]> git.ipfire.org Git - thirdparty/linux.git/blame - security/selinux/hooks.c
projects / thirdparty / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'hid-for-linus-2025070502' of git://git.kernel.org/pub/scm/linux/kernel...
[thirdparty/linux.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4 2/*
90aa4f5e 3 * Security-Enhanced Linux (SELinux) security module
1da177e4
LT		 4 *
5 * This file contains the SELinux hook function implementations.
6 *
0fe53224 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
b89999d0 27#include <linux/kernel_read_file.h>
1da177e4 28#include <linux/errno.h>
3f07c014 29#include <linux/sched/signal.h>
29930025 30#include <linux/sched/task.h>
3c4ed7bd 31#include <linux/lsm_hooks.h>
1da177e4
LT		 32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
0b24dcb7 39#include <linux/proc_fs.h>
1da177e4 40#include <linux/swap.h>
1da177e4
LT		 41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
2a7dba39 43#include <linux/dcache.h>
1da177e4 44#include <linux/file.h>
9f3acc31 45#include <linux/fdtable.h>
1da177e4
LT		 46#include <linux/namei.h>
47#include <linux/mount.h>
442155c1
DH		 48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
d452930f
RH		 68#include <linux/sctp.h>
69#include <net/sctp/structs.h>
1da177e4
LT		 70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
1da177e4 78#include <linux/audit.h>
6931dfc9 79#include <linux/string.h>
23970741 80#include <linux/mutex.h>
f06febc9 81#include <linux/posix-timers.h>
00234592 82#include <linux/syslog.h>
3486740a 83#include <linux/user_namespace.h>
44fc7ea0 84#include <linux/export.h>
40401530
AV		 85#include <linux/msg.h>
86#include <linux/shm.h>
bc46ef3c 87#include <uapi/linux/shm.h>
ec27c356 88#include <linux/bpf.h>
ec882da5
OM		 89#include <linux/kernfs.h>
90#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 91#include <uapi/linux/mount.h>
ac5656d8
AG		 92#include <linux/fsnotify.h>
93#include <linux/fanotify.h>
b66509b8 94#include <linux/io_uring/cmd.h>
f3b8788c 95#include <uapi/linux/lsm.h>
1da177e4
LT		 96
97#include "avc.h"
98#include "objsec.h"
99#include "netif.h"
224dfbd8 100#include "netnode.h"
3e112172 101#include "netport.h"
409dcf31 102#include "ibpkey.h"
d28d1e08 103#include "xfrm.h"
c60475bf 104#include "netlabel.h"
9d57a7f9 105#include "audit.h"
7b98a585 106#include "avc_ss.h"
1da177e4 107
6bcdfd2c
RS		 108#define SELINUX_INODE_INIT_XATTRS 1
109
aa8e712c
SS		 110struct selinux_state selinux_state;
111
d621d35e 112/* SECMARK reference count */
56a4ca99 113static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 114
1da177e4 115#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
6c5a682e 116static int selinux_enforcing_boot __initdata;
1da177e4
LT		 117
118static int __init enforcing_setup(char *str)
119{
f5269710 120 unsigned long enforcing;
29707b20 121 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 122 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 123 return 1;
124}
125__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 126#else
127#define selinux_enforcing_boot 1
1da177e4
LT		 128#endif
129
6c5a682e 130int selinux_enabled_boot __initdata = 1;
1da177e4 131#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 132static int __init selinux_enabled_setup(char *str)
133{
f5269710 134 unsigned long enabled;
29707b20 135 if (!kstrtoul(str, 0, &enabled))
6c5a682e 136 selinux_enabled_boot = enabled ? 1 : 0;
1da177e4
LT		 137 return 1;
138}
139__setup("selinux=", selinux_enabled_setup);
140#endif
141
aa8e712c
SS		 142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
e9c38f9f 146 if (!kstrtoul(str, 0, &checkreqprot)) {
e9c38f9f 147 if (checkreqprot)
a7e4676e 148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
e9c38f9f 149 }
aa8e712c
SS		 150 return 1;
151}
152__setup("checkreqprot=", checkreqprot_setup);
153
d621d35e
PM		 154/**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 163 *
164 */
165static int selinux_secmark_enabled(void)
166{
aa8e712c
SS		 167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 169}
170
171/**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181static int selinux_peerlbl_enabled(void)
182{
aa8e712c
SS		 183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 185}
186
615e51fd
PM		 187static int selinux_netcache_avc_callback(u32 event)
188{
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196}
197
8f408ab6
DJ		 198static int selinux_lsm_notifier_avc_callback(u32 event)
199{
409dcf31
DJ		 200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
42df744c 202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 203 }
8f408ab6
DJ		 204
205 return 0;
206}
207
d84f4f99
DH		 208/*
209 * initialise the security for the init task
210 */
211static void cred_init_security(void)
1da177e4
LT		 212{
213 struct task_security_struct *tsec;
214
5d7ddc59
PM		 215 /* NOTE: the lsm framework zeros out the buffer on allocation */
216
cdeea454 217 tsec = selinux_cred(unrcu_pointer(current->real_cred));
5d7ddc59 218 tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL;
1da177e4
LT		 219}
220
88e67f3b
DH		 221/*
222 * get the security ID of a set of credentials
223 */
224static inline u32 cred_sid(const struct cred *cred)
225{
226 const struct task_security_struct *tsec;
227
0c6cfa62 228 tsec = selinux_cred(cred);
88e67f3b
DH		 229 return tsec->sid;
230}
231
dd51fcd4
PA		 232static void __ad_net_init(struct common_audit_data *ad,
233 struct lsm_network_audit *net,
234 int ifindex, struct sock *sk, u16 family)
235{
236 ad->type = LSM_AUDIT_DATA_NET;
237 ad->u.net = net;
238 net->netif = ifindex;
239 net->sk = sk;
240 net->family = family;
241}
242
243static void ad_net_init_from_sk(struct common_audit_data *ad,
244 struct lsm_network_audit *net,
245 struct sock *sk)
246{
247 __ad_net_init(ad, net, 0, sk, 0);
248}
249
250static void ad_net_init_from_iif(struct common_audit_data *ad,
251 struct lsm_network_audit *net,
252 int ifindex, u16 family)
253{
3876043a 254 __ad_net_init(ad, net, ifindex, NULL, family);
dd51fcd4
PA		 255}
256
275bb41e 257/*
3b11a1de 258 * get the objective security ID of a task
275bb41e 259 */
eb1231f7 260static inline u32 task_sid_obj(const struct task_struct *task)
275bb41e 261{
275bb41e
DH		 262 u32 sid;
263
264 rcu_read_lock();
88e67f3b 265 sid = cred_sid(__task_cred(task));
275bb41e
DH		 266 rcu_read_unlock();
267 return sid;
268}
269
5d226df4
AG		 270static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
271
272/*
273 * Try reloading inode security labels that have been marked as invalid. The
274 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 275 * allowed; when set to false, returns -ECHILD when the label is
e9193288 276 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 277 */
278static int __inode_security_revalidate(struct inode *inode,
e9193288 279 struct dentry *dentry,
5d226df4
AG		 280 bool may_sleep)
281{
5d7ddc59
PM		 282 if (!selinux_initialized())
283 return 0;
5d226df4 284
5d7ddc59
PM		 285 if (may_sleep)
286 might_sleep();
287 else
288 return -ECHILD;
5d226df4 289
2571bb9d 290 /*
5d7ddc59
PM		 291 * Check to ensure that an inode's SELinux state is valid and try
292 * reloading the inode security label if necessary. This will fail if
293 * @dentry is NULL and no dentry for this inode can be found; in that
294 * case, continue using the old label.
2571bb9d 295 */
5d7ddc59 296 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 297 return 0;
298}
299
5d226df4
AG		 300static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
301{
80788c22 302 return selinux_inode(inode);
5d226df4
AG		 303}
304
5d7ddc59
PM		 305static inline struct inode_security_struct *inode_security_rcu(struct inode *inode,
306 bool rcu)
5d226df4 307{
5d7ddc59
PM		 308 int rc;
309 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4 310
5d7ddc59
PM		 311 /* check below is racy, but revalidate will recheck with lock held */
312 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
313 return isec;
314 rc = __inode_security_revalidate(inode, NULL, !rcu);
315 if (rc)
316 return ERR_PTR(rc);
317 return isec;
5d226df4
AG		 318}
319
83da53c5
AG		 320/*
321 * Get the security label of an inode.
322 */
5d7ddc59 323static inline struct inode_security_struct *inode_security(struct inode *inode)
83da53c5 324{
5d7ddc59
PM		 325 struct inode_security_struct *isec = selinux_inode(inode);
326
327 /* check below is racy, but revalidate will recheck with lock held */
328 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
329 return isec;
5d226df4 330 __inode_security_revalidate(inode, NULL, true);
5d7ddc59 331 return isec;
83da53c5
AG		 332}
333
5d7ddc59 334static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
2c97165b 335{
5d7ddc59 336 return selinux_inode(d_backing_inode(dentry));
2c97165b
PM		 337}
338
83da53c5
AG		 339/*
340 * Get the security label of a dentry's backing inode.
341 */
5d7ddc59 342static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry)
83da53c5
AG		 343{
344 struct inode *inode = d_backing_inode(dentry);
5d7ddc59 345 struct inode_security_struct *isec = selinux_inode(inode);
83da53c5 346
5d7ddc59
PM		 347 /* check below is racy, but revalidate will recheck with lock held */
348 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
349 return isec;
5d226df4 350 __inode_security_revalidate(inode, dentry, true);
5d7ddc59 351 return isec;
83da53c5
AG		 352}
353
1da177e4
LT		 354static void inode_free_security(struct inode *inode)
355{
80788c22 356 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 357 struct superblock_security_struct *sbsec;
1da177e4 358
afb1cbe3
CS		 359 if (!isec)
360 return;
1aea7808 361 sbsec = selinux_superblock(inode->i_sb);
9629d04a
WL		 362 /*
363 * As not all inode security structures are in a list, we check for
364 * empty list outside of the lock to make sure that we won't waste
365 * time taking a lock doing nothing.
366 *
367 * The list_del_init() function can be safely called more than once.
368 * It should not be possible for this function to be called with
369 * concurrent list_add(), but for better safety against future changes
370 * in the code, we use list_empty_careful() here.
371 */
372 if (!list_empty_careful(&isec->list)) {
373 spin_lock(&sbsec->isec_lock);
1da177e4 374 list_del_init(&isec->list);
9629d04a
WL		 375 spin_unlock(&sbsec->isec_lock);
376 }
1da177e4
LT		 377}
378
bd323655 379struct selinux_mnt_opts {
b8b87fd9
SM		 380 u32 fscontext_sid;
381 u32 context_sid;
382 u32 rootcontext_sid;
383 u32 defcontext_sid;
bd323655
AV		 384};
385
204cc0cc
AV		 386static void selinux_free_mnt_opts(void *mnt_opts)
387{
70f4169a 388 kfree(mnt_opts);
204cc0cc
AV		 389}
390
1da177e4 391enum {
31e87930 392 Opt_error = -1,
442155c1
DH		 393 Opt_context = 0,
394 Opt_defcontext = 1,
1da177e4 395 Opt_fscontext = 2,
442155c1
DH		 396 Opt_rootcontext = 3,
397 Opt_seclabel = 4,
1da177e4
LT		 398};
399
da3d76ab 400#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
4158cb60 401static const struct {
169d68ef
AV		 402 const char *name;
403 int len;
404 int opt;
405 bool has_arg;
406} tokens[] = {
da3d76ab
AV		 407 A(context, true),
408 A(fscontext, true),
409 A(defcontext, true),
410 A(rootcontext, true),
411 A(seclabel, false),
1da177e4 412};
169d68ef
AV		 413#undef A
414
415static int match_opt_prefix(char *s, int l, char **arg)
416{
c75c7945 417 unsigned int i;
169d68ef
AV		 418
419 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
420 size_t len = tokens[i].len;
421 if (len > l || memcmp(s, tokens[i].name, len))
422 continue;
423 if (tokens[i].has_arg) {
424 if (len == l || s[len] != '=')
425 continue;
426 *arg = s + len + 1;
427 } else if (len != l)
428 continue;
429 return tokens[i].opt;
430 }
431 return Opt_error;
432}
1da177e4
LT		 433
434#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
435
c312feb2
EP		 436static int may_context_mount_sb_relabel(u32 sid,
437 struct superblock_security_struct *sbsec,
275bb41e 438 const struct cred *cred)
c312feb2 439{
0c6cfa62 440 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 441 int rc;
442
e67b7985 443 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 444 FILESYSTEM__RELABELFROM, NULL);
445 if (rc)
446 return rc;
447
e67b7985 448 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 449 FILESYSTEM__RELABELTO, NULL);
450 return rc;
451}
452
0808925e
EP		 453static int may_context_mount_inode_relabel(u32 sid,
454 struct superblock_security_struct *sbsec,
275bb41e 455 const struct cred *cred)
0808925e 456{
0c6cfa62 457 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 458 int rc;
e67b7985 459 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 460 FILESYSTEM__RELABELFROM, NULL);
461 if (rc)
462 return rc;
463
e67b7985 464 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 465 FILESYSTEM__ASSOCIATE, NULL);
466 return rc;
467}
468
a83d6dda 469static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 470{
a83d6dda
OM		 471 /* Special handling. Genfs but also in-core setxattr handler */
472 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 473 !strcmp(sb->s_type->name, "pstore") ||
474 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 475 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 476 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 477 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 478 (!strcmp(sb->s_type->name, "cgroup") ||
479 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 480}
481
a83d6dda
OM		 482static int selinux_is_sblabel_mnt(struct super_block *sb)
483{
1aea7808 484 struct superblock_security_struct *sbsec = selinux_superblock(sb);
a83d6dda
OM		 485
486 /*
487 * IMPORTANT: Double-check logic in this function when adding a new
488 * SECURITY_FS_USE_* definition!
