]> git.ipfire.org Git - people/arne_f/kernel.git/blame - security/selinux/hooks.c
projects / people / arne_f / kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: do not override context on context mounts
[people/arne_f/kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
877ce7c1 82#include <linux/selinux.h>
23970741 83#include <linux/mutex.h>
f06febc9 84#include <linux/posix-timers.h>
00234592 85#include <linux/syslog.h>
3486740a 86#include <linux/user_namespace.h>
44fc7ea0 87#include <linux/export.h>
40401530
AV		 88#include <linux/msg.h>
89#include <linux/shm.h>
ec27c356 90#include <linux/bpf.h>
e262e32d 91#include <uapi/linux/mount.h>
1da177e4
LT		 92
93#include "avc.h"
94#include "objsec.h"
95#include "netif.h"
224dfbd8 96#include "netnode.h"
3e112172 97#include "netport.h"
409dcf31 98#include "ibpkey.h"
d28d1e08 99#include "xfrm.h"
c60475bf 100#include "netlabel.h"
9d57a7f9 101#include "audit.h"
7b98a585 102#include "avc_ss.h"
1da177e4 103
aa8e712c
SS		 104struct selinux_state selinux_state;
105
d621d35e 106/* SECMARK reference count */
56a4ca99 107static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 108
1da177e4 109#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 110static int selinux_enforcing_boot;
1da177e4
LT		 111
112static int __init enforcing_setup(char *str)
113{
f5269710 114 unsigned long enforcing;
29707b20 115 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 116 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 117 return 1;
118}
119__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 120#else
121#define selinux_enforcing_boot 1
1da177e4
LT		 122#endif
123
124#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
125int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126
127static int __init selinux_enabled_setup(char *str)
128{
f5269710 129 unsigned long enabled;
29707b20 130 if (!kstrtoul(str, 0, &enabled))
f5269710 131 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 132 return 1;
133}
134__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 135#else
136int selinux_enabled = 1;
1da177e4
LT		 137#endif
138
aa8e712c
SS		 139static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot))
147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 return 1;
149}
150__setup("checkreqprot=", checkreqprot_setup);
151
e18b890b 152static struct kmem_cache *sel_inode_cache;
63205654 153static struct kmem_cache *file_security_cache;
7cae7e26 154
d621d35e
PM		 155/**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 164 *
165 */
166static int selinux_secmark_enabled(void)
167{
aa8e712c
SS		 168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 170}
171
172/**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
182static int selinux_peerlbl_enabled(void)
183{
aa8e712c
SS		 184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 186}
187
615e51fd
PM		 188static int selinux_netcache_avc_callback(u32 event)
189{
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197}
198
8f408ab6
DJ		 199static int selinux_lsm_notifier_avc_callback(u32 event)
200{
409dcf31
DJ		 201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
8f408ab6 203 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 204 }
8f408ab6
DJ		 205
206 return 0;
207}
208
d84f4f99
DH		 209/*
210 * initialise the security for the init task
211 */
212static void cred_init_security(void)
1da177e4 213{
3b11a1de 214 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 215 struct task_security_struct *tsec;
216
89d155ef 217 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 218 if (!tsec)
d84f4f99 219 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 220
d84f4f99 221 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 222 cred->security = tsec;
1da177e4
LT		 223}
224
88e67f3b
DH		 225/*
226 * get the security ID of a set of credentials
227 */
228static inline u32 cred_sid(const struct cred *cred)
229{
230 const struct task_security_struct *tsec;
231
232 tsec = cred->security;
233 return tsec->sid;
234}
235
275bb41e 236/*
3b11a1de 237 * get the objective security ID of a task
275bb41e
DH		 238 */
239static inline u32 task_sid(const struct task_struct *task)
240{
275bb41e
DH		 241 u32 sid;
242
243 rcu_read_lock();
88e67f3b 244 sid = cred_sid(__task_cred(task));
275bb41e
DH		 245 rcu_read_unlock();
246 return sid;
247}
248
88e67f3b
DH		 249/* Allocate and free functions for each kind of security blob. */
250
1da177e4
LT		 251static int inode_alloc_security(struct inode *inode)
252{
1da177e4 253 struct inode_security_struct *isec;
275bb41e 254 u32 sid = current_sid();
1da177e4 255
a02fe132 256 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 257 if (!isec)
258 return -ENOMEM;
259
9287aed2 260 spin_lock_init(&isec->lock);
1da177e4 261 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 262 isec->inode = inode;
263 isec->sid = SECINITSID_UNLABELED;
264 isec->sclass = SECCLASS_FILE;
275bb41e 265 isec->task_sid = sid;
42059112 266 isec->initialized = LABEL_INVALID;
1da177e4
LT		 267 inode->i_security = isec;
268
269 return 0;
270}
271
5d226df4
AG		 272static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
273
274/*
275 * Try reloading inode security labels that have been marked as invalid. The
276 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 277 * allowed; when set to false, returns -ECHILD when the label is
e9193288 278 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 279 */
280static int __inode_security_revalidate(struct inode *inode,
e9193288 281 struct dentry *dentry,
5d226df4
AG		 282 bool may_sleep)
283{
284 struct inode_security_struct *isec = inode->i_security;
285
286 might_sleep_if(may_sleep);
287
aa8e712c
SS		 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 290 if (!may_sleep)
291 return -ECHILD;
292
293 /*
294 * Try reloading the inode security label. This will fail if
295 * @opt_dentry is NULL and no dentry for this inode can be
296 * found; in that case, continue using the old label.
297 */
e9193288 298 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 299 }
300 return 0;
301}
302
5d226df4
AG		 303static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304{
305 return inode->i_security;
306}
307
308static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
309{
310 int error;
311
312 error = __inode_security_revalidate(inode, NULL, !rcu);
313 if (error)
314 return ERR_PTR(error);
315 return inode->i_security;
316}
317
83da53c5
AG		 318/*
319 * Get the security label of an inode.
320 */
321static struct inode_security_struct *inode_security(struct inode *inode)
322{
5d226df4 323 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 324 return inode->i_security;
325}
326
2c97165b
PM		 327static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328{
329 struct inode *inode = d_backing_inode(dentry);
330
331 return inode->i_security;
332}
333
83da53c5
AG		 334/*
335 * Get the security label of a dentry's backing inode.
336 */
337static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338{
339 struct inode *inode = d_backing_inode(dentry);
340
5d226df4 341 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 342 return inode->i_security;
343}
344
3dc91d43
SR		 345static void inode_free_rcu(struct rcu_head *head)
346{
347 struct inode_security_struct *isec;
348
349 isec = container_of(head, struct inode_security_struct, rcu);
350 kmem_cache_free(sel_inode_cache, isec);
351}
352
1da177e4
LT		 353static void inode_free_security(struct inode *inode)
354{
355 struct inode_security_struct *isec = inode->i_security;
356 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
357
9629d04a
WL		 358 /*
359 * As not all inode security structures are in a list, we check for
360 * empty list outside of the lock to make sure that we won't waste
361 * time taking a lock doing nothing.
362 *
363 * The list_del_init() function can be safely called more than once.
364 * It should not be possible for this function to be called with
365 * concurrent list_add(), but for better safety against future changes
366 * in the code, we use list_empty_careful() here.
367 */
368 if (!list_empty_careful(&isec->list)) {
369 spin_lock(&sbsec->isec_lock);
1da177e4 370 list_del_init(&isec->list);
9629d04a
WL		 371 spin_unlock(&sbsec->isec_lock);
372 }
1da177e4 373
3dc91d43
SR		 374 /*
375 * The inode may still be referenced in a path walk and
376 * a call to selinux_inode_permission() can be made
377 * after inode_free_security() is called. Ideally, the VFS
378 * wouldn't do this, but fixing that is a much harder
379 * job. For now, simply free the i_security via RCU, and
380 * leave the current inode->i_security pointer intact.
381 * The inode will be freed after the RCU grace period too.
382 */
383 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 384}
385
386static int file_alloc_security(struct file *file)
387{
1da177e4 388 struct file_security_struct *fsec;
275bb41e 389 u32 sid = current_sid();
1da177e4 390
63205654 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 392 if (!fsec)
393 return -ENOMEM;
394
275bb41e
DH		 395 fsec->sid = sid;
396 fsec->fown_sid = sid;
1da177e4
LT		 397 file->f_security = fsec;
398
399 return 0;
400}
401
402static void file_free_security(struct file *file)
403{
404 struct file_security_struct *fsec = file->f_security;
1da177e4 405 file->f_security = NULL;
63205654 406 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 407}
408
409static int superblock_alloc_security(struct super_block *sb)
410{
411 struct superblock_security_struct *sbsec;
412
89d155ef 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 414 if (!sbsec)
415 return -ENOMEM;
416
bc7e982b 417 mutex_init(&sbsec->lock);
1da177e4
LT		 418 INIT_LIST_HEAD(&sbsec->isec_head);
419 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 420 sbsec->sb = sb;
421 sbsec->sid = SECINITSID_UNLABELED;
422 sbsec->def_sid = SECINITSID_FILE;
c312feb2 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 424 sb->s_security = sbsec;
425
426 return 0;
427}
428
429static void superblock_free_security(struct super_block *sb)
430{
431 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 432 sb->s_security = NULL;
433 kfree(sbsec);
434}
435
bd323655
AV		 436struct selinux_mnt_opts {
437 const char *fscontext, *context, *rootcontext, *defcontext;
438};
439
204cc0cc
AV		 440static void selinux_free_mnt_opts(void *mnt_opts)
441{
bd323655
AV		 442 struct selinux_mnt_opts *opts = mnt_opts;
443 kfree(opts->fscontext);
444 kfree(opts->context);
445 kfree(opts->rootcontext);
446 kfree(opts->defcontext);
204cc0cc
AV		 447 kfree(opts);
448}
449
1da177e4
LT		 450static inline int inode_doinit(struct inode *inode)
451{
452 return inode_doinit_with_dentry(inode, NULL);
453}
454
455enum {
31e87930 456 Opt_error = -1,
1da177e4
LT		 457 Opt_context = 1,
458 Opt_fscontext = 2,
c9180a57
EP		 459 Opt_defcontext = 3,
460 Opt_rootcontext = 4,
da3d76ab 461 Opt_seclabel = 5,
1da177e4
LT		 462};
463
da3d76ab 464#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 465static struct {
466 const char *name;
467 int len;
468 int opt;
469 bool has_arg;
470} tokens[] = {
da3d76ab
AV		 471 A(context, true),
472 A(fscontext, true),
473 A(defcontext, true),
474 A(rootcontext, true),
475 A(seclabel, false),
1da177e4 476};
169d68ef
AV		 477#undef A
478
479static int match_opt_prefix(char *s, int l, char **arg)
480{
481 int i;
482
483 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
484 size_t len = tokens[i].len;
485 if (len > l || memcmp(s, tokens[i].name, len))
486 continue;
487 if (tokens[i].has_arg) {
488 if (len == l || s[len] != '=')
489 continue;
490 *arg = s + len + 1;
491 } else if (len != l)
492 continue;
493 return tokens[i].opt;
494 }
495 return Opt_error;
496}
1da177e4
LT		 497
498#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
499
c312feb2
EP		 500static int may_context_mount_sb_relabel(u32 sid,
501 struct superblock_security_struct *sbsec,
275bb41e 502 const struct cred *cred)
c312feb2 503{
275bb41e 504 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 505 int rc;
506
6b6bc620
SS		 507 rc = avc_has_perm(&selinux_state,
508 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 509 FILESYSTEM__RELABELFROM, NULL);
510 if (rc)
511 return rc;
512
6b6bc620
SS		 513 rc = avc_has_perm(&selinux_state,
514 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 515 FILESYSTEM__RELABELTO, NULL);
516 return rc;
517}
518
0808925e
EP		 519static int may_context_mount_inode_relabel(u32 sid,
520 struct superblock_security_struct *sbsec,
275bb41e 521 const struct cred *cred)
0808925e 522{
275bb41e 523 const struct task_security_struct *tsec = cred->security;
0808925e 524 int rc;
6b6bc620
SS		 525 rc = avc_has_perm(&selinux_state,
526 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 527 FILESYSTEM__RELABELFROM, NULL);
528 if (rc)
529 return rc;
530
6b6bc620
SS		 531 rc = avc_has_perm(&selinux_state,
532 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 533 FILESYSTEM__ASSOCIATE, NULL);
534 return rc;
535}
536
a83d6dda 537static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 538{
a83d6dda
OM		 539 /* Special handling. Genfs but also in-core setxattr handler */
540 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 541 !strcmp(sb->s_type->name, "pstore") ||
542 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 543 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 544 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 545 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 546 (!strcmp(sb->s_type->name, "cgroup") ||
547 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 548}
549
a83d6dda
OM		 550static int selinux_is_sblabel_mnt(struct super_block *sb)
551{
552 struct superblock_security_struct *sbsec = sb->s_security;
553
554 /*
555 * IMPORTANT: Double-check logic in this function when adding a new
556 * SECURITY_FS_USE_* definition!
557 */
558 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
559
560 switch (sbsec->behavior) {
561 case SECURITY_FS_USE_XATTR:
562 case SECURITY_FS_USE_TRANS:
563 case SECURITY_FS_USE_TASK:
564 case SECURITY_FS_USE_NATIVE:
565 return 1;
566
567 case SECURITY_FS_USE_GENFS:
568 return selinux_is_genfs_special_handling(sb);
569
570 /* Never allow relabeling on context mounts */
571 case SECURITY_FS_USE_MNTPOINT:
572 case SECURITY_FS_USE_NONE:
573 default:
574 return 0;
575 }
576}
577
c9180a57 578static int sb_finish_set_opts(struct super_block *sb)
1da177e4 579{
1da177e4 580 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 581 struct dentry *root = sb->s_root;
c6f493d6 582 struct inode *root_inode = d_backing_inode(root);
c9180a57 583 int rc = 0;
1da177e4 584
c9180a57
EP		 585 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
586 /* Make sure that the xattr handler exists and that no
587 error other than -ENODATA is returned by getxattr on
588 the root directory. -ENODATA is ok, as this may be
589 the first boot of the SELinux kernel before we have
590 assigned xattr values to the filesystem. */
5d6c3191 591 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 592 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 593 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 594 rc = -EOPNOTSUPP;
595 goto out;
596 }
5d6c3191
AG		 597
598 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 599 if (rc < 0 && rc != -ENODATA) {
600 if (rc == -EOPNOTSUPP)
c103a91e 601 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 602 "%s) has no security xattr handler\n",
603 sb->s_id, sb->s_type->name);
c9180a57 604 else
c103a91e 605 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 606 "%s) getxattr errno %d\n", sb->s_id,
607 sb->s_type->name, -rc);
c9180a57
EP		 608 goto out;
609 }
610 }
1da177e4 611
eadcabc6 612 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 613
614 /*
615 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
616 * leave the flag untouched because sb_clone_mnt_opts might be handing
617 * us a superblock that needs the flag to be cleared.
