]> git.ipfire.org Git - thirdparty/linux.git/blame - security/selinux/hooks.c
projects / thirdparty / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fs: port xattr to mnt_idmap
[thirdparty/linux.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4
LT		 2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7efbb60b 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
b89999d0 27#include <linux/kernel_read_file.h>
1da177e4 28#include <linux/errno.h>
3f07c014 29#include <linux/sched/signal.h>
29930025 30#include <linux/sched/task.h>
3c4ed7bd 31#include <linux/lsm_hooks.h>
1da177e4
LT		 32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
0b24dcb7 39#include <linux/proc_fs.h>
1da177e4 40#include <linux/swap.h>
1da177e4
LT		 41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
2a7dba39 43#include <linux/dcache.h>
1da177e4 44#include <linux/file.h>
9f3acc31 45#include <linux/fdtable.h>
1da177e4
LT		 46#include <linux/namei.h>
47#include <linux/mount.h>
442155c1
DH		 48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
d452930f
RH		 69#include <linux/sctp.h>
70#include <net/sctp/structs.h>
1da177e4
LT		 71#include <linux/quota.h>
72#include <linux/un.h> /* for Unix socket types */
73#include <net/af_unix.h> /* for Unix socket types */
74#include <linux/parser.h>
75#include <linux/nfs_mount.h>
76#include <net/ipv6.h>
77#include <linux/hugetlb.h>
78#include <linux/personality.h>
1da177e4 79#include <linux/audit.h>
6931dfc9 80#include <linux/string.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
ec27c356 88#include <linux/bpf.h>
ec882da5
OM		 89#include <linux/kernfs.h>
90#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 91#include <uapi/linux/mount.h>
ac5656d8
AG		 92#include <linux/fsnotify.h>
93#include <linux/fanotify.h>
f4d653dc 94#include <linux/io_uring.h>
1da177e4
LT		 95
96#include "avc.h"
97#include "objsec.h"
98#include "netif.h"
224dfbd8 99#include "netnode.h"
3e112172 100#include "netport.h"
409dcf31 101#include "ibpkey.h"
d28d1e08 102#include "xfrm.h"
c60475bf 103#include "netlabel.h"
9d57a7f9 104#include "audit.h"
7b98a585 105#include "avc_ss.h"
1da177e4 106
aa8e712c
SS		 107struct selinux_state selinux_state;
108
d621d35e 109/* SECMARK reference count */
56a4ca99 110static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 111
1da177e4 112#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
6c5a682e 113static int selinux_enforcing_boot __initdata;
1da177e4
LT		 114
115static int __init enforcing_setup(char *str)
116{
f5269710 117 unsigned long enforcing;
29707b20 118 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 119 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 120 return 1;
121}
122__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 123#else
124#define selinux_enforcing_boot 1
1da177e4
LT		 125#endif
126
6c5a682e 127int selinux_enabled_boot __initdata = 1;
1da177e4 128#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 129static int __init selinux_enabled_setup(char *str)
130{
f5269710 131 unsigned long enabled;
29707b20 132 if (!kstrtoul(str, 0, &enabled))
6c5a682e 133 selinux_enabled_boot = enabled ? 1 : 0;
1da177e4
LT		 134 return 1;
135}
136__setup("selinux=", selinux_enabled_setup);
137#endif
138
aa8e712c
SS		 139static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
e9c38f9f 146 if (!kstrtoul(str, 0, &checkreqprot)) {
aa8e712c 147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
e9c38f9f 148 if (checkreqprot)
81200b02 149 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
e9c38f9f 150 }
aa8e712c
SS		 151 return 1;
152}
153__setup("checkreqprot=", checkreqprot_setup);
154
d621d35e
PM		 155/**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 164 *
165 */
166static int selinux_secmark_enabled(void)
167{
aa8e712c
SS		 168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 170}
171
172/**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
182static int selinux_peerlbl_enabled(void)
183{
aa8e712c
SS		 184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 186}
187
615e51fd
PM		 188static int selinux_netcache_avc_callback(u32 event)
189{
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197}
198
8f408ab6
DJ		 199static int selinux_lsm_notifier_avc_callback(u32 event)
200{
409dcf31
DJ		 201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
42df744c 203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 204 }
8f408ab6
DJ		 205
206 return 0;
207}
208
d84f4f99
DH		 209/*
210 * initialise the security for the init task
211 */
212static void cred_init_security(void)
1da177e4
LT		 213{
214 struct task_security_struct *tsec;
215
cdeea454 216 tsec = selinux_cred(unrcu_pointer(current->real_cred));
d84f4f99 217 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 218}
219
88e67f3b
DH		 220/*
221 * get the security ID of a set of credentials
222 */
223static inline u32 cred_sid(const struct cred *cred)
224{
225 const struct task_security_struct *tsec;
226
0c6cfa62 227 tsec = selinux_cred(cred);
88e67f3b
DH		 228 return tsec->sid;
229}
230
275bb41e 231/*
3b11a1de 232 * get the objective security ID of a task
275bb41e 233 */
eb1231f7 234static inline u32 task_sid_obj(const struct task_struct *task)
275bb41e 235{
275bb41e
DH		 236 u32 sid;
237
238 rcu_read_lock();
88e67f3b 239 sid = cred_sid(__task_cred(task));
275bb41e
DH		 240 rcu_read_unlock();
241 return sid;
242}
243
5d226df4
AG		 244static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
245
246/*
247 * Try reloading inode security labels that have been marked as invalid. The
248 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 249 * allowed; when set to false, returns -ECHILD when the label is
e9193288 250 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 251 */
252static int __inode_security_revalidate(struct inode *inode,
e9193288 253 struct dentry *dentry,
5d226df4
AG		 254 bool may_sleep)
255{
80788c22 256 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 257
258 might_sleep_if(may_sleep);
259
65cddd50 260 if (selinux_initialized(&selinux_state) &&
aa8e712c 261 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 262 if (!may_sleep)
263 return -ECHILD;
264
265 /*
266 * Try reloading the inode security label. This will fail if
267 * @opt_dentry is NULL and no dentry for this inode can be
268 * found; in that case, continue using the old label.
269 */
e9193288 270 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 271 }
272 return 0;
273}
274
5d226df4
AG		 275static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
276{
80788c22 277 return selinux_inode(inode);
5d226df4
AG		 278}
279
280static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
281{
282 int error;
283
284 error = __inode_security_revalidate(inode, NULL, !rcu);
285 if (error)
286 return ERR_PTR(error);
80788c22 287 return selinux_inode(inode);
5d226df4
AG		 288}
289
83da53c5
AG		 290/*
291 * Get the security label of an inode.
292 */
293static struct inode_security_struct *inode_security(struct inode *inode)
294{
5d226df4 295 __inode_security_revalidate(inode, NULL, true);
80788c22 296 return selinux_inode(inode);
83da53c5
AG		 297}
298
2c97165b
PM		 299static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
300{
301 struct inode *inode = d_backing_inode(dentry);
302
80788c22 303 return selinux_inode(inode);
2c97165b
PM		 304}
305
83da53c5
AG		 306/*
307 * Get the security label of a dentry's backing inode.
308 */
309static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
310{
311 struct inode *inode = d_backing_inode(dentry);
312
5d226df4 313 __inode_security_revalidate(inode, dentry, true);
80788c22 314 return selinux_inode(inode);
83da53c5
AG		 315}
316
1da177e4
LT		 317static void inode_free_security(struct inode *inode)
318{
80788c22 319 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 320 struct superblock_security_struct *sbsec;
1da177e4 321
afb1cbe3
CS		 322 if (!isec)
323 return;
1aea7808 324 sbsec = selinux_superblock(inode->i_sb);
9629d04a
WL		 325 /*
326 * As not all inode security structures are in a list, we check for
327 * empty list outside of the lock to make sure that we won't waste
328 * time taking a lock doing nothing.
329 *
330 * The list_del_init() function can be safely called more than once.
331 * It should not be possible for this function to be called with
332 * concurrent list_add(), but for better safety against future changes
333 * in the code, we use list_empty_careful() here.
334 */
335 if (!list_empty_careful(&isec->list)) {
336 spin_lock(&sbsec->isec_lock);
1da177e4 337 list_del_init(&isec->list);
9629d04a
WL		 338 spin_unlock(&sbsec->isec_lock);
339 }
1da177e4
LT		 340}
341
bd323655 342struct selinux_mnt_opts {
b8b87fd9
SM		 343 u32 fscontext_sid;
344 u32 context_sid;
345 u32 rootcontext_sid;
346 u32 defcontext_sid;
bd323655
AV		 347};
348
204cc0cc
AV		 349static void selinux_free_mnt_opts(void *mnt_opts)
350{
70f4169a 351 kfree(mnt_opts);
204cc0cc
AV		 352}
353
1da177e4 354enum {
31e87930 355 Opt_error = -1,
442155c1
DH		 356 Opt_context = 0,
357 Opt_defcontext = 1,
1da177e4 358 Opt_fscontext = 2,
442155c1
DH		 359 Opt_rootcontext = 3,
360 Opt_seclabel = 4,
1da177e4
LT		 361};
362
da3d76ab 363#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 364static struct {
365 const char *name;
366 int len;
367 int opt;
368 bool has_arg;
369} tokens[] = {
da3d76ab
AV		 370 A(context, true),
371 A(fscontext, true),
372 A(defcontext, true),
373 A(rootcontext, true),
374 A(seclabel, false),
1da177e4 375};
169d68ef
AV		 376#undef A
377
378static int match_opt_prefix(char *s, int l, char **arg)
379{
380 int i;
381
382 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
383 size_t len = tokens[i].len;
384 if (len > l || memcmp(s, tokens[i].name, len))
385 continue;
386 if (tokens[i].has_arg) {
387 if (len == l || s[len] != '=')
388 continue;
389 *arg = s + len + 1;
390 } else if (len != l)
391 continue;
392 return tokens[i].opt;
393 }
394 return Opt_error;
395}
1da177e4
LT		 396
397#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
398
c312feb2
EP		 399static int may_context_mount_sb_relabel(u32 sid,
400 struct superblock_security_struct *sbsec,
275bb41e 401 const struct cred *cred)
c312feb2 402{
0c6cfa62 403 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 404 int rc;
405
6b6bc620
SS		 406 rc = avc_has_perm(&selinux_state,
407 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 408 FILESYSTEM__RELABELFROM, NULL);
409 if (rc)
410 return rc;
411
6b6bc620
SS		 412 rc = avc_has_perm(&selinux_state,
413 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 414 FILESYSTEM__RELABELTO, NULL);
415 return rc;
416}
417
0808925e
EP		 418static int may_context_mount_inode_relabel(u32 sid,
419 struct superblock_security_struct *sbsec,
275bb41e 420 const struct cred *cred)
0808925e 421{
0c6cfa62 422 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 423 int rc;
6b6bc620
SS		 424 rc = avc_has_perm(&selinux_state,
425 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 426 FILESYSTEM__RELABELFROM, NULL);
427 if (rc)
428 return rc;
429
6b6bc620
SS		 430 rc = avc_has_perm(&selinux_state,
431 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 432 FILESYSTEM__ASSOCIATE, NULL);
433 return rc;
434}
435
a83d6dda 436static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 437{
a83d6dda
OM		 438 /* Special handling. Genfs but also in-core setxattr handler */
439 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 440 !strcmp(sb->s_type->name, "pstore") ||
441 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 442 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 443 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 444 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 445 (!strcmp(sb->s_type->name, "cgroup") ||
446 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 447}
448
a83d6dda
OM		 449static int selinux_is_sblabel_mnt(struct super_block *sb)
450{
1aea7808 451 struct superblock_security_struct *sbsec = selinux_superblock(sb);
a83d6dda
OM		 452
453 /*
454 * IMPORTANT: Double-check logic in this function when adding a new
455 * SECURITY_FS_USE_* definition!
456 */
457 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
458
459 switch (sbsec->behavior) {
460 case SECURITY_FS_USE_XATTR:
461 case SECURITY_FS_USE_TRANS:
462 case SECURITY_FS_USE_TASK:
463 case SECURITY_FS_USE_NATIVE:
464 return 1;
465
466 case SECURITY_FS_USE_GENFS:
467 return selinux_is_genfs_special_handling(sb);
468
469 /* Never allow relabeling on context mounts */
470 case SECURITY_FS_USE_MNTPOINT:
471 case SECURITY_FS_USE_NONE:
472 default:
473 return 0;
474 }
475}
476
08abe46b
OM		 477static int sb_check_xattr_support(struct super_block *sb)
478{
0266c25e 479 struct superblock_security_struct *sbsec = selinux_superblock(sb);
08abe46b
OM		 480 struct dentry *root = sb->s_root;
481 struct inode *root_inode = d_backing_inode(root);
482 u32 sid;
483 int rc;
484
485 /*
486 * Make sure that the xattr handler exists and that no
487 * error other than -ENODATA is returned by getxattr on
488 * the root directory. -ENODATA is ok, as this may be
489 * the first boot of the SELinux kernel before we have
490 * assigned xattr values to the filesystem.
491 */
492 if (!(root_inode->i_opflags & IOP_XATTR)) {
493 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
494 sb->s_id, sb->s_type->name);
495 goto fallback;
496 }
497
498 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
499 if (rc < 0 && rc != -ENODATA) {
500 if (rc == -EOPNOTSUPP) {
501 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
502 sb->s_id, sb->s_type->name);
503 goto fallback;
504 } else {
505 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
506 sb->s_id, sb->s_type->name, -rc);
507 return rc;
508 }
509 }
510 return 0;
511
512fallback:
513 /* No xattr support - try to fallback to genfs if possible. */
514 rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
515 SECCLASS_DIR, &sid);
516 if (rc)
517 return -EOPNOTSUPP;
518
519 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
520 sb->s_id, sb->s_type->name);
521 sbsec->behavior = SECURITY_FS_USE_GENFS;
522 sbsec->sid = sid;
523 return 0;
524}
525
c9180a57 526static int sb_finish_set_opts(struct super_block *sb)
1da177e4 527{
1aea7808 528 struct superblock_security_struct *sbsec = selinux_superblock(sb);
c9180a57 529 struct dentry *root = sb->s_root;
c6f493d6 530 struct inode *root_inode = d_backing_inode(root);
c9180a57 531 int rc = 0;
1da177e4 532
c9180a57 533 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
08abe46b
OM		 534 rc = sb_check_xattr_support(sb);
535 if (rc)
536 return rc;
c9180a57 537 }
1da177e4 538
eadcabc6 539 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 540
541 /*
542 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
543 * leave the flag untouched because sb_clone_mnt_opts might be handing
544 * us a superblock that needs the flag to be cleared.
545 */
b43e725d 546 if (selinux_is_sblabel_mnt(sb))
12f348b9 547 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 548 else
549 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 550
c9180a57
EP		 551 /* Initialize the root inode. */
552 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 553
c9180a57
EP		 554 /* Initialize any other inodes associated with the superblock, e.g.
555 inodes created prior to initial policy load or inodes created
556 during get_sb by a pseudo filesystem that directly
557 populates itself. */
558 spin_lock(&sbsec->isec_lock);
8d64124a 559 while (!list_empty(&sbsec->isec_head)) {
c9180a57 560 struct inode_security_struct *isec =
8d64124a 561 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 562 struct inode_security_struct, list);
563 struct inode *inode = isec->inode;
923190d3 564 list_del_init(&isec->list);
c9180a57
EP		 565 spin_unlock(&sbsec->isec_lock);
566 inode = igrab(inode);
567 if (inode) {
568 if (!IS_PRIVATE(inode))
cb89e246 569 inode_doinit_with_dentry(inode, NULL);
c9180a57
EP		 570 iput(inode);
571 }
572 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 573 }
574 spin_unlock(&sbsec->isec_lock);
c9180a57
EP		 575 return rc;
576}
1da177e4 577
c9180a57
EP		 578static int bad_option(struct superblock_security_struct *sbsec, char flag,
579 u32 old_sid, u32 new_sid)
580{
0d90a7ec
DQ		 581 char mnt_flags = sbsec->flags & SE_MNTMASK;
582
c9180a57 583 /* check if the old mount command had the same options */
0d90a7ec 584 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 585 if (!(sbsec->flags & flag) ||
586 (old_sid != new_sid))
587 return 1;
588
589 /* check if we were passed the same options twice,
590 * aka someone passed context=a,context=b
591 */
0d90a7ec
DQ		 592 if (!(sbsec->flags & SE_SBINITIALIZED))
593 if (mnt_flags & flag)
c9180a57
EP		 594 return 1;
595 return 0;
596}
e0007529 597
c9180a57
EP		 598/*
599 * Allow filesystems with binary mount data to explicitly set mount point
600 * labeling information.