489 */
490 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
491
492 switch (sbsec->behavior) {
493 case SECURITY_FS_USE_XATTR:
494 case SECURITY_FS_USE_TRANS:
495 case SECURITY_FS_USE_TASK:
496 case SECURITY_FS_USE_NATIVE:
497 return 1;
498
499 case SECURITY_FS_USE_GENFS:
500 return selinux_is_genfs_special_handling(sb);
501
502 /* Never allow relabeling on context mounts */
503 case SECURITY_FS_USE_MNTPOINT:
504 case SECURITY_FS_USE_NONE:
505 default:
506 return 0;
507 }
508}
509
08abe46b
OM		 510static int sb_check_xattr_support(struct super_block *sb)
511{
0266c25e 512 struct superblock_security_struct *sbsec = selinux_superblock(sb);
08abe46b
OM		 513 struct dentry *root = sb->s_root;
514 struct inode *root_inode = d_backing_inode(root);
515 u32 sid;
516 int rc;
517
518 /*
519 * Make sure that the xattr handler exists and that no
520 * error other than -ENODATA is returned by getxattr on
521 * the root directory. -ENODATA is ok, as this may be
522 * the first boot of the SELinux kernel before we have
523 * assigned xattr values to the filesystem.
524 */
525 if (!(root_inode->i_opflags & IOP_XATTR)) {
526 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
527 sb->s_id, sb->s_type->name);
528 goto fallback;
529 }
530
531 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
532 if (rc < 0 && rc != -ENODATA) {
533 if (rc == -EOPNOTSUPP) {
534 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
535 sb->s_id, sb->s_type->name);
536 goto fallback;
537 } else {
538 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
539 sb->s_id, sb->s_type->name, -rc);
540 return rc;
541 }
542 }
543 return 0;
544
545fallback:
546 /* No xattr support - try to fallback to genfs if possible. */
e67b7985 547 rc = security_genfs_sid(sb->s_type->name, "/",
08abe46b
OM		 548 SECCLASS_DIR, &sid);
549 if (rc)
550 return -EOPNOTSUPP;
551
552 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
553 sb->s_id, sb->s_type->name);
554 sbsec->behavior = SECURITY_FS_USE_GENFS;
555 sbsec->sid = sid;
556 return 0;
557}
558
c9180a57 559static int sb_finish_set_opts(struct super_block *sb)
1da177e4 560{
1aea7808 561 struct superblock_security_struct *sbsec = selinux_superblock(sb);
c9180a57 562 struct dentry *root = sb->s_root;
c6f493d6 563 struct inode *root_inode = d_backing_inode(root);
c9180a57 564 int rc = 0;
1da177e4 565
c9180a57 566 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
08abe46b
OM		 567 rc = sb_check_xattr_support(sb);
568 if (rc)
569 return rc;
c9180a57 570 }
1da177e4 571
eadcabc6 572 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 573
574 /*
575 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
576 * leave the flag untouched because sb_clone_mnt_opts might be handing
577 * us a superblock that needs the flag to be cleared.
578 */
b43e725d 579 if (selinux_is_sblabel_mnt(sb))
12f348b9 580 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 581 else
582 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 583
c9180a57
EP		 584 /* Initialize the root inode. */
585 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 586
c9180a57
EP		 587 /* Initialize any other inodes associated with the superblock, e.g.
588 inodes created prior to initial policy load or inodes created
589 during get_sb by a pseudo filesystem that directly
590 populates itself. */
591 spin_lock(&sbsec->isec_lock);
8d64124a 592 while (!list_empty(&sbsec->isec_head)) {
c9180a57 593 struct inode_security_struct *isec =
8d64124a 594 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 595 struct inode_security_struct, list);
596 struct inode *inode = isec->inode;
923190d3 597 list_del_init(&isec->list);
c9180a57
EP		 598 spin_unlock(&sbsec->isec_lock);
599 inode = igrab(inode);
600 if (inode) {
601 if (!IS_PRIVATE(inode))
cb89e246 602 inode_doinit_with_dentry(inode, NULL);
c9180a57
EP		 603 iput(inode);
604 }
605 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 606 }
607 spin_unlock(&sbsec->isec_lock);
c9180a57
EP		 608 return rc;
609}
1da177e4 610
c9180a57
EP		 611static int bad_option(struct superblock_security_struct *sbsec, char flag,
612 u32 old_sid, u32 new_sid)
613{
0d90a7ec
DQ		 614 char mnt_flags = sbsec->flags & SE_MNTMASK;
615
c9180a57 616 /* check if the old mount command had the same options */
0d90a7ec 617 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 618 if (!(sbsec->flags & flag) ||
619 (old_sid != new_sid))
620 return 1;
621
622 /* check if we were passed the same options twice,
623 * aka someone passed context=a,context=b
624 */
0d90a7ec
DQ		 625 if (!(sbsec->flags & SE_SBINITIALIZED))
626 if (mnt_flags & flag)
c9180a57
EP		 627 return 1;
628 return 0;
629}
e0007529 630
c9180a57
EP		 631/*
632 * Allow filesystems with binary mount data to explicitly set mount point
633 * labeling information.
634 */
e0007529 635static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 636 void *mnt_opts,
649f6e77
DQ		 637 unsigned long kern_flags,
638 unsigned long *set_kern_flags)
c9180a57 639{
275bb41e 640 const struct cred *cred = current_cred();
1aea7808 641 struct superblock_security_struct *sbsec = selinux_superblock(sb);
b159e86b 642 struct dentry *root = sb->s_root;
bd323655 643 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 644 struct inode_security_struct *root_isec;
c9180a57
EP		 645 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
646 u32 defcontext_sid = 0;
bd323655 647 int rc = 0;
c9180a57 648
cec5fe70
OM		 649 /*
650 * Specifying internal flags without providing a place to
651 * place the results is not allowed
652 */
653 if (kern_flags && !set_kern_flags)
654 return -EINVAL;
655
c9180a57
EP		 656 mutex_lock(&sbsec->lock);
657
e67b7985 658 if (!selinux_initialized()) {
bd323655 659 if (!opts) {
c9180a57
EP		 660 /* Defer initialization until selinux_complete_init,
661 after the initial policy is loaded and the security
662 server is ready to handle calls. */
cec5fe70
OM		 663 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
664 sbsec->flags |= SE_SBNATIVE;
665 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
666 }
c9180a57
EP		 667 goto out;
668 }
669 rc = -EINVAL;
c103a91e 670 pr_warn("SELinux: Unable to set superblock options "
744ba35e 671 "before the security server is initialized\n");
1da177e4 672 goto out;
c9180a57 673 }
1da177e4 674
e0007529
EP		 675 /*
676 * Binary mount data FS will come through this function twice. Once
677 * from an explicit call and once from the generic calls from the vfs.
678 * Since the generic VFS calls will not contain any security mount data
679 * we need to skip the double mount verification.
680 *
681 * This does open a hole in which we will not notice if the first
9691e4f9 682 * mount using this sb set explicit options and a second mount using
e0007529
EP		 683 * this sb does not set any security options. (The first options
684 * will be used for both mounts)
685 */
0d90a7ec 686 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 687 && !opts)
f5269710 688 goto out;
e0007529 689
2c97165b
PM		 690 root_isec = backing_inode_security_novalidate(root);
691
c9180a57
EP		 692 /*
693 * parse the mount options, check if they are valid sids.
694 * also check if someone is trying to mount the same sb more
695 * than once with different security options.
696 */
bd323655 697 if (opts) {
70f4169a
OM		 698 if (opts->fscontext_sid) {
699 fscontext_sid = opts->fscontext_sid;
c9180a57
EP		 700 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
701 fscontext_sid))
702 goto out_double_mount;
c9180a57 703 sbsec->flags |= FSCONTEXT_MNT;
bd323655 704 }
70f4169a
OM		 705 if (opts->context_sid) {
706 context_sid = opts->context_sid;
c9180a57
EP		 707 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
708 context_sid))
709 goto out_double_mount;
c9180a57 710 sbsec->flags |= CONTEXT_MNT;
bd323655 711 }
70f4169a
OM		 712 if (opts->rootcontext_sid) {
713 rootcontext_sid = opts->rootcontext_sid;
c9180a57
EP		 714 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
715 rootcontext_sid))
716 goto out_double_mount;
c9180a57 717 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655 718 }
70f4169a
OM		 719 if (opts->defcontext_sid) {
720 defcontext_sid = opts->defcontext_sid;
c9180a57
EP		 721 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
722 defcontext_sid))
723 goto out_double_mount;
c9180a57 724 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 725 }
c9180a57
EP		 726 }
727
0d90a7ec 728 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 729 /* previously mounted with options, but not on this attempt? */
bd323655 730 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 731 goto out_double_mount;
732 rc = 0;
733 goto out;
734 }
735
089be43e 736 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 737 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
738
8e014720 739 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 740 !strcmp(sb->s_type->name, "tracefs") ||
a20456ae 741 !strcmp(sb->s_type->name, "binder") ||
4ca54d3d 742 !strcmp(sb->s_type->name, "bpf") ||
8a764ef1
CG		 743 !strcmp(sb->s_type->name, "pstore") ||
744 !strcmp(sb->s_type->name, "securityfs"))
b754026b
OM		 745 sbsec->flags |= SE_SBGENFS;
746
747 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 748 !strcmp(sb->s_type->name, "cgroup") ||
749 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 750 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 751
eb9ae686
DQ		 752 if (!sbsec->behavior) {
753 /*
754 * Determine the labeling behavior to use for this
755 * filesystem type.
756 */
e67b7985 757 rc = security_fs_use(sb);
eb9ae686 758 if (rc) {
c103a91e 759 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 760 __func__, sb->s_type->name, rc);
761 goto out;
762 }
c9180a57 763 }
aad82892
SF		 764
765 /*
01593d32
SS		 766 * If this is a user namespace mount and the filesystem type is not
767 * explicitly whitelisted, then no contexts are allowed on the command
768 * line and security labels must be ignored.
aad82892 769 */
01593d32
SS		 770 if (sb->s_user_ns != &init_user_ns &&
771 strcmp(sb->s_type->name, "tmpfs") &&
772 strcmp(sb->s_type->name, "ramfs") &&
7fa2e79a
VG		 773 strcmp(sb->s_type->name, "devpts") &&
774 strcmp(sb->s_type->name, "overlay")) {
aad82892
SF		 775 if (context_sid || fscontext_sid || rootcontext_sid ||
776 defcontext_sid) {
777 rc = -EACCES;
778 goto out;
779 }
780 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
781 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
e67b7985 782 rc = security_transition_sid(current_sid(),
aa8e712c 783 current_sid(),
aad82892
SF		 784 SECCLASS_FILE, NULL,
785 &sbsec->mntpoint_sid);
786 if (rc)
787 goto out;
788 }
789 goto out_set_opts;
790 }
791
c9180a57
EP		 792 /* sets the context of the superblock for the fs being mounted. */
793 if (fscontext_sid) {
275bb41e 794 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 795 if (rc)
c9180a57 796 goto out;
1da177e4 797
c9180a57 798 sbsec->sid = fscontext_sid;
c312feb2
EP		 799 }
800
801 /*
802 * Switch to using mount point labeling behavior.
803 * sets the label used on all file below the mountpoint, and will set
804 * the superblock context if not already set.
805 */
cec5fe70
OM		 806 if (sbsec->flags & SE_SBNATIVE) {
807 /*
808 * This means we are initializing a superblock that has been
809 * mounted before the SELinux was initialized and the
810 * filesystem requested native labeling. We had already
811 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
812 * in the original mount attempt, so now we just need to set
813 * the SECURITY_FS_USE_NATIVE behavior.
814 */
815 sbsec->behavior = SECURITY_FS_USE_NATIVE;
816 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
eb9ae686
DQ		 817 sbsec->behavior = SECURITY_FS_USE_NATIVE;
818 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
819 }
820
c9180a57
EP		 821 if (context_sid) {
822 if (!fscontext_sid) {
275bb41e
DH		 823 rc = may_context_mount_sb_relabel(context_sid, sbsec,
824 cred);
b04ea3ce 825 if (rc)
c9180a57
EP		 826 goto out;
827 sbsec->sid = context_sid;
b04ea3ce 828 } else {
275bb41e
DH		 829 rc = may_context_mount_inode_relabel(context_sid, sbsec,
830 cred);
b04ea3ce 831 if (rc)
c9180a57 832 goto out;
b04ea3ce 833 }
c9180a57
EP		 834 if (!rootcontext_sid)
835 rootcontext_sid = context_sid;
1da177e4 836
c9180a57 837 sbsec->mntpoint_sid = context_sid;
c312feb2 838 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 839 }
840
c9180a57 841 if (rootcontext_sid) {
275bb41e
DH		 842 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
843 cred);
0808925e 844 if (rc)
c9180a57 845 goto out;
0808925e 846
c9180a57 847 root_isec->sid = rootcontext_sid;
6f3be9f5 848 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 849 }
850
c9180a57 851 if (defcontext_sid) {
eb9ae686
DQ		 852 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
853 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 854 rc = -EINVAL;
c103a91e 855 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 856 "invalid for this filesystem type\n");
857 goto out;
1da177e4
LT		 858 }
859
c9180a57
EP		 860 if (defcontext_sid != sbsec->def_sid) {
861 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 862 sbsec, cred);
c9180a57
EP		 863 if (rc)
864 goto out;
865 }
1da177e4 866
c9180a57 867 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 868 }
869
aad82892 870out_set_opts:
c9180a57 871 rc = sb_finish_set_opts(sb);
1da177e4 872out:
c9180a57 873 mutex_unlock(&sbsec->lock);
1da177e4 874 return rc;
c9180a57
EP		 875out_double_mount:
876 rc = -EINVAL;
c103a91e 877 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 878 "security settings for (dev %s, type %s)\n", sb->s_id,
879 sb->s_type->name);
c9180a57 880 goto out;
1da177e4
LT		 881}
882
094f7b69
JL		 883static int selinux_cmp_sb_context(const struct super_block *oldsb,
884 const struct super_block *newsb)
885{
1aea7808
CS		 886 struct superblock_security_struct *old = selinux_superblock(oldsb);
887 struct superblock_security_struct *new = selinux_superblock(newsb);
094f7b69
JL		 888 char oldflags = old->flags & SE_MNTMASK;
889 char newflags = new->flags & SE_MNTMASK;
890
891 if (oldflags != newflags)
892 goto mismatch;
893 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
894 goto mismatch;
895 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
896 goto mismatch;
897 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
898 goto mismatch;
899 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 900 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
901 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 902 if (oldroot->sid != newroot->sid)
903 goto mismatch;
904 }
905 return 0;
906mismatch:
c103a91e 907 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 908 "different security settings for (dev %s, "
909 "type %s)\n", newsb->s_id, newsb->s_type->name);
910 return -EBUSY;
911}
912
913static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 914 struct super_block *newsb,
915 unsigned long kern_flags,
916 unsigned long *set_kern_flags)
1da177e4 917{
0b4d3452 918 int rc = 0;
1aea7808
CS		 919 const struct superblock_security_struct *oldsbsec =
920 selinux_superblock(oldsb);
921 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
1da177e4 922
c9180a57
EP		 923 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
924 int set_context = (oldsbsec->flags & CONTEXT_MNT);
925 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 926
0b4d3452
SM		 927 /*
928 * Specifying internal flags without providing a place to
929 * place the results is not allowed.
