 av;
1949 int rc;
1950
83da53c5
AG		 1951 dsec = inode_security(dir);
1952 isec = backing_inode_security(dentry);
1da177e4 1953
50c205f5 1954 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1955 ad.u.dentry = dentry;
1da177e4
LT		 1956
1957 av = DIR__SEARCH;
1958 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1959 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1960 if (rc)
1961 return rc;
1962
1963 switch (kind) {
1964 case MAY_LINK:
1965 av = FILE__LINK;
1966 break;
1967 case MAY_UNLINK:
1968 av = FILE__UNLINK;
1969 break;
1970 case MAY_RMDIR:
1971 av = DIR__RMDIR;
1972 break;
1973 default:
744ba35e
EP		 1974 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1975 __func__, kind);
1da177e4
LT		 1976 return 0;
1977 }
1978
275bb41e 1979 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1980 return rc;
1981}
1982
1983static inline int may_rename(struct inode *old_dir,
1984 struct dentry *old_dentry,
1985 struct inode *new_dir,
1986 struct dentry *new_dentry)
1987{
1da177e4 1988 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1989 struct common_audit_data ad;
275bb41e 1990 u32 sid = current_sid();
1da177e4
LT		 1991 u32 av;
1992 int old_is_dir, new_is_dir;
1993 int rc;
1994
83da53c5
AG		 1995 old_dsec = inode_security(old_dir);
1996 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1997 old_is_dir = d_is_dir(old_dentry);
83da53c5 1998 new_dsec = inode_security(new_dir);
1da177e4 1999
50c205f5 2000 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 2001
a269434d 2002 ad.u.dentry = old_dentry;
275bb41e 2003 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 2004 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2005 if (rc)
2006 return rc;
275bb41e 2007 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2008 old_isec->sclass, FILE__RENAME, &ad);
2009 if (rc)
2010 return rc;
2011 if (old_is_dir && new_dir != old_dir) {
275bb41e 2012 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2013 old_isec->sclass, DIR__REPARENT, &ad);
2014 if (rc)
2015 return rc;
2016 }
2017
a269434d 2018 ad.u.dentry = new_dentry;
1da177e4 2019 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2020 if (d_is_positive(new_dentry))
1da177e4 2021 av |= DIR__REMOVE_NAME;
275bb41e 2022 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2023 if (rc)
2024 return rc;
2c616d4d 2025 if (d_is_positive(new_dentry)) {
83da53c5 2026 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2027 new_is_dir = d_is_dir(new_dentry);
275bb41e 2028 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 2029 new_isec->sclass,
2030 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2031 if (rc)
2032 return rc;
2033 }
2034
2035 return 0;
2036}
2037
2038/* Check whether a task can perform a filesystem operation. */
88e67f3b 2039static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2040 struct super_block *sb,
2041 u32 perms,
2bf49690 2042 struct common_audit_data *ad)
1da177e4 2043{
1da177e4 2044 struct superblock_security_struct *sbsec;
88e67f3b 2045 u32 sid = cred_sid(cred);
1da177e4 2046
1da177e4 2047 sbsec = sb->s_security;
275bb41e 2048 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2049}
2050
2051/* Convert a Linux mode and permission mask to an access vector. */
2052static inline u32 file_mask_to_av(int mode, int mask)
2053{
2054 u32 av = 0;
2055
dba19c60 2056 if (!S_ISDIR(mode)) {
1da177e4
LT		 2057 if (mask & MAY_EXEC)
2058 av |= FILE__EXECUTE;
2059 if (mask & MAY_READ)
2060 av |= FILE__READ;
2061
2062 if (mask & MAY_APPEND)
2063 av |= FILE__APPEND;
2064 else if (mask & MAY_WRITE)
2065 av |= FILE__WRITE;
2066
2067 } else {
2068 if (mask & MAY_EXEC)
2069 av |= DIR__SEARCH;
2070 if (mask & MAY_WRITE)
2071 av |= DIR__WRITE;
2072 if (mask & MAY_READ)
2073 av |= DIR__READ;
2074 }
2075
2076 return av;
2077}
2078
8b6a5a37
EP		 2079/* Convert a Linux file to an access vector. */
2080static inline u32 file_to_av(struct file *file)
2081{
2082 u32 av = 0;
2083
2084 if (file->f_mode & FMODE_READ)
2085 av |= FILE__READ;
2086 if (file->f_mode & FMODE_WRITE) {
2087 if (file->f_flags & O_APPEND)
2088 av |= FILE__APPEND;
2089 else
2090 av |= FILE__WRITE;
2091 }
2092 if (!av) {
2093 /*
2094 * Special file opened with flags 3 for ioctl-only use.
2095 */
2096 av = FILE__IOCTL;
2097 }
2098
2099 return av;
2100}
2101
b0c636b9 2102/*
8b6a5a37 2103 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2104 * open permission.
2105 */
8b6a5a37 2106static inline u32 open_file_to_av(struct file *file)
b0c636b9 2107{
8b6a5a37 2108 u32 av = file_to_av(file);
ccb54478 2109 struct inode *inode = file_inode(file);
b0c636b9 2110
ccb54478 2111 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2112 av |= FILE__OPEN;
2113
b0c636b9
EP		 2114 return av;
2115}
2116
1da177e4
LT		 2117/* Hook functions begin here. */
2118
79af7307
SS		 2119static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2120{
2121 u32 mysid = current_sid();
2122 u32 mgrsid = task_sid(mgr);
2123
2124 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2125 BINDER__SET_CONTEXT_MGR, NULL);
2126}
2127
2128static int selinux_binder_transaction(struct task_struct *from,
2129 struct task_struct *to)
2130{
2131 u32 mysid = current_sid();
2132 u32 fromsid = task_sid(from);
2133 u32 tosid = task_sid(to);
2134 int rc;
2135
2136 if (mysid != fromsid) {
2137 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2138 BINDER__IMPERSONATE, NULL);
2139 if (rc)
2140 return rc;
2141 }
2142
2143 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2144 NULL);
2145}
2146
2147static int selinux_binder_transfer_binder(struct task_struct *from,
2148 struct task_struct *to)
2149{
2150 u32 fromsid = task_sid(from);
2151 u32 tosid = task_sid(to);
2152
2153 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2154 NULL);
2155}
2156
2157static int selinux_binder_transfer_file(struct task_struct *from,
2158 struct task_struct *to,
2159 struct file *file)
2160{
2161 u32 sid = task_sid(to);
2162 struct file_security_struct *fsec = file->f_security;
83da53c5 2163 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2164 struct inode_security_struct *isec;
79af7307
SS		 2165 struct common_audit_data ad;
2166 int rc;
2167
2168 ad.type = LSM_AUDIT_DATA_PATH;
2169 ad.u.path = file->f_path;
2170
2171 if (sid != fsec->sid) {
2172 rc = avc_has_perm(sid, fsec->sid,
2173 SECCLASS_FD,
2174 FD__USE,
2175 &ad);
2176 if (rc)
2177 return rc;
2178 }
2179
f66e448c
CF		 2180#ifdef CONFIG_BPF_SYSCALL
2181 rc = bpf_fd_pass(file, sid);
2182 if (rc)
2183 return rc;
2184#endif
2185
83da53c5 2186 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2187 return 0;
2188
20cdef8d 2189 isec = backing_inode_security(dentry);
79af7307
SS		 2190 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2191 &ad);
2192}
2193
9e48858f 2194static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2195 unsigned int mode)
1da177e4 2196{
be0554c9
SS		 2197 u32 sid = current_sid();
2198 u32 csid = task_sid(child);
2199
2200 if (mode & PTRACE_MODE_READ)
275bb41e 2201 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2202
be0554c9 2203 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2204}
2205
2206static int selinux_ptrace_traceme(struct task_struct *parent)
2207{
be0554c9
SS		 2208 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2209 PROCESS__PTRACE, NULL);
1da177e4
LT		 2210}
2211
2212static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2213 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2214{
be0554c9
SS		 2215 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2216 PROCESS__GETCAP, NULL);
1da177e4
LT		 2217}
2218
d84f4f99
DH		 2219static int selinux_capset(struct cred *new, const struct cred *old,
2220 const kernel_cap_t *effective,
2221 const kernel_cap_t *inheritable,
2222 const kernel_cap_t *permitted)
1da177e4 2223{
be0554c9
SS		 2224 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2225 PROCESS__SETCAP, NULL);
1da177e4
LT		 2226}
2227
5626d3e8
JM		 2228/*
2229 * (This comment used to live with the selinux_task_setuid hook,
2230 * which was removed).
