]> git.ipfire.org Git - thirdparty/linux.git/blame - security/selinux/hooks.c
projects / thirdparty / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Smack: Abstract use of cred security blob
[thirdparty/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
877ce7c1 82#include <linux/selinux.h>
23970741 83#include <linux/mutex.h>
f06febc9 84#include <linux/posix-timers.h>
00234592 85#include <linux/syslog.h>
3486740a 86#include <linux/user_namespace.h>
44fc7ea0 87#include <linux/export.h>
40401530
AV		 88#include <linux/msg.h>
89#include <linux/shm.h>
ec27c356 90#include <linux/bpf.h>
e262e32d 91#include <uapi/linux/mount.h>
1da177e4
LT		 92
93#include "avc.h"
94#include "objsec.h"
95#include "netif.h"
224dfbd8 96#include "netnode.h"
3e112172 97#include "netport.h"
409dcf31 98#include "ibpkey.h"
d28d1e08 99#include "xfrm.h"
c60475bf 100#include "netlabel.h"
9d57a7f9 101#include "audit.h"
7b98a585 102#include "avc_ss.h"
1da177e4 103
aa8e712c
SS		 104struct selinux_state selinux_state;
105
d621d35e 106/* SECMARK reference count */
56a4ca99 107static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 108
1da177e4 109#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 110static int selinux_enforcing_boot;
1da177e4
LT		 111
112static int __init enforcing_setup(char *str)
113{
f5269710 114 unsigned long enforcing;
29707b20 115 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 116 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 117 return 1;
118}
119__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 120#else
121#define selinux_enforcing_boot 1
1da177e4
LT		 122#endif
123
be6ec88f 124int selinux_enabled __lsm_ro_after_init = 1;
1da177e4 125#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 126static int __init selinux_enabled_setup(char *str)
127{
f5269710 128 unsigned long enabled;
29707b20 129 if (!kstrtoul(str, 0, &enabled))
f5269710 130 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 131 return 1;
132}
133__setup("selinux=", selinux_enabled_setup);
134#endif
135
aa8e712c
SS		 136static unsigned int selinux_checkreqprot_boot =
137 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
138
139static int __init checkreqprot_setup(char *str)
140{
141 unsigned long checkreqprot;
142
143 if (!kstrtoul(str, 0, &checkreqprot))
144 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
145 return 1;
146}
147__setup("checkreqprot=", checkreqprot_setup);
148
e18b890b 149static struct kmem_cache *sel_inode_cache;
63205654 150static struct kmem_cache *file_security_cache;
7cae7e26 151
d621d35e
PM		 152/**
153 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
154 *
155 * Description:
156 * This function checks the SECMARK reference counter to see if any SECMARK
157 * targets are currently configured, if the reference counter is greater than
158 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 159 * enabled, false (0) if SECMARK is disabled. If the always_check_network
160 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 161 *
162 */
163static int selinux_secmark_enabled(void)
164{
aa8e712c
SS		 165 return (selinux_policycap_alwaysnetwork() ||
166 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 167}
168
169/**
170 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
171 *
172 * Description:
173 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
174 * (1) if any are enabled or false (0) if neither are enabled. If the
175 * always_check_network policy capability is enabled, peer labeling
176 * is always considered enabled.
177 *
178 */
179static int selinux_peerlbl_enabled(void)
180{
aa8e712c
SS		 181 return (selinux_policycap_alwaysnetwork() ||
182 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 183}
184
615e51fd
PM		 185static int selinux_netcache_avc_callback(u32 event)
186{
187 if (event == AVC_CALLBACK_RESET) {
188 sel_netif_flush();
189 sel_netnode_flush();
190 sel_netport_flush();
191 synchronize_net();
192 }
193 return 0;
194}
195
8f408ab6
DJ		 196static int selinux_lsm_notifier_avc_callback(u32 event)
197{
409dcf31
DJ		 198 if (event == AVC_CALLBACK_RESET) {
199 sel_ib_pkey_flush();
8f408ab6 200 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 201 }
8f408ab6
DJ		 202
203 return 0;
204}
205
d84f4f99
DH		 206/*
207 * initialise the security for the init task
208 */
209static void cred_init_security(void)
1da177e4 210{
3b11a1de 211 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 212 struct task_security_struct *tsec;
213
89d155ef 214 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 215 if (!tsec)
d84f4f99 216 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 217
d84f4f99 218 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 219 cred->security = tsec;
1da177e4
LT		 220}
221
88e67f3b
DH		 222/*
223 * get the security ID of a set of credentials
224 */
225static inline u32 cred_sid(const struct cred *cred)
226{
227 const struct task_security_struct *tsec;
228
229 tsec = cred->security;
230 return tsec->sid;
231}
232
275bb41e 233/*
3b11a1de 234 * get the objective security ID of a task
275bb41e
DH		 235 */
236static inline u32 task_sid(const struct task_struct *task)
237{
275bb41e
DH		 238 u32 sid;
239
240 rcu_read_lock();
88e67f3b 241 sid = cred_sid(__task_cred(task));
275bb41e
DH		 242 rcu_read_unlock();
243 return sid;
244}
245
88e67f3b
DH		 246/* Allocate and free functions for each kind of security blob. */
247
1da177e4
LT		 248static int inode_alloc_security(struct inode *inode)
249{
1da177e4 250 struct inode_security_struct *isec;
275bb41e 251 u32 sid = current_sid();
1da177e4 252
a02fe132 253 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 254 if (!isec)
255 return -ENOMEM;
256
9287aed2 257 spin_lock_init(&isec->lock);
1da177e4 258 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 259 isec->inode = inode;
260 isec->sid = SECINITSID_UNLABELED;
261 isec->sclass = SECCLASS_FILE;
275bb41e 262 isec->task_sid = sid;
42059112 263 isec->initialized = LABEL_INVALID;
1da177e4
LT		 264 inode->i_security = isec;
265
266 return 0;
267}
268
5d226df4
AG		 269static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
270
271/*
272 * Try reloading inode security labels that have been marked as invalid. The
273 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 274 * allowed; when set to false, returns -ECHILD when the label is
e9193288 275 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 276 */
277static int __inode_security_revalidate(struct inode *inode,
e9193288 278 struct dentry *dentry,
5d226df4
AG		 279 bool may_sleep)
280{
281 struct inode_security_struct *isec = inode->i_security;
282
283 might_sleep_if(may_sleep);
284
aa8e712c
SS		 285 if (selinux_state.initialized &&
286 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 287 if (!may_sleep)
288 return -ECHILD;
289
290 /*
291 * Try reloading the inode security label. This will fail if
292 * @opt_dentry is NULL and no dentry for this inode can be
293 * found; in that case, continue using the old label.
294 */
e9193288 295 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 296 }
297 return 0;
298}
299
5d226df4
AG		 300static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
301{
302 return inode->i_security;
303}
304
305static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
306{
307 int error;
308
309 error = __inode_security_revalidate(inode, NULL, !rcu);
310 if (error)
311 return ERR_PTR(error);
312 return inode->i_security;
313}
314
83da53c5
AG		 315/*
316 * Get the security label of an inode.
317 */
318static struct inode_security_struct *inode_security(struct inode *inode)
319{
5d226df4 320 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 321 return inode->i_security;
322}
323
2c97165b
PM		 324static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
325{
326 struct inode *inode = d_backing_inode(dentry);
327
328 return inode->i_security;
329}
330
83da53c5
AG		 331/*
332 * Get the security label of a dentry's backing inode.
333 */
334static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
335{
336 struct inode *inode = d_backing_inode(dentry);
337
5d226df4 338 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 339 return inode->i_security;
340}
341
3dc91d43
SR		 342static void inode_free_rcu(struct rcu_head *head)
343{
344 struct inode_security_struct *isec;
345
346 isec = container_of(head, struct inode_security_struct, rcu);
347 kmem_cache_free(sel_inode_cache, isec);
348}
349
1da177e4
LT		 350static void inode_free_security(struct inode *inode)
351{
352 struct inode_security_struct *isec = inode->i_security;
353 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
354
9629d04a
WL		 355 /*
356 * As not all inode security structures are in a list, we check for
357 * empty list outside of the lock to make sure that we won't waste
358 * time taking a lock doing nothing.
359 *
360 * The list_del_init() function can be safely called more than once.
361 * It should not be possible for this function to be called with
362 * concurrent list_add(), but for better safety against future changes
363 * in the code, we use list_empty_careful() here.
364 */
365 if (!list_empty_careful(&isec->list)) {
366 spin_lock(&sbsec->isec_lock);
1da177e4 367 list_del_init(&isec->list);
9629d04a
WL		 368 spin_unlock(&sbsec->isec_lock);
369 }
1da177e4 370
3dc91d43
SR		 371 /*
372 * The inode may still be referenced in a path walk and
373 * a call to selinux_inode_permission() can be made
374 * after inode_free_security() is called. Ideally, the VFS
375 * wouldn't do this, but fixing that is a much harder
376 * job. For now, simply free the i_security via RCU, and
377 * leave the current inode->i_security pointer intact.
378 * The inode will be freed after the RCU grace period too.
379 */
380 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 381}
382
383static int file_alloc_security(struct file *file)
384{
1da177e4 385 struct file_security_struct *fsec;
275bb41e 386 u32 sid = current_sid();
1da177e4 387
63205654 388 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 389 if (!fsec)
390 return -ENOMEM;
391
275bb41e
DH		 392 fsec->sid = sid;
393 fsec->fown_sid = sid;
1da177e4
LT		 394 file->f_security = fsec;
395
396 return 0;
397}
398
399static void file_free_security(struct file *file)
400{
401 struct file_security_struct *fsec = file->f_security;
1da177e4 402 file->f_security = NULL;
63205654 403 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 404}
405
406static int superblock_alloc_security(struct super_block *sb)
407{
408 struct superblock_security_struct *sbsec;
409
89d155ef 410 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 411 if (!sbsec)
412 return -ENOMEM;
413
bc7e982b 414 mutex_init(&sbsec->lock);
1da177e4
LT		 415 INIT_LIST_HEAD(&sbsec->isec_head);
416 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 417 sbsec->sb = sb;
418 sbsec->sid = SECINITSID_UNLABELED;
419 sbsec->def_sid = SECINITSID_FILE;
c312feb2 420 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 421 sb->s_security = sbsec;
422
423 return 0;
424}
425
426static void superblock_free_security(struct super_block *sb)
427{
428 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 429 sb->s_security = NULL;
430 kfree(sbsec);
431}
432
bd323655
AV		 433struct selinux_mnt_opts {
434 const char *fscontext, *context, *rootcontext, *defcontext;
435};
436
204cc0cc
AV		 437static void selinux_free_mnt_opts(void *mnt_opts)
438{
bd323655
AV		 439 struct selinux_mnt_opts *opts = mnt_opts;
440 kfree(opts->fscontext);
441 kfree(opts->context);
442 kfree(opts->rootcontext);
443 kfree(opts->defcontext);
204cc0cc
AV		 444 kfree(opts);
445}
446
1da177e4
LT		 447static inline int inode_doinit(struct inode *inode)
448{
449 return inode_doinit_with_dentry(inode, NULL);
450}
451
452enum {
31e87930 453 Opt_error = -1,
1da177e4
LT		 454 Opt_context = 1,
455 Opt_fscontext = 2,
c9180a57
EP		 456 Opt_defcontext = 3,
457 Opt_rootcontext = 4,
da3d76ab 458 Opt_seclabel = 5,
1da177e4
LT		 459};
460
da3d76ab 461#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 462static struct {
463 const char *name;
464 int len;
465 int opt;
466 bool has_arg;
467} tokens[] = {
da3d76ab
AV		 468 A(context, true),
469 A(fscontext, true),
470 A(defcontext, true),
471 A(rootcontext, true),
472 A(seclabel, false),
1da177e4 473};
169d68ef
AV		 474#undef A
475
476static int match_opt_prefix(char *s, int l, char **arg)
477{
478 int i;
479
480 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
481 size_t len = tokens[i].len;
482 if (len > l || memcmp(s, tokens[i].name, len))
483 continue;
484 if (tokens[i].has_arg) {
485 if (len == l || s[len] != '=')
486 continue;
487 *arg = s + len + 1;
488 } else if (len != l)
489 continue;
490 return tokens[i].opt;
491 }
492 return Opt_error;
493}
1da177e4
LT		 494
495#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
496
c312feb2
EP		 497static int may_context_mount_sb_relabel(u32 sid,
498 struct superblock_security_struct *sbsec,
275bb41e 499 const struct cred *cred)
c312feb2 500{
275bb41e 501 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 502 int rc;
503
6b6bc620
SS		 504 rc = avc_has_perm(&selinux_state,
505 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 506 FILESYSTEM__RELABELFROM, NULL);
507 if (rc)
508 return rc;
509
6b6bc620
SS		 510 rc = avc_has_perm(&selinux_state,
511 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 512 FILESYSTEM__RELABELTO, NULL);
513 return rc;
514}
515
0808925e
EP		 516static int may_context_mount_inode_relabel(u32 sid,
517 struct superblock_security_struct *sbsec,
275bb41e 518 const struct cred *cred)
0808925e 519{
275bb41e 520 const struct task_security_struct *tsec = cred->security;
0808925e 521 int rc;
6b6bc620
SS		 522 rc = avc_has_perm(&selinux_state,
523 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 524 FILESYSTEM__RELABELFROM, NULL);
525 if (rc)
526 return rc;
527
6b6bc620
SS		 528 rc = avc_has_perm(&selinux_state,
529 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 530 FILESYSTEM__ASSOCIATE, NULL);
531 return rc;
532}
533
b43e725d
EP		 534static int selinux_is_sblabel_mnt(struct super_block *sb)
535{
536 struct superblock_security_struct *sbsec = sb->s_security;
537
d5f3a5f6
MS		 538 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
539 sbsec->behavior == SECURITY_FS_USE_TRANS ||
540 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 541 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 542 /* Special handling. Genfs but also in-core setxattr handler */
543 !strcmp(sb->s_type->name, "sysfs") ||
544 !strcmp(sb->s_type->name, "pstore") ||
545 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 546 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 547 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 548 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 549 (!strcmp(sb->s_type->name, "cgroup") ||
550 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 551}
552
c9180a57 553static int sb_finish_set_opts(struct super_block *sb)
1da177e4 554{
1da177e4 555 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 556 struct dentry *root = sb->s_root;
c6f493d6 557 struct inode *root_inode = d_backing_inode(root);
c9180a57 558 int rc = 0;
1da177e4 559
c9180a57
EP		 560 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
561 /* Make sure that the xattr handler exists and that no
562 error other than -ENODATA is returned by getxattr on
563 the root directory. -ENODATA is ok, as this may be
564 the first boot of the SELinux kernel before we have
565 assigned xattr values to the filesystem. */
5d6c3191 566 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 567 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 568 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 569 rc = -EOPNOTSUPP;
570 goto out;
571 }
5d6c3191
AG		 572
573 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 574 if (rc < 0 && rc != -ENODATA) {
575 if (rc == -EOPNOTSUPP)
c103a91e 576 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 577 "%s) has no security xattr handler\n",
578 sb->s_id, sb->s_type->name);
c9180a57 579 else
c103a91e 580 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 581 "%s) getxattr errno %d\n", sb->s_id,
582 sb->s_type->name, -rc);
c9180a57
EP		 583 goto out;
584 }
585 }
1da177e4 586
eadcabc6 587 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 588
589 /*
590 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
591 * leave the flag untouched because sb_clone_mnt_opts might be handing
592 * us a superblock that needs the flag to be cleared.