930 */
931 if (kern_flags && !set_kern_flags)
932 return -EINVAL;
933
cec5fe70
OM		 934 mutex_lock(&newsbsec->lock);
935
936 /*
937 * if the parent was able to be mounted it clearly had no special lsm
938 * mount options. thus we can safely deal with this superblock later
939 */
940 if (!selinux_initialized()) {
941 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
942 newsbsec->flags |= SE_SBNATIVE;
943 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
944 }
945 goto out;
946 }
947
c9180a57 948 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 949 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 950
094f7b69 951 /* if fs is reusing a sb, make sure that the contexts match */
3815a245 952 if (newsbsec->flags & SE_SBINITIALIZED) {
cec5fe70 953 mutex_unlock(&newsbsec->lock);
3815a245
BF		 954 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
955 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 956 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 957 }
5a552617 958
c9180a57
EP		 959 newsbsec->flags = oldsbsec->flags;
960
961 newsbsec->sid = oldsbsec->sid;
962 newsbsec->def_sid = oldsbsec->def_sid;
963 newsbsec->behavior = oldsbsec->behavior;
964
0b4d3452
SM		 965 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
966 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
e67b7985 967 rc = security_fs_use(newsb);
0b4d3452
SM		 968 if (rc)
969 goto out;
970 }
971
972 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
973 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
974 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
975 }
976
c9180a57
EP		 977 if (set_context) {
978 u32 sid = oldsbsec->mntpoint_sid;
979
980 if (!set_fscontext)
981 newsbsec->sid = sid;
982 if (!set_rootcontext) {
83da53c5 983 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 984 newisec->sid = sid;
985 }
986 newsbsec->mntpoint_sid = sid;
1da177e4 987 }
c9180a57 988 if (set_rootcontext) {
83da53c5
AG		 989 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
990 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 991
c9180a57 992 newisec->sid = oldisec->sid;
1da177e4
LT		 993 }
994
c9180a57 995 sb_finish_set_opts(newsb);
0b4d3452 996out:
c9180a57 997 mutex_unlock(&newsbsec->lock);
0b4d3452 998 return rc;
c9180a57
EP		 999}
1000
ef54ccb6 1001/*
3d9047a0 1002 * NOTE: the caller is responsible for freeing the memory even if on error.
ef54ccb6 1003 */
ba641862 1004static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 1005{
ba641862 1006 struct selinux_mnt_opts *opts = *mnt_opts;
70f4169a
OM		 1007 u32 *dst_sid;
1008 int rc;
1da177e4 1009
6cd9d4b9
PM		 1010 if (token == Opt_seclabel)
1011 /* eaten and completely ignored */
169d68ef 1012 return 0;
2e08df3c 1013 if (!s)
ef54ccb6 1014 return -EINVAL;
e0007529 1015
e67b7985 1016 if (!selinux_initialized()) {
70f4169a
OM		 1017 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1018 return -EINVAL;
1019 }
1020
ba641862 1021 if (!opts) {
6cd9d4b9 1022 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
ba641862
AV		 1023 if (!opts)
1024 return -ENOMEM;
1025 *mnt_opts = opts;
c9180a57 1026 }
2e08df3c 1027
ba641862
AV		 1028 switch (token) {
1029 case Opt_context:
70f4169a 1030 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 1031 goto err;
70f4169a 1032 dst_sid = &opts->context_sid;
ba641862
AV		 1033 break;
1034 case Opt_fscontext:
70f4169a 1035 if (opts->fscontext_sid)
6cd9d4b9 1036 goto err;
70f4169a 1037 dst_sid = &opts->fscontext_sid;
ba641862
AV		 1038 break;
1039 case Opt_rootcontext:
70f4169a 1040 if (opts->rootcontext_sid)
6cd9d4b9 1041 goto err;
70f4169a 1042 dst_sid = &opts->rootcontext_sid;
ba641862
AV		 1043 break;
1044 case Opt_defcontext:
70f4169a 1045 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 1046 goto err;
70f4169a 1047 dst_sid = &opts->defcontext_sid;
ba641862 1048 break;
70f4169a
OM		 1049 default:
1050 WARN_ON(1);
1051 return -EINVAL;
c9180a57 1052 }
e67b7985 1053 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
70f4169a
OM		 1054 if (rc)
1055 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1056 s, rc);
1057 return rc;
e2e0e097 1058
6cd9d4b9 1059err:
ba641862 1060 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1061 return -EINVAL;
e0007529 1062}
1da177e4 1063
e3489f89 1064static int show_sid(struct seq_file *m, u32 sid)
2069f457 1065{
e3489f89
AV		 1066 char *context = NULL;
1067 u32 len;
1068 int rc;
11689d47 1069
e67b7985 1070 rc = security_sid_to_context(sid, &context, &len);
e3489f89 1071 if (!rc) {
4d3d0ed6 1072 bool has_comma = strchr(context, ',');
2069f457 1073
442155c1 1074 seq_putc(m, '=');
2069f457
EP		 1075 if (has_comma)
1076 seq_putc(m, '\"');
e3489f89 1077 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1078 if (has_comma)
1079 seq_putc(m, '\"');
1080 }
e3489f89
AV		 1081 kfree(context);
1082 return rc;
2069f457
EP		 1083}
1084
1085static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1086{
1aea7808 1087 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2069f457
EP		 1088 int rc;
1089
e3489f89
AV		 1090 if (!(sbsec->flags & SE_SBINITIALIZED))
1091 return 0;
2069f457 1092
e67b7985 1093 if (!selinux_initialized())
e3489f89 1094 return 0;
2069f457 1095
e3489f89
AV		 1096 if (sbsec->flags & FSCONTEXT_MNT) {
1097 seq_putc(m, ',');
1098 seq_puts(m, FSCONTEXT_STR);
1099 rc = show_sid(m, sbsec->sid);
1100 if (rc)
1101 return rc;
1102 }
1103 if (sbsec->flags & CONTEXT_MNT) {
1104 seq_putc(m, ',');
1105 seq_puts(m, CONTEXT_STR);
1106 rc = show_sid(m, sbsec->mntpoint_sid);
1107 if (rc)
1108 return rc;
1109 }
1110 if (sbsec->flags & DEFCONTEXT_MNT) {
1111 seq_putc(m, ',');
1112 seq_puts(m, DEFCONTEXT_STR);
1113 rc = show_sid(m, sbsec->def_sid);
1114 if (rc)
1115 return rc;
1116 }
1117 if (sbsec->flags & ROOTCONTEXT_MNT) {
b159e86b 1118 struct dentry *root = sb->s_root;
e3489f89
AV		 1119 struct inode_security_struct *isec = backing_inode_security(root);
1120 seq_putc(m, ',');
1121 seq_puts(m, ROOTCONTEXT_STR);
1122 rc = show_sid(m, isec->sid);
1123 if (rc)
1124 return rc;
1125 }
1126 if (sbsec->flags & SBLABEL_MNT) {
1127 seq_putc(m, ',');
442155c1 1128 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1129 }
1130 return 0;
2069f457
EP		 1131}
1132
1da177e4
LT		 1133static inline u16 inode_mode_to_security_class(umode_t mode)
1134{
1135 switch (mode & S_IFMT) {
1136 case S_IFSOCK:
1137 return SECCLASS_SOCK_FILE;
1138 case S_IFLNK:
1139 return SECCLASS_LNK_FILE;
1140 case S_IFREG:
1141 return SECCLASS_FILE;
1142 case S_IFBLK:
1143 return SECCLASS_BLK_FILE;
1144 case S_IFDIR:
1145 return SECCLASS_DIR;
1146 case S_IFCHR:
1147 return SECCLASS_CHR_FILE;
1148 case S_IFIFO:
1149 return SECCLASS_FIFO_FILE;
1150
1151 }
1152
1153 return SECCLASS_FILE;
1154}
1155
13402580
JM		 1156static inline int default_protocol_stream(int protocol)
1157{
95ca9072
PA		 1158 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1159 protocol == IPPROTO_MPTCP);
13402580
JM		 1160}
1161
1162static inline int default_protocol_dgram(int protocol)
1163{
1164 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1165}
1166
1da177e4
LT		 1167static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1168{
a13479bb 1169 bool extsockclass = selinux_policycap_extsockclass();
da69a530 1170
1da177e4
LT		 1171 switch (family) {
1172 case PF_UNIX:
1173 switch (type) {
1174 case SOCK_STREAM:
1175 case SOCK_SEQPACKET:
1176 return SECCLASS_UNIX_STREAM_SOCKET;
1177 case SOCK_DGRAM:
2a764b52 1178 case SOCK_RAW:
1da177e4
LT		 1179 return SECCLASS_UNIX_DGRAM_SOCKET;
1180 }
1181 break;
1182 case PF_INET:
1183 case PF_INET6:
1184 switch (type) {
1185 case SOCK_STREAM:
da69a530 1186 case SOCK_SEQPACKET:
13402580
JM		 1187 if (default_protocol_stream(protocol))
1188 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1189 else if (extsockclass && protocol == IPPROTO_SCTP)
1190 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1191 else
1192 return SECCLASS_RAWIP_SOCKET;
1da177e4 1193 case SOCK_DGRAM:
13402580
JM		 1194 if (default_protocol_dgram(protocol))
1195 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1196 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1197 protocol == IPPROTO_ICMPV6))
da69a530 1198 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1199 else
1200 return SECCLASS_RAWIP_SOCKET;
1201 default:
1da177e4
LT		 1202 return SECCLASS_RAWIP_SOCKET;
1203 }
1204 break;
1205 case PF_NETLINK:
1206 switch (protocol) {
1207 case NETLINK_ROUTE:
1208 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1209 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1210 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1211 case NETLINK_NFLOG:
1212 return SECCLASS_NETLINK_NFLOG_SOCKET;
1213 case NETLINK_XFRM:
1214 return SECCLASS_NETLINK_XFRM_SOCKET;
1215 case NETLINK_SELINUX:
1216 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1217 case NETLINK_ISCSI:
1218 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1219 case NETLINK_AUDIT:
1220 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1221 case NETLINK_FIB_LOOKUP:
1222 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1223 case NETLINK_CONNECTOR:
1224 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1225 case NETLINK_NETFILTER:
1226 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1227 case NETLINK_DNRTMSG:
1228 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1229 case NETLINK_KOBJECT_UEVENT:
1230 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1231 case NETLINK_GENERIC:
1232 return SECCLASS_NETLINK_GENERIC_SOCKET;
1233 case NETLINK_SCSITRANSPORT:
1234 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1235 case NETLINK_RDMA:
1236 return SECCLASS_NETLINK_RDMA_SOCKET;
1237 case NETLINK_CRYPTO:
1238 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1239 default:
1240 return SECCLASS_NETLINK_SOCKET;
1241 }
1242 case PF_PACKET:
1243 return SECCLASS_PACKET_SOCKET;
1244 case PF_KEY:
1245 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1246 case PF_APPLETALK:
1247 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1248 }
1249
da69a530
SS		 1250 if (extsockclass) {
1251 switch (family) {
1252 case PF_AX25:
1253 return SECCLASS_AX25_SOCKET;
1254 case PF_IPX:
1255 return SECCLASS_IPX_SOCKET;
1256 case PF_NETROM:
1257 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1258 case PF_ATMPVC:
1259 return SECCLASS_ATMPVC_SOCKET;
1260 case PF_X25:
1261 return SECCLASS_X25_SOCKET;
1262 case PF_ROSE:
1263 return SECCLASS_ROSE_SOCKET;
1264 case PF_DECnet:
1265 return SECCLASS_DECNET_SOCKET;
1266 case PF_ATMSVC:
1267 return SECCLASS_ATMSVC_SOCKET;
1268 case PF_RDS:
1269 return SECCLASS_RDS_SOCKET;
1270 case PF_IRDA:
1271 return SECCLASS_IRDA_SOCKET;
1272 case PF_PPPOX:
1273 return SECCLASS_PPPOX_SOCKET;
1274 case PF_LLC:
1275 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1276 case PF_CAN:
1277 return SECCLASS_CAN_SOCKET;
1278 case PF_TIPC:
1279 return SECCLASS_TIPC_SOCKET;
1280 case PF_BLUETOOTH:
1281 return SECCLASS_BLUETOOTH_SOCKET;
1282 case PF_IUCV:
1283 return SECCLASS_IUCV_SOCKET;
1284 case PF_RXRPC:
1285 return SECCLASS_RXRPC_SOCKET;
1286 case PF_ISDN:
1287 return SECCLASS_ISDN_SOCKET;
1288 case PF_PHONET:
1289 return SECCLASS_PHONET_SOCKET;
1290 case PF_IEEE802154:
1291 return SECCLASS_IEEE802154_SOCKET;
1292 case PF_CAIF:
1293 return SECCLASS_CAIF_SOCKET;
1294 case PF_ALG:
1295 return SECCLASS_ALG_SOCKET;
1296 case PF_NFC:
1297 return SECCLASS_NFC_SOCKET;
1298 case PF_VSOCK:
1299 return SECCLASS_VSOCK_SOCKET;
1300 case PF_KCM:
1301 return SECCLASS_KCM_SOCKET;
1302 case PF_QIPCRTR:
1303 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1304 case PF_SMC:
1305 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1306 case PF_XDP:
1307 return SECCLASS_XDP_SOCKET;
bc49d816
JK		 1308 case PF_MCTP:
1309 return SECCLASS_MCTP_SOCKET;
1310#if PF_MAX > 46
da69a530
SS		 1311#error New address family defined, please update this function.