2231 *
2232 * Since setuid only affects the current process, and since the SELinux
2233 * controls are not based on the Linux identity attributes, SELinux does not
2234 * need to control this operation. However, SELinux does control the use of
2235 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2236 */
2237
6a9de491
EP		 2238static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2239 int cap, int audit)
1da177e4 2240{
8e4ff6f2 2241 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2242}
2243
1da177e4
LT		 2244static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2245{
88e67f3b 2246 const struct cred *cred = current_cred();
1da177e4
LT		 2247 int rc = 0;
2248
2249 if (!sb)
2250 return 0;
2251
2252 switch (cmds) {
828dfe1d
EP		 2253 case Q_SYNC:
2254 case Q_QUOTAON:
2255 case Q_QUOTAOFF:
2256 case Q_SETINFO:
2257 case Q_SETQUOTA:
88e67f3b 2258 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2259 break;
2260 case Q_GETFMT:
2261 case Q_GETINFO:
2262 case Q_GETQUOTA:
88e67f3b 2263 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2264 break;
2265 default:
2266 rc = 0; /* let the kernel handle invalid cmds */
2267 break;
1da177e4
LT		 2268 }
2269 return rc;
2270}
2271
2272static int selinux_quota_on(struct dentry *dentry)
2273{
88e67f3b
DH		 2274 const struct cred *cred = current_cred();
2275
2875fa00 2276 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2277}
2278
12b3052c 2279static int selinux_syslog(int type)
1da177e4 2280{
1da177e4 2281 switch (type) {
d78ca3cd
KC		 2282 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2283 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2284 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2285 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2286 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2287 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2288 /* Set level of messages printed to console */
2289 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2290 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2291 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2292 NULL);
1da177e4 2293 }
be0554c9
SS		 2294 /* All other syslog types */
2295 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2296 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2297}
2298
2299/*
2300 * Check that a process has enough memory to allocate a new virtual
2301 * mapping. 0 means there is enough memory for the allocation to
2302 * succeed and -ENOMEM implies there is not.
2303 *
1da177e4
LT		 2304 * Do not audit the selinux permission check, as this is applied to all
2305 * processes that allocate mappings.
2306 */
34b4e4aa 2307static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2308{
2309 int rc, cap_sys_admin = 0;
1da177e4 2310
b1d9e6b0 2311 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2312 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2313 if (rc == 0)
2314 cap_sys_admin = 1;
2315
b1d9e6b0 2316 return cap_sys_admin;
1da177e4
LT		 2317}
2318
2319/* binprm security operations */
2320
be0554c9 2321static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2322{
2323 u32 sid = 0;
2324 struct task_struct *tracer;
2325
2326 rcu_read_lock();
be0554c9 2327 tracer = ptrace_parent(current);
0c6181cb
PM		 2328 if (tracer)
2329 sid = task_sid(tracer);
2330 rcu_read_unlock();
2331
2332 return sid;
2333}
2334
7b0d0b40
SS		 2335static int check_nnp_nosuid(const struct linux_binprm *bprm,
2336 const struct task_security_struct *old_tsec,
2337 const struct task_security_struct *new_tsec)
2338{
2339 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2340 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2341 int rc;
af63f419 2342 u32 av;
7b0d0b40
SS		 2343
2344 if (!nnp && !nosuid)
2345 return 0; /* neither NNP nor nosuid */
2346
2347 if (new_tsec->sid == old_tsec->sid)
2348 return 0; /* No change in credentials */
2349
2350 /*
af63f419
SS		 2351 * If the policy enables the nnp_nosuid_transition policy capability,
2352 * then we permit transitions under NNP or nosuid if the
2353 * policy allows the corresponding permission between
2354 * the old and new contexts.
7b0d0b40 2355 */
af63f419
SS		 2356 if (selinux_policycap_nnp_nosuid_transition) {
2357 av = 0;
7b0d0b40 2358 if (nnp)
af63f419
SS		 2359 av |= PROCESS2__NNP_TRANSITION;
2360 if (nosuid)
2361 av |= PROCESS2__NOSUID_TRANSITION;
2362 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2363 SECCLASS_PROCESS2, av, NULL);
2364 if (!rc)
2365 return 0;
7b0d0b40 2366 }
af63f419
SS		 2367
2368 /*
2369 * We also permit NNP or nosuid transitions to bounded SIDs,
2370 * i.e. SIDs that are guaranteed to only be allowed a subset
2371 * of the permissions of the current SID.
2372 */
2373 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2374 if (!rc)
2375 return 0;
2376
2377 /*
2378 * On failure, preserve the errno values for NNP vs nosuid.
2379 * NNP: Operation not permitted for caller.
2380 * nosuid: Permission denied to file.