618 */
b43e725d 619 if (selinux_is_sblabel_mnt(sb))
12f348b9 620 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 621 else
622 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 623
c9180a57
EP		 624 /* Initialize the root inode. */
625 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 626
c9180a57
EP		 627 /* Initialize any other inodes associated with the superblock, e.g.
628 inodes created prior to initial policy load or inodes created
629 during get_sb by a pseudo filesystem that directly
630 populates itself. */
631 spin_lock(&sbsec->isec_lock);
8d64124a 632 while (!list_empty(&sbsec->isec_head)) {
c9180a57 633 struct inode_security_struct *isec =
8d64124a 634 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 635 struct inode_security_struct, list);
636 struct inode *inode = isec->inode;
923190d3 637 list_del_init(&isec->list);
c9180a57
EP		 638 spin_unlock(&sbsec->isec_lock);
639 inode = igrab(inode);
640 if (inode) {
641 if (!IS_PRIVATE(inode))
642 inode_doinit(inode);
643 iput(inode);
644 }
645 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 646 }
647 spin_unlock(&sbsec->isec_lock);
648out:
649 return rc;
650}
1da177e4 651
c9180a57
EP		 652static int bad_option(struct superblock_security_struct *sbsec, char flag,
653 u32 old_sid, u32 new_sid)
654{
0d90a7ec
DQ		 655 char mnt_flags = sbsec->flags & SE_MNTMASK;
656
c9180a57 657 /* check if the old mount command had the same options */
0d90a7ec 658 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 659 if (!(sbsec->flags & flag) ||
660 (old_sid != new_sid))
661 return 1;
662
663 /* check if we were passed the same options twice,
664 * aka someone passed context=a,context=b
665 */
0d90a7ec
DQ		 666 if (!(sbsec->flags & SE_SBINITIALIZED))
667 if (mnt_flags & flag)
c9180a57
EP		 668 return 1;
669 return 0;
670}
e0007529 671
bd323655
AV		 672static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
673{
674 int rc = security_context_str_to_sid(&selinux_state, s,
675 sid, GFP_KERNEL);
676 if (rc)
677 pr_warn("SELinux: security_context_str_to_sid"
678 "(%s) failed for (dev %s, type %s) errno=%d\n",
679 s, sb->s_id, sb->s_type->name, rc);
680 return rc;
681}
682
c9180a57
EP		 683/*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
e0007529 687static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 688 void *mnt_opts,
649f6e77
DQ		 689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
c9180a57 691{
275bb41e 692 const struct cred *cred = current_cred();
c9180a57 693 struct superblock_security_struct *sbsec = sb->s_security;
83da53c5 694 struct dentry *root = sbsec->sb->s_root;
bd323655 695 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 696 struct inode_security_struct *root_isec;
c9180a57
EP		 697 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
698 u32 defcontext_sid = 0;
bd323655 699 int rc = 0;
c9180a57
EP		 700
701 mutex_lock(&sbsec->lock);
702
aa8e712c 703 if (!selinux_state.initialized) {
bd323655 704 if (!opts) {
c9180a57
EP		 705 /* Defer initialization until selinux_complete_init,
706 after the initial policy is loaded and the security
707 server is ready to handle calls. */
c9180a57
EP		 708 goto out;
709 }
710 rc = -EINVAL;
c103a91e 711 pr_warn("SELinux: Unable to set superblock options "
744ba35e 712 "before the security server is initialized\n");
1da177e4 713 goto out;
c9180a57 714 }
649f6e77
DQ		 715 if (kern_flags && !set_kern_flags) {
716 /* Specifying internal flags without providing a place to
717 * place the results is not allowed */
718 rc = -EINVAL;
719 goto out;
720 }
1da177e4 721
e0007529
EP		 722 /*
723 * Binary mount data FS will come through this function twice. Once
724 * from an explicit call and once from the generic calls from the vfs.
725 * Since the generic VFS calls will not contain any security mount data
726 * we need to skip the double mount verification.
727 *
728 * This does open a hole in which we will not notice if the first
729 * mount using this sb set explict options and a second mount using
730 * this sb does not set any security options. (The first options
731 * will be used for both mounts)
732 */
0d90a7ec 733 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 734 && !opts)
f5269710 735 goto out;
e0007529 736
2c97165b
PM		 737 root_isec = backing_inode_security_novalidate(root);
738
c9180a57
EP		 739 /*
740 * parse the mount options, check if they are valid sids.
741 * also check if someone is trying to mount the same sb more
742 * than once with different security options.
743 */
bd323655
AV		 744 if (opts) {
745 if (opts->fscontext) {
746 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
747 if (rc)
748 goto out;
c9180a57
EP		 749 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
750 fscontext_sid))
751 goto out_double_mount;
c9180a57 752 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 753 }
754 if (opts->context) {
755 rc = parse_sid(sb, opts->context, &context_sid);
756 if (rc)
757 goto out;
c9180a57
EP		 758 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
759 context_sid))
760 goto out_double_mount;
c9180a57 761 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 762 }
763 if (opts->rootcontext) {
764 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
765 if (rc)
766 goto out;
c9180a57
EP		 767 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
768 rootcontext_sid))
769 goto out_double_mount;
c9180a57 770 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 771 }
772 if (opts->defcontext) {
773 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
774 if (rc)
775 goto out;
c9180a57
EP		 776 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
777 defcontext_sid))
778 goto out_double_mount;
c9180a57 779 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 780 }
c9180a57
EP		 781 }
782
0d90a7ec 783 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 784 /* previously mounted with options, but not on this attempt? */
bd323655 785 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 786 goto out_double_mount;
787 rc = 0;
788 goto out;
789 }
790
089be43e 791 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 792 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
793
8e014720 794 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 795 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 796 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 797 !strcmp(sb->s_type->name, "pstore") ||
798 !strcmp(sb->s_type->name, "cgroup") ||
799 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 800 sbsec->flags |= SE_SBGENFS;
c9180a57 801
eb9ae686
DQ		 802 if (!sbsec->behavior) {
803 /*
804 * Determine the labeling behavior to use for this
805 * filesystem type.
806 */
aa8e712c 807 rc = security_fs_use(&selinux_state, sb);
eb9ae686 808 if (rc) {
c103a91e 809 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 810 __func__, sb->s_type->name, rc);
811 goto out;
812 }
c9180a57 813 }
aad82892
SF		 814
815 /*
01593d32
SS		 816 * If this is a user namespace mount and the filesystem type is not
817 * explicitly whitelisted, then no contexts are allowed on the command
818 * line and security labels must be ignored.
aad82892 819 */
01593d32
SS		 820 if (sb->s_user_ns != &init_user_ns &&
821 strcmp(sb->s_type->name, "tmpfs") &&
822 strcmp(sb->s_type->name, "ramfs") &&
823 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 824 if (context_sid || fscontext_sid || rootcontext_sid ||
825 defcontext_sid) {
826 rc = -EACCES;
827 goto out;
828 }
829 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
830 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 831 rc = security_transition_sid(&selinux_state,
832 current_sid(),
833 current_sid(),
aad82892
SF		 834 SECCLASS_FILE, NULL,
835 &sbsec->mntpoint_sid);
836 if (rc)
837 goto out;
838 }
839 goto out_set_opts;
840 }
841
c9180a57
EP		 842 /* sets the context of the superblock for the fs being mounted. */
843 if (fscontext_sid) {
275bb41e 844 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 845 if (rc)
c9180a57 846 goto out;
1da177e4 847
c9180a57 848 sbsec->sid = fscontext_sid;
c312feb2
EP		 849 }
850
851 /*
852 * Switch to using mount point labeling behavior.
853 * sets the label used on all file below the mountpoint, and will set
854 * the superblock context if not already set.
855 */
eb9ae686
DQ		 856 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
857 sbsec->behavior = SECURITY_FS_USE_NATIVE;
858 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
859 }
860
c9180a57
EP		 861 if (context_sid) {
862 if (!fscontext_sid) {
275bb41e
DH		 863 rc = may_context_mount_sb_relabel(context_sid, sbsec,
864 cred);
b04ea3ce 865 if (rc)
c9180a57
EP		 866 goto out;
867 sbsec->sid = context_sid;
b04ea3ce 868 } else {
275bb41e
DH		 869 rc = may_context_mount_inode_relabel(context_sid, sbsec,
870 cred);
b04ea3ce 871 if (rc)
c9180a57 872 goto out;
b04ea3ce 873 }
c9180a57
EP		 874 if (!rootcontext_sid)
875 rootcontext_sid = context_sid;
1da177e4 876
c9180a57 877 sbsec->mntpoint_sid = context_sid;
c312feb2 878 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 879 }
880
c9180a57 881 if (rootcontext_sid) {
275bb41e
DH		 882 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
883 cred);
0808925e 884 if (rc)
c9180a57 885 goto out;
0808925e 886
c9180a57 887 root_isec->sid = rootcontext_sid;
6f3be9f5 888 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 889 }
890
c9180a57 891 if (defcontext_sid) {
eb9ae686
DQ		 892 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
893 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 894 rc = -EINVAL;
c103a91e 895 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 896 "invalid for this filesystem type\n");
897 goto out;
1da177e4
LT		 898 }
899
c9180a57
EP		 900 if (defcontext_sid != sbsec->def_sid) {
901 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 902 sbsec, cred);
c9180a57
EP		 903 if (rc)
904 goto out;
905 }
1da177e4 906
c9180a57 907 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 908 }
909
aad82892 910out_set_opts:
c9180a57 911 rc = sb_finish_set_opts(sb);
1da177e4 912out:
c9180a57 913 mutex_unlock(&sbsec->lock);
1da177e4 914 return rc;
c9180a57
EP		 915out_double_mount:
916 rc = -EINVAL;
c103a91e 917 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 918 "security settings for (dev %s, type %s)\n", sb->s_id,
919 sb->s_type->name);
c9180a57 920 goto out;
1da177e4
LT		 921}
922
094f7b69
JL		 923static int selinux_cmp_sb_context(const struct super_block *oldsb,
924 const struct super_block *newsb)
925{
926 struct superblock_security_struct *old = oldsb->s_security;
927 struct superblock_security_struct *new = newsb->s_security;
928 char oldflags = old->flags & SE_MNTMASK;
929 char newflags = new->flags & SE_MNTMASK;
930
931 if (oldflags != newflags)
932 goto mismatch;
933 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
934 goto mismatch;
935 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
936 goto mismatch;
937 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
938 goto mismatch;
939 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 940 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
941 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 942 if (oldroot->sid != newroot->sid)
943 goto mismatch;
944 }
945 return 0;
946mismatch:
c103a91e 947 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 948 "different security settings for (dev %s, "
949 "type %s)\n", newsb->s_id, newsb->s_type->name);
950 return -EBUSY;
951}
952
953static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 954 struct super_block *newsb,
955 unsigned long kern_flags,
956 unsigned long *set_kern_flags)
1da177e4 957{
0b4d3452 958 int rc = 0;
c9180a57
EP		 959 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
960 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 961
c9180a57
EP		 962 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
963 int set_context = (oldsbsec->flags & CONTEXT_MNT);
964 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 965
0f5e6420
EP		 966 /*
967 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 968 * mount options. thus we can safely deal with this superblock later
0f5e6420 969 */
aa8e712c 970 if (!selinux_state.initialized)
094f7b69 971 return 0;
c9180a57 972
0b4d3452
SM		 973 /*
974 * Specifying internal flags without providing a place to
975 * place the results is not allowed.