593 */
b43e725d 594 if (selinux_is_sblabel_mnt(sb))
12f348b9 595 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 596 else
597 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 598
c9180a57
EP		 599 /* Initialize the root inode. */
600 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 601
c9180a57
EP		 602 /* Initialize any other inodes associated with the superblock, e.g.
603 inodes created prior to initial policy load or inodes created
604 during get_sb by a pseudo filesystem that directly
605 populates itself. */
606 spin_lock(&sbsec->isec_lock);
8d64124a 607 while (!list_empty(&sbsec->isec_head)) {
c9180a57 608 struct inode_security_struct *isec =
8d64124a 609 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 610 struct inode_security_struct, list);
611 struct inode *inode = isec->inode;
923190d3 612 list_del_init(&isec->list);
c9180a57
EP		 613 spin_unlock(&sbsec->isec_lock);
614 inode = igrab(inode);
615 if (inode) {
616 if (!IS_PRIVATE(inode))
617 inode_doinit(inode);
618 iput(inode);
619 }
620 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 621 }
622 spin_unlock(&sbsec->isec_lock);
623out:
624 return rc;
625}
1da177e4 626
c9180a57
EP		 627static int bad_option(struct superblock_security_struct *sbsec, char flag,
628 u32 old_sid, u32 new_sid)
629{
0d90a7ec
DQ		 630 char mnt_flags = sbsec->flags & SE_MNTMASK;
631
c9180a57 632 /* check if the old mount command had the same options */
0d90a7ec 633 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 634 if (!(sbsec->flags & flag) ||
635 (old_sid != new_sid))
636 return 1;
637
638 /* check if we were passed the same options twice,
639 * aka someone passed context=a,context=b
640 */
0d90a7ec
DQ		 641 if (!(sbsec->flags & SE_SBINITIALIZED))
642 if (mnt_flags & flag)
c9180a57
EP		 643 return 1;
644 return 0;
645}
e0007529 646
bd323655
AV		 647static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
648{
649 int rc = security_context_str_to_sid(&selinux_state, s,
650 sid, GFP_KERNEL);
651 if (rc)
652 pr_warn("SELinux: security_context_str_to_sid"
653 "(%s) failed for (dev %s, type %s) errno=%d\n",
654 s, sb->s_id, sb->s_type->name, rc);
655 return rc;
656}
657
c9180a57
EP		 658/*
659 * Allow filesystems with binary mount data to explicitly set mount point
660 * labeling information.
661 */
e0007529 662static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 663 void *mnt_opts,
649f6e77
DQ		 664 unsigned long kern_flags,
665 unsigned long *set_kern_flags)
c9180a57 666{
275bb41e 667 const struct cred *cred = current_cred();
c9180a57 668 struct superblock_security_struct *sbsec = sb->s_security;
83da53c5 669 struct dentry *root = sbsec->sb->s_root;
bd323655 670 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 671 struct inode_security_struct *root_isec;
c9180a57
EP		 672 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
673 u32 defcontext_sid = 0;
bd323655 674 int rc = 0;
c9180a57
EP		 675
676 mutex_lock(&sbsec->lock);
677
aa8e712c 678 if (!selinux_state.initialized) {
bd323655 679 if (!opts) {
c9180a57
EP		 680 /* Defer initialization until selinux_complete_init,
681 after the initial policy is loaded and the security
682 server is ready to handle calls. */
c9180a57
EP		 683 goto out;
684 }
685 rc = -EINVAL;
c103a91e 686 pr_warn("SELinux: Unable to set superblock options "
744ba35e 687 "before the security server is initialized\n");
1da177e4 688 goto out;
c9180a57 689 }
649f6e77
DQ		 690 if (kern_flags && !set_kern_flags) {
691 /* Specifying internal flags without providing a place to
692 * place the results is not allowed */
693 rc = -EINVAL;
694 goto out;
695 }
1da177e4 696
e0007529
EP		 697 /*
698 * Binary mount data FS will come through this function twice. Once
699 * from an explicit call and once from the generic calls from the vfs.
700 * Since the generic VFS calls will not contain any security mount data
701 * we need to skip the double mount verification.
702 *
703 * This does open a hole in which we will not notice if the first
704 * mount using this sb set explict options and a second mount using
705 * this sb does not set any security options. (The first options
706 * will be used for both mounts)
707 */
0d90a7ec 708 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 709 && !opts)
f5269710 710 goto out;
e0007529 711
2c97165b
PM		 712 root_isec = backing_inode_security_novalidate(root);
713
c9180a57
EP		 714 /*
715 * parse the mount options, check if they are valid sids.
716 * also check if someone is trying to mount the same sb more
717 * than once with different security options.
718 */
bd323655
AV		 719 if (opts) {
720 if (opts->fscontext) {
721 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
722 if (rc)
723 goto out;
c9180a57
EP		 724 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
725 fscontext_sid))
726 goto out_double_mount;
c9180a57 727 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 728 }
729 if (opts->context) {
730 rc = parse_sid(sb, opts->context, &context_sid);
731 if (rc)
732 goto out;
c9180a57
EP		 733 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
734 context_sid))
735 goto out_double_mount;
c9180a57 736 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 737 }
738 if (opts->rootcontext) {
739 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
740 if (rc)
741 goto out;
c9180a57
EP		 742 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
743 rootcontext_sid))
744 goto out_double_mount;
c9180a57 745 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 746 }
747 if (opts->defcontext) {
748 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
749 if (rc)
750 goto out;
c9180a57
EP		 751 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
752 defcontext_sid))
753 goto out_double_mount;
c9180a57 754 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 755 }
c9180a57
EP		 756 }
757
0d90a7ec 758 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 759 /* previously mounted with options, but not on this attempt? */
bd323655 760 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 761 goto out_double_mount;
762 rc = 0;
763 goto out;
764 }
765
089be43e 766 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 767 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
768
8e014720 769 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 770 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 771 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 772 !strcmp(sb->s_type->name, "pstore") ||
773 !strcmp(sb->s_type->name, "cgroup") ||
774 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 775 sbsec->flags |= SE_SBGENFS;
c9180a57 776
eb9ae686
DQ		 777 if (!sbsec->behavior) {
778 /*
779 * Determine the labeling behavior to use for this
780 * filesystem type.
781 */
aa8e712c 782 rc = security_fs_use(&selinux_state, sb);
eb9ae686 783 if (rc) {
c103a91e 784 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 785 __func__, sb->s_type->name, rc);
786 goto out;
787 }
c9180a57 788 }
aad82892
SF		 789
790 /*
01593d32
SS		 791 * If this is a user namespace mount and the filesystem type is not
792 * explicitly whitelisted, then no contexts are allowed on the command
793 * line and security labels must be ignored.
aad82892 794 */
01593d32
SS		 795 if (sb->s_user_ns != &init_user_ns &&
796 strcmp(sb->s_type->name, "tmpfs") &&
797 strcmp(sb->s_type->name, "ramfs") &&
798 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 799 if (context_sid || fscontext_sid || rootcontext_sid ||
800 defcontext_sid) {
801 rc = -EACCES;
802 goto out;
803 }
804 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
805 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 806 rc = security_transition_sid(&selinux_state,
807 current_sid(),
808 current_sid(),
aad82892
SF		 809 SECCLASS_FILE, NULL,
810 &sbsec->mntpoint_sid);
811 if (rc)
812 goto out;
813 }
814 goto out_set_opts;
815 }
816
c9180a57
EP		 817 /* sets the context of the superblock for the fs being mounted. */
818 if (fscontext_sid) {
275bb41e 819 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 820 if (rc)
c9180a57 821 goto out;
1da177e4 822
c9180a57 823 sbsec->sid = fscontext_sid;
c312feb2
EP		 824 }
825
826 /*
827 * Switch to using mount point labeling behavior.
828 * sets the label used on all file below the mountpoint, and will set
829 * the superblock context if not already set.
830 */
eb9ae686
DQ		 831 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
832 sbsec->behavior = SECURITY_FS_USE_NATIVE;
833 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
834 }
835
c9180a57
EP		 836 if (context_sid) {
837 if (!fscontext_sid) {
275bb41e
DH		 838 rc = may_context_mount_sb_relabel(context_sid, sbsec,
839 cred);
b04ea3ce 840 if (rc)
c9180a57
EP		 841 goto out;
842 sbsec->sid = context_sid;
b04ea3ce 843 } else {
275bb41e
DH		 844 rc = may_context_mount_inode_relabel(context_sid, sbsec,
845 cred);
b04ea3ce 846 if (rc)
c9180a57 847 goto out;
b04ea3ce 848 }
c9180a57
EP		 849 if (!rootcontext_sid)
850 rootcontext_sid = context_sid;
1da177e4 851
c9180a57 852 sbsec->mntpoint_sid = context_sid;
c312feb2 853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 854 }
855
c9180a57 856 if (rootcontext_sid) {
275bb41e
DH		 857 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
858 cred);
0808925e 859 if (rc)
c9180a57 860 goto out;
0808925e 861
c9180a57 862 root_isec->sid = rootcontext_sid;
6f3be9f5 863 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 864 }
865
c9180a57 866 if (defcontext_sid) {
eb9ae686
DQ		 867 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
868 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 869 rc = -EINVAL;
c103a91e 870 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 871 "invalid for this filesystem type\n");
872 goto out;
1da177e4
LT		 873 }
874
c9180a57
EP		 875 if (defcontext_sid != sbsec->def_sid) {
876 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 877 sbsec, cred);
c9180a57
EP		 878 if (rc)
879 goto out;
880 }
1da177e4 881
c9180a57 882 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 883 }
884
aad82892 885out_set_opts:
c9180a57 886 rc = sb_finish_set_opts(sb);
1da177e4 887out:
c9180a57 888 mutex_unlock(&sbsec->lock);
1da177e4 889 return rc;
c9180a57
EP		 890out_double_mount:
891 rc = -EINVAL;
c103a91e 892 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 893 "security settings for (dev %s, type %s)\n", sb->s_id,
894 sb->s_type->name);
c9180a57 895 goto out;
1da177e4
LT		 896}
897
094f7b69
JL		 898static int selinux_cmp_sb_context(const struct super_block *oldsb,
899 const struct super_block *newsb)
900{
901 struct superblock_security_struct *old = oldsb->s_security;
902 struct superblock_security_struct *new = newsb->s_security;
903 char oldflags = old->flags & SE_MNTMASK;
904 char newflags = new->flags & SE_MNTMASK;
905
906 if (oldflags != newflags)
907 goto mismatch;
908 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
909 goto mismatch;
910 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
911 goto mismatch;
912 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
913 goto mismatch;
914 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 915 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
916 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 917 if (oldroot->sid != newroot->sid)
918 goto mismatch;
919 }
920 return 0;
921mismatch:
c103a91e 922 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 923 "different security settings for (dev %s, "
924 "type %s)\n", newsb->s_id, newsb->s_type->name);
925 return -EBUSY;
926}
927
928static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 929 struct super_block *newsb,
930 unsigned long kern_flags,
931 unsigned long *set_kern_flags)
1da177e4 932{
0b4d3452 933 int rc = 0;
c9180a57
EP		 934 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
935 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 936
c9180a57
EP		 937 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
938 int set_context = (oldsbsec->flags & CONTEXT_MNT);
939 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 940
0f5e6420
EP		 941 /*
942 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 943 * mount options. thus we can safely deal with this superblock later
0f5e6420 944 */
aa8e712c 945 if (!selinux_state.initialized)
094f7b69 946 return 0;
c9180a57 947
0b4d3452
SM		 948 /*
949 * Specifying internal flags without providing a place to
950 * place the results is not allowed.