2381 */
2382 if (nnp)
2383 return -EPERM;
2384 return -EACCES;
7b0d0b40
SS		 2385}
2386
a6f76f23 2387static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2388{
a6f76f23
DH		 2389 const struct task_security_struct *old_tsec;
2390 struct task_security_struct *new_tsec;
1da177e4 2391 struct inode_security_struct *isec;
2bf49690 2392 struct common_audit_data ad;
496ad9aa 2393 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2394 int rc;
2395
a6f76f23
DH		 2396 /* SELinux context only depends on initial program or script and not
2397 * the script interpreter */
ddb4a144 2398 if (bprm->called_set_creds)
1da177e4
LT		 2399 return 0;
2400
a6f76f23
DH		 2401 old_tsec = current_security();
2402 new_tsec = bprm->cred->security;
83da53c5 2403 isec = inode_security(inode);
1da177e4
LT		 2404
2405 /* Default to the current task SID. */
a6f76f23
DH		 2406 new_tsec->sid = old_tsec->sid;
2407 new_tsec->osid = old_tsec->sid;
1da177e4 2408
28eba5bf 2409 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2410 new_tsec->create_sid = 0;
2411 new_tsec->keycreate_sid = 0;
2412 new_tsec->sockcreate_sid = 0;
1da177e4 2413
a6f76f23
DH		 2414 if (old_tsec->exec_sid) {
2415 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2416 /* Reset exec SID on execve. */
a6f76f23 2417 new_tsec->exec_sid = 0;
259e5e6c 2418
7b0d0b40
SS		 2419 /* Fail on NNP or nosuid if not an allowed transition. */
2420 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2421 if (rc)
2422 return rc;
1da177e4
LT		 2423 } else {
2424 /* Check for a default transition on this program. */
a6f76f23 2425 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2426 SECCLASS_PROCESS, NULL,
2427 &new_tsec->sid);
1da177e4
LT		 2428 if (rc)
2429 return rc;
7b0d0b40
SS		 2430
2431 /*
2432 * Fallback to old SID on NNP or nosuid if not an allowed
2433 * transition.
2434 */
2435 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2436 if (rc)
2437 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2438 }
2439
43af5de7
VG		 2440 ad.type = LSM_AUDIT_DATA_FILE;
2441 ad.u.file = bprm->file;
1da177e4 2442
a6f76f23
DH		 2443 if (new_tsec->sid == old_tsec->sid) {
2444 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2445 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2446 if (rc)
2447 return rc;
2448 } else {
2449 /* Check permissions for the transition. */
a6f76f23 2450 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2451 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2452 if (rc)
2453 return rc;
2454
a6f76f23 2455 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2456 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2457 if (rc)
2458 return rc;
2459
a6f76f23
DH		 2460 /* Check for shared state */
2461 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2462 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2463 SECCLASS_PROCESS, PROCESS__SHARE,
2464 NULL);
2465 if (rc)
2466 return -EPERM;
2467 }
2468
2469 /* Make sure that anyone attempting to ptrace over a task that
2470 * changes its SID has the appropriate permit */
9227dd2a 2471 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2472 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2473 if (ptsid != 0) {
2474 rc = avc_has_perm(ptsid, new_tsec->sid,
2475 SECCLASS_PROCESS,
2476 PROCESS__PTRACE, NULL);
2477 if (rc)
2478 return -EPERM;
2479 }
2480 }
1da177e4 2481
a6f76f23
DH		 2482 /* Clear any possibly unsafe personality bits on exec: */
2483 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2484
1da177e4
LT		 2485 /* Enable secure mode for SIDs transitions unless
2486 the noatsecure permission is granted between
2487 the two SIDs, i.e. ahp returns 0. */
62874c3a
KC		 2488 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2489 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2490 NULL);
2491 bprm->secureexec |= !!rc;
1da177e4
LT		 2492 }
2493
62874c3a 2494 return 0;
1da177e4
LT		 2495}
2496
c3c073f8
AV		 2497static int match_file(const void *p, struct file *file, unsigned fd)
2498{
2499 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2500}
2501
1da177e4 2502/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2503static inline void flush_unauthorized_files(const struct cred *cred,
2504 struct files_struct *files)
1da177e4 2505{
1da177e4 2506 struct file *file, *devnull = NULL;
b20c8122 2507 struct tty_struct *tty;
24ec839c 2508 int drop_tty = 0;
c3c073f8 2509 unsigned n;
1da177e4 2510
24ec839c 2511 tty = get_current_tty();
1da177e4 2512 if (tty) {
4a510969 2513 spin_lock(&tty->files_lock);
37dd0bd0 2514 if (!list_empty(&tty->tty_files)) {
d996b62a 2515 struct tty_file_private *file_priv;
37dd0bd0 2516
1da177e4 2517 /* Revalidate access to controlling tty.
13f8e981
DH		 2518 Use file_path_has_perm on the tty path directly
2519 rather than using file_has_perm, as this particular
2520 open file may belong to another process and we are
2521 only interested in the inode-based check here. */
d996b62a
NP		 2522 file_priv = list_first_entry(&tty->tty_files,
2523 struct tty_file_private, list);
2524 file = file_priv->file;
13f8e981 2525 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2526 drop_tty = 1;
1da177e4 2527 }
4a510969 2528 spin_unlock(&tty->files_lock);
452a00d2 2529 tty_kref_put(tty);
1da177e4 2530 }
98a27ba4
EB		 2531 /* Reset controlling tty. */
2532 if (drop_tty)
2533 no_tty();
1da177e4
LT		 2534
2535 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2536 n = iterate_fd(files, 0, match_file, cred);
2537 if (!n) /* none found? */
2538 return;
1da177e4 2539
c3c073f8 2540 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2541 if (IS_ERR(devnull))
2542 devnull = NULL;
2543 /* replace all the matching ones with this */
2544 do {
2545 replace_fd(n - 1, devnull, 0);
2546 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2547 if (devnull)
c3c073f8 2548 fput(devnull);
1da177e4
LT		 2549}
2550
a6f76f23
DH		 2551/*
2552 * Prepare a process for imminent new credential changes due to exec
2553 */
2554static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2555{
a6f76f23
DH		 2556 struct task_security_struct *new_tsec;
2557 struct rlimit *rlim, *initrlim;
2558 int rc, i;
d84f4f99 2559
a6f76f23
DH		 2560 new_tsec = bprm->cred->security;
2561 if (new_tsec->sid == new_tsec->osid)
2562 return;
1da177e4 2563
a6f76f23
DH		 2564 /* Close files for which the new task SID is not authorized. */
2565 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2566
a6f76f23
DH		 2567 /* Always clear parent death signal on SID transitions. */
2568 current->pdeath_signal = 0;
0356357c 2569
a6f76f23
DH		 2570 /* Check whether the new SID can inherit resource limits from the old
2571 * SID. If not, reset all soft limits to the lower of the current
2572 * task's hard limit and the init task's soft limit.