976 */
977 if (kern_flags && !set_kern_flags)
978 return -EINVAL;
979
c9180a57 980 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 981 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 982
094f7b69 983 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 984 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 985 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 986
c9180a57
EP		 987 mutex_lock(&newsbsec->lock);
988
989 newsbsec->flags = oldsbsec->flags;
990
991 newsbsec->sid = oldsbsec->sid;
992 newsbsec->def_sid = oldsbsec->def_sid;
993 newsbsec->behavior = oldsbsec->behavior;
994
0b4d3452
SM		 995 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
996 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 997 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 998 if (rc)
999 goto out;
1000 }
1001
1002 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1003 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1004 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1005 }
1006
c9180a57
EP		 1007 if (set_context) {
1008 u32 sid = oldsbsec->mntpoint_sid;
1009
1010 if (!set_fscontext)
1011 newsbsec->sid = sid;
1012 if (!set_rootcontext) {
83da53c5 1013 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1014 newisec->sid = sid;
1015 }
1016 newsbsec->mntpoint_sid = sid;
1da177e4 1017 }
c9180a57 1018 if (set_rootcontext) {
83da53c5
AG		 1019 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1020 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1021
c9180a57 1022 newisec->sid = oldisec->sid;
1da177e4
LT		 1023 }
1024
c9180a57 1025 sb_finish_set_opts(newsb);
0b4d3452 1026out:
c9180a57 1027 mutex_unlock(&newsbsec->lock);
0b4d3452 1028 return rc;
c9180a57
EP		 1029}
1030
ba641862 1031static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 1032{
ba641862 1033 struct selinux_mnt_opts *opts = *mnt_opts;
1da177e4 1034
da3d76ab 1035 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef 1036 return 0;
e0007529 1037
ba641862
AV		 1038 if (!opts) {
1039 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1040 if (!opts)
1041 return -ENOMEM;
1042 *mnt_opts = opts;
c9180a57 1043 }
ba641862
AV		 1044 if (!s)
1045 return -ENOMEM;
1046 switch (token) {
1047 case Opt_context:
1048 if (opts->context || opts->defcontext)
1049 goto Einval;
1050 opts->context = s;
1051 break;
1052 case Opt_fscontext:
1053 if (opts->fscontext)
1054 goto Einval;
1055 opts->fscontext = s;
1056 break;
1057 case Opt_rootcontext:
1058 if (opts->rootcontext)
1059 goto Einval;
1060 opts->rootcontext = s;
1061 break;
1062 case Opt_defcontext:
1063 if (opts->context || opts->defcontext)
1064 goto Einval;
1065 opts->defcontext = s;
1066 break;
c9180a57 1067 }
e0007529 1068 return 0;
ba641862
AV		 1069Einval:
1070 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1071 return -EINVAL;
1da177e4 1072}
e0007529 1073
757cbe59
AV		 1074static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1075 void **mnt_opts)
c9180a57 1076{
757cbe59
AV		 1077 int token = Opt_error;
1078 int rc, i;
e0007529 1079
757cbe59
AV		 1080 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1081 if (strcmp(option, tokens[i].name) == 0) {
1082 token = tokens[i].opt;
1083 break;
169d68ef 1084 }
757cbe59 1085 }
e0007529 1086
757cbe59
AV		 1087 if (token == Opt_error)
1088 return -EINVAL;
e0007529 1089
757cbe59
AV		 1090 if (token != Opt_seclabel)
1091 val = kmemdup_nul(val, len, GFP_KERNEL);
1092 rc = selinux_add_opt(token, val, mnt_opts);
1093 if (unlikely(rc)) {
1094 kfree(val);
1095 if (*mnt_opts) {
169d68ef
AV		 1096 selinux_free_mnt_opts(*mnt_opts);
1097 *mnt_opts = NULL;
1da177e4 1098 }
1da177e4 1099 }
e0007529
EP		 1100 return rc;
1101}
1da177e4 1102
e3489f89 1103static int show_sid(struct seq_file *m, u32 sid)
2069f457 1104{
e3489f89
AV		 1105 char *context = NULL;
1106 u32 len;
1107 int rc;
11689d47 1108
e3489f89
AV		 1109 rc = security_sid_to_context(&selinux_state, sid,
1110 &context, &len);
1111 if (!rc) {
1112 bool has_comma = context && strchr(context, ',');
2069f457 1113
2069f457
EP		 1114 if (has_comma)
1115 seq_putc(m, '\"');
e3489f89 1116 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1117 if (has_comma)
1118 seq_putc(m, '\"');
1119 }
e3489f89
AV		 1120 kfree(context);
1121 return rc;
2069f457
EP		 1122}
1123
1124static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1125{
e3489f89 1126 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1127 int rc;
1128
e3489f89
AV		 1129 if (!(sbsec->flags & SE_SBINITIALIZED))
1130 return 0;
2069f457 1131
e3489f89
AV		 1132 if (!selinux_state.initialized)
1133 return 0;
2069f457 1134
e3489f89
AV		 1135 if (sbsec->flags & FSCONTEXT_MNT) {
1136 seq_putc(m, ',');
1137 seq_puts(m, FSCONTEXT_STR);
1138 rc = show_sid(m, sbsec->sid);
1139 if (rc)
1140 return rc;
1141 }
1142 if (sbsec->flags & CONTEXT_MNT) {
1143 seq_putc(m, ',');
1144 seq_puts(m, CONTEXT_STR);
1145 rc = show_sid(m, sbsec->mntpoint_sid);
1146 if (rc)
1147 return rc;
1148 }
1149 if (sbsec->flags & DEFCONTEXT_MNT) {
1150 seq_putc(m, ',');
1151 seq_puts(m, DEFCONTEXT_STR);
1152 rc = show_sid(m, sbsec->def_sid);
1153 if (rc)
1154 return rc;
1155 }
1156 if (sbsec->flags & ROOTCONTEXT_MNT) {
1157 struct dentry *root = sbsec->sb->s_root;
1158 struct inode_security_struct *isec = backing_inode_security(root);
1159 seq_putc(m, ',');
1160 seq_puts(m, ROOTCONTEXT_STR);
1161 rc = show_sid(m, isec->sid);
1162 if (rc)
1163 return rc;
1164 }
1165 if (sbsec->flags & SBLABEL_MNT) {
1166 seq_putc(m, ',');
1167 seq_puts(m, LABELSUPP_STR);
1168 }
1169 return 0;
2069f457
EP		 1170}
1171
1da177e4
LT		 1172static inline u16 inode_mode_to_security_class(umode_t mode)
1173{
1174 switch (mode & S_IFMT) {
1175 case S_IFSOCK:
1176 return SECCLASS_SOCK_FILE;
1177 case S_IFLNK:
1178 return SECCLASS_LNK_FILE;
1179 case S_IFREG:
1180 return SECCLASS_FILE;
1181 case S_IFBLK:
1182 return SECCLASS_BLK_FILE;
1183 case S_IFDIR:
1184 return SECCLASS_DIR;
1185 case S_IFCHR:
1186 return SECCLASS_CHR_FILE;
1187 case S_IFIFO:
1188 return SECCLASS_FIFO_FILE;
1189
1190 }
1191
1192 return SECCLASS_FILE;
1193}
1194
13402580
JM		 1195static inline int default_protocol_stream(int protocol)
1196{
1197 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1198}
1199
1200static inline int default_protocol_dgram(int protocol)
1201{
1202 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1203}
1204
1da177e4
LT		 1205static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1206{
aa8e712c 1207 int extsockclass = selinux_policycap_extsockclass();
da69a530 1208
1da177e4
LT		 1209 switch (family) {
1210 case PF_UNIX:
1211 switch (type) {
1212 case SOCK_STREAM:
1213 case SOCK_SEQPACKET:
1214 return SECCLASS_UNIX_STREAM_SOCKET;
1215 case SOCK_DGRAM:
2a764b52 1216 case SOCK_RAW:
1da177e4
LT		 1217 return SECCLASS_UNIX_DGRAM_SOCKET;
1218 }
1219 break;
1220 case PF_INET:
1221 case PF_INET6:
1222 switch (type) {
1223 case SOCK_STREAM:
da69a530 1224 case SOCK_SEQPACKET:
13402580
JM		 1225 if (default_protocol_stream(protocol))
1226 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1227 else if (extsockclass && protocol == IPPROTO_SCTP)
1228 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1229 else
1230 return SECCLASS_RAWIP_SOCKET;
1da177e4 1231 case SOCK_DGRAM:
13402580
JM		 1232 if (default_protocol_dgram(protocol))
1233 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1234 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1235 protocol == IPPROTO_ICMPV6))
da69a530 1236 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1237 else
1238 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1239 case SOCK_DCCP:
1240 return SECCLASS_DCCP_SOCKET;
13402580 1241 default:
1da177e4
LT		 1242 return SECCLASS_RAWIP_SOCKET;
1243 }
1244 break;
1245 case PF_NETLINK:
1246 switch (protocol) {
1247 case NETLINK_ROUTE:
1248 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1249 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1250 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1251 case NETLINK_NFLOG:
1252 return SECCLASS_NETLINK_NFLOG_SOCKET;
1253 case NETLINK_XFRM:
1254 return SECCLASS_NETLINK_XFRM_SOCKET;
1255 case NETLINK_SELINUX:
1256 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1257 case NETLINK_ISCSI:
1258 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1259 case NETLINK_AUDIT:
1260 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1261 case NETLINK_FIB_LOOKUP:
1262 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1263 case NETLINK_CONNECTOR:
1264 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1265 case NETLINK_NETFILTER:
1266 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1267 case NETLINK_DNRTMSG:
1268 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1269 case NETLINK_KOBJECT_UEVENT:
1270 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1271 case NETLINK_GENERIC:
1272 return SECCLASS_NETLINK_GENERIC_SOCKET;
1273 case NETLINK_SCSITRANSPORT:
1274 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1275 case NETLINK_RDMA:
1276 return SECCLASS_NETLINK_RDMA_SOCKET;
1277 case NETLINK_CRYPTO:
1278 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1279 default:
1280 return SECCLASS_NETLINK_SOCKET;
1281 }
1282 case PF_PACKET:
1283 return SECCLASS_PACKET_SOCKET;
1284 case PF_KEY:
1285 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1286 case PF_APPLETALK:
1287 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1288 }
1289
da69a530
SS		 1290 if (extsockclass) {
1291 switch (family) {
1292 case PF_AX25:
1293 return SECCLASS_AX25_SOCKET;
1294 case PF_IPX:
1295 return SECCLASS_IPX_SOCKET;
1296 case PF_NETROM:
1297 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1298 case PF_ATMPVC:
1299 return SECCLASS_ATMPVC_SOCKET;
1300 case PF_X25:
1301 return SECCLASS_X25_SOCKET;
1302 case PF_ROSE:
1303 return SECCLASS_ROSE_SOCKET;
1304 case PF_DECnet:
1305 return SECCLASS_DECNET_SOCKET;
1306 case PF_ATMSVC:
1307 return SECCLASS_ATMSVC_SOCKET;
1308 case PF_RDS:
1309 return SECCLASS_RDS_SOCKET;
1310 case PF_IRDA:
1311 return SECCLASS_IRDA_SOCKET;
1312 case PF_PPPOX:
1313 return SECCLASS_PPPOX_SOCKET;
1314 case PF_LLC:
1315 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1316 case PF_CAN:
1317 return SECCLASS_CAN_SOCKET;
1318 case PF_TIPC:
1319 return SECCLASS_TIPC_SOCKET;
1320 case PF_BLUETOOTH:
1321 return SECCLASS_BLUETOOTH_SOCKET;
1322 case PF_IUCV:
1323 return SECCLASS_IUCV_SOCKET;
1324 case PF_RXRPC:
1325 return SECCLASS_RXRPC_SOCKET;
1326 case PF_ISDN:
1327 return SECCLASS_ISDN_SOCKET;
1328 case PF_PHONET:
1329 return SECCLASS_PHONET_SOCKET;
1330 case PF_IEEE802154:
1331 return SECCLASS_IEEE802154_SOCKET;
1332 case PF_CAIF:
1333 return SECCLASS_CAIF_SOCKET;
1334 case PF_ALG:
1335 return SECCLASS_ALG_SOCKET;
1336 case PF_NFC:
1337 return SECCLASS_NFC_SOCKET;
1338 case PF_VSOCK:
1339 return SECCLASS_VSOCK_SOCKET;
1340 case PF_KCM:
1341 return SECCLASS_KCM_SOCKET;
1342 case PF_QIPCRTR:
1343 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1344 case PF_SMC:
1345 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1346 case PF_XDP:
1347 return SECCLASS_XDP_SOCKET;
1348#if PF_MAX > 45
da69a530
SS		 1349#error New address family defined, please update this function.
1350#endif
1351 }
1352 }
1353
1da177e4
LT		 1354 return SECCLASS_SOCKET;
1355}
1356
134509d5
SS		 1357static int selinux_genfs_get_sid(struct dentry *dentry,
1358 u16 tclass,
1359 u16 flags,
1360 u32 *sid)
1da177e4 1361{
8e6c9693 1362 int rc;
fc64005c 1363 struct super_block *sb = dentry->d_sb;
8e6c9693 1364 char *buffer, *path;
1da177e4 1365
828dfe1d 1366 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1367 if (!buffer)
1368 return -ENOMEM;
1369
8e6c9693
LAG		 1370 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1371 if (IS_ERR(path))
1372 rc = PTR_ERR(path);
1373 else {
134509d5
SS		 1374 if (flags & SE_SBPROC) {
1375 /* each process gets a /proc/PID/ entry. Strip off the
1376 * PID part to get a valid selinux labeling.
1377 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1378 while (path[1] >= '0' && path[1] <= '9') {
1379 path[1] = '/';
1380 path++;
1381 }
8e6c9693 1382 }
aa8e712c
SS		 1383 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1384 path, tclass, sid);
7bb185ed
SS		 1385 if (rc == -ENOENT) {
1386 /* No match in policy, mark as unlabeled. */
1387 *sid = SECINITSID_UNLABELED;
1388 rc = 0;
1389 }
1da177e4 1390 }
1da177e4
LT		 1391 free_page((unsigned long)buffer);
1392 return rc;
1393}
1da177e4
LT		 1394
1395/* The inode's security attributes must be initialized before first use. */
1396static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1397{
1398 struct superblock_security_struct *sbsec = NULL;
1399 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1400 u32 task_sid, sid = 0;
1401 u16 sclass;
1da177e4
LT		 1402 struct dentry *dentry;
1403#define INITCONTEXTLEN 255
1404 char *context = NULL;
1405 unsigned len = 0;
1406 int rc = 0;
1da177e4 1407
6f3be9f5 1408 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1409 return 0;
1da177e4 1410
9287aed2 1411 spin_lock(&isec->lock);
6f3be9f5 1412 if (isec->initialized == LABEL_INITIALIZED)
23970741 1413 goto out_unlock;
1da177e4 1414
13457d07
AG		 1415 if (isec->sclass == SECCLASS_FILE)
1416 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1417
1da177e4 1418 sbsec = inode->i_sb->s_security;
0d90a7ec 1419 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1420 /* Defer initialization until selinux_complete_init,
1421 after the initial policy is loaded and the security
1422 server is ready to handle calls. */
1423 spin_lock(&sbsec->isec_lock);
1424 if (list_empty(&isec->list))
1425 list_add(&isec->list, &sbsec->isec_head);
1426 spin_unlock(&sbsec->isec_lock);
23970741 1427 goto out_unlock;
1da177e4
LT		 1428 }
1429
9287aed2
AG		 1430 sclass = isec->sclass;
1431 task_sid = isec->task_sid;
1432 sid = isec->sid;
1433 isec->initialized = LABEL_PENDING;
1434 spin_unlock(&isec->lock);
1435
1da177e4 1436 switch (sbsec->behavior) {
eb9ae686
DQ		 1437 case SECURITY_FS_USE_NATIVE:
1438 break;
1da177e4 1439 case SECURITY_FS_USE_XATTR:
5d6c3191 1440 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1441 sid = sbsec->def_sid;
1da177e4
LT		 1442 break;
1443 }
1da177e4
LT		 1444 /* Need a dentry, since the xattr API requires one.
1445 Life would be simpler if we could just pass the inode. */
1446 if (opt_dentry) {
1447 /* Called from d_instantiate or d_splice_alias. */
1448 dentry = dget(opt_dentry);
1449 } else {
b127125d
AV		 1450 /*
1451 * Called from selinux_complete_init, try to find a dentry.
1452 * Some filesystems really want a connected one, so try
1453 * that first. We could split SECURITY_FS_USE_XATTR in
1454 * two, depending upon that...
