]> git.ipfire.org Git - thirdparty/linux.git/blame - security/selinux/hooks.c
projects / thirdparty / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: regularize Opt_... names a bit
[thirdparty/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
877ce7c1 82#include <linux/selinux.h>
23970741 83#include <linux/mutex.h>
f06febc9 84#include <linux/posix-timers.h>
00234592 85#include <linux/syslog.h>
3486740a 86#include <linux/user_namespace.h>
44fc7ea0 87#include <linux/export.h>
40401530
AV		 88#include <linux/msg.h>
89#include <linux/shm.h>
ec27c356 90#include <linux/bpf.h>
e262e32d 91#include <uapi/linux/mount.h>
1da177e4
LT		 92
93#include "avc.h"
94#include "objsec.h"
95#include "netif.h"
224dfbd8 96#include "netnode.h"
3e112172 97#include "netport.h"
409dcf31 98#include "ibpkey.h"
d28d1e08 99#include "xfrm.h"
c60475bf 100#include "netlabel.h"
9d57a7f9 101#include "audit.h"
7b98a585 102#include "avc_ss.h"
1da177e4 103
aa8e712c
SS		 104struct selinux_state selinux_state;
105
d621d35e 106/* SECMARK reference count */
56a4ca99 107static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 108
1da177e4 109#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 110static int selinux_enforcing_boot;
1da177e4
LT		 111
112static int __init enforcing_setup(char *str)
113{
f5269710 114 unsigned long enforcing;
29707b20 115 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 116 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 117 return 1;
118}
119__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 120#else
121#define selinux_enforcing_boot 1
1da177e4
LT		 122#endif
123
124#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
125int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126
127static int __init selinux_enabled_setup(char *str)
128{
f5269710 129 unsigned long enabled;
29707b20 130 if (!kstrtoul(str, 0, &enabled))
f5269710 131 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 132 return 1;
133}
134__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 135#else
136int selinux_enabled = 1;
1da177e4
LT		 137#endif
138
aa8e712c
SS		 139static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot))
147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 return 1;
149}
150__setup("checkreqprot=", checkreqprot_setup);
151
e18b890b 152static struct kmem_cache *sel_inode_cache;
63205654 153static struct kmem_cache *file_security_cache;
7cae7e26 154
d621d35e
PM		 155/**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 164 *
165 */
166static int selinux_secmark_enabled(void)
167{
aa8e712c
SS		 168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 170}
171
172/**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
182static int selinux_peerlbl_enabled(void)
183{
aa8e712c
SS		 184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 186}
187
615e51fd
PM		 188static int selinux_netcache_avc_callback(u32 event)
189{
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197}
198
8f408ab6
DJ		 199static int selinux_lsm_notifier_avc_callback(u32 event)
200{
409dcf31
DJ		 201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
8f408ab6 203 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 204 }
8f408ab6
DJ		 205
206 return 0;
207}
208
d84f4f99
DH		 209/*
210 * initialise the security for the init task
211 */
212static void cred_init_security(void)
1da177e4 213{
3b11a1de 214 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 215 struct task_security_struct *tsec;
216
89d155ef 217 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 218 if (!tsec)
d84f4f99 219 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 220
d84f4f99 221 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 222 cred->security = tsec;
1da177e4
LT		 223}
224
88e67f3b
DH		 225/*
226 * get the security ID of a set of credentials
227 */
228static inline u32 cred_sid(const struct cred *cred)
229{
230 const struct task_security_struct *tsec;
231
232 tsec = cred->security;
233 return tsec->sid;
234}
235
275bb41e 236/*
3b11a1de 237 * get the objective security ID of a task
275bb41e
DH		 238 */
239static inline u32 task_sid(const struct task_struct *task)
240{
275bb41e
DH		 241 u32 sid;
242
243 rcu_read_lock();
88e67f3b 244 sid = cred_sid(__task_cred(task));
275bb41e
DH		 245 rcu_read_unlock();
246 return sid;
247}
248
88e67f3b
DH		 249/* Allocate and free functions for each kind of security blob. */
250
1da177e4
LT		 251static int inode_alloc_security(struct inode *inode)
252{
1da177e4 253 struct inode_security_struct *isec;
275bb41e 254 u32 sid = current_sid();
1da177e4 255
a02fe132 256 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 257 if (!isec)
258 return -ENOMEM;
259
9287aed2 260 spin_lock_init(&isec->lock);
1da177e4 261 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 262 isec->inode = inode;
263 isec->sid = SECINITSID_UNLABELED;
264 isec->sclass = SECCLASS_FILE;
275bb41e 265 isec->task_sid = sid;
42059112 266 isec->initialized = LABEL_INVALID;
1da177e4
LT		 267 inode->i_security = isec;
268
269 return 0;
270}
271
5d226df4
AG		 272static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
273
274/*
275 * Try reloading inode security labels that have been marked as invalid. The
276 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 277 * allowed; when set to false, returns -ECHILD when the label is
e9193288 278 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 279 */
280static int __inode_security_revalidate(struct inode *inode,
e9193288 281 struct dentry *dentry,
5d226df4
AG		 282 bool may_sleep)
283{
284 struct inode_security_struct *isec = inode->i_security;
285
286 might_sleep_if(may_sleep);
287
aa8e712c
SS		 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 290 if (!may_sleep)
291 return -ECHILD;
292
293 /*
294 * Try reloading the inode security label. This will fail if
295 * @opt_dentry is NULL and no dentry for this inode can be
296 * found; in that case, continue using the old label.
297 */
e9193288 298 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 299 }
300 return 0;
301}
302
5d226df4
AG		 303static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304{
305 return inode->i_security;
306}
307
308static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
309{
310 int error;
311
312 error = __inode_security_revalidate(inode, NULL, !rcu);
313 if (error)
314 return ERR_PTR(error);
315 return inode->i_security;
316}
317
83da53c5
AG		 318/*
319 * Get the security label of an inode.
320 */
321static struct inode_security_struct *inode_security(struct inode *inode)
322{
5d226df4 323 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 324 return inode->i_security;
325}
326
2c97165b
PM		 327static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328{
329 struct inode *inode = d_backing_inode(dentry);
330
331 return inode->i_security;
332}
333
83da53c5
AG		 334/*
335 * Get the security label of a dentry's backing inode.
336 */
337static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338{
339 struct inode *inode = d_backing_inode(dentry);
340
5d226df4 341 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 342 return inode->i_security;
343}
344
3dc91d43
SR		 345static void inode_free_rcu(struct rcu_head *head)
346{
347 struct inode_security_struct *isec;
348
349 isec = container_of(head, struct inode_security_struct, rcu);
350 kmem_cache_free(sel_inode_cache, isec);
351}
352
1da177e4
LT		 353static void inode_free_security(struct inode *inode)
354{
355 struct inode_security_struct *isec = inode->i_security;
356 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
357
9629d04a
WL		 358 /*
359 * As not all inode security structures are in a list, we check for
360 * empty list outside of the lock to make sure that we won't waste
361 * time taking a lock doing nothing.
362 *
363 * The list_del_init() function can be safely called more than once.
364 * It should not be possible for this function to be called with
365 * concurrent list_add(), but for better safety against future changes
366 * in the code, we use list_empty_careful() here.
367 */
368 if (!list_empty_careful(&isec->list)) {
369 spin_lock(&sbsec->isec_lock);
1da177e4 370 list_del_init(&isec->list);
9629d04a
WL		 371 spin_unlock(&sbsec->isec_lock);
372 }
1da177e4 373
3dc91d43
SR		 374 /*
375 * The inode may still be referenced in a path walk and
376 * a call to selinux_inode_permission() can be made
377 * after inode_free_security() is called. Ideally, the VFS
378 * wouldn't do this, but fixing that is a much harder
379 * job. For now, simply free the i_security via RCU, and
380 * leave the current inode->i_security pointer intact.
381 * The inode will be freed after the RCU grace period too.
382 */
383 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 384}
385
386static int file_alloc_security(struct file *file)
387{
1da177e4 388 struct file_security_struct *fsec;
275bb41e 389 u32 sid = current_sid();
1da177e4 390
63205654 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 392 if (!fsec)
393 return -ENOMEM;
394
275bb41e
DH		 395 fsec->sid = sid;
396 fsec->fown_sid = sid;
1da177e4
LT		 397 file->f_security = fsec;
398
399 return 0;
400}
401
402static void file_free_security(struct file *file)
403{
404 struct file_security_struct *fsec = file->f_security;
1da177e4 405 file->f_security = NULL;
63205654 406 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 407}
408
409static int superblock_alloc_security(struct super_block *sb)
410{
411 struct superblock_security_struct *sbsec;
412
89d155ef 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 414 if (!sbsec)
415 return -ENOMEM;
416
bc7e982b 417 mutex_init(&sbsec->lock);
1da177e4
LT		 418 INIT_LIST_HEAD(&sbsec->isec_head);
419 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 420 sbsec->sb = sb;
421 sbsec->sid = SECINITSID_UNLABELED;
422 sbsec->def_sid = SECINITSID_FILE;
c312feb2 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 424 sb->s_security = sbsec;
425
426 return 0;
427}
428
429static void superblock_free_security(struct super_block *sb)
430{
431 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 432 sb->s_security = NULL;
433 kfree(sbsec);
434}
435
bd323655
AV		 436struct selinux_mnt_opts {
437 const char *fscontext, *context, *rootcontext, *defcontext;
438};
439
204cc0cc
AV		 440static void selinux_free_mnt_opts(void *mnt_opts)
441{
bd323655
AV		 442 struct selinux_mnt_opts *opts = mnt_opts;
443 kfree(opts->fscontext);
444 kfree(opts->context);
445 kfree(opts->rootcontext);
446 kfree(opts->defcontext);
204cc0cc
AV		 447 kfree(opts);
448}
449
1da177e4
LT		 450static inline int inode_doinit(struct inode *inode)
451{
452 return inode_doinit_with_dentry(inode, NULL);
453}
454
455enum {
31e87930 456 Opt_error = -1,
1da177e4
LT		 457 Opt_context = 1,
458 Opt_fscontext = 2,
c9180a57
EP		 459 Opt_defcontext = 3,
460 Opt_rootcontext = 4,
da3d76ab 461 Opt_seclabel = 5,
1da177e4
LT		 462};
463
da3d76ab 464#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 465static struct {
466 const char *name;
467 int len;
468 int opt;
469 bool has_arg;
470} tokens[] = {
da3d76ab
AV		 471 A(context, true),
472 A(fscontext, true),
473 A(defcontext, true),
474 A(rootcontext, true),
475 A(seclabel, false),
1da177e4 476};
169d68ef
AV		 477#undef A
478
479static int match_opt_prefix(char *s, int l, char **arg)
480{
481 int i;
482
483 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
484 size_t len = tokens[i].len;
485 if (len > l || memcmp(s, tokens[i].name, len))
486 continue;
487 if (tokens[i].has_arg) {
488 if (len == l || s[len] != '=')
489 continue;
490 *arg = s + len + 1;
491 } else if (len != l)
492 continue;
493 return tokens[i].opt;
494 }
495 return Opt_error;
496}
1da177e4
LT		 497
498#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
499
c312feb2
EP		 500static int may_context_mount_sb_relabel(u32 sid,
501 struct superblock_security_struct *sbsec,
275bb41e 502 const struct cred *cred)
c312feb2 503{
275bb41e 504 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 505 int rc;
506
6b6bc620
SS		 507 rc = avc_has_perm(&selinux_state,
508 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 509 FILESYSTEM__RELABELFROM, NULL);
510 if (rc)
511 return rc;
512
6b6bc620
SS		 513 rc = avc_has_perm(&selinux_state,
514 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 515 FILESYSTEM__RELABELTO, NULL);
516 return rc;
517}
518
0808925e
EP		 519static int may_context_mount_inode_relabel(u32 sid,
520 struct superblock_security_struct *sbsec,
275bb41e 521 const struct cred *cred)
0808925e 522{
275bb41e 523 const struct task_security_struct *tsec = cred->security;
0808925e 524 int rc;
6b6bc620
SS		 525 rc = avc_has_perm(&selinux_state,
526 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 527 FILESYSTEM__RELABELFROM, NULL);
528 if (rc)
529 return rc;
530
6b6bc620
SS		 531 rc = avc_has_perm(&selinux_state,
532 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 533 FILESYSTEM__ASSOCIATE, NULL);
534 return rc;
535}
536
b43e725d
EP		 537static int selinux_is_sblabel_mnt(struct super_block *sb)
538{
539 struct superblock_security_struct *sbsec = sb->s_security;
540
d5f3a5f6
MS		 541 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
542 sbsec->behavior == SECURITY_FS_USE_TRANS ||
543 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 544 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 545 /* Special handling. Genfs but also in-core setxattr handler */
546 !strcmp(sb->s_type->name, "sysfs") ||
547 !strcmp(sb->s_type->name, "pstore") ||
548 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 549 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 550 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 551 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 552 (!strcmp(sb->s_type->name, "cgroup") ||
553 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 554}
555
c9180a57 556static int sb_finish_set_opts(struct super_block *sb)
1da177e4 557{
1da177e4 558 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 559 struct dentry *root = sb->s_root;
c6f493d6 560 struct inode *root_inode = d_backing_inode(root);
c9180a57 561 int rc = 0;
1da177e4 562
c9180a57
EP		 563 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
564 /* Make sure that the xattr handler exists and that no
565 error other than -ENODATA is returned by getxattr on
566 the root directory. -ENODATA is ok, as this may be
567 the first boot of the SELinux kernel before we have
568 assigned xattr values to the filesystem. */
5d6c3191 569 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 570 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 571 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 572 rc = -EOPNOTSUPP;
573 goto out;
574 }
5d6c3191
AG		 575
576 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 577 if (rc < 0 && rc != -ENODATA) {
578 if (rc == -EOPNOTSUPP)
c103a91e 579 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 580 "%s) has no security xattr handler\n",
581 sb->s_id, sb->s_type->name);
c9180a57 582 else
c103a91e 583 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 584 "%s) getxattr errno %d\n", sb->s_id,
585 sb->s_type->name, -rc);
c9180a57
EP		 586 goto out;
587 }
588 }
1da177e4 589
eadcabc6 590 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 591
592 /*
593 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
594 * leave the flag untouched because sb_clone_mnt_opts might be handing
595 * us a superblock that needs the flag to be cleared.