2573 *
2574 * Note that the setting of hard limits (even to lower them) can be
2575 * controlled by the setrlimit check. The inclusion of the init task's
2576 * soft limit into the computation is to avoid resetting soft limits
2577 * higher than the default soft limit for cases where the default is
2578 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2579 */
2580 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2581 PROCESS__RLIMITINH, NULL);
2582 if (rc) {
eb2d55a3
ON		 2583 /* protect against do_prlimit() */
2584 task_lock(current);
a6f76f23
DH		 2585 for (i = 0; i < RLIM_NLIMITS; i++) {
2586 rlim = current->signal->rlim + i;
2587 initrlim = init_task.signal->rlim + i;
2588 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2589 }
eb2d55a3 2590 task_unlock(current);
baa73d9e
NP		 2591 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2592 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2593 }
2594}
2595
2596/*
a6f76f23
DH		 2597 * Clean up the process immediately after the installation of new credentials
2598 * due to exec
1da177e4 2599 */
a6f76f23 2600static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2601{
a6f76f23 2602 const struct task_security_struct *tsec = current_security();
1da177e4 2603 struct itimerval itimer;
a6f76f23 2604 u32 osid, sid;
1da177e4
LT		 2605 int rc, i;
2606
a6f76f23
DH		 2607 osid = tsec->osid;
2608 sid = tsec->sid;
2609
2610 if (sid == osid)
1da177e4
LT		 2611 return;
2612
a6f76f23
DH		 2613 /* Check whether the new SID can inherit signal state from the old SID.
2614 * If not, clear itimers to avoid subsequent signal generation and
2615 * flush and unblock signals.
2616 *
2617 * This must occur _after_ the task SID has been updated so that any
2618 * kill done after the flush will be checked against the new SID.
2619 */
2620 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2621 if (rc) {
baa73d9e
NP		 2622 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2623 memset(&itimer, 0, sizeof itimer);
2624 for (i = 0; i < 3; i++)
2625 do_setitimer(i, &itimer, NULL);
2626 }
1da177e4 2627 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2628 if (!fatal_signal_pending(current)) {
2629 flush_sigqueue(&current->pending);
2630 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2631 flush_signal_handlers(current, 1);
2632 sigemptyset(&current->blocked);
9e7c8f8c 2633 recalc_sigpending();
3bcac026 2634 }
1da177e4
LT		 2635 spin_unlock_irq(&current->sighand->siglock);
2636 }
2637
a6f76f23
DH		 2638 /* Wake up the parent if it is waiting so that it can recheck
2639 * wait permission to the new task SID. */
ecd6de3c 2640 read_lock(&tasklist_lock);
0b7570e7 2641 __wake_up_parent(current, current->real_parent);
ecd6de3c 2642 read_unlock(&tasklist_lock);
1da177e4
LT		 2643}
2644
2645/* superblock security operations */
2646
2647static int selinux_sb_alloc_security(struct super_block *sb)
2648{
2649 return superblock_alloc_security(sb);
2650}
2651
2652static void selinux_sb_free_security(struct super_block *sb)
2653{
2654 superblock_free_security(sb);
2655}
2656
2657static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2658{
2659 if (plen > olen)
2660 return 0;
2661
2662 return !memcmp(prefix, option, plen);
2663}
2664
2665static inline int selinux_option(char *option, int len)
2666{
832cbd9a
EP		 2667 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2668 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2669 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2670 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2671 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2672}
2673
2674static inline void take_option(char **to, char *from, int *first, int len)
2675{
2676 if (!*first) {
2677 **to = ',';
2678 *to += 1;
3528a953 2679 } else
1da177e4
LT		 2680 *first = 0;
2681 memcpy(*to, from, len);
2682 *to += len;
2683}
2684
828dfe1d
EP		 2685static inline void take_selinux_option(char **to, char *from, int *first,
2686 int len)
3528a953
CO		 2687{
2688 int current_size = 0;
2689
2690 if (!*first) {
2691 **to = '|';
2692 *to += 1;
828dfe1d 2693 } else
3528a953
CO		 2694 *first = 0;
2695
2696 while (current_size < len) {
2697 if (*from != '"') {
2698 **to = *from;
2699 *to += 1;
2700 }
2701 from += 1;
2702 current_size += 1;
2703 }
2704}
2705
e0007529 2706static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2707{
2708 int fnosec, fsec, rc = 0;
2709 char *in_save, *in_curr, *in_end;
2710 char *sec_curr, *nosec_save, *nosec;
3528a953 2711 int open_quote = 0;
1da177e4
LT		 2712
2713 in_curr = orig;
2714 sec_curr = copy;
2715
1da177e4
LT		 2716 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2717 if (!nosec) {
2718 rc = -ENOMEM;
2719 goto out;
2720 }
2721
2722 nosec_save = nosec;
2723 fnosec = fsec = 1;
2724 in_save = in_end = orig;
2725
2726 do {
3528a953
CO		 2727 if (*in_end == '"')
2728 open_quote = !open_quote;
2729 if ((*in_end == ',' && open_quote == 0) ||
2730 *in_end == '\0') {
1da177e4
LT		 2731 int len = in_end - in_curr;
2732
2733 if (selinux_option(in_curr, len))
3528a953 2734 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2735 else
2736 take_option(&nosec, in_curr, &fnosec, len);
2737
2738 in_curr = in_end + 1;
2739 }
2740 } while (*in_end++);
2741
6931dfc9 2742 strcpy(in_save, nosec_save);
da3caa20 2743 free_page((unsigned long)nosec_save);
1da177e4
LT		 2744out:
2745 return rc;
2746}
2747
026eb167
EP		 2748static int selinux_sb_remount(struct super_block *sb, void *data)
2749{
2750 int rc, i, *flags;
2751 struct security_mnt_opts opts;
2752 char *secdata, **mount_options;
2753 struct superblock_security_struct *sbsec = sb->s_security;
2754
2755 if (!(sbsec->flags & SE_SBINITIALIZED))
2756 return 0;
2757
2758 if (!data)
2759 return 0;
2760
2761 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2762 return 0;
2763
2764 security_init_mnt_opts(&opts);
2765 secdata = alloc_secdata();
2766 if (!secdata)
2767 return -ENOMEM;
2768 rc = selinux_sb_copy_data(data, secdata);
2769 if (rc)
2770 goto out_free_secdata;
2771
2772 rc = selinux_parse_opts_str(secdata, &opts);
2773 if (rc)
2774 goto out_free_secdata;
2775
2776 mount_options = opts.mnt_opts;
2777 flags = opts.mnt_opts_flags;
2778
2779 for (i = 0; i < opts.num_mnt_opts; i++) {
2780 u32 sid;
026eb167 2781
12f348b9 2782 if (flags[i] == SBLABEL_MNT)
026eb167 2783 continue;
44be2f65 2784 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2785 if (rc) {
44be2f65 2786 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2787 "(%s) failed for (dev %s, type %s) errno=%d\n",
2788 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2789 goto out_free_opts;
2790 }
2791 rc = -EINVAL;
2792 switch (flags[i]) {
2793 case FSCONTEXT_MNT:
2794 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2795 goto out_bad_option;
2796 break;
2797 case CONTEXT_MNT:
2798 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2799 goto out_bad_option;
2800 break;
2801 case ROOTCONTEXT_MNT: {
2802 struct inode_security_struct *root_isec;
83da53c5 2803 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2804
2805 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2806 goto out_bad_option;
2807 break;
2808 }
2809 case DEFCONTEXT_MNT:
2810 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2811 goto out_bad_option;
2812 break;
2813 default:
2814 goto out_free_opts;
2815 }
2816 }
2817
2818 rc = 0;
2819out_free_opts:
2820 security_free_mnt_opts(&opts);
2821out_free_secdata:
2822 free_secdata(secdata);
2823 return rc;
2824out_bad_option:
2825 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2826 "during remount (dev %s, type=%s)\n", sb->s_id,
2827 sb->s_type->name);
026eb167
EP		 2828 goto out_free_opts;
2829}
2830
12204e24 2831static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2832{
88e67f3b 2833 const struct cred *cred = current_cred();
2bf49690 2834 struct common_audit_data ad;
1da177e4
LT		 2835 int rc;
2836
2837 rc = superblock_doinit(sb, data);
2838 if (rc)
2839 return rc;
2840
74192246
JM		 2841 /* Allow all mounts performed by the kernel */
2842 if (flags & MS_KERNMOUNT)
2843 return 0;
2844
50c205f5 2845 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2846 ad.u.dentry = sb->s_root;
88e67f3b 2847 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2848}
2849
726c3342 2850static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2851{
88e67f3b 2852 const struct cred *cred = current_cred();
2bf49690 2853 struct common_audit_data ad;
1da177e4 2854
50c205f5 2855 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2856 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2857 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2858}
2859
808d4e3c 2860static int selinux_mount(const char *dev_name,
8a04c43b 2861 const struct path *path,
808d4e3c 2862 const char *type,
828dfe1d
EP		 2863 unsigned long flags,
2864 void *data)
1da177e4 2865{
88e67f3b 2866 const struct cred *cred = current_cred();
1da177e4
LT		 2867
2868 if (flags & MS_REMOUNT)
d8c9584e 2869 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2870 FILESYSTEM__REMOUNT, NULL);
1da177e4 2871 else
2875fa00 2872 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2873}
2874
2875static int selinux_umount(struct vfsmount *mnt, int flags)
2876{
88e67f3b 2877 const struct cred *cred = current_cred();
1da177e4 2878
88e67f3b 2879 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2880 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2881}
2882
2883/* inode security operations */
2884
2885static int selinux_inode_alloc_security(struct inode *inode)
2886{
2887 return inode_alloc_security(inode);
2888}
2889
2890static void selinux_inode_free_security(struct inode *inode)
2891{
2892 inode_free_security(inode);
2893}
2894
d47be3df 2895static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2896 const struct qstr *name, void **ctx,
d47be3df
DQ		 2897 u32 *ctxlen)
2898{
d47be3df
DQ		 2899 u32 newsid;
2900 int rc;
2901
c957f6df
VG		 2902 rc = selinux_determine_inode_label(current_security(),
2903 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2904 inode_mode_to_security_class(mode),
2905 &newsid);
2906 if (rc)
2907 return rc;
d47be3df
DQ		 2908
2909 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2910}
2911
a518b0a5
VG		 2912static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2913 struct qstr *name,
2914 const struct cred *old,
2915 struct cred *new)
2916{
2917 u32 newsid;
2918 int rc;
2919 struct task_security_struct *tsec;
2920
2921 rc = selinux_determine_inode_label(old->security,
2922 d_inode(dentry->d_parent), name,
2923 inode_mode_to_security_class(mode),
2924 &newsid);
2925 if (rc)
2926 return rc;
2927
2928 tsec = new->security;
2929 tsec->create_sid = newsid;
2930 return 0;
2931}
2932
5e41ff9e 2933static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2934 const struct qstr *qstr,
2935 const char **name,
2a7dba39 2936 void **value, size_t *len)
5e41ff9e 2937{
5fb49870 2938 const struct task_security_struct *tsec = current_security();
5e41ff9e 2939 struct superblock_security_struct *sbsec;
c0d4f464 2940 u32 newsid, clen;
5e41ff9e 2941 int rc;
9548906b 2942 char *context;
5e41ff9e 2943
5e41ff9e 2944 sbsec = dir->i_sb->s_security;
5e41ff9e 2945
275bb41e
DH		 2946 newsid = tsec->create_sid;
2947
c957f6df 2948 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2949 dir, qstr,
2950 inode_mode_to_security_class(inode->i_mode),
2951 &newsid);
2952 if (rc)
2953 return rc;
5e41ff9e 2954
296fddf7 2955 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2956 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2957 struct inode_security_struct *isec = inode->i_security;
2958 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2959 isec->sid = newsid;
6f3be9f5 2960 isec->initialized = LABEL_INITIALIZED;
296fddf7 2961 }
5e41ff9e 2962
12f348b9 2963 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2964 return -EOPNOTSUPP;
2965
9548906b
TH		 2966 if (name)
2967 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2968
570bc1c2 2969 if (value && len) {
12b29f34 2970 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2971 if (rc)
570bc1c2 2972 return rc;
570bc1c2
SS		 2973 *value = context;
2974 *len = clen;
5e41ff9e 2975 }
5e41ff9e 2976
5e41ff9e
SS		 2977 return 0;
2978}
2979
4acdaf27 2980static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2981{
2982 return may_create(dir, dentry, SECCLASS_FILE);
2983}
2984
1da177e4
LT		 2985static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2986{
1da177e4
LT		 2987 return may_link(dir, old_dentry, MAY_LINK);
2988}
2989
1da177e4
LT		 2990static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2991{
1da177e4
LT		 2992 return may_link(dir, dentry, MAY_UNLINK);
2993}
2994
2995static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2996{
2997 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2998}
2999
18bb1db3 3000static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3001{
3002 return may_create(dir, dentry, SECCLASS_DIR);
3003}
3004
1da177e4
LT		 3005static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3006{
3007 return may_link(dir, dentry, MAY_RMDIR);
3008}
3009
1a67aafb 3010static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3011{
1da177e4
LT		 3012 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3013}
3014
1da177e4 3015static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3016 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3017{
3018 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3019}
3020
1da177e4
LT		 3021static int selinux_inode_readlink(struct dentry *dentry)
3022{
88e67f3b
DH		 3023 const struct cred *cred = current_cred();
3024
2875fa00 3025 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3026}
3027
bda0be7a
N		 3028static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3029 bool rcu)
1da177e4 3030{
88e67f3b 3031 const struct cred *cred = current_cred();
bda0be7a
N		 3032 struct common_audit_data ad;
3033 struct inode_security_struct *isec;
3034 u32 sid;
1da177e4 3035
bda0be7a
N		 3036 validate_creds(cred);
3037
3038 ad.type = LSM_AUDIT_DATA_DENTRY;
3039 ad.u.dentry = dentry;
3040 sid = cred_sid(cred);
5d226df4
AG		 3041 isec = inode_security_rcu(inode, rcu);
3042 if (IS_ERR(isec))
3043 return PTR_ERR(isec);
bda0be7a
N		 3044
3045 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3046 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3047}
3048
d4cf970d
EP		 3049static noinline int audit_inode_permission(struct inode *inode,
3050 u32 perms, u32 audited, u32 denied,
626b9740 3051 int result,
d4cf970d 3052 unsigned flags)
1da177e4 3053{
b782e0a6 3054 struct common_audit_data ad;
d4cf970d
EP		 3055 struct inode_security_struct *isec = inode->i_security;
3056 int rc;
3057
50c205f5 3058 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3059 ad.u.inode = inode;
3060
3061 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3062 audited, denied, result, &ad, flags);
d4cf970d
EP		 3063 if (rc)
3064 return rc;
3065 return 0;
3066}
3067