1455 */
1da177e4 1456 dentry = d_find_alias(inode);
b127125d
AV		 1457 if (!dentry)
1458 dentry = d_find_any_alias(inode);
1da177e4
LT		 1459 }
1460 if (!dentry) {
df7f54c0
EP		 1461 /*
1462 * this is can be hit on boot when a file is accessed
1463 * before the policy is loaded. When we load policy we
1464 * may find inodes that have no dentry on the
1465 * sbsec->isec_head list. No reason to complain as these
1466 * will get fixed up the next time we go through
1467 * inode_doinit with a dentry, before these inodes could
1468 * be used again by userspace.
1469 */
9287aed2 1470 goto out;
1da177e4
LT		 1471 }
1472
1473 len = INITCONTEXTLEN;
4cb912f1 1474 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1475 if (!context) {
1476 rc = -ENOMEM;
1477 dput(dentry);
9287aed2 1478 goto out;
1da177e4 1479 }
4cb912f1 1480 context[len] = '\0';
5d6c3191 1481 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1482 if (rc == -ERANGE) {
314dabb8
JM		 1483 kfree(context);
1484
1da177e4 1485 /* Need a larger buffer. Query for the right size. */
5d6c3191 1486 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1487 if (rc < 0) {
1488 dput(dentry);
9287aed2 1489 goto out;
1da177e4 1490 }
1da177e4 1491 len = rc;
4cb912f1 1492 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1493 if (!context) {
1494 rc = -ENOMEM;
1495 dput(dentry);
9287aed2 1496 goto out;
1da177e4 1497 }
4cb912f1 1498 context[len] = '\0';
5d6c3191 1499 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1500 }
1501 dput(dentry);
1502 if (rc < 0) {
1503 if (rc != -ENODATA) {
c103a91e 1504 pr_warn("SELinux: %s: getxattr returned "
dd6f953a 1505 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1506 -rc, inode->i_sb->s_id, inode->i_ino);
1507 kfree(context);
9287aed2 1508 goto out;
1da177e4
LT		 1509 }
1510 /* Map ENODATA to the default file SID */
1511 sid = sbsec->def_sid;
1512 rc = 0;
1513 } else {
aa8e712c
SS		 1514 rc = security_context_to_sid_default(&selinux_state,
1515 context, rc, &sid,
869ab514
SS		 1516 sbsec->def_sid,
1517 GFP_NOFS);
1da177e4 1518 if (rc) {
4ba0a8ad
EP		 1519 char *dev = inode->i_sb->s_id;
1520 unsigned long ino = inode->i_ino;
1521
1522 if (rc == -EINVAL) {
1523 if (printk_ratelimit())
c103a91e 1524 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
4ba0a8ad
EP		 1525 "context=%s. This indicates you may need to relabel the inode or the "
1526 "filesystem in question.\n", ino, dev, context);
1527 } else {
c103a91e 1528 pr_warn("SELinux: %s: context_to_sid(%s) "
4ba0a8ad
EP		 1529 "returned %d for dev=%s ino=%ld\n",
1530 __func__, context, -rc, dev, ino);
1531 }
1da177e4
LT		 1532 kfree(context);
1533 /* Leave with the unlabeled SID */
1534 rc = 0;
1535 break;
1536 }
1537 }
1538 kfree(context);
1da177e4
LT		 1539 break;
1540 case SECURITY_FS_USE_TASK:
9287aed2 1541 sid = task_sid;
1da177e4
LT		 1542 break;
1543 case SECURITY_FS_USE_TRANS:
1544 /* Default to the fs SID. */
9287aed2 1545 sid = sbsec->sid;
1da177e4
LT		 1546
1547 /* Try to obtain a transition SID. */
aa8e712c
SS		 1548 rc = security_transition_sid(&selinux_state, task_sid, sid,
1549 sclass, NULL, &sid);
1da177e4 1550 if (rc)
9287aed2 1551 goto out;
1da177e4 1552 break;
c312feb2 1553 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1554 sid = sbsec->mntpoint_sid;
c312feb2 1555 break;
1da177e4 1556 default:
c312feb2 1557 /* Default to the fs superblock SID. */
9287aed2 1558 sid = sbsec->sid;
1da177e4 1559
134509d5 1560 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1561 /* We must have a dentry to determine the label on
1562 * procfs inodes */
b127125d 1563 if (opt_dentry) {
f64410ec
PM		 1564 /* Called from d_instantiate or
1565 * d_splice_alias. */
1566 dentry = dget(opt_dentry);
b127125d 1567 } else {
f64410ec 1568 /* Called from selinux_complete_init, try to
b127125d
AV		 1569 * find a dentry. Some filesystems really want
1570 * a connected one, so try that first.
1571 */
f64410ec 1572 dentry = d_find_alias(inode);
b127125d
AV		 1573 if (!dentry)
1574 dentry = d_find_any_alias(inode);
1575 }
f64410ec
PM		 1576 /*
1577 * This can be hit on boot when a file is accessed
1578 * before the policy is loaded. When we load policy we
1579 * may find inodes that have no dentry on the
1580 * sbsec->isec_head list. No reason to complain as
1581 * these will get fixed up the next time we go through
1582 * inode_doinit() with a dentry, before these inodes
1583 * could be used again by userspace.
1584 */
1585 if (!dentry)
9287aed2
AG		 1586 goto out;
1587 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1588 sbsec->flags, &sid);
f64410ec
PM		 1589 dput(dentry);
1590 if (rc)
9287aed2 1591 goto out;
1da177e4
LT		 1592 }
1593 break;
1594 }
1595
9287aed2
AG		 1596out:
1597 spin_lock(&isec->lock);
1598 if (isec->initialized == LABEL_PENDING) {
1599 if (!sid || rc) {
1600 isec->initialized = LABEL_INVALID;
1601 goto out_unlock;
1602 }
1603
1604 isec->initialized = LABEL_INITIALIZED;
1605 isec->sid = sid;
1606 }
1da177e4 1607
23970741 1608out_unlock:
9287aed2 1609 spin_unlock(&isec->lock);
1da177e4
LT		 1610 return rc;
1611}
1612
1613/* Convert a Linux signal to an access vector. */
1614static inline u32 signal_to_av(int sig)
1615{
1616 u32 perm = 0;
1617
1618 switch (sig) {
1619 case SIGCHLD:
1620 /* Commonly granted from child to parent. */
1621 perm = PROCESS__SIGCHLD;
1622 break;
1623 case SIGKILL:
1624 /* Cannot be caught or ignored */
1625 perm = PROCESS__SIGKILL;
1626 break;
1627 case SIGSTOP:
1628 /* Cannot be caught or ignored */
1629 perm = PROCESS__SIGSTOP;
1630 break;
1631 default:
1632 /* All other signals. */
1633 perm = PROCESS__SIGNAL;
1634 break;
1635 }
1636
1637 return perm;
1638}
1639
b68e418c
SS		 1640#if CAP_LAST_CAP > 63
1641#error Fix SELinux to handle capabilities > 63.
1642#endif
1643
1da177e4 1644/* Check whether a task is allowed to use a capability. */
6a9de491 1645static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1646 int cap, int audit, bool initns)
1da177e4 1647{
2bf49690 1648 struct common_audit_data ad;
06112163 1649 struct av_decision avd;
b68e418c 1650 u16 sclass;
3699c53c 1651 u32 sid = cred_sid(cred);
b68e418c 1652 u32 av = CAP_TO_MASK(cap);
06112163 1653 int rc;
1da177e4 1654
50c205f5 1655 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1656 ad.u.cap = cap;
1657
b68e418c
SS		 1658 switch (CAP_TO_INDEX(cap)) {
1659 case 0:
8e4ff6f2 1660 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1661 break;
1662 case 1:
8e4ff6f2 1663 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1664 break;
1665 default:
c103a91e 1666 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1667 BUG();
a35c6c83 1668 return -EINVAL;
b68e418c 1669 }
06112163 1670
6b6bc620
SS		 1671 rc = avc_has_perm_noaudit(&selinux_state,
1672 sid, sid, sclass, av, 0, &avd);
9ade0cf4 1673 if (audit == SECURITY_CAP_AUDIT) {
6b6bc620
SS		 1674 int rc2 = avc_audit(&selinux_state,
1675 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1676 if (rc2)
1677 return rc2;
1678 }
06112163 1679 return rc;
1da177e4
LT		 1680}
1681
1da177e4
LT		 1682/* Check whether a task has a particular permission to an inode.
1683 The 'adp' parameter is optional and allows other audit
1684 data to be passed (e.g. the dentry). */
88e67f3b 1685static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1686 struct inode *inode,
1687 u32 perms,
19e49834 1688 struct common_audit_data *adp)
1da177e4 1689{
1da177e4 1690 struct inode_security_struct *isec;
275bb41e 1691 u32 sid;
1da177e4 1692
e0e81739
DH		 1693 validate_creds(cred);
1694
828dfe1d 1695 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1696 return 0;
1697
88e67f3b 1698 sid = cred_sid(cred);
1da177e4
LT		 1699 isec = inode->i_security;
1700
6b6bc620
SS		 1701 return avc_has_perm(&selinux_state,
1702 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1703}
1704
1705/* Same as inode_has_perm, but pass explicit audit data containing
1706 the dentry to help the auditing code to more easily generate the
1707 pathname if needed. */
88e67f3b 1708static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1709 struct dentry *dentry,
1710 u32 av)
1711{
c6f493d6 1712 struct inode *inode = d_backing_inode(dentry);
2bf49690 1713 struct common_audit_data ad;
88e67f3b 1714
50c205f5 1715 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1716 ad.u.dentry = dentry;
5d226df4 1717 __inode_security_revalidate(inode, dentry, true);
19e49834 1718 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1719}
1720
1721/* Same as inode_has_perm, but pass explicit audit data containing
1722 the path to help the auditing code to more easily generate the
1723 pathname if needed. */
1724static inline int path_has_perm(const struct cred *cred,
3f7036a0 1725 const struct path *path,
2875fa00
EP		 1726 u32 av)
1727{
c6f493d6 1728 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1729 struct common_audit_data ad;
1730
50c205f5 1731 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1732 ad.u.path = *path;
5d226df4 1733 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1734 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1735}
1736
13f8e981
DH		 1737/* Same as path_has_perm, but uses the inode from the file struct. */
1738static inline int file_path_has_perm(const struct cred *cred,
1739 struct file *file,
1740 u32 av)
1741{
1742 struct common_audit_data ad;
1743
43af5de7
VG		 1744 ad.type = LSM_AUDIT_DATA_FILE;
1745 ad.u.file = file;
19e49834 1746 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1747}
1748
f66e448c
CF		 1749#ifdef CONFIG_BPF_SYSCALL
1750static int bpf_fd_pass(struct file *file, u32 sid);
1751#endif
1752
1da177e4
LT		 1753/* Check whether a task can use an open file descriptor to
1754 access an inode in a given way. Check access to the
1755 descriptor itself, and then use dentry_has_perm to
1756 check a particular permission to the file.
1757 Access to the descriptor is implicitly granted if it
1758 has the same SID as the process. If av is zero, then
1759 access to the file is not checked, e.g. for cases
1760 where only the descriptor is affected like seek. */
88e67f3b
DH		 1761static int file_has_perm(const struct cred *cred,
1762 struct file *file,
1763 u32 av)
1da177e4 1764{
1da177e4 1765 struct file_security_struct *fsec = file->f_security;
496ad9aa 1766 struct inode *inode = file_inode(file);
2bf49690 1767 struct common_audit_data ad;
88e67f3b 1768 u32 sid = cred_sid(cred);
1da177e4
LT		 1769 int rc;
1770
43af5de7
VG		 1771 ad.type = LSM_AUDIT_DATA_FILE;
1772 ad.u.file = file;
1da177e4 1773
275bb41e 1774 if (sid != fsec->sid) {
6b6bc620
SS		 1775 rc = avc_has_perm(&selinux_state,
1776 sid, fsec->sid,
1da177e4
LT		 1777 SECCLASS_FD,
1778 FD__USE,
1779 &ad);
1780 if (rc)
88e67f3b 1781 goto out;
1da177e4
LT		 1782 }
1783
f66e448c
CF		 1784#ifdef CONFIG_BPF_SYSCALL
1785 rc = bpf_fd_pass(file, cred_sid(cred));
1786 if (rc)
1787 return rc;
1788#endif
1789
1da177e4 1790 /* av is zero if only checking access to the descriptor. */
88e67f3b 1791 rc = 0;
1da177e4 1792 if (av)
19e49834 1793 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1794
88e67f3b
DH		 1795out:
1796 return rc;
1da177e4
LT		 1797}
1798
c3c188b2
DH		 1799/*
1800 * Determine the label for an inode that might be unioned.