951 */
952 if (kern_flags && !set_kern_flags)
953 return -EINVAL;
954
c9180a57 955 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 956 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 957
094f7b69 958 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 959 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 960 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 961
c9180a57
EP		 962 mutex_lock(&newsbsec->lock);
963
964 newsbsec->flags = oldsbsec->flags;
965
966 newsbsec->sid = oldsbsec->sid;
967 newsbsec->def_sid = oldsbsec->def_sid;
968 newsbsec->behavior = oldsbsec->behavior;
969
0b4d3452
SM		 970 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
971 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 972 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 973 if (rc)
974 goto out;
975 }
976
977 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
978 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
979 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
980 }
981
c9180a57
EP		 982 if (set_context) {
983 u32 sid = oldsbsec->mntpoint_sid;
984
985 if (!set_fscontext)
986 newsbsec->sid = sid;
987 if (!set_rootcontext) {
83da53c5 988 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 989 newisec->sid = sid;
990 }
991 newsbsec->mntpoint_sid = sid;
1da177e4 992 }
c9180a57 993 if (set_rootcontext) {
83da53c5
AG		 994 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
995 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 996
c9180a57 997 newisec->sid = oldisec->sid;
1da177e4
LT		 998 }
999
c9180a57 1000 sb_finish_set_opts(newsb);
0b4d3452 1001out:
c9180a57 1002 mutex_unlock(&newsbsec->lock);
0b4d3452 1003 return rc;
c9180a57
EP		 1004}
1005
ba641862 1006static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 1007{
ba641862 1008 struct selinux_mnt_opts *opts = *mnt_opts;
1da177e4 1009
da3d76ab 1010 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef 1011 return 0;
e0007529 1012
ba641862
AV		 1013 if (!opts) {
1014 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1015 if (!opts)
1016 return -ENOMEM;
1017 *mnt_opts = opts;
c9180a57 1018 }
ba641862
AV		 1019 if (!s)
1020 return -ENOMEM;
1021 switch (token) {
1022 case Opt_context:
1023 if (opts->context || opts->defcontext)
1024 goto Einval;
1025 opts->context = s;
1026 break;
1027 case Opt_fscontext:
1028 if (opts->fscontext)
1029 goto Einval;
1030 opts->fscontext = s;
1031 break;
1032 case Opt_rootcontext:
1033 if (opts->rootcontext)
1034 goto Einval;
1035 opts->rootcontext = s;
1036 break;
1037 case Opt_defcontext:
1038 if (opts->context || opts->defcontext)
1039 goto Einval;
1040 opts->defcontext = s;
1041 break;
c9180a57 1042 }
e0007529 1043 return 0;
ba641862
AV		 1044Einval:
1045 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1046 return -EINVAL;
1da177e4 1047}
e0007529 1048
757cbe59
AV		 1049static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1050 void **mnt_opts)
c9180a57 1051{
757cbe59
AV		 1052 int token = Opt_error;
1053 int rc, i;
e0007529 1054
757cbe59
AV		 1055 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1056 if (strcmp(option, tokens[i].name) == 0) {
1057 token = tokens[i].opt;
1058 break;
169d68ef 1059 }
757cbe59 1060 }
e0007529 1061
757cbe59
AV		 1062 if (token == Opt_error)
1063 return -EINVAL;
e0007529 1064
757cbe59
AV		 1065 if (token != Opt_seclabel)
1066 val = kmemdup_nul(val, len, GFP_KERNEL);
1067 rc = selinux_add_opt(token, val, mnt_opts);
1068 if (unlikely(rc)) {
1069 kfree(val);
1070 if (*mnt_opts) {
169d68ef
AV		 1071 selinux_free_mnt_opts(*mnt_opts);
1072 *mnt_opts = NULL;
1da177e4 1073 }
1da177e4 1074 }
e0007529
EP		 1075 return rc;
1076}
1da177e4 1077
e3489f89 1078static int show_sid(struct seq_file *m, u32 sid)
2069f457 1079{
e3489f89
AV		 1080 char *context = NULL;
1081 u32 len;
1082 int rc;
11689d47 1083
e3489f89
AV		 1084 rc = security_sid_to_context(&selinux_state, sid,
1085 &context, &len);
1086 if (!rc) {
1087 bool has_comma = context && strchr(context, ',');
2069f457 1088
2069f457
EP		 1089 if (has_comma)
1090 seq_putc(m, '\"');
e3489f89 1091 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1092 if (has_comma)
1093 seq_putc(m, '\"');
1094 }
e3489f89
AV		 1095 kfree(context);
1096 return rc;
2069f457
EP		 1097}
1098
1099static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1100{
e3489f89 1101 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1102 int rc;
1103
e3489f89
AV		 1104 if (!(sbsec->flags & SE_SBINITIALIZED))
1105 return 0;
2069f457 1106
e3489f89
AV		 1107 if (!selinux_state.initialized)
1108 return 0;
2069f457 1109
e3489f89
AV		 1110 if (sbsec->flags & FSCONTEXT_MNT) {
1111 seq_putc(m, ',');
1112 seq_puts(m, FSCONTEXT_STR);
1113 rc = show_sid(m, sbsec->sid);
1114 if (rc)
1115 return rc;
1116 }
1117 if (sbsec->flags & CONTEXT_MNT) {
1118 seq_putc(m, ',');
1119 seq_puts(m, CONTEXT_STR);
1120 rc = show_sid(m, sbsec->mntpoint_sid);
1121 if (rc)
1122 return rc;
1123 }
1124 if (sbsec->flags & DEFCONTEXT_MNT) {
1125 seq_putc(m, ',');
1126 seq_puts(m, DEFCONTEXT_STR);
1127 rc = show_sid(m, sbsec->def_sid);
1128 if (rc)
1129 return rc;
1130 }
1131 if (sbsec->flags & ROOTCONTEXT_MNT) {
1132 struct dentry *root = sbsec->sb->s_root;
1133 struct inode_security_struct *isec = backing_inode_security(root);
1134 seq_putc(m, ',');
1135 seq_puts(m, ROOTCONTEXT_STR);
1136 rc = show_sid(m, isec->sid);
1137 if (rc)
1138 return rc;
1139 }
1140 if (sbsec->flags & SBLABEL_MNT) {
1141 seq_putc(m, ',');
1142 seq_puts(m, LABELSUPP_STR);
1143 }
1144 return 0;
2069f457
EP		 1145}
1146
1da177e4
LT		 1147static inline u16 inode_mode_to_security_class(umode_t mode)
1148{
1149 switch (mode & S_IFMT) {
1150 case S_IFSOCK:
1151 return SECCLASS_SOCK_FILE;
1152 case S_IFLNK:
1153 return SECCLASS_LNK_FILE;
1154 case S_IFREG:
1155 return SECCLASS_FILE;
1156 case S_IFBLK:
1157 return SECCLASS_BLK_FILE;
1158 case S_IFDIR:
1159 return SECCLASS_DIR;
1160 case S_IFCHR:
1161 return SECCLASS_CHR_FILE;
1162 case S_IFIFO:
1163 return SECCLASS_FIFO_FILE;
1164
1165 }
1166
1167 return SECCLASS_FILE;
1168}
1169
13402580
JM		 1170static inline int default_protocol_stream(int protocol)
1171{
1172 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1173}
1174
1175static inline int default_protocol_dgram(int protocol)
1176{
1177 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1178}
1179
1da177e4
LT		 1180static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1181{
aa8e712c 1182 int extsockclass = selinux_policycap_extsockclass();
da69a530 1183
1da177e4
LT		 1184 switch (family) {
1185 case PF_UNIX:
1186 switch (type) {
1187 case SOCK_STREAM:
1188 case SOCK_SEQPACKET:
1189 return SECCLASS_UNIX_STREAM_SOCKET;
1190 case SOCK_DGRAM:
2a764b52 1191 case SOCK_RAW:
1da177e4
LT		 1192 return SECCLASS_UNIX_DGRAM_SOCKET;
1193 }
1194 break;
1195 case PF_INET:
1196 case PF_INET6:
1197 switch (type) {
1198 case SOCK_STREAM:
da69a530 1199 case SOCK_SEQPACKET:
13402580
JM		 1200 if (default_protocol_stream(protocol))
1201 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1202 else if (extsockclass && protocol == IPPROTO_SCTP)
1203 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1204 else
1205 return SECCLASS_RAWIP_SOCKET;
1da177e4 1206 case SOCK_DGRAM:
13402580
JM		 1207 if (default_protocol_dgram(protocol))
1208 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1209 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1210 protocol == IPPROTO_ICMPV6))
da69a530 1211 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1212 else
1213 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1214 case SOCK_DCCP:
1215 return SECCLASS_DCCP_SOCKET;
13402580 1216 default:
1da177e4
LT		 1217 return SECCLASS_RAWIP_SOCKET;
1218 }
1219 break;
1220 case PF_NETLINK:
1221 switch (protocol) {
1222 case NETLINK_ROUTE:
1223 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1224 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1225 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1226 case NETLINK_NFLOG:
1227 return SECCLASS_NETLINK_NFLOG_SOCKET;
1228 case NETLINK_XFRM:
1229 return SECCLASS_NETLINK_XFRM_SOCKET;
1230 case NETLINK_SELINUX:
1231 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1232 case NETLINK_ISCSI:
1233 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1234 case NETLINK_AUDIT:
1235 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1236 case NETLINK_FIB_LOOKUP:
1237 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1238 case NETLINK_CONNECTOR:
1239 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1240 case NETLINK_NETFILTER:
1241 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1242 case NETLINK_DNRTMSG:
1243 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1244 case NETLINK_KOBJECT_UEVENT:
1245 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1246 case NETLINK_GENERIC:
1247 return SECCLASS_NETLINK_GENERIC_SOCKET;
1248 case NETLINK_SCSITRANSPORT:
1249 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1250 case NETLINK_RDMA:
1251 return SECCLASS_NETLINK_RDMA_SOCKET;
1252 case NETLINK_CRYPTO:
1253 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1254 default:
1255 return SECCLASS_NETLINK_SOCKET;
1256 }
1257 case PF_PACKET:
1258 return SECCLASS_PACKET_SOCKET;
1259 case PF_KEY:
1260 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1261 case PF_APPLETALK:
1262 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1263 }
1264
da69a530
SS		 1265 if (extsockclass) {
1266 switch (family) {
1267 case PF_AX25:
1268 return SECCLASS_AX25_SOCKET;
1269 case PF_IPX:
1270 return SECCLASS_IPX_SOCKET;
1271 case PF_NETROM:
1272 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1273 case PF_ATMPVC:
1274 return SECCLASS_ATMPVC_SOCKET;
1275 case PF_X25:
1276 return SECCLASS_X25_SOCKET;
1277 case PF_ROSE:
1278 return SECCLASS_ROSE_SOCKET;
1279 case PF_DECnet:
1280 return SECCLASS_DECNET_SOCKET;
1281 case PF_ATMSVC:
1282 return SECCLASS_ATMSVC_SOCKET;
1283 case PF_RDS:
1284 return SECCLASS_RDS_SOCKET;
1285 case PF_IRDA:
1286 return SECCLASS_IRDA_SOCKET;
1287 case PF_PPPOX:
1288 return SECCLASS_PPPOX_SOCKET;
1289 case PF_LLC:
1290 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1291 case PF_CAN:
1292 return SECCLASS_CAN_SOCKET;
1293 case PF_TIPC:
1294 return SECCLASS_TIPC_SOCKET;
1295 case PF_BLUETOOTH:
1296 return SECCLASS_BLUETOOTH_SOCKET;
1297 case PF_IUCV:
1298 return SECCLASS_IUCV_SOCKET;
1299 case PF_RXRPC:
1300 return SECCLASS_RXRPC_SOCKET;
1301 case PF_ISDN:
1302 return SECCLASS_ISDN_SOCKET;
1303 case PF_PHONET:
1304 return SECCLASS_PHONET_SOCKET;
1305 case PF_IEEE802154:
1306 return SECCLASS_IEEE802154_SOCKET;
1307 case PF_CAIF:
1308 return SECCLASS_CAIF_SOCKET;
1309 case PF_ALG:
1310 return SECCLASS_ALG_SOCKET;
1311 case PF_NFC:
1312 return SECCLASS_NFC_SOCKET;
1313 case PF_VSOCK:
1314 return SECCLASS_VSOCK_SOCKET;
1315 case PF_KCM:
1316 return SECCLASS_KCM_SOCKET;
1317 case PF_QIPCRTR:
1318 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1319 case PF_SMC:
1320 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1321 case PF_XDP:
1322 return SECCLASS_XDP_SOCKET;
1323#if PF_MAX > 45
da69a530
SS		 1324#error New address family defined, please update this function.
1325#endif
1326 }
1327 }
1328
1da177e4
LT		 1329 return SECCLASS_SOCKET;
1330}
1331
134509d5
SS		 1332static int selinux_genfs_get_sid(struct dentry *dentry,
1333 u16 tclass,
1334 u16 flags,
1335 u32 *sid)
1da177e4 1336{
8e6c9693 1337 int rc;
fc64005c 1338 struct super_block *sb = dentry->d_sb;
8e6c9693 1339 char *buffer, *path;
1da177e4 1340
828dfe1d 1341 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1342 if (!buffer)
1343 return -ENOMEM;
1344
8e6c9693
LAG		 1345 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1346 if (IS_ERR(path))
1347 rc = PTR_ERR(path);
1348 else {
134509d5
SS		 1349 if (flags & SE_SBPROC) {
1350 /* each process gets a /proc/PID/ entry. Strip off the
1351 * PID part to get a valid selinux labeling.
1352 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1353 while (path[1] >= '0' && path[1] <= '9') {
1354 path[1] = '/';
1355 path++;
1356 }
8e6c9693 1357 }
aa8e712c
SS		 1358 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1359 path, tclass, sid);
7bb185ed
SS		 1360 if (rc == -ENOENT) {
1361 /* No match in policy, mark as unlabeled. */
1362 *sid = SECINITSID_UNLABELED;
1363 rc = 0;
1364 }
1da177e4 1365 }
1da177e4
LT		 1366 free_page((unsigned long)buffer);
1367 return rc;
1368}
1da177e4
LT		 1369
1370/* The inode's security attributes must be initialized before first use. */
1371static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1372{
1373 struct superblock_security_struct *sbsec = NULL;
1374 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1375 u32 task_sid, sid = 0;
1376 u16 sclass;
1da177e4
LT		 1377 struct dentry *dentry;
1378#define INITCONTEXTLEN 255
1379 char *context = NULL;
1380 unsigned len = 0;
1381 int rc = 0;
1da177e4 1382
6f3be9f5 1383 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1384 return 0;
1da177e4 1385
9287aed2 1386 spin_lock(&isec->lock);
6f3be9f5 1387 if (isec->initialized == LABEL_INITIALIZED)
23970741 1388 goto out_unlock;
1da177e4 1389
13457d07
AG		 1390 if (isec->sclass == SECCLASS_FILE)
1391 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1392
1da177e4 1393 sbsec = inode->i_sb->s_security;
0d90a7ec 1394 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1395 /* Defer initialization until selinux_complete_init,
1396 after the initial policy is loaded and the security
1397 server is ready to handle calls. */
1398 spin_lock(&sbsec->isec_lock);
1399 if (list_empty(&isec->list))
1400 list_add(&isec->list, &sbsec->isec_head);
1401 spin_unlock(&sbsec->isec_lock);
23970741 1402 goto out_unlock;
1da177e4
LT		 1403 }
1404
9287aed2
AG		 1405 sclass = isec->sclass;
1406 task_sid = isec->task_sid;
1407 sid = isec->sid;
1408 isec->initialized = LABEL_PENDING;
1409 spin_unlock(&isec->lock);
1410
1da177e4 1411 switch (sbsec->behavior) {
eb9ae686
DQ		 1412 case SECURITY_FS_USE_NATIVE:
1413 break;
1da177e4 1414 case SECURITY_FS_USE_XATTR:
5d6c3191 1415 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1416 sid = sbsec->def_sid;
1da177e4
LT		 1417 break;
1418 }
1da177e4
LT		 1419 /* Need a dentry, since the xattr API requires one.