e74f71eb 3068static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3069{
88e67f3b 3070 const struct cred *cred = current_cred();
b782e0a6
EP		 3071 u32 perms;
3072 bool from_access;
cf1dd1da 3073 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3074 struct inode_security_struct *isec;
3075 u32 sid;
3076 struct av_decision avd;
3077 int rc, rc2;
3078 u32 audited, denied;
1da177e4 3079
b782e0a6 3080 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3081 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3082
b782e0a6
EP		 3083 /* No permission to check. Existence test. */
3084 if (!mask)
1da177e4 3085 return 0;
1da177e4 3086
2e334057 3087 validate_creds(cred);
b782e0a6 3088
2e334057
EP		 3089 if (unlikely(IS_PRIVATE(inode)))
3090 return 0;
b782e0a6
EP		 3091
3092 perms = file_mask_to_av(inode->i_mode, mask);
3093
2e334057 3094 sid = cred_sid(cred);
5d226df4
AG		 3095 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3096 if (IS_ERR(isec))
3097 return PTR_ERR(isec);
2e334057
EP		 3098
3099 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3100 audited = avc_audit_required(perms, &avd, rc,
3101 from_access ? FILE__AUDIT_ACCESS : 0,
3102 &denied);
3103 if (likely(!audited))
3104 return rc;
3105
626b9740 3106 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3107 if (rc2)
3108 return rc2;
3109 return rc;
1da177e4
LT		 3110}
3111
3112static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3113{
88e67f3b 3114 const struct cred *cred = current_cred();
ccb54478 3115 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3116 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3117 __u32 av = FILE__WRITE;
1da177e4 3118
bc6a6008
AW		 3119 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3120 if (ia_valid & ATTR_FORCE) {
3121 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3122 ATTR_FORCE);
3123 if (!ia_valid)
3124 return 0;
3125 }
1da177e4 3126
bc6a6008
AW		 3127 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3128 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3129 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3130
ccb54478
SS		 3131 if (selinux_policycap_openperm &&
3132 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3133 (ia_valid & ATTR_SIZE) &&
3134 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3135 av |= FILE__OPEN;
3136
3137 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3138}
3139
3f7036a0 3140static int selinux_inode_getattr(const struct path *path)
1da177e4 3141{
3f7036a0 3142 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3143}
3144
db59000a
SS		 3145static bool has_cap_mac_admin(bool audit)
3146{
3147 const struct cred *cred = current_cred();
3148 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3149
3150 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3151 return false;
3152 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3153 return false;
3154 return true;
3155}
3156
8f0cfa52
DH		 3157static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3158 const void *value, size_t size, int flags)
1da177e4 3159{
c6f493d6 3160 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3161 struct inode_security_struct *isec;
1da177e4 3162 struct superblock_security_struct *sbsec;
2bf49690 3163 struct common_audit_data ad;
275bb41e 3164 u32 newsid, sid = current_sid();
1da177e4
LT		 3165 int rc = 0;
3166
6b240306
EB		 3167 if (strcmp(name, XATTR_NAME_SELINUX)) {
3168 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3169 if (rc)
3170 return rc;
3171
3172 /* Not an attribute we recognize, so just check the
3173 ordinary setattr permission. */
3174 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3175 }
1da177e4
LT		 3176
3177 sbsec = inode->i_sb->s_security;
12f348b9 3178 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3179 return -EOPNOTSUPP;
3180
2e149670 3181 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3182 return -EPERM;
3183
50c205f5 3184 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3185 ad.u.dentry = dentry;
1da177e4 3186
20cdef8d 3187 isec = backing_inode_security(dentry);
275bb41e 3188 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3189 FILE__RELABELFROM, &ad);
3190 if (rc)
3191 return rc;
3192
52a4c640 3193 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3194 if (rc == -EINVAL) {
db59000a 3195 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3196 struct audit_buffer *ab;
3197 size_t audit_size;
d6ea83ec
EP		 3198
3199 /* We strip a nul only if it is at the end, otherwise the
3200 * context contains a nul and we should audit that */
e3fea3f7 3201 if (value) {
add24372
CIK		 3202 const char *str = value;
3203
e3fea3f7
AV		 3204 if (str[size - 1] == '\0')
3205 audit_size = size - 1;
3206 else
3207 audit_size = size;
3208 } else {
e3fea3f7
AV		 3209 audit_size = 0;
3210 }
d6ea83ec
EP		 3211 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3212 audit_log_format(ab, "op=setxattr invalid_context=");
3213 audit_log_n_untrustedstring(ab, value, audit_size);
3214 audit_log_end(ab);
3215
12b29f34 3216 return rc;
d6ea83ec 3217 }
12b29f34
SS		 3218 rc = security_context_to_sid_force(value, size, &newsid);
3219 }
1da177e4
LT		 3220 if (rc)
3221 return rc;
3222
275bb41e 3223 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3224 FILE__RELABELTO, &ad);
3225 if (rc)
3226 return rc;
3227
275bb41e 3228 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3229 isec->sclass);
1da177e4
LT		 3230 if (rc)
3231 return rc;
3232
3233 return avc_has_perm(newsid,
3234 sbsec->sid,
3235 SECCLASS_FILESYSTEM,
3236 FILESYSTEM__ASSOCIATE,
3237 &ad);
3238}
3239
8f0cfa52 3240static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3241 const void *value, size_t size,
8f0cfa52 3242 int flags)
1da177e4 3243{
c6f493d6 3244 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3245 struct inode_security_struct *isec;
1da177e4
LT		 3246 u32 newsid;
3247 int rc;
3248
3249 if (strcmp(name, XATTR_NAME_SELINUX)) {
3250 /* Not an attribute we recognize, so nothing to do. */
3251 return;
3252 }
3253
12b29f34 3254 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3255 if (rc) {
12b29f34
SS		 3256 printk(KERN_ERR "SELinux: unable to map context to SID"
3257 "for (%s, %lu), rc=%d\n",
3258 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3259 return;
3260 }
3261
20cdef8d 3262 isec = backing_inode_security(dentry);
9287aed2 3263 spin_lock(&isec->lock);
aa9c2669 3264 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3265 isec->sid = newsid;
6f3be9f5 3266 isec->initialized = LABEL_INITIALIZED;
9287aed2 3267 spin_unlock(&isec->lock);
aa9c2669 3268
1da177e4
LT		 3269 return;
3270}
3271
8f0cfa52 3272static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3273{
88e67f3b
DH		 3274 const struct cred *cred = current_cred();
3275
2875fa00 3276 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3277}
3278
828dfe1d 3279static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3280{
88e67f3b
DH		 3281 const struct cred *cred = current_cred();
3282
2875fa00 3283 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3284}
3285
8f0cfa52 3286static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3287{
6b240306
EB		 3288 if (strcmp(name, XATTR_NAME_SELINUX)) {
3289 int rc = cap_inode_removexattr(dentry, name);
3290 if (rc)
3291 return rc;
3292
3293 /* Not an attribute we recognize, so just check the
3294 ordinary setattr permission. */
3295 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3296 }
1da177e4
LT		 3297
3298 /* No one is allowed to remove a SELinux security label.