596 */
b43e725d 597 if (selinux_is_sblabel_mnt(sb))
12f348b9 598 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 599 else
600 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 601
c9180a57
EP		 602 /* Initialize the root inode. */
603 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 604
c9180a57
EP		 605 /* Initialize any other inodes associated with the superblock, e.g.
606 inodes created prior to initial policy load or inodes created
607 during get_sb by a pseudo filesystem that directly
608 populates itself. */
609 spin_lock(&sbsec->isec_lock);
8d64124a 610 while (!list_empty(&sbsec->isec_head)) {
c9180a57 611 struct inode_security_struct *isec =
8d64124a 612 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 613 struct inode_security_struct, list);
614 struct inode *inode = isec->inode;
923190d3 615 list_del_init(&isec->list);
c9180a57
EP		 616 spin_unlock(&sbsec->isec_lock);
617 inode = igrab(inode);
618 if (inode) {
619 if (!IS_PRIVATE(inode))
620 inode_doinit(inode);
621 iput(inode);
622 }
623 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 624 }
625 spin_unlock(&sbsec->isec_lock);
626out:
627 return rc;
628}
1da177e4 629
c9180a57
EP		 630static int bad_option(struct superblock_security_struct *sbsec, char flag,
631 u32 old_sid, u32 new_sid)
632{
0d90a7ec
DQ		 633 char mnt_flags = sbsec->flags & SE_MNTMASK;
634
c9180a57 635 /* check if the old mount command had the same options */
0d90a7ec 636 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 637 if (!(sbsec->flags & flag) ||
638 (old_sid != new_sid))
639 return 1;
640
641 /* check if we were passed the same options twice,
642 * aka someone passed context=a,context=b
643 */
0d90a7ec
DQ		 644 if (!(sbsec->flags & SE_SBINITIALIZED))
645 if (mnt_flags & flag)
c9180a57
EP		 646 return 1;
647 return 0;
648}
e0007529 649
bd323655
AV		 650static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
651{
652 int rc = security_context_str_to_sid(&selinux_state, s,
653 sid, GFP_KERNEL);
654 if (rc)
655 pr_warn("SELinux: security_context_str_to_sid"
656 "(%s) failed for (dev %s, type %s) errno=%d\n",
657 s, sb->s_id, sb->s_type->name, rc);
658 return rc;
659}
660
c9180a57
EP		 661/*
662 * Allow filesystems with binary mount data to explicitly set mount point
663 * labeling information.
664 */
e0007529 665static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 666 void *mnt_opts,
649f6e77
DQ		 667 unsigned long kern_flags,
668 unsigned long *set_kern_flags)
c9180a57 669{
275bb41e 670 const struct cred *cred = current_cred();
c9180a57 671 struct superblock_security_struct *sbsec = sb->s_security;
83da53c5 672 struct dentry *root = sbsec->sb->s_root;
bd323655 673 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 674 struct inode_security_struct *root_isec;
c9180a57
EP		 675 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
676 u32 defcontext_sid = 0;
bd323655 677 int rc = 0;
c9180a57
EP		 678
679 mutex_lock(&sbsec->lock);
680
aa8e712c 681 if (!selinux_state.initialized) {
bd323655 682 if (!opts) {
c9180a57
EP		 683 /* Defer initialization until selinux_complete_init,
684 after the initial policy is loaded and the security
685 server is ready to handle calls. */
c9180a57
EP		 686 goto out;
687 }
688 rc = -EINVAL;
c103a91e 689 pr_warn("SELinux: Unable to set superblock options "
744ba35e 690 "before the security server is initialized\n");
1da177e4 691 goto out;
c9180a57 692 }
649f6e77
DQ		 693 if (kern_flags && !set_kern_flags) {
694 /* Specifying internal flags without providing a place to
695 * place the results is not allowed */
696 rc = -EINVAL;
697 goto out;
698 }
1da177e4 699
e0007529
EP		 700 /*
701 * Binary mount data FS will come through this function twice. Once
702 * from an explicit call and once from the generic calls from the vfs.
703 * Since the generic VFS calls will not contain any security mount data
704 * we need to skip the double mount verification.
705 *
706 * This does open a hole in which we will not notice if the first
707 * mount using this sb set explict options and a second mount using
708 * this sb does not set any security options. (The first options
709 * will be used for both mounts)
710 */
0d90a7ec 711 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 712 && !opts)
f5269710 713 goto out;
e0007529 714
2c97165b
PM		 715 root_isec = backing_inode_security_novalidate(root);
716
c9180a57
EP		 717 /*
718 * parse the mount options, check if they are valid sids.
719 * also check if someone is trying to mount the same sb more
720 * than once with different security options.
721 */
bd323655
AV		 722 if (opts) {
723 if (opts->fscontext) {
724 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
725 if (rc)
726 goto out;
c9180a57
EP		 727 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
728 fscontext_sid))
729 goto out_double_mount;
c9180a57 730 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 731 }
732 if (opts->context) {
733 rc = parse_sid(sb, opts->context, &context_sid);
734 if (rc)
735 goto out;
c9180a57
EP		 736 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
737 context_sid))
738 goto out_double_mount;
c9180a57 739 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 740 }
741 if (opts->rootcontext) {
742 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
743 if (rc)
744 goto out;
c9180a57
EP		 745 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
746 rootcontext_sid))
747 goto out_double_mount;
c9180a57 748 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 749 }
750 if (opts->defcontext) {
751 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
752 if (rc)
753 goto out;
c9180a57
EP		 754 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
755 defcontext_sid))
756 goto out_double_mount;
c9180a57 757 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 758 }
c9180a57
EP		 759 }
760
0d90a7ec 761 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 762 /* previously mounted with options, but not on this attempt? */
bd323655 763 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 764 goto out_double_mount;
765 rc = 0;
766 goto out;
767 }
768
089be43e 769 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 770 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
771
8e014720 772 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 773 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 774 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 775 !strcmp(sb->s_type->name, "pstore") ||
776 !strcmp(sb->s_type->name, "cgroup") ||
777 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 778 sbsec->flags |= SE_SBGENFS;
c9180a57 779
eb9ae686
DQ		 780 if (!sbsec->behavior) {
781 /*
782 * Determine the labeling behavior to use for this
783 * filesystem type.
784 */
aa8e712c 785 rc = security_fs_use(&selinux_state, sb);
eb9ae686 786 if (rc) {
c103a91e 787 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 788 __func__, sb->s_type->name, rc);
789 goto out;
790 }
c9180a57 791 }
aad82892
SF		 792
793 /*
01593d32
SS		 794 * If this is a user namespace mount and the filesystem type is not
795 * explicitly whitelisted, then no contexts are allowed on the command
796 * line and security labels must be ignored.
aad82892 797 */
01593d32
SS		 798 if (sb->s_user_ns != &init_user_ns &&
799 strcmp(sb->s_type->name, "tmpfs") &&
800 strcmp(sb->s_type->name, "ramfs") &&
801 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 802 if (context_sid || fscontext_sid || rootcontext_sid ||
803 defcontext_sid) {
804 rc = -EACCES;
805 goto out;
806 }
807 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
808 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 809 rc = security_transition_sid(&selinux_state,
810 current_sid(),
811 current_sid(),
aad82892
SF		 812 SECCLASS_FILE, NULL,
813 &sbsec->mntpoint_sid);
814 if (rc)
815 goto out;
816 }
817 goto out_set_opts;
818 }
819
c9180a57
EP		 820 /* sets the context of the superblock for the fs being mounted. */
821 if (fscontext_sid) {
275bb41e 822 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 823 if (rc)
c9180a57 824 goto out;
1da177e4 825
c9180a57 826 sbsec->sid = fscontext_sid;
c312feb2
EP		 827 }
828
829 /*
830 * Switch to using mount point labeling behavior.
831 * sets the label used on all file below the mountpoint, and will set
832 * the superblock context if not already set.
833 */
eb9ae686
DQ		 834 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
835 sbsec->behavior = SECURITY_FS_USE_NATIVE;
836 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
837 }
838
c9180a57
EP		 839 if (context_sid) {
840 if (!fscontext_sid) {
275bb41e
DH		 841 rc = may_context_mount_sb_relabel(context_sid, sbsec,
842 cred);
b04ea3ce 843 if (rc)
c9180a57
EP		 844 goto out;
845 sbsec->sid = context_sid;
b04ea3ce 846 } else {
275bb41e
DH		 847 rc = may_context_mount_inode_relabel(context_sid, sbsec,
848 cred);
b04ea3ce 849 if (rc)
c9180a57 850 goto out;
b04ea3ce 851 }
c9180a57
EP		 852 if (!rootcontext_sid)
853 rootcontext_sid = context_sid;
1da177e4 854
c9180a57 855 sbsec->mntpoint_sid = context_sid;
c312feb2 856 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 857 }
858
c9180a57 859 if (rootcontext_sid) {
275bb41e
DH		 860 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
861 cred);
0808925e 862 if (rc)
c9180a57 863 goto out;
0808925e 864
c9180a57 865 root_isec->sid = rootcontext_sid;
6f3be9f5 866 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 867 }
868
c9180a57 869 if (defcontext_sid) {
eb9ae686
DQ		 870 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
871 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 872 rc = -EINVAL;
c103a91e 873 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 874 "invalid for this filesystem type\n");
875 goto out;
1da177e4
LT		 876 }
877
c9180a57
EP		 878 if (defcontext_sid != sbsec->def_sid) {
879 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 880 sbsec, cred);
c9180a57
EP		 881 if (rc)
882 goto out;
883 }
1da177e4 884
c9180a57 885 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 886 }
887
aad82892 888out_set_opts:
c9180a57 889 rc = sb_finish_set_opts(sb);
1da177e4 890out:
c9180a57 891 mutex_unlock(&sbsec->lock);
1da177e4 892 return rc;
c9180a57
EP		 893out_double_mount:
894 rc = -EINVAL;
c103a91e 895 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 896 "security settings for (dev %s, type %s)\n", sb->s_id,
897 sb->s_type->name);
c9180a57 898 goto out;
1da177e4
LT		 899}
900
094f7b69
JL		 901static int selinux_cmp_sb_context(const struct super_block *oldsb,
902 const struct super_block *newsb)
903{
904 struct superblock_security_struct *old = oldsb->s_security;
905 struct superblock_security_struct *new = newsb->s_security;
906 char oldflags = old->flags & SE_MNTMASK;
907 char newflags = new->flags & SE_MNTMASK;
908
909 if (oldflags != newflags)
910 goto mismatch;
911 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
912 goto mismatch;
913 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
914 goto mismatch;
915 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
916 goto mismatch;
917 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 918 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
919 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 920 if (oldroot->sid != newroot->sid)
921 goto mismatch;
922 }
923 return 0;
924mismatch:
c103a91e 925 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 926 "different security settings for (dev %s, "
927 "type %s)\n", newsb->s_id, newsb->s_type->name);
928 return -EBUSY;
929}
930
931static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 932 struct super_block *newsb,
933 unsigned long kern_flags,
934 unsigned long *set_kern_flags)
1da177e4 935{
0b4d3452 936 int rc = 0;
c9180a57
EP		 937 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
938 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 939
c9180a57
EP		 940 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
941 int set_context = (oldsbsec->flags & CONTEXT_MNT);
942 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 943
0f5e6420
EP		 944 /*
945 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 946 * mount options. thus we can safely deal with this superblock later
0f5e6420 947 */
aa8e712c 948 if (!selinux_state.initialized)
094f7b69 949 return 0;
c9180a57 950
0b4d3452
SM		 951 /*
952 * Specifying internal flags without providing a place to
953 * place the results is not allowed.