601 */
e0007529 602static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 603 void *mnt_opts,
649f6e77
DQ		 604 unsigned long kern_flags,
605 unsigned long *set_kern_flags)
c9180a57 606{
275bb41e 607 const struct cred *cred = current_cred();
1aea7808 608 struct superblock_security_struct *sbsec = selinux_superblock(sb);
b159e86b 609 struct dentry *root = sb->s_root;
bd323655 610 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 611 struct inode_security_struct *root_isec;
c9180a57
EP		 612 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
613 u32 defcontext_sid = 0;
bd323655 614 int rc = 0;
c9180a57
EP		 615
616 mutex_lock(&sbsec->lock);
617
65cddd50 618 if (!selinux_initialized(&selinux_state)) {
bd323655 619 if (!opts) {
c9180a57
EP		 620 /* Defer initialization until selinux_complete_init,
621 after the initial policy is loaded and the security
622 server is ready to handle calls. */
c9180a57
EP		 623 goto out;
624 }
625 rc = -EINVAL;
c103a91e 626 pr_warn("SELinux: Unable to set superblock options "
744ba35e 627 "before the security server is initialized\n");
1da177e4 628 goto out;
c9180a57 629 }
649f6e77
DQ		 630 if (kern_flags && !set_kern_flags) {
631 /* Specifying internal flags without providing a place to
632 * place the results is not allowed */
633 rc = -EINVAL;
634 goto out;
635 }
1da177e4 636
e0007529
EP		 637 /*
638 * Binary mount data FS will come through this function twice. Once
639 * from an explicit call and once from the generic calls from the vfs.
640 * Since the generic VFS calls will not contain any security mount data
641 * we need to skip the double mount verification.
642 *
643 * This does open a hole in which we will not notice if the first
9691e4f9 644 * mount using this sb set explicit options and a second mount using
e0007529
EP		 645 * this sb does not set any security options. (The first options
646 * will be used for both mounts)
647 */
0d90a7ec 648 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 649 && !opts)
f5269710 650 goto out;
e0007529 651
2c97165b
PM		 652 root_isec = backing_inode_security_novalidate(root);
653
c9180a57
EP		 654 /*
655 * parse the mount options, check if they are valid sids.
656 * also check if someone is trying to mount the same sb more
657 * than once with different security options.
658 */
bd323655 659 if (opts) {
70f4169a
OM		 660 if (opts->fscontext_sid) {
661 fscontext_sid = opts->fscontext_sid;
c9180a57
EP		 662 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
663 fscontext_sid))
664 goto out_double_mount;
c9180a57 665 sbsec->flags |= FSCONTEXT_MNT;
bd323655 666 }
70f4169a
OM		 667 if (opts->context_sid) {
668 context_sid = opts->context_sid;
c9180a57
EP		 669 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
670 context_sid))
671 goto out_double_mount;
c9180a57 672 sbsec->flags |= CONTEXT_MNT;
bd323655 673 }
70f4169a
OM		 674 if (opts->rootcontext_sid) {
675 rootcontext_sid = opts->rootcontext_sid;
c9180a57
EP		 676 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
677 rootcontext_sid))
678 goto out_double_mount;
c9180a57 679 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655 680 }
70f4169a
OM		 681 if (opts->defcontext_sid) {
682 defcontext_sid = opts->defcontext_sid;
c9180a57
EP		 683 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
684 defcontext_sid))
685 goto out_double_mount;
c9180a57 686 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 687 }
c9180a57
EP		 688 }
689
0d90a7ec 690 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 691 /* previously mounted with options, but not on this attempt? */
bd323655 692 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 693 goto out_double_mount;
694 rc = 0;
695 goto out;
696 }
697
089be43e 698 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 699 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
700
8e014720 701 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 702 !strcmp(sb->s_type->name, "tracefs") ||
a20456ae 703 !strcmp(sb->s_type->name, "binder") ||
4ca54d3d 704 !strcmp(sb->s_type->name, "bpf") ||
8a764ef1
CG		 705 !strcmp(sb->s_type->name, "pstore") ||
706 !strcmp(sb->s_type->name, "securityfs"))
b754026b
OM		 707 sbsec->flags |= SE_SBGENFS;
708
709 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 710 !strcmp(sb->s_type->name, "cgroup") ||
711 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 712 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 713
eb9ae686
DQ		 714 if (!sbsec->behavior) {
715 /*
716 * Determine the labeling behavior to use for this
717 * filesystem type.
718 */
aa8e712c 719 rc = security_fs_use(&selinux_state, sb);
eb9ae686 720 if (rc) {
c103a91e 721 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 722 __func__, sb->s_type->name, rc);
723 goto out;
724 }
c9180a57 725 }
aad82892
SF		 726
727 /*
01593d32
SS		 728 * If this is a user namespace mount and the filesystem type is not
729 * explicitly whitelisted, then no contexts are allowed on the command
730 * line and security labels must be ignored.
aad82892 731 */
01593d32
SS		 732 if (sb->s_user_ns != &init_user_ns &&
733 strcmp(sb->s_type->name, "tmpfs") &&
734 strcmp(sb->s_type->name, "ramfs") &&
7fa2e79a
VG		 735 strcmp(sb->s_type->name, "devpts") &&
736 strcmp(sb->s_type->name, "overlay")) {
aad82892
SF		 737 if (context_sid || fscontext_sid || rootcontext_sid ||
738 defcontext_sid) {
739 rc = -EACCES;
740 goto out;
741 }
742 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 744 rc = security_transition_sid(&selinux_state,
745 current_sid(),
746 current_sid(),
aad82892
SF		 747 SECCLASS_FILE, NULL,
748 &sbsec->mntpoint_sid);
749 if (rc)
750 goto out;
751 }
752 goto out_set_opts;
753 }
754
c9180a57
EP		 755 /* sets the context of the superblock for the fs being mounted. */
756 if (fscontext_sid) {
275bb41e 757 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 758 if (rc)
c9180a57 759 goto out;
1da177e4 760
c9180a57 761 sbsec->sid = fscontext_sid;
c312feb2
EP		 762 }
763
764 /*
765 * Switch to using mount point labeling behavior.
766 * sets the label used on all file below the mountpoint, and will set
767 * the superblock context if not already set.
768 */
eb9ae686
DQ		 769 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
770 sbsec->behavior = SECURITY_FS_USE_NATIVE;
771 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
772 }
773
c9180a57
EP		 774 if (context_sid) {
775 if (!fscontext_sid) {
275bb41e
DH		 776 rc = may_context_mount_sb_relabel(context_sid, sbsec,
777 cred);
b04ea3ce 778 if (rc)
c9180a57
EP		 779 goto out;
780 sbsec->sid = context_sid;
b04ea3ce 781 } else {
275bb41e
DH		 782 rc = may_context_mount_inode_relabel(context_sid, sbsec,
783 cred);
b04ea3ce 784 if (rc)
c9180a57 785 goto out;
b04ea3ce 786 }
c9180a57
EP		 787 if (!rootcontext_sid)
788 rootcontext_sid = context_sid;
1da177e4 789
c9180a57 790 sbsec->mntpoint_sid = context_sid;
c312feb2 791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 792 }
793
c9180a57 794 if (rootcontext_sid) {
275bb41e
DH		 795 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
796 cred);
0808925e 797 if (rc)
c9180a57 798 goto out;
0808925e 799
c9180a57 800 root_isec->sid = rootcontext_sid;
6f3be9f5 801 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 802 }
803
c9180a57 804 if (defcontext_sid) {
eb9ae686
DQ		 805 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
806 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 807 rc = -EINVAL;
c103a91e 808 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 809 "invalid for this filesystem type\n");
810 goto out;
1da177e4
LT		 811 }
812
c9180a57
EP		 813 if (defcontext_sid != sbsec->def_sid) {
814 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 815 sbsec, cred);
c9180a57
EP		 816 if (rc)
817 goto out;
818 }
1da177e4 819
c9180a57 820 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 821 }
822
aad82892 823out_set_opts:
c9180a57 824 rc = sb_finish_set_opts(sb);
1da177e4 825out:
c9180a57 826 mutex_unlock(&sbsec->lock);
1da177e4 827 return rc;
c9180a57
EP		 828out_double_mount:
829 rc = -EINVAL;
c103a91e 830 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 831 "security settings for (dev %s, type %s)\n", sb->s_id,
832 sb->s_type->name);
c9180a57 833 goto out;
1da177e4
LT		 834}
835
094f7b69
JL		 836static int selinux_cmp_sb_context(const struct super_block *oldsb,
837 const struct super_block *newsb)
838{
1aea7808
CS		 839 struct superblock_security_struct *old = selinux_superblock(oldsb);
840 struct superblock_security_struct *new = selinux_superblock(newsb);
094f7b69
JL		 841 char oldflags = old->flags & SE_MNTMASK;
842 char newflags = new->flags & SE_MNTMASK;
843
844 if (oldflags != newflags)
845 goto mismatch;
846 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
847 goto mismatch;
848 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
849 goto mismatch;
850 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
851 goto mismatch;
852 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 853 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
854 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 855 if (oldroot->sid != newroot->sid)
856 goto mismatch;
857 }
858 return 0;
859mismatch:
c103a91e 860 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 861 "different security settings for (dev %s, "
862 "type %s)\n", newsb->s_id, newsb->s_type->name);
863 return -EBUSY;
864}
865
866static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 867 struct super_block *newsb,
868 unsigned long kern_flags,
869 unsigned long *set_kern_flags)
1da177e4 870{
0b4d3452 871 int rc = 0;
1aea7808
CS		 872 const struct superblock_security_struct *oldsbsec =
873 selinux_superblock(oldsb);
874 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
1da177e4 875
c9180a57
EP		 876 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
877 int set_context = (oldsbsec->flags & CONTEXT_MNT);
878 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 879
0f5e6420
EP		 880 /*
881 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 882 * mount options. thus we can safely deal with this superblock later
0f5e6420 883 */
65cddd50 884 if (!selinux_initialized(&selinux_state))
094f7b69 885 return 0;
c9180a57 886
0b4d3452
SM		 887 /*
888 * Specifying internal flags without providing a place to
889 * place the results is not allowed.
890 */
891 if (kern_flags && !set_kern_flags)
892 return -EINVAL;
893
c9180a57 894 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 895 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 896
094f7b69 897 /* if fs is reusing a sb, make sure that the contexts match */
3815a245
BF		 898 if (newsbsec->flags & SE_SBINITIALIZED) {
899 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
900 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 901 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 902 }
5a552617 903
c9180a57
EP		 904 mutex_lock(&newsbsec->lock);
905
906 newsbsec->flags = oldsbsec->flags;
907
908 newsbsec->sid = oldsbsec->sid;
909 newsbsec->def_sid = oldsbsec->def_sid;
910 newsbsec->behavior = oldsbsec->behavior;
911
0b4d3452
SM		 912 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
913 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 914 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 915 if (rc)
916 goto out;
917 }
918
919 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
920 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
921 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
922 }
923
c9180a57
EP		 924 if (set_context) {
925 u32 sid = oldsbsec->mntpoint_sid;
926
927 if (!set_fscontext)
928 newsbsec->sid = sid;
929 if (!set_rootcontext) {
83da53c5 930 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 931 newisec->sid = sid;
932 }
933 newsbsec->mntpoint_sid = sid;
1da177e4 934 }
c9180a57 935 if (set_rootcontext) {
83da53c5
AG		 936 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
937 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 938
c9180a57 939 newisec->sid = oldisec->sid;
1da177e4
LT		 940 }
941
c9180a57 942 sb_finish_set_opts(newsb);
0b4d3452 943out:
c9180a57 944 mutex_unlock(&newsbsec->lock);
0b4d3452 945 return rc;
c9180a57
EP		 946}
947
ef54ccb6
XJ		 948/*
949 * NOTE: the caller is resposible for freeing the memory even if on error.