1312#endif
1313 }
1314 }
1315
1da177e4
LT		 1316 return SECCLASS_SOCKET;
1317}
1318
134509d5
SS		 1319static int selinux_genfs_get_sid(struct dentry *dentry,
1320 u16 tclass,
1321 u16 flags,
1322 u32 *sid)
1da177e4 1323{
8e6c9693 1324 int rc;
fc64005c 1325 struct super_block *sb = dentry->d_sb;
8e6c9693 1326 char *buffer, *path;
1da177e4 1327
828dfe1d 1328 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1329 if (!buffer)
1330 return -ENOMEM;
1331
8e6c9693
LAG		 1332 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1333 if (IS_ERR(path))
1334 rc = PTR_ERR(path);
1335 else {
134509d5
SS		 1336 if (flags & SE_SBPROC) {
1337 /* each process gets a /proc/PID/ entry. Strip off the
1338 * PID part to get a valid selinux labeling.
1339 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1340 while (path[1] >= '0' && path[1] <= '9') {
1341 path[1] = '/';
1342 path++;
1343 }
8e6c9693 1344 }
e67b7985 1345 rc = security_genfs_sid(sb->s_type->name,
aa8e712c 1346 path, tclass, sid);
7bb185ed
SS		 1347 if (rc == -ENOENT) {
1348 /* No match in policy, mark as unlabeled. */
1349 *sid = SECINITSID_UNLABELED;
1350 rc = 0;
1351 }
1da177e4 1352 }
1da177e4
LT		 1353 free_page((unsigned long)buffer);
1354 return rc;
1355}
1da177e4 1356
b754026b
OM		 1357static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1358 u32 def_sid, u32 *sid)
1359{
1360#define INITCONTEXTLEN 255
1361 char *context;
1362 unsigned int len;
1363 int rc;
1364
1365 len = INITCONTEXTLEN;
1366 context = kmalloc(len + 1, GFP_NOFS);
1367 if (!context)
1368 return -ENOMEM;
1369
1370 context[len] = '\0';
1371 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1372 if (rc == -ERANGE) {
1373 kfree(context);
1374
1375 /* Need a larger buffer. Query for the right size. */
1376 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1377 if (rc < 0)
1378 return rc;
1379
1380 len = rc;
1381 context = kmalloc(len + 1, GFP_NOFS);
1382 if (!context)
1383 return -ENOMEM;
1384
1385 context[len] = '\0';
1386 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1387 context, len);
1388 }
1389 if (rc < 0) {
1390 kfree(context);
1391 if (rc != -ENODATA) {
1392 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1393 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1394 return rc;
1395 }
1396 *sid = def_sid;
1397 return 0;
1398 }
1399
e67b7985 1400 rc = security_context_to_sid_default(context, rc, sid,
b754026b
OM		 1401 def_sid, GFP_NOFS);
1402 if (rc) {
1403 char *dev = inode->i_sb->s_id;
1404 unsigned long ino = inode->i_ino;
1405
1406 if (rc == -EINVAL) {
1407 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1408 ino, dev, context);
1409 } else {
1410 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1411 __func__, context, -rc, dev, ino);
1412 }
1413 }
1414 kfree(context);
1415 return 0;
1416}
1417
1da177e4
LT		 1418/* The inode's security attributes must be initialized before first use. */
1419static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1420{
1421 struct superblock_security_struct *sbsec = NULL;
80788c22 1422 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1423 u32 task_sid, sid = 0;
1424 u16 sclass;
1da177e4 1425 struct dentry *dentry;
1da177e4 1426 int rc = 0;
1da177e4 1427
6f3be9f5 1428 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1429 return 0;
1da177e4 1430
9287aed2 1431 spin_lock(&isec->lock);
6f3be9f5 1432 if (isec->initialized == LABEL_INITIALIZED)
23970741 1433 goto out_unlock;
1da177e4 1434
13457d07
AG		 1435 if (isec->sclass == SECCLASS_FILE)
1436 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1437
1aea7808 1438 sbsec = selinux_superblock(inode->i_sb);
0d90a7ec 1439 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1440 /* Defer initialization until selinux_complete_init,
1441 after the initial policy is loaded and the security
1442 server is ready to handle calls. */
1443 spin_lock(&sbsec->isec_lock);
1444 if (list_empty(&isec->list))
1445 list_add(&isec->list, &sbsec->isec_head);
1446 spin_unlock(&sbsec->isec_lock);
23970741 1447 goto out_unlock;
1da177e4
LT		 1448 }
1449
9287aed2
AG		 1450 sclass = isec->sclass;
1451 task_sid = isec->task_sid;
1452 sid = isec->sid;
1453 isec->initialized = LABEL_PENDING;
1454 spin_unlock(&isec->lock);
1455
1da177e4 1456 switch (sbsec->behavior) {
cec5fe70
OM		 1457 /*
1458 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1459 * via xattr when called from delayed_superblock_init().
1460 */
eb9ae686 1461 case SECURITY_FS_USE_NATIVE:
1da177e4 1462 case SECURITY_FS_USE_XATTR:
5d6c3191 1463 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1464 sid = sbsec->def_sid;
1da177e4
LT		 1465 break;
1466 }
1da177e4
LT		 1467 /* Need a dentry, since the xattr API requires one.
1468 Life would be simpler if we could just pass the inode. */
1469 if (opt_dentry) {
1470 /* Called from d_instantiate or d_splice_alias. */
1471 dentry = dget(opt_dentry);
1472 } else {
b127125d
AV		 1473 /*
1474 * Called from selinux_complete_init, try to find a dentry.
1475 * Some filesystems really want a connected one, so try
1476 * that first. We could split SECURITY_FS_USE_XATTR in
1477 * two, depending upon that...
1478 */
1da177e4 1479 dentry = d_find_alias(inode);
b127125d
AV		 1480 if (!dentry)
1481 dentry = d_find_any_alias(inode);
1da177e4
LT		 1482 }
1483 if (!dentry) {
df7f54c0
EP		 1484 /*
1485 * this is can be hit on boot when a file is accessed
1486 * before the policy is loaded. When we load policy we
1487 * may find inodes that have no dentry on the
1488 * sbsec->isec_head list. No reason to complain as these
1489 * will get fixed up the next time we go through
1490 * inode_doinit with a dentry, before these inodes could
1491 * be used again by userspace.
1492 */
200ea5a2 1493 goto out_invalid;
1da177e4
LT		 1494 }
1495
b754026b
OM		 1496 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1497 &sid);
1da177e4 1498 dput(dentry);
b754026b
OM		 1499 if (rc)
1500 goto out;
1da177e4
LT		 1501 break;
1502 case SECURITY_FS_USE_TASK:
9287aed2 1503 sid = task_sid;
1da177e4
LT		 1504 break;
1505 case SECURITY_FS_USE_TRANS:
1506 /* Default to the fs SID. */
9287aed2 1507 sid = sbsec->sid;
1da177e4
LT		 1508
1509 /* Try to obtain a transition SID. */
e67b7985 1510 rc = security_transition_sid(task_sid, sid,
aa8e712c 1511 sclass, NULL, &sid);
1da177e4 1512 if (rc)
9287aed2 1513 goto out;
1da177e4 1514 break;
c312feb2 1515 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1516 sid = sbsec->mntpoint_sid;
c312feb2 1517 break;
1da177e4 1518 default:
c312feb2 1519 /* Default to the fs superblock SID. */
9287aed2 1520 sid = sbsec->sid;
1da177e4 1521
7470d0d1
CG		 1522 if ((sbsec->flags & SE_SBGENFS) &&
1523 (!S_ISLNK(inode->i_mode) ||
1524 selinux_policycap_genfs_seclabel_symlinks())) {
f64410ec
PM		 1525 /* We must have a dentry to determine the label on
1526 * procfs inodes */
b127125d 1527 if (opt_dentry) {
f64410ec
PM		 1528 /* Called from d_instantiate or
1529 * d_splice_alias. */
1530 dentry = dget(opt_dentry);
b127125d 1531 } else {
f64410ec 1532 /* Called from selinux_complete_init, try to
b127125d
AV		 1533 * find a dentry. Some filesystems really want
1534 * a connected one, so try that first.
1535 */
f64410ec 1536 dentry = d_find_alias(inode);
b127125d
AV		 1537 if (!dentry)
1538 dentry = d_find_any_alias(inode);
1539 }
f64410ec
PM		 1540 /*
1541 * This can be hit on boot when a file is accessed
1542 * before the policy is loaded. When we load policy we
1543 * may find inodes that have no dentry on the
1544 * sbsec->isec_head list. No reason to complain as
1545 * these will get fixed up the next time we go through
1546 * inode_doinit() with a dentry, before these inodes
1547 * could be used again by userspace.
1548 */
1549 if (!dentry)
200ea5a2 1550 goto out_invalid;
9287aed2 1551 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1552 sbsec->flags, &sid);
b754026b
OM		 1553 if (rc) {
1554 dput(dentry);
9287aed2 1555 goto out;
b754026b
OM		 1556 }
1557
1558 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1559 (inode->i_opflags & IOP_XATTR)) {
1560 rc = inode_doinit_use_xattr(inode, dentry,
1561 sid, &sid);
1562 if (rc) {
1563 dput(dentry);
1564 goto out;
1565 }
1566 }
1567 dput(dentry);
1da177e4
LT		 1568 }
1569 break;
1570 }
1571
9287aed2
AG		 1572out:
1573 spin_lock(&isec->lock);
1574 if (isec->initialized == LABEL_PENDING) {
200ea5a2 1575 if (rc) {
9287aed2
AG		 1576 isec->initialized = LABEL_INVALID;
1577 goto out_unlock;
1578 }
9287aed2
AG		 1579 isec->initialized = LABEL_INITIALIZED;
1580 isec->sid = sid;
1581 }
1da177e4 1582
23970741 1583out_unlock:
9287aed2 1584 spin_unlock(&isec->lock);
1da177e4 1585 return rc;
200ea5a2
PM		 1586
1587out_invalid:
1588 spin_lock(&isec->lock);
1589 if (isec->initialized == LABEL_PENDING) {
1590 isec->initialized = LABEL_INVALID;
1591 isec->sid = sid;
1592 }
1593 spin_unlock(&isec->lock);
1594 return 0;
1da177e4
LT		 1595}
1596
1597/* Convert a Linux signal to an access vector. */
1598static inline u32 signal_to_av(int sig)
1599{
1600 u32 perm = 0;
1601
1602 switch (sig) {
1603 case SIGCHLD:
1604 /* Commonly granted from child to parent. */
1605 perm = PROCESS__SIGCHLD;
1606 break;
1607 case SIGKILL:
1608 /* Cannot be caught or ignored */
1609 perm = PROCESS__SIGKILL;
1610 break;
1611 case SIGSTOP:
1612 /* Cannot be caught or ignored */
1613 perm = PROCESS__SIGSTOP;
1614 break;
1615 default:
1616 /* All other signals. */
1617 perm = PROCESS__SIGNAL;
1618 break;
1619 }
1620
1621 return perm;
1622}
1623
b68e418c
SS		 1624#if CAP_LAST_CAP > 63
1625#error Fix SELinux to handle capabilities > 63.
1626#endif
1627
1da177e4 1628/* Check whether a task is allowed to use a capability. */
6a9de491 1629static int cred_has_capability(const struct cred *cred,
c1a85a00 1630 int cap, unsigned int opts, bool initns)
1da177e4 1631{
2bf49690 1632 struct common_audit_data ad;
06112163 1633 struct av_decision avd;
b68e418c 1634 u16 sclass;
3699c53c 1635 u32 sid = cred_sid(cred);
b68e418c 1636 u32 av = CAP_TO_MASK(cap);
06112163 1637 int rc;
1da177e4 1638
50c205f5 1639 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1640 ad.u.cap = cap;
1641
b68e418c
SS		 1642 switch (CAP_TO_INDEX(cap)) {
1643 case 0:
8e4ff6f2 1644 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1645 break;
1646 case 1:
8e4ff6f2 1647 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1648 break;
1649 default:
c103a91e 1650 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1651 BUG();
a35c6c83 1652 return -EINVAL;
b68e418c 1653 }
06112163 1654
e67b7985 1655 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
c1a85a00 1656 if (!(opts & CAP_OPT_NOAUDIT)) {
e67b7985 1657 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1658 if (rc2)
1659 return rc2;
1660 }
06112163 1661 return rc;
1da177e4
LT		 1662}
1663
1da177e4
LT		 1664/* Check whether a task has a particular permission to an inode.
1665 The 'adp' parameter is optional and allows other audit
1666 data to be passed (e.g. the dentry). */
88e67f3b 1667static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1668 struct inode *inode,
1669 u32 perms,
19e49834 1670 struct common_audit_data *adp)
1da177e4 1671{
1da177e4 1672 struct inode_security_struct *isec;
275bb41e 1673 u32 sid;
1da177e4 1674
828dfe1d 1675 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1676 return 0;
1677
88e67f3b 1678 sid = cred_sid(cred);
80788c22 1679 isec = selinux_inode(inode);
1da177e4 1680
e67b7985 1681 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1682}
1683
1684/* Same as inode_has_perm, but pass explicit audit data containing
1685 the dentry to help the auditing code to more easily generate the
1686 pathname if needed. */
88e67f3b 1687static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1688 struct dentry *dentry,
1689 u32 av)
1690{
2bf49690 1691 struct common_audit_data ad;
5d7ddc59
PM		 1692 struct inode *inode = d_backing_inode(dentry);
1693 struct inode_security_struct *isec = selinux_inode(inode);
88e67f3b 1694
50c205f5 1695 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1696 ad.u.dentry = dentry;
5d7ddc59
PM		 1697 /* check below is racy, but revalidate will recheck with lock held */
1698 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1699 __inode_security_revalidate(inode, dentry, true);
19e49834 1700 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1701}
1702
1703/* Same as inode_has_perm, but pass explicit audit data containing
1704 the path to help the auditing code to more easily generate the
1705 pathname if needed. */
1706static inline int path_has_perm(const struct cred *cred,
3f7036a0 1707 const struct path *path,
2875fa00
EP		 1708 u32 av)
1709{
2875fa00 1710 struct common_audit_data ad;
5d7ddc59
PM		 1711 struct inode *inode = d_backing_inode(path->dentry);
1712 struct inode_security_struct *isec = selinux_inode(inode);
2875fa00 1713
50c205f5 1714 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1715 ad.u.path = *path;
5d7ddc59
PM		 1716 /* check below is racy, but revalidate will recheck with lock held */
1717 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1718 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1719 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1720}
1721
13f8e981
DH		 1722/* Same as path_has_perm, but uses the inode from the file struct. */
1723static inline int file_path_has_perm(const struct cred *cred,
1724 struct file *file,
1725 u32 av)
1726{
1727 struct common_audit_data ad;
1728
43af5de7
VG		 1729 ad.type = LSM_AUDIT_DATA_FILE;
1730 ad.u.file = file;
19e49834 1731 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1732}
1733
f66e448c 1734#ifdef CONFIG_BPF_SYSCALL
8e4672d6 1735static int bpf_fd_pass(const struct file *file, u32 sid);
f66e448c
CF		 1736#endif
1737
1da177e4
LT		 1738/* Check whether a task can use an open file descriptor to
1739 access an inode in a given way. Check access to the
1740 descriptor itself, and then use dentry_has_perm to
1741 check a particular permission to the file.