1420 Life would be simpler if we could just pass the inode. */
1421 if (opt_dentry) {
1422 /* Called from d_instantiate or d_splice_alias. */
1423 dentry = dget(opt_dentry);
1424 } else {
b127125d
AV		 1425 /*
1426 * Called from selinux_complete_init, try to find a dentry.
1427 * Some filesystems really want a connected one, so try
1428 * that first. We could split SECURITY_FS_USE_XATTR in
1429 * two, depending upon that...
1430 */
1da177e4 1431 dentry = d_find_alias(inode);
b127125d
AV		 1432 if (!dentry)
1433 dentry = d_find_any_alias(inode);
1da177e4
LT		 1434 }
1435 if (!dentry) {
df7f54c0
EP		 1436 /*
1437 * this is can be hit on boot when a file is accessed
1438 * before the policy is loaded. When we load policy we
1439 * may find inodes that have no dentry on the
1440 * sbsec->isec_head list. No reason to complain as these
1441 * will get fixed up the next time we go through
1442 * inode_doinit with a dentry, before these inodes could
1443 * be used again by userspace.
1444 */
9287aed2 1445 goto out;
1da177e4
LT		 1446 }
1447
1448 len = INITCONTEXTLEN;
4cb912f1 1449 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1450 if (!context) {
1451 rc = -ENOMEM;
1452 dput(dentry);
9287aed2 1453 goto out;
1da177e4 1454 }
4cb912f1 1455 context[len] = '\0';
5d6c3191 1456 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1457 if (rc == -ERANGE) {
314dabb8
JM		 1458 kfree(context);
1459
1da177e4 1460 /* Need a larger buffer. Query for the right size. */
5d6c3191 1461 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1462 if (rc < 0) {
1463 dput(dentry);
9287aed2 1464 goto out;
1da177e4 1465 }
1da177e4 1466 len = rc;
4cb912f1 1467 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1468 if (!context) {
1469 rc = -ENOMEM;
1470 dput(dentry);
9287aed2 1471 goto out;
1da177e4 1472 }
4cb912f1 1473 context[len] = '\0';
5d6c3191 1474 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1475 }
1476 dput(dentry);
1477 if (rc < 0) {
1478 if (rc != -ENODATA) {
c103a91e 1479 pr_warn("SELinux: %s: getxattr returned "
dd6f953a 1480 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1481 -rc, inode->i_sb->s_id, inode->i_ino);
1482 kfree(context);
9287aed2 1483 goto out;
1da177e4
LT		 1484 }
1485 /* Map ENODATA to the default file SID */
1486 sid = sbsec->def_sid;
1487 rc = 0;
1488 } else {
aa8e712c
SS		 1489 rc = security_context_to_sid_default(&selinux_state,
1490 context, rc, &sid,
869ab514
SS		 1491 sbsec->def_sid,
1492 GFP_NOFS);
1da177e4 1493 if (rc) {
4ba0a8ad
EP		 1494 char *dev = inode->i_sb->s_id;
1495 unsigned long ino = inode->i_ino;
1496
1497 if (rc == -EINVAL) {
1498 if (printk_ratelimit())
c103a91e 1499 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
4ba0a8ad
EP		 1500 "context=%s. This indicates you may need to relabel the inode or the "
1501 "filesystem in question.\n", ino, dev, context);
1502 } else {
c103a91e 1503 pr_warn("SELinux: %s: context_to_sid(%s) "
4ba0a8ad
EP		 1504 "returned %d for dev=%s ino=%ld\n",
1505 __func__, context, -rc, dev, ino);
1506 }
1da177e4
LT		 1507 kfree(context);
1508 /* Leave with the unlabeled SID */
1509 rc = 0;
1510 break;
1511 }
1512 }
1513 kfree(context);
1da177e4
LT		 1514 break;
1515 case SECURITY_FS_USE_TASK:
9287aed2 1516 sid = task_sid;
1da177e4
LT		 1517 break;
1518 case SECURITY_FS_USE_TRANS:
1519 /* Default to the fs SID. */
9287aed2 1520 sid = sbsec->sid;
1da177e4
LT		 1521
1522 /* Try to obtain a transition SID. */
aa8e712c
SS		 1523 rc = security_transition_sid(&selinux_state, task_sid, sid,
1524 sclass, NULL, &sid);
1da177e4 1525 if (rc)
9287aed2 1526 goto out;
1da177e4 1527 break;
c312feb2 1528 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1529 sid = sbsec->mntpoint_sid;
c312feb2 1530 break;
1da177e4 1531 default:
c312feb2 1532 /* Default to the fs superblock SID. */
9287aed2 1533 sid = sbsec->sid;
1da177e4 1534
134509d5 1535 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1536 /* We must have a dentry to determine the label on
1537 * procfs inodes */
b127125d 1538 if (opt_dentry) {
f64410ec
PM		 1539 /* Called from d_instantiate or
1540 * d_splice_alias. */
1541 dentry = dget(opt_dentry);
b127125d 1542 } else {
f64410ec 1543 /* Called from selinux_complete_init, try to
b127125d
AV		 1544 * find a dentry. Some filesystems really want
1545 * a connected one, so try that first.
1546 */
f64410ec 1547 dentry = d_find_alias(inode);
b127125d
AV		 1548 if (!dentry)
1549 dentry = d_find_any_alias(inode);
1550 }
f64410ec
PM		 1551 /*
1552 * This can be hit on boot when a file is accessed
1553 * before the policy is loaded. When we load policy we
1554 * may find inodes that have no dentry on the
1555 * sbsec->isec_head list. No reason to complain as
1556 * these will get fixed up the next time we go through
1557 * inode_doinit() with a dentry, before these inodes
1558 * could be used again by userspace.
1559 */
1560 if (!dentry)
9287aed2
AG		 1561 goto out;
1562 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1563 sbsec->flags, &sid);
f64410ec
PM		 1564 dput(dentry);
1565 if (rc)
9287aed2 1566 goto out;
1da177e4
LT		 1567 }
1568 break;
1569 }
1570
9287aed2
AG		 1571out:
1572 spin_lock(&isec->lock);
1573 if (isec->initialized == LABEL_PENDING) {
1574 if (!sid || rc) {
1575 isec->initialized = LABEL_INVALID;
1576 goto out_unlock;
1577 }
1578
1579 isec->initialized = LABEL_INITIALIZED;
1580 isec->sid = sid;
1581 }
1da177e4 1582
23970741 1583out_unlock:
9287aed2 1584 spin_unlock(&isec->lock);
1da177e4
LT		 1585 return rc;
1586}
1587
1588/* Convert a Linux signal to an access vector. */
1589static inline u32 signal_to_av(int sig)
1590{
1591 u32 perm = 0;
1592
1593 switch (sig) {
1594 case SIGCHLD:
1595 /* Commonly granted from child to parent. */
1596 perm = PROCESS__SIGCHLD;
1597 break;
1598 case SIGKILL:
1599 /* Cannot be caught or ignored */
1600 perm = PROCESS__SIGKILL;
1601 break;
1602 case SIGSTOP:
1603 /* Cannot be caught or ignored */
1604 perm = PROCESS__SIGSTOP;
1605 break;
1606 default:
1607 /* All other signals. */
1608 perm = PROCESS__SIGNAL;
1609 break;
1610 }
1611
1612 return perm;
1613}
1614
b68e418c
SS		 1615#if CAP_LAST_CAP > 63
1616#error Fix SELinux to handle capabilities > 63.
1617#endif
1618
1da177e4 1619/* Check whether a task is allowed to use a capability. */
6a9de491 1620static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1621 int cap, int audit, bool initns)
1da177e4 1622{
2bf49690 1623 struct common_audit_data ad;
06112163 1624 struct av_decision avd;
b68e418c 1625 u16 sclass;
3699c53c 1626 u32 sid = cred_sid(cred);
b68e418c 1627 u32 av = CAP_TO_MASK(cap);
06112163 1628 int rc;
1da177e4 1629
50c205f5 1630 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1631 ad.u.cap = cap;
1632
b68e418c
SS		 1633 switch (CAP_TO_INDEX(cap)) {
1634 case 0:
8e4ff6f2 1635 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1636 break;
1637 case 1:
8e4ff6f2 1638 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1639 break;
1640 default:
c103a91e 1641 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1642 BUG();
a35c6c83 1643 return -EINVAL;
b68e418c 1644 }
06112163 1645
6b6bc620
SS		 1646 rc = avc_has_perm_noaudit(&selinux_state,
1647 sid, sid, sclass, av, 0, &avd);
9ade0cf4 1648 if (audit == SECURITY_CAP_AUDIT) {
6b6bc620
SS		 1649 int rc2 = avc_audit(&selinux_state,
1650 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1651 if (rc2)
1652 return rc2;
1653 }
06112163 1654 return rc;
1da177e4
LT		 1655}
1656
1da177e4
LT		 1657/* Check whether a task has a particular permission to an inode.
1658 The 'adp' parameter is optional and allows other audit
1659 data to be passed (e.g. the dentry). */
88e67f3b 1660static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1661 struct inode *inode,
1662 u32 perms,
19e49834 1663 struct common_audit_data *adp)
1da177e4 1664{
1da177e4 1665 struct inode_security_struct *isec;
275bb41e 1666 u32 sid;
1da177e4 1667
e0e81739
DH		 1668 validate_creds(cred);
1669
828dfe1d 1670 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1671 return 0;
1672
88e67f3b 1673 sid = cred_sid(cred);
1da177e4
LT		 1674 isec = inode->i_security;
1675
6b6bc620
SS		 1676 return avc_has_perm(&selinux_state,
1677 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1678}
1679
1680/* Same as inode_has_perm, but pass explicit audit data containing
1681 the dentry to help the auditing code to more easily generate the
1682 pathname if needed. */
88e67f3b 1683static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1684 struct dentry *dentry,
1685 u32 av)
1686{
c6f493d6 1687 struct inode *inode = d_backing_inode(dentry);
2bf49690 1688 struct common_audit_data ad;
88e67f3b 1689
50c205f5 1690 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1691 ad.u.dentry = dentry;
5d226df4 1692 __inode_security_revalidate(inode, dentry, true);
19e49834 1693 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1694}
1695
1696/* Same as inode_has_perm, but pass explicit audit data containing
1697 the path to help the auditing code to more easily generate the
1698 pathname if needed. */
1699static inline int path_has_perm(const struct cred *cred,
3f7036a0 1700 const struct path *path,
2875fa00
EP		 1701 u32 av)
1702{
c6f493d6 1703 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1704 struct common_audit_data ad;
1705
50c205f5 1706 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1707 ad.u.path = *path;
5d226df4 1708 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1709 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1710}
1711
13f8e981
DH		 1712/* Same as path_has_perm, but uses the inode from the file struct. */
1713static inline int file_path_has_perm(const struct cred *cred,
1714 struct file *file,
1715 u32 av)
1716{
1717 struct common_audit_data ad;
1718
43af5de7
VG		 1719 ad.type = LSM_AUDIT_DATA_FILE;
1720 ad.u.file = file;
19e49834 1721 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1722}
1723
f66e448c
CF		 1724#ifdef CONFIG_BPF_SYSCALL
1725static int bpf_fd_pass(struct file *file, u32 sid);
1726#endif
1727
1da177e4
LT		 1728/* Check whether a task can use an open file descriptor to
1729 access an inode in a given way. Check access to the
1730 descriptor itself, and then use dentry_has_perm to
1731 check a particular permission to the file.
1732 Access to the descriptor is implicitly granted if it
1733 has the same SID as the process. If av is zero, then
1734 access to the file is not checked, e.g. for cases
1735 where only the descriptor is affected like seek. */
88e67f3b
DH		 1736static int file_has_perm(const struct cred *cred,
1737 struct file *file,
1738 u32 av)
1da177e4 1739{
1da177e4 1740 struct file_security_struct *fsec = file->f_security;
496ad9aa 1741 struct inode *inode = file_inode(file);
2bf49690 1742 struct common_audit_data ad;
88e67f3b 1743 u32 sid = cred_sid(cred);
1da177e4
LT		 1744 int rc;
1745
43af5de7
VG		 1746 ad.type = LSM_AUDIT_DATA_FILE;
1747 ad.u.file = file;
1da177e4 1748
275bb41e 1749 if (sid != fsec->sid) {
6b6bc620
SS		 1750 rc = avc_has_perm(&selinux_state,
1751 sid, fsec->sid,
1da177e4
LT		 1752 SECCLASS_FD,
1753 FD__USE,
1754 &ad);
1755 if (rc)
88e67f3b 1756 goto out;
1da177e4
LT		 1757 }
1758
f66e448c
CF		 1759#ifdef CONFIG_BPF_SYSCALL
1760 rc = bpf_fd_pass(file, cred_sid(cred));
1761 if (rc)
1762 return rc;
1763#endif
1764
1da177e4 1765 /* av is zero if only checking access to the descriptor. */
88e67f3b 1766 rc = 0;
1da177e4 1767 if (av)
19e49834 1768 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1769
88e67f3b
DH		 1770out:
1771 return rc;
1da177e4
LT		 1772}
1773
c3c188b2
DH		 1774/*
1775 * Determine the label for an inode that might be unioned.