954 */
955 if (kern_flags && !set_kern_flags)
956 return -EINVAL;
957
c9180a57 958 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 959 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 960
094f7b69 961 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 962 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 963 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 964
c9180a57
EP		 965 mutex_lock(&newsbsec->lock);
966
967 newsbsec->flags = oldsbsec->flags;
968
969 newsbsec->sid = oldsbsec->sid;
970 newsbsec->def_sid = oldsbsec->def_sid;
971 newsbsec->behavior = oldsbsec->behavior;
972
0b4d3452
SM		 973 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
974 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 975 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 976 if (rc)
977 goto out;
978 }
979
980 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
981 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
982 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
983 }
984
c9180a57
EP		 985 if (set_context) {
986 u32 sid = oldsbsec->mntpoint_sid;
987
988 if (!set_fscontext)
989 newsbsec->sid = sid;
990 if (!set_rootcontext) {
83da53c5 991 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 992 newisec->sid = sid;
993 }
994 newsbsec->mntpoint_sid = sid;
1da177e4 995 }
c9180a57 996 if (set_rootcontext) {
83da53c5
AG		 997 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
998 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 999
c9180a57 1000 newisec->sid = oldisec->sid;
1da177e4
LT		 1001 }
1002
c9180a57 1003 sb_finish_set_opts(newsb);
0b4d3452 1004out:
c9180a57 1005 mutex_unlock(&newsbsec->lock);
0b4d3452 1006 return rc;
c9180a57
EP		 1007}
1008
ba641862
AV		 1009static int selinux_add_opt(int token, const char *s, void **mnt_opts)
1010{
1011 struct selinux_mnt_opts *opts = *mnt_opts;
1012
da3d76ab 1013 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef
AV		 1014 return 0;
1015
ba641862
AV		 1016 if (!opts) {
1017 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1018 if (!opts)
1019 return -ENOMEM;
1020 *mnt_opts = opts;
1021 }
1022 if (!s)
1023 return -ENOMEM;
1024 switch (token) {
1025 case Opt_context:
1026 if (opts->context || opts->defcontext)
1027 goto Einval;
1028 opts->context = s;
1029 break;
1030 case Opt_fscontext:
1031 if (opts->fscontext)
1032 goto Einval;
1033 opts->fscontext = s;
1034 break;
1035 case Opt_rootcontext:
1036 if (opts->rootcontext)
1037 goto Einval;
1038 opts->rootcontext = s;
1039 break;
1040 case Opt_defcontext:
1041 if (opts->context || opts->defcontext)
1042 goto Einval;
1043 opts->defcontext = s;
1044 break;
1045 }
1046 return 0;
1047Einval:
1048 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862
AV		 1049 return -EINVAL;
1050}
1051
2e1479d9 1052static int selinux_parse_opts_str(char *options,
204cc0cc 1053 void **mnt_opts)
c9180a57 1054{
169d68ef
AV		 1055 char *p = options, *next;
1056 int rc;
1da177e4 1057
c9180a57 1058 /* Standard string-based options. */
169d68ef
AV		 1059 for (p = options; *p; p = next) {
1060 int token, len;
1061 char *arg = NULL;
1da177e4 1062
169d68ef
AV		 1063 next = strchr(p, '|');
1064 if (next) {
1065 len = next++ - p;
1066 } else {
1067 len = strlen(p);
1068 next = p + len;
1069 }
1da177e4 1070
169d68ef 1071 if (!len)
ba641862 1072 continue;
169d68ef
AV		 1073
1074 token = match_opt_prefix(p, len, &arg);
1075 if (arg)
1076 arg = kmemdup_nul(arg, p + len - arg, GFP_KERNEL);
ba641862 1077 rc = selinux_add_opt(token, arg, mnt_opts);
169d68ef 1078 if (rc) {
ba641862 1079 kfree(arg);
169d68ef
AV		 1080 selinux_free_mnt_opts(*mnt_opts);
1081 *mnt_opts = NULL;
ba641862 1082 return rc;
1da177e4 1083 }
1da177e4 1084 }
e0007529 1085 return 0;
1da177e4
LT		 1086}
1087
e3489f89 1088static int show_sid(struct seq_file *m, u32 sid)
2069f457 1089{
e3489f89
AV		 1090 char *context = NULL;
1091 u32 len;
1092 int rc;
11689d47 1093
e3489f89
AV		 1094 rc = security_sid_to_context(&selinux_state, sid,
1095 &context, &len);
1096 if (!rc) {
1097 bool has_comma = context && strchr(context, ',');
2069f457 1098
2069f457
EP		 1099 if (has_comma)
1100 seq_putc(m, '\"');
e3489f89 1101 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1102 if (has_comma)
1103 seq_putc(m, '\"');
1104 }
e3489f89
AV		 1105 kfree(context);
1106 return rc;
2069f457
EP		 1107}
1108
1109static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1110{
e3489f89 1111 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1112 int rc;
1113
e3489f89
AV		 1114 if (!(sbsec->flags & SE_SBINITIALIZED))
1115 return 0;
2069f457 1116
e3489f89
AV		 1117 if (!selinux_state.initialized)
1118 return 0;
2069f457 1119
e3489f89
AV		 1120 if (sbsec->flags & FSCONTEXT_MNT) {
1121 seq_putc(m, ',');
1122 seq_puts(m, FSCONTEXT_STR);
1123 rc = show_sid(m, sbsec->sid);
1124 if (rc)
1125 return rc;
1126 }
1127 if (sbsec->flags & CONTEXT_MNT) {
1128 seq_putc(m, ',');
1129 seq_puts(m, CONTEXT_STR);
1130 rc = show_sid(m, sbsec->mntpoint_sid);
1131 if (rc)
1132 return rc;
1133 }
1134 if (sbsec->flags & DEFCONTEXT_MNT) {
1135 seq_putc(m, ',');
1136 seq_puts(m, DEFCONTEXT_STR);
1137 rc = show_sid(m, sbsec->def_sid);
1138 if (rc)
1139 return rc;
1140 }
1141 if (sbsec->flags & ROOTCONTEXT_MNT) {
1142 struct dentry *root = sbsec->sb->s_root;
1143 struct inode_security_struct *isec = backing_inode_security(root);
1144 seq_putc(m, ',');
1145 seq_puts(m, ROOTCONTEXT_STR);
1146 rc = show_sid(m, isec->sid);
1147 if (rc)
1148 return rc;
1149 }
1150 if (sbsec->flags & SBLABEL_MNT) {
1151 seq_putc(m, ',');
1152 seq_puts(m, LABELSUPP_STR);
1153 }
1154 return 0;
2069f457
EP		 1155}
1156
1da177e4
LT		 1157static inline u16 inode_mode_to_security_class(umode_t mode)
1158{
1159 switch (mode & S_IFMT) {
1160 case S_IFSOCK:
1161 return SECCLASS_SOCK_FILE;
1162 case S_IFLNK:
1163 return SECCLASS_LNK_FILE;
1164 case S_IFREG:
1165 return SECCLASS_FILE;
1166 case S_IFBLK:
1167 return SECCLASS_BLK_FILE;
1168 case S_IFDIR:
1169 return SECCLASS_DIR;
1170 case S_IFCHR:
1171 return SECCLASS_CHR_FILE;
1172 case S_IFIFO:
1173 return SECCLASS_FIFO_FILE;
1174
1175 }
1176
1177 return SECCLASS_FILE;
1178}
1179
13402580
JM		 1180static inline int default_protocol_stream(int protocol)
1181{
1182 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1183}
1184
1185static inline int default_protocol_dgram(int protocol)
1186{
1187 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1188}
1189
1da177e4
LT		 1190static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1191{
aa8e712c 1192 int extsockclass = selinux_policycap_extsockclass();
da69a530 1193
1da177e4
LT		 1194 switch (family) {
1195 case PF_UNIX:
1196 switch (type) {
1197 case SOCK_STREAM:
1198 case SOCK_SEQPACKET:
1199 return SECCLASS_UNIX_STREAM_SOCKET;
1200 case SOCK_DGRAM:
2a764b52 1201 case SOCK_RAW:
1da177e4
LT		 1202 return SECCLASS_UNIX_DGRAM_SOCKET;
1203 }
1204 break;
1205 case PF_INET:
1206 case PF_INET6:
1207 switch (type) {
1208 case SOCK_STREAM:
da69a530 1209 case SOCK_SEQPACKET:
13402580
JM		 1210 if (default_protocol_stream(protocol))
1211 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1212 else if (extsockclass && protocol == IPPROTO_SCTP)
1213 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1214 else
1215 return SECCLASS_RAWIP_SOCKET;
1da177e4 1216 case SOCK_DGRAM:
13402580
JM		 1217 if (default_protocol_dgram(protocol))
1218 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1219 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1220 protocol == IPPROTO_ICMPV6))
da69a530 1221 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1222 else
1223 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1224 case SOCK_DCCP:
1225 return SECCLASS_DCCP_SOCKET;
13402580 1226 default:
1da177e4
LT		 1227 return SECCLASS_RAWIP_SOCKET;
1228 }
1229 break;
1230 case PF_NETLINK:
1231 switch (protocol) {
1232 case NETLINK_ROUTE:
1233 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1234 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1235 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1236 case NETLINK_NFLOG:
1237 return SECCLASS_NETLINK_NFLOG_SOCKET;
1238 case NETLINK_XFRM:
1239 return SECCLASS_NETLINK_XFRM_SOCKET;
1240 case NETLINK_SELINUX:
1241 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1242 case NETLINK_ISCSI:
1243 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1244 case NETLINK_AUDIT:
1245 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1246 case NETLINK_FIB_LOOKUP:
1247 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1248 case NETLINK_CONNECTOR:
1249 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1250 case NETLINK_NETFILTER:
1251 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1252 case NETLINK_DNRTMSG:
1253 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1254 case NETLINK_KOBJECT_UEVENT:
1255 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1256 case NETLINK_GENERIC:
1257 return SECCLASS_NETLINK_GENERIC_SOCKET;
1258 case NETLINK_SCSITRANSPORT:
1259 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1260 case NETLINK_RDMA:
1261 return SECCLASS_NETLINK_RDMA_SOCKET;
1262 case NETLINK_CRYPTO:
1263 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1264 default:
1265 return SECCLASS_NETLINK_SOCKET;
1266 }
1267 case PF_PACKET:
1268 return SECCLASS_PACKET_SOCKET;
1269 case PF_KEY:
1270 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1271 case PF_APPLETALK:
1272 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1273 }
1274
da69a530
SS		 1275 if (extsockclass) {
1276 switch (family) {
1277 case PF_AX25:
1278 return SECCLASS_AX25_SOCKET;
1279 case PF_IPX:
1280 return SECCLASS_IPX_SOCKET;
1281 case PF_NETROM:
1282 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1283 case PF_ATMPVC:
1284 return SECCLASS_ATMPVC_SOCKET;
1285 case PF_X25:
1286 return SECCLASS_X25_SOCKET;
1287 case PF_ROSE:
1288 return SECCLASS_ROSE_SOCKET;
1289 case PF_DECnet:
1290 return SECCLASS_DECNET_SOCKET;
1291 case PF_ATMSVC:
1292 return SECCLASS_ATMSVC_SOCKET;
1293 case PF_RDS:
1294 return SECCLASS_RDS_SOCKET;
1295 case PF_IRDA:
1296 return SECCLASS_IRDA_SOCKET;
1297 case PF_PPPOX:
1298 return SECCLASS_PPPOX_SOCKET;
1299 case PF_LLC:
1300 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1301 case PF_CAN:
1302 return SECCLASS_CAN_SOCKET;
1303 case PF_TIPC:
1304 return SECCLASS_TIPC_SOCKET;
1305 case PF_BLUETOOTH:
1306 return SECCLASS_BLUETOOTH_SOCKET;
1307 case PF_IUCV:
1308 return SECCLASS_IUCV_SOCKET;
1309 case PF_RXRPC:
1310 return SECCLASS_RXRPC_SOCKET;
1311 case PF_ISDN:
1312 return SECCLASS_ISDN_SOCKET;
1313 case PF_PHONET:
1314 return SECCLASS_PHONET_SOCKET;
1315 case PF_IEEE802154:
1316 return SECCLASS_IEEE802154_SOCKET;
1317 case PF_CAIF:
1318 return SECCLASS_CAIF_SOCKET;
1319 case PF_ALG:
1320 return SECCLASS_ALG_SOCKET;
1321 case PF_NFC:
1322 return SECCLASS_NFC_SOCKET;
1323 case PF_VSOCK:
1324 return SECCLASS_VSOCK_SOCKET;
1325 case PF_KCM:
1326 return SECCLASS_KCM_SOCKET;
1327 case PF_QIPCRTR:
1328 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1329 case PF_SMC:
1330 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1331 case PF_XDP:
1332 return SECCLASS_XDP_SOCKET;
1333#if PF_MAX > 45
da69a530
SS		 1334#error New address family defined, please update this function.
1335#endif
1336 }
1337 }
1338
1da177e4
LT		 1339 return SECCLASS_SOCKET;
1340}
1341
134509d5
SS		 1342static int selinux_genfs_get_sid(struct dentry *dentry,
1343 u16 tclass,
1344 u16 flags,
1345 u32 *sid)
1da177e4 1346{
8e6c9693 1347 int rc;
fc64005c 1348 struct super_block *sb = dentry->d_sb;
8e6c9693 1349 char *buffer, *path;
1da177e4 1350
828dfe1d 1351 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1352 if (!buffer)
1353 return -ENOMEM;
1354
8e6c9693
LAG		 1355 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1356 if (IS_ERR(path))
1357 rc = PTR_ERR(path);
1358 else {
134509d5
SS		 1359 if (flags & SE_SBPROC) {
1360 /* each process gets a /proc/PID/ entry. Strip off the
1361 * PID part to get a valid selinux labeling.
1362 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1363 while (path[1] >= '0' && path[1] <= '9') {
1364 path[1] = '/';
1365 path++;
1366 }
8e6c9693 1367 }
aa8e712c
SS		 1368 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1369 path, tclass, sid);
7bb185ed
SS		 1370 if (rc == -ENOENT) {
1371 /* No match in policy, mark as unlabeled. */
1372 *sid = SECINITSID_UNLABELED;
1373 rc = 0;
1374 }
1da177e4 1375 }
1da177e4
LT		 1376 free_page((unsigned long)buffer);
1377 return rc;
1378}
1da177e4
LT		 1379
1380/* The inode's security attributes must be initialized before first use. */
1381static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1382{
1383 struct superblock_security_struct *sbsec = NULL;
1384 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1385 u32 task_sid, sid = 0;
1386 u16 sclass;
1da177e4
LT		 1387 struct dentry *dentry;
1388#define INITCONTEXTLEN 255
1389 char *context = NULL;
1390 unsigned len = 0;
1391 int rc = 0;
1da177e4 1392
6f3be9f5 1393 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1394 return 0;
1da177e4 1395
9287aed2 1396 spin_lock(&isec->lock);
6f3be9f5 1397 if (isec->initialized == LABEL_INITIALIZED)
23970741 1398 goto out_unlock;
1da177e4 1399
13457d07
AG		 1400 if (isec->sclass == SECCLASS_FILE)
1401 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1402
1da177e4 1403 sbsec = inode->i_sb->s_security;
0d90a7ec 1404 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1405 /* Defer initialization until selinux_complete_init,
1406 after the initial policy is loaded and the security
1407 server is ready to handle calls. */
1408 spin_lock(&sbsec->isec_lock);
1409 if (list_empty(&isec->list))
1410 list_add(&isec->list, &sbsec->isec_head);
1411 spin_unlock(&sbsec->isec_lock);
23970741 1412 goto out_unlock;
1da177e4
LT		 1413 }
1414
9287aed2
AG		 1415 sclass = isec->sclass;
1416 task_sid = isec->task_sid;
1417 sid = isec->sid;
1418 isec->initialized = LABEL_PENDING;
1419 spin_unlock(&isec->lock);
1420
1da177e4 1421 switch (sbsec->behavior) {
eb9ae686
DQ		 1422 case SECURITY_FS_USE_NATIVE:
1423 break;
1da177e4 1424 case SECURITY_FS_USE_XATTR:
5d6c3191 1425 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1426 sid = sbsec->def_sid;
1da177e4
LT		 1427 break;
1428 }
1da177e4
LT		 1429 /* Need a dentry, since the xattr API requires one.
1430 Life would be simpler if we could just pass the inode. */
1431 if (opt_dentry) {
1432 /* Called from d_instantiate or d_splice_alias. */
1433 dentry = dget(opt_dentry);
1434 } else {
b127125d
AV		 1435 /*
1436 * Called from selinux_complete_init, try to find a dentry.
1437 * Some filesystems really want a connected one, so try
1438 * that first. We could split SECURITY_FS_USE_XATTR in
1439 * two, depending upon that...
1440 */
1da177e4 1441 dentry = d_find_alias(inode);
b127125d
AV		 1442 if (!dentry)
1443 dentry = d_find_any_alias(inode);
1da177e4
LT		 1444 }
1445 if (!dentry) {
df7f54c0
EP		 1446 /*
1447 * this is can be hit on boot when a file is accessed
1448 * before the policy is loaded. When we load policy we
1449 * may find inodes that have no dentry on the
1450 * sbsec->isec_head list. No reason to complain as these
1451 * will get fixed up the next time we go through
1452 * inode_doinit with a dentry, before these inodes could
1453 * be used again by userspace.