1742 Access to the descriptor is implicitly granted if it
1743 has the same SID as the process. If av is zero, then
1744 access to the file is not checked, e.g. for cases
1745 where only the descriptor is affected like seek. */
88e67f3b
DH		 1746static int file_has_perm(const struct cred *cred,
1747 struct file *file,
1748 u32 av)
1da177e4 1749{
bb6c6b02 1750 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1751 struct inode *inode = file_inode(file);
2bf49690 1752 struct common_audit_data ad;
88e67f3b 1753 u32 sid = cred_sid(cred);
1da177e4
LT		 1754 int rc;
1755
43af5de7
VG		 1756 ad.type = LSM_AUDIT_DATA_FILE;
1757 ad.u.file = file;
1da177e4 1758
275bb41e 1759 if (sid != fsec->sid) {
e67b7985 1760 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1761 SECCLASS_FD,
1762 FD__USE,
1763 &ad);
1764 if (rc)
88e67f3b 1765 goto out;
1da177e4
LT		 1766 }
1767
f66e448c
CF		 1768#ifdef CONFIG_BPF_SYSCALL
1769 rc = bpf_fd_pass(file, cred_sid(cred));
1770 if (rc)
1771 return rc;
1772#endif
1773
1da177e4 1774 /* av is zero if only checking access to the descriptor. */
88e67f3b 1775 rc = 0;
1da177e4 1776 if (av)
19e49834 1777 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1778
88e67f3b
DH		 1779out:
1780 return rc;
1da177e4
LT		 1781}
1782
c3c188b2
DH		 1783/*
1784 * Determine the label for an inode that might be unioned.
1785 */
c957f6df
VG		 1786static int
1787selinux_determine_inode_label(const struct task_security_struct *tsec,
1788 struct inode *dir,
1789 const struct qstr *name, u16 tclass,
1790 u32 *_new_isid)
c3c188b2 1791{
1aea7808
CS		 1792 const struct superblock_security_struct *sbsec =
1793 selinux_superblock(dir->i_sb);
c3c188b2
DH		 1794
1795 if ((sbsec->flags & SE_SBINITIALIZED) &&
1796 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1797 *_new_isid = sbsec->mntpoint_sid;
1798 } else if ((sbsec->flags & SBLABEL_MNT) &&
1799 tsec->create_sid) {
1800 *_new_isid = tsec->create_sid;
1801 } else {
20cdef8d 1802 const struct inode_security_struct *dsec = inode_security(dir);
e67b7985 1803 return security_transition_sid(tsec->sid,
aa8e712c 1804 dsec->sid, tclass,
c3c188b2
DH		 1805 name, _new_isid);
1806 }
1807
1808 return 0;
1809}
1810
1da177e4
LT		 1811/* Check whether a task can create a file. */
1812static int may_create(struct inode *dir,
1813 struct dentry *dentry,
1814 u16 tclass)
1815{
0c6cfa62 1816 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1817 struct inode_security_struct *dsec;
1818 struct superblock_security_struct *sbsec;
275bb41e 1819 u32 sid, newsid;
2bf49690 1820 struct common_audit_data ad;
1da177e4
LT		 1821 int rc;
1822
83da53c5 1823 dsec = inode_security(dir);
1aea7808 1824 sbsec = selinux_superblock(dir->i_sb);
1da177e4 1825
275bb41e 1826 sid = tsec->sid;
275bb41e 1827
50c205f5 1828 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1829 ad.u.dentry = dentry;
1da177e4 1830
e67b7985 1831 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1832 DIR__ADD_NAME | DIR__SEARCH,
1833 &ad);
1834 if (rc)
1835 return rc;
1836
210a2928
YG		 1837 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1838 &newsid);
c3c188b2
DH		 1839 if (rc)
1840 return rc;
1da177e4 1841
e67b7985 1842 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1843 if (rc)
1844 return rc;
1845
e67b7985 1846 return avc_has_perm(newsid, sbsec->sid,
1da177e4
LT		 1847 SECCLASS_FILESYSTEM,
1848 FILESYSTEM__ASSOCIATE, &ad);
1849}
1850
828dfe1d
EP		 1851#define MAY_LINK 0
1852#define MAY_UNLINK 1
1853#define MAY_RMDIR 2
1da177e4
LT		 1854
1855/* Check whether a task can link, unlink, or rmdir a file/directory. */
1856static int may_link(struct inode *dir,
1857 struct dentry *dentry,
1858 int kind)
1859
1860{
1da177e4 1861 struct inode_security_struct *dsec, *isec;
2bf49690 1862 struct common_audit_data ad;
275bb41e 1863 u32 sid = current_sid();
1da177e4
LT		 1864 u32 av;
1865 int rc;
1866
83da53c5
AG		 1867 dsec = inode_security(dir);
1868 isec = backing_inode_security(dentry);
1da177e4 1869
50c205f5 1870 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1871 ad.u.dentry = dentry;
1da177e4
LT		 1872
1873 av = DIR__SEARCH;
1874 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
e67b7985 1875 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1876 if (rc)
1877 return rc;
1878
1879 switch (kind) {
1880 case MAY_LINK:
1881 av = FILE__LINK;
1882 break;
1883 case MAY_UNLINK:
1884 av = FILE__UNLINK;
1885 break;
1886 case MAY_RMDIR:
1887 av = DIR__RMDIR;
1888 break;
1889 default:
c103a91e 1890 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1891 __func__, kind);
1da177e4
LT		 1892 return 0;
1893 }
1894
e67b7985 1895 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1896 return rc;
1897}
1898
1899static inline int may_rename(struct inode *old_dir,
1900 struct dentry *old_dentry,
1901 struct inode *new_dir,
1902 struct dentry *new_dentry)
1903{
1da177e4 1904 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1905 struct common_audit_data ad;
275bb41e 1906 u32 sid = current_sid();
1da177e4
LT		 1907 u32 av;
1908 int old_is_dir, new_is_dir;
1909 int rc;
1910
83da53c5
AG		 1911 old_dsec = inode_security(old_dir);
1912 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1913 old_is_dir = d_is_dir(old_dentry);
83da53c5 1914 new_dsec = inode_security(new_dir);
1da177e4 1915
50c205f5 1916 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1917
a269434d 1918 ad.u.dentry = old_dentry;
e67b7985 1919 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1920 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1921 if (rc)
1922 return rc;
e67b7985 1923 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1924 old_isec->sclass, FILE__RENAME, &ad);
1925 if (rc)
1926 return rc;
1927 if (old_is_dir && new_dir != old_dir) {
e67b7985 1928 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1929 old_isec->sclass, DIR__REPARENT, &ad);
1930 if (rc)
1931 return rc;
1932 }
1933
a269434d 1934 ad.u.dentry = new_dentry;
1da177e4 1935 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1936 if (d_is_positive(new_dentry))
1da177e4 1937 av |= DIR__REMOVE_NAME;
e67b7985 1938 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1939 if (rc)
1940 return rc;
2c616d4d 1941 if (d_is_positive(new_dentry)) {
83da53c5 1942 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1943 new_is_dir = d_is_dir(new_dentry);
e67b7985 1944 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1945 new_isec->sclass,
1946 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1947 if (rc)
1948 return rc;
1949 }
1950
1951 return 0;
1952}
1953
1954/* Check whether a task can perform a filesystem operation. */
88e67f3b 1955static int superblock_has_perm(const struct cred *cred,
25cc71d1 1956 const struct super_block *sb,
1da177e4 1957 u32 perms,
2bf49690 1958 struct common_audit_data *ad)
1da177e4 1959{
1da177e4 1960 struct superblock_security_struct *sbsec;
88e67f3b 1961 u32 sid = cred_sid(cred);
1da177e4 1962
1aea7808 1963 sbsec = selinux_superblock(sb);
e67b7985 1964 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1965}
1966
1967/* Convert a Linux mode and permission mask to an access vector. */
1968static inline u32 file_mask_to_av(int mode, int mask)
1969{
1970 u32 av = 0;
1971
dba19c60 1972 if (!S_ISDIR(mode)) {
1da177e4
LT		 1973 if (mask & MAY_EXEC)
1974 av |= FILE__EXECUTE;
1975 if (mask & MAY_READ)
1976 av |= FILE__READ;
1977
1978 if (mask & MAY_APPEND)
1979 av |= FILE__APPEND;
1980 else if (mask & MAY_WRITE)
1981 av |= FILE__WRITE;
1982
1983 } else {
1984 if (mask & MAY_EXEC)
1985 av |= DIR__SEARCH;
1986 if (mask & MAY_WRITE)
1987 av |= DIR__WRITE;
1988 if (mask & MAY_READ)
1989 av |= DIR__READ;
1990 }
1991
1992 return av;
1993}
1994
8b6a5a37 1995/* Convert a Linux file to an access vector. */
8e4672d6 1996static inline u32 file_to_av(const struct file *file)
8b6a5a37
EP		 1997{
1998 u32 av = 0;
1999
2000 if (file->f_mode & FMODE_READ)
2001 av |= FILE__READ;
2002 if (file->f_mode & FMODE_WRITE) {
2003 if (file->f_flags & O_APPEND)
2004 av |= FILE__APPEND;
2005 else
2006 av |= FILE__WRITE;
2007 }
2008 if (!av) {
2009 /*
2010 * Special file opened with flags 3 for ioctl-only use.
2011 */
2012 av = FILE__IOCTL;
2013 }
2014
2015 return av;
2016}
2017
b0c636b9 2018/*
c76a2f9e 2019 * Convert a file to an access vector and include the correct
b0c636b9
EP		 2020 * open permission.
2021 */
8b6a5a37 2022static inline u32 open_file_to_av(struct file *file)
b0c636b9 2023{
8b6a5a37 2024 u32 av = file_to_av(file);
ccb54478 2025 struct inode *inode = file_inode(file);
b0c636b9 2026
aa8e712c
SS		 2027 if (selinux_policycap_openperm() &&
2028 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2029 av |= FILE__OPEN;
2030
b0c636b9
EP		 2031 return av;
2032}
2033
1da177e4
LT		 2034/* Hook functions begin here. */
2035
52f88693 2036static int selinux_binder_set_context_mgr(const struct cred *mgr)
79af7307 2037{
e67b7985 2038 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
79af7307
SS		 2039 BINDER__SET_CONTEXT_MGR, NULL);
2040}
2041
52f88693
TK		 2042static int selinux_binder_transaction(const struct cred *from,
2043 const struct cred *to)
79af7307
SS		 2044{
2045 u32 mysid = current_sid();
52f88693
TK		 2046 u32 fromsid = cred_sid(from);
2047 u32 tosid = cred_sid(to);
79af7307
SS		 2048 int rc;
2049
2050 if (mysid != fromsid) {
e67b7985 2051 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2052 BINDER__IMPERSONATE, NULL);
2053 if (rc)
2054 return rc;
2055 }
2056
e67b7985 2057 return avc_has_perm(fromsid, tosid,
eb1231f7 2058 SECCLASS_BINDER, BINDER__CALL, NULL);
79af7307
SS		 2059}
2060
52f88693
TK		 2061static int selinux_binder_transfer_binder(const struct cred *from,
2062 const struct cred *to)
79af7307 2063{
e67b7985 2064 return avc_has_perm(cred_sid(from), cred_sid(to),
eb1231f7 2065 SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2066 NULL);
2067}
2068
52f88693
TK		 2069static int selinux_binder_transfer_file(const struct cred *from,
2070 const struct cred *to,
8e4672d6 2071 const struct file *file)
79af7307 2072{
52f88693 2073 u32 sid = cred_sid(to);
bb6c6b02 2074 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2075 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2076 struct inode_security_struct *isec;
79af7307
SS		 2077 struct common_audit_data ad;
2078 int rc;
2079
2080 ad.type = LSM_AUDIT_DATA_PATH;
2081 ad.u.path = file->f_path;
2082
2083 if (sid != fsec->sid) {
e67b7985 2084 rc = avc_has_perm(sid, fsec->sid,
79af7307
SS		 2085 SECCLASS_FD,
2086 FD__USE,
2087 &ad);
2088 if (rc)
2089 return rc;
2090 }
2091
f66e448c
CF		 2092#ifdef CONFIG_BPF_SYSCALL
2093 rc = bpf_fd_pass(file, sid);
2094 if (rc)
2095 return rc;
2096#endif
2097
83da53c5 2098 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2099 return 0;
2100
20cdef8d 2101 isec = backing_inode_security(dentry);
e67b7985 2102 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2103 &ad);
2104}
2105
9e48858f 2106static int selinux_ptrace_access_check(struct task_struct *child,
eb1231f7 2107 unsigned int mode)
1da177e4 2108{
be0554c9 2109 u32 sid = current_sid();
eb1231f7 2110 u32 csid = task_sid_obj(child);
be0554c9
SS		 2111
2112 if (mode & PTRACE_MODE_READ)
e67b7985
SS		 2113 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2114 NULL);
006ebb40 2115
e67b7985
SS		 2116 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2117 NULL);
5cd9c58f
DH		 2118}
2119
2120static int selinux_ptrace_traceme(struct task_struct *parent)
2121{
e67b7985 2122 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
eb1231f7 2123 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
1da177e4
LT		 2124}
2125
6672efbb 2126static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2127 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2128{
e67b7985
SS		 2129 return avc_has_perm(current_sid(), task_sid_obj(target),
2130 SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
1da177e4
LT		 2131}
2132
d84f4f99
DH		 2133static int selinux_capset(struct cred *new, const struct cred *old,
2134 const kernel_cap_t *effective,
2135 const kernel_cap_t *inheritable,
2136 const kernel_cap_t *permitted)
1da177e4 2137{
e67b7985 2138 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2139 PROCESS__SETCAP, NULL);
1da177e4
LT		 2140}
2141
5626d3e8
JM		 2142/*
2143 * (This comment used to live with the selinux_task_setuid hook,
2144 * which was removed).