1776 */
c957f6df
VG		 1777static int
1778selinux_determine_inode_label(const struct task_security_struct *tsec,
1779 struct inode *dir,
1780 const struct qstr *name, u16 tclass,
1781 u32 *_new_isid)
c3c188b2
DH		 1782{
1783 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1784
1785 if ((sbsec->flags & SE_SBINITIALIZED) &&
1786 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1787 *_new_isid = sbsec->mntpoint_sid;
1788 } else if ((sbsec->flags & SBLABEL_MNT) &&
1789 tsec->create_sid) {
1790 *_new_isid = tsec->create_sid;
1791 } else {
20cdef8d 1792 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1793 return security_transition_sid(&selinux_state, tsec->sid,
1794 dsec->sid, tclass,
c3c188b2
DH		 1795 name, _new_isid);
1796 }
1797
1798 return 0;
1799}
1800
1da177e4
LT		 1801/* Check whether a task can create a file. */
1802static int may_create(struct inode *dir,
1803 struct dentry *dentry,
1804 u16 tclass)
1805{
5fb49870 1806 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1807 struct inode_security_struct *dsec;
1808 struct superblock_security_struct *sbsec;
275bb41e 1809 u32 sid, newsid;
2bf49690 1810 struct common_audit_data ad;
1da177e4
LT		 1811 int rc;
1812
83da53c5 1813 dsec = inode_security(dir);
1da177e4
LT		 1814 sbsec = dir->i_sb->s_security;
1815
275bb41e 1816 sid = tsec->sid;
275bb41e 1817
50c205f5 1818 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1819 ad.u.dentry = dentry;
1da177e4 1820
6b6bc620
SS		 1821 rc = avc_has_perm(&selinux_state,
1822 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1823 DIR__ADD_NAME | DIR__SEARCH,
1824 &ad);
1825 if (rc)
1826 return rc;
1827
c957f6df
VG		 1828 rc = selinux_determine_inode_label(current_security(), dir,
1829 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1830 if (rc)
1831 return rc;
1da177e4 1832
6b6bc620
SS		 1833 rc = avc_has_perm(&selinux_state,
1834 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1835 if (rc)
1836 return rc;
1837
6b6bc620
SS		 1838 return avc_has_perm(&selinux_state,
1839 newsid, sbsec->sid,
1da177e4
LT		 1840 SECCLASS_FILESYSTEM,
1841 FILESYSTEM__ASSOCIATE, &ad);
1842}
1843
828dfe1d
EP		 1844#define MAY_LINK 0
1845#define MAY_UNLINK 1
1846#define MAY_RMDIR 2
1da177e4
LT		 1847
1848/* Check whether a task can link, unlink, or rmdir a file/directory. */
1849static int may_link(struct inode *dir,
1850 struct dentry *dentry,
1851 int kind)
1852
1853{
1da177e4 1854 struct inode_security_struct *dsec, *isec;
2bf49690 1855 struct common_audit_data ad;
275bb41e 1856 u32 sid = current_sid();
1da177e4
LT		 1857 u32 av;
1858 int rc;
1859
83da53c5
AG		 1860 dsec = inode_security(dir);
1861 isec = backing_inode_security(dentry);
1da177e4 1862
50c205f5 1863 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1864 ad.u.dentry = dentry;
1da177e4
LT		 1865
1866 av = DIR__SEARCH;
1867 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1868 rc = avc_has_perm(&selinux_state,
1869 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1870 if (rc)
1871 return rc;
1872
1873 switch (kind) {
1874 case MAY_LINK:
1875 av = FILE__LINK;
1876 break;
1877 case MAY_UNLINK:
1878 av = FILE__UNLINK;
1879 break;
1880 case MAY_RMDIR:
1881 av = DIR__RMDIR;
1882 break;
1883 default:
c103a91e 1884 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1885 __func__, kind);
1da177e4
LT		 1886 return 0;
1887 }
1888
6b6bc620
SS		 1889 rc = avc_has_perm(&selinux_state,
1890 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1891 return rc;
1892}
1893
1894static inline int may_rename(struct inode *old_dir,
1895 struct dentry *old_dentry,
1896 struct inode *new_dir,
1897 struct dentry *new_dentry)
1898{
1da177e4 1899 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1900 struct common_audit_data ad;
275bb41e 1901 u32 sid = current_sid();
1da177e4
LT		 1902 u32 av;
1903 int old_is_dir, new_is_dir;
1904 int rc;
1905
83da53c5
AG		 1906 old_dsec = inode_security(old_dir);
1907 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1908 old_is_dir = d_is_dir(old_dentry);
83da53c5 1909 new_dsec = inode_security(new_dir);
1da177e4 1910
50c205f5 1911 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1912
a269434d 1913 ad.u.dentry = old_dentry;
6b6bc620
SS		 1914 rc = avc_has_perm(&selinux_state,
1915 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1916 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1917 if (rc)
1918 return rc;
6b6bc620
SS		 1919 rc = avc_has_perm(&selinux_state,
1920 sid, old_isec->sid,
1da177e4
LT		 1921 old_isec->sclass, FILE__RENAME, &ad);
1922 if (rc)
1923 return rc;
1924 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1925 rc = avc_has_perm(&selinux_state,
1926 sid, old_isec->sid,
1da177e4
LT		 1927 old_isec->sclass, DIR__REPARENT, &ad);
1928 if (rc)
1929 return rc;
1930 }
1931
a269434d 1932 ad.u.dentry = new_dentry;
1da177e4 1933 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1934 if (d_is_positive(new_dentry))
1da177e4 1935 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1936 rc = avc_has_perm(&selinux_state,
1937 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1938 if (rc)
1939 return rc;
2c616d4d 1940 if (d_is_positive(new_dentry)) {
83da53c5 1941 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1942 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1943 rc = avc_has_perm(&selinux_state,
1944 sid, new_isec->sid,
1da177e4
LT		 1945 new_isec->sclass,
1946 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1947 if (rc)
1948 return rc;
1949 }
1950
1951 return 0;
1952}
1953
1954/* Check whether a task can perform a filesystem operation. */
88e67f3b 1955static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1956 struct super_block *sb,
1957 u32 perms,
2bf49690 1958 struct common_audit_data *ad)
1da177e4 1959{
1da177e4 1960 struct superblock_security_struct *sbsec;
88e67f3b 1961 u32 sid = cred_sid(cred);
1da177e4 1962
1da177e4 1963 sbsec = sb->s_security;
6b6bc620
SS		 1964 return avc_has_perm(&selinux_state,
1965 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1966}
1967
1968/* Convert a Linux mode and permission mask to an access vector. */
1969static inline u32 file_mask_to_av(int mode, int mask)
1970{
1971 u32 av = 0;
1972
dba19c60 1973 if (!S_ISDIR(mode)) {
1da177e4
LT		 1974 if (mask & MAY_EXEC)
1975 av |= FILE__EXECUTE;
1976 if (mask & MAY_READ)
1977 av |= FILE__READ;
1978
1979 if (mask & MAY_APPEND)
1980 av |= FILE__APPEND;
1981 else if (mask & MAY_WRITE)
1982 av |= FILE__WRITE;
1983
1984 } else {
1985 if (mask & MAY_EXEC)
1986 av |= DIR__SEARCH;
1987 if (mask & MAY_WRITE)
1988 av |= DIR__WRITE;
1989 if (mask & MAY_READ)
1990 av |= DIR__READ;
1991 }
1992
1993 return av;
1994}
1995
8b6a5a37
EP		 1996/* Convert a Linux file to an access vector. */
1997static inline u32 file_to_av(struct file *file)
1998{
1999 u32 av = 0;
2000
2001 if (file->f_mode & FMODE_READ)
2002 av |= FILE__READ;
2003 if (file->f_mode & FMODE_WRITE) {
2004 if (file->f_flags & O_APPEND)
2005 av |= FILE__APPEND;
2006 else
2007 av |= FILE__WRITE;
2008 }
2009 if (!av) {
2010 /*
2011 * Special file opened with flags 3 for ioctl-only use.
2012 */
2013 av = FILE__IOCTL;
2014 }
2015
2016 return av;
2017}
2018
b0c636b9 2019/*
8b6a5a37 2020 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2021 * open permission.
2022 */
8b6a5a37 2023static inline u32 open_file_to_av(struct file *file)
b0c636b9 2024{
8b6a5a37 2025 u32 av = file_to_av(file);
ccb54478 2026 struct inode *inode = file_inode(file);
b0c636b9 2027
aa8e712c
SS		 2028 if (selinux_policycap_openperm() &&
2029 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2030 av |= FILE__OPEN;
2031
b0c636b9
EP		 2032 return av;
2033}
2034
1da177e4
LT		 2035/* Hook functions begin here. */
2036
79af7307
SS		 2037static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2038{
2039 u32 mysid = current_sid();
2040 u32 mgrsid = task_sid(mgr);
2041
6b6bc620
SS		 2042 return avc_has_perm(&selinux_state,
2043 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2044 BINDER__SET_CONTEXT_MGR, NULL);
2045}
2046
2047static int selinux_binder_transaction(struct task_struct *from,
2048 struct task_struct *to)
2049{
2050 u32 mysid = current_sid();
2051 u32 fromsid = task_sid(from);
2052 u32 tosid = task_sid(to);
2053 int rc;
2054
2055 if (mysid != fromsid) {
6b6bc620
SS		 2056 rc = avc_has_perm(&selinux_state,
2057 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2058 BINDER__IMPERSONATE, NULL);
2059 if (rc)
2060 return rc;
2061 }
2062
6b6bc620
SS		 2063 return avc_has_perm(&selinux_state,
2064 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2065 NULL);
2066}
2067
2068static int selinux_binder_transfer_binder(struct task_struct *from,
2069 struct task_struct *to)
2070{
2071 u32 fromsid = task_sid(from);
2072 u32 tosid = task_sid(to);
2073
6b6bc620
SS		 2074 return avc_has_perm(&selinux_state,
2075 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2076 NULL);
2077}
2078
2079static int selinux_binder_transfer_file(struct task_struct *from,
2080 struct task_struct *to,
2081 struct file *file)
2082{
2083 u32 sid = task_sid(to);
2084 struct file_security_struct *fsec = file->f_security;
83da53c5 2085 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2086 struct inode_security_struct *isec;
79af7307
SS		 2087 struct common_audit_data ad;
2088 int rc;
2089
2090 ad.type = LSM_AUDIT_DATA_PATH;
2091 ad.u.path = file->f_path;
2092
2093 if (sid != fsec->sid) {
6b6bc620
SS		 2094 rc = avc_has_perm(&selinux_state,
2095 sid, fsec->sid,
79af7307
SS		 2096 SECCLASS_FD,
2097 FD__USE,
2098 &ad);
2099 if (rc)
2100 return rc;
2101 }
2102
f66e448c
CF		 2103#ifdef CONFIG_BPF_SYSCALL
2104 rc = bpf_fd_pass(file, sid);
2105 if (rc)
2106 return rc;
2107#endif
2108
83da53c5 2109 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2110 return 0;
2111
20cdef8d 2112 isec = backing_inode_security(dentry);
6b6bc620
SS		 2113 return avc_has_perm(&selinux_state,
2114 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2115 &ad);
2116}
2117
9e48858f 2118static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2119 unsigned int mode)
1da177e4 2120{
be0554c9
SS		 2121 u32 sid = current_sid();
2122 u32 csid = task_sid(child);
2123
2124 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2125 return avc_has_perm(&selinux_state,
2126 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2127
6b6bc620
SS		 2128 return avc_has_perm(&selinux_state,
2129 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2130}
2131
2132static int selinux_ptrace_traceme(struct task_struct *parent)
2133{
6b6bc620
SS		 2134 return avc_has_perm(&selinux_state,
2135 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2136 PROCESS__PTRACE, NULL);
1da177e4
LT		 2137}
2138
2139static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2140 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2141{
6b6bc620
SS		 2142 return avc_has_perm(&selinux_state,
2143 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2144 PROCESS__GETCAP, NULL);
1da177e4
LT		 2145}
2146
d84f4f99
DH		 2147static int selinux_capset(struct cred *new, const struct cred *old,
2148 const kernel_cap_t *effective,
2149 const kernel_cap_t *inheritable,
2150 const kernel_cap_t *permitted)
1da177e4 2151{
6b6bc620
SS		 2152 return avc_has_perm(&selinux_state,
2153 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2154 PROCESS__SETCAP, NULL);
1da177e4
LT		 2155}
2156
5626d3e8
JM		 2157/*
2158 * (This comment used to live with the selinux_task_setuid hook,
2159 * which was removed).
2160 *
2161 * Since setuid only affects the current process, and since the SELinux
2162 * controls are not based on the Linux identity attributes, SELinux does not
2163 * need to control this operation. However, SELinux does control the use of
2164 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2165 */
2166
6a9de491
EP		 2167static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2168 int cap, int audit)
1da177e4 2169{
8e4ff6f2 2170 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2171}
2172
1da177e4
LT		 2173static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2174{
88e67f3b 2175 const struct cred *cred = current_cred();
1da177e4
LT		 2176 int rc = 0;
2177
2178 if (!sb)
2179 return 0;
2180
2181 switch (cmds) {
828dfe1d
EP		 2182 case Q_SYNC:
2183 case Q_QUOTAON:
2184 case Q_QUOTAOFF:
2185 case Q_SETINFO:
2186 case Q_SETQUOTA:
88e67f3b 2187 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2188 break;
2189 case Q_GETFMT:
2190 case Q_GETINFO:
2191 case Q_GETQUOTA:
88e67f3b 2192 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2193 break;
2194 default:
2195 rc = 0; /* let the kernel handle invalid cmds */
2196 break;
1da177e4
LT		 2197 }
2198 return rc;
2199}
2200
2201static int selinux_quota_on(struct dentry *dentry)
2202{
88e67f3b
DH		 2203 const struct cred *cred = current_cred();
2204
2875fa00 2205 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2206}
2207
12b3052c 2208static int selinux_syslog(int type)
1da177e4 2209{
1da177e4 2210 switch (type) {
d78ca3cd
KC		 2211 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2212 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2213 return avc_has_perm(&selinux_state,
2214 current_sid(), SECINITSID_KERNEL,
be0554c9 2215 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2216 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2217 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2218 /* Set level of messages printed to console */
2219 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2220 return avc_has_perm(&selinux_state,
2221 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2222 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2223 NULL);
1da177e4 2224 }
be0554c9 2225 /* All other syslog types */
6b6bc620
SS		 2226 return avc_has_perm(&selinux_state,
2227 current_sid(), SECINITSID_KERNEL,
be0554c9 2228 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2229}
2230
2231/*
2232 * Check that a process has enough memory to allocate a new virtual
2233 * mapping. 0 means there is enough memory for the allocation to
2234 * succeed and -ENOMEM implies there is not.
2235 *
1da177e4
LT		 2236 * Do not audit the selinux permission check, as this is applied to all
2237 * processes that allocate mappings.