950 */
ba641862 951static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 952{
ba641862 953 struct selinux_mnt_opts *opts = *mnt_opts;
70f4169a
OM		 954 u32 *dst_sid;
955 int rc;
1da177e4 956
6cd9d4b9
PM		 957 if (token == Opt_seclabel)
958 /* eaten and completely ignored */
169d68ef 959 return 0;
2e08df3c 960 if (!s)
ef54ccb6 961 return -EINVAL;
e0007529 962
70f4169a
OM		 963 if (!selinux_initialized(&selinux_state)) {
964 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
965 return -EINVAL;
966 }
967
ba641862 968 if (!opts) {
6cd9d4b9 969 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
ba641862
AV		 970 if (!opts)
971 return -ENOMEM;
972 *mnt_opts = opts;
c9180a57 973 }
2e08df3c 974
ba641862
AV		 975 switch (token) {
976 case Opt_context:
70f4169a 977 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 978 goto err;
70f4169a 979 dst_sid = &opts->context_sid;
ba641862
AV		 980 break;
981 case Opt_fscontext:
70f4169a 982 if (opts->fscontext_sid)
6cd9d4b9 983 goto err;
70f4169a 984 dst_sid = &opts->fscontext_sid;
ba641862
AV		 985 break;
986 case Opt_rootcontext:
70f4169a 987 if (opts->rootcontext_sid)
6cd9d4b9 988 goto err;
70f4169a 989 dst_sid = &opts->rootcontext_sid;
ba641862
AV		 990 break;
991 case Opt_defcontext:
70f4169a 992 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 993 goto err;
70f4169a 994 dst_sid = &opts->defcontext_sid;
ba641862 995 break;
70f4169a
OM		 996 default:
997 WARN_ON(1);
998 return -EINVAL;
c9180a57 999 }
70f4169a
OM		 1000 rc = security_context_str_to_sid(&selinux_state, s, dst_sid, GFP_KERNEL);
1001 if (rc)
1002 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1003 s, rc);
1004 return rc;
e2e0e097 1005
6cd9d4b9 1006err:
ba641862 1007 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1008 return -EINVAL;
e0007529 1009}
1da177e4 1010
e3489f89 1011static int show_sid(struct seq_file *m, u32 sid)
2069f457 1012{
e3489f89
AV		 1013 char *context = NULL;
1014 u32 len;
1015 int rc;
11689d47 1016
e3489f89
AV		 1017 rc = security_sid_to_context(&selinux_state, sid,
1018 &context, &len);
1019 if (!rc) {
4d3d0ed6 1020 bool has_comma = strchr(context, ',');
2069f457 1021
442155c1 1022 seq_putc(m, '=');
2069f457
EP		 1023 if (has_comma)
1024 seq_putc(m, '\"');
e3489f89 1025 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1026 if (has_comma)
1027 seq_putc(m, '\"');
1028 }
e3489f89
AV		 1029 kfree(context);
1030 return rc;
2069f457
EP		 1031}
1032
1033static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1034{
1aea7808 1035 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2069f457
EP		 1036 int rc;
1037
e3489f89
AV		 1038 if (!(sbsec->flags & SE_SBINITIALIZED))
1039 return 0;
2069f457 1040
65cddd50 1041 if (!selinux_initialized(&selinux_state))
e3489f89 1042 return 0;
2069f457 1043
e3489f89
AV		 1044 if (sbsec->flags & FSCONTEXT_MNT) {
1045 seq_putc(m, ',');
1046 seq_puts(m, FSCONTEXT_STR);
1047 rc = show_sid(m, sbsec->sid);
1048 if (rc)
1049 return rc;
1050 }
1051 if (sbsec->flags & CONTEXT_MNT) {
1052 seq_putc(m, ',');
1053 seq_puts(m, CONTEXT_STR);
1054 rc = show_sid(m, sbsec->mntpoint_sid);
1055 if (rc)
1056 return rc;
1057 }
1058 if (sbsec->flags & DEFCONTEXT_MNT) {
1059 seq_putc(m, ',');
1060 seq_puts(m, DEFCONTEXT_STR);
1061 rc = show_sid(m, sbsec->def_sid);
1062 if (rc)
1063 return rc;
1064 }
1065 if (sbsec->flags & ROOTCONTEXT_MNT) {
b159e86b 1066 struct dentry *root = sb->s_root;
e3489f89
AV		 1067 struct inode_security_struct *isec = backing_inode_security(root);
1068 seq_putc(m, ',');
1069 seq_puts(m, ROOTCONTEXT_STR);
1070 rc = show_sid(m, isec->sid);
1071 if (rc)
1072 return rc;
1073 }
1074 if (sbsec->flags & SBLABEL_MNT) {
1075 seq_putc(m, ',');
442155c1 1076 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1077 }
1078 return 0;
2069f457
EP		 1079}
1080
1da177e4
LT		 1081static inline u16 inode_mode_to_security_class(umode_t mode)
1082{
1083 switch (mode & S_IFMT) {
1084 case S_IFSOCK:
1085 return SECCLASS_SOCK_FILE;
1086 case S_IFLNK:
1087 return SECCLASS_LNK_FILE;
1088 case S_IFREG:
1089 return SECCLASS_FILE;
1090 case S_IFBLK:
1091 return SECCLASS_BLK_FILE;
1092 case S_IFDIR:
1093 return SECCLASS_DIR;
1094 case S_IFCHR:
1095 return SECCLASS_CHR_FILE;
1096 case S_IFIFO:
1097 return SECCLASS_FIFO_FILE;
1098
1099 }
1100
1101 return SECCLASS_FILE;
1102}
1103
13402580
JM		 1104static inline int default_protocol_stream(int protocol)
1105{
95ca9072
PA		 1106 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1107 protocol == IPPROTO_MPTCP);
13402580
JM		 1108}
1109
1110static inline int default_protocol_dgram(int protocol)
1111{
1112 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1113}
1114
1da177e4
LT		 1115static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1116{
aa8e712c 1117 int extsockclass = selinux_policycap_extsockclass();
da69a530 1118
1da177e4
LT		 1119 switch (family) {
1120 case PF_UNIX:
1121 switch (type) {
1122 case SOCK_STREAM:
1123 case SOCK_SEQPACKET:
1124 return SECCLASS_UNIX_STREAM_SOCKET;
1125 case SOCK_DGRAM:
2a764b52 1126 case SOCK_RAW:
1da177e4
LT		 1127 return SECCLASS_UNIX_DGRAM_SOCKET;
1128 }
1129 break;
1130 case PF_INET:
1131 case PF_INET6:
1132 switch (type) {
1133 case SOCK_STREAM:
da69a530 1134 case SOCK_SEQPACKET:
13402580
JM		 1135 if (default_protocol_stream(protocol))
1136 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1137 else if (extsockclass && protocol == IPPROTO_SCTP)
1138 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1139 else
1140 return SECCLASS_RAWIP_SOCKET;
1da177e4 1141 case SOCK_DGRAM:
13402580
JM		 1142 if (default_protocol_dgram(protocol))
1143 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1144 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1145 protocol == IPPROTO_ICMPV6))
da69a530 1146 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1147 else
1148 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1149 case SOCK_DCCP:
1150 return SECCLASS_DCCP_SOCKET;
13402580 1151 default:
1da177e4
LT		 1152 return SECCLASS_RAWIP_SOCKET;
1153 }
1154 break;
1155 case PF_NETLINK:
1156 switch (protocol) {
1157 case NETLINK_ROUTE:
1158 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1159 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1160 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1161 case NETLINK_NFLOG:
1162 return SECCLASS_NETLINK_NFLOG_SOCKET;
1163 case NETLINK_XFRM:
1164 return SECCLASS_NETLINK_XFRM_SOCKET;
1165 case NETLINK_SELINUX:
1166 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1167 case NETLINK_ISCSI:
1168 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1169 case NETLINK_AUDIT:
1170 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1171 case NETLINK_FIB_LOOKUP:
1172 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1173 case NETLINK_CONNECTOR:
1174 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1175 case NETLINK_NETFILTER:
1176 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1177 case NETLINK_DNRTMSG:
1178 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1179 case NETLINK_KOBJECT_UEVENT:
1180 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1181 case NETLINK_GENERIC:
1182 return SECCLASS_NETLINK_GENERIC_SOCKET;
1183 case NETLINK_SCSITRANSPORT:
1184 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1185 case NETLINK_RDMA:
1186 return SECCLASS_NETLINK_RDMA_SOCKET;
1187 case NETLINK_CRYPTO:
1188 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1189 default:
1190 return SECCLASS_NETLINK_SOCKET;
1191 }
1192 case PF_PACKET:
1193 return SECCLASS_PACKET_SOCKET;
1194 case PF_KEY:
1195 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1196 case PF_APPLETALK:
1197 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1198 }
1199
da69a530
SS		 1200 if (extsockclass) {
1201 switch (family) {
1202 case PF_AX25:
1203 return SECCLASS_AX25_SOCKET;
1204 case PF_IPX:
1205 return SECCLASS_IPX_SOCKET;
1206 case PF_NETROM:
1207 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1208 case PF_ATMPVC:
1209 return SECCLASS_ATMPVC_SOCKET;
1210 case PF_X25:
1211 return SECCLASS_X25_SOCKET;
1212 case PF_ROSE:
1213 return SECCLASS_ROSE_SOCKET;
1214 case PF_DECnet:
1215 return SECCLASS_DECNET_SOCKET;
1216 case PF_ATMSVC:
1217 return SECCLASS_ATMSVC_SOCKET;
1218 case PF_RDS:
1219 return SECCLASS_RDS_SOCKET;
1220 case PF_IRDA:
1221 return SECCLASS_IRDA_SOCKET;
1222 case PF_PPPOX:
1223 return SECCLASS_PPPOX_SOCKET;
1224 case PF_LLC:
1225 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1226 case PF_CAN:
1227 return SECCLASS_CAN_SOCKET;
1228 case PF_TIPC:
1229 return SECCLASS_TIPC_SOCKET;
1230 case PF_BLUETOOTH:
1231 return SECCLASS_BLUETOOTH_SOCKET;
1232 case PF_IUCV:
1233 return SECCLASS_IUCV_SOCKET;
1234 case PF_RXRPC:
1235 return SECCLASS_RXRPC_SOCKET;
1236 case PF_ISDN:
1237 return SECCLASS_ISDN_SOCKET;
1238 case PF_PHONET:
1239 return SECCLASS_PHONET_SOCKET;
1240 case PF_IEEE802154:
1241 return SECCLASS_IEEE802154_SOCKET;
1242 case PF_CAIF:
1243 return SECCLASS_CAIF_SOCKET;
1244 case PF_ALG:
1245 return SECCLASS_ALG_SOCKET;
1246 case PF_NFC:
1247 return SECCLASS_NFC_SOCKET;
1248 case PF_VSOCK:
1249 return SECCLASS_VSOCK_SOCKET;
1250 case PF_KCM:
1251 return SECCLASS_KCM_SOCKET;
1252 case PF_QIPCRTR:
1253 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1254 case PF_SMC:
1255 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1256 case PF_XDP:
1257 return SECCLASS_XDP_SOCKET;
bc49d816
JK		 1258 case PF_MCTP:
1259 return SECCLASS_MCTP_SOCKET;
1260#if PF_MAX > 46
da69a530
SS		 1261#error New address family defined, please update this function.
1262#endif
1263 }
1264 }
1265
1da177e4
LT		 1266 return SECCLASS_SOCKET;
1267}
1268
134509d5
SS		 1269static int selinux_genfs_get_sid(struct dentry *dentry,
1270 u16 tclass,
1271 u16 flags,
1272 u32 *sid)
1da177e4 1273{
8e6c9693 1274 int rc;
fc64005c 1275 struct super_block *sb = dentry->d_sb;
8e6c9693 1276 char *buffer, *path;
1da177e4 1277
828dfe1d 1278 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1279 if (!buffer)
1280 return -ENOMEM;
1281
8e6c9693
LAG		 1282 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1283 if (IS_ERR(path))
1284 rc = PTR_ERR(path);
1285 else {
134509d5
SS		 1286 if (flags & SE_SBPROC) {
1287 /* each process gets a /proc/PID/ entry. Strip off the
1288 * PID part to get a valid selinux labeling.
1289 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1290 while (path[1] >= '0' && path[1] <= '9') {
1291 path[1] = '/';
1292 path++;
1293 }
8e6c9693 1294 }
aa8e712c
SS		 1295 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1296 path, tclass, sid);
7bb185ed
SS		 1297 if (rc == -ENOENT) {
1298 /* No match in policy, mark as unlabeled. */
1299 *sid = SECINITSID_UNLABELED;
1300 rc = 0;
1301 }
1da177e4 1302 }
1da177e4
LT		 1303 free_page((unsigned long)buffer);
1304 return rc;
1305}
1da177e4 1306
b754026b
OM		 1307static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1308 u32 def_sid, u32 *sid)
1309{
1310#define INITCONTEXTLEN 255
1311 char *context;
1312 unsigned int len;
1313 int rc;
1314
1315 len = INITCONTEXTLEN;
1316 context = kmalloc(len + 1, GFP_NOFS);
1317 if (!context)
1318 return -ENOMEM;
1319
1320 context[len] = '\0';
1321 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1322 if (rc == -ERANGE) {
1323 kfree(context);
1324
1325 /* Need a larger buffer. Query for the right size. */
1326 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1327 if (rc < 0)
1328 return rc;
1329
1330 len = rc;
1331 context = kmalloc(len + 1, GFP_NOFS);
1332 if (!context)
1333 return -ENOMEM;
1334
1335 context[len] = '\0';
1336 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1337 context, len);
1338 }
1339 if (rc < 0) {
1340 kfree(context);
1341 if (rc != -ENODATA) {
1342 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1343 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1344 return rc;
1345 }
1346 *sid = def_sid;
1347 return 0;
1348 }
1349
1350 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1351 def_sid, GFP_NOFS);
1352 if (rc) {
1353 char *dev = inode->i_sb->s_id;
1354 unsigned long ino = inode->i_ino;
1355
1356 if (rc == -EINVAL) {
1357 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1358 ino, dev, context);
1359 } else {
1360 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1361 __func__, context, -rc, dev, ino);
1362 }
1363 }
1364 kfree(context);
1365 return 0;
1366}
1367
1da177e4
LT		 1368/* The inode's security attributes must be initialized before first use. */
1369static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1370{
1371 struct superblock_security_struct *sbsec = NULL;
80788c22 1372 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1373 u32 task_sid, sid = 0;
1374 u16 sclass;
1da177e4 1375 struct dentry *dentry;
1da177e4 1376 int rc = 0;
1da177e4 1377
6f3be9f5 1378 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1379 return 0;
1da177e4 1380
9287aed2 1381 spin_lock(&isec->lock);
6f3be9f5 1382 if (isec->initialized == LABEL_INITIALIZED)
23970741 1383 goto out_unlock;
1da177e4 1384
13457d07
AG		 1385 if (isec->sclass == SECCLASS_FILE)
1386 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1387
1aea7808 1388 sbsec = selinux_superblock(inode->i_sb);
0d90a7ec 1389 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1390 /* Defer initialization until selinux_complete_init,
1391 after the initial policy is loaded and the security
1392 server is ready to handle calls. */
1393 spin_lock(&sbsec->isec_lock);
1394 if (list_empty(&isec->list))
1395 list_add(&isec->list, &sbsec->isec_head);
1396 spin_unlock(&sbsec->isec_lock);
23970741 1397 goto out_unlock;
1da177e4
LT		 1398 }
1399
9287aed2
AG		 1400 sclass = isec->sclass;
1401 task_sid = isec->task_sid;
1402 sid = isec->sid;
1403 isec->initialized = LABEL_PENDING;
1404 spin_unlock(&isec->lock);
1405
1da177e4 1406 switch (sbsec->behavior) {
eb9ae686
DQ		 1407 case SECURITY_FS_USE_NATIVE:
1408 break;
1da177e4 1409 case SECURITY_FS_USE_XATTR:
5d6c3191 1410 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1411 sid = sbsec->def_sid;
1da177e4
LT		 1412 break;
1413 }
1da177e4
LT		 1414 /* Need a dentry, since the xattr API requires one.
1415 Life would be simpler if we could just pass the inode. */
1416 if (opt_dentry) {
1417 /* Called from d_instantiate or d_splice_alias. */
1418 dentry = dget(opt_dentry);
1419 } else {
b127125d
AV		 1420 /*
1421 * Called from selinux_complete_init, try to find a dentry.
1422 * Some filesystems really want a connected one, so try
1423 * that first. We could split SECURITY_FS_USE_XATTR in
1424 * two, depending upon that...
1425 */
1da177e4 1426 dentry = d_find_alias(inode);
b127125d
AV		 1427 if (!dentry)
1428 dentry = d_find_any_alias(inode);
1da177e4
LT		 1429 }
1430 if (!dentry) {
df7f54c0
EP		 1431 /*
1432 * this is can be hit on boot when a file is accessed
1433 * before the policy is loaded. When we load policy we
1434 * may find inodes that have no dentry on the
1435 * sbsec->isec_head list. No reason to complain as these
1436 * will get fixed up the next time we go through
1437 * inode_doinit with a dentry, before these inodes could
1438 * be used again by userspace.
1439 */
200ea5a2 1440 goto out_invalid;
1da177e4
LT		 1441 }
1442
b754026b
OM		 1443 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1444 &sid);
1da177e4 1445 dput(dentry);
b754026b
OM		 1446 if (rc)
1447 goto out;
1da177e4
LT		 1448 break;
1449 case SECURITY_FS_USE_TASK:
9287aed2 1450 sid = task_sid;
1da177e4
LT		 1451 break;
1452 case SECURITY_FS_USE_TRANS:
1453 /* Default to the fs SID. */
9287aed2 1454 sid = sbsec->sid;
1da177e4
LT		 1455
1456 /* Try to obtain a transition SID. */
aa8e712c
SS		 1457 rc = security_transition_sid(&selinux_state, task_sid, sid,
1458 sclass, NULL, &sid);
1da177e4 1459 if (rc)
9287aed2 1460 goto out;
1da177e4 1461 break;
c312feb2 1462 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1463 sid = sbsec->mntpoint_sid;
c312feb2 1464 break;
1da177e4 1465 default:
c312feb2 1466 /* Default to the fs superblock SID. */
9287aed2 1467 sid = sbsec->sid;
1da177e4 1468
7470d0d1
CG		 1469 if ((sbsec->flags & SE_SBGENFS) &&
1470 (!S_ISLNK(inode->i_mode) ||
1471 selinux_policycap_genfs_seclabel_symlinks())) {
f64410ec
PM		 1472 /* We must have a dentry to determine the label on
1473 * procfs inodes */
b127125d 1474 if (opt_dentry) {
f64410ec
PM		 1475 /* Called from d_instantiate or
1476 * d_splice_alias. */
1477 dentry = dget(opt_dentry);
b127125d 1478 } else {
f64410ec 1479 /* Called from selinux_complete_init, try to
b127125d
AV		 1480 * find a dentry. Some filesystems really want
1481 * a connected one, so try that first.
1482 */
f64410ec 1483 dentry = d_find_alias(inode);
b127125d
AV		 1484 if (!dentry)
1485 dentry = d_find_any_alias(inode);
1486 }
f64410ec
PM		 1487 /*
1488 * This can be hit on boot when a file is accessed
1489 * before the policy is loaded. When we load policy we
1490 * may find inodes that have no dentry on the
1491 * sbsec->isec_head list. No reason to complain as
1492 * these will get fixed up the next time we go through
1493 * inode_doinit() with a dentry, before these inodes
1494 * could be used again by userspace.