2145 *
2146 * Since setuid only affects the current process, and since the SELinux
2147 * controls are not based on the Linux identity attributes, SELinux does not
2148 * need to control this operation. However, SELinux does control the use of
2149 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2150 */
2151
6a9de491 2152static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2153 int cap, unsigned int opts)
1da177e4 2154{
c1a85a00 2155 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2156}
2157
25cc71d1 2158static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
1da177e4 2159{
88e67f3b 2160 const struct cred *cred = current_cred();
1da177e4
LT		 2161 int rc = 0;
2162
2163 if (!sb)
2164 return 0;
2165
2166 switch (cmds) {
828dfe1d
EP		 2167 case Q_SYNC:
2168 case Q_QUOTAON:
2169 case Q_QUOTAOFF:
2170 case Q_SETINFO:
2171 case Q_SETQUOTA:
e4cfa05e
RH		 2172 case Q_XQUOTAOFF:
2173 case Q_XQUOTAON:
2174 case Q_XSETQLIM:
88e67f3b 2175 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2176 break;
2177 case Q_GETFMT:
2178 case Q_GETINFO:
2179 case Q_GETQUOTA:
e4cfa05e
RH		 2180 case Q_XGETQUOTA:
2181 case Q_XGETQSTAT:
2182 case Q_XGETQSTATV:
2183 case Q_XGETNEXTQUOTA:
88e67f3b 2184 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2185 break;
2186 default:
2187 rc = 0; /* let the kernel handle invalid cmds */
2188 break;
1da177e4
LT		 2189 }
2190 return rc;
2191}
2192
2193static int selinux_quota_on(struct dentry *dentry)
2194{
88e67f3b
DH		 2195 const struct cred *cred = current_cred();
2196
2875fa00 2197 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2198}
2199
12b3052c 2200static int selinux_syslog(int type)
1da177e4 2201{
1da177e4 2202 switch (type) {
d78ca3cd
KC		 2203 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2204 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
e67b7985 2205 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9 2206 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2207 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2208 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2209 /* Set level of messages printed to console */
2210 case SYSLOG_ACTION_CONSOLE_LEVEL:
e67b7985 2211 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2212 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2213 NULL);
1da177e4 2214 }
be0554c9 2215 /* All other syslog types */
e67b7985 2216 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9 2217 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2218}
2219
2220/*
be72a575
XK		 2221 * Check permission for allocating a new virtual mapping. Returns
2222 * 0 if permission is granted, negative error code if not.
1da177e4 2223 *
1da177e4
LT		 2224 * Do not audit the selinux permission check, as this is applied to all
2225 * processes that allocate mappings.
2226 */
34b4e4aa 2227static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4 2228{
be72a575
XK		 2229 return cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2230 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2231}
2232
2233/* binprm security operations */
2234
be0554c9 2235static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2236{
2237 u32 sid = 0;
2238 struct task_struct *tracer;
2239
2240 rcu_read_lock();
be0554c9 2241 tracer = ptrace_parent(current);
0c6181cb 2242 if (tracer)
eb1231f7 2243 sid = task_sid_obj(tracer);
0c6181cb
PM		 2244 rcu_read_unlock();
2245
2246 return sid;
2247}
2248
7b0d0b40
SS		 2249static int check_nnp_nosuid(const struct linux_binprm *bprm,
2250 const struct task_security_struct *old_tsec,
2251 const struct task_security_struct *new_tsec)
2252{
2253 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2254 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2255 int rc;
af63f419 2256 u32 av;
7b0d0b40
SS		 2257
2258 if (!nnp && !nosuid)
2259 return 0; /* neither NNP nor nosuid */
2260
2261 if (new_tsec->sid == old_tsec->sid)
2262 return 0; /* No change in credentials */
2263
2264 /*
af63f419
SS		 2265 * If the policy enables the nnp_nosuid_transition policy capability,
2266 * then we permit transitions under NNP or nosuid if the
2267 * policy allows the corresponding permission between
2268 * the old and new contexts.
7b0d0b40 2269 */
aa8e712c 2270 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2271 av = 0;
7b0d0b40 2272 if (nnp)
af63f419
SS		 2273 av |= PROCESS2__NNP_TRANSITION;
2274 if (nosuid)
2275 av |= PROCESS2__NOSUID_TRANSITION;
e67b7985 2276 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
af63f419
SS		 2277 SECCLASS_PROCESS2, av, NULL);
2278 if (!rc)
2279 return 0;
7b0d0b40 2280 }
af63f419
SS		 2281
2282 /*
2283 * We also permit NNP or nosuid transitions to bounded SIDs,
2284 * i.e. SIDs that are guaranteed to only be allowed a subset
2285 * of the permissions of the current SID.
2286 */
e67b7985 2287 rc = security_bounded_transition(old_tsec->sid,
aa8e712c 2288 new_tsec->sid);
af63f419
SS		 2289 if (!rc)
2290 return 0;
2291
2292 /*
2293 * On failure, preserve the errno values for NNP vs nosuid.
2294 * NNP: Operation not permitted for caller.
2295 * nosuid: Permission denied to file.
2296 */
2297 if (nnp)
2298 return -EPERM;
2299 return -EACCES;
7b0d0b40
SS		 2300}
2301
b8bff599 2302static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
1da177e4 2303{
a6f76f23
DH		 2304 const struct task_security_struct *old_tsec;
2305 struct task_security_struct *new_tsec;
1da177e4 2306 struct inode_security_struct *isec;
2bf49690 2307 struct common_audit_data ad;
496ad9aa 2308 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2309 int rc;
2310
a6f76f23
DH		 2311 /* SELinux context only depends on initial program or script and not
2312 * the script interpreter */
1da177e4 2313
0c6cfa62
CS		 2314 old_tsec = selinux_cred(current_cred());
2315 new_tsec = selinux_cred(bprm->cred);
83da53c5 2316 isec = inode_security(inode);
1da177e4
LT		 2317
2318 /* Default to the current task SID. */
a6f76f23
DH		 2319 new_tsec->sid = old_tsec->sid;
2320 new_tsec->osid = old_tsec->sid;
1da177e4 2321
28eba5bf 2322 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2323 new_tsec->create_sid = 0;
2324 new_tsec->keycreate_sid = 0;
2325 new_tsec->sockcreate_sid = 0;
1da177e4 2326
ae254858
OM		 2327 /*
2328 * Before policy is loaded, label any task outside kernel space
2329 * as SECINITSID_INIT, so that any userspace tasks surviving from
2330 * early boot end up with a label different from SECINITSID_KERNEL
2331 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2332 */
2333 if (!selinux_initialized()) {
2334 new_tsec->sid = SECINITSID_INIT;
2335 /* also clear the exec_sid just in case */
2336 new_tsec->exec_sid = 0;
2337 return 0;
2338 }
2339
a6f76f23
DH		 2340 if (old_tsec->exec_sid) {
2341 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2342 /* Reset exec SID on execve. */
a6f76f23 2343 new_tsec->exec_sid = 0;
259e5e6c 2344
7b0d0b40
SS		 2345 /* Fail on NNP or nosuid if not an allowed transition. */
2346 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2347 if (rc)
2348 return rc;
1da177e4
LT		 2349 } else {
2350 /* Check for a default transition on this program. */
e67b7985 2351 rc = security_transition_sid(old_tsec->sid,
aa8e712c 2352 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2353 &new_tsec->sid);
1da177e4
LT		 2354 if (rc)
2355 return rc;
7b0d0b40
SS		 2356
2357 /*
2358 * Fallback to old SID on NNP or nosuid if not an allowed
2359 * transition.
2360 */
2361 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2362 if (rc)
2363 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2364 }
2365
43af5de7
VG		 2366 ad.type = LSM_AUDIT_DATA_FILE;
2367 ad.u.file = bprm->file;
1da177e4 2368
a6f76f23 2369 if (new_tsec->sid == old_tsec->sid) {
e67b7985 2370 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2371 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2372 if (rc)
2373 return rc;
2374 } else {
2375 /* Check permissions for the transition. */
e67b7985 2376 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2377 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2378 if (rc)
2379 return rc;
2380
e67b7985 2381 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2382 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2383 if (rc)
2384 return rc;
2385
a6f76f23
DH		 2386 /* Check for shared state */
2387 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
e67b7985 2388 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2389 SECCLASS_PROCESS, PROCESS__SHARE,
2390 NULL);
2391 if (rc)
2392 return -EPERM;
2393 }
2394
2395 /* Make sure that anyone attempting to ptrace over a task that
2396 * changes its SID has the appropriate permit */
9227dd2a 2397 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2398 u32 ptsid = ptrace_parent_sid();
a6f76f23 2399 if (ptsid != 0) {
e67b7985 2400 rc = avc_has_perm(ptsid, new_tsec->sid,
a6f76f23
DH		 2401 SECCLASS_PROCESS,
2402 PROCESS__PTRACE, NULL);
2403 if (rc)
2404 return -EPERM;
2405 }
2406 }
1da177e4 2407
a6f76f23
DH		 2408 /* Clear any possibly unsafe personality bits on exec: */
2409 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2410
1da177e4
LT		 2411 /* Enable secure mode for SIDs transitions unless
2412 the noatsecure permission is granted between
2413 the two SIDs, i.e. ahp returns 0. */
e67b7985 2414 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2415 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2416 NULL);
2417 bprm->secureexec |= !!rc;
1da177e4
LT		 2418 }
2419
62874c3a 2420 return 0;
1da177e4
LT		 2421}
2422
c3c073f8
AV		 2423static int match_file(const void *p, struct file *file, unsigned fd)
2424{
2425 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2426}
2427
1da177e4 2428/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2429static inline void flush_unauthorized_files(const struct cred *cred,
2430 struct files_struct *files)
1da177e4 2431{
1da177e4 2432 struct file *file, *devnull = NULL;
b20c8122 2433 struct tty_struct *tty;
24ec839c 2434 int drop_tty = 0;
c3c073f8 2435 unsigned n;
1da177e4 2436
24ec839c 2437 tty = get_current_tty();
1da177e4 2438 if (tty) {
4a510969 2439 spin_lock(&tty->files_lock);
37dd0bd0 2440 if (!list_empty(&tty->tty_files)) {
d996b62a 2441 struct tty_file_private *file_priv;
37dd0bd0 2442
1da177e4 2443 /* Revalidate access to controlling tty.
13f8e981
DH		 2444 Use file_path_has_perm on the tty path directly
2445 rather than using file_has_perm, as this particular
2446 open file may belong to another process and we are
2447 only interested in the inode-based check here. */
d996b62a
NP		 2448 file_priv = list_first_entry(&tty->tty_files,
2449 struct tty_file_private, list);
2450 file = file_priv->file;
13f8e981 2451 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2452 drop_tty = 1;
1da177e4 2453 }
4a510969 2454 spin_unlock(&tty->files_lock);
452a00d2 2455 tty_kref_put(tty);
1da177e4 2456 }
98a27ba4
EB		 2457 /* Reset controlling tty. */
2458 if (drop_tty)
2459 no_tty();
1da177e4
LT		 2460
2461 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2462 n = iterate_fd(files, 0, match_file, cred);
2463 if (!n) /* none found? */
2464 return;
1da177e4 2465
c3c073f8 2466 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2467 if (IS_ERR(devnull))
2468 devnull = NULL;
2469 /* replace all the matching ones with this */
2470 do {
2471 replace_fd(n - 1, devnull, 0);
2472 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2473 if (devnull)
c3c073f8 2474 fput(devnull);
1da177e4
LT		 2475}
2476
a6f76f23
DH		 2477/*
2478 * Prepare a process for imminent new credential changes due to exec
2479 */
64fc9526 2480static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
1da177e4 2481{
a6f76f23
DH		 2482 struct task_security_struct *new_tsec;
2483 struct rlimit *rlim, *initrlim;
2484 int rc, i;
d84f4f99 2485
0c6cfa62 2486 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2487 if (new_tsec->sid == new_tsec->osid)
2488 return;
1da177e4 2489
a6f76f23
DH		 2490 /* Close files for which the new task SID is not authorized. */
2491 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2492
a6f76f23
DH		 2493 /* Always clear parent death signal on SID transitions. */
2494 current->pdeath_signal = 0;
0356357c 2495
a6f76f23
DH		 2496 /* Check whether the new SID can inherit resource limits from the old
2497 * SID. If not, reset all soft limits to the lower of the current
2498 * task's hard limit and the init task's soft limit.
2499 *
2500 * Note that the setting of hard limits (even to lower them) can be
2501 * controlled by the setrlimit check. The inclusion of the init task's
2502 * soft limit into the computation is to avoid resetting soft limits
2503 * higher than the default soft limit for cases where the default is
2504 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2505 */
e67b7985 2506 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2507 PROCESS__RLIMITINH, NULL);
2508 if (rc) {
eb2d55a3
ON		 2509 /* protect against do_prlimit() */
2510 task_lock(current);
a6f76f23
DH		 2511 for (i = 0; i < RLIM_NLIMITS; i++) {
2512 rlim = current->signal->rlim + i;
2513 initrlim = init_task.signal->rlim + i;
2514 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2515 }
eb2d55a3 2516 task_unlock(current);
baa73d9e
NP		 2517 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2518 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2519 }
2520}
2521
2522/*
a6f76f23
DH		 2523 * Clean up the process immediately after the installation of new credentials
2524 * due to exec
1da177e4 2525 */
a721f7b8 2526static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
1da177e4 2527{
0c6cfa62 2528 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2529 u32 osid, sid;
ddbc7d06 2530 int rc;
1da177e4 2531
a6f76f23
DH		 2532 osid = tsec->osid;
2533 sid = tsec->sid;
2534
2535 if (sid == osid)
1da177e4
LT		 2536 return;
2537
a6f76f23
DH		 2538 /* Check whether the new SID can inherit signal state from the old SID.
2539 * If not, clear itimers to avoid subsequent signal generation and
2540 * flush and unblock signals.
2541 *
2542 * This must occur _after_ the task SID has been updated so that any
2543 * kill done after the flush will be checked against the new SID.