1801 */
c957f6df
VG		 1802static int
1803selinux_determine_inode_label(const struct task_security_struct *tsec,
1804 struct inode *dir,
1805 const struct qstr *name, u16 tclass,
1806 u32 *_new_isid)
c3c188b2
DH		 1807{
1808 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1809
1810 if ((sbsec->flags & SE_SBINITIALIZED) &&
1811 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1812 *_new_isid = sbsec->mntpoint_sid;
1813 } else if ((sbsec->flags & SBLABEL_MNT) &&
1814 tsec->create_sid) {
1815 *_new_isid = tsec->create_sid;
1816 } else {
20cdef8d 1817 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1818 return security_transition_sid(&selinux_state, tsec->sid,
1819 dsec->sid, tclass,
c3c188b2
DH		 1820 name, _new_isid);
1821 }
1822
1823 return 0;
1824}
1825
1da177e4
LT		 1826/* Check whether a task can create a file. */
1827static int may_create(struct inode *dir,
1828 struct dentry *dentry,
1829 u16 tclass)
1830{
5fb49870 1831 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1832 struct inode_security_struct *dsec;
1833 struct superblock_security_struct *sbsec;
275bb41e 1834 u32 sid, newsid;
2bf49690 1835 struct common_audit_data ad;
1da177e4
LT		 1836 int rc;
1837
83da53c5 1838 dsec = inode_security(dir);
1da177e4
LT		 1839 sbsec = dir->i_sb->s_security;
1840
275bb41e 1841 sid = tsec->sid;
275bb41e 1842
50c205f5 1843 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1844 ad.u.dentry = dentry;
1da177e4 1845
6b6bc620
SS		 1846 rc = avc_has_perm(&selinux_state,
1847 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1848 DIR__ADD_NAME | DIR__SEARCH,
1849 &ad);
1850 if (rc)
1851 return rc;
1852
c957f6df
VG		 1853 rc = selinux_determine_inode_label(current_security(), dir,
1854 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1855 if (rc)
1856 return rc;
1da177e4 1857
6b6bc620
SS		 1858 rc = avc_has_perm(&selinux_state,
1859 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1860 if (rc)
1861 return rc;
1862
6b6bc620
SS		 1863 return avc_has_perm(&selinux_state,
1864 newsid, sbsec->sid,
1da177e4
LT		 1865 SECCLASS_FILESYSTEM,
1866 FILESYSTEM__ASSOCIATE, &ad);
1867}
1868
828dfe1d
EP		 1869#define MAY_LINK 0
1870#define MAY_UNLINK 1
1871#define MAY_RMDIR 2
1da177e4
LT		 1872
1873/* Check whether a task can link, unlink, or rmdir a file/directory. */
1874static int may_link(struct inode *dir,
1875 struct dentry *dentry,
1876 int kind)
1877
1878{
1da177e4 1879 struct inode_security_struct *dsec, *isec;
2bf49690 1880 struct common_audit_data ad;
275bb41e 1881 u32 sid = current_sid();
1da177e4
LT		 1882 u32 av;
1883 int rc;
1884
83da53c5
AG		 1885 dsec = inode_security(dir);
1886 isec = backing_inode_security(dentry);
1da177e4 1887
50c205f5 1888 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1889 ad.u.dentry = dentry;
1da177e4
LT		 1890
1891 av = DIR__SEARCH;
1892 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1893 rc = avc_has_perm(&selinux_state,
1894 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1895 if (rc)
1896 return rc;
1897
1898 switch (kind) {
1899 case MAY_LINK:
1900 av = FILE__LINK;
1901 break;
1902 case MAY_UNLINK:
1903 av = FILE__UNLINK;
1904 break;
1905 case MAY_RMDIR:
1906 av = DIR__RMDIR;
1907 break;
1908 default:
c103a91e 1909 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1910 __func__, kind);
1da177e4
LT		 1911 return 0;
1912 }
1913
6b6bc620
SS		 1914 rc = avc_has_perm(&selinux_state,
1915 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1916 return rc;
1917}
1918
1919static inline int may_rename(struct inode *old_dir,
1920 struct dentry *old_dentry,
1921 struct inode *new_dir,
1922 struct dentry *new_dentry)
1923{
1da177e4 1924 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1925 struct common_audit_data ad;
275bb41e 1926 u32 sid = current_sid();
1da177e4
LT		 1927 u32 av;
1928 int old_is_dir, new_is_dir;
1929 int rc;
1930
83da53c5
AG		 1931 old_dsec = inode_security(old_dir);
1932 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1933 old_is_dir = d_is_dir(old_dentry);
83da53c5 1934 new_dsec = inode_security(new_dir);
1da177e4 1935
50c205f5 1936 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1937
a269434d 1938 ad.u.dentry = old_dentry;
6b6bc620
SS		 1939 rc = avc_has_perm(&selinux_state,
1940 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1941 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1942 if (rc)
1943 return rc;
6b6bc620
SS		 1944 rc = avc_has_perm(&selinux_state,
1945 sid, old_isec->sid,
1da177e4
LT		 1946 old_isec->sclass, FILE__RENAME, &ad);
1947 if (rc)
1948 return rc;
1949 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1950 rc = avc_has_perm(&selinux_state,
1951 sid, old_isec->sid,
1da177e4
LT		 1952 old_isec->sclass, DIR__REPARENT, &ad);
1953 if (rc)
1954 return rc;
1955 }
1956
a269434d 1957 ad.u.dentry = new_dentry;
1da177e4 1958 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1959 if (d_is_positive(new_dentry))
1da177e4 1960 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1961 rc = avc_has_perm(&selinux_state,
1962 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1963 if (rc)
1964 return rc;
2c616d4d 1965 if (d_is_positive(new_dentry)) {
83da53c5 1966 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1967 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1968 rc = avc_has_perm(&selinux_state,
1969 sid, new_isec->sid,
1da177e4
LT		 1970 new_isec->sclass,
1971 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1972 if (rc)
1973 return rc;
1974 }
1975
1976 return 0;
1977}
1978
1979/* Check whether a task can perform a filesystem operation. */
88e67f3b 1980static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1981 struct super_block *sb,
1982 u32 perms,
2bf49690 1983 struct common_audit_data *ad)
1da177e4 1984{
1da177e4 1985 struct superblock_security_struct *sbsec;
88e67f3b 1986 u32 sid = cred_sid(cred);
1da177e4 1987
1da177e4 1988 sbsec = sb->s_security;
6b6bc620
SS		 1989 return avc_has_perm(&selinux_state,
1990 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1991}
1992
1993/* Convert a Linux mode and permission mask to an access vector. */
1994static inline u32 file_mask_to_av(int mode, int mask)
1995{
1996 u32 av = 0;
1997
dba19c60 1998 if (!S_ISDIR(mode)) {
1da177e4
LT		 1999 if (mask & MAY_EXEC)
2000 av |= FILE__EXECUTE;
2001 if (mask & MAY_READ)
2002 av |= FILE__READ;
2003
2004 if (mask & MAY_APPEND)
2005 av |= FILE__APPEND;
2006 else if (mask & MAY_WRITE)
2007 av |= FILE__WRITE;
2008
2009 } else {
2010 if (mask & MAY_EXEC)
2011 av |= DIR__SEARCH;
2012 if (mask & MAY_WRITE)
2013 av |= DIR__WRITE;
2014 if (mask & MAY_READ)
2015 av |= DIR__READ;
2016 }
2017
2018 return av;
2019}
2020
8b6a5a37
EP		 2021/* Convert a Linux file to an access vector. */
2022static inline u32 file_to_av(struct file *file)
2023{
2024 u32 av = 0;
2025
2026 if (file->f_mode & FMODE_READ)
2027 av |= FILE__READ;
2028 if (file->f_mode & FMODE_WRITE) {
2029 if (file->f_flags & O_APPEND)
2030 av |= FILE__APPEND;
2031 else
2032 av |= FILE__WRITE;
2033 }
2034 if (!av) {
2035 /*
2036 * Special file opened with flags 3 for ioctl-only use.
2037 */
2038 av = FILE__IOCTL;
2039 }
2040
2041 return av;
2042}
2043
b0c636b9 2044/*
8b6a5a37 2045 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2046 * open permission.
2047 */
8b6a5a37 2048static inline u32 open_file_to_av(struct file *file)
b0c636b9 2049{
8b6a5a37 2050 u32 av = file_to_av(file);
ccb54478 2051 struct inode *inode = file_inode(file);
b0c636b9 2052
aa8e712c
SS		 2053 if (selinux_policycap_openperm() &&
2054 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2055 av |= FILE__OPEN;
2056
b0c636b9
EP		 2057 return av;
2058}
2059
1da177e4
LT		 2060/* Hook functions begin here. */
2061
79af7307
SS		 2062static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2063{
2064 u32 mysid = current_sid();
2065 u32 mgrsid = task_sid(mgr);
2066
6b6bc620
SS		 2067 return avc_has_perm(&selinux_state,
2068 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2069 BINDER__SET_CONTEXT_MGR, NULL);
2070}
2071
2072static int selinux_binder_transaction(struct task_struct *from,
2073 struct task_struct *to)
2074{
2075 u32 mysid = current_sid();
2076 u32 fromsid = task_sid(from);
2077 u32 tosid = task_sid(to);
2078 int rc;
2079
2080 if (mysid != fromsid) {
6b6bc620
SS		 2081 rc = avc_has_perm(&selinux_state,
2082 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2083 BINDER__IMPERSONATE, NULL);
2084 if (rc)
2085 return rc;
2086 }
2087
6b6bc620
SS		 2088 return avc_has_perm(&selinux_state,
2089 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2090 NULL);
2091}
2092
2093static int selinux_binder_transfer_binder(struct task_struct *from,
2094 struct task_struct *to)
2095{
2096 u32 fromsid = task_sid(from);
2097 u32 tosid = task_sid(to);
2098
6b6bc620
SS		 2099 return avc_has_perm(&selinux_state,
2100 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2101 NULL);
2102}
2103
2104static int selinux_binder_transfer_file(struct task_struct *from,
2105 struct task_struct *to,
2106 struct file *file)
2107{
2108 u32 sid = task_sid(to);
2109 struct file_security_struct *fsec = file->f_security;
83da53c5 2110 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2111 struct inode_security_struct *isec;
79af7307
SS		 2112 struct common_audit_data ad;
2113 int rc;
2114
2115 ad.type = LSM_AUDIT_DATA_PATH;
2116 ad.u.path = file->f_path;
2117
2118 if (sid != fsec->sid) {
6b6bc620
SS		 2119 rc = avc_has_perm(&selinux_state,
2120 sid, fsec->sid,
79af7307
SS		 2121 SECCLASS_FD,
2122 FD__USE,
2123 &ad);
2124 if (rc)
2125 return rc;
2126 }
2127
f66e448c
CF		 2128#ifdef CONFIG_BPF_SYSCALL
2129 rc = bpf_fd_pass(file, sid);
2130 if (rc)
2131 return rc;
2132#endif
2133
83da53c5 2134 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2135 return 0;
2136
20cdef8d 2137 isec = backing_inode_security(dentry);
6b6bc620
SS		 2138 return avc_has_perm(&selinux_state,
2139 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2140 &ad);
2141}
2142
9e48858f 2143static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2144 unsigned int mode)
1da177e4 2145{
be0554c9
SS		 2146 u32 sid = current_sid();
2147 u32 csid = task_sid(child);
2148
2149 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2150 return avc_has_perm(&selinux_state,
2151 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2152
6b6bc620
SS		 2153 return avc_has_perm(&selinux_state,
2154 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2155}
2156
2157static int selinux_ptrace_traceme(struct task_struct *parent)
2158{
6b6bc620
SS		 2159 return avc_has_perm(&selinux_state,
2160 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2161 PROCESS__PTRACE, NULL);
1da177e4
LT		 2162}
2163
2164static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2165 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2166{
6b6bc620
SS		 2167 return avc_has_perm(&selinux_state,
2168 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2169 PROCESS__GETCAP, NULL);
1da177e4
LT		 2170}
2171
d84f4f99
DH		 2172static int selinux_capset(struct cred *new, const struct cred *old,
2173 const kernel_cap_t *effective,
2174 const kernel_cap_t *inheritable,
2175 const kernel_cap_t *permitted)
1da177e4 2176{
6b6bc620
SS		 2177 return avc_has_perm(&selinux_state,
2178 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2179 PROCESS__SETCAP, NULL);
1da177e4
LT		 2180}
2181
5626d3e8
JM		 2182/*
2183 * (This comment used to live with the selinux_task_setuid hook,
2184 * which was removed).
2185 *
2186 * Since setuid only affects the current process, and since the SELinux
2187 * controls are not based on the Linux identity attributes, SELinux does not
2188 * need to control this operation. However, SELinux does control the use of
2189 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2190 */
2191
6a9de491
EP		 2192static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2193 int cap, int audit)
1da177e4 2194{
8e4ff6f2 2195 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2196}
2197
1da177e4
LT		 2198static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2199{
88e67f3b 2200 const struct cred *cred = current_cred();
1da177e4
LT		 2201 int rc = 0;
2202
2203 if (!sb)
2204 return 0;
2205
2206 switch (cmds) {
828dfe1d
EP		 2207 case Q_SYNC:
2208 case Q_QUOTAON:
2209 case Q_QUOTAOFF:
2210 case Q_SETINFO:
2211 case Q_SETQUOTA:
88e67f3b 2212 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2213 break;
2214 case Q_GETFMT:
2215 case Q_GETINFO:
2216 case Q_GETQUOTA:
88e67f3b 2217 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2218 break;
2219 default:
2220 rc = 0; /* let the kernel handle invalid cmds */
2221 break;
1da177e4
LT		 2222 }
2223 return rc;
2224}
2225
2226static int selinux_quota_on(struct dentry *dentry)
2227{
88e67f3b
DH		 2228 const struct cred *cred = current_cred();
2229
2875fa00 2230 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2231}
2232
12b3052c 2233static int selinux_syslog(int type)
1da177e4 2234{
1da177e4 2235 switch (type) {
d78ca3cd
KC		 2236 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2237 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2238 return avc_has_perm(&selinux_state,
2239 current_sid(), SECINITSID_KERNEL,
be0554c9 2240 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2241 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2242 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2243 /* Set level of messages printed to console */
2244 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2245 return avc_has_perm(&selinux_state,
2246 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2247 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2248 NULL);
1da177e4 2249 }
be0554c9 2250 /* All other syslog types */
6b6bc620
SS		 2251 return avc_has_perm(&selinux_state,
2252 current_sid(), SECINITSID_KERNEL,
be0554c9 2253 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2254}
2255
2256/*
2257 * Check that a process has enough memory to allocate a new virtual
2258 * mapping. 0 means there is enough memory for the allocation to
2259 * succeed and -ENOMEM implies there is not.
2260 *
1da177e4
LT		 2261 * Do not audit the selinux permission check, as this is applied to all
2262 * processes that allocate mappings.
2263 */
34b4e4aa 2264static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2265{
2266 int rc, cap_sys_admin = 0;
1da177e4 2267
b1d9e6b0 2268 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2269 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2270 if (rc == 0)
2271 cap_sys_admin = 1;
2272
b1d9e6b0 2273 return cap_sys_admin;
1da177e4
LT		 2274}
2275
2276/* binprm security operations */
2277
be0554c9 2278static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2279{
2280 u32 sid = 0;
2281 struct task_struct *tracer;
2282
2283 rcu_read_lock();
be0554c9 2284 tracer = ptrace_parent(current);
0c6181cb
PM		 2285 if (tracer)
2286 sid = task_sid(tracer);
2287 rcu_read_unlock();
2288
2289 return sid;
2290}
2291
7b0d0b40
SS		 2292static int check_nnp_nosuid(const struct linux_binprm *bprm,
2293 const struct task_security_struct *old_tsec,
2294 const struct task_security_struct *new_tsec)
2295{
2296 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2297 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2298 int rc;
af63f419 2299 u32 av;
7b0d0b40
SS		 2300
2301 if (!nnp && !nosuid)
2302 return 0; /* neither NNP nor nosuid */
2303
2304 if (new_tsec->sid == old_tsec->sid)
2305 return 0; /* No change in credentials */
2306
2307 /*
af63f419
SS		 2308 * If the policy enables the nnp_nosuid_transition policy capability,
2309 * then we permit transitions under NNP or nosuid if the
2310 * policy allows the corresponding permission between
2311 * the old and new contexts.