2238 */
34b4e4aa 2239static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2240{
2241 int rc, cap_sys_admin = 0;
1da177e4 2242
b1d9e6b0 2243 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2244 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2245 if (rc == 0)
2246 cap_sys_admin = 1;
2247
b1d9e6b0 2248 return cap_sys_admin;
1da177e4
LT		 2249}
2250
2251/* binprm security operations */
2252
be0554c9 2253static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2254{
2255 u32 sid = 0;
2256 struct task_struct *tracer;
2257
2258 rcu_read_lock();
be0554c9 2259 tracer = ptrace_parent(current);
0c6181cb
PM		 2260 if (tracer)
2261 sid = task_sid(tracer);
2262 rcu_read_unlock();
2263
2264 return sid;
2265}
2266
7b0d0b40
SS		 2267static int check_nnp_nosuid(const struct linux_binprm *bprm,
2268 const struct task_security_struct *old_tsec,
2269 const struct task_security_struct *new_tsec)
2270{
2271 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2272 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2273 int rc;
af63f419 2274 u32 av;
7b0d0b40
SS		 2275
2276 if (!nnp && !nosuid)
2277 return 0; /* neither NNP nor nosuid */
2278
2279 if (new_tsec->sid == old_tsec->sid)
2280 return 0; /* No change in credentials */
2281
2282 /*
af63f419
SS		 2283 * If the policy enables the nnp_nosuid_transition policy capability,
2284 * then we permit transitions under NNP or nosuid if the
2285 * policy allows the corresponding permission between
2286 * the old and new contexts.
7b0d0b40 2287 */
aa8e712c 2288 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2289 av = 0;
7b0d0b40 2290 if (nnp)
af63f419
SS		 2291 av |= PROCESS2__NNP_TRANSITION;
2292 if (nosuid)
2293 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2294 rc = avc_has_perm(&selinux_state,
2295 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2296 SECCLASS_PROCESS2, av, NULL);
2297 if (!rc)
2298 return 0;
7b0d0b40 2299 }
af63f419
SS		 2300
2301 /*
2302 * We also permit NNP or nosuid transitions to bounded SIDs,
2303 * i.e. SIDs that are guaranteed to only be allowed a subset
2304 * of the permissions of the current SID.
2305 */
aa8e712c
SS		 2306 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2307 new_tsec->sid);
af63f419
SS		 2308 if (!rc)
2309 return 0;
2310
2311 /*
2312 * On failure, preserve the errno values for NNP vs nosuid.
2313 * NNP: Operation not permitted for caller.
2314 * nosuid: Permission denied to file.
2315 */
2316 if (nnp)
2317 return -EPERM;
2318 return -EACCES;
7b0d0b40
SS		 2319}
2320
a6f76f23 2321static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2322{
a6f76f23
DH		 2323 const struct task_security_struct *old_tsec;
2324 struct task_security_struct *new_tsec;
1da177e4 2325 struct inode_security_struct *isec;
2bf49690 2326 struct common_audit_data ad;
496ad9aa 2327 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2328 int rc;
2329
a6f76f23
DH		 2330 /* SELinux context only depends on initial program or script and not
2331 * the script interpreter */
ddb4a144 2332 if (bprm->called_set_creds)
1da177e4
LT		 2333 return 0;
2334
a6f76f23
DH		 2335 old_tsec = current_security();
2336 new_tsec = bprm->cred->security;
83da53c5 2337 isec = inode_security(inode);
1da177e4
LT		 2338
2339 /* Default to the current task SID. */
a6f76f23
DH		 2340 new_tsec->sid = old_tsec->sid;
2341 new_tsec->osid = old_tsec->sid;
1da177e4 2342
28eba5bf 2343 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2344 new_tsec->create_sid = 0;
2345 new_tsec->keycreate_sid = 0;
2346 new_tsec->sockcreate_sid = 0;
1da177e4 2347
a6f76f23
DH		 2348 if (old_tsec->exec_sid) {
2349 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2350 /* Reset exec SID on execve. */
a6f76f23 2351 new_tsec->exec_sid = 0;
259e5e6c 2352
7b0d0b40
SS		 2353 /* Fail on NNP or nosuid if not an allowed transition. */
2354 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2355 if (rc)
2356 return rc;
1da177e4
LT		 2357 } else {
2358 /* Check for a default transition on this program. */
aa8e712c
SS		 2359 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2360 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2361 &new_tsec->sid);
1da177e4
LT		 2362 if (rc)
2363 return rc;
7b0d0b40
SS		 2364
2365 /*
2366 * Fallback to old SID on NNP or nosuid if not an allowed
2367 * transition.
2368 */
2369 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2370 if (rc)
2371 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2372 }
2373
43af5de7
VG		 2374 ad.type = LSM_AUDIT_DATA_FILE;
2375 ad.u.file = bprm->file;
1da177e4 2376
a6f76f23 2377 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2378 rc = avc_has_perm(&selinux_state,
2379 old_tsec->sid, isec->sid,
1da177e4
LT		 2380 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2381 if (rc)
2382 return rc;
2383 } else {
2384 /* Check permissions for the transition. */
6b6bc620
SS		 2385 rc = avc_has_perm(&selinux_state,
2386 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2387 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2388 if (rc)
2389 return rc;
2390
6b6bc620
SS		 2391 rc = avc_has_perm(&selinux_state,
2392 new_tsec->sid, isec->sid,
1da177e4
LT		 2393 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2394 if (rc)
2395 return rc;
2396
a6f76f23
DH		 2397 /* Check for shared state */
2398 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2399 rc = avc_has_perm(&selinux_state,
2400 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2401 SECCLASS_PROCESS, PROCESS__SHARE,
2402 NULL);
2403 if (rc)
2404 return -EPERM;
2405 }
2406
2407 /* Make sure that anyone attempting to ptrace over a task that
2408 * changes its SID has the appropriate permit */
9227dd2a 2409 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2410 u32 ptsid = ptrace_parent_sid();
a6f76f23 2411 if (ptsid != 0) {
6b6bc620
SS		 2412 rc = avc_has_perm(&selinux_state,
2413 ptsid, new_tsec->sid,
a6f76f23
DH		 2414 SECCLASS_PROCESS,
2415 PROCESS__PTRACE, NULL);
2416 if (rc)
2417 return -EPERM;
2418 }
2419 }
1da177e4 2420
a6f76f23
DH		 2421 /* Clear any possibly unsafe personality bits on exec: */
2422 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2423
1da177e4
LT		 2424 /* Enable secure mode for SIDs transitions unless
2425 the noatsecure permission is granted between
2426 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2427 rc = avc_has_perm(&selinux_state,
2428 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2429 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2430 NULL);
2431 bprm->secureexec |= !!rc;
1da177e4
LT		 2432 }
2433
62874c3a 2434 return 0;
1da177e4
LT		 2435}
2436
c3c073f8
AV		 2437static int match_file(const void *p, struct file *file, unsigned fd)
2438{
2439 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2440}
2441
1da177e4 2442/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2443static inline void flush_unauthorized_files(const struct cred *cred,
2444 struct files_struct *files)
1da177e4 2445{
1da177e4 2446 struct file *file, *devnull = NULL;
b20c8122 2447 struct tty_struct *tty;
24ec839c 2448 int drop_tty = 0;
c3c073f8 2449 unsigned n;
1da177e4 2450
24ec839c 2451 tty = get_current_tty();
1da177e4 2452 if (tty) {
4a510969 2453 spin_lock(&tty->files_lock);
37dd0bd0 2454 if (!list_empty(&tty->tty_files)) {
d996b62a 2455 struct tty_file_private *file_priv;
37dd0bd0 2456
1da177e4 2457 /* Revalidate access to controlling tty.
13f8e981
DH		 2458 Use file_path_has_perm on the tty path directly
2459 rather than using file_has_perm, as this particular
2460 open file may belong to another process and we are
2461 only interested in the inode-based check here. */
d996b62a
NP		 2462 file_priv = list_first_entry(&tty->tty_files,
2463 struct tty_file_private, list);
2464 file = file_priv->file;
13f8e981 2465 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2466 drop_tty = 1;
1da177e4 2467 }
4a510969 2468 spin_unlock(&tty->files_lock);
452a00d2 2469 tty_kref_put(tty);
1da177e4 2470 }
98a27ba4
EB		 2471 /* Reset controlling tty. */
2472 if (drop_tty)
2473 no_tty();
1da177e4
LT		 2474
2475 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2476 n = iterate_fd(files, 0, match_file, cred);
2477 if (!n) /* none found? */
2478 return;
1da177e4 2479
c3c073f8 2480 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2481 if (IS_ERR(devnull))
2482 devnull = NULL;
2483 /* replace all the matching ones with this */
2484 do {
2485 replace_fd(n - 1, devnull, 0);
2486 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2487 if (devnull)
c3c073f8 2488 fput(devnull);
1da177e4
LT		 2489}
2490
a6f76f23
DH		 2491/*
2492 * Prepare a process for imminent new credential changes due to exec
2493 */
2494static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2495{
a6f76f23
DH		 2496 struct task_security_struct *new_tsec;
2497 struct rlimit *rlim, *initrlim;
2498 int rc, i;
d84f4f99 2499
a6f76f23
DH		 2500 new_tsec = bprm->cred->security;
2501 if (new_tsec->sid == new_tsec->osid)
2502 return;
1da177e4 2503
a6f76f23
DH		 2504 /* Close files for which the new task SID is not authorized. */
2505 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2506
a6f76f23
DH		 2507 /* Always clear parent death signal on SID transitions. */
2508 current->pdeath_signal = 0;
0356357c 2509
a6f76f23
DH		 2510 /* Check whether the new SID can inherit resource limits from the old
2511 * SID. If not, reset all soft limits to the lower of the current
2512 * task's hard limit and the init task's soft limit.
2513 *
2514 * Note that the setting of hard limits (even to lower them) can be
2515 * controlled by the setrlimit check. The inclusion of the init task's
2516 * soft limit into the computation is to avoid resetting soft limits
2517 * higher than the default soft limit for cases where the default is
2518 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2519 */
6b6bc620
SS		 2520 rc = avc_has_perm(&selinux_state,
2521 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2522 PROCESS__RLIMITINH, NULL);
2523 if (rc) {
eb2d55a3
ON		 2524 /* protect against do_prlimit() */
2525 task_lock(current);
a6f76f23
DH		 2526 for (i = 0; i < RLIM_NLIMITS; i++) {
2527 rlim = current->signal->rlim + i;
2528 initrlim = init_task.signal->rlim + i;
2529 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2530 }
eb2d55a3 2531 task_unlock(current);
baa73d9e
NP		 2532 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2533 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2534 }
2535}
2536
2537/*
a6f76f23
DH		 2538 * Clean up the process immediately after the installation of new credentials
2539 * due to exec
1da177e4 2540 */
a6f76f23 2541static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2542{
a6f76f23 2543 const struct task_security_struct *tsec = current_security();
1da177e4 2544 struct itimerval itimer;
a6f76f23 2545 u32 osid, sid;
1da177e4
LT		 2546 int rc, i;
2547
a6f76f23
DH		 2548 osid = tsec->osid;
2549 sid = tsec->sid;
2550
2551 if (sid == osid)
1da177e4
LT		 2552 return;
2553
a6f76f23
DH		 2554 /* Check whether the new SID can inherit signal state from the old SID.
2555 * If not, clear itimers to avoid subsequent signal generation and
2556 * flush and unblock signals.
2557 *
2558 * This must occur _after_ the task SID has been updated so that any
2559 * kill done after the flush will be checked against the new SID.