2544 */
e67b7985 2545 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2546 if (rc) {
ddbc7d06
AB		 2547 clear_itimer();
2548
0e326df0 2549 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
9e7c8f8c
ON		 2550 if (!fatal_signal_pending(current)) {
2551 flush_sigqueue(&current->pending);
2552 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2553 flush_signal_handlers(current, 1);
2554 sigemptyset(&current->blocked);
9e7c8f8c 2555 recalc_sigpending();
3bcac026 2556 }
0e326df0 2557 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
1da177e4
LT		 2558 }
2559
a6f76f23
DH		 2560 /* Wake up the parent if it is waiting so that it can recheck
2561 * wait permission to the new task SID. */
ecd6de3c 2562 read_lock(&tasklist_lock);
0e326df0 2563 __wake_up_parent(current, unrcu_pointer(current->real_parent));
ecd6de3c 2564 read_unlock(&tasklist_lock);
1da177e4
LT		 2565}
2566
2567/* superblock security operations */
2568
2569static int selinux_sb_alloc_security(struct super_block *sb)
2570{
1aea7808 2571 struct superblock_security_struct *sbsec = selinux_superblock(sb);
cb89e246
PM		 2572
2573 mutex_init(&sbsec->lock);
2574 INIT_LIST_HEAD(&sbsec->isec_head);
2575 spin_lock_init(&sbsec->isec_lock);
cb89e246
PM		 2576 sbsec->sid = SECINITSID_UNLABELED;
2577 sbsec->def_sid = SECINITSID_FILE;
2578 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
cb89e246
PM		 2579
2580 return 0;
1da177e4
LT		 2581}
2582
99dbbb59 2583static inline int opt_len(const char *s)
1da177e4 2584{
99dbbb59
AV		 2585 bool open_quote = false;
2586 int len;
2587 char c;
1da177e4 2588
99dbbb59
AV		 2589 for (len = 0; (c = s[len]) != '\0'; len++) {
2590 if (c == '"')
2591 open_quote = !open_quote;
2592 if (c == ',' && !open_quote)
2593 break;
3528a953 2594 }
99dbbb59 2595 return len;
3528a953
CO		 2596}
2597
99dbbb59 2598static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2599{
99dbbb59
AV		 2600 char *from = options;
2601 char *to = options;
2602 bool first = true;
fec63753 2603 int rc;
1da177e4 2604
99dbbb59
AV		 2605 while (1) {
2606 int len = opt_len(from);
fec63753 2607 int token;
99dbbb59 2608 char *arg = NULL;
1da177e4 2609
99dbbb59 2610 token = match_opt_prefix(from, len, &arg);
1da177e4 2611
99dbbb59
AV		 2612 if (token != Opt_error) {
2613 char *p, *q;
1da177e4 2614
99dbbb59
AV		 2615 /* strip quotes */
2616 if (arg) {
2617 for (p = q = arg; p < from + len; p++) {
2618 char c = *p;
2619 if (c != '"')
2620 *q++ = c;
2621 }
2622 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2623 if (!arg) {
2624 rc = -ENOMEM;
2625 goto free_opt;
2626 }
99dbbb59
AV		 2627 }
2628 rc = selinux_add_opt(token, arg, mnt_opts);
cad140d0
CG		 2629 kfree(arg);
2630 arg = NULL;
99dbbb59 2631 if (unlikely(rc)) {
fec63753 2632 goto free_opt;
99dbbb59
AV		 2633 }
2634 } else {
2635 if (!first) { // copy with preceding comma
2636 from--;
2637 len++;
2638 }
2639 if (to != from)
2640 memmove(to, from, len);
2641 to += len;
2642 first = false;
1da177e4 2643 }
99dbbb59
AV		 2644 if (!from[len])
2645 break;
2646 from += len + 1;
2647 }
2648 *to = '\0';
2649 return 0;
fec63753
GZ		 2650
2651free_opt:
2652 if (*mnt_opts) {
2653 selinux_free_mnt_opts(*mnt_opts);
2654 *mnt_opts = NULL;
2655 }
2656 return rc;
1da177e4
LT		 2657}
2658
69c4a42d
OK		 2659static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2660{
2661 struct selinux_mnt_opts *opts = mnt_opts;
0266c25e 2662 struct superblock_security_struct *sbsec = selinux_superblock(sb);
69c4a42d
OK		 2663
2664 /*
2665 * Superblock not initialized (i.e. no options) - reject if any
2666 * options specified, otherwise accept.
2667 */
2668 if (!(sbsec->flags & SE_SBINITIALIZED))
2669 return opts ? 1 : 0;
2670
2671 /*
2672 * Superblock initialized and no options specified - reject if
2673 * superblock has any options set, otherwise accept.
2674 */
2675 if (!opts)
2676 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2677
70f4169a
OM		 2678 if (opts->fscontext_sid) {
2679 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2680 opts->fscontext_sid))
69c4a42d
OK		 2681 return 1;
2682 }
70f4169a
OM		 2683 if (opts->context_sid) {
2684 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2685 opts->context_sid))
69c4a42d
OK		 2686 return 1;
2687 }
70f4169a
OM		 2688 if (opts->rootcontext_sid) {
2689 struct inode_security_struct *root_isec;
b8b87fd9 2690
70f4169a
OM		 2691 root_isec = backing_inode_security(sb->s_root);
2692 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2693 opts->rootcontext_sid))
69c4a42d 2694 return 1;
70f4169a
OM		 2695 }
2696 if (opts->defcontext_sid) {
2697 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2698 opts->defcontext_sid))
69c4a42d
OK		 2699 return 1;
2700 }
2701 return 0;
2702}
2703
204cc0cc 2704static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2705{
bd323655 2706 struct selinux_mnt_opts *opts = mnt_opts;
1aea7808 2707 struct superblock_security_struct *sbsec = selinux_superblock(sb);
026eb167
EP		 2708
2709 if (!(sbsec->flags & SE_SBINITIALIZED))
2710 return 0;
2711
204cc0cc 2712 if (!opts)
026eb167
EP		 2713 return 0;
2714
70f4169a 2715 if (opts->fscontext_sid) {
6bc1968c
SM		 2716 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2717 opts->fscontext_sid))
bd323655 2718 goto out_bad_option;
026eb167 2719 }
70f4169a 2720 if (opts->context_sid) {
6bc1968c
SM		 2721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2722 opts->context_sid))
bd323655
AV		 2723 goto out_bad_option;
2724 }
70f4169a 2725 if (opts->rootcontext_sid) {
bd323655
AV		 2726 struct inode_security_struct *root_isec;
2727 root_isec = backing_inode_security(sb->s_root);
6bc1968c
SM		 2728 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2729 opts->rootcontext_sid))
bd323655
AV		 2730 goto out_bad_option;
2731 }
70f4169a 2732 if (opts->defcontext_sid) {
6bc1968c
SM		 2733 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2734 opts->defcontext_sid))
bd323655 2735 goto out_bad_option;
026eb167 2736 }
c039bc3c 2737 return 0;
026eb167 2738
026eb167 2739out_bad_option:
c103a91e 2740 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2741 "during remount (dev %s, type=%s)\n", sb->s_id,
2742 sb->s_type->name);
c039bc3c 2743 return -EINVAL;
026eb167
EP		 2744}
2745
20a2aa47 2746static int selinux_sb_kern_mount(const struct super_block *sb)
1da177e4 2747{
88e67f3b 2748 const struct cred *cred = current_cred();
2bf49690 2749 struct common_audit_data ad;
74192246 2750
50c205f5 2751 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2752 ad.u.dentry = sb->s_root;
88e67f3b 2753 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2754}
2755
726c3342 2756static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2757{
88e67f3b 2758 const struct cred *cred = current_cred();
2bf49690 2759 struct common_audit_data ad;
1da177e4 2760
50c205f5 2761 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2762 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2763 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2764}
2765
808d4e3c 2766static int selinux_mount(const char *dev_name,
8a04c43b 2767 const struct path *path,
808d4e3c 2768 const char *type,
828dfe1d
EP		 2769 unsigned long flags,
2770 void *data)
1da177e4 2771{
88e67f3b 2772 const struct cred *cred = current_cred();
1da177e4
LT		 2773
2774 if (flags & MS_REMOUNT)
d8c9584e 2775 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2776 FILESYSTEM__REMOUNT, NULL);
1da177e4 2777 else
2875fa00 2778 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2779}
2780
98aa0034
SS		 2781static int selinux_move_mount(const struct path *from_path,
2782 const struct path *to_path)
2783{
2784 const struct cred *cred = current_cred();
2785
2786 return path_has_perm(cred, to_path, FILE__MOUNTON);
2787}
2788
1da177e4
LT		 2789static int selinux_umount(struct vfsmount *mnt, int flags)
2790{
88e67f3b 2791 const struct cred *cred = current_cred();
1da177e4 2792
88e67f3b 2793 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2794 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2795}
2796
d80a8f1b
DH		 2797static int selinux_fs_context_submount(struct fs_context *fc,
2798 struct super_block *reference)
2799{
ccf1dab9 2800 const struct superblock_security_struct *sbsec = selinux_superblock(reference);
d80a8f1b
DH		 2801 struct selinux_mnt_opts *opts;
2802
ccf1dab9
OM		 2803 /*
2804 * Ensure that fc->security remains NULL when no options are set
2805 * as expected by selinux_set_mnt_opts().
2806 */
2807 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2808 return 0;
2809
d80a8f1b
DH		 2810 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2811 if (!opts)
2812 return -ENOMEM;
2813
d80a8f1b
DH		 2814 if (sbsec->flags & FSCONTEXT_MNT)
2815 opts->fscontext_sid = sbsec->sid;
2816 if (sbsec->flags & CONTEXT_MNT)
2817 opts->context_sid = sbsec->mntpoint_sid;
2818 if (sbsec->flags & DEFCONTEXT_MNT)
2819 opts->defcontext_sid = sbsec->def_sid;
2820 fc->security = opts;
2821 return 0;
2822}
2823
0b52075e
AV		 2824static int selinux_fs_context_dup(struct fs_context *fc,
2825 struct fs_context *src_fc)
2826{
2827 const struct selinux_mnt_opts *src = src_fc->security;
0b52075e
AV		 2828
2829 if (!src)
2830 return 0;
2831
70f4169a
OM		 2832 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2833 return fc->security ? 0 : -ENOMEM;
0b52075e
AV		 2834}
2835
d7167b14 2836static const struct fs_parameter_spec selinux_fs_parameters[] = {
442155c1
DH		 2837 fsparam_string(CONTEXT_STR, Opt_context),
2838 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2839 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2840 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2841 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2842 {}
2843};
2844
442155c1
DH		 2845static int selinux_fs_context_parse_param(struct fs_context *fc,
2846 struct fs_parameter *param)
2847{
2848 struct fs_parse_result result;
cad140d0 2849 int opt;
442155c1 2850
d7167b14 2851 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
442155c1
DH		 2852 if (opt < 0)
2853 return opt;
2854
cad140d0 2855 return selinux_add_opt(opt, param->string, &fc->security);
442155c1
DH		 2856}
2857
1da177e4
LT		 2858/* inode security operations */
2859
2860static int selinux_inode_alloc_security(struct inode *inode)
2861{
cb89e246
PM		 2862 struct inode_security_struct *isec = selinux_inode(inode);
2863 u32 sid = current_sid();
2864
2865 spin_lock_init(&isec->lock);
2866 INIT_LIST_HEAD(&isec->list);
2867 isec->inode = inode;
2868 isec->sid = SECINITSID_UNLABELED;
2869 isec->sclass = SECCLASS_FILE;
2870 isec->task_sid = sid;
2871 isec->initialized = LABEL_INVALID;
2872
2873 return 0;
1da177e4
LT		 2874}
2875
2876static void selinux_inode_free_security(struct inode *inode)
2877{
2878 inode_free_security(inode);
2879}
2880
d47be3df 2881static int selinux_dentry_init_security(struct dentry *dentry, int mode,
15bf3239 2882 const struct qstr *name,
b530104f
CS		 2883 const char **xattr_name,
2884 struct lsm_context *cp)
d47be3df 2885{
d47be3df
DQ		 2886 u32 newsid;
2887 int rc;
2888
0c6cfa62 2889 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2890 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2891 inode_mode_to_security_class(mode),
2892 &newsid);
2893 if (rc)
2894 return rc;
d47be3df 2895
15bf3239
VG		 2896 if (xattr_name)
2897 *xattr_name = XATTR_NAME_SELINUX;
2898
b530104f
CS		 2899 cp->id = LSM_ID_SELINUX;
2900 return security_sid_to_context(newsid, &cp->context, &cp->len);
d47be3df
DQ		 2901}
2902
a518b0a5
VG		 2903static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2904 struct qstr *name,
2905 const struct cred *old,
2906 struct cred *new)
2907{
2908 u32 newsid;
2909 int rc;
2910 struct task_security_struct *tsec;
2911
0c6cfa62 2912 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2913 d_inode(dentry->d_parent), name,
2914 inode_mode_to_security_class(mode),
2915 &newsid);
2916 if (rc)
2917 return rc;
2918
0c6cfa62 2919 tsec = selinux_cred(new);
a518b0a5
VG		 2920 tsec->create_sid = newsid;
2921 return 0;
2922}
2923
5e41ff9e 2924static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b 2925 const struct qstr *qstr,
6bcdfd2c 2926 struct xattr *xattrs, int *xattr_count)
5e41ff9e 2927{
0c6cfa62 2928 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2929 struct superblock_security_struct *sbsec;
6bcdfd2c 2930 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
c0d4f464 2931 u32 newsid, clen;
90593caf 2932 u16 newsclass;
5e41ff9e 2933 int rc;
9548906b 2934 char *context;
5e41ff9e 2935
1aea7808 2936 sbsec = selinux_superblock(dir->i_sb);
5e41ff9e 2937
275bb41e 2938 newsid = tsec->create_sid;
90593caf
PM		 2939 newsclass = inode_mode_to_security_class(inode->i_mode);
2940 rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);
c3c188b2
DH		 2941 if (rc)
2942 return rc;
5e41ff9e 2943
296fddf7 2944 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2945 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2946 struct inode_security_struct *isec = selinux_inode(inode);
90593caf 2947 isec->sclass = newsclass;
296fddf7 2948 isec->sid = newsid;
6f3be9f5 2949 isec->initialized = LABEL_INITIALIZED;
296fddf7 2950 }
5e41ff9e 2951
e67b7985 2952 if (!selinux_initialized() ||
65cddd50 2953 !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2954 return -EOPNOTSUPP;
2955
6bcdfd2c 2956 if (xattr) {
e67b7985 2957 rc = security_sid_to_context_force(newsid,
aa8e712c 2958 &context, &clen);
9548906b 2959 if (rc)
570bc1c2 2960 return rc;
6bcdfd2c
RS		 2961 xattr->value = context;
2962 xattr->value_len = clen;
2963 xattr->name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2964 }
5e41ff9e 2965
5e41ff9e
SS		 2966 return 0;
2967}
2968
29cd6591
DC		 2969static int selinux_inode_init_security_anon(struct inode *inode,
2970 const struct qstr *name,
2971 const struct inode *context_inode)
2972{
cdc12eb4 2973 u32 sid = current_sid();
29cd6591
DC		 2974 struct common_audit_data ad;
2975 struct inode_security_struct *isec;
2976 int rc;
2977
e67b7985 2978 if (unlikely(!selinux_initialized()))
29cd6591
DC		 2979 return 0;
2980
2981 isec = selinux_inode(inode);
2982
2983 /*
2984 * We only get here once per ephemeral inode. The inode has
2985 * been initialized via inode_alloc_security but is otherwise
2986 * untouched.