7b0d0b40 2312 */
aa8e712c 2313 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2314 av = 0;
7b0d0b40 2315 if (nnp)
af63f419
SS		 2316 av |= PROCESS2__NNP_TRANSITION;
2317 if (nosuid)
2318 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2319 rc = avc_has_perm(&selinux_state,
2320 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2321 SECCLASS_PROCESS2, av, NULL);
2322 if (!rc)
2323 return 0;
7b0d0b40 2324 }
af63f419
SS		 2325
2326 /*
2327 * We also permit NNP or nosuid transitions to bounded SIDs,
2328 * i.e. SIDs that are guaranteed to only be allowed a subset
2329 * of the permissions of the current SID.
2330 */
aa8e712c
SS		 2331 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2332 new_tsec->sid);
af63f419
SS		 2333 if (!rc)
2334 return 0;
2335
2336 /*
2337 * On failure, preserve the errno values for NNP vs nosuid.
2338 * NNP: Operation not permitted for caller.
2339 * nosuid: Permission denied to file.
2340 */
2341 if (nnp)
2342 return -EPERM;
2343 return -EACCES;
7b0d0b40
SS		 2344}
2345
a6f76f23 2346static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2347{
a6f76f23
DH		 2348 const struct task_security_struct *old_tsec;
2349 struct task_security_struct *new_tsec;
1da177e4 2350 struct inode_security_struct *isec;
2bf49690 2351 struct common_audit_data ad;
496ad9aa 2352 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2353 int rc;
2354
a6f76f23
DH		 2355 /* SELinux context only depends on initial program or script and not
2356 * the script interpreter */
ddb4a144 2357 if (bprm->called_set_creds)
1da177e4
LT		 2358 return 0;
2359
a6f76f23
DH		 2360 old_tsec = current_security();
2361 new_tsec = bprm->cred->security;
83da53c5 2362 isec = inode_security(inode);
1da177e4
LT		 2363
2364 /* Default to the current task SID. */
a6f76f23
DH		 2365 new_tsec->sid = old_tsec->sid;
2366 new_tsec->osid = old_tsec->sid;
1da177e4 2367
28eba5bf 2368 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2369 new_tsec->create_sid = 0;
2370 new_tsec->keycreate_sid = 0;
2371 new_tsec->sockcreate_sid = 0;
1da177e4 2372
a6f76f23
DH		 2373 if (old_tsec->exec_sid) {
2374 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2375 /* Reset exec SID on execve. */
a6f76f23 2376 new_tsec->exec_sid = 0;
259e5e6c 2377
7b0d0b40
SS		 2378 /* Fail on NNP or nosuid if not an allowed transition. */
2379 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2380 if (rc)
2381 return rc;
1da177e4
LT		 2382 } else {
2383 /* Check for a default transition on this program. */
aa8e712c
SS		 2384 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2385 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2386 &new_tsec->sid);
1da177e4
LT		 2387 if (rc)
2388 return rc;
7b0d0b40
SS		 2389
2390 /*
2391 * Fallback to old SID on NNP or nosuid if not an allowed
2392 * transition.
2393 */
2394 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2395 if (rc)
2396 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2397 }
2398
43af5de7
VG		 2399 ad.type = LSM_AUDIT_DATA_FILE;
2400 ad.u.file = bprm->file;
1da177e4 2401
a6f76f23 2402 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2403 rc = avc_has_perm(&selinux_state,
2404 old_tsec->sid, isec->sid,
1da177e4
LT		 2405 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2406 if (rc)
2407 return rc;
2408 } else {
2409 /* Check permissions for the transition. */
6b6bc620
SS		 2410 rc = avc_has_perm(&selinux_state,
2411 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2412 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2413 if (rc)
2414 return rc;
2415
6b6bc620
SS		 2416 rc = avc_has_perm(&selinux_state,
2417 new_tsec->sid, isec->sid,
1da177e4
LT		 2418 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2419 if (rc)
2420 return rc;
2421
a6f76f23
DH		 2422 /* Check for shared state */
2423 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2424 rc = avc_has_perm(&selinux_state,
2425 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2426 SECCLASS_PROCESS, PROCESS__SHARE,
2427 NULL);
2428 if (rc)
2429 return -EPERM;
2430 }
2431
2432 /* Make sure that anyone attempting to ptrace over a task that
2433 * changes its SID has the appropriate permit */
9227dd2a 2434 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2435 u32 ptsid = ptrace_parent_sid();
a6f76f23 2436 if (ptsid != 0) {
6b6bc620
SS		 2437 rc = avc_has_perm(&selinux_state,
2438 ptsid, new_tsec->sid,
a6f76f23
DH		 2439 SECCLASS_PROCESS,
2440 PROCESS__PTRACE, NULL);
2441 if (rc)
2442 return -EPERM;
2443 }
2444 }
1da177e4 2445
a6f76f23
DH		 2446 /* Clear any possibly unsafe personality bits on exec: */
2447 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2448
1da177e4
LT		 2449 /* Enable secure mode for SIDs transitions unless
2450 the noatsecure permission is granted between
2451 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2452 rc = avc_has_perm(&selinux_state,
2453 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2454 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2455 NULL);
2456 bprm->secureexec |= !!rc;
1da177e4
LT		 2457 }
2458
62874c3a 2459 return 0;
1da177e4
LT		 2460}
2461
c3c073f8
AV		 2462static int match_file(const void *p, struct file *file, unsigned fd)
2463{
2464 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2465}
2466
1da177e4 2467/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2468static inline void flush_unauthorized_files(const struct cred *cred,
2469 struct files_struct *files)
1da177e4 2470{
1da177e4 2471 struct file *file, *devnull = NULL;
b20c8122 2472 struct tty_struct *tty;
24ec839c 2473 int drop_tty = 0;
c3c073f8 2474 unsigned n;
1da177e4 2475
24ec839c 2476 tty = get_current_tty();
1da177e4 2477 if (tty) {
4a510969 2478 spin_lock(&tty->files_lock);
37dd0bd0 2479 if (!list_empty(&tty->tty_files)) {
d996b62a 2480 struct tty_file_private *file_priv;
37dd0bd0 2481
1da177e4 2482 /* Revalidate access to controlling tty.
13f8e981
DH		 2483 Use file_path_has_perm on the tty path directly
2484 rather than using file_has_perm, as this particular
2485 open file may belong to another process and we are
2486 only interested in the inode-based check here. */
d996b62a
NP		 2487 file_priv = list_first_entry(&tty->tty_files,
2488 struct tty_file_private, list);
2489 file = file_priv->file;
13f8e981 2490 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2491 drop_tty = 1;
1da177e4 2492 }
4a510969 2493 spin_unlock(&tty->files_lock);
452a00d2 2494 tty_kref_put(tty);
1da177e4 2495 }
98a27ba4
EB		 2496 /* Reset controlling tty. */
2497 if (drop_tty)
2498 no_tty();
1da177e4
LT		 2499
2500 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2501 n = iterate_fd(files, 0, match_file, cred);
2502 if (!n) /* none found? */
2503 return;
1da177e4 2504
c3c073f8 2505 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2506 if (IS_ERR(devnull))
2507 devnull = NULL;
2508 /* replace all the matching ones with this */
2509 do {
2510 replace_fd(n - 1, devnull, 0);
2511 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2512 if (devnull)
c3c073f8 2513 fput(devnull);
1da177e4
LT		 2514}
2515
a6f76f23
DH		 2516/*
2517 * Prepare a process for imminent new credential changes due to exec
2518 */
2519static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2520{
a6f76f23
DH		 2521 struct task_security_struct *new_tsec;
2522 struct rlimit *rlim, *initrlim;
2523 int rc, i;
d84f4f99 2524
a6f76f23
DH		 2525 new_tsec = bprm->cred->security;
2526 if (new_tsec->sid == new_tsec->osid)
2527 return;
1da177e4 2528
a6f76f23
DH		 2529 /* Close files for which the new task SID is not authorized. */
2530 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2531
a6f76f23
DH		 2532 /* Always clear parent death signal on SID transitions. */
2533 current->pdeath_signal = 0;
0356357c 2534
a6f76f23
DH		 2535 /* Check whether the new SID can inherit resource limits from the old
2536 * SID. If not, reset all soft limits to the lower of the current
2537 * task's hard limit and the init task's soft limit.
2538 *
2539 * Note that the setting of hard limits (even to lower them) can be
2540 * controlled by the setrlimit check. The inclusion of the init task's
2541 * soft limit into the computation is to avoid resetting soft limits
2542 * higher than the default soft limit for cases where the default is
2543 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2544 */
6b6bc620
SS		 2545 rc = avc_has_perm(&selinux_state,
2546 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2547 PROCESS__RLIMITINH, NULL);
2548 if (rc) {
eb2d55a3
ON		 2549 /* protect against do_prlimit() */
2550 task_lock(current);
a6f76f23
DH		 2551 for (i = 0; i < RLIM_NLIMITS; i++) {
2552 rlim = current->signal->rlim + i;
2553 initrlim = init_task.signal->rlim + i;
2554 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2555 }
eb2d55a3 2556 task_unlock(current);
baa73d9e
NP		 2557 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2558 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2559 }
2560}
2561
2562/*
a6f76f23
DH		 2563 * Clean up the process immediately after the installation of new credentials
2564 * due to exec
1da177e4 2565 */
a6f76f23 2566static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2567{
a6f76f23 2568 const struct task_security_struct *tsec = current_security();
1da177e4 2569 struct itimerval itimer;
a6f76f23 2570 u32 osid, sid;
1da177e4
LT		 2571 int rc, i;
2572
a6f76f23
DH		 2573 osid = tsec->osid;
2574 sid = tsec->sid;
2575
2576 if (sid == osid)
1da177e4
LT		 2577 return;
2578
a6f76f23
DH		 2579 /* Check whether the new SID can inherit signal state from the old SID.
2580 * If not, clear itimers to avoid subsequent signal generation and
2581 * flush and unblock signals.
2582 *
2583 * This must occur _after_ the task SID has been updated so that any
2584 * kill done after the flush will be checked against the new SID.