1495 */
1496 if (!dentry)
200ea5a2 1497 goto out_invalid;
9287aed2 1498 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1499 sbsec->flags, &sid);
b754026b
OM		 1500 if (rc) {
1501 dput(dentry);
9287aed2 1502 goto out;
b754026b
OM		 1503 }
1504
1505 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1506 (inode->i_opflags & IOP_XATTR)) {
1507 rc = inode_doinit_use_xattr(inode, dentry,
1508 sid, &sid);
1509 if (rc) {
1510 dput(dentry);
1511 goto out;
1512 }
1513 }
1514 dput(dentry);
1da177e4
LT		 1515 }
1516 break;
1517 }
1518
9287aed2
AG		 1519out:
1520 spin_lock(&isec->lock);
1521 if (isec->initialized == LABEL_PENDING) {
200ea5a2 1522 if (rc) {
9287aed2
AG		 1523 isec->initialized = LABEL_INVALID;
1524 goto out_unlock;
1525 }
9287aed2
AG		 1526 isec->initialized = LABEL_INITIALIZED;
1527 isec->sid = sid;
1528 }
1da177e4 1529
23970741 1530out_unlock:
9287aed2 1531 spin_unlock(&isec->lock);
1da177e4 1532 return rc;
200ea5a2
PM		 1533
1534out_invalid:
1535 spin_lock(&isec->lock);
1536 if (isec->initialized == LABEL_PENDING) {
1537 isec->initialized = LABEL_INVALID;
1538 isec->sid = sid;
1539 }
1540 spin_unlock(&isec->lock);
1541 return 0;
1da177e4
LT		 1542}
1543
1544/* Convert a Linux signal to an access vector. */
1545static inline u32 signal_to_av(int sig)
1546{
1547 u32 perm = 0;
1548
1549 switch (sig) {
1550 case SIGCHLD:
1551 /* Commonly granted from child to parent. */
1552 perm = PROCESS__SIGCHLD;
1553 break;
1554 case SIGKILL:
1555 /* Cannot be caught or ignored */
1556 perm = PROCESS__SIGKILL;
1557 break;
1558 case SIGSTOP:
1559 /* Cannot be caught or ignored */
1560 perm = PROCESS__SIGSTOP;
1561 break;
1562 default:
1563 /* All other signals. */
1564 perm = PROCESS__SIGNAL;
1565 break;
1566 }
1567
1568 return perm;
1569}
1570
b68e418c
SS		 1571#if CAP_LAST_CAP > 63
1572#error Fix SELinux to handle capabilities > 63.
1573#endif
1574
1da177e4 1575/* Check whether a task is allowed to use a capability. */
6a9de491 1576static int cred_has_capability(const struct cred *cred,
c1a85a00 1577 int cap, unsigned int opts, bool initns)
1da177e4 1578{
2bf49690 1579 struct common_audit_data ad;
06112163 1580 struct av_decision avd;
b68e418c 1581 u16 sclass;
3699c53c 1582 u32 sid = cred_sid(cred);
b68e418c 1583 u32 av = CAP_TO_MASK(cap);
06112163 1584 int rc;
1da177e4 1585
50c205f5 1586 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1587 ad.u.cap = cap;
1588
b68e418c
SS		 1589 switch (CAP_TO_INDEX(cap)) {
1590 case 0:
8e4ff6f2 1591 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1592 break;
1593 case 1:
8e4ff6f2 1594 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1595 break;
1596 default:
c103a91e 1597 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1598 BUG();
a35c6c83 1599 return -EINVAL;
b68e418c 1600 }
06112163 1601
6b6bc620
SS		 1602 rc = avc_has_perm_noaudit(&selinux_state,
1603 sid, sid, sclass, av, 0, &avd);
c1a85a00 1604 if (!(opts & CAP_OPT_NOAUDIT)) {
6b6bc620 1605 int rc2 = avc_audit(&selinux_state,
d99cf13f 1606 sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1607 if (rc2)
1608 return rc2;
1609 }
06112163 1610 return rc;
1da177e4
LT		 1611}
1612
1da177e4
LT		 1613/* Check whether a task has a particular permission to an inode.
1614 The 'adp' parameter is optional and allows other audit
1615 data to be passed (e.g. the dentry). */
88e67f3b 1616static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1617 struct inode *inode,
1618 u32 perms,
19e49834 1619 struct common_audit_data *adp)
1da177e4 1620{
1da177e4 1621 struct inode_security_struct *isec;
275bb41e 1622 u32 sid;
1da177e4 1623
e0e81739
DH		 1624 validate_creds(cred);
1625
828dfe1d 1626 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1627 return 0;
1628
88e67f3b 1629 sid = cred_sid(cred);
80788c22 1630 isec = selinux_inode(inode);
1da177e4 1631
6b6bc620
SS		 1632 return avc_has_perm(&selinux_state,
1633 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1634}
1635
1636/* Same as inode_has_perm, but pass explicit audit data containing
1637 the dentry to help the auditing code to more easily generate the
1638 pathname if needed. */
88e67f3b 1639static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1640 struct dentry *dentry,
1641 u32 av)
1642{
c6f493d6 1643 struct inode *inode = d_backing_inode(dentry);
2bf49690 1644 struct common_audit_data ad;
88e67f3b 1645
50c205f5 1646 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1647 ad.u.dentry = dentry;
5d226df4 1648 __inode_security_revalidate(inode, dentry, true);
19e49834 1649 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1650}
1651
1652/* Same as inode_has_perm, but pass explicit audit data containing
1653 the path to help the auditing code to more easily generate the
1654 pathname if needed. */
1655static inline int path_has_perm(const struct cred *cred,
3f7036a0 1656 const struct path *path,
2875fa00
EP		 1657 u32 av)
1658{
c6f493d6 1659 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1660 struct common_audit_data ad;
1661
50c205f5 1662 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1663 ad.u.path = *path;
5d226df4 1664 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1665 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1666}
1667
13f8e981
DH		 1668/* Same as path_has_perm, but uses the inode from the file struct. */
1669static inline int file_path_has_perm(const struct cred *cred,
1670 struct file *file,
1671 u32 av)
1672{
1673 struct common_audit_data ad;
1674
43af5de7
VG		 1675 ad.type = LSM_AUDIT_DATA_FILE;
1676 ad.u.file = file;
19e49834 1677 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1678}
1679
f66e448c
CF		 1680#ifdef CONFIG_BPF_SYSCALL
1681static int bpf_fd_pass(struct file *file, u32 sid);
1682#endif
1683
1da177e4
LT		 1684/* Check whether a task can use an open file descriptor to
1685 access an inode in a given way. Check access to the
1686 descriptor itself, and then use dentry_has_perm to
1687 check a particular permission to the file.
1688 Access to the descriptor is implicitly granted if it
1689 has the same SID as the process. If av is zero, then
1690 access to the file is not checked, e.g. for cases
1691 where only the descriptor is affected like seek. */
88e67f3b
DH		 1692static int file_has_perm(const struct cred *cred,
1693 struct file *file,
1694 u32 av)
1da177e4 1695{
bb6c6b02 1696 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1697 struct inode *inode = file_inode(file);
2bf49690 1698 struct common_audit_data ad;
88e67f3b 1699 u32 sid = cred_sid(cred);
1da177e4
LT		 1700 int rc;
1701
43af5de7
VG		 1702 ad.type = LSM_AUDIT_DATA_FILE;
1703 ad.u.file = file;
1da177e4 1704
275bb41e 1705 if (sid != fsec->sid) {
6b6bc620
SS		 1706 rc = avc_has_perm(&selinux_state,
1707 sid, fsec->sid,
1da177e4
LT		 1708 SECCLASS_FD,
1709 FD__USE,
1710 &ad);
1711 if (rc)
88e67f3b 1712 goto out;
1da177e4
LT		 1713 }
1714
f66e448c
CF		 1715#ifdef CONFIG_BPF_SYSCALL
1716 rc = bpf_fd_pass(file, cred_sid(cred));
1717 if (rc)
1718 return rc;
1719#endif
1720
1da177e4 1721 /* av is zero if only checking access to the descriptor. */
88e67f3b 1722 rc = 0;
1da177e4 1723 if (av)
19e49834 1724 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1725
88e67f3b
DH		 1726out:
1727 return rc;
1da177e4
LT		 1728}
1729
c3c188b2
DH		 1730/*
1731 * Determine the label for an inode that might be unioned.
1732 */
c957f6df
VG		 1733static int
1734selinux_determine_inode_label(const struct task_security_struct *tsec,
1735 struct inode *dir,
1736 const struct qstr *name, u16 tclass,
1737 u32 *_new_isid)
c3c188b2 1738{
1aea7808
CS		 1739 const struct superblock_security_struct *sbsec =
1740 selinux_superblock(dir->i_sb);
c3c188b2
DH		 1741
1742 if ((sbsec->flags & SE_SBINITIALIZED) &&
1743 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1744 *_new_isid = sbsec->mntpoint_sid;
1745 } else if ((sbsec->flags & SBLABEL_MNT) &&
1746 tsec->create_sid) {
1747 *_new_isid = tsec->create_sid;
1748 } else {
20cdef8d 1749 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1750 return security_transition_sid(&selinux_state, tsec->sid,
1751 dsec->sid, tclass,
c3c188b2
DH		 1752 name, _new_isid);
1753 }
1754
1755 return 0;
1756}
1757
1da177e4
LT		 1758/* Check whether a task can create a file. */
1759static int may_create(struct inode *dir,
1760 struct dentry *dentry,
1761 u16 tclass)
1762{
0c6cfa62 1763 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1764 struct inode_security_struct *dsec;
1765 struct superblock_security_struct *sbsec;
275bb41e 1766 u32 sid, newsid;
2bf49690 1767 struct common_audit_data ad;
1da177e4
LT		 1768 int rc;
1769
83da53c5 1770 dsec = inode_security(dir);
1aea7808 1771 sbsec = selinux_superblock(dir->i_sb);
1da177e4 1772
275bb41e 1773 sid = tsec->sid;
275bb41e 1774
50c205f5 1775 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1776 ad.u.dentry = dentry;
1da177e4 1777
6b6bc620
SS		 1778 rc = avc_has_perm(&selinux_state,
1779 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1780 DIR__ADD_NAME | DIR__SEARCH,
1781 &ad);
1782 if (rc)
1783 return rc;
1784
210a2928
YG		 1785 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1786 &newsid);
c3c188b2
DH		 1787 if (rc)
1788 return rc;
1da177e4 1789
6b6bc620
SS		 1790 rc = avc_has_perm(&selinux_state,
1791 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1792 if (rc)
1793 return rc;
1794
6b6bc620
SS		 1795 return avc_has_perm(&selinux_state,
1796 newsid, sbsec->sid,
1da177e4
LT		 1797 SECCLASS_FILESYSTEM,
1798 FILESYSTEM__ASSOCIATE, &ad);
1799}
1800
828dfe1d
EP		 1801#define MAY_LINK 0
1802#define MAY_UNLINK 1
1803#define MAY_RMDIR 2
1da177e4
LT		 1804
1805/* Check whether a task can link, unlink, or rmdir a file/directory. */
1806static int may_link(struct inode *dir,
1807 struct dentry *dentry,
1808 int kind)
1809
1810{
1da177e4 1811 struct inode_security_struct *dsec, *isec;
2bf49690 1812 struct common_audit_data ad;
275bb41e 1813 u32 sid = current_sid();
1da177e4
LT		 1814 u32 av;
1815 int rc;
1816
83da53c5
AG		 1817 dsec = inode_security(dir);
1818 isec = backing_inode_security(dentry);
1da177e4 1819
50c205f5 1820 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1821 ad.u.dentry = dentry;
1da177e4
LT		 1822
1823 av = DIR__SEARCH;
1824 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1825 rc = avc_has_perm(&selinux_state,
1826 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1827 if (rc)
1828 return rc;
1829
1830 switch (kind) {
1831 case MAY_LINK:
1832 av = FILE__LINK;
1833 break;
1834 case MAY_UNLINK:
1835 av = FILE__UNLINK;
1836 break;
1837 case MAY_RMDIR:
1838 av = DIR__RMDIR;
1839 break;
1840 default:
c103a91e 1841 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1842 __func__, kind);
1da177e4
LT		 1843 return 0;
1844 }
1845
6b6bc620
SS		 1846 rc = avc_has_perm(&selinux_state,
1847 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1848 return rc;
1849}
1850
1851static inline int may_rename(struct inode *old_dir,
1852 struct dentry *old_dentry,
1853 struct inode *new_dir,
1854 struct dentry *new_dentry)
1855{
1da177e4 1856 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1857 struct common_audit_data ad;
275bb41e 1858 u32 sid = current_sid();
1da177e4
LT		 1859 u32 av;
1860 int old_is_dir, new_is_dir;
1861 int rc;
1862
83da53c5
AG		 1863 old_dsec = inode_security(old_dir);
1864 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1865 old_is_dir = d_is_dir(old_dentry);
83da53c5 1866 new_dsec = inode_security(new_dir);
1da177e4 1867
50c205f5 1868 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1869
a269434d 1870 ad.u.dentry = old_dentry;
6b6bc620
SS		 1871 rc = avc_has_perm(&selinux_state,
1872 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1873 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1874 if (rc)
1875 return rc;
6b6bc620
SS		 1876 rc = avc_has_perm(&selinux_state,
1877 sid, old_isec->sid,
1da177e4
LT		 1878 old_isec->sclass, FILE__RENAME, &ad);
1879 if (rc)
1880 return rc;
1881 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1882 rc = avc_has_perm(&selinux_state,
1883 sid, old_isec->sid,
1da177e4
LT		 1884 old_isec->sclass, DIR__REPARENT, &ad);
1885 if (rc)
1886 return rc;
1887 }
1888
a269434d 1889 ad.u.dentry = new_dentry;
1da177e4 1890 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1891 if (d_is_positive(new_dentry))
1da177e4 1892 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1893 rc = avc_has_perm(&selinux_state,
1894 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1895 if (rc)
1896 return rc;
2c616d4d 1897 if (d_is_positive(new_dentry)) {
83da53c5 1898 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1899 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1900 rc = avc_has_perm(&selinux_state,
1901 sid, new_isec->sid,
1da177e4
LT		 1902 new_isec->sclass,
1903 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1904 if (rc)
1905 return rc;
1906 }
1907
1908 return 0;
1909}
1910
1911/* Check whether a task can perform a filesystem operation. */
88e67f3b 1912static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1913 struct super_block *sb,
1914 u32 perms,
2bf49690 1915 struct common_audit_data *ad)
1da177e4 1916{
1da177e4 1917 struct superblock_security_struct *sbsec;
88e67f3b 1918 u32 sid = cred_sid(cred);
1da177e4 1919
1aea7808 1920 sbsec = selinux_superblock(sb);
6b6bc620
SS		 1921 return avc_has_perm(&selinux_state,
1922 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1923}
1924
1925/* Convert a Linux mode and permission mask to an access vector. */
1926static inline u32 file_mask_to_av(int mode, int mask)
1927{
1928 u32 av = 0;
1929
dba19c60 1930 if (!S_ISDIR(mode)) {
1da177e4
LT		 1931 if (mask & MAY_EXEC)
1932 av |= FILE__EXECUTE;
1933 if (mask & MAY_READ)
1934 av |= FILE__READ;
1935
1936 if (mask & MAY_APPEND)
1937 av |= FILE__APPEND;
1938 else if (mask & MAY_WRITE)
1939 av |= FILE__WRITE;
1940
1941 } else {
1942 if (mask & MAY_EXEC)
1943 av |= DIR__SEARCH;
1944 if (mask & MAY_WRITE)
1945 av |= DIR__WRITE;
1946 if (mask & MAY_READ)
1947 av |= DIR__READ;
1948 }
1949
1950 return av;
1951}
1952
8b6a5a37
EP		 1953/* Convert a Linux file to an access vector. */
1954static inline u32 file_to_av(struct file *file)
1955{
1956 u32 av = 0;
1957
1958 if (file->f_mode & FMODE_READ)
1959 av |= FILE__READ;
1960 if (file->f_mode & FMODE_WRITE) {
1961 if (file->f_flags & O_APPEND)
1962 av |= FILE__APPEND;
1963 else
1964 av |= FILE__WRITE;
1965 }
1966 if (!av) {
1967 /*
1968 * Special file opened with flags 3 for ioctl-only use.