1454 */
9287aed2 1455 goto out;
1da177e4
LT		 1456 }
1457
1458 len = INITCONTEXTLEN;
4cb912f1 1459 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1460 if (!context) {
1461 rc = -ENOMEM;
1462 dput(dentry);
9287aed2 1463 goto out;
1da177e4 1464 }
4cb912f1 1465 context[len] = '\0';
5d6c3191 1466 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1467 if (rc == -ERANGE) {
314dabb8
JM		 1468 kfree(context);
1469
1da177e4 1470 /* Need a larger buffer. Query for the right size. */
5d6c3191 1471 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1472 if (rc < 0) {
1473 dput(dentry);
9287aed2 1474 goto out;
1da177e4 1475 }
1da177e4 1476 len = rc;
4cb912f1 1477 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1478 if (!context) {
1479 rc = -ENOMEM;
1480 dput(dentry);
9287aed2 1481 goto out;
1da177e4 1482 }
4cb912f1 1483 context[len] = '\0';
5d6c3191 1484 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1485 }
1486 dput(dentry);
1487 if (rc < 0) {
1488 if (rc != -ENODATA) {
c103a91e 1489 pr_warn("SELinux: %s: getxattr returned "
dd6f953a 1490 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1491 -rc, inode->i_sb->s_id, inode->i_ino);
1492 kfree(context);
9287aed2 1493 goto out;
1da177e4
LT		 1494 }
1495 /* Map ENODATA to the default file SID */
1496 sid = sbsec->def_sid;
1497 rc = 0;
1498 } else {
aa8e712c
SS		 1499 rc = security_context_to_sid_default(&selinux_state,
1500 context, rc, &sid,
869ab514
SS		 1501 sbsec->def_sid,
1502 GFP_NOFS);
1da177e4 1503 if (rc) {
4ba0a8ad
EP		 1504 char *dev = inode->i_sb->s_id;
1505 unsigned long ino = inode->i_ino;
1506
1507 if (rc == -EINVAL) {
1508 if (printk_ratelimit())
c103a91e 1509 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
4ba0a8ad
EP		 1510 "context=%s. This indicates you may need to relabel the inode or the "
1511 "filesystem in question.\n", ino, dev, context);
1512 } else {
c103a91e 1513 pr_warn("SELinux: %s: context_to_sid(%s) "
4ba0a8ad
EP		 1514 "returned %d for dev=%s ino=%ld\n",
1515 __func__, context, -rc, dev, ino);
1516 }
1da177e4
LT		 1517 kfree(context);
1518 /* Leave with the unlabeled SID */
1519 rc = 0;
1520 break;
1521 }
1522 }
1523 kfree(context);
1da177e4
LT		 1524 break;
1525 case SECURITY_FS_USE_TASK:
9287aed2 1526 sid = task_sid;
1da177e4
LT		 1527 break;
1528 case SECURITY_FS_USE_TRANS:
1529 /* Default to the fs SID. */
9287aed2 1530 sid = sbsec->sid;
1da177e4
LT		 1531
1532 /* Try to obtain a transition SID. */
aa8e712c
SS		 1533 rc = security_transition_sid(&selinux_state, task_sid, sid,
1534 sclass, NULL, &sid);
1da177e4 1535 if (rc)
9287aed2 1536 goto out;
1da177e4 1537 break;
c312feb2 1538 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1539 sid = sbsec->mntpoint_sid;
c312feb2 1540 break;
1da177e4 1541 default:
c312feb2 1542 /* Default to the fs superblock SID. */
9287aed2 1543 sid = sbsec->sid;
1da177e4 1544
134509d5 1545 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1546 /* We must have a dentry to determine the label on
1547 * procfs inodes */
b127125d 1548 if (opt_dentry) {
f64410ec
PM		 1549 /* Called from d_instantiate or
1550 * d_splice_alias. */
1551 dentry = dget(opt_dentry);
b127125d 1552 } else {
f64410ec 1553 /* Called from selinux_complete_init, try to
b127125d
AV		 1554 * find a dentry. Some filesystems really want
1555 * a connected one, so try that first.
1556 */
f64410ec 1557 dentry = d_find_alias(inode);
b127125d
AV		 1558 if (!dentry)
1559 dentry = d_find_any_alias(inode);
1560 }
f64410ec
PM		 1561 /*
1562 * This can be hit on boot when a file is accessed
1563 * before the policy is loaded. When we load policy we
1564 * may find inodes that have no dentry on the
1565 * sbsec->isec_head list. No reason to complain as
1566 * these will get fixed up the next time we go through
1567 * inode_doinit() with a dentry, before these inodes
1568 * could be used again by userspace.
1569 */
1570 if (!dentry)
9287aed2
AG		 1571 goto out;
1572 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1573 sbsec->flags, &sid);
f64410ec
PM		 1574 dput(dentry);
1575 if (rc)
9287aed2 1576 goto out;
1da177e4
LT		 1577 }
1578 break;
1579 }
1580
9287aed2
AG		 1581out:
1582 spin_lock(&isec->lock);
1583 if (isec->initialized == LABEL_PENDING) {
1584 if (!sid || rc) {
1585 isec->initialized = LABEL_INVALID;
1586 goto out_unlock;
1587 }
1588
1589 isec->initialized = LABEL_INITIALIZED;
1590 isec->sid = sid;
1591 }
1da177e4 1592
23970741 1593out_unlock:
9287aed2 1594 spin_unlock(&isec->lock);
1da177e4
LT		 1595 return rc;
1596}
1597
1598/* Convert a Linux signal to an access vector. */
1599static inline u32 signal_to_av(int sig)
1600{
1601 u32 perm = 0;
1602
1603 switch (sig) {
1604 case SIGCHLD:
1605 /* Commonly granted from child to parent. */
1606 perm = PROCESS__SIGCHLD;
1607 break;
1608 case SIGKILL:
1609 /* Cannot be caught or ignored */
1610 perm = PROCESS__SIGKILL;
1611 break;
1612 case SIGSTOP:
1613 /* Cannot be caught or ignored */
1614 perm = PROCESS__SIGSTOP;
1615 break;
1616 default:
1617 /* All other signals. */
1618 perm = PROCESS__SIGNAL;
1619 break;
1620 }
1621
1622 return perm;
1623}
1624
b68e418c
SS		 1625#if CAP_LAST_CAP > 63
1626#error Fix SELinux to handle capabilities > 63.
1627#endif
1628
1da177e4 1629/* Check whether a task is allowed to use a capability. */
6a9de491 1630static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1631 int cap, int audit, bool initns)
1da177e4 1632{
2bf49690 1633 struct common_audit_data ad;
06112163 1634 struct av_decision avd;
b68e418c 1635 u16 sclass;
3699c53c 1636 u32 sid = cred_sid(cred);
b68e418c 1637 u32 av = CAP_TO_MASK(cap);
06112163 1638 int rc;
1da177e4 1639
50c205f5 1640 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1641 ad.u.cap = cap;
1642
b68e418c
SS		 1643 switch (CAP_TO_INDEX(cap)) {
1644 case 0:
8e4ff6f2 1645 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1646 break;
1647 case 1:
8e4ff6f2 1648 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1649 break;
1650 default:
c103a91e 1651 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1652 BUG();
a35c6c83 1653 return -EINVAL;
b68e418c 1654 }
06112163 1655
6b6bc620
SS		 1656 rc = avc_has_perm_noaudit(&selinux_state,
1657 sid, sid, sclass, av, 0, &avd);
9ade0cf4 1658 if (audit == SECURITY_CAP_AUDIT) {
6b6bc620
SS		 1659 int rc2 = avc_audit(&selinux_state,
1660 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1661 if (rc2)
1662 return rc2;
1663 }
06112163 1664 return rc;
1da177e4
LT		 1665}
1666
1da177e4
LT		 1667/* Check whether a task has a particular permission to an inode.
1668 The 'adp' parameter is optional and allows other audit
1669 data to be passed (e.g. the dentry). */
88e67f3b 1670static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1671 struct inode *inode,
1672 u32 perms,
19e49834 1673 struct common_audit_data *adp)
1da177e4 1674{
1da177e4 1675 struct inode_security_struct *isec;
275bb41e 1676 u32 sid;
1da177e4 1677
e0e81739
DH		 1678 validate_creds(cred);
1679
828dfe1d 1680 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1681 return 0;
1682
88e67f3b 1683 sid = cred_sid(cred);
1da177e4
LT		 1684 isec = inode->i_security;
1685
6b6bc620
SS		 1686 return avc_has_perm(&selinux_state,
1687 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1688}
1689
1690/* Same as inode_has_perm, but pass explicit audit data containing
1691 the dentry to help the auditing code to more easily generate the
1692 pathname if needed. */
88e67f3b 1693static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1694 struct dentry *dentry,
1695 u32 av)
1696{
c6f493d6 1697 struct inode *inode = d_backing_inode(dentry);
2bf49690 1698 struct common_audit_data ad;
88e67f3b 1699
50c205f5 1700 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1701 ad.u.dentry = dentry;
5d226df4 1702 __inode_security_revalidate(inode, dentry, true);
19e49834 1703 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1704}
1705
1706/* Same as inode_has_perm, but pass explicit audit data containing
1707 the path to help the auditing code to more easily generate the
1708 pathname if needed. */
1709static inline int path_has_perm(const struct cred *cred,
3f7036a0 1710 const struct path *path,
2875fa00
EP		 1711 u32 av)
1712{
c6f493d6 1713 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1714 struct common_audit_data ad;
1715
50c205f5 1716 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1717 ad.u.path = *path;
5d226df4 1718 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1719 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1720}
1721
13f8e981
DH		 1722/* Same as path_has_perm, but uses the inode from the file struct. */
1723static inline int file_path_has_perm(const struct cred *cred,
1724 struct file *file,
1725 u32 av)
1726{
1727 struct common_audit_data ad;
1728
43af5de7
VG		 1729 ad.type = LSM_AUDIT_DATA_FILE;
1730 ad.u.file = file;
19e49834 1731 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1732}
1733
f66e448c
CF		 1734#ifdef CONFIG_BPF_SYSCALL
1735static int bpf_fd_pass(struct file *file, u32 sid);
1736#endif
1737
1da177e4
LT		 1738/* Check whether a task can use an open file descriptor to
1739 access an inode in a given way. Check access to the
1740 descriptor itself, and then use dentry_has_perm to
1741 check a particular permission to the file.
1742 Access to the descriptor is implicitly granted if it
1743 has the same SID as the process. If av is zero, then
1744 access to the file is not checked, e.g. for cases
1745 where only the descriptor is affected like seek. */
88e67f3b
DH		 1746static int file_has_perm(const struct cred *cred,
1747 struct file *file,
1748 u32 av)
1da177e4 1749{
1da177e4 1750 struct file_security_struct *fsec = file->f_security;
496ad9aa 1751 struct inode *inode = file_inode(file);
2bf49690 1752 struct common_audit_data ad;
88e67f3b 1753 u32 sid = cred_sid(cred);
1da177e4
LT		 1754 int rc;
1755
43af5de7
VG		 1756 ad.type = LSM_AUDIT_DATA_FILE;
1757 ad.u.file = file;
1da177e4 1758
275bb41e 1759 if (sid != fsec->sid) {
6b6bc620
SS		 1760 rc = avc_has_perm(&selinux_state,
1761 sid, fsec->sid,
1da177e4
LT		 1762 SECCLASS_FD,
1763 FD__USE,
1764 &ad);
1765 if (rc)
88e67f3b 1766 goto out;
1da177e4
LT		 1767 }
1768
f66e448c
CF		 1769#ifdef CONFIG_BPF_SYSCALL
1770 rc = bpf_fd_pass(file, cred_sid(cred));
1771 if (rc)
1772 return rc;
1773#endif
1774
1da177e4 1775 /* av is zero if only checking access to the descriptor. */
88e67f3b 1776 rc = 0;
1da177e4 1777 if (av)
19e49834 1778 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1779
88e67f3b
DH		 1780out:
1781 return rc;
1da177e4
LT		 1782}
1783
c3c188b2
DH		 1784/*
1785 * Determine the label for an inode that might be unioned.