2560 */
6b6bc620
SS		 2561 rc = avc_has_perm(&selinux_state,
2562 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2563 if (rc) {
baa73d9e
NP		 2564 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2565 memset(&itimer, 0, sizeof itimer);
2566 for (i = 0; i < 3; i++)
2567 do_setitimer(i, &itimer, NULL);
2568 }
1da177e4 2569 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2570 if (!fatal_signal_pending(current)) {
2571 flush_sigqueue(&current->pending);
2572 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2573 flush_signal_handlers(current, 1);
2574 sigemptyset(&current->blocked);
9e7c8f8c 2575 recalc_sigpending();
3bcac026 2576 }
1da177e4
LT		 2577 spin_unlock_irq(&current->sighand->siglock);
2578 }
2579
a6f76f23
DH		 2580 /* Wake up the parent if it is waiting so that it can recheck
2581 * wait permission to the new task SID. */
ecd6de3c 2582 read_lock(&tasklist_lock);
0b7570e7 2583 __wake_up_parent(current, current->real_parent);
ecd6de3c 2584 read_unlock(&tasklist_lock);
1da177e4
LT		 2585}
2586
2587/* superblock security operations */
2588
2589static int selinux_sb_alloc_security(struct super_block *sb)
2590{
2591 return superblock_alloc_security(sb);
2592}
2593
2594static void selinux_sb_free_security(struct super_block *sb)
2595{
2596 superblock_free_security(sb);
2597}
2598
99dbbb59 2599static inline int opt_len(const char *s)
1da177e4 2600{
99dbbb59
AV		 2601 bool open_quote = false;
2602 int len;
2603 char c;
1da177e4 2604
99dbbb59
AV		 2605 for (len = 0; (c = s[len]) != '\0'; len++) {
2606 if (c == '"')
2607 open_quote = !open_quote;
2608 if (c == ',' && !open_quote)
2609 break;
3528a953 2610 }
99dbbb59 2611 return len;
3528a953
CO		 2612}
2613
99dbbb59 2614static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2615{
99dbbb59
AV		 2616 char *from = options;
2617 char *to = options;
2618 bool first = true;
1da177e4 2619
99dbbb59
AV		 2620 while (1) {
2621 int len = opt_len(from);
2622 int token, rc;
2623 char *arg = NULL;
1da177e4 2624
99dbbb59 2625 token = match_opt_prefix(from, len, &arg);
1da177e4 2626
99dbbb59
AV		 2627 if (token != Opt_error) {
2628 char *p, *q;
1da177e4 2629
99dbbb59
AV		 2630 /* strip quotes */
2631 if (arg) {
2632 for (p = q = arg; p < from + len; p++) {
2633 char c = *p;
2634 if (c != '"')
2635 *q++ = c;
2636 }
2637 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2638 }
2639 rc = selinux_add_opt(token, arg, mnt_opts);
2640 if (unlikely(rc)) {
2641 kfree(arg);
2642 if (*mnt_opts) {
2643 selinux_free_mnt_opts(*mnt_opts);
2644 *mnt_opts = NULL;
2645 }
2646 return rc;
2647 }
2648 } else {
2649 if (!first) { // copy with preceding comma
2650 from--;
2651 len++;
2652 }
2653 if (to != from)
2654 memmove(to, from, len);
2655 to += len;
2656 first = false;
1da177e4 2657 }
99dbbb59
AV		 2658 if (!from[len])
2659 break;
2660 from += len + 1;
2661 }
2662 *to = '\0';
2663 return 0;
1da177e4
LT		 2664}
2665
204cc0cc 2666static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2667{
bd323655 2668 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2669 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2670 u32 sid;
2671 int rc;
026eb167
EP		 2672
2673 if (!(sbsec->flags & SE_SBINITIALIZED))
2674 return 0;
2675
204cc0cc 2676 if (!opts)
026eb167
EP		 2677 return 0;
2678
bd323655
AV		 2679 if (opts->fscontext) {
2680 rc = parse_sid(sb, opts->fscontext, &sid);
2681 if (rc)
c039bc3c 2682 return rc;
bd323655
AV		 2683 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2684 goto out_bad_option;
026eb167 2685 }
bd323655
AV		 2686 if (opts->context) {
2687 rc = parse_sid(sb, opts->context, &sid);
2688 if (rc)
2689 return rc;
2690 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2691 goto out_bad_option;
2692 }
2693 if (opts->rootcontext) {
2694 struct inode_security_struct *root_isec;
2695 root_isec = backing_inode_security(sb->s_root);
2696 rc = parse_sid(sb, opts->rootcontext, &sid);
2697 if (rc)
2698 return rc;
2699 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2700 goto out_bad_option;
2701 }
2702 if (opts->defcontext) {
2703 rc = parse_sid(sb, opts->defcontext, &sid);
2704 if (rc)
2705 return rc;
2706 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2707 goto out_bad_option;
026eb167 2708 }
c039bc3c 2709 return 0;
026eb167 2710
026eb167 2711out_bad_option:
c103a91e 2712 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2713 "during remount (dev %s, type=%s)\n", sb->s_id,
2714 sb->s_type->name);
c039bc3c 2715 return -EINVAL;
026eb167
EP		 2716}
2717
a10d7c22 2718static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2719{
88e67f3b 2720 const struct cred *cred = current_cred();
2bf49690 2721 struct common_audit_data ad;
74192246 2722
50c205f5 2723 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2724 ad.u.dentry = sb->s_root;
88e67f3b 2725 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2726}
2727
726c3342 2728static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2729{
88e67f3b 2730 const struct cred *cred = current_cred();
2bf49690 2731 struct common_audit_data ad;
1da177e4 2732
50c205f5 2733 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2734 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2735 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2736}
2737
808d4e3c 2738static int selinux_mount(const char *dev_name,
8a04c43b 2739 const struct path *path,
808d4e3c 2740 const char *type,
828dfe1d
EP		 2741 unsigned long flags,
2742 void *data)
1da177e4 2743{
88e67f3b 2744 const struct cred *cred = current_cred();
1da177e4
LT		 2745
2746 if (flags & MS_REMOUNT)
d8c9584e 2747 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2748 FILESYSTEM__REMOUNT, NULL);
1da177e4 2749 else
2875fa00 2750 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2751}
2752
2753static int selinux_umount(struct vfsmount *mnt, int flags)
2754{
88e67f3b 2755 const struct cred *cred = current_cred();
1da177e4 2756
88e67f3b 2757 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2758 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2759}
2760
2761/* inode security operations */
2762
2763static int selinux_inode_alloc_security(struct inode *inode)
2764{
2765 return inode_alloc_security(inode);
2766}
2767
2768static void selinux_inode_free_security(struct inode *inode)
2769{
2770 inode_free_security(inode);
2771}
2772
d47be3df 2773static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2774 const struct qstr *name, void **ctx,
d47be3df
DQ		 2775 u32 *ctxlen)
2776{
d47be3df
DQ		 2777 u32 newsid;
2778 int rc;
2779
c957f6df
VG		 2780 rc = selinux_determine_inode_label(current_security(),
2781 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2782 inode_mode_to_security_class(mode),
2783 &newsid);
2784 if (rc)
2785 return rc;
d47be3df 2786
aa8e712c
SS		 2787 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2788 ctxlen);
d47be3df
DQ		 2789}
2790
a518b0a5
VG		 2791static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2792 struct qstr *name,
2793 const struct cred *old,
2794 struct cred *new)
2795{
2796 u32 newsid;
2797 int rc;
2798 struct task_security_struct *tsec;
2799
2800 rc = selinux_determine_inode_label(old->security,
2801 d_inode(dentry->d_parent), name,
2802 inode_mode_to_security_class(mode),
2803 &newsid);
2804 if (rc)
2805 return rc;
2806
2807 tsec = new->security;
2808 tsec->create_sid = newsid;
2809 return 0;
2810}
2811
5e41ff9e 2812static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2813 const struct qstr *qstr,
2814 const char **name,
2a7dba39 2815 void **value, size_t *len)
5e41ff9e 2816{
5fb49870 2817 const struct task_security_struct *tsec = current_security();
5e41ff9e 2818 struct superblock_security_struct *sbsec;
c0d4f464 2819 u32 newsid, clen;
5e41ff9e 2820 int rc;
9548906b 2821 char *context;
5e41ff9e 2822
5e41ff9e 2823 sbsec = dir->i_sb->s_security;
5e41ff9e 2824
275bb41e
DH		 2825 newsid = tsec->create_sid;
2826
c957f6df 2827 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2828 dir, qstr,
2829 inode_mode_to_security_class(inode->i_mode),
2830 &newsid);
2831 if (rc)
2832 return rc;
5e41ff9e 2833
296fddf7 2834 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2835 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2836 struct inode_security_struct *isec = inode->i_security;
2837 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2838 isec->sid = newsid;
6f3be9f5 2839 isec->initialized = LABEL_INITIALIZED;
296fddf7 2840 }
5e41ff9e 2841
aa8e712c 2842 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2843 return -EOPNOTSUPP;
2844
9548906b
TH		 2845 if (name)
2846 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2847
570bc1c2 2848 if (value && len) {
aa8e712c
SS		 2849 rc = security_sid_to_context_force(&selinux_state, newsid,
2850 &context, &clen);
9548906b 2851 if (rc)
570bc1c2 2852 return rc;
570bc1c2
SS		 2853 *value = context;
2854 *len = clen;
5e41ff9e 2855 }
5e41ff9e 2856
5e41ff9e
SS		 2857 return 0;
2858}
2859
4acdaf27 2860static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2861{
2862 return may_create(dir, dentry, SECCLASS_FILE);
2863}
2864
1da177e4
LT		 2865static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2866{
1da177e4
LT		 2867 return may_link(dir, old_dentry, MAY_LINK);
2868}
2869
1da177e4
LT		 2870static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2871{
1da177e4
LT		 2872 return may_link(dir, dentry, MAY_UNLINK);
2873}
2874
2875static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2876{
2877 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2878}
2879
18bb1db3 2880static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2881{
2882 return may_create(dir, dentry, SECCLASS_DIR);
2883}
2884
1da177e4
LT		 2885static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2886{
2887 return may_link(dir, dentry, MAY_RMDIR);
2888}
2889
1a67aafb 2890static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2891{
1da177e4
LT		 2892 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2893}
2894
1da177e4 2895static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2896 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2897{
2898 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2899}
2900
1da177e4
LT		 2901static int selinux_inode_readlink(struct dentry *dentry)
2902{
88e67f3b
DH		 2903 const struct cred *cred = current_cred();
2904
2875fa00 2905 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2906}
2907
bda0be7a
N		 2908static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2909 bool rcu)
1da177e4 2910{
88e67f3b 2911 const struct cred *cred = current_cred();
bda0be7a
N		 2912 struct common_audit_data ad;
2913 struct inode_security_struct *isec;
2914 u32 sid;
1da177e4 2915
bda0be7a
N		 2916 validate_creds(cred);
2917
2918 ad.type = LSM_AUDIT_DATA_DENTRY;
2919 ad.u.dentry = dentry;
2920 sid = cred_sid(cred);
5d226df4
AG		 2921 isec = inode_security_rcu(inode, rcu);
2922 if (IS_ERR(isec))
2923 return PTR_ERR(isec);
bda0be7a 2924
6b6bc620
SS		 2925 return avc_has_perm_flags(&selinux_state,
2926 sid, isec->sid, isec->sclass, FILE__READ, &ad,
bda0be7a 2927 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2928}
2929
d4cf970d
EP		 2930static noinline int audit_inode_permission(struct inode *inode,
2931 u32 perms, u32 audited, u32 denied,
626b9740 2932 int result,
d4cf970d 2933 unsigned flags)
1da177e4 2934{
b782e0a6 2935 struct common_audit_data ad;
d4cf970d
EP		 2936 struct inode_security_struct *isec = inode->i_security;
2937 int rc;
2938
50c205f5 2939 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2940 ad.u.inode = inode;
2941
6b6bc620
SS		 2942 rc = slow_avc_audit(&selinux_state,
2943 current_sid(), isec->sid, isec->sclass, perms,
626b9740 2944 audited, denied, result, &ad, flags);
d4cf970d
EP		 2945 if (rc)
2946 return rc;
2947 return 0;
2948}
2949
e74f71eb 2950static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2951{
88e67f3b 2952 const struct cred *cred = current_cred();
b782e0a6
EP		 2953 u32 perms;
2954 bool from_access;
cf1dd1da 2955 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2956 struct inode_security_struct *isec;
2957 u32 sid;
2958 struct av_decision avd;
2959 int rc, rc2;
2960 u32 audited, denied;
1da177e4 2961
b782e0a6 2962 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2963 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2964
b782e0a6
EP		 2965 /* No permission to check. Existence test. */
2966 if (!mask)
1da177e4 2967 return 0;
1da177e4 2968
2e334057 2969 validate_creds(cred);
b782e0a6 2970
2e334057
EP		 2971 if (unlikely(IS_PRIVATE(inode)))
2972 return 0;
b782e0a6
EP		 2973
2974 perms = file_mask_to_av(inode->i_mode, mask);
2975
2e334057 2976 sid = cred_sid(cred);
5d226df4
AG		 2977 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2978 if (IS_ERR(isec))
2979 return PTR_ERR(isec);
2e334057 2980
6b6bc620
SS		 2981 rc = avc_has_perm_noaudit(&selinux_state,
2982 sid, isec->sid, isec->sclass, perms, 0, &avd);
2e334057
EP		 2983 audited = avc_audit_required(perms, &avd, rc,
2984 from_access ? FILE__AUDIT_ACCESS : 0,
2985 &denied);
2986 if (likely(!audited))
2987 return rc;
2988
626b9740 2989 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2990 if (rc2)
2991 return rc2;
2992 return rc;
1da177e4
LT		 2993}
2994
2995static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2996{
88e67f3b 2997 const struct cred *cred = current_cred();
ccb54478 2998 struct inode *inode = d_backing_inode(dentry);
bc6a6008 2999 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3000 __u32 av = FILE__WRITE;
1da177e4 3001
bc6a6008
AW		 3002 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3003 if (ia_valid & ATTR_FORCE) {
3004 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3005 ATTR_FORCE);
3006 if (!ia_valid)
3007 return 0;
3008 }
1da177e4 3009
bc6a6008
AW		 3010 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3011 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3012 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3013
aa8e712c 3014 if (selinux_policycap_openperm() &&
ccb54478
SS		 3015 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3016 (ia_valid & ATTR_SIZE) &&
3017 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3018 av |= FILE__OPEN;
3019
3020 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3021}
3022
3f7036a0 3023static int selinux_inode_getattr(const struct path *path)
1da177e4 3024{
3f7036a0 3025 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3026}
3027
db59000a
SS		 3028static bool has_cap_mac_admin(bool audit)
3029{
3030 const struct cred *cred = current_cred();
3031 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3032
3033 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3034 return false;
3035 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3036 return false;
3037 return true;
3038}
3039
8f0cfa52
DH		 3040static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3041 const void *value, size_t size, int flags)
1da177e4 3042{
c6f493d6 3043 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3044 struct inode_security_struct *isec;
1da177e4 3045 struct superblock_security_struct *sbsec;
2bf49690 3046 struct common_audit_data ad;
275bb41e 3047 u32 newsid, sid = current_sid();
1da177e4
LT		 3048 int rc = 0;
3049
6b240306
EB		 3050 if (strcmp(name, XATTR_NAME_SELINUX)) {
3051 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3052 if (rc)
3053 return rc;
3054
3055 /* Not an attribute we recognize, so just check the
3056 ordinary setattr permission. */
3057 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3058 }
1da177e4
LT		 3059
3060 sbsec = inode->i_sb->s_security;
12f348b9 3061 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3062 return -EOPNOTSUPP;
3063
2e149670 3064 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3065 return -EPERM;
3066
50c205f5 3067 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3068 ad.u.dentry = dentry;
1da177e4 3069
20cdef8d 3070 isec = backing_inode_security(dentry);
6b6bc620
SS		 3071 rc = avc_has_perm(&selinux_state,
3072 sid, isec->sid, isec->sclass,
1da177e4
LT		 3073 FILE__RELABELFROM, &ad);
3074 if (rc)
3075 return rc;
3076
aa8e712c
SS		 3077 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3078 GFP_KERNEL);
12b29f34 3079 if (rc == -EINVAL) {
db59000a 3080 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3081 struct audit_buffer *ab;
3082 size_t audit_size;
d6ea83ec
EP		 3083
3084 /* We strip a nul only if it is at the end, otherwise the
3085 * context contains a nul and we should audit that */
e3fea3f7 3086 if (value) {
add24372
CIK		 3087 const char *str = value;
3088
e3fea3f7
AV		 3089 if (str[size - 1] == '\0')
3090 audit_size = size - 1;
3091 else
3092 audit_size = size;
3093 } else {
e3fea3f7
AV		 3094 audit_size = 0;
3095 }
cdfb6b34
RGB		 3096 ab = audit_log_start(audit_context(),
3097 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3098 audit_log_format(ab, "op=setxattr invalid_context=");
3099 audit_log_n_untrustedstring(ab, value, audit_size);
3100 audit_log_end(ab);
3101
12b29f34 3102 return rc;
d6ea83ec 3103 }
aa8e712c
SS		 3104 rc = security_context_to_sid_force(&selinux_state, value,
3105 size, &newsid);
12b29f34 3106 }
1da177e4
LT		 3107 if (rc)
3108 return rc;
3109
6b6bc620
SS		 3110 rc = avc_has_perm(&selinux_state,
3111 sid, newsid, isec->sclass,
1da177e4
LT		 3112 FILE__RELABELTO, &ad);
3113 if (rc)
3114 return rc;
3115
aa8e712c
SS		 3116 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3117 sid, isec->sclass);
1da177e4
LT		 3118 if (rc)
3119 return rc;
3120
6b6bc620
SS		 3121 return avc_has_perm(&selinux_state,
3122 newsid,
1da177e4
LT		 3123 sbsec->sid,
3124 SECCLASS_FILESYSTEM,
3125 FILESYSTEM__ASSOCIATE,
3126 &ad);
3127}
3128
8f0cfa52 3129static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3130 const void *value, size_t size,
8f0cfa52 3131 int flags)
1da177e4 3132{
c6f493d6 3133 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3134 struct inode_security_struct *isec;
1da177e4
LT		 3135 u32 newsid;
3136 int rc;
3137
3138 if (strcmp(name, XATTR_NAME_SELINUX)) {
3139 /* Not an attribute we recognize, so nothing to do. */
3140 return;
3141 }
3142
aa8e712c
SS		 3143 rc = security_context_to_sid_force(&selinux_state, value, size,
3144 &newsid);
1da177e4 3145 if (rc) {
c103a91e 3146 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3147 "for (%s, %lu), rc=%d\n",
3148 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3149 return;
3150 }
3151
20cdef8d 3152 isec = backing_inode_security(dentry);
9287aed2 3153 spin_lock(&isec->lock);
aa9c2669 3154 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3155 isec->sid = newsid;
6f3be9f5 3156 isec->initialized = LABEL_INITIALIZED;
9287aed2 3157 spin_unlock(&isec->lock);
aa9c2669 3158
1da177e4
LT		 3159 return;
3160}
3161
8f0cfa52 3162static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3163{
88e67f3b
DH		 3164 const struct cred *cred = current_cred();
3165
2875fa00 3166 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3167}
3168
828dfe1d 3169static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3170{
88e67f3b
DH		 3171 const struct cred *cred = current_cred();
3172
2875fa00 3173 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3174}
3175
8f0cfa52 3176static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3177{
6b240306
EB		 3178 if (strcmp(name, XATTR_NAME_SELINUX)) {
3179 int rc = cap_inode_removexattr(dentry, name);
3180 if (rc)
3181 return rc;
3182
3183 /* Not an attribute we recognize, so just check the
3184 ordinary setattr permission. */
3185 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3186 }
1da177e4
LT		 3187
3188 /* No one is allowed to remove a SELinux security label.