3299 You can change the label, but all data must be labeled. */
3300 return -EACCES;
3301}
3302
d381d8a9 3303/*
abc69bb6 3304 * Copy the inode security context value to the user.
d381d8a9
JM		 3305 *
3306 * Permission check is handled by selinux_inode_getxattr hook.
3307 */
ea861dfd 3308static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3309{
42492594
DQ		 3310 u32 size;
3311 int error;
3312 char *context = NULL;
20cdef8d 3313 struct inode_security_struct *isec;
d381d8a9 3314
8c8570fb
DK		 3315 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3316 return -EOPNOTSUPP;
d381d8a9 3317
abc69bb6
SS		 3318 /*
3319 * If the caller has CAP_MAC_ADMIN, then get the raw context
3320 * value even if it is not defined by current policy; otherwise,
3321 * use the in-core value under current policy.
3322 * Use the non-auditing forms of the permission checks since
3323 * getxattr may be called by unprivileged processes commonly
3324 * and lack of permission just means that we fall back to the
3325 * in-core context value, not a denial.
3326 */
20cdef8d 3327 isec = inode_security(inode);
db59000a 3328 if (has_cap_mac_admin(false))
abc69bb6
SS		 3329 error = security_sid_to_context_force(isec->sid, &context,
3330 &size);
3331 else
3332 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3333 if (error)
3334 return error;
3335 error = size;
3336 if (alloc) {
3337 *buffer = context;
3338 goto out_nofree;
3339 }
3340 kfree(context);
3341out_nofree:
3342 return error;
1da177e4
LT		 3343}
3344
3345static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3346 const void *value, size_t size, int flags)
1da177e4 3347{
2c97165b 3348 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3349 u32 newsid;
3350 int rc;
3351
3352 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3353 return -EOPNOTSUPP;
3354
3355 if (!value || !size)
3356 return -EACCES;
3357
20ba96ae 3358 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3359 if (rc)
3360 return rc;
3361
9287aed2 3362 spin_lock(&isec->lock);
aa9c2669 3363 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3364 isec->sid = newsid;
6f3be9f5 3365 isec->initialized = LABEL_INITIALIZED;
9287aed2 3366 spin_unlock(&isec->lock);
1da177e4
LT		 3367 return 0;
3368}
3369
3370static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3371{
3372 const int len = sizeof(XATTR_NAME_SELINUX);
3373 if (buffer && len <= buffer_size)
3374 memcpy(buffer, XATTR_NAME_SELINUX, len);
3375 return len;
3376}
3377
d6335d77 3378static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3379{
e817c2f3 3380 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3381 *secid = isec->sid;
3382}
3383
56909eb3
VG		 3384static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3385{
3386 u32 sid;
3387 struct task_security_struct *tsec;
3388 struct cred *new_creds = *new;
3389
3390 if (new_creds == NULL) {
3391 new_creds = prepare_creds();
3392 if (!new_creds)
3393 return -ENOMEM;
3394 }
3395
3396 tsec = new_creds->security;
3397 /* Get label from overlay inode and set it in create_sid */
3398 selinux_inode_getsecid(d_inode(src), &sid);
3399 tsec->create_sid = sid;
3400 *new = new_creds;
3401 return 0;
3402}
3403
19472b69
VG		 3404static int selinux_inode_copy_up_xattr(const char *name)
3405{
3406 /* The copy_up hook above sets the initial context on an inode, but we
3407 * don't then want to overwrite it by blindly copying all the lower
3408 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3409 */
3410 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3411 return 1; /* Discard */
3412 /*
3413 * Any other attribute apart from SELINUX is not claimed, supported
3414 * by selinux.
3415 */
3416 return -EOPNOTSUPP;
3417}
3418
1da177e4
LT		 3419/* file security operations */
3420
788e7dd4 3421static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3422{
88e67f3b 3423 const struct cred *cred = current_cred();
496ad9aa 3424 struct inode *inode = file_inode(file);
1da177e4 3425
1da177e4
LT		 3426 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3427 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3428 mask |= MAY_APPEND;
3429
389fb800
PM		 3430 return file_has_perm(cred, file,
3431 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3432}
3433
788e7dd4
YN		 3434static int selinux_file_permission(struct file *file, int mask)
3435{
496ad9aa 3436 struct inode *inode = file_inode(file);
20dda18b 3437 struct file_security_struct *fsec = file->f_security;
b197367e 3438 struct inode_security_struct *isec;
20dda18b
SS		 3439 u32 sid = current_sid();
3440
389fb800 3441 if (!mask)
788e7dd4
YN		 3442 /* No permission to check. Existence test. */
3443 return 0;
788e7dd4 3444
b197367e 3445 isec = inode_security(inode);
20dda18b
SS		 3446 if (sid == fsec->sid && fsec->isid == isec->sid &&
3447 fsec->pseqno == avc_policy_seqno())
83d49856 3448 /* No change since file_open check. */
20dda18b
SS		 3449 return 0;
3450
788e7dd4
YN		 3451 return selinux_revalidate_file_permission(file, mask);
3452}
3453
1da177e4
LT		 3454static int selinux_file_alloc_security(struct file *file)
3455{
3456 return file_alloc_security(file);
3457}
3458
3459static void selinux_file_free_security(struct file *file)
3460{
3461 file_free_security(file);
3462}
3463
fa1aa143
JVS		 3464/*
3465 * Check whether a task has the ioctl permission and cmd
3466 * operation to an inode.