1969 */
1970 av = FILE__IOCTL;
1971 }
1972
1973 return av;
1974}
1975
b0c636b9 1976/*
c76a2f9e 1977 * Convert a file to an access vector and include the correct
b0c636b9
EP		 1978 * open permission.
1979 */
8b6a5a37 1980static inline u32 open_file_to_av(struct file *file)
b0c636b9 1981{
8b6a5a37 1982 u32 av = file_to_av(file);
ccb54478 1983 struct inode *inode = file_inode(file);
b0c636b9 1984
aa8e712c
SS		 1985 if (selinux_policycap_openperm() &&
1986 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 1987 av |= FILE__OPEN;
1988
b0c636b9
EP		 1989 return av;
1990}
1991
1da177e4
LT		 1992/* Hook functions begin here. */
1993
52f88693 1994static int selinux_binder_set_context_mgr(const struct cred *mgr)
79af7307 1995{
6b6bc620 1996 return avc_has_perm(&selinux_state,
52f88693 1997 current_sid(), cred_sid(mgr), SECCLASS_BINDER,
79af7307
SS		 1998 BINDER__SET_CONTEXT_MGR, NULL);
1999}
2000
52f88693
TK		 2001static int selinux_binder_transaction(const struct cred *from,
2002 const struct cred *to)
79af7307
SS		 2003{
2004 u32 mysid = current_sid();
52f88693
TK		 2005 u32 fromsid = cred_sid(from);
2006 u32 tosid = cred_sid(to);
79af7307
SS		 2007 int rc;
2008
2009 if (mysid != fromsid) {
6b6bc620
SS		 2010 rc = avc_has_perm(&selinux_state,
2011 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2012 BINDER__IMPERSONATE, NULL);
2013 if (rc)
2014 return rc;
2015 }
2016
52f88693 2017 return avc_has_perm(&selinux_state, fromsid, tosid,
eb1231f7 2018 SECCLASS_BINDER, BINDER__CALL, NULL);
79af7307
SS		 2019}
2020
52f88693
TK		 2021static int selinux_binder_transfer_binder(const struct cred *from,
2022 const struct cred *to)
79af7307 2023{
6b6bc620 2024 return avc_has_perm(&selinux_state,
52f88693 2025 cred_sid(from), cred_sid(to),
eb1231f7 2026 SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2027 NULL);
2028}
2029
52f88693
TK		 2030static int selinux_binder_transfer_file(const struct cred *from,
2031 const struct cred *to,
79af7307
SS		 2032 struct file *file)
2033{
52f88693 2034 u32 sid = cred_sid(to);
bb6c6b02 2035 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2036 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2037 struct inode_security_struct *isec;
79af7307
SS		 2038 struct common_audit_data ad;
2039 int rc;
2040
2041 ad.type = LSM_AUDIT_DATA_PATH;
2042 ad.u.path = file->f_path;
2043
2044 if (sid != fsec->sid) {
6b6bc620
SS		 2045 rc = avc_has_perm(&selinux_state,
2046 sid, fsec->sid,
79af7307
SS		 2047 SECCLASS_FD,
2048 FD__USE,
2049 &ad);
2050 if (rc)
2051 return rc;
2052 }
2053
f66e448c
CF		 2054#ifdef CONFIG_BPF_SYSCALL
2055 rc = bpf_fd_pass(file, sid);
2056 if (rc)
2057 return rc;
2058#endif
2059
83da53c5 2060 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2061 return 0;
2062
20cdef8d 2063 isec = backing_inode_security(dentry);
6b6bc620
SS		 2064 return avc_has_perm(&selinux_state,
2065 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2066 &ad);
2067}
2068
9e48858f 2069static int selinux_ptrace_access_check(struct task_struct *child,
eb1231f7 2070 unsigned int mode)
1da177e4 2071{
be0554c9 2072 u32 sid = current_sid();
eb1231f7 2073 u32 csid = task_sid_obj(child);
be0554c9
SS		 2074
2075 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2076 return avc_has_perm(&selinux_state,
2077 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2078
6b6bc620
SS		 2079 return avc_has_perm(&selinux_state,
2080 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2081}
2082
2083static int selinux_ptrace_traceme(struct task_struct *parent)
2084{
6b6bc620 2085 return avc_has_perm(&selinux_state,
a3727a8b 2086 task_sid_obj(parent), task_sid_obj(current),
eb1231f7 2087 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
1da177e4
LT		 2088}
2089
2090static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2091 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2092{
6b6bc620 2093 return avc_has_perm(&selinux_state,
eb1231f7 2094 current_sid(), task_sid_obj(target), SECCLASS_PROCESS,
be0554c9 2095 PROCESS__GETCAP, NULL);
1da177e4
LT		 2096}
2097
d84f4f99
DH		 2098static int selinux_capset(struct cred *new, const struct cred *old,
2099 const kernel_cap_t *effective,
2100 const kernel_cap_t *inheritable,
2101 const kernel_cap_t *permitted)
1da177e4 2102{
6b6bc620
SS		 2103 return avc_has_perm(&selinux_state,
2104 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2105 PROCESS__SETCAP, NULL);
1da177e4
LT		 2106}
2107
5626d3e8
JM		 2108/*
2109 * (This comment used to live with the selinux_task_setuid hook,
2110 * which was removed).
2111 *
2112 * Since setuid only affects the current process, and since the SELinux
2113 * controls are not based on the Linux identity attributes, SELinux does not
2114 * need to control this operation. However, SELinux does control the use of
2115 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2116 */
2117
6a9de491 2118static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2119 int cap, unsigned int opts)
1da177e4 2120{
c1a85a00 2121 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2122}
2123
1da177e4
LT		 2124static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2125{
88e67f3b 2126 const struct cred *cred = current_cred();
1da177e4
LT		 2127 int rc = 0;
2128
2129 if (!sb)
2130 return 0;
2131
2132 switch (cmds) {
828dfe1d
EP		 2133 case Q_SYNC:
2134 case Q_QUOTAON:
2135 case Q_QUOTAOFF:
2136 case Q_SETINFO:
2137 case Q_SETQUOTA:
e4cfa05e
RH		 2138 case Q_XQUOTAOFF:
2139 case Q_XQUOTAON:
2140 case Q_XSETQLIM:
88e67f3b 2141 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2142 break;
2143 case Q_GETFMT:
2144 case Q_GETINFO:
2145 case Q_GETQUOTA:
e4cfa05e
RH		 2146 case Q_XGETQUOTA:
2147 case Q_XGETQSTAT:
2148 case Q_XGETQSTATV:
2149 case Q_XGETNEXTQUOTA:
88e67f3b 2150 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2151 break;
2152 default:
2153 rc = 0; /* let the kernel handle invalid cmds */
2154 break;
1da177e4
LT		 2155 }
2156 return rc;
2157}
2158
2159static int selinux_quota_on(struct dentry *dentry)
2160{
88e67f3b
DH		 2161 const struct cred *cred = current_cred();
2162
2875fa00 2163 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2164}
2165
12b3052c 2166static int selinux_syslog(int type)
1da177e4 2167{
1da177e4 2168 switch (type) {
d78ca3cd
KC		 2169 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2170 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2171 return avc_has_perm(&selinux_state,
2172 current_sid(), SECINITSID_KERNEL,
be0554c9 2173 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2174 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2175 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2176 /* Set level of messages printed to console */
2177 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2178 return avc_has_perm(&selinux_state,
2179 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2180 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2181 NULL);
1da177e4 2182 }
be0554c9 2183 /* All other syslog types */
6b6bc620
SS		 2184 return avc_has_perm(&selinux_state,
2185 current_sid(), SECINITSID_KERNEL,
be0554c9 2186 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2187}
2188
2189/*
2190 * Check that a process has enough memory to allocate a new virtual
2191 * mapping. 0 means there is enough memory for the allocation to
2192 * succeed and -ENOMEM implies there is not.
2193 *
1da177e4
LT		 2194 * Do not audit the selinux permission check, as this is applied to all
2195 * processes that allocate mappings.
2196 */
34b4e4aa 2197static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2198{
2199 int rc, cap_sys_admin = 0;
1da177e4 2200
b1d9e6b0 2201 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2202 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2203 if (rc == 0)
2204 cap_sys_admin = 1;
2205
b1d9e6b0 2206 return cap_sys_admin;
1da177e4
LT		 2207}
2208
2209/* binprm security operations */
2210
be0554c9 2211static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2212{
2213 u32 sid = 0;
2214 struct task_struct *tracer;
2215
2216 rcu_read_lock();
be0554c9 2217 tracer = ptrace_parent(current);
0c6181cb 2218 if (tracer)
eb1231f7 2219 sid = task_sid_obj(tracer);
0c6181cb
PM		 2220 rcu_read_unlock();
2221
2222 return sid;
2223}
2224
7b0d0b40
SS		 2225static int check_nnp_nosuid(const struct linux_binprm *bprm,
2226 const struct task_security_struct *old_tsec,
2227 const struct task_security_struct *new_tsec)
2228{
2229 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2230 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2231 int rc;
af63f419 2232 u32 av;
7b0d0b40
SS		 2233
2234 if (!nnp && !nosuid)
2235 return 0; /* neither NNP nor nosuid */
2236
2237 if (new_tsec->sid == old_tsec->sid)
2238 return 0; /* No change in credentials */
2239
2240 /*
af63f419
SS		 2241 * If the policy enables the nnp_nosuid_transition policy capability,
2242 * then we permit transitions under NNP or nosuid if the
2243 * policy allows the corresponding permission between
2244 * the old and new contexts.
7b0d0b40 2245 */
aa8e712c 2246 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2247 av = 0;
7b0d0b40 2248 if (nnp)
af63f419
SS		 2249 av |= PROCESS2__NNP_TRANSITION;
2250 if (nosuid)
2251 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2252 rc = avc_has_perm(&selinux_state,
2253 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2254 SECCLASS_PROCESS2, av, NULL);
2255 if (!rc)
2256 return 0;
7b0d0b40 2257 }
af63f419
SS		 2258
2259 /*
2260 * We also permit NNP or nosuid transitions to bounded SIDs,
2261 * i.e. SIDs that are guaranteed to only be allowed a subset
2262 * of the permissions of the current SID.
2263 */
aa8e712c
SS		 2264 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2265 new_tsec->sid);
af63f419
SS		 2266 if (!rc)
2267 return 0;
2268
2269 /*
2270 * On failure, preserve the errno values for NNP vs nosuid.
2271 * NNP: Operation not permitted for caller.
2272 * nosuid: Permission denied to file.
2273 */
2274 if (nnp)
2275 return -EPERM;
2276 return -EACCES;
7b0d0b40
SS		 2277}
2278
b8bff599 2279static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
1da177e4 2280{
a6f76f23
DH		 2281 const struct task_security_struct *old_tsec;
2282 struct task_security_struct *new_tsec;
1da177e4 2283 struct inode_security_struct *isec;
2bf49690 2284 struct common_audit_data ad;
496ad9aa 2285 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2286 int rc;
2287
a6f76f23
DH		 2288 /* SELinux context only depends on initial program or script and not
2289 * the script interpreter */
1da177e4 2290
0c6cfa62
CS		 2291 old_tsec = selinux_cred(current_cred());
2292 new_tsec = selinux_cred(bprm->cred);
83da53c5 2293 isec = inode_security(inode);
1da177e4
LT		 2294
2295 /* Default to the current task SID. */
a6f76f23
DH		 2296 new_tsec->sid = old_tsec->sid;
2297 new_tsec->osid = old_tsec->sid;
1da177e4 2298
28eba5bf 2299 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2300 new_tsec->create_sid = 0;
2301 new_tsec->keycreate_sid = 0;
2302 new_tsec->sockcreate_sid = 0;
1da177e4 2303
a6f76f23
DH		 2304 if (old_tsec->exec_sid) {
2305 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2306 /* Reset exec SID on execve. */
a6f76f23 2307 new_tsec->exec_sid = 0;
259e5e6c 2308
7b0d0b40
SS		 2309 /* Fail on NNP or nosuid if not an allowed transition. */
2310 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2311 if (rc)
2312 return rc;
1da177e4
LT		 2313 } else {
2314 /* Check for a default transition on this program. */
aa8e712c
SS		 2315 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2316 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2317 &new_tsec->sid);
1da177e4
LT		 2318 if (rc)
2319 return rc;
7b0d0b40
SS		 2320
2321 /*
2322 * Fallback to old SID on NNP or nosuid if not an allowed
2323 * transition.
2324 */
2325 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2326 if (rc)
2327 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2328 }
2329
43af5de7
VG		 2330 ad.type = LSM_AUDIT_DATA_FILE;
2331 ad.u.file = bprm->file;
1da177e4 2332
a6f76f23 2333 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2334 rc = avc_has_perm(&selinux_state,
2335 old_tsec->sid, isec->sid,
1da177e4
LT		 2336 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2337 if (rc)
2338 return rc;
2339 } else {
2340 /* Check permissions for the transition. */
6b6bc620
SS		 2341 rc = avc_has_perm(&selinux_state,
2342 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2343 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2344 if (rc)
2345 return rc;
2346
6b6bc620
SS		 2347 rc = avc_has_perm(&selinux_state,
2348 new_tsec->sid, isec->sid,
1da177e4
LT		 2349 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2350 if (rc)
2351 return rc;
2352
a6f76f23
DH		 2353 /* Check for shared state */
2354 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2355 rc = avc_has_perm(&selinux_state,
2356 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2357 SECCLASS_PROCESS, PROCESS__SHARE,
2358 NULL);
2359 if (rc)
2360 return -EPERM;
2361 }
2362
2363 /* Make sure that anyone attempting to ptrace over a task that
2364 * changes its SID has the appropriate permit */
9227dd2a 2365 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2366 u32 ptsid = ptrace_parent_sid();
a6f76f23 2367 if (ptsid != 0) {
6b6bc620
SS		 2368 rc = avc_has_perm(&selinux_state,
2369 ptsid, new_tsec->sid,
a6f76f23
DH		 2370 SECCLASS_PROCESS,
2371 PROCESS__PTRACE, NULL);
2372 if (rc)
2373 return -EPERM;
2374 }
2375 }
1da177e4 2376
a6f76f23
DH		 2377 /* Clear any possibly unsafe personality bits on exec: */
2378 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2379
1da177e4
LT		 2380 /* Enable secure mode for SIDs transitions unless
2381 the noatsecure permission is granted between
2382 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2383 rc = avc_has_perm(&selinux_state,
2384 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2385 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2386 NULL);
2387 bprm->secureexec |= !!rc;
1da177e4
LT		 2388 }
2389
62874c3a 2390 return 0;
1da177e4
LT		 2391}
2392
c3c073f8
AV		 2393static int match_file(const void *p, struct file *file, unsigned fd)
2394{
2395 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2396}
2397
1da177e4 2398/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2399static inline void flush_unauthorized_files(const struct cred *cred,
2400 struct files_struct *files)
1da177e4 2401{
1da177e4 2402 struct file *file, *devnull = NULL;
b20c8122 2403 struct tty_struct *tty;
24ec839c 2404 int drop_tty = 0;
c3c073f8 2405 unsigned n;
1da177e4 2406
24ec839c 2407 tty = get_current_tty();
1da177e4 2408 if (tty) {
4a510969 2409 spin_lock(&tty->files_lock);
37dd0bd0 2410 if (!list_empty(&tty->tty_files)) {
d996b62a 2411 struct tty_file_private *file_priv;
37dd0bd0 2412
1da177e4 2413 /* Revalidate access to controlling tty.