2585 */
6b6bc620
SS		 2586 rc = avc_has_perm(&selinux_state,
2587 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2588 if (rc) {
baa73d9e
NP		 2589 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2590 memset(&itimer, 0, sizeof itimer);
2591 for (i = 0; i < 3; i++)
2592 do_setitimer(i, &itimer, NULL);
2593 }
1da177e4 2594 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2595 if (!fatal_signal_pending(current)) {
2596 flush_sigqueue(&current->pending);
2597 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2598 flush_signal_handlers(current, 1);
2599 sigemptyset(&current->blocked);
9e7c8f8c 2600 recalc_sigpending();
3bcac026 2601 }
1da177e4
LT		 2602 spin_unlock_irq(&current->sighand->siglock);
2603 }
2604
a6f76f23
DH		 2605 /* Wake up the parent if it is waiting so that it can recheck
2606 * wait permission to the new task SID. */
ecd6de3c 2607 read_lock(&tasklist_lock);
0b7570e7 2608 __wake_up_parent(current, current->real_parent);
ecd6de3c 2609 read_unlock(&tasklist_lock);
1da177e4
LT		 2610}
2611
2612/* superblock security operations */
2613
2614static int selinux_sb_alloc_security(struct super_block *sb)
2615{
2616 return superblock_alloc_security(sb);
2617}
2618
2619static void selinux_sb_free_security(struct super_block *sb)
2620{
2621 superblock_free_security(sb);
2622}
2623
99dbbb59 2624static inline int opt_len(const char *s)
1da177e4 2625{
99dbbb59
AV		 2626 bool open_quote = false;
2627 int len;
2628 char c;
1da177e4 2629
99dbbb59
AV		 2630 for (len = 0; (c = s[len]) != '\0'; len++) {
2631 if (c == '"')
2632 open_quote = !open_quote;
2633 if (c == ',' && !open_quote)
2634 break;
3528a953 2635 }
99dbbb59 2636 return len;
3528a953
CO		 2637}
2638
99dbbb59 2639static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2640{
99dbbb59
AV		 2641 char *from = options;
2642 char *to = options;
2643 bool first = true;
1da177e4 2644
99dbbb59
AV		 2645 while (1) {
2646 int len = opt_len(from);
2647 int token, rc;
2648 char *arg = NULL;
1da177e4 2649
99dbbb59 2650 token = match_opt_prefix(from, len, &arg);
1da177e4 2651
99dbbb59
AV		 2652 if (token != Opt_error) {
2653 char *p, *q;
1da177e4 2654
99dbbb59
AV		 2655 /* strip quotes */
2656 if (arg) {
2657 for (p = q = arg; p < from + len; p++) {
2658 char c = *p;
2659 if (c != '"')
2660 *q++ = c;
2661 }
2662 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2663 }
2664 rc = selinux_add_opt(token, arg, mnt_opts);
2665 if (unlikely(rc)) {
2666 kfree(arg);
2667 if (*mnt_opts) {
2668 selinux_free_mnt_opts(*mnt_opts);
2669 *mnt_opts = NULL;
2670 }
2671 return rc;
2672 }
2673 } else {
2674 if (!first) { // copy with preceding comma
2675 from--;
2676 len++;
2677 }
2678 if (to != from)
2679 memmove(to, from, len);
2680 to += len;
2681 first = false;
1da177e4 2682 }
99dbbb59
AV		 2683 if (!from[len])
2684 break;
2685 from += len + 1;
2686 }
2687 *to = '\0';
2688 return 0;
1da177e4
LT		 2689}
2690
204cc0cc 2691static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2692{
bd323655 2693 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2694 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2695 u32 sid;
2696 int rc;
026eb167
EP		 2697
2698 if (!(sbsec->flags & SE_SBINITIALIZED))
2699 return 0;
2700
204cc0cc 2701 if (!opts)
026eb167
EP		 2702 return 0;
2703
bd323655
AV		 2704 if (opts->fscontext) {
2705 rc = parse_sid(sb, opts->fscontext, &sid);
2706 if (rc)
c039bc3c 2707 return rc;
bd323655
AV		 2708 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2709 goto out_bad_option;
026eb167 2710 }
bd323655
AV		 2711 if (opts->context) {
2712 rc = parse_sid(sb, opts->context, &sid);
2713 if (rc)
2714 return rc;
2715 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2716 goto out_bad_option;
2717 }
2718 if (opts->rootcontext) {
2719 struct inode_security_struct *root_isec;
2720 root_isec = backing_inode_security(sb->s_root);
2721 rc = parse_sid(sb, opts->rootcontext, &sid);
2722 if (rc)
2723 return rc;
2724 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2725 goto out_bad_option;
2726 }
2727 if (opts->defcontext) {
2728 rc = parse_sid(sb, opts->defcontext, &sid);
2729 if (rc)
2730 return rc;
2731 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2732 goto out_bad_option;
026eb167 2733 }
c039bc3c 2734 return 0;
026eb167 2735
026eb167 2736out_bad_option:
c103a91e 2737 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2738 "during remount (dev %s, type=%s)\n", sb->s_id,
2739 sb->s_type->name);
c039bc3c 2740 return -EINVAL;
026eb167
EP		 2741}
2742
a10d7c22 2743static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2744{
88e67f3b 2745 const struct cred *cred = current_cred();
2bf49690 2746 struct common_audit_data ad;
74192246 2747
50c205f5 2748 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2749 ad.u.dentry = sb->s_root;
88e67f3b 2750 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2751}
2752
726c3342 2753static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2754{
88e67f3b 2755 const struct cred *cred = current_cred();
2bf49690 2756 struct common_audit_data ad;
1da177e4 2757
50c205f5 2758 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2759 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2760 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2761}
2762
808d4e3c 2763static int selinux_mount(const char *dev_name,
8a04c43b 2764 const struct path *path,
808d4e3c 2765 const char *type,
828dfe1d
EP		 2766 unsigned long flags,
2767 void *data)
1da177e4 2768{
88e67f3b 2769 const struct cred *cred = current_cred();
1da177e4
LT		 2770
2771 if (flags & MS_REMOUNT)
d8c9584e 2772 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2773 FILESYSTEM__REMOUNT, NULL);
1da177e4 2774 else
2875fa00 2775 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2776}
2777
2778static int selinux_umount(struct vfsmount *mnt, int flags)
2779{
88e67f3b 2780 const struct cred *cred = current_cred();
1da177e4 2781
88e67f3b 2782 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2783 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2784}
2785
2786/* inode security operations */
2787
2788static int selinux_inode_alloc_security(struct inode *inode)
2789{
2790 return inode_alloc_security(inode);
2791}
2792
2793static void selinux_inode_free_security(struct inode *inode)
2794{
2795 inode_free_security(inode);
2796}
2797
d47be3df 2798static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2799 const struct qstr *name, void **ctx,
d47be3df
DQ		 2800 u32 *ctxlen)
2801{
d47be3df
DQ		 2802 u32 newsid;
2803 int rc;
2804
c957f6df
VG		 2805 rc = selinux_determine_inode_label(current_security(),
2806 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2807 inode_mode_to_security_class(mode),
2808 &newsid);
2809 if (rc)
2810 return rc;
d47be3df 2811
aa8e712c
SS		 2812 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2813 ctxlen);
d47be3df
DQ		 2814}
2815
a518b0a5
VG		 2816static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2817 struct qstr *name,
2818 const struct cred *old,
2819 struct cred *new)
2820{
2821 u32 newsid;
2822 int rc;
2823 struct task_security_struct *tsec;
2824
2825 rc = selinux_determine_inode_label(old->security,
2826 d_inode(dentry->d_parent), name,
2827 inode_mode_to_security_class(mode),
2828 &newsid);
2829 if (rc)
2830 return rc;
2831
2832 tsec = new->security;
2833 tsec->create_sid = newsid;
2834 return 0;
2835}
2836
5e41ff9e 2837static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2838 const struct qstr *qstr,
2839 const char **name,
2a7dba39 2840 void **value, size_t *len)
5e41ff9e 2841{
5fb49870 2842 const struct task_security_struct *tsec = current_security();
5e41ff9e 2843 struct superblock_security_struct *sbsec;
c0d4f464 2844 u32 newsid, clen;
5e41ff9e 2845 int rc;
9548906b 2846 char *context;
5e41ff9e 2847
5e41ff9e 2848 sbsec = dir->i_sb->s_security;
5e41ff9e 2849
275bb41e
DH		 2850 newsid = tsec->create_sid;
2851
c957f6df 2852 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2853 dir, qstr,
2854 inode_mode_to_security_class(inode->i_mode),
2855 &newsid);
2856 if (rc)
2857 return rc;
5e41ff9e 2858
296fddf7 2859 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2860 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2861 struct inode_security_struct *isec = inode->i_security;
2862 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2863 isec->sid = newsid;
6f3be9f5 2864 isec->initialized = LABEL_INITIALIZED;
296fddf7 2865 }
5e41ff9e 2866
aa8e712c 2867 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2868 return -EOPNOTSUPP;
2869
9548906b
TH		 2870 if (name)
2871 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2872
570bc1c2 2873 if (value && len) {
aa8e712c
SS		 2874 rc = security_sid_to_context_force(&selinux_state, newsid,
2875 &context, &clen);
9548906b 2876 if (rc)
570bc1c2 2877 return rc;
570bc1c2
SS		 2878 *value = context;
2879 *len = clen;
5e41ff9e 2880 }
5e41ff9e 2881
5e41ff9e
SS		 2882 return 0;
2883}
2884
4acdaf27 2885static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2886{
2887 return may_create(dir, dentry, SECCLASS_FILE);
2888}
2889
1da177e4
LT		 2890static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2891{
1da177e4
LT		 2892 return may_link(dir, old_dentry, MAY_LINK);
2893}
2894
1da177e4
LT		 2895static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2896{
1da177e4
LT		 2897 return may_link(dir, dentry, MAY_UNLINK);
2898}
2899
2900static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2901{
2902 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2903}
2904
18bb1db3 2905static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2906{
2907 return may_create(dir, dentry, SECCLASS_DIR);
2908}
2909
1da177e4
LT		 2910static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2911{
2912 return may_link(dir, dentry, MAY_RMDIR);
2913}
2914
1a67aafb 2915static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2916{
1da177e4
LT		 2917 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2918}
2919
1da177e4 2920static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2921 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2922{
2923 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2924}
2925
1da177e4
LT		 2926static int selinux_inode_readlink(struct dentry *dentry)
2927{
88e67f3b
DH		 2928 const struct cred *cred = current_cred();
2929
2875fa00 2930 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2931}
2932
bda0be7a
N		 2933static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2934 bool rcu)
1da177e4 2935{
88e67f3b 2936 const struct cred *cred = current_cred();
bda0be7a
N		 2937 struct common_audit_data ad;
2938 struct inode_security_struct *isec;
2939 u32 sid;
1da177e4 2940
bda0be7a
N		 2941 validate_creds(cred);
2942
2943 ad.type = LSM_AUDIT_DATA_DENTRY;
2944 ad.u.dentry = dentry;
2945 sid = cred_sid(cred);
5d226df4
AG		 2946 isec = inode_security_rcu(inode, rcu);
2947 if (IS_ERR(isec))
2948 return PTR_ERR(isec);
bda0be7a 2949
e46e01ee
SS		 2950 return avc_has_perm(&selinux_state,
2951 sid, isec->sid, isec->sclass, FILE__READ, &ad);
1da177e4
LT		 2952}
2953
d4cf970d
EP		 2954static noinline int audit_inode_permission(struct inode *inode,
2955 u32 perms, u32 audited, u32 denied,
626b9740 2956 int result,
d4cf970d 2957 unsigned flags)
1da177e4 2958{
b782e0a6 2959 struct common_audit_data ad;
d4cf970d
EP		 2960 struct inode_security_struct *isec = inode->i_security;
2961 int rc;
2962
50c205f5 2963 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2964 ad.u.inode = inode;
2965
6b6bc620
SS		 2966 rc = slow_avc_audit(&selinux_state,
2967 current_sid(), isec->sid, isec->sclass, perms,
626b9740 2968 audited, denied, result, &ad, flags);
d4cf970d
EP		 2969 if (rc)
2970 return rc;
2971 return 0;
2972}
2973
e74f71eb 2974static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2975{
88e67f3b 2976 const struct cred *cred = current_cred();
b782e0a6
EP		 2977 u32 perms;
2978 bool from_access;
cf1dd1da 2979 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2980 struct inode_security_struct *isec;
2981 u32 sid;
2982 struct av_decision avd;
2983 int rc, rc2;
2984 u32 audited, denied;
1da177e4 2985
b782e0a6 2986 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2987 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2988
b782e0a6
EP		 2989 /* No permission to check. Existence test. */
2990 if (!mask)
1da177e4 2991 return 0;
1da177e4 2992
2e334057 2993 validate_creds(cred);
b782e0a6 2994
2e334057
EP		 2995 if (unlikely(IS_PRIVATE(inode)))
2996 return 0;
b782e0a6
EP		 2997
2998 perms = file_mask_to_av(inode->i_mode, mask);
2999
2e334057 3000 sid = cred_sid(cred);
5d226df4
AG		 3001 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3002 if (IS_ERR(isec))
3003 return PTR_ERR(isec);
2e334057 3004
6b6bc620 3005 rc = avc_has_perm_noaudit(&selinux_state,
3a28cff3
SS		 3006 sid, isec->sid, isec->sclass, perms,
3007 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3008 &avd);
2e334057
EP		 3009 audited = avc_audit_required(perms, &avd, rc,
3010 from_access ? FILE__AUDIT_ACCESS : 0,
3011 &denied);
3012 if (likely(!audited))
3013 return rc;
3014
626b9740 3015 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3016 if (rc2)
3017 return rc2;
3018 return rc;
1da177e4
LT		 3019}
3020
3021static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3022{
88e67f3b 3023 const struct cred *cred = current_cred();
ccb54478 3024 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3025 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3026 __u32 av = FILE__WRITE;
1da177e4 3027
bc6a6008
AW		 3028 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3029 if (ia_valid & ATTR_FORCE) {
3030 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3031 ATTR_FORCE);
3032 if (!ia_valid)
3033 return 0;
3034 }
1da177e4 3035
bc6a6008
AW		 3036 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3037 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3038 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3039
aa8e712c 3040 if (selinux_policycap_openperm() &&
ccb54478
SS		 3041 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3042 (ia_valid & ATTR_SIZE) &&
3043 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3044 av |= FILE__OPEN;
3045
3046 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3047}
3048
3f7036a0 3049static int selinux_inode_getattr(const struct path *path)
1da177e4 3050{
3f7036a0 3051 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3052}
3053
db59000a
SS		 3054static bool has_cap_mac_admin(bool audit)
3055{
3056 const struct cred *cred = current_cred();
3057 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3058
3059 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3060 return false;
3061 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3062 return false;
3063 return true;
3064}
3065
8f0cfa52
DH		 3066static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3067 const void *value, size_t size, int flags)
1da177e4 3068{
c6f493d6 3069 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3070 struct inode_security_struct *isec;
1da177e4 3071 struct superblock_security_struct *sbsec;
2bf49690 3072 struct common_audit_data ad;
275bb41e 3073 u32 newsid, sid = current_sid();
1da177e4
LT		 3074 int rc = 0;
3075
6b240306
EB		 3076 if (strcmp(name, XATTR_NAME_SELINUX)) {
3077 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3078 if (rc)
3079 return rc;
3080
3081 /* Not an attribute we recognize, so just check the
3082 ordinary setattr permission. */
3083 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3084 }
1da177e4
LT		 3085
3086 sbsec = inode->i_sb->s_security;
12f348b9 3087 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3088 return -EOPNOTSUPP;
3089
2e149670 3090 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3091 return -EPERM;
3092
50c205f5 3093 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3094 ad.u.dentry = dentry;
1da177e4 3095
20cdef8d 3096 isec = backing_inode_security(dentry);
6b6bc620
SS		 3097 rc = avc_has_perm(&selinux_state,
3098 sid, isec->sid, isec->sclass,
1da177e4
LT		 3099 FILE__RELABELFROM, &ad);
3100 if (rc)
3101 return rc;
3102
aa8e712c
SS		 3103 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3104 GFP_KERNEL);
12b29f34 3105 if (rc == -EINVAL) {
db59000a 3106 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3107 struct audit_buffer *ab;
3108 size_t audit_size;
d6ea83ec
EP		 3109
3110 /* We strip a nul only if it is at the end, otherwise the
3111 * context contains a nul and we should audit that */
e3fea3f7 3112 if (value) {
add24372
CIK		 3113 const char *str = value;
3114
e3fea3f7
AV		 3115 if (str[size - 1] == '\0')
3116 audit_size = size - 1;
3117 else
3118 audit_size = size;
3119 } else {
e3fea3f7
AV		 3120 audit_size = 0;
3121 }
cdfb6b34
RGB		 3122 ab = audit_log_start(audit_context(),
3123 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3124 audit_log_format(ab, "op=setxattr invalid_context=");
3125 audit_log_n_untrustedstring(ab, value, audit_size);
3126 audit_log_end(ab);
3127
12b29f34 3128 return rc;
d6ea83ec 3129 }
aa8e712c
SS		 3130 rc = security_context_to_sid_force(&selinux_state, value,
3131 size, &newsid);
12b29f34 3132 }
1da177e4
LT		 3133 if (rc)
3134 return rc;
3135
6b6bc620
SS		 3136 rc = avc_has_perm(&selinux_state,
3137 sid, newsid, isec->sclass,
1da177e4
LT		 3138 FILE__RELABELTO, &ad);
3139 if (rc)
3140 return rc;
3141
aa8e712c
SS		 3142 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3143 sid, isec->sclass);
1da177e4
LT		 3144 if (rc)
3145 return rc;
3146
6b6bc620
SS		 3147 return avc_has_perm(&selinux_state,
3148 newsid,
1da177e4
LT		 3149 sbsec->sid,
3150 SECCLASS_FILESYSTEM,
3151 FILESYSTEM__ASSOCIATE,
3152 &ad);
3153}
3154
8f0cfa52 3155static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3156 const void *value, size_t size,
8f0cfa52 3157 int flags)
1da177e4 3158{
c6f493d6 3159 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3160 struct inode_security_struct *isec;
1da177e4
LT		 3161 u32 newsid;
3162 int rc;
3163
3164 if (strcmp(name, XATTR_NAME_SELINUX)) {
3165 /* Not an attribute we recognize, so nothing to do. */
3166 return;
3167 }
3168
aa8e712c
SS		 3169 rc = security_context_to_sid_force(&selinux_state, value, size,
3170 &newsid);
1da177e4 3171 if (rc) {
c103a91e 3172 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3173 "for (%s, %lu), rc=%d\n",
3174 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3175 return;
3176 }
3177
20cdef8d 3178 isec = backing_inode_security(dentry);
9287aed2 3179 spin_lock(&isec->lock);
aa9c2669 3180 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3181 isec->sid = newsid;
6f3be9f5 3182 isec->initialized = LABEL_INITIALIZED;
9287aed2 3183 spin_unlock(&isec->lock);
aa9c2669 3184
1da177e4
LT		 3185 return;
3186}
3187
8f0cfa52 3188static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3189{
88e67f3b
DH		 3190 const struct cred *cred = current_cred();
3191
2875fa00 3192 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3193}
3194
828dfe1d 3195static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3196{
88e67f3b
DH		 3197 const struct cred *cred = current_cred();
3198
2875fa00 3199 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3200}
3201
8f0cfa52 3202static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3203{
6b240306
EB		 3204 if (strcmp(name, XATTR_NAME_SELINUX)) {
3205 int rc = cap_inode_removexattr(dentry, name);
3206 if (rc)
3207 return rc;
3208
3209 /* Not an attribute we recognize, so just check the
3210 ordinary setattr permission. */
3211 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3212 }
1da177e4
LT		 3213
3214 /* No one is allowed to remove a SELinux security label.