3467 */
1d2a168a 3468static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3469 u32 requested, u16 cmd)
3470{
3471 struct common_audit_data ad;
3472 struct file_security_struct *fsec = file->f_security;
3473 struct inode *inode = file_inode(file);
20cdef8d 3474 struct inode_security_struct *isec;
fa1aa143
JVS		 3475 struct lsm_ioctlop_audit ioctl;
3476 u32 ssid = cred_sid(cred);
3477 int rc;
3478 u8 driver = cmd >> 8;
3479 u8 xperm = cmd & 0xff;
3480
3481 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3482 ad.u.op = &ioctl;
3483 ad.u.op->cmd = cmd;
3484 ad.u.op->path = file->f_path;
3485
3486 if (ssid != fsec->sid) {
3487 rc = avc_has_perm(ssid, fsec->sid,
3488 SECCLASS_FD,
3489 FD__USE,
3490 &ad);
3491 if (rc)
3492 goto out;
3493 }
3494
3495 if (unlikely(IS_PRIVATE(inode)))
3496 return 0;
3497
20cdef8d 3498 isec = inode_security(inode);
fa1aa143
JVS		 3499 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3500 requested, driver, xperm, &ad);
3501out:
3502 return rc;
3503}
3504
1da177e4
LT		 3505static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3506 unsigned long arg)
3507{
88e67f3b 3508 const struct cred *cred = current_cred();
0b24dcb7 3509 int error = 0;
1da177e4 3510
0b24dcb7
EP		 3511 switch (cmd) {
3512 case FIONREAD:
3513 /* fall through */
3514 case FIBMAP:
3515 /* fall through */
3516 case FIGETBSZ:
3517 /* fall through */
2f99c369 3518 case FS_IOC_GETFLAGS:
0b24dcb7 3519 /* fall through */
2f99c369 3520 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3521 error = file_has_perm(cred, file, FILE__GETATTR);
3522 break;
1da177e4 3523
2f99c369 3524 case FS_IOC_SETFLAGS:
0b24dcb7 3525 /* fall through */
2f99c369 3526 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3527 error = file_has_perm(cred, file, FILE__SETATTR);
3528 break;
3529
3530 /* sys_ioctl() checks */
3531 case FIONBIO:
3532 /* fall through */
3533 case FIOASYNC:
3534 error = file_has_perm(cred, file, 0);
3535 break;
1da177e4 3536
0b24dcb7
EP		 3537 case KDSKBENT:
3538 case KDSKBSENT:
6a9de491 3539 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3540 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3541 break;
3542
3543 /* default case assumes that the command will go
3544 * to the file's ioctl() function.
3545 */
3546 default:
fa1aa143 3547 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3548 }
3549 return error;
1da177e4
LT		 3550}
3551
fcaaade1
SS		 3552static int default_noexec;
3553
1da177e4
LT		 3554static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3555{
88e67f3b 3556 const struct cred *cred = current_cred();
be0554c9 3557 u32 sid = cred_sid(cred);
d84f4f99 3558 int rc = 0;
88e67f3b 3559
fcaaade1 3560 if (default_noexec &&
892e8cac
SS		 3561 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3562 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3563 /*
3564 * We are making executable an anonymous mapping or a
3565 * private file mapping that will also be writable.
3566 * This has an additional check.
3567 */
be0554c9
SS		 3568 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3569 PROCESS__EXECMEM, NULL);
1da177e4 3570 if (rc)
d84f4f99 3571 goto error;
1da177e4 3572 }
1da177e4
LT		 3573
3574 if (file) {
3575 /* read access is always possible with a mapping */
3576 u32 av = FILE__READ;
3577
3578 /* write access only matters if the mapping is shared */
3579 if (shared && (prot & PROT_WRITE))
3580 av |= FILE__WRITE;
3581
3582 if (prot & PROT_EXEC)
3583 av |= FILE__EXECUTE;
3584
88e67f3b 3585 return file_has_perm(cred, file, av);
1da177e4 3586 }
d84f4f99
DH		 3587
3588error:
3589 return rc;
1da177e4
LT		 3590}
3591
e5467859 3592static int selinux_mmap_addr(unsigned long addr)
1da177e4 3593{
b1d9e6b0 3594 int rc = 0;
1da177e4 3595
a2551df7 3596 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3597 u32 sid = current_sid();
ed032189
EP		 3598 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3599 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3600 }
3601
98883bfd 3602 return rc;
e5467859 3603}
1da177e4 3604
e5467859
AV		 3605static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3606 unsigned long prot, unsigned long flags)
3607{
3ba4bf5f
SS		 3608 struct common_audit_data ad;
3609 int rc;
3610
3611 if (file) {
3612 ad.type = LSM_AUDIT_DATA_FILE;
3613 ad.u.file = file;
3614 rc = inode_has_perm(current_cred(), file_inode(file),
3615 FILE__MAP, &ad);
3616 if (rc)
3617 return rc;
3618 }
3619
1da177e4
LT		 3620 if (selinux_checkreqprot)
3621 prot = reqprot;
3622
3623 return file_map_prot_check(file, prot,
3624 (flags & MAP_TYPE) == MAP_SHARED);
3625}
3626
3627static int selinux_file_mprotect(struct vm_area_struct *vma,
3628 unsigned long reqprot,
3629 unsigned long prot)
3630{
88e67f3b 3631 const struct cred *cred = current_cred();
be0554c9 3632 u32 sid = cred_sid(cred);
1da177e4
LT		 3633
3634 if (selinux_checkreqprot)
3635 prot = reqprot;
3636
fcaaade1
SS		 3637 if (default_noexec &&
3638 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3639 int rc = 0;
db4c9641
SS		 3640 if (vma->vm_start >= vma->vm_mm->start_brk &&
3641 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3642 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3643 PROCESS__EXECHEAP, NULL);
db4c9641 3644 } else if (!vma->vm_file &&
c2316dbf
SS		 3645 ((vma->vm_start <= vma->vm_mm->start_stack &&
3646 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3647 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3648 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3649 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3650 } else if (vma->vm_file && vma->anon_vma) {
3651 /*
3652 * We are making executable a file mapping that has
3653 * had some COW done. Since pages might have been
3654 * written, check ability to execute the possibly
3655 * modified content. This typically should only
3656 * occur for text relocations.
3657 */
d84f4f99 3658 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3659 }