1786 */
c957f6df
VG		 1787static int
1788selinux_determine_inode_label(const struct task_security_struct *tsec,
1789 struct inode *dir,
1790 const struct qstr *name, u16 tclass,
1791 u32 *_new_isid)
c3c188b2
DH		 1792{
1793 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1794
1795 if ((sbsec->flags & SE_SBINITIALIZED) &&
1796 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1797 *_new_isid = sbsec->mntpoint_sid;
1798 } else if ((sbsec->flags & SBLABEL_MNT) &&
1799 tsec->create_sid) {
1800 *_new_isid = tsec->create_sid;
1801 } else {
20cdef8d 1802 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1803 return security_transition_sid(&selinux_state, tsec->sid,
1804 dsec->sid, tclass,
c3c188b2
DH		 1805 name, _new_isid);
1806 }
1807
1808 return 0;
1809}
1810
1da177e4
LT		 1811/* Check whether a task can create a file. */
1812static int may_create(struct inode *dir,
1813 struct dentry *dentry,
1814 u16 tclass)
1815{
5fb49870 1816 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1817 struct inode_security_struct *dsec;
1818 struct superblock_security_struct *sbsec;
275bb41e 1819 u32 sid, newsid;
2bf49690 1820 struct common_audit_data ad;
1da177e4
LT		 1821 int rc;
1822
83da53c5 1823 dsec = inode_security(dir);
1da177e4
LT		 1824 sbsec = dir->i_sb->s_security;
1825
275bb41e 1826 sid = tsec->sid;
275bb41e 1827
50c205f5 1828 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1829 ad.u.dentry = dentry;
1da177e4 1830
6b6bc620
SS		 1831 rc = avc_has_perm(&selinux_state,
1832 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1833 DIR__ADD_NAME | DIR__SEARCH,
1834 &ad);
1835 if (rc)
1836 return rc;
1837
c957f6df
VG		 1838 rc = selinux_determine_inode_label(current_security(), dir,
1839 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1840 if (rc)
1841 return rc;
1da177e4 1842
6b6bc620
SS		 1843 rc = avc_has_perm(&selinux_state,
1844 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1845 if (rc)
1846 return rc;
1847
6b6bc620
SS		 1848 return avc_has_perm(&selinux_state,
1849 newsid, sbsec->sid,
1da177e4
LT		 1850 SECCLASS_FILESYSTEM,
1851 FILESYSTEM__ASSOCIATE, &ad);
1852}
1853
828dfe1d
EP		 1854#define MAY_LINK 0
1855#define MAY_UNLINK 1
1856#define MAY_RMDIR 2
1da177e4
LT		 1857
1858/* Check whether a task can link, unlink, or rmdir a file/directory. */
1859static int may_link(struct inode *dir,
1860 struct dentry *dentry,
1861 int kind)
1862
1863{
1da177e4 1864 struct inode_security_struct *dsec, *isec;
2bf49690 1865 struct common_audit_data ad;
275bb41e 1866 u32 sid = current_sid();
1da177e4
LT		 1867 u32 av;
1868 int rc;
1869
83da53c5
AG		 1870 dsec = inode_security(dir);
1871 isec = backing_inode_security(dentry);
1da177e4 1872
50c205f5 1873 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1874 ad.u.dentry = dentry;
1da177e4
LT		 1875
1876 av = DIR__SEARCH;
1877 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1878 rc = avc_has_perm(&selinux_state,
1879 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1880 if (rc)
1881 return rc;
1882
1883 switch (kind) {
1884 case MAY_LINK:
1885 av = FILE__LINK;
1886 break;
1887 case MAY_UNLINK:
1888 av = FILE__UNLINK;
1889 break;
1890 case MAY_RMDIR:
1891 av = DIR__RMDIR;
1892 break;
1893 default:
c103a91e 1894 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1895 __func__, kind);
1da177e4
LT		 1896 return 0;
1897 }
1898
6b6bc620
SS		 1899 rc = avc_has_perm(&selinux_state,
1900 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1901 return rc;
1902}
1903
1904static inline int may_rename(struct inode *old_dir,
1905 struct dentry *old_dentry,
1906 struct inode *new_dir,
1907 struct dentry *new_dentry)
1908{
1da177e4 1909 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1910 struct common_audit_data ad;
275bb41e 1911 u32 sid = current_sid();
1da177e4
LT		 1912 u32 av;
1913 int old_is_dir, new_is_dir;
1914 int rc;
1915
83da53c5
AG		 1916 old_dsec = inode_security(old_dir);
1917 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1918 old_is_dir = d_is_dir(old_dentry);
83da53c5 1919 new_dsec = inode_security(new_dir);
1da177e4 1920
50c205f5 1921 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1922
a269434d 1923 ad.u.dentry = old_dentry;
6b6bc620
SS		 1924 rc = avc_has_perm(&selinux_state,
1925 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1926 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1927 if (rc)
1928 return rc;
6b6bc620
SS		 1929 rc = avc_has_perm(&selinux_state,
1930 sid, old_isec->sid,
1da177e4
LT		 1931 old_isec->sclass, FILE__RENAME, &ad);
1932 if (rc)
1933 return rc;
1934 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1935 rc = avc_has_perm(&selinux_state,
1936 sid, old_isec->sid,
1da177e4
LT		 1937 old_isec->sclass, DIR__REPARENT, &ad);
1938 if (rc)
1939 return rc;
1940 }
1941
a269434d 1942 ad.u.dentry = new_dentry;
1da177e4 1943 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1944 if (d_is_positive(new_dentry))
1da177e4 1945 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1946 rc = avc_has_perm(&selinux_state,
1947 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1948 if (rc)
1949 return rc;
2c616d4d 1950 if (d_is_positive(new_dentry)) {
83da53c5 1951 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1952 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1953 rc = avc_has_perm(&selinux_state,
1954 sid, new_isec->sid,
1da177e4
LT		 1955 new_isec->sclass,
1956 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1957 if (rc)
1958 return rc;
1959 }
1960
1961 return 0;
1962}
1963
1964/* Check whether a task can perform a filesystem operation. */
88e67f3b 1965static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1966 struct super_block *sb,
1967 u32 perms,
2bf49690 1968 struct common_audit_data *ad)
1da177e4 1969{
1da177e4 1970 struct superblock_security_struct *sbsec;
88e67f3b 1971 u32 sid = cred_sid(cred);
1da177e4 1972
1da177e4 1973 sbsec = sb->s_security;
6b6bc620
SS		 1974 return avc_has_perm(&selinux_state,
1975 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1976}
1977
1978/* Convert a Linux mode and permission mask to an access vector. */
1979static inline u32 file_mask_to_av(int mode, int mask)
1980{
1981 u32 av = 0;
1982
dba19c60 1983 if (!S_ISDIR(mode)) {
1da177e4
LT		 1984 if (mask & MAY_EXEC)
1985 av |= FILE__EXECUTE;
1986 if (mask & MAY_READ)
1987 av |= FILE__READ;
1988
1989 if (mask & MAY_APPEND)
1990 av |= FILE__APPEND;
1991 else if (mask & MAY_WRITE)
1992 av |= FILE__WRITE;
1993
1994 } else {
1995 if (mask & MAY_EXEC)
1996 av |= DIR__SEARCH;
1997 if (mask & MAY_WRITE)
1998 av |= DIR__WRITE;
1999 if (mask & MAY_READ)
2000 av |= DIR__READ;
2001 }
2002
2003 return av;
2004}
2005
8b6a5a37
EP		 2006/* Convert a Linux file to an access vector. */
2007static inline u32 file_to_av(struct file *file)
2008{
2009 u32 av = 0;
2010
2011 if (file->f_mode & FMODE_READ)
2012 av |= FILE__READ;
2013 if (file->f_mode & FMODE_WRITE) {
2014 if (file->f_flags & O_APPEND)
2015 av |= FILE__APPEND;
2016 else
2017 av |= FILE__WRITE;
2018 }
2019 if (!av) {
2020 /*
2021 * Special file opened with flags 3 for ioctl-only use.
2022 */
2023 av = FILE__IOCTL;
2024 }
2025
2026 return av;
2027}
2028
b0c636b9 2029/*
8b6a5a37 2030 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2031 * open permission.
2032 */
8b6a5a37 2033static inline u32 open_file_to_av(struct file *file)
b0c636b9 2034{
8b6a5a37 2035 u32 av = file_to_av(file);
ccb54478 2036 struct inode *inode = file_inode(file);
b0c636b9 2037
aa8e712c
SS		 2038 if (selinux_policycap_openperm() &&
2039 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2040 av |= FILE__OPEN;
2041
b0c636b9
EP		 2042 return av;
2043}
2044
1da177e4
LT		 2045/* Hook functions begin here. */
2046
79af7307
SS		 2047static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2048{
2049 u32 mysid = current_sid();
2050 u32 mgrsid = task_sid(mgr);
2051
6b6bc620
SS		 2052 return avc_has_perm(&selinux_state,
2053 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2054 BINDER__SET_CONTEXT_MGR, NULL);
2055}
2056
2057static int selinux_binder_transaction(struct task_struct *from,
2058 struct task_struct *to)
2059{
2060 u32 mysid = current_sid();
2061 u32 fromsid = task_sid(from);
2062 u32 tosid = task_sid(to);
2063 int rc;
2064
2065 if (mysid != fromsid) {
6b6bc620
SS		 2066 rc = avc_has_perm(&selinux_state,
2067 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2068 BINDER__IMPERSONATE, NULL);
2069 if (rc)
2070 return rc;
2071 }
2072
6b6bc620
SS		 2073 return avc_has_perm(&selinux_state,
2074 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2075 NULL);
2076}
2077
2078static int selinux_binder_transfer_binder(struct task_struct *from,
2079 struct task_struct *to)
2080{
2081 u32 fromsid = task_sid(from);
2082 u32 tosid = task_sid(to);
2083
6b6bc620
SS		 2084 return avc_has_perm(&selinux_state,
2085 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2086 NULL);
2087}
2088
2089static int selinux_binder_transfer_file(struct task_struct *from,
2090 struct task_struct *to,
2091 struct file *file)
2092{
2093 u32 sid = task_sid(to);
2094 struct file_security_struct *fsec = file->f_security;
83da53c5 2095 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2096 struct inode_security_struct *isec;
79af7307
SS		 2097 struct common_audit_data ad;
2098 int rc;
2099
2100 ad.type = LSM_AUDIT_DATA_PATH;
2101 ad.u.path = file->f_path;
2102
2103 if (sid != fsec->sid) {
6b6bc620
SS		 2104 rc = avc_has_perm(&selinux_state,
2105 sid, fsec->sid,
79af7307
SS		 2106 SECCLASS_FD,
2107 FD__USE,
2108 &ad);
2109 if (rc)
2110 return rc;
2111 }
2112
f66e448c
CF		 2113#ifdef CONFIG_BPF_SYSCALL
2114 rc = bpf_fd_pass(file, sid);
2115 if (rc)
2116 return rc;
2117#endif
2118
83da53c5 2119 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2120 return 0;
2121
20cdef8d 2122 isec = backing_inode_security(dentry);
6b6bc620
SS		 2123 return avc_has_perm(&selinux_state,
2124 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2125 &ad);
2126}
2127
9e48858f 2128static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2129 unsigned int mode)
1da177e4 2130{
be0554c9
SS		 2131 u32 sid = current_sid();
2132 u32 csid = task_sid(child);
2133
2134 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2135 return avc_has_perm(&selinux_state,
2136 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2137
6b6bc620
SS		 2138 return avc_has_perm(&selinux_state,
2139 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2140}
2141
2142static int selinux_ptrace_traceme(struct task_struct *parent)
2143{
6b6bc620
SS		 2144 return avc_has_perm(&selinux_state,
2145 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2146 PROCESS__PTRACE, NULL);
1da177e4
LT		 2147}
2148
2149static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2150 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2151{
6b6bc620
SS		 2152 return avc_has_perm(&selinux_state,
2153 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2154 PROCESS__GETCAP, NULL);
1da177e4
LT		 2155}
2156
d84f4f99
DH		 2157static int selinux_capset(struct cred *new, const struct cred *old,
2158 const kernel_cap_t *effective,
2159 const kernel_cap_t *inheritable,
2160 const kernel_cap_t *permitted)
1da177e4 2161{
6b6bc620
SS		 2162 return avc_has_perm(&selinux_state,
2163 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2164 PROCESS__SETCAP, NULL);
1da177e4
LT		 2165}
2166
5626d3e8
JM		 2167/*
2168 * (This comment used to live with the selinux_task_setuid hook,
2169 * which was removed).
2170 *
2171 * Since setuid only affects the current process, and since the SELinux
2172 * controls are not based on the Linux identity attributes, SELinux does not
2173 * need to control this operation. However, SELinux does control the use of
2174 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2175 */
2176
6a9de491
EP		 2177static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2178 int cap, int audit)
1da177e4 2179{
8e4ff6f2 2180 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2181}
2182
1da177e4
LT		 2183static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2184{
88e67f3b 2185 const struct cred *cred = current_cred();
1da177e4
LT		 2186 int rc = 0;
2187
2188 if (!sb)
2189 return 0;
2190
2191 switch (cmds) {
828dfe1d
EP		 2192 case Q_SYNC:
2193 case Q_QUOTAON:
2194 case Q_QUOTAOFF:
2195 case Q_SETINFO:
2196 case Q_SETQUOTA:
88e67f3b 2197 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2198 break;
2199 case Q_GETFMT:
2200 case Q_GETINFO:
2201 case Q_GETQUOTA:
88e67f3b 2202 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2203 break;
2204 default:
2205 rc = 0; /* let the kernel handle invalid cmds */
2206 break;
1da177e4
LT		 2207 }
2208 return rc;
2209}
2210
2211static int selinux_quota_on(struct dentry *dentry)
2212{
88e67f3b
DH		 2213 const struct cred *cred = current_cred();
2214
2875fa00 2215 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2216}
2217
12b3052c 2218static int selinux_syslog(int type)
1da177e4 2219{
1da177e4 2220 switch (type) {
d78ca3cd
KC		 2221 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2222 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2223 return avc_has_perm(&selinux_state,
2224 current_sid(), SECINITSID_KERNEL,
be0554c9 2225 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2226 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2227 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2228 /* Set level of messages printed to console */
2229 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2230 return avc_has_perm(&selinux_state,
2231 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2232 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2233 NULL);
1da177e4 2234 }
be0554c9 2235 /* All other syslog types */
6b6bc620
SS		 2236 return avc_has_perm(&selinux_state,
2237 current_sid(), SECINITSID_KERNEL,
be0554c9 2238 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2239}
2240
2241/*
2242 * Check that a process has enough memory to allocate a new virtual
2243 * mapping. 0 means there is enough memory for the allocation to
2244 * succeed and -ENOMEM implies there is not.
2245 *
1da177e4
LT		 2246 * Do not audit the selinux permission check, as this is applied to all
2247 * processes that allocate mappings.
2248 */
34b4e4aa 2249static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2250{
2251 int rc, cap_sys_admin = 0;
1da177e4 2252
b1d9e6b0 2253 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2254 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2255 if (rc == 0)
2256 cap_sys_admin = 1;
2257
b1d9e6b0 2258 return cap_sys_admin;
1da177e4
LT		 2259}
2260
2261/* binprm security operations */
2262
be0554c9 2263static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2264{
2265 u32 sid = 0;
2266 struct task_struct *tracer;
2267
2268 rcu_read_lock();
be0554c9 2269 tracer = ptrace_parent(current);
0c6181cb
PM		 2270 if (tracer)
2271 sid = task_sid(tracer);
2272 rcu_read_unlock();
2273
2274 return sid;
2275}
2276
7b0d0b40
SS		 2277static int check_nnp_nosuid(const struct linux_binprm *bprm,
2278 const struct task_security_struct *old_tsec,
2279 const struct task_security_struct *new_tsec)
2280{
2281 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2282 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2283 int rc;
af63f419 2284 u32 av;
7b0d0b40
SS		 2285
2286 if (!nnp && !nosuid)
2287 return 0; /* neither NNP nor nosuid */
2288
2289 if (new_tsec->sid == old_tsec->sid)
2290 return 0; /* No change in credentials */
2291
2292 /*
af63f419
SS		 2293 * If the policy enables the nnp_nosuid_transition policy capability,
2294 * then we permit transitions under NNP or nosuid if the
2295 * policy allows the corresponding permission between
2296 * the old and new contexts.