3215 You can change the label, but all data must be labeled. */
3216 return -EACCES;
3217}
3218
d381d8a9 3219/*
abc69bb6 3220 * Copy the inode security context value to the user.
d381d8a9
JM		 3221 *
3222 * Permission check is handled by selinux_inode_getxattr hook.
3223 */
ea861dfd 3224static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3225{
42492594
DQ		 3226 u32 size;
3227 int error;
3228 char *context = NULL;
20cdef8d 3229 struct inode_security_struct *isec;
d381d8a9 3230
8c8570fb
DK		 3231 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3232 return -EOPNOTSUPP;
d381d8a9 3233
abc69bb6
SS		 3234 /*
3235 * If the caller has CAP_MAC_ADMIN, then get the raw context
3236 * value even if it is not defined by current policy; otherwise,
3237 * use the in-core value under current policy.
3238 * Use the non-auditing forms of the permission checks since
3239 * getxattr may be called by unprivileged processes commonly
3240 * and lack of permission just means that we fall back to the
3241 * in-core context value, not a denial.
3242 */
20cdef8d 3243 isec = inode_security(inode);
db59000a 3244 if (has_cap_mac_admin(false))
aa8e712c
SS		 3245 error = security_sid_to_context_force(&selinux_state,
3246 isec->sid, &context,
abc69bb6
SS		 3247 &size);
3248 else
aa8e712c
SS		 3249 error = security_sid_to_context(&selinux_state, isec->sid,
3250 &context, &size);
42492594
DQ		 3251 if (error)
3252 return error;
3253 error = size;
3254 if (alloc) {
3255 *buffer = context;
3256 goto out_nofree;
3257 }
3258 kfree(context);
3259out_nofree:
3260 return error;
1da177e4
LT		 3261}
3262
3263static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3264 const void *value, size_t size, int flags)
1da177e4 3265{
2c97165b 3266 struct inode_security_struct *isec = inode_security_novalidate(inode);
53e0c2aa 3267 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1da177e4
LT		 3268 u32 newsid;
3269 int rc;
3270
3271 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3272 return -EOPNOTSUPP;
3273
53e0c2aa
OM		 3274 if (!(sbsec->flags & SBLABEL_MNT))
3275 return -EOPNOTSUPP;
3276
1da177e4
LT		 3277 if (!value || !size)
3278 return -EACCES;
3279
aa8e712c
SS		 3280 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3281 GFP_KERNEL);
1da177e4
LT		 3282 if (rc)
3283 return rc;
3284
9287aed2 3285 spin_lock(&isec->lock);
aa9c2669 3286 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3287 isec->sid = newsid;
6f3be9f5 3288 isec->initialized = LABEL_INITIALIZED;
9287aed2 3289 spin_unlock(&isec->lock);
1da177e4
LT		 3290 return 0;
3291}
3292
3293static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3294{
3295 const int len = sizeof(XATTR_NAME_SELINUX);
3296 if (buffer && len <= buffer_size)
3297 memcpy(buffer, XATTR_NAME_SELINUX, len);
3298 return len;
3299}
3300
d6335d77 3301static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3302{
e817c2f3 3303 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3304 *secid = isec->sid;
3305}
3306
56909eb3
VG		 3307static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3308{
3309 u32 sid;
3310 struct task_security_struct *tsec;
3311 struct cred *new_creds = *new;
3312
3313 if (new_creds == NULL) {
3314 new_creds = prepare_creds();
3315 if (!new_creds)
3316 return -ENOMEM;
3317 }
3318
3319 tsec = new_creds->security;
3320 /* Get label from overlay inode and set it in create_sid */
3321 selinux_inode_getsecid(d_inode(src), &sid);
3322 tsec->create_sid = sid;
3323 *new = new_creds;
3324 return 0;
3325}
3326
19472b69
VG		 3327static int selinux_inode_copy_up_xattr(const char *name)
3328{
3329 /* The copy_up hook above sets the initial context on an inode, but we
3330 * don't then want to overwrite it by blindly copying all the lower
3331 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3332 */
3333 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3334 return 1; /* Discard */
3335 /*
3336 * Any other attribute apart from SELINUX is not claimed, supported
3337 * by selinux.
3338 */
3339 return -EOPNOTSUPP;
3340}
3341
1da177e4
LT		 3342/* file security operations */
3343
788e7dd4 3344static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3345{
88e67f3b 3346 const struct cred *cred = current_cred();
496ad9aa 3347 struct inode *inode = file_inode(file);
1da177e4 3348
1da177e4
LT		 3349 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3350 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3351 mask |= MAY_APPEND;
3352
389fb800
PM		 3353 return file_has_perm(cred, file,
3354 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3355}
3356
788e7dd4
YN		 3357static int selinux_file_permission(struct file *file, int mask)
3358{
496ad9aa 3359 struct inode *inode = file_inode(file);
20dda18b 3360 struct file_security_struct *fsec = file->f_security;
b197367e 3361 struct inode_security_struct *isec;
20dda18b
SS		 3362 u32 sid = current_sid();
3363
389fb800 3364 if (!mask)
788e7dd4
YN		 3365 /* No permission to check. Existence test. */
3366 return 0;
788e7dd4 3367
b197367e 3368 isec = inode_security(inode);
20dda18b 3369 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3370 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3371 /* No change since file_open check. */
20dda18b
SS		 3372 return 0;
3373
788e7dd4
YN		 3374 return selinux_revalidate_file_permission(file, mask);
3375}
3376
1da177e4
LT		 3377static int selinux_file_alloc_security(struct file *file)
3378{
3379 return file_alloc_security(file);
3380}
3381
3382static void selinux_file_free_security(struct file *file)
3383{
3384 file_free_security(file);
3385}
3386
fa1aa143
JVS		 3387/*
3388 * Check whether a task has the ioctl permission and cmd
3389 * operation to an inode.
3390 */
1d2a168a 3391static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3392 u32 requested, u16 cmd)
3393{
3394 struct common_audit_data ad;
3395 struct file_security_struct *fsec = file->f_security;
3396 struct inode *inode = file_inode(file);
20cdef8d 3397 struct inode_security_struct *isec;
fa1aa143
JVS		 3398 struct lsm_ioctlop_audit ioctl;
3399 u32 ssid = cred_sid(cred);
3400 int rc;
3401 u8 driver = cmd >> 8;
3402 u8 xperm = cmd & 0xff;
3403
3404 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3405 ad.u.op = &ioctl;
3406 ad.u.op->cmd = cmd;
3407 ad.u.op->path = file->f_path;
3408
3409 if (ssid != fsec->sid) {
6b6bc620
SS		 3410 rc = avc_has_perm(&selinux_state,
3411 ssid, fsec->sid,
fa1aa143
JVS		 3412 SECCLASS_FD,
3413 FD__USE,
3414 &ad);
3415 if (rc)
3416 goto out;
3417 }
3418
3419 if (unlikely(IS_PRIVATE(inode)))
3420 return 0;
3421
20cdef8d 3422 isec = inode_security(inode);
6b6bc620
SS		 3423 rc = avc_has_extended_perms(&selinux_state,
3424 ssid, isec->sid, isec->sclass,
3425 requested, driver, xperm, &ad);
fa1aa143
JVS		 3426out:
3427 return rc;
3428}
3429
1da177e4
LT		 3430static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3431 unsigned long arg)
3432{
88e67f3b 3433 const struct cred *cred = current_cred();
0b24dcb7 3434 int error = 0;
1da177e4 3435
0b24dcb7
EP		 3436 switch (cmd) {
3437 case FIONREAD:
3438 /* fall through */
3439 case FIBMAP:
3440 /* fall through */
3441 case FIGETBSZ:
3442 /* fall through */
2f99c369 3443 case FS_IOC_GETFLAGS:
0b24dcb7 3444 /* fall through */
2f99c369 3445 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3446 error = file_has_perm(cred, file, FILE__GETATTR);
3447 break;
1da177e4 3448
2f99c369 3449 case FS_IOC_SETFLAGS:
0b24dcb7 3450 /* fall through */
2f99c369 3451 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3452 error = file_has_perm(cred, file, FILE__SETATTR);
3453 break;
3454
3455 /* sys_ioctl() checks */
3456 case FIONBIO:
3457 /* fall through */
3458 case FIOASYNC:
3459 error = file_has_perm(cred, file, 0);
3460 break;
1da177e4 3461
0b24dcb7
EP		 3462 case KDSKBENT:
3463 case KDSKBSENT:
6a9de491 3464 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3465 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3466 break;
3467
3468 /* default case assumes that the command will go
3469 * to the file's ioctl() function.
3470 */
3471 default:
fa1aa143 3472 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3473 }
3474 return error;
1da177e4
LT		 3475}
3476
fcaaade1
SS		 3477static int default_noexec;
3478
1da177e4
LT		 3479static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3480{
88e67f3b 3481 const struct cred *cred = current_cred();
be0554c9 3482 u32 sid = cred_sid(cred);
d84f4f99 3483 int rc = 0;
88e67f3b 3484
fcaaade1 3485 if (default_noexec &&
892e8cac
SS		 3486 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3487 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3488 /*
3489 * We are making executable an anonymous mapping or a
3490 * private file mapping that will also be writable.
3491 * This has an additional check.
3492 */
6b6bc620
SS		 3493 rc = avc_has_perm(&selinux_state,
3494 sid, sid, SECCLASS_PROCESS,
be0554c9 3495 PROCESS__EXECMEM, NULL);
1da177e4 3496 if (rc)
d84f4f99 3497 goto error;
1da177e4 3498 }
1da177e4
LT		 3499
3500 if (file) {
3501 /* read access is always possible with a mapping */
3502 u32 av = FILE__READ;
3503
3504 /* write access only matters if the mapping is shared */
3505 if (shared && (prot & PROT_WRITE))
3506 av |= FILE__WRITE;
3507
3508 if (prot & PROT_EXEC)
3509 av |= FILE__EXECUTE;
3510
88e67f3b 3511 return file_has_perm(cred, file, av);
1da177e4 3512 }
d84f4f99
DH		 3513
3514error:
3515 return rc;
1da177e4
LT		 3516}
3517
e5467859 3518static int selinux_mmap_addr(unsigned long addr)
1da177e4 3519{
b1d9e6b0 3520 int rc = 0;
1da177e4 3521
a2551df7 3522 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3523 u32 sid = current_sid();
6b6bc620
SS		 3524 rc = avc_has_perm(&selinux_state,
3525 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3526 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3527 }
3528
98883bfd 3529 return rc;
e5467859 3530}
1da177e4 3531
e5467859
AV		 3532static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3533 unsigned long prot, unsigned long flags)
3534{
3ba4bf5f
SS		 3535 struct common_audit_data ad;
3536 int rc;
3537
3538 if (file) {
3539 ad.type = LSM_AUDIT_DATA_FILE;
3540 ad.u.file = file;
3541 rc = inode_has_perm(current_cred(), file_inode(file),
3542 FILE__MAP, &ad);
3543 if (rc)
3544 return rc;
3545 }
3546
aa8e712c 3547 if (selinux_state.checkreqprot)
1da177e4
LT		 3548 prot = reqprot;
3549
3550 return file_map_prot_check(file, prot,
3551 (flags & MAP_TYPE) == MAP_SHARED);
3552}
3553
3554static int selinux_file_mprotect(struct vm_area_struct *vma,
3555 unsigned long reqprot,
3556 unsigned long prot)
3557{
88e67f3b 3558 const struct cred *cred = current_cred();
be0554c9 3559 u32 sid = cred_sid(cred);
1da177e4 3560
aa8e712c 3561 if (selinux_state.checkreqprot)
1da177e4
LT		 3562 prot = reqprot;
3563
fcaaade1
SS		 3564 if (default_noexec &&
3565 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3566 int rc = 0;
db4c9641
SS		 3567 if (vma->vm_start >= vma->vm_mm->start_brk &&
3568 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3569 rc = avc_has_perm(&selinux_state,
3570 sid, sid, SECCLASS_PROCESS,
be0554c9 3571 PROCESS__EXECHEAP, NULL);
db4c9641 3572 } else if (!vma->vm_file &&
c2316dbf
SS		 3573 ((vma->vm_start <= vma->vm_mm->start_stack &&
3574 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3575 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3576 rc = avc_has_perm(&selinux_state,
3577 sid, sid, SECCLASS_PROCESS,
be0554c9 3578 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3579 } else if (vma->vm_file && vma->anon_vma) {
3580 /*
3581 * We are making executable a file mapping that has
3582 * had some COW done. Since pages might have been
3583 * written, check ability to execute the possibly
3584 * modified content. This typically should only
3585 * occur for text relocations.
3586 */
d84f4f99 3587 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3588 }