13f8e981
DH		 2414 Use file_path_has_perm on the tty path directly
2415 rather than using file_has_perm, as this particular
2416 open file may belong to another process and we are
2417 only interested in the inode-based check here. */
d996b62a
NP		 2418 file_priv = list_first_entry(&tty->tty_files,
2419 struct tty_file_private, list);
2420 file = file_priv->file;
13f8e981 2421 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2422 drop_tty = 1;
1da177e4 2423 }
4a510969 2424 spin_unlock(&tty->files_lock);
452a00d2 2425 tty_kref_put(tty);
1da177e4 2426 }
98a27ba4
EB		 2427 /* Reset controlling tty. */
2428 if (drop_tty)
2429 no_tty();
1da177e4
LT		 2430
2431 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2432 n = iterate_fd(files, 0, match_file, cred);
2433 if (!n) /* none found? */
2434 return;
1da177e4 2435
c3c073f8 2436 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2437 if (IS_ERR(devnull))
2438 devnull = NULL;
2439 /* replace all the matching ones with this */
2440 do {
2441 replace_fd(n - 1, devnull, 0);
2442 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2443 if (devnull)
c3c073f8 2444 fput(devnull);
1da177e4
LT		 2445}
2446
a6f76f23
DH		 2447/*
2448 * Prepare a process for imminent new credential changes due to exec
2449 */
2450static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2451{
a6f76f23
DH		 2452 struct task_security_struct *new_tsec;
2453 struct rlimit *rlim, *initrlim;
2454 int rc, i;
d84f4f99 2455
0c6cfa62 2456 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2457 if (new_tsec->sid == new_tsec->osid)
2458 return;
1da177e4 2459
a6f76f23
DH		 2460 /* Close files for which the new task SID is not authorized. */
2461 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2462
a6f76f23
DH		 2463 /* Always clear parent death signal on SID transitions. */
2464 current->pdeath_signal = 0;
0356357c 2465
a6f76f23
DH		 2466 /* Check whether the new SID can inherit resource limits from the old
2467 * SID. If not, reset all soft limits to the lower of the current
2468 * task's hard limit and the init task's soft limit.
2469 *
2470 * Note that the setting of hard limits (even to lower them) can be
2471 * controlled by the setrlimit check. The inclusion of the init task's
2472 * soft limit into the computation is to avoid resetting soft limits
2473 * higher than the default soft limit for cases where the default is
2474 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2475 */
6b6bc620
SS		 2476 rc = avc_has_perm(&selinux_state,
2477 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2478 PROCESS__RLIMITINH, NULL);
2479 if (rc) {
eb2d55a3
ON		 2480 /* protect against do_prlimit() */
2481 task_lock(current);
a6f76f23
DH		 2482 for (i = 0; i < RLIM_NLIMITS; i++) {
2483 rlim = current->signal->rlim + i;
2484 initrlim = init_task.signal->rlim + i;
2485 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2486 }
eb2d55a3 2487 task_unlock(current);
baa73d9e
NP		 2488 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2489 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2490 }
2491}
2492
2493/*
a6f76f23
DH		 2494 * Clean up the process immediately after the installation of new credentials
2495 * due to exec
1da177e4 2496 */
a6f76f23 2497static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2498{
0c6cfa62 2499 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2500 u32 osid, sid;
ddbc7d06 2501 int rc;
1da177e4 2502
a6f76f23
DH		 2503 osid = tsec->osid;
2504 sid = tsec->sid;
2505
2506 if (sid == osid)
1da177e4
LT		 2507 return;
2508
a6f76f23
DH		 2509 /* Check whether the new SID can inherit signal state from the old SID.
2510 * If not, clear itimers to avoid subsequent signal generation and
2511 * flush and unblock signals.
2512 *
2513 * This must occur _after_ the task SID has been updated so that any
2514 * kill done after the flush will be checked against the new SID.
2515 */
6b6bc620
SS		 2516 rc = avc_has_perm(&selinux_state,
2517 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2518 if (rc) {
ddbc7d06
AB		 2519 clear_itimer();
2520
0e326df0 2521 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
9e7c8f8c
ON		 2522 if (!fatal_signal_pending(current)) {
2523 flush_sigqueue(&current->pending);
2524 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2525 flush_signal_handlers(current, 1);
2526 sigemptyset(&current->blocked);
9e7c8f8c 2527 recalc_sigpending();
3bcac026 2528 }
0e326df0 2529 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
1da177e4
LT		 2530 }
2531
a6f76f23
DH		 2532 /* Wake up the parent if it is waiting so that it can recheck
2533 * wait permission to the new task SID. */
ecd6de3c 2534 read_lock(&tasklist_lock);
0e326df0 2535 __wake_up_parent(current, unrcu_pointer(current->real_parent));
ecd6de3c 2536 read_unlock(&tasklist_lock);
1da177e4
LT		 2537}
2538
2539/* superblock security operations */
2540
2541static int selinux_sb_alloc_security(struct super_block *sb)
2542{
1aea7808 2543 struct superblock_security_struct *sbsec = selinux_superblock(sb);
cb89e246
PM		 2544
2545 mutex_init(&sbsec->lock);
2546 INIT_LIST_HEAD(&sbsec->isec_head);
2547 spin_lock_init(&sbsec->isec_lock);
cb89e246
PM		 2548 sbsec->sid = SECINITSID_UNLABELED;
2549 sbsec->def_sid = SECINITSID_FILE;
2550 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
cb89e246
PM		 2551
2552 return 0;
1da177e4
LT		 2553}
2554
99dbbb59 2555static inline int opt_len(const char *s)
1da177e4 2556{
99dbbb59
AV		 2557 bool open_quote = false;
2558 int len;
2559 char c;
1da177e4 2560
99dbbb59
AV		 2561 for (len = 0; (c = s[len]) != '\0'; len++) {
2562 if (c == '"')
2563 open_quote = !open_quote;
2564 if (c == ',' && !open_quote)
2565 break;
3528a953 2566 }
99dbbb59 2567 return len;
3528a953
CO		 2568}
2569
99dbbb59 2570static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2571{
99dbbb59
AV		 2572 char *from = options;
2573 char *to = options;
2574 bool first = true;
fec63753 2575 int rc;
1da177e4 2576
99dbbb59
AV		 2577 while (1) {
2578 int len = opt_len(from);
fec63753 2579 int token;
99dbbb59 2580 char *arg = NULL;
1da177e4 2581
99dbbb59 2582 token = match_opt_prefix(from, len, &arg);
1da177e4 2583
99dbbb59
AV		 2584 if (token != Opt_error) {
2585 char *p, *q;
1da177e4 2586
99dbbb59
AV		 2587 /* strip quotes */
2588 if (arg) {
2589 for (p = q = arg; p < from + len; p++) {
2590 char c = *p;
2591 if (c != '"')
2592 *q++ = c;
2593 }
2594 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2595 if (!arg) {
2596 rc = -ENOMEM;
2597 goto free_opt;
2598 }
99dbbb59
AV		 2599 }
2600 rc = selinux_add_opt(token, arg, mnt_opts);
cad140d0
CG		 2601 kfree(arg);
2602 arg = NULL;
99dbbb59 2603 if (unlikely(rc)) {
fec63753 2604 goto free_opt;
99dbbb59
AV		 2605 }
2606 } else {
2607 if (!first) { // copy with preceding comma
2608 from--;
2609 len++;
2610 }
2611 if (to != from)
2612 memmove(to, from, len);
2613 to += len;
2614 first = false;
1da177e4 2615 }
99dbbb59
AV		 2616 if (!from[len])
2617 break;
2618 from += len + 1;
2619 }
2620 *to = '\0';
2621 return 0;
fec63753
GZ		 2622
2623free_opt:
2624 if (*mnt_opts) {
2625 selinux_free_mnt_opts(*mnt_opts);
2626 *mnt_opts = NULL;
2627 }
2628 return rc;
1da177e4
LT		 2629}
2630
69c4a42d
OK		 2631static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2632{
2633 struct selinux_mnt_opts *opts = mnt_opts;
0266c25e 2634 struct superblock_security_struct *sbsec = selinux_superblock(sb);
69c4a42d
OK		 2635
2636 /*
2637 * Superblock not initialized (i.e. no options) - reject if any
2638 * options specified, otherwise accept.
2639 */
2640 if (!(sbsec->flags & SE_SBINITIALIZED))
2641 return opts ? 1 : 0;
2642
2643 /*
2644 * Superblock initialized and no options specified - reject if
2645 * superblock has any options set, otherwise accept.
2646 */
2647 if (!opts)
2648 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2649
70f4169a
OM		 2650 if (opts->fscontext_sid) {
2651 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2652 opts->fscontext_sid))
69c4a42d
OK		 2653 return 1;
2654 }
70f4169a
OM		 2655 if (opts->context_sid) {
2656 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2657 opts->context_sid))
69c4a42d
OK		 2658 return 1;
2659 }
70f4169a
OM		 2660 if (opts->rootcontext_sid) {
2661 struct inode_security_struct *root_isec;
b8b87fd9 2662
70f4169a
OM		 2663 root_isec = backing_inode_security(sb->s_root);
2664 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2665 opts->rootcontext_sid))
69c4a42d 2666 return 1;
70f4169a
OM		 2667 }
2668 if (opts->defcontext_sid) {
2669 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2670 opts->defcontext_sid))
69c4a42d
OK		 2671 return 1;
2672 }
2673 return 0;
2674}
2675
204cc0cc 2676static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2677{
bd323655 2678 struct selinux_mnt_opts *opts = mnt_opts;
1aea7808 2679 struct superblock_security_struct *sbsec = selinux_superblock(sb);
026eb167
EP		 2680
2681 if (!(sbsec->flags & SE_SBINITIALIZED))
2682 return 0;
2683
204cc0cc 2684 if (!opts)
026eb167
EP		 2685 return 0;
2686
70f4169a 2687 if (opts->fscontext_sid) {
6bc1968c
SM		 2688 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2689 opts->fscontext_sid))
bd323655 2690 goto out_bad_option;
026eb167 2691 }
70f4169a 2692 if (opts->context_sid) {
6bc1968c
SM		 2693 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2694 opts->context_sid))
bd323655
AV		 2695 goto out_bad_option;
2696 }
70f4169a 2697 if (opts->rootcontext_sid) {
bd323655
AV		 2698 struct inode_security_struct *root_isec;
2699 root_isec = backing_inode_security(sb->s_root);
6bc1968c
SM		 2700 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2701 opts->rootcontext_sid))
bd323655
AV		 2702 goto out_bad_option;
2703 }
70f4169a 2704 if (opts->defcontext_sid) {
6bc1968c
SM		 2705 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2706 opts->defcontext_sid))
bd323655 2707 goto out_bad_option;
026eb167 2708 }
c039bc3c 2709 return 0;
026eb167 2710
026eb167 2711out_bad_option:
c103a91e 2712 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2713 "during remount (dev %s, type=%s)\n", sb->s_id,
2714 sb->s_type->name);
c039bc3c 2715 return -EINVAL;
026eb167
EP		 2716}
2717
a10d7c22 2718static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2719{
88e67f3b 2720 const struct cred *cred = current_cred();
2bf49690 2721 struct common_audit_data ad;
74192246 2722
50c205f5 2723 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2724 ad.u.dentry = sb->s_root;
88e67f3b 2725 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2726}
2727
726c3342 2728static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2729{
88e67f3b 2730 const struct cred *cred = current_cred();
2bf49690 2731 struct common_audit_data ad;
1da177e4 2732
50c205f5 2733 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2734 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2735 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2736}
2737
808d4e3c 2738static int selinux_mount(const char *dev_name,
8a04c43b 2739 const struct path *path,
808d4e3c 2740 const char *type,
828dfe1d
EP		 2741 unsigned long flags,
2742 void *data)
1da177e4 2743{
88e67f3b 2744 const struct cred *cred = current_cred();
1da177e4
LT		 2745
2746 if (flags & MS_REMOUNT)
d8c9584e 2747 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2748 FILESYSTEM__REMOUNT, NULL);
1da177e4 2749 else
2875fa00 2750 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2751}
2752
98aa0034
SS		 2753static int selinux_move_mount(const struct path *from_path,
2754 const struct path *to_path)
2755{
2756 const struct cred *cred = current_cred();
2757
2758 return path_has_perm(cred, to_path, FILE__MOUNTON);
2759}
2760
1da177e4
LT		 2761static int selinux_umount(struct vfsmount *mnt, int flags)
2762{
88e67f3b 2763 const struct cred *cred = current_cred();
1da177e4 2764
88e67f3b 2765 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2766 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2767}
2768
0b52075e
AV		 2769static int selinux_fs_context_dup(struct fs_context *fc,
2770 struct fs_context *src_fc)
2771{
2772 const struct selinux_mnt_opts *src = src_fc->security;
0b52075e
AV		 2773
2774 if (!src)
2775 return 0;
2776
70f4169a
OM		 2777 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2778 return fc->security ? 0 : -ENOMEM;
0b52075e
AV		 2779}
2780
d7167b14 2781static const struct fs_parameter_spec selinux_fs_parameters[] = {
442155c1
DH		 2782 fsparam_string(CONTEXT_STR, Opt_context),
2783 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2784 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2785 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2786 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2787 {}
2788};
2789
442155c1
DH		 2790static int selinux_fs_context_parse_param(struct fs_context *fc,
2791 struct fs_parameter *param)
2792{
2793 struct fs_parse_result result;
cad140d0 2794 int opt;
442155c1 2795
d7167b14 2796 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
442155c1
DH		 2797 if (opt < 0)
2798 return opt;
2799
cad140d0 2800 return selinux_add_opt(opt, param->string, &fc->security);
442155c1
DH		 2801}
2802
1da177e4
LT		 2803/* inode security operations */
2804
2805static int selinux_inode_alloc_security(struct inode *inode)
2806{
cb89e246
PM		 2807 struct inode_security_struct *isec = selinux_inode(inode);
2808 u32 sid = current_sid();
2809
2810 spin_lock_init(&isec->lock);
2811 INIT_LIST_HEAD(&isec->list);
2812 isec->inode = inode;
2813 isec->sid = SECINITSID_UNLABELED;
2814 isec->sclass = SECCLASS_FILE;
2815 isec->task_sid = sid;
2816 isec->initialized = LABEL_INVALID;
2817
2818 return 0;
1da177e4
LT		 2819}
2820
2821static void selinux_inode_free_security(struct inode *inode)
2822{
2823 inode_free_security(inode);
2824}
2825
d47be3df 2826static int selinux_dentry_init_security(struct dentry *dentry, int mode,
15bf3239
VG		 2827 const struct qstr *name,
2828 const char **xattr_name, void **ctx,
d47be3df
DQ		 2829 u32 *ctxlen)
2830{
d47be3df
DQ		 2831 u32 newsid;
2832 int rc;
2833
0c6cfa62 2834 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2835 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2836 inode_mode_to_security_class(mode),
2837 &newsid);
2838 if (rc)
2839 return rc;
d47be3df 2840
15bf3239
VG		 2841 if (xattr_name)
2842 *xattr_name = XATTR_NAME_SELINUX;
2843
aa8e712c
SS		 2844 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2845 ctxlen);
d47be3df
DQ		 2846}
2847
a518b0a5
VG		 2848static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2849 struct qstr *name,
2850 const struct cred *old,
2851 struct cred *new)
2852{
2853 u32 newsid;
2854 int rc;
2855 struct task_security_struct *tsec;
2856
0c6cfa62 2857 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2858 d_inode(dentry->d_parent), name,
2859 inode_mode_to_security_class(mode),
2860 &newsid);
2861 if (rc)
2862 return rc;
2863
0c6cfa62 2864 tsec = selinux_cred(new);
a518b0a5
VG		 2865 tsec->create_sid = newsid;
2866 return 0;
2867}
2868
5e41ff9e 2869static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2870 const struct qstr *qstr,
2871 const char **name,
2a7dba39 2872 void **value, size_t *len)
5e41ff9e 2873{
0c6cfa62 2874 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2875 struct superblock_security_struct *sbsec;
c0d4f464 2876 u32 newsid, clen;
5e41ff9e 2877 int rc;
9548906b 2878 char *context;
5e41ff9e 2879
1aea7808 2880 sbsec = selinux_superblock(dir->i_sb);
5e41ff9e 2881
275bb41e
DH		 2882 newsid = tsec->create_sid;
2883
210a2928 2884 rc = selinux_determine_inode_label(tsec, dir, qstr,
c3c188b2
DH		 2885 inode_mode_to_security_class(inode->i_mode),
2886 &newsid);
2887 if (rc)
2888 return rc;
5e41ff9e 2889
296fddf7 2890 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2891 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2892 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2893 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2894 isec->sid = newsid;
6f3be9f5 2895 isec->initialized = LABEL_INITIALIZED;
296fddf7 2896 }
5e41ff9e 2897
65cddd50
OM		 2898 if (!selinux_initialized(&selinux_state) ||
2899 !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2900 return -EOPNOTSUPP;
2901
9548906b
TH		 2902 if (name)
2903 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2904
570bc1c2 2905 if (value && len) {
aa8e712c
SS		 2906 rc = security_sid_to_context_force(&selinux_state, newsid,
2907 &context, &clen);
9548906b 2908 if (rc)
570bc1c2 2909 return rc;
570bc1c2
SS		 2910 *value = context;
2911 *len = clen;
5e41ff9e 2912 }
5e41ff9e 2913
5e41ff9e
SS		 2914 return 0;
2915}
2916
29cd6591
DC		 2917static int selinux_inode_init_security_anon(struct inode *inode,
2918 const struct qstr *name,
2919 const struct inode *context_inode)
2920{
2921 const struct task_security_struct *tsec = selinux_cred(current_cred());
2922 struct common_audit_data ad;
2923 struct inode_security_struct *isec;
2924 int rc;
2925
2926 if (unlikely(!selinux_initialized(&selinux_state)))
2927 return 0;
2928
2929 isec = selinux_inode(inode);
2930
2931 /*
2932 * We only get here once per ephemeral inode. The inode has
2933 * been initialized via inode_alloc_security but is otherwise
2934 * untouched.