7b0d0b40 2297 */
aa8e712c 2298 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2299 av = 0;
7b0d0b40 2300 if (nnp)
af63f419
SS		 2301 av |= PROCESS2__NNP_TRANSITION;
2302 if (nosuid)
2303 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2304 rc = avc_has_perm(&selinux_state,
2305 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2306 SECCLASS_PROCESS2, av, NULL);
2307 if (!rc)
2308 return 0;
7b0d0b40 2309 }
af63f419
SS		 2310
2311 /*
2312 * We also permit NNP or nosuid transitions to bounded SIDs,
2313 * i.e. SIDs that are guaranteed to only be allowed a subset
2314 * of the permissions of the current SID.
2315 */
aa8e712c
SS		 2316 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2317 new_tsec->sid);
af63f419
SS		 2318 if (!rc)
2319 return 0;
2320
2321 /*
2322 * On failure, preserve the errno values for NNP vs nosuid.
2323 * NNP: Operation not permitted for caller.
2324 * nosuid: Permission denied to file.
2325 */
2326 if (nnp)
2327 return -EPERM;
2328 return -EACCES;
7b0d0b40
SS		 2329}
2330
a6f76f23 2331static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2332{
a6f76f23
DH		 2333 const struct task_security_struct *old_tsec;
2334 struct task_security_struct *new_tsec;
1da177e4 2335 struct inode_security_struct *isec;
2bf49690 2336 struct common_audit_data ad;
496ad9aa 2337 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2338 int rc;
2339
a6f76f23
DH		 2340 /* SELinux context only depends on initial program or script and not
2341 * the script interpreter */
ddb4a144 2342 if (bprm->called_set_creds)
1da177e4
LT		 2343 return 0;
2344
a6f76f23
DH		 2345 old_tsec = current_security();
2346 new_tsec = bprm->cred->security;
83da53c5 2347 isec = inode_security(inode);
1da177e4
LT		 2348
2349 /* Default to the current task SID. */
a6f76f23
DH		 2350 new_tsec->sid = old_tsec->sid;
2351 new_tsec->osid = old_tsec->sid;
1da177e4 2352
28eba5bf 2353 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2354 new_tsec->create_sid = 0;
2355 new_tsec->keycreate_sid = 0;
2356 new_tsec->sockcreate_sid = 0;
1da177e4 2357
a6f76f23
DH		 2358 if (old_tsec->exec_sid) {
2359 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2360 /* Reset exec SID on execve. */
a6f76f23 2361 new_tsec->exec_sid = 0;
259e5e6c 2362
7b0d0b40
SS		 2363 /* Fail on NNP or nosuid if not an allowed transition. */
2364 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2365 if (rc)
2366 return rc;
1da177e4
LT		 2367 } else {
2368 /* Check for a default transition on this program. */
aa8e712c
SS		 2369 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2370 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2371 &new_tsec->sid);
1da177e4
LT		 2372 if (rc)
2373 return rc;
7b0d0b40
SS		 2374
2375 /*
2376 * Fallback to old SID on NNP or nosuid if not an allowed
2377 * transition.
2378 */
2379 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2380 if (rc)
2381 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2382 }
2383
43af5de7
VG		 2384 ad.type = LSM_AUDIT_DATA_FILE;
2385 ad.u.file = bprm->file;
1da177e4 2386
a6f76f23 2387 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2388 rc = avc_has_perm(&selinux_state,
2389 old_tsec->sid, isec->sid,
1da177e4
LT		 2390 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2391 if (rc)
2392 return rc;
2393 } else {
2394 /* Check permissions for the transition. */
6b6bc620
SS		 2395 rc = avc_has_perm(&selinux_state,
2396 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2397 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2398 if (rc)
2399 return rc;
2400
6b6bc620
SS		 2401 rc = avc_has_perm(&selinux_state,
2402 new_tsec->sid, isec->sid,
1da177e4
LT		 2403 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2404 if (rc)
2405 return rc;
2406
a6f76f23
DH		 2407 /* Check for shared state */
2408 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2409 rc = avc_has_perm(&selinux_state,
2410 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2411 SECCLASS_PROCESS, PROCESS__SHARE,
2412 NULL);
2413 if (rc)
2414 return -EPERM;
2415 }
2416
2417 /* Make sure that anyone attempting to ptrace over a task that
2418 * changes its SID has the appropriate permit */
9227dd2a 2419 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2420 u32 ptsid = ptrace_parent_sid();
a6f76f23 2421 if (ptsid != 0) {
6b6bc620
SS		 2422 rc = avc_has_perm(&selinux_state,
2423 ptsid, new_tsec->sid,
a6f76f23
DH		 2424 SECCLASS_PROCESS,
2425 PROCESS__PTRACE, NULL);
2426 if (rc)
2427 return -EPERM;
2428 }
2429 }
1da177e4 2430
a6f76f23
DH		 2431 /* Clear any possibly unsafe personality bits on exec: */
2432 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2433
1da177e4
LT		 2434 /* Enable secure mode for SIDs transitions unless
2435 the noatsecure permission is granted between
2436 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2437 rc = avc_has_perm(&selinux_state,
2438 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2439 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2440 NULL);
2441 bprm->secureexec |= !!rc;
1da177e4
LT		 2442 }
2443
62874c3a 2444 return 0;
1da177e4
LT		 2445}
2446
c3c073f8
AV		 2447static int match_file(const void *p, struct file *file, unsigned fd)
2448{
2449 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2450}
2451
1da177e4 2452/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2453static inline void flush_unauthorized_files(const struct cred *cred,
2454 struct files_struct *files)
1da177e4 2455{
1da177e4 2456 struct file *file, *devnull = NULL;
b20c8122 2457 struct tty_struct *tty;
24ec839c 2458 int drop_tty = 0;
c3c073f8 2459 unsigned n;
1da177e4 2460
24ec839c 2461 tty = get_current_tty();
1da177e4 2462 if (tty) {
4a510969 2463 spin_lock(&tty->files_lock);
37dd0bd0 2464 if (!list_empty(&tty->tty_files)) {
d996b62a 2465 struct tty_file_private *file_priv;
37dd0bd0 2466
1da177e4 2467 /* Revalidate access to controlling tty.
13f8e981
DH		 2468 Use file_path_has_perm on the tty path directly
2469 rather than using file_has_perm, as this particular
2470 open file may belong to another process and we are
2471 only interested in the inode-based check here. */
d996b62a
NP		 2472 file_priv = list_first_entry(&tty->tty_files,
2473 struct tty_file_private, list);
2474 file = file_priv->file;
13f8e981 2475 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2476 drop_tty = 1;
1da177e4 2477 }
4a510969 2478 spin_unlock(&tty->files_lock);
452a00d2 2479 tty_kref_put(tty);
1da177e4 2480 }
98a27ba4
EB		 2481 /* Reset controlling tty. */
2482 if (drop_tty)
2483 no_tty();
1da177e4
LT		 2484
2485 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2486 n = iterate_fd(files, 0, match_file, cred);
2487 if (!n) /* none found? */
2488 return;
1da177e4 2489
c3c073f8 2490 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2491 if (IS_ERR(devnull))
2492 devnull = NULL;
2493 /* replace all the matching ones with this */
2494 do {
2495 replace_fd(n - 1, devnull, 0);
2496 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2497 if (devnull)
c3c073f8 2498 fput(devnull);
1da177e4
LT		 2499}
2500
a6f76f23
DH		 2501/*
2502 * Prepare a process for imminent new credential changes due to exec
2503 */
2504static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2505{
a6f76f23
DH		 2506 struct task_security_struct *new_tsec;
2507 struct rlimit *rlim, *initrlim;
2508 int rc, i;
d84f4f99 2509
a6f76f23
DH		 2510 new_tsec = bprm->cred->security;
2511 if (new_tsec->sid == new_tsec->osid)
2512 return;
1da177e4 2513
a6f76f23
DH		 2514 /* Close files for which the new task SID is not authorized. */
2515 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2516
a6f76f23
DH		 2517 /* Always clear parent death signal on SID transitions. */
2518 current->pdeath_signal = 0;
0356357c 2519
a6f76f23
DH		 2520 /* Check whether the new SID can inherit resource limits from the old
2521 * SID. If not, reset all soft limits to the lower of the current
2522 * task's hard limit and the init task's soft limit.
2523 *
2524 * Note that the setting of hard limits (even to lower them) can be
2525 * controlled by the setrlimit check. The inclusion of the init task's
2526 * soft limit into the computation is to avoid resetting soft limits
2527 * higher than the default soft limit for cases where the default is
2528 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2529 */
6b6bc620
SS		 2530 rc = avc_has_perm(&selinux_state,
2531 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2532 PROCESS__RLIMITINH, NULL);
2533 if (rc) {
eb2d55a3
ON		 2534 /* protect against do_prlimit() */
2535 task_lock(current);
a6f76f23
DH		 2536 for (i = 0; i < RLIM_NLIMITS; i++) {
2537 rlim = current->signal->rlim + i;
2538 initrlim = init_task.signal->rlim + i;
2539 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2540 }
eb2d55a3 2541 task_unlock(current);
baa73d9e
NP		 2542 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2543 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2544 }
2545}
2546
2547/*
a6f76f23
DH		 2548 * Clean up the process immediately after the installation of new credentials
2549 * due to exec
1da177e4 2550 */
a6f76f23 2551static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2552{
a6f76f23 2553 const struct task_security_struct *tsec = current_security();
1da177e4 2554 struct itimerval itimer;
a6f76f23 2555 u32 osid, sid;
1da177e4
LT		 2556 int rc, i;
2557
a6f76f23
DH		 2558 osid = tsec->osid;
2559 sid = tsec->sid;
2560
2561 if (sid == osid)
1da177e4
LT		 2562 return;
2563
a6f76f23
DH		 2564 /* Check whether the new SID can inherit signal state from the old SID.
2565 * If not, clear itimers to avoid subsequent signal generation and
2566 * flush and unblock signals.
2567 *
2568 * This must occur _after_ the task SID has been updated so that any
2569 * kill done after the flush will be checked against the new SID.
2570 */
6b6bc620
SS		 2571 rc = avc_has_perm(&selinux_state,
2572 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2573 if (rc) {
baa73d9e
NP		 2574 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2575 memset(&itimer, 0, sizeof itimer);
2576 for (i = 0; i < 3; i++)
2577 do_setitimer(i, &itimer, NULL);
2578 }
1da177e4 2579 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2580 if (!fatal_signal_pending(current)) {
2581 flush_sigqueue(&current->pending);
2582 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2583 flush_signal_handlers(current, 1);
2584 sigemptyset(&current->blocked);
9e7c8f8c 2585 recalc_sigpending();
3bcac026 2586 }
1da177e4
LT		 2587 spin_unlock_irq(&current->sighand->siglock);
2588 }
2589
a6f76f23
DH		 2590 /* Wake up the parent if it is waiting so that it can recheck
2591 * wait permission to the new task SID. */
ecd6de3c 2592 read_lock(&tasklist_lock);
0b7570e7 2593 __wake_up_parent(current, current->real_parent);
ecd6de3c 2594 read_unlock(&tasklist_lock);
1da177e4
LT		 2595}
2596
2597/* superblock security operations */
2598
2599static int selinux_sb_alloc_security(struct super_block *sb)
2600{
2601 return superblock_alloc_security(sb);
2602}
2603
2604static void selinux_sb_free_security(struct super_block *sb)
2605{
2606 superblock_free_security(sb);
2607}
2608
2609static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2610{
2611 if (plen > olen)
2612 return 0;
2613
2614 return !memcmp(prefix, option, plen);
2615}
2616
2617static inline int selinux_option(char *option, int len)
2618{
832cbd9a
EP		 2619 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2620 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2621 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2622 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2623 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2624}
2625
2626static inline void take_option(char **to, char *from, int *first, int len)
2627{
2628 if (!*first) {
2629 **to = ',';
2630 *to += 1;
3528a953 2631 } else
1da177e4
LT		 2632 *first = 0;
2633 memcpy(*to, from, len);
2634 *to += len;
2635}
2636
828dfe1d
EP		 2637static inline void take_selinux_option(char **to, char *from, int *first,
2638 int len)
3528a953
CO		 2639{
2640 int current_size = 0;
2641
2642 if (!*first) {
2643 **to = '|';
2644 *to += 1;
828dfe1d 2645 } else
3528a953
CO		 2646 *first = 0;
2647
2648 while (current_size < len) {
2649 if (*from != '"') {
2650 **to = *from;
2651 *to += 1;
2652 }
2653 from += 1;
2654 current_size += 1;
2655 }
2656}
2657
e0007529 2658static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2659{
2660 int fnosec, fsec, rc = 0;
2661 char *in_save, *in_curr, *in_end;
2662 char *sec_curr, *nosec_save, *nosec;
3528a953 2663 int open_quote = 0;
1da177e4
LT		 2664
2665 in_curr = orig;
2666 sec_curr = copy;
2667
1da177e4
LT		 2668 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2669 if (!nosec) {
2670 rc = -ENOMEM;
2671 goto out;
2672 }
2673
2674 nosec_save = nosec;
2675 fnosec = fsec = 1;
2676 in_save = in_end = orig;
2677
2678 do {
3528a953
CO		 2679 if (*in_end == '"')
2680 open_quote = !open_quote;
2681 if ((*in_end == ',' && open_quote == 0) ||
2682 *in_end == '\0') {
1da177e4
LT		 2683 int len = in_end - in_curr;
2684
2685 if (selinux_option(in_curr, len))
3528a953 2686 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2687 else
2688 take_option(&nosec, in_curr, &fnosec, len);
2689
2690 in_curr = in_end + 1;
2691 }
2692 } while (*in_end++);
2693
6931dfc9 2694 strcpy(in_save, nosec_save);
da3caa20 2695 free_page((unsigned long)nosec_save);
1da177e4
LT		 2696out:
2697 return rc;
2698}
2699
204cc0cc 2700static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
5b400239
AV		 2701{
2702 char *s = (char *)get_zeroed_page(GFP_KERNEL);
2703 int err;
2704
2705 if (!s)
2706 return -ENOMEM;
2707 err = selinux_sb_copy_data(options, s);
2708 if (!err)
204cc0cc 2709 err = selinux_parse_opts_str(s, mnt_opts);
5b400239
AV		 2710 free_page((unsigned long)s);
2711 return err;
2712}
2713
204cc0cc 2714static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2715{
bd323655 2716 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2717 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2718 u32 sid;
2719 int rc;
026eb167
EP		 2720
2721 if (!(sbsec->flags & SE_SBINITIALIZED))
2722 return 0;
2723
204cc0cc
AV		 2724 if (!opts)
2725 return 0;
2726
bd323655
AV		 2727 if (opts->fscontext) {
2728 rc = parse_sid(sb, opts->fscontext, &sid);
2729 if (rc)
c039bc3c 2730 return rc;
bd323655
AV		 2731 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2732 goto out_bad_option;
2733 }
2734 if (opts->context) {
2735 rc = parse_sid(sb, opts->context, &sid);
2736 if (rc)
2737 return rc;
2738 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2739 goto out_bad_option;
2740 }
2741 if (opts->rootcontext) {
2742 struct inode_security_struct *root_isec;
2743 root_isec = backing_inode_security(sb->s_root);
2744 rc = parse_sid(sb, opts->rootcontext, &sid);
2745 if (rc)
2746 return rc;
2747 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2748 goto out_bad_option;
2749 }
2750 if (opts->defcontext) {
2751 rc = parse_sid(sb, opts->defcontext, &sid);
2752 if (rc)
2753 return rc;
2754 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2755 goto out_bad_option;
026eb167 2756 }
c039bc3c 2757 return 0;
026eb167 2758
026eb167 2759out_bad_option:
c103a91e 2760 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2761 "during remount (dev %s, type=%s)\n", sb->s_id,
2762 sb->s_type->name);
c039bc3c 2763 return -EINVAL;
026eb167
EP		 2764}
2765
a10d7c22 2766static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2767{
88e67f3b 2768 const struct cred *cred = current_cred();
2bf49690 2769 struct common_audit_data ad;
74192246 2770
50c205f5 2771 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2772 ad.u.dentry = sb->s_root;
88e67f3b 2773 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2774}
2775
726c3342 2776static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2777{
88e67f3b 2778 const struct cred *cred = current_cred();
2bf49690 2779 struct common_audit_data ad;
1da177e4 2780
50c205f5 2781 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2782 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2783 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2784}
2785
808d4e3c 2786static int selinux_mount(const char *dev_name,
8a04c43b 2787 const struct path *path,
808d4e3c 2788 const char *type,
828dfe1d
EP		 2789 unsigned long flags,
2790 void *data)
1da177e4 2791{
88e67f3b 2792 const struct cred *cred = current_cred();
1da177e4
LT		 2793
2794 if (flags & MS_REMOUNT)
d8c9584e 2795 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2796 FILESYSTEM__REMOUNT, NULL);
1da177e4 2797 else
2875fa00 2798 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2799}
2800
2801static int selinux_umount(struct vfsmount *mnt, int flags)
2802{
88e67f3b 2803 const struct cred *cred = current_cred();
1da177e4 2804
88e67f3b 2805 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2806 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2807}
2808
2809/* inode security operations */
2810
2811static int selinux_inode_alloc_security(struct inode *inode)
2812{
2813 return inode_alloc_security(inode);
2814}
2815
2816static void selinux_inode_free_security(struct inode *inode)
2817{
2818 inode_free_security(inode);
2819}
2820
d47be3df 2821static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2822 const struct qstr *name, void **ctx,
d47be3df
DQ		 2823 u32 *ctxlen)
2824{
d47be3df
DQ		 2825 u32 newsid;
2826 int rc;
2827
c957f6df
VG		 2828 rc = selinux_determine_inode_label(current_security(),
2829 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2830 inode_mode_to_security_class(mode),
2831 &newsid);
2832 if (rc)
2833 return rc;
d47be3df 2834
aa8e712c
SS		 2835 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2836 ctxlen);
d47be3df
DQ		 2837}
2838
a518b0a5
VG		 2839static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2840 struct qstr *name,
2841 const struct cred *old,
2842 struct cred *new)
2843{
2844 u32 newsid;
2845 int rc;
2846 struct task_security_struct *tsec;
2847
2848 rc = selinux_determine_inode_label(old->security,
2849 d_inode(dentry->d_parent), name,
2850 inode_mode_to_security_class(mode),
2851 &newsid);
2852 if (rc)
2853 return rc;
2854
2855 tsec = new->security;
2856 tsec->create_sid = newsid;
2857 return 0;
2858}
2859
5e41ff9e 2860static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2861 const struct qstr *qstr,
2862 const char **name,
2a7dba39 2863 void **value, size_t *len)
5e41ff9e 2864{
5fb49870 2865 const struct task_security_struct *tsec = current_security();
5e41ff9e 2866 struct superblock_security_struct *sbsec;
c0d4f464 2867 u32 newsid, clen;
5e41ff9e 2868 int rc;
9548906b 2869 char *context;
5e41ff9e 2870
5e41ff9e 2871 sbsec = dir->i_sb->s_security;
5e41ff9e 2872
275bb41e
DH		 2873 newsid = tsec->create_sid;
2874
c957f6df 2875 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2876 dir, qstr,
2877 inode_mode_to_security_class(inode->i_mode),
2878 &newsid);
2879 if (rc)
2880 return rc;
5e41ff9e 2881
296fddf7 2882 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2883 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2884 struct inode_security_struct *isec = inode->i_security;
2885 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2886 isec->sid = newsid;
6f3be9f5 2887 isec->initialized = LABEL_INITIALIZED;
296fddf7 2888 }
5e41ff9e 2889
aa8e712c 2890 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2891 return -EOPNOTSUPP;
2892
9548906b
TH		 2893 if (name)
2894 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2895
570bc1c2 2896 if (value && len) {
aa8e712c
SS		 2897 rc = security_sid_to_context_force(&selinux_state, newsid,
2898 &context, &clen);
9548906b 2899 if (rc)
570bc1c2 2900 return rc;
570bc1c2
SS		 2901 *value = context;
2902 *len = clen;
5e41ff9e 2903 }
5e41ff9e 2904
5e41ff9e
SS		 2905 return 0;
2906}
2907
4acdaf27 2908static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2909{
2910 return may_create(dir, dentry, SECCLASS_FILE);
2911}
2912
1da177e4
LT		 2913static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2914{
1da177e4
LT		 2915 return may_link(dir, old_dentry, MAY_LINK);
2916}
2917
1da177e4
LT		 2918static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2919{
1da177e4
LT		 2920 return may_link(dir, dentry, MAY_UNLINK);
2921}
2922
2923static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2924{
2925 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2926}
2927
18bb1db3 2928static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2929{
2930 return may_create(dir, dentry, SECCLASS_DIR);
2931}
2932
1da177e4
LT		 2933static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2934{
2935 return may_link(dir, dentry, MAY_RMDIR);
2936}
2937
1a67aafb 2938static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2939{
1da177e4
LT		 2940 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2941}
2942
1da177e4 2943static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2944 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2945{
2946 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2947}
2948
1da177e4
LT		 2949static int selinux_inode_readlink(struct dentry *dentry)
2950{
88e67f3b
DH		 2951 const struct cred *cred = current_cred();
2952
2875fa00 2953 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2954}
2955
bda0be7a
N		 2956static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2957 bool rcu)
1da177e4 2958{
88e67f3b 2959 const struct cred *cred = current_cred();
bda0be7a
N		 2960 struct common_audit_data ad;
2961 struct inode_security_struct *isec;
2962 u32 sid;
1da177e4 2963
bda0be7a
N		 2964 validate_creds(cred);
2965
2966 ad.type = LSM_AUDIT_DATA_DENTRY;
2967 ad.u.dentry = dentry;
2968 sid = cred_sid(cred);
5d226df4
AG		 2969 isec = inode_security_rcu(inode, rcu);
2970 if (IS_ERR(isec))
2971 return PTR_ERR(isec);
bda0be7a 2972
6b6bc620
SS		 2973 return avc_has_perm_flags(&selinux_state,
2974 sid, isec->sid, isec->sclass, FILE__READ, &ad,
bda0be7a 2975 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2976}
2977
d4cf970d
EP		 2978static noinline int audit_inode_permission(struct inode *inode,
2979 u32 perms, u32 audited, u32 denied,
626b9740 2980 int result,
d4cf970d 2981 unsigned flags)
1da177e4 2982{
b782e0a6 2983 struct common_audit_data ad;
d4cf970d
EP		 2984 struct inode_security_struct *isec = inode->i_security;
2985 int rc;
2986
50c205f5 2987 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2988 ad.u.inode = inode;
2989
6b6bc620
SS		 2990 rc = slow_avc_audit(&selinux_state,
2991 current_sid(), isec->sid, isec->sclass, perms,
626b9740 2992 audited, denied, result, &ad, flags);
d4cf970d
EP		 2993 if (rc)
2994 return rc;
2995 return 0;
2996}
2997
e74f71eb 2998static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2999{
88e67f3b 3000 const struct cred *cred = current_cred();
b782e0a6
EP		 3001 u32 perms;
3002 bool from_access;
cf1dd1da 3003 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3004 struct inode_security_struct *isec;
3005 u32 sid;
3006 struct av_decision avd;
3007 int rc, rc2;
3008 u32 audited, denied;
1da177e4 3009
b782e0a6 3010 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3011 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3012
b782e0a6
EP		 3013 /* No permission to check. Existence test. */
3014 if (!mask)
1da177e4 3015 return 0;
1da177e4 3016
2e334057 3017 validate_creds(cred);
b782e0a6 3018
2e334057
EP		 3019 if (unlikely(IS_PRIVATE(inode)))
3020 return 0;
b782e0a6
EP		 3021
3022 perms = file_mask_to_av(inode->i_mode, mask);
3023
2e334057 3024 sid = cred_sid(cred);
5d226df4
AG		 3025 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3026 if (IS_ERR(isec))
3027 return PTR_ERR(isec);
2e334057 3028
6b6bc620
SS		 3029 rc = avc_has_perm_noaudit(&selinux_state,
3030 sid, isec->sid, isec->sclass, perms, 0, &avd);
2e334057
EP		 3031 audited = avc_audit_required(perms, &avd, rc,
3032 from_access ? FILE__AUDIT_ACCESS : 0,
3033 &denied);
3034 if (likely(!audited))
3035 return rc;
3036
626b9740 3037 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3038 if (rc2)
3039 return rc2;
3040 return rc;
1da177e4
LT		 3041}
3042
3043static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3044{
88e67f3b 3045 const struct cred *cred = current_cred();
ccb54478 3046 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3047 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3048 __u32 av = FILE__WRITE;
1da177e4 3049
bc6a6008
AW		 3050 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3051 if (ia_valid & ATTR_FORCE) {
3052 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3053 ATTR_FORCE);
3054 if (!ia_valid)
3055 return 0;
3056 }
1da177e4 3057
bc6a6008
AW		 3058 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3059 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3060 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3061
aa8e712c 3062 if (selinux_policycap_openperm() &&
ccb54478
SS		 3063 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3064 (ia_valid & ATTR_SIZE) &&
3065 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3066 av |= FILE__OPEN;
3067
3068 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3069}
3070
3f7036a0 3071static int selinux_inode_getattr(const struct path *path)
1da177e4 3072{
3f7036a0 3073 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3074}
3075
db59000a
SS		 3076static bool has_cap_mac_admin(bool audit)
3077{
3078 const struct cred *cred = current_cred();
3079 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3080
3081 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3082 return false;
3083 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3084 return false;
3085 return true;
3086}
3087
8f0cfa52
DH		 3088static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3089 const void *value, size_t size, int flags)
1da177e4 3090{
c6f493d6 3091 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3092 struct inode_security_struct *isec;
1da177e4 3093 struct superblock_security_struct *sbsec;
2bf49690 3094 struct common_audit_data ad;
275bb41e 3095 u32 newsid, sid = current_sid();
1da177e4
LT		 3096 int rc = 0;
3097
6b240306
EB		 3098 if (strcmp(name, XATTR_NAME_SELINUX)) {
3099 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3100 if (rc)
3101 return rc;
3102
3103 /* Not an attribute we recognize, so just check the
3104 ordinary setattr permission. */
3105 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3106 }
1da177e4
LT		 3107
3108 sbsec = inode->i_sb->s_security;
12f348b9 3109 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3110 return -EOPNOTSUPP;
3111
2e149670 3112 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3113 return -EPERM;
3114
50c205f5 3115 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3116 ad.u.dentry = dentry;
1da177e4 3117
20cdef8d 3118 isec = backing_inode_security(dentry);
6b6bc620
SS		 3119 rc = avc_has_perm(&selinux_state,
3120 sid, isec->sid, isec->sclass,
1da177e4
LT		 3121 FILE__RELABELFROM, &ad);
3122 if (rc)
3123 return rc;
3124
aa8e712c
SS		 3125 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3126 GFP_KERNEL);
12b29f34 3127 if (rc == -EINVAL) {
db59000a 3128 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3129 struct audit_buffer *ab;
3130 size_t audit_size;
d6ea83ec
EP		 3131
3132 /* We strip a nul only if it is at the end, otherwise the
3133 * context contains a nul and we should audit that */
e3fea3f7 3134 if (value) {
add24372
CIK		 3135 const char *str = value;
3136
e3fea3f7
AV		 3137 if (str[size - 1] == '\0')
3138 audit_size = size - 1;
3139 else
3140 audit_size = size;
3141 } else {
e3fea3f7
AV		 3142 audit_size = 0;
3143 }
cdfb6b34
RGB		 3144 ab = audit_log_start(audit_context(),
3145 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3146 audit_log_format(ab, "op=setxattr invalid_context=");
3147 audit_log_n_untrustedstring(ab, value, audit_size);
3148 audit_log_end(ab);
3149
12b29f34 3150 return rc;
d6ea83ec 3151 }
aa8e712c
SS		 3152 rc = security_context_to_sid_force(&selinux_state, value,
3153 size, &newsid);
12b29f34 3154 }
1da177e4
LT		 3155 if (rc)
3156 return rc;
3157
6b6bc620
SS		 3158 rc = avc_has_perm(&selinux_state,
3159 sid, newsid, isec->sclass,
1da177e4
LT		 3160 FILE__RELABELTO, &ad);
3161 if (rc)
3162 return rc;
3163
aa8e712c
SS		 3164 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3165 sid, isec->sclass);
1da177e4
LT		 3166 if (rc)
3167 return rc;
3168
6b6bc620
SS		 3169 return avc_has_perm(&selinux_state,
3170 newsid,
1da177e4
LT		 3171 sbsec->sid,
3172 SECCLASS_FILESYSTEM,
3173 FILESYSTEM__ASSOCIATE,
3174 &ad);
3175}
3176
8f0cfa52 3177static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3178 const void *value, size_t size,
8f0cfa52 3179 int flags)
1da177e4 3180{
c6f493d6 3181 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3182 struct inode_security_struct *isec;
1da177e4
LT		 3183 u32 newsid;
3184 int rc;
3185
3186 if (strcmp(name, XATTR_NAME_SELINUX)) {
3187 /* Not an attribute we recognize, so nothing to do. */
3188 return;
3189 }
3190
aa8e712c
SS		 3191 rc = security_context_to_sid_force(&selinux_state, value, size,
3192 &newsid);
1da177e4 3193 if (rc) {
c103a91e 3194 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3195 "for (%s, %lu), rc=%d\n",
3196 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3197 return;
3198 }
3199
20cdef8d 3200 isec = backing_inode_security(dentry);
9287aed2 3201 spin_lock(&isec->lock);
aa9c2669 3202 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3203 isec->sid = newsid;
6f3be9f5 3204 isec->initialized = LABEL_INITIALIZED;
9287aed2 3205 spin_unlock(&isec->lock);
aa9c2669 3206
1da177e4
LT		 3207 return;
3208}
3209
8f0cfa52 3210static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3211{
88e67f3b
DH		 3212 const struct cred *cred = current_cred();
3213
2875fa00 3214 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3215}
3216
828dfe1d 3217static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3218{
88e67f3b
DH		 3219 const struct cred *cred = current_cred();
3220
2875fa00 3221 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3222}
3223
8f0cfa52 3224static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3225{
6b240306
EB		 3226 if (strcmp(name, XATTR_NAME_SELINUX)) {
3227 int rc = cap_inode_removexattr(dentry, name);
3228 if (rc)
3229 return rc;
3230
3231 /* Not an attribute we recognize, so just check the
3232 ordinary setattr permission. */
3233 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3234 }
1da177e4
LT		 3235
3236 /* No one is allowed to remove a SELinux security label.