3189 You can change the label, but all data must be labeled. */
3190 return -EACCES;
3191}
3192
d381d8a9 3193/*
abc69bb6 3194 * Copy the inode security context value to the user.
d381d8a9
JM		 3195 *
3196 * Permission check is handled by selinux_inode_getxattr hook.
3197 */
ea861dfd 3198static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3199{
42492594
DQ		 3200 u32 size;
3201 int error;
3202 char *context = NULL;
20cdef8d 3203 struct inode_security_struct *isec;
d381d8a9 3204
8c8570fb
DK		 3205 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3206 return -EOPNOTSUPP;
d381d8a9 3207
abc69bb6
SS		 3208 /*
3209 * If the caller has CAP_MAC_ADMIN, then get the raw context
3210 * value even if it is not defined by current policy; otherwise,
3211 * use the in-core value under current policy.
3212 * Use the non-auditing forms of the permission checks since
3213 * getxattr may be called by unprivileged processes commonly
3214 * and lack of permission just means that we fall back to the
3215 * in-core context value, not a denial.
3216 */
20cdef8d 3217 isec = inode_security(inode);
db59000a 3218 if (has_cap_mac_admin(false))
aa8e712c
SS		 3219 error = security_sid_to_context_force(&selinux_state,
3220 isec->sid, &context,
abc69bb6
SS		 3221 &size);
3222 else
aa8e712c
SS		 3223 error = security_sid_to_context(&selinux_state, isec->sid,
3224 &context, &size);
42492594
DQ		 3225 if (error)
3226 return error;
3227 error = size;
3228 if (alloc) {
3229 *buffer = context;
3230 goto out_nofree;
3231 }
3232 kfree(context);
3233out_nofree:
3234 return error;
1da177e4
LT		 3235}
3236
3237static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3238 const void *value, size_t size, int flags)
1da177e4 3239{
2c97165b 3240 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3241 u32 newsid;
3242 int rc;
3243
3244 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3245 return -EOPNOTSUPP;
3246
3247 if (!value || !size)
3248 return -EACCES;
3249
aa8e712c
SS		 3250 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3251 GFP_KERNEL);
1da177e4
LT		 3252 if (rc)
3253 return rc;
3254
9287aed2 3255 spin_lock(&isec->lock);
aa9c2669 3256 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3257 isec->sid = newsid;
6f3be9f5 3258 isec->initialized = LABEL_INITIALIZED;
9287aed2 3259 spin_unlock(&isec->lock);
1da177e4
LT		 3260 return 0;
3261}
3262
3263static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3264{
3265 const int len = sizeof(XATTR_NAME_SELINUX);
3266 if (buffer && len <= buffer_size)
3267 memcpy(buffer, XATTR_NAME_SELINUX, len);
3268 return len;
3269}
3270
d6335d77 3271static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3272{
e817c2f3 3273 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3274 *secid = isec->sid;
3275}
3276
56909eb3
VG		 3277static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3278{
3279 u32 sid;
3280 struct task_security_struct *tsec;
3281 struct cred *new_creds = *new;
3282
3283 if (new_creds == NULL) {
3284 new_creds = prepare_creds();
3285 if (!new_creds)
3286 return -ENOMEM;
3287 }
3288
3289 tsec = new_creds->security;
3290 /* Get label from overlay inode and set it in create_sid */
3291 selinux_inode_getsecid(d_inode(src), &sid);
3292 tsec->create_sid = sid;
3293 *new = new_creds;
3294 return 0;
3295}
3296
19472b69
VG		 3297static int selinux_inode_copy_up_xattr(const char *name)
3298{
3299 /* The copy_up hook above sets the initial context on an inode, but we
3300 * don't then want to overwrite it by blindly copying all the lower
3301 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3302 */
3303 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3304 return 1; /* Discard */
3305 /*
3306 * Any other attribute apart from SELINUX is not claimed, supported
3307 * by selinux.
3308 */
3309 return -EOPNOTSUPP;
3310}
3311
1da177e4
LT		 3312/* file security operations */
3313
788e7dd4 3314static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3315{
88e67f3b 3316 const struct cred *cred = current_cred();
496ad9aa 3317 struct inode *inode = file_inode(file);
1da177e4 3318
1da177e4
LT		 3319 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3320 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3321 mask |= MAY_APPEND;
3322
389fb800
PM		 3323 return file_has_perm(cred, file,
3324 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3325}
3326
788e7dd4
YN		 3327static int selinux_file_permission(struct file *file, int mask)
3328{
496ad9aa 3329 struct inode *inode = file_inode(file);
20dda18b 3330 struct file_security_struct *fsec = file->f_security;
b197367e 3331 struct inode_security_struct *isec;
20dda18b
SS		 3332 u32 sid = current_sid();
3333
389fb800 3334 if (!mask)
788e7dd4
YN		 3335 /* No permission to check. Existence test. */
3336 return 0;
788e7dd4 3337
b197367e 3338 isec = inode_security(inode);
20dda18b 3339 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3340 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3341 /* No change since file_open check. */
20dda18b
SS		 3342 return 0;
3343
788e7dd4
YN		 3344 return selinux_revalidate_file_permission(file, mask);
3345}
3346
1da177e4
LT		 3347static int selinux_file_alloc_security(struct file *file)
3348{
3349 return file_alloc_security(file);
3350}
3351
3352static void selinux_file_free_security(struct file *file)
3353{
3354 file_free_security(file);
3355}
3356
fa1aa143
JVS		 3357/*
3358 * Check whether a task has the ioctl permission and cmd
3359 * operation to an inode.
3360 */
1d2a168a 3361static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3362 u32 requested, u16 cmd)
3363{
3364 struct common_audit_data ad;
3365 struct file_security_struct *fsec = file->f_security;
3366 struct inode *inode = file_inode(file);
20cdef8d 3367 struct inode_security_struct *isec;
fa1aa143
JVS		 3368 struct lsm_ioctlop_audit ioctl;
3369 u32 ssid = cred_sid(cred);
3370 int rc;
3371 u8 driver = cmd >> 8;
3372 u8 xperm = cmd & 0xff;
3373
3374 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3375 ad.u.op = &ioctl;
3376 ad.u.op->cmd = cmd;
3377 ad.u.op->path = file->f_path;
3378
3379 if (ssid != fsec->sid) {
6b6bc620
SS		 3380 rc = avc_has_perm(&selinux_state,
3381 ssid, fsec->sid,
fa1aa143
JVS		 3382 SECCLASS_FD,
3383 FD__USE,
3384 &ad);
3385 if (rc)
3386 goto out;
3387 }
3388
3389 if (unlikely(IS_PRIVATE(inode)))
3390 return 0;
3391
20cdef8d 3392 isec = inode_security(inode);
6b6bc620
SS		 3393 rc = avc_has_extended_perms(&selinux_state,
3394 ssid, isec->sid, isec->sclass,
3395 requested, driver, xperm, &ad);
fa1aa143
JVS		 3396out:
3397 return rc;
3398}
3399
1da177e4
LT		 3400static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3401 unsigned long arg)
3402{
88e67f3b 3403 const struct cred *cred = current_cred();
0b24dcb7 3404 int error = 0;
1da177e4 3405
0b24dcb7
EP		 3406 switch (cmd) {
3407 case FIONREAD:
3408 /* fall through */
3409 case FIBMAP:
3410 /* fall through */
3411 case FIGETBSZ:
3412 /* fall through */
2f99c369 3413 case FS_IOC_GETFLAGS:
0b24dcb7 3414 /* fall through */
2f99c369 3415 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3416 error = file_has_perm(cred, file, FILE__GETATTR);
3417 break;
1da177e4 3418
2f99c369 3419 case FS_IOC_SETFLAGS:
0b24dcb7 3420 /* fall through */
2f99c369 3421 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3422 error = file_has_perm(cred, file, FILE__SETATTR);
3423 break;
3424
3425 /* sys_ioctl() checks */
3426 case FIONBIO:
3427 /* fall through */
3428 case FIOASYNC:
3429 error = file_has_perm(cred, file, 0);
3430 break;
1da177e4 3431
0b24dcb7
EP		 3432 case KDSKBENT:
3433 case KDSKBSENT:
6a9de491 3434 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3435 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3436 break;
3437
3438 /* default case assumes that the command will go
3439 * to the file's ioctl() function.
3440 */
3441 default:
fa1aa143 3442 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3443 }
3444 return error;
1da177e4
LT		 3445}
3446
fcaaade1
SS		 3447static int default_noexec;
3448
1da177e4
LT		 3449static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3450{
88e67f3b 3451 const struct cred *cred = current_cred();
be0554c9 3452 u32 sid = cred_sid(cred);
d84f4f99 3453 int rc = 0;
88e67f3b 3454
fcaaade1 3455 if (default_noexec &&
892e8cac
SS		 3456 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3457 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3458 /*
3459 * We are making executable an anonymous mapping or a
3460 * private file mapping that will also be writable.
3461 * This has an additional check.
3462 */
6b6bc620
SS		 3463 rc = avc_has_perm(&selinux_state,
3464 sid, sid, SECCLASS_PROCESS,
be0554c9 3465 PROCESS__EXECMEM, NULL);
1da177e4 3466 if (rc)
d84f4f99 3467 goto error;
1da177e4 3468 }
1da177e4
LT		 3469
3470 if (file) {
3471 /* read access is always possible with a mapping */
3472 u32 av = FILE__READ;
3473
3474 /* write access only matters if the mapping is shared */
3475 if (shared && (prot & PROT_WRITE))
3476 av |= FILE__WRITE;
3477
3478 if (prot & PROT_EXEC)
3479 av |= FILE__EXECUTE;
3480
88e67f3b 3481 return file_has_perm(cred, file, av);
1da177e4 3482 }
d84f4f99
DH		 3483
3484error:
3485 return rc;
1da177e4
LT		 3486}
3487
e5467859 3488static int selinux_mmap_addr(unsigned long addr)
1da177e4 3489{
b1d9e6b0 3490 int rc = 0;
1da177e4 3491
a2551df7 3492 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3493 u32 sid = current_sid();
6b6bc620
SS		 3494 rc = avc_has_perm(&selinux_state,
3495 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3496 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3497 }
3498
98883bfd 3499 return rc;
e5467859 3500}
1da177e4 3501
e5467859
AV		 3502static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3503 unsigned long prot, unsigned long flags)
3504{
3ba4bf5f
SS		 3505 struct common_audit_data ad;
3506 int rc;
3507
3508 if (file) {
3509 ad.type = LSM_AUDIT_DATA_FILE;
3510 ad.u.file = file;
3511 rc = inode_has_perm(current_cred(), file_inode(file),
3512 FILE__MAP, &ad);
3513 if (rc)
3514 return rc;
3515 }
3516
aa8e712c 3517 if (selinux_state.checkreqprot)
1da177e4
LT		 3518 prot = reqprot;
3519
3520 return file_map_prot_check(file, prot,
3521 (flags & MAP_TYPE) == MAP_SHARED);
3522}
3523
3524static int selinux_file_mprotect(struct vm_area_struct *vma,
3525 unsigned long reqprot,
3526 unsigned long prot)
3527{
88e67f3b 3528 const struct cred *cred = current_cred();
be0554c9 3529 u32 sid = cred_sid(cred);
1da177e4 3530
aa8e712c 3531 if (selinux_state.checkreqprot)
1da177e4
LT		 3532 prot = reqprot;
3533
fcaaade1
SS		 3534 if (default_noexec &&
3535 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3536 int rc = 0;
db4c9641
SS		 3537 if (vma->vm_start >= vma->vm_mm->start_brk &&
3538 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3539 rc = avc_has_perm(&selinux_state,
3540 sid, sid, SECCLASS_PROCESS,
be0554c9 3541 PROCESS__EXECHEAP, NULL);
db4c9641 3542 } else if (!vma->vm_file &&
c2316dbf
SS		 3543 ((vma->vm_start <= vma->vm_mm->start_stack &&
3544 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3545 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3546 rc = avc_has_perm(&selinux_state,
3547 sid, sid, SECCLASS_PROCESS,
be0554c9 3548 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3549 } else if (vma->vm_file && vma->anon_vma) {
3550 /*
3551 * We are making executable a file mapping that has
3552 * had some COW done. Since pages might have been
3553 * written, check ability to execute the possibly
3554 * modified content. This typically should only
3555 * occur for text relocations.
3556 */
d84f4f99 3557 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3558 }