2935 */
2936
2937 if (context_inode) {
2938 struct inode_security_struct *context_isec =
2939 selinux_inode(context_inode);
2940 if (context_isec->initialized != LABEL_INITIALIZED) {
2941 pr_err("SELinux: context_inode is not initialized");
2942 return -EACCES;
2943 }
2944
2945 isec->sclass = context_isec->sclass;
2946 isec->sid = context_isec->sid;
2947 } else {
2948 isec->sclass = SECCLASS_ANON_INODE;
2949 rc = security_transition_sid(
2950 &selinux_state, tsec->sid, tsec->sid,
2951 isec->sclass, name, &isec->sid);
2952 if (rc)
2953 return rc;
2954 }
2955
2956 isec->initialized = LABEL_INITIALIZED;
2957 /*
2958 * Now that we've initialized security, check whether we're
2959 * allowed to actually create this type of anonymous inode.
2960 */
2961
c29722fa
CG		 2962 ad.type = LSM_AUDIT_DATA_ANONINODE;
2963 ad.u.anonclass = name ? (const char *)name->name : "?";
29cd6591
DC		 2964
2965 return avc_has_perm(&selinux_state,
2966 tsec->sid,
2967 isec->sid,
2968 isec->sclass,
2969 FILE__CREATE,
2970 &ad);
2971}
2972
4acdaf27 2973static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2974{
2975 return may_create(dir, dentry, SECCLASS_FILE);
2976}
2977
1da177e4
LT		 2978static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2979{
1da177e4
LT		 2980 return may_link(dir, old_dentry, MAY_LINK);
2981}
2982
1da177e4
LT		 2983static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2984{
1da177e4
LT		 2985 return may_link(dir, dentry, MAY_UNLINK);
2986}
2987
2988static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2989{
2990 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2991}
2992
18bb1db3 2993static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2994{
2995 return may_create(dir, dentry, SECCLASS_DIR);
2996}
2997
1da177e4
LT		 2998static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2999{
3000 return may_link(dir, dentry, MAY_RMDIR);
3001}
3002
1a67aafb 3003static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3004{
1da177e4
LT		 3005 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3006}
3007
1da177e4 3008static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3009 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3010{
3011 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3012}
3013
1da177e4
LT		 3014static int selinux_inode_readlink(struct dentry *dentry)
3015{
88e67f3b
DH		 3016 const struct cred *cred = current_cred();
3017
2875fa00 3018 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3019}
3020
bda0be7a
N		 3021static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3022 bool rcu)
1da177e4 3023{
88e67f3b 3024 const struct cred *cred = current_cred();
bda0be7a
N		 3025 struct common_audit_data ad;
3026 struct inode_security_struct *isec;
3027 u32 sid;
1da177e4 3028
bda0be7a
N		 3029 validate_creds(cred);
3030
3031 ad.type = LSM_AUDIT_DATA_DENTRY;
3032 ad.u.dentry = dentry;
3033 sid = cred_sid(cred);
5d226df4
AG		 3034 isec = inode_security_rcu(inode, rcu);
3035 if (IS_ERR(isec))
3036 return PTR_ERR(isec);
bda0be7a 3037
d99cf13f
AV		 3038 return avc_has_perm(&selinux_state,
3039 sid, isec->sid, isec->sclass, FILE__READ, &ad);
1da177e4
LT		 3040}
3041
d4cf970d
EP		 3042static noinline int audit_inode_permission(struct inode *inode,
3043 u32 perms, u32 audited, u32 denied,
0188d5c0 3044 int result)
1da177e4 3045{
b782e0a6 3046 struct common_audit_data ad;
80788c22 3047 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d 3048
50c205f5 3049 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3050 ad.u.inode = inode;
3051
b17ec22f 3052 return slow_avc_audit(&selinux_state,
6b6bc620 3053 current_sid(), isec->sid, isec->sclass, perms,
0188d5c0 3054 audited, denied, result, &ad);
d4cf970d
EP		 3055}
3056
e74f71eb 3057static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3058{
88e67f3b 3059 const struct cred *cred = current_cred();
b782e0a6
EP		 3060 u32 perms;
3061 bool from_access;
5298d0b9 3062 bool no_block = mask & MAY_NOT_BLOCK;
2e334057
EP		 3063 struct inode_security_struct *isec;
3064 u32 sid;
3065 struct av_decision avd;
3066 int rc, rc2;
3067 u32 audited, denied;
1da177e4 3068
b782e0a6 3069 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3070 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3071
b782e0a6
EP		 3072 /* No permission to check. Existence test. */
3073 if (!mask)
1da177e4 3074 return 0;
1da177e4 3075
2e334057 3076 validate_creds(cred);
b782e0a6 3077
2e334057
EP		 3078 if (unlikely(IS_PRIVATE(inode)))
3079 return 0;
b782e0a6
EP		 3080
3081 perms = file_mask_to_av(inode->i_mode, mask);
3082
2e334057 3083 sid = cred_sid(cred);
5298d0b9 3084 isec = inode_security_rcu(inode, no_block);
5d226df4
AG		 3085 if (IS_ERR(isec))
3086 return PTR_ERR(isec);
2e334057 3087
6b6bc620 3088 rc = avc_has_perm_noaudit(&selinux_state,
b17ec22f 3089 sid, isec->sid, isec->sclass, perms, 0,
3a28cff3 3090 &avd);
2e334057
EP		 3091 audited = avc_audit_required(perms, &avd, rc,
3092 from_access ? FILE__AUDIT_ACCESS : 0,
3093 &denied);
3094 if (likely(!audited))
3095 return rc;
3096
0188d5c0 3097 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
2e334057
EP		 3098 if (rc2)
3099 return rc2;
3100 return rc;
1da177e4
LT		 3101}
3102
3103static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3104{
88e67f3b 3105 const struct cred *cred = current_cred();
ccb54478 3106 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3107 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3108 __u32 av = FILE__WRITE;
1da177e4 3109
bc6a6008
AW		 3110 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3111 if (ia_valid & ATTR_FORCE) {
3112 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3113 ATTR_FORCE);
3114 if (!ia_valid)
3115 return 0;
3116 }
1da177e4 3117
bc6a6008
AW		 3118 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3119 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3120 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3121
aa8e712c 3122 if (selinux_policycap_openperm() &&
ccb54478
SS		 3123 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3124 (ia_valid & ATTR_SIZE) &&
3125 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3126 av |= FILE__OPEN;
3127
3128 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3129}
3130
3f7036a0 3131static int selinux_inode_getattr(const struct path *path)
1da177e4 3132{
3f7036a0 3133 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3134}
3135
db59000a
SS		 3136static bool has_cap_mac_admin(bool audit)
3137{
3138 const struct cred *cred = current_cred();
c1a85a00 3139 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3140
c1a85a00 3141 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3142 return false;
c1a85a00 3143 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3144 return false;
3145 return true;
3146}
3147
39f60c1c 3148static int selinux_inode_setxattr(struct mnt_idmap *idmap,
71bc356f 3149 struct dentry *dentry, const char *name,
8f0cfa52 3150 const void *value, size_t size, int flags)
1da177e4 3151{
c6f493d6 3152 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3153 struct inode_security_struct *isec;
1da177e4 3154 struct superblock_security_struct *sbsec;
2bf49690 3155 struct common_audit_data ad;
275bb41e 3156 u32 newsid, sid = current_sid();
39f60c1c 3157 struct user_namespace *mnt_userns = mnt_idmap_owner(idmap);
1da177e4
LT		 3158 int rc = 0;
3159
6b240306
EB		 3160 if (strcmp(name, XATTR_NAME_SELINUX)) {
3161 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3162 if (rc)
3163 return rc;
3164
3165 /* Not an attribute we recognize, so just check the
3166 ordinary setattr permission. */
3167 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3168 }
1da177e4 3169
65cddd50 3170 if (!selinux_initialized(&selinux_state))
71bc356f 3171 return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);
3e3e24b4 3172
1aea7808 3173 sbsec = selinux_superblock(inode->i_sb);
12f348b9 3174 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3175 return -EOPNOTSUPP;
3176
71bc356f 3177 if (!inode_owner_or_capable(mnt_userns, inode))
1da177e4
LT		 3178 return -EPERM;
3179
50c205f5 3180 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3181 ad.u.dentry = dentry;
1da177e4 3182
20cdef8d 3183 isec = backing_inode_security(dentry);
6b6bc620
SS		 3184 rc = avc_has_perm(&selinux_state,
3185 sid, isec->sid, isec->sclass,
1da177e4
LT		 3186 FILE__RELABELFROM, &ad);
3187 if (rc)
3188 return rc;
3189
aa8e712c
SS		 3190 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3191 GFP_KERNEL);
12b29f34 3192 if (rc == -EINVAL) {
db59000a 3193 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3194 struct audit_buffer *ab;
3195 size_t audit_size;
d6ea83ec
EP		 3196
3197 /* We strip a nul only if it is at the end, otherwise the
3198 * context contains a nul and we should audit that */
e3fea3f7 3199 if (value) {
add24372
CIK		 3200 const char *str = value;
3201
e3fea3f7
AV		 3202 if (str[size - 1] == '\0')
3203 audit_size = size - 1;
3204 else
3205 audit_size = size;
3206 } else {
e3fea3f7
AV		 3207 audit_size = 0;
3208 }
cdfb6b34
RGB		 3209 ab = audit_log_start(audit_context(),
3210 GFP_ATOMIC, AUDIT_SELINUX_ERR);
893c47d1
AK		 3211 if (!ab)
3212 return rc;
d6ea83ec
EP		 3213 audit_log_format(ab, "op=setxattr invalid_context=");
3214 audit_log_n_untrustedstring(ab, value, audit_size);
3215 audit_log_end(ab);
3216
12b29f34 3217 return rc;
d6ea83ec 3218 }
aa8e712c
SS		 3219 rc = security_context_to_sid_force(&selinux_state, value,
3220 size, &newsid);
12b29f34 3221 }
1da177e4
LT		 3222 if (rc)
3223 return rc;
3224
6b6bc620
SS		 3225 rc = avc_has_perm(&selinux_state,
3226 sid, newsid, isec->sclass,
1da177e4
LT		 3227 FILE__RELABELTO, &ad);
3228 if (rc)
3229 return rc;
3230
aa8e712c
SS		 3231 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3232 sid, isec->sclass);
1da177e4
LT		 3233 if (rc)
3234 return rc;
3235
6b6bc620
SS		 3236 return avc_has_perm(&selinux_state,
3237 newsid,
1da177e4
LT		 3238 sbsec->sid,
3239 SECCLASS_FILESYSTEM,
3240 FILESYSTEM__ASSOCIATE,
3241 &ad);
3242}
3243
1bdeb218
CB		 3244static int selinux_inode_set_acl(struct user_namespace *mnt_userns,
3245 struct dentry *dentry, const char *acl_name,
3246 struct posix_acl *kacl)
3247{
3248 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3249}
3250
3251static int selinux_inode_get_acl(struct user_namespace *mnt_userns,
3252 struct dentry *dentry, const char *acl_name)
3253{
3254 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3255}
3256
3257static int selinux_inode_remove_acl(struct user_namespace *mnt_userns,
3258 struct dentry *dentry, const char *acl_name)
3259{
3260 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3261}
3262
8f0cfa52 3263static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3264 const void *value, size_t size,
8f0cfa52 3265 int flags)
1da177e4 3266{
c6f493d6 3267 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3268 struct inode_security_struct *isec;
1da177e4
LT		 3269 u32 newsid;
3270 int rc;
3271
3272 if (strcmp(name, XATTR_NAME_SELINUX)) {
3273 /* Not an attribute we recognize, so nothing to do. */
3274 return;
3275 }
3276
65cddd50 3277 if (!selinux_initialized(&selinux_state)) {
3e3e24b4
JL		 3278 /* If we haven't even been initialized, then we can't validate
3279 * against a policy, so leave the label as invalid. It may
3280 * resolve to a valid label on the next revalidation try if
3281 * we've since initialized.
3282 */
3283 return;
3284 }
3285
aa8e712c
SS		 3286 rc = security_context_to_sid_force(&selinux_state, value, size,
3287 &newsid);
1da177e4 3288 if (rc) {
c103a91e 3289 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3290 "for (%s, %lu), rc=%d\n",
3291 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3292 return;
3293 }
3294
20cdef8d 3295 isec = backing_inode_security(dentry);
9287aed2 3296 spin_lock(&isec->lock);
aa9c2669 3297 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3298 isec->sid = newsid;
6f3be9f5 3299 isec->initialized = LABEL_INITIALIZED;
9287aed2 3300 spin_unlock(&isec->lock);
1da177e4
LT		 3301}
3302
8f0cfa52 3303static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3304{
88e67f3b
DH		 3305 const struct cred *cred = current_cred();
3306
2875fa00 3307 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3308}
3309
828dfe1d 3310static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3311{
88e67f3b
DH		 3312 const struct cred *cred = current_cred();
3313
2875fa00 3314 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3315}
3316
39f60c1c 3317static int selinux_inode_removexattr(struct mnt_idmap *idmap,
71bc356f 3318 struct dentry *dentry, const char *name)
1da177e4 3319{
6b240306 3320 if (strcmp(name, XATTR_NAME_SELINUX)) {
39f60c1c 3321 int rc = cap_inode_removexattr(idmap, dentry, name);
6b240306
EB		 3322 if (rc)
3323 return rc;
3324
3325 /* Not an attribute we recognize, so just check the
3326 ordinary setattr permission. */
3327 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3328 }
1da177e4 3329
9530a3e0
SS		 3330 if (!selinux_initialized(&selinux_state))
3331 return 0;
3332
1da177e4
LT		 3333 /* No one is allowed to remove a SELinux security label.
3334 You can change the label, but all data must be labeled. */
3335 return -EACCES;
3336}
3337
ac5656d8
AG		 3338static int selinux_path_notify(const struct path *path, u64 mask,
3339 unsigned int obj_type)
3340{
3341 int ret;
3342 u32 perm;
3343
3344 struct common_audit_data ad;
3345
3346 ad.type = LSM_AUDIT_DATA_PATH;
3347 ad.u.path = *path;
3348
3349 /*
3350 * Set permission needed based on the type of mark being set.
3351 * Performs an additional check for sb watches.