3237 You can change the label, but all data must be labeled. */
3238 return -EACCES;
3239}
3240
d381d8a9 3241/*
abc69bb6 3242 * Copy the inode security context value to the user.
d381d8a9
JM		 3243 *
3244 * Permission check is handled by selinux_inode_getxattr hook.
3245 */
ea861dfd 3246static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3247{
42492594
DQ		 3248 u32 size;
3249 int error;
3250 char *context = NULL;
20cdef8d 3251 struct inode_security_struct *isec;
d381d8a9 3252
8c8570fb
DK		 3253 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3254 return -EOPNOTSUPP;
d381d8a9 3255
abc69bb6
SS		 3256 /*
3257 * If the caller has CAP_MAC_ADMIN, then get the raw context
3258 * value even if it is not defined by current policy; otherwise,
3259 * use the in-core value under current policy.
3260 * Use the non-auditing forms of the permission checks since
3261 * getxattr may be called by unprivileged processes commonly
3262 * and lack of permission just means that we fall back to the
3263 * in-core context value, not a denial.
3264 */
20cdef8d 3265 isec = inode_security(inode);
db59000a 3266 if (has_cap_mac_admin(false))
aa8e712c
SS		 3267 error = security_sid_to_context_force(&selinux_state,
3268 isec->sid, &context,
abc69bb6
SS		 3269 &size);
3270 else
aa8e712c
SS		 3271 error = security_sid_to_context(&selinux_state, isec->sid,
3272 &context, &size);
42492594
DQ		 3273 if (error)
3274 return error;
3275 error = size;
3276 if (alloc) {
3277 *buffer = context;
3278 goto out_nofree;
3279 }
3280 kfree(context);
3281out_nofree:
3282 return error;
1da177e4
LT		 3283}
3284
3285static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3286 const void *value, size_t size, int flags)
1da177e4 3287{
2c97165b 3288 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3289 u32 newsid;
3290 int rc;
3291
3292 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3293 return -EOPNOTSUPP;
3294
3295 if (!value || !size)
3296 return -EACCES;
3297
aa8e712c
SS		 3298 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3299 GFP_KERNEL);
1da177e4
LT		 3300 if (rc)
3301 return rc;
3302
9287aed2 3303 spin_lock(&isec->lock);
aa9c2669 3304 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3305 isec->sid = newsid;
6f3be9f5 3306 isec->initialized = LABEL_INITIALIZED;
9287aed2 3307 spin_unlock(&isec->lock);
1da177e4
LT		 3308 return 0;
3309}
3310
3311static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3312{
3313 const int len = sizeof(XATTR_NAME_SELINUX);
3314 if (buffer && len <= buffer_size)
3315 memcpy(buffer, XATTR_NAME_SELINUX, len);
3316 return len;
3317}
3318
d6335d77 3319static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3320{
e817c2f3 3321 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3322 *secid = isec->sid;
3323}
3324
56909eb3
VG		 3325static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3326{
3327 u32 sid;
3328 struct task_security_struct *tsec;
3329 struct cred *new_creds = *new;
3330
3331 if (new_creds == NULL) {
3332 new_creds = prepare_creds();
3333 if (!new_creds)
3334 return -ENOMEM;
3335 }
3336
3337 tsec = new_creds->security;
3338 /* Get label from overlay inode and set it in create_sid */
3339 selinux_inode_getsecid(d_inode(src), &sid);
3340 tsec->create_sid = sid;
3341 *new = new_creds;
3342 return 0;
3343}
3344
19472b69
VG		 3345static int selinux_inode_copy_up_xattr(const char *name)
3346{
3347 /* The copy_up hook above sets the initial context on an inode, but we
3348 * don't then want to overwrite it by blindly copying all the lower
3349 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3350 */
3351 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3352 return 1; /* Discard */
3353 /*
3354 * Any other attribute apart from SELINUX is not claimed, supported
3355 * by selinux.
3356 */
3357 return -EOPNOTSUPP;
3358}
3359
1da177e4
LT		 3360/* file security operations */
3361
788e7dd4 3362static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3363{
88e67f3b 3364 const struct cred *cred = current_cred();
496ad9aa 3365 struct inode *inode = file_inode(file);
1da177e4 3366
1da177e4
LT		 3367 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3368 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3369 mask |= MAY_APPEND;
3370
389fb800
PM		 3371 return file_has_perm(cred, file,
3372 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3373}
3374
788e7dd4
YN		 3375static int selinux_file_permission(struct file *file, int mask)
3376{
496ad9aa 3377 struct inode *inode = file_inode(file);
20dda18b 3378 struct file_security_struct *fsec = file->f_security;
b197367e 3379 struct inode_security_struct *isec;
20dda18b
SS		 3380 u32 sid = current_sid();
3381
389fb800 3382 if (!mask)
788e7dd4
YN		 3383 /* No permission to check. Existence test. */
3384 return 0;
788e7dd4 3385
b197367e 3386 isec = inode_security(inode);
20dda18b 3387 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3388 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3389 /* No change since file_open check. */
20dda18b
SS		 3390 return 0;
3391
788e7dd4
YN		 3392 return selinux_revalidate_file_permission(file, mask);
3393}
3394
1da177e4
LT		 3395static int selinux_file_alloc_security(struct file *file)
3396{
3397 return file_alloc_security(file);
3398}
3399
3400static void selinux_file_free_security(struct file *file)
3401{
3402 file_free_security(file);
3403}
3404
fa1aa143
JVS		 3405/*
3406 * Check whether a task has the ioctl permission and cmd
3407 * operation to an inode.
3408 */
1d2a168a 3409static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3410 u32 requested, u16 cmd)
3411{
3412 struct common_audit_data ad;
3413 struct file_security_struct *fsec = file->f_security;
3414 struct inode *inode = file_inode(file);
20cdef8d 3415 struct inode_security_struct *isec;
fa1aa143
JVS		 3416 struct lsm_ioctlop_audit ioctl;
3417 u32 ssid = cred_sid(cred);
3418 int rc;
3419 u8 driver = cmd >> 8;
3420 u8 xperm = cmd & 0xff;
3421
3422 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3423 ad.u.op = &ioctl;
3424 ad.u.op->cmd = cmd;
3425 ad.u.op->path = file->f_path;
3426
3427 if (ssid != fsec->sid) {
6b6bc620
SS		 3428 rc = avc_has_perm(&selinux_state,
3429 ssid, fsec->sid,
fa1aa143
JVS		 3430 SECCLASS_FD,
3431 FD__USE,
3432 &ad);
3433 if (rc)
3434 goto out;
3435 }
3436
3437 if (unlikely(IS_PRIVATE(inode)))
3438 return 0;
3439
20cdef8d 3440 isec = inode_security(inode);
6b6bc620
SS		 3441 rc = avc_has_extended_perms(&selinux_state,
3442 ssid, isec->sid, isec->sclass,
3443 requested, driver, xperm, &ad);
fa1aa143
JVS		 3444out:
3445 return rc;
3446}
3447
1da177e4
LT		 3448static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3449 unsigned long arg)
3450{
88e67f3b 3451 const struct cred *cred = current_cred();
0b24dcb7 3452 int error = 0;
1da177e4 3453
0b24dcb7
EP		 3454 switch (cmd) {
3455 case FIONREAD:
3456 /* fall through */
3457 case FIBMAP:
3458 /* fall through */
3459 case FIGETBSZ:
3460 /* fall through */
2f99c369 3461 case FS_IOC_GETFLAGS:
0b24dcb7 3462 /* fall through */
2f99c369 3463 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3464 error = file_has_perm(cred, file, FILE__GETATTR);
3465 break;
1da177e4 3466
2f99c369 3467 case FS_IOC_SETFLAGS:
0b24dcb7 3468 /* fall through */
2f99c369 3469 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3470 error = file_has_perm(cred, file, FILE__SETATTR);
3471 break;
3472
3473 /* sys_ioctl() checks */
3474 case FIONBIO:
3475 /* fall through */
3476 case FIOASYNC:
3477 error = file_has_perm(cred, file, 0);
3478 break;
1da177e4 3479
0b24dcb7
EP		 3480 case KDSKBENT:
3481 case KDSKBSENT:
6a9de491 3482 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3483 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3484 break;
3485
3486 /* default case assumes that the command will go
3487 * to the file's ioctl() function.
3488 */
3489 default:
fa1aa143 3490 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3491 }
3492 return error;
1da177e4
LT		 3493}
3494
fcaaade1
SS		 3495static int default_noexec;
3496
1da177e4
LT		 3497static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3498{
88e67f3b 3499 const struct cred *cred = current_cred();
be0554c9 3500 u32 sid = cred_sid(cred);
d84f4f99 3501 int rc = 0;
88e67f3b 3502
fcaaade1 3503 if (default_noexec &&
892e8cac
SS		 3504 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3505 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3506 /*
3507 * We are making executable an anonymous mapping or a
3508 * private file mapping that will also be writable.
3509 * This has an additional check.
3510 */
6b6bc620
SS		 3511 rc = avc_has_perm(&selinux_state,
3512 sid, sid, SECCLASS_PROCESS,
be0554c9 3513 PROCESS__EXECMEM, NULL);
1da177e4 3514 if (rc)
d84f4f99 3515 goto error;
1da177e4 3516 }
1da177e4
LT		 3517
3518 if (file) {
3519 /* read access is always possible with a mapping */
3520 u32 av = FILE__READ;
3521
3522 /* write access only matters if the mapping is shared */
3523 if (shared && (prot & PROT_WRITE))
3524 av |= FILE__WRITE;
3525
3526 if (prot & PROT_EXEC)
3527 av |= FILE__EXECUTE;
3528
88e67f3b 3529 return file_has_perm(cred, file, av);
1da177e4 3530 }
d84f4f99
DH		 3531
3532error:
3533 return rc;
1da177e4
LT		 3534}
3535
e5467859 3536static int selinux_mmap_addr(unsigned long addr)
1da177e4 3537{
b1d9e6b0 3538 int rc = 0;
1da177e4 3539
a2551df7 3540 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3541 u32 sid = current_sid();
6b6bc620
SS		 3542 rc = avc_has_perm(&selinux_state,
3543 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3544 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3545 }
3546
98883bfd 3547 return rc;
e5467859 3548}
1da177e4 3549
e5467859
AV		 3550static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3551 unsigned long prot, unsigned long flags)
3552{
3ba4bf5f
SS		 3553 struct common_audit_data ad;
3554 int rc;
3555
3556 if (file) {
3557 ad.type = LSM_AUDIT_DATA_FILE;
3558 ad.u.file = file;
3559 rc = inode_has_perm(current_cred(), file_inode(file),
3560 FILE__MAP, &ad);
3561 if (rc)
3562 return rc;
3563 }
3564
aa8e712c 3565 if (selinux_state.checkreqprot)
1da177e4
LT		 3566 prot = reqprot;
3567
3568 return file_map_prot_check(file, prot,
3569 (flags & MAP_TYPE) == MAP_SHARED);
3570}
3571
3572static int selinux_file_mprotect(struct vm_area_struct *vma,
3573 unsigned long reqprot,
3574 unsigned long prot)
3575{
88e67f3b 3576 const struct cred *cred = current_cred();
be0554c9 3577 u32 sid = cred_sid(cred);
1da177e4 3578
aa8e712c 3579 if (selinux_state.checkreqprot)
1da177e4
LT		 3580 prot = reqprot;
3581
fcaaade1
SS		 3582 if (default_noexec &&
3583 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3584 int rc = 0;
db4c9641
SS		 3585 if (vma->vm_start >= vma->vm_mm->start_brk &&
3586 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3587 rc = avc_has_perm(&selinux_state,
3588 sid, sid, SECCLASS_PROCESS,
be0554c9 3589 PROCESS__EXECHEAP, NULL);
db4c9641 3590 } else if (!vma->vm_file &&
c2316dbf
SS		 3591 ((vma->vm_start <= vma->vm_mm->start_stack &&
3592 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3593 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3594 rc = avc_has_perm(&selinux_state,
3595 sid, sid, SECCLASS_PROCESS,
be0554c9 3596 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3597 } else if (vma->vm_file && vma->anon_vma) {
3598 /*
3599 * We are making executable a file mapping that has
3600 * had some COW done. Since pages might have been
3601 * written, check ability to execute the possibly
3602 * modified content. This typically should only
3603 * occur for text relocations.
3604 */
d84f4f99 3605 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3606 }