3352 */
3353 switch (obj_type) {
3354 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3355 perm = FILE__WATCH_MOUNT;
3356 break;
3357 case FSNOTIFY_OBJ_TYPE_SB:
3358 perm = FILE__WATCH_SB;
3359 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3360 FILESYSTEM__WATCH, &ad);
3361 if (ret)
3362 return ret;
3363 break;
3364 case FSNOTIFY_OBJ_TYPE_INODE:
3365 perm = FILE__WATCH;
3366 break;
3367 default:
3368 return -EINVAL;
3369 }
3370
3371 /* blocking watches require the file:watch_with_perm permission */
3372 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3373 perm |= FILE__WATCH_WITH_PERM;
3374
3375 /* watches on read-like events need the file:watch_reads permission */
3376 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3377 perm |= FILE__WATCH_READS;
3378
3379 return path_has_perm(current_cred(), path, perm);
3380}
3381
d381d8a9 3382/*
abc69bb6 3383 * Copy the inode security context value to the user.
d381d8a9
JM		 3384 *
3385 * Permission check is handled by selinux_inode_getxattr hook.
3386 */
4609e1f1 3387static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
71bc356f
CB		 3388 struct inode *inode, const char *name,
3389 void **buffer, bool alloc)
1da177e4 3390{
42492594
DQ		 3391 u32 size;
3392 int error;
3393 char *context = NULL;
20cdef8d 3394 struct inode_security_struct *isec;
d381d8a9 3395
c8e22261
JL		 3396 /*
3397 * If we're not initialized yet, then we can't validate contexts, so
3398 * just let vfs_getxattr fall back to using the on-disk xattr.
3399 */
3400 if (!selinux_initialized(&selinux_state) ||
3401 strcmp(name, XATTR_SELINUX_SUFFIX))
8c8570fb 3402 return -EOPNOTSUPP;
d381d8a9 3403
abc69bb6
SS		 3404 /*
3405 * If the caller has CAP_MAC_ADMIN, then get the raw context
3406 * value even if it is not defined by current policy; otherwise,
3407 * use the in-core value under current policy.
3408 * Use the non-auditing forms of the permission checks since
3409 * getxattr may be called by unprivileged processes commonly
3410 * and lack of permission just means that we fall back to the
3411 * in-core context value, not a denial.
3412 */
20cdef8d 3413 isec = inode_security(inode);
db59000a 3414 if (has_cap_mac_admin(false))
aa8e712c
SS		 3415 error = security_sid_to_context_force(&selinux_state,
3416 isec->sid, &context,
abc69bb6
SS		 3417 &size);
3418 else
aa8e712c
SS		 3419 error = security_sid_to_context(&selinux_state, isec->sid,
3420 &context, &size);
42492594
DQ		 3421 if (error)
3422 return error;
3423 error = size;
3424 if (alloc) {
3425 *buffer = context;
3426 goto out_nofree;
3427 }
3428 kfree(context);
3429out_nofree:
3430 return error;
1da177e4
LT		 3431}
3432
3433static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3434 const void *value, size_t size, int flags)
1da177e4 3435{
2c97165b 3436 struct inode_security_struct *isec = inode_security_novalidate(inode);
1aea7808 3437 struct superblock_security_struct *sbsec;
1da177e4
LT		 3438 u32 newsid;
3439 int rc;
3440
3441 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3442 return -EOPNOTSUPP;
3443
1aea7808 3444 sbsec = selinux_superblock(inode->i_sb);
53e0c2aa
OM		 3445 if (!(sbsec->flags & SBLABEL_MNT))
3446 return -EOPNOTSUPP;
3447
1da177e4
LT		 3448 if (!value || !size)
3449 return -EACCES;
3450
aa8e712c
SS		 3451 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3452 GFP_KERNEL);
1da177e4
LT		 3453 if (rc)
3454 return rc;
3455
9287aed2 3456 spin_lock(&isec->lock);
aa9c2669 3457 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3458 isec->sid = newsid;
6f3be9f5 3459 isec->initialized = LABEL_INITIALIZED;
9287aed2 3460 spin_unlock(&isec->lock);
1da177e4
LT		 3461 return 0;
3462}
3463
3464static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3465{
3466 const int len = sizeof(XATTR_NAME_SELINUX);
a9ffe682
AG		 3467
3468 if (!selinux_initialized(&selinux_state))
3469 return 0;
3470
1da177e4
LT		 3471 if (buffer && len <= buffer_size)
3472 memcpy(buffer, XATTR_NAME_SELINUX, len);
3473 return len;
3474}
3475
d6335d77 3476static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3477{
e817c2f3 3478 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3479 *secid = isec->sid;
3480}
3481
56909eb3
VG		 3482static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3483{
3484 u32 sid;
3485 struct task_security_struct *tsec;
3486 struct cred *new_creds = *new;
3487
3488 if (new_creds == NULL) {
3489 new_creds = prepare_creds();
3490 if (!new_creds)
3491 return -ENOMEM;
3492 }
3493
0c6cfa62 3494 tsec = selinux_cred(new_creds);
56909eb3
VG		 3495 /* Get label from overlay inode and set it in create_sid */
3496 selinux_inode_getsecid(d_inode(src), &sid);
3497 tsec->create_sid = sid;
3498 *new = new_creds;
3499 return 0;
3500}
3501
19472b69
VG		 3502static int selinux_inode_copy_up_xattr(const char *name)
3503{
3504 /* The copy_up hook above sets the initial context on an inode, but we
3505 * don't then want to overwrite it by blindly copying all the lower
3506 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3507 */
3508 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3509 return 1; /* Discard */
3510 /*
3511 * Any other attribute apart from SELINUX is not claimed, supported
3512 * by selinux.
3513 */
3514 return -EOPNOTSUPP;
3515}
3516
ec882da5
OM		 3517/* kernfs node operations */
3518
c72c4cde
Y		 3519static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3520 struct kernfs_node *kn)
ec882da5 3521{
169ce0c0 3522 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3523 u32 parent_sid, newsid, clen;
3524 int rc;
3525 char *context;
3526
1537ad15 3527 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3528 if (rc == -ENODATA)
3529 return 0;
3530 else if (rc < 0)
3531 return rc;
3532
3533 clen = (u32)rc;
3534 context = kmalloc(clen, GFP_KERNEL);
3535 if (!context)
3536 return -ENOMEM;
3537
1537ad15 3538 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3539 if (rc < 0) {
3540 kfree(context);
3541 return rc;
3542 }
3543
3544 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3545 GFP_KERNEL);
3546 kfree(context);
3547 if (rc)
3548 return rc;
3549
3550 if (tsec->create_sid) {
3551 newsid = tsec->create_sid;
3552 } else {
3553 u16 secclass = inode_mode_to_security_class(kn->mode);
3554 struct qstr q;
3555
3556 q.name = kn->name;
3557 q.hash_len = hashlen_string(kn_dir, kn->name);
3558
3559 rc = security_transition_sid(&selinux_state, tsec->sid,
3560 parent_sid, secclass, &q,
3561 &newsid);
3562 if (rc)
3563 return rc;
3564 }
3565
3566 rc = security_sid_to_context_force(&selinux_state, newsid,
3567 &context, &clen);
3568 if (rc)
3569 return rc;
3570
1537ad15
OM		 3571 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3572 XATTR_CREATE);
ec882da5
OM		 3573 kfree(context);
3574 return rc;
3575}
3576
3577
1da177e4
LT		 3578/* file security operations */
3579
788e7dd4 3580static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3581{
88e67f3b 3582 const struct cred *cred = current_cred();
496ad9aa 3583 struct inode *inode = file_inode(file);
1da177e4 3584
1da177e4
LT		 3585 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3586 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3587 mask |= MAY_APPEND;
3588
389fb800
PM		 3589 return file_has_perm(cred, file,
3590 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3591}
3592
788e7dd4
YN		 3593static int selinux_file_permission(struct file *file, int mask)
3594{
496ad9aa 3595 struct inode *inode = file_inode(file);
bb6c6b02 3596 struct file_security_struct *fsec = selinux_file(file);
b197367e 3597 struct inode_security_struct *isec;
20dda18b
SS		 3598 u32 sid = current_sid();
3599
389fb800 3600 if (!mask)
788e7dd4
YN		 3601 /* No permission to check. Existence test. */
3602 return 0;
788e7dd4 3603
b197367e 3604 isec = inode_security(inode);
20dda18b 3605 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3606 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3607 /* No change since file_open check. */
20dda18b
SS		 3608 return 0;
3609
788e7dd4
YN		 3610 return selinux_revalidate_file_permission(file, mask);
3611}
3612
1da177e4
LT		 3613static int selinux_file_alloc_security(struct file *file)
3614{
cb89e246
PM		 3615 struct file_security_struct *fsec = selinux_file(file);
3616 u32 sid = current_sid();
3617
3618 fsec->sid = sid;
3619 fsec->fown_sid = sid;
3620
3621 return 0;
1da177e4
LT		 3622}
3623
fa1aa143
JVS		 3624/*
3625 * Check whether a task has the ioctl permission and cmd
3626 * operation to an inode.
3627 */
1d2a168a 3628static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3629 u32 requested, u16 cmd)
3630{
3631 struct common_audit_data ad;
bb6c6b02 3632 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3633 struct inode *inode = file_inode(file);
20cdef8d 3634 struct inode_security_struct *isec;
fa1aa143
JVS		 3635 struct lsm_ioctlop_audit ioctl;
3636 u32 ssid = cred_sid(cred);
3637 int rc;
3638 u8 driver = cmd >> 8;
3639 u8 xperm = cmd & 0xff;
3640
3641 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3642 ad.u.op = &ioctl;
3643 ad.u.op->cmd = cmd;
3644 ad.u.op->path = file->f_path;
3645
3646 if (ssid != fsec->sid) {
6b6bc620
SS		 3647 rc = avc_has_perm(&selinux_state,
3648 ssid, fsec->sid,
fa1aa143
JVS		 3649 SECCLASS_FD,
3650 FD__USE,
3651 &ad);
3652 if (rc)
3653 goto out;
3654 }
3655
3656 if (unlikely(IS_PRIVATE(inode)))
3657 return 0;
3658
20cdef8d 3659 isec = inode_security(inode);
6b6bc620
SS		 3660 rc = avc_has_extended_perms(&selinux_state,
3661 ssid, isec->sid, isec->sclass,
3662 requested, driver, xperm, &ad);
fa1aa143
JVS		 3663out:
3664 return rc;
3665}
3666
1da177e4
LT		 3667static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3668 unsigned long arg)
3669{
88e67f3b 3670 const struct cred *cred = current_cred();
0b24dcb7 3671 int error = 0;
1da177e4 3672
0b24dcb7
EP		 3673 switch (cmd) {
3674 case FIONREAD:
0b24dcb7 3675 case FIBMAP:
0b24dcb7 3676 case FIGETBSZ:
2f99c369 3677 case FS_IOC_GETFLAGS:
2f99c369 3678 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3679 error = file_has_perm(cred, file, FILE__GETATTR);
3680 break;
1da177e4 3681
2f99c369 3682 case FS_IOC_SETFLAGS:
2f99c369 3683 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3684 error = file_has_perm(cred, file, FILE__SETATTR);
3685 break;
3686
3687 /* sys_ioctl() checks */
3688 case FIONBIO:
0b24dcb7
EP		 3689 case FIOASYNC:
3690 error = file_has_perm(cred, file, 0);
3691 break;
1da177e4 3692
0b24dcb7
EP		 3693 case KDSKBENT:
3694 case KDSKBSENT:
6a9de491 3695 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3696 CAP_OPT_NONE, true);
0b24dcb7
EP		 3697 break;
3698
65881e1d
RH		 3699 case FIOCLEX:
3700 case FIONCLEX:
3701 if (!selinux_policycap_ioctl_skip_cloexec())
3702 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3703 break;
3704
0b24dcb7
EP		 3705 /* default case assumes that the command will go
3706 * to the file's ioctl() function.
3707 */
3708 default:
fa1aa143 3709 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3710 }
3711 return error;
1da177e4
LT		 3712}
3713
b78b7d59 3714static int default_noexec __ro_after_init;
fcaaade1 3715
1da177e4
LT		 3716static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3717{
88e67f3b 3718 const struct cred *cred = current_cred();
be0554c9 3719 u32 sid = cred_sid(cred);
d84f4f99 3720 int rc = 0;
88e67f3b 3721
fcaaade1 3722 if (default_noexec &&
892e8cac
SS		 3723 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3724 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3725 /*
3726 * We are making executable an anonymous mapping or a
3727 * private file mapping that will also be writable.
3728 * This has an additional check.
3729 */
6b6bc620
SS		 3730 rc = avc_has_perm(&selinux_state,
3731 sid, sid, SECCLASS_PROCESS,
be0554c9 3732 PROCESS__EXECMEM, NULL);
1da177e4 3733 if (rc)
d84f4f99 3734 goto error;
1da177e4 3735 }
1da177e4
LT		 3736
3737 if (file) {
3738 /* read access is always possible with a mapping */
3739 u32 av = FILE__READ;
3740
3741 /* write access only matters if the mapping is shared */
3742 if (shared && (prot & PROT_WRITE))
3743 av |= FILE__WRITE;
3744
3745 if (prot & PROT_EXEC)
3746 av |= FILE__EXECUTE;
3747
88e67f3b 3748 return file_has_perm(cred, file, av);
1da177e4 3749 }
d84f4f99
DH		 3750
3751error:
3752 return rc;
1da177e4
LT		 3753}
3754
e5467859 3755static int selinux_mmap_addr(unsigned long addr)
1da177e4 3756{
b1d9e6b0 3757 int rc = 0;
1da177e4 3758
a2551df7 3759 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3760 u32 sid = current_sid();
6b6bc620
SS		 3761 rc = avc_has_perm(&selinux_state,
3762 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3763 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3764 }
3765
98883bfd 3766 return rc;
e5467859 3767}
1da177e4 3768
e5467859
AV		 3769static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3770 unsigned long prot, unsigned long flags)
3771{
3ba4bf5f
SS		 3772 struct common_audit_data ad;
3773 int rc;
3774
3775 if (file) {
3776 ad.type = LSM_AUDIT_DATA_FILE;
3777 ad.u.file = file;
3778 rc = inode_has_perm(current_cred(), file_inode(file),
3779 FILE__MAP, &ad);
3780 if (rc)
3781 return rc;
3782 }
3783
8861d0af 3784 if (checkreqprot_get(&selinux_state))
1da177e4
LT		 3785 prot = reqprot;
3786
3787 return file_map_prot_check(file, prot,
3788 (flags & MAP_TYPE) == MAP_SHARED);
3789}
3790
3791static int selinux_file_mprotect(struct vm_area_struct *vma,
3792 unsigned long reqprot,
3793 unsigned long prot)
3794{
88e67f3b 3795 const struct cred *cred = current_cred();
be0554c9 3796 u32 sid = cred_sid(cred);
1da177e4 3797
8861d0af 3798 if (checkreqprot_get(&selinux_state))
1da177e4
LT		 3799 prot = reqprot;
3800
fcaaade1
SS		 3801 if (default_noexec &&
3802 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3803 int rc = 0;
db4c9641
SS		 3804 if (vma->vm_start >= vma->vm_mm->start_brk &&
3805 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3806 rc = avc_has_perm(&selinux_state,
3807 sid, sid, SECCLASS_PROCESS,
be0554c9 3808 PROCESS__EXECHEAP, NULL);
db4c9641 3809 } else if (!vma->vm_file &&
c2316dbf
SS		 3810 ((vma->vm_start <= vma->vm_mm->start_stack &&
3811 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3812 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3813 rc = avc_has_perm(&selinux_state,
3814 sid, sid, SECCLASS_PROCESS,
be0554c9 3815 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3816 } else if (vma->vm_file && vma->anon_vma) {
3817 /*
3818 * We are making executable a file mapping that has
3819 * had some COW done. Since pages might have been
3820 * written, check ability to execute the possibly
3821 * modified content. This typically should only
3822 * occur for text relocations.
3823 */
d84f4f99 3824 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3825 }