2987 */
2988
2989 if (context_inode) {
2990 struct inode_security_struct *context_isec =
2991 selinux_inode(context_inode);
2992 if (context_isec->initialized != LABEL_INITIALIZED) {
e5faa839 2993 pr_err("SELinux: context_inode is not initialized\n");
29cd6591
DC		 2994 return -EACCES;
2995 }
2996
2997 isec->sclass = context_isec->sclass;
2998 isec->sid = context_isec->sid;
2999 } else {
3000 isec->sclass = SECCLASS_ANON_INODE;
3001 rc = security_transition_sid(
cdc12eb4 3002 sid, sid,
29cd6591
DC		 3003 isec->sclass, name, &isec->sid);
3004 if (rc)
3005 return rc;
3006 }
3007
3008 isec->initialized = LABEL_INITIALIZED;
3009 /*
3010 * Now that we've initialized security, check whether we're
3011 * allowed to actually create this type of anonymous inode.
3012 */
3013
c29722fa
CG		 3014 ad.type = LSM_AUDIT_DATA_ANONINODE;
3015 ad.u.anonclass = name ? (const char *)name->name : "?";
29cd6591 3016
cdc12eb4 3017 return avc_has_perm(sid,
29cd6591
DC		 3018 isec->sid,
3019 isec->sclass,
3020 FILE__CREATE,
3021 &ad);
3022}
3023
4acdaf27 3024static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3025{
3026 return may_create(dir, dentry, SECCLASS_FILE);
3027}
3028
1da177e4
LT		 3029static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3030{
1da177e4
LT		 3031 return may_link(dir, old_dentry, MAY_LINK);
3032}
3033
1da177e4
LT		 3034static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3035{
1da177e4
LT		 3036 return may_link(dir, dentry, MAY_UNLINK);
3037}
3038
3039static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3040{
3041 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3042}
3043
18bb1db3 3044static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3045{
3046 return may_create(dir, dentry, SECCLASS_DIR);
3047}
3048
1da177e4
LT		 3049static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3050{
3051 return may_link(dir, dentry, MAY_RMDIR);
3052}
3053
1a67aafb 3054static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3055{
1da177e4
LT		 3056 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3057}
3058
1da177e4 3059static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3060 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3061{
3062 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3063}
3064
1da177e4
LT		 3065static int selinux_inode_readlink(struct dentry *dentry)
3066{
88e67f3b
DH		 3067 const struct cred *cred = current_cred();
3068
2875fa00 3069 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3070}
3071
bda0be7a
N		 3072static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3073 bool rcu)
1da177e4 3074{
bda0be7a
N		 3075 struct common_audit_data ad;
3076 struct inode_security_struct *isec;
cdc12eb4 3077 u32 sid = current_sid();
1da177e4 3078
bda0be7a
N		 3079 ad.type = LSM_AUDIT_DATA_DENTRY;
3080 ad.u.dentry = dentry;
5d226df4
AG		 3081 isec = inode_security_rcu(inode, rcu);
3082 if (IS_ERR(isec))
3083 return PTR_ERR(isec);
bda0be7a 3084
e67b7985 3085 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
1da177e4
LT		 3086}
3087
d4cf970d
EP		 3088static noinline int audit_inode_permission(struct inode *inode,
3089 u32 perms, u32 audited, u32 denied,
0188d5c0 3090 int result)
1da177e4 3091{
b782e0a6 3092 struct common_audit_data ad;
80788c22 3093 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d 3094
50c205f5 3095 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3096 ad.u.inode = inode;
3097
e67b7985 3098 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
0188d5c0 3099 audited, denied, result, &ad);
d4cf970d
EP		 3100}
3101
5d7ddc59
PM		 3102/**
3103 * task_avdcache_reset - Reset the task's AVD cache
3104 * @tsec: the task's security state
3105 *
3106 * Clear the task's AVD cache in @tsec and reset it to the current policy's
3107 * and task's info.
3108 */
3109static inline void task_avdcache_reset(struct task_security_struct *tsec)
1da177e4 3110{
5d7ddc59
PM		 3111 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir));
3112 tsec->avdcache.sid = tsec->sid;
3113 tsec->avdcache.seqno = avc_policy_seqno();
3114 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1;
3115}
3116
3117/**
3118 * task_avdcache_search - Search the task's AVD cache
3119 * @tsec: the task's security state
3120 * @isec: the inode to search for in the cache
3121 * @avdc: matching avd cache entry returned to the caller
3122 *
3123 * Search @tsec for a AVD cache entry that matches @isec and return it to the
3124 * caller via @avdc. Returns 0 if a match is found, negative values otherwise.
3125 */
3126static inline int task_avdcache_search(struct task_security_struct *tsec,
3127 struct inode_security_struct *isec,
3128 struct avdc_entry **avdc)
3129{
3130 int orig, iter;
3131
3132 /* focused on path walk optimization, only cache directories */
3133 if (isec->sclass != SECCLASS_DIR)
3134 return -ENOENT;
3135
3136 if (unlikely(tsec->sid != tsec->avdcache.sid ||
3137 tsec->avdcache.seqno != avc_policy_seqno())) {
3138 task_avdcache_reset(tsec);
3139 return -ENOENT;
3140 }
3141
3142 orig = iter = tsec->avdcache.dir_spot;
3143 do {
3144 if (tsec->avdcache.dir[iter].isid == isec->sid) {
3145 /* cache hit */
3146 tsec->avdcache.dir_spot = iter;
3147 *avdc = &tsec->avdcache.dir[iter];
3148 return 0;
3149 }
3150 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1);
3151 } while (iter != orig);
3152
3153 return -ENOENT;
3154}
3155
3156/**
3157 * task_avdcache_update - Update the task's AVD cache
3158 * @tsec: the task's security state
3159 * @isec: the inode associated with the cache entry
05f1a939 3160 * @avd: the AVD to cache
5d7ddc59
PM		 3161 * @audited: the permission audit bitmask to cache
3162 *
3163 * Update the AVD cache in @tsec with the @avdc and @audited info associated
3164 * with @isec.
3165 */
3166static inline void task_avdcache_update(struct task_security_struct *tsec,
3167 struct inode_security_struct *isec,
3168 struct av_decision *avd,
3169 u32 audited)
3170{
3171 int spot;
3172
3173 /* focused on path walk optimization, only cache directories */
3174 if (isec->sclass != SECCLASS_DIR)
3175 return;
3176
3177 /* update cache */
3178 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);
3179 tsec->avdcache.dir_spot = spot;
3180 tsec->avdcache.dir[spot].isid = isec->sid;
3181 tsec->avdcache.dir[spot].audited = audited;
3182 tsec->avdcache.dir[spot].allowed = avd->allowed;
3183 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
3184}
3185
3186/**
3187 * selinux_inode_permission - Check if the current task can access an inode
3188 * @inode: the inode that is being accessed
3189 * @requested: the accesses being requested
3190 *
3191 * Check if the current task is allowed to access @inode according to
3192 * @requested. Returns 0 if allowed, negative values otherwise.
3193 */
3194static int selinux_inode_permission(struct inode *inode, int requested)
3195{
3196 int mask;
b782e0a6 3197 u32 perms;
5d7ddc59 3198 struct task_security_struct *tsec;
2e334057 3199 struct inode_security_struct *isec;
5d7ddc59 3200 struct avdc_entry *avdc;
2e334057
EP		 3201 int rc, rc2;
3202 u32 audited, denied;
1da177e4 3203
5d7ddc59 3204 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
d09ca739 3205
b782e0a6
EP		 3206 /* No permission to check. Existence test. */
3207 if (!mask)
1da177e4 3208 return 0;
1da177e4 3209
5d7ddc59 3210 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK);
5d226df4
AG		 3211 if (IS_ERR(isec))
3212 return PTR_ERR(isec);
5d7ddc59
PM		 3213 tsec = selinux_cred(current_cred());
3214 perms = file_mask_to_av(inode->i_mode, mask);
3215
3216 rc = task_avdcache_search(tsec, isec, &avdc);
3217 if (likely(!rc)) {
3218 /* Cache hit. */
3219 audited = perms & avdc->audited;
3220 denied = perms & ~avdc->allowed;
3221 if (unlikely(denied && enforcing_enabled() &&
3222 !avdc->permissive))
3223 rc = -EACCES;
3224 } else {
3225 struct av_decision avd;
3226
3227 /* Cache miss. */
3228 rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass,
3229 perms, 0, &avd);
3230 audited = avc_audit_required(perms, &avd, rc,
3231 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
3232 &denied);
3233 task_avdcache_update(tsec, isec, &avd, audited);
3234 }
2e334057 3235
2e334057
EP		 3236 if (likely(!audited))
3237 return rc;
3238
0188d5c0 3239 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
2e334057
EP		 3240 if (rc2)
3241 return rc2;
5d7ddc59 3242
2e334057 3243 return rc;
1da177e4
LT		 3244}
3245
314a8dc7
RS		 3246static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
3247 struct iattr *iattr)
1da177e4 3248{
88e67f3b 3249 const struct cred *cred = current_cred();
ccb54478 3250 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3251 unsigned int ia_valid = iattr->ia_valid;
046b85a9 3252 u32 av = FILE__WRITE;
1da177e4 3253
bc6a6008
AW		 3254 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3255 if (ia_valid & ATTR_FORCE) {
3256 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3257 ATTR_FORCE);
3258 if (!ia_valid)
3259 return 0;
3260 }
1da177e4 3261
bc6a6008
AW		 3262 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3263 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3264 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3265
aa8e712c 3266 if (selinux_policycap_openperm() &&
ccb54478
SS		 3267 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3268 (ia_valid & ATTR_SIZE) &&
3269 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3270 av |= FILE__OPEN;
3271
3272 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3273}
3274
3f7036a0 3275static int selinux_inode_getattr(const struct path *path)
1da177e4 3276{
3f7036a0 3277 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3278}
3279
db59000a
SS		 3280static bool has_cap_mac_admin(bool audit)
3281{
3282 const struct cred *cred = current_cred();
c1a85a00 3283 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3284
c1a85a00 3285 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3286 return false;
c1a85a00 3287 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3288 return false;
3289 return true;
3290}
3291
61df7b82
PM		 3292/**
3293 * selinux_inode_xattr_skipcap - Skip the xattr capability checks?
3294 * @name: name of the xattr
3295 *
3296 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs
3297 * named @name; the LSM layer should avoid enforcing any traditional
3298 * capability based access controls on this xattr. Returns 0 to indicate that
3299 * SELinux does not "own" the access control rights to xattrs named @name and is
3300 * deferring to the LSM layer for further access controls, including capability
3301 * based controls.
3302 */
3303static int selinux_inode_xattr_skipcap(const char *name)
3304{
3305 /* require capability check if not a selinux xattr */
3306 return !strcmp(name, XATTR_NAME_SELINUX);
3307}
3308
39f60c1c 3309static int selinux_inode_setxattr(struct mnt_idmap *idmap,
71bc356f 3310 struct dentry *dentry, const char *name,
8f0cfa52 3311 const void *value, size_t size, int flags)
1da177e4 3312{
c6f493d6 3313 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3314 struct inode_security_struct *isec;
1da177e4 3315 struct superblock_security_struct *sbsec;
2bf49690 3316 struct common_audit_data ad;
275bb41e 3317 u32 newsid, sid = current_sid();
1da177e4
LT		 3318 int rc = 0;
3319
61df7b82
PM		 3320 /* if not a selinux xattr, only check the ordinary setattr perm */
3321 if (strcmp(name, XATTR_NAME_SELINUX))
6b240306 3322 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
1da177e4 3323
e67b7985 3324 if (!selinux_initialized())
01beba79 3325 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3e3e24b4 3326
1aea7808 3327 sbsec = selinux_superblock(inode->i_sb);
12f348b9 3328 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3329 return -EOPNOTSUPP;
3330
01beba79 3331 if (!inode_owner_or_capable(idmap, inode))
1da177e4
LT		 3332 return -EPERM;
3333
50c205f5 3334 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3335 ad.u.dentry = dentry;
1da177e4 3336
20cdef8d 3337 isec = backing_inode_security(dentry);
e67b7985 3338 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3339 FILE__RELABELFROM, &ad);
3340 if (rc)
3341 return rc;
3342
e67b7985 3343 rc = security_context_to_sid(value, size, &newsid,
aa8e712c 3344 GFP_KERNEL);
12b29f34 3345 if (rc == -EINVAL) {
db59000a 3346 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3347 struct audit_buffer *ab;
3348 size_t audit_size;
d6ea83ec
EP		 3349
3350 /* We strip a nul only if it is at the end, otherwise the
3351 * context contains a nul and we should audit that */
e3fea3f7 3352 if (value) {
add24372
CIK		 3353 const char *str = value;
3354
e3fea3f7
AV		 3355 if (str[size - 1] == '\0')
3356 audit_size = size - 1;
3357 else
3358 audit_size = size;
3359 } else {
e3fea3f7
AV		 3360 audit_size = 0;
3361 }
cdfb6b34
RGB		 3362 ab = audit_log_start(audit_context(),
3363 GFP_ATOMIC, AUDIT_SELINUX_ERR);
893c47d1
AK		 3364 if (!ab)
3365 return rc;
d6ea83ec
EP		 3366 audit_log_format(ab, "op=setxattr invalid_context=");
3367 audit_log_n_untrustedstring(ab, value, audit_size);
3368 audit_log_end(ab);
3369
12b29f34 3370 return rc;
d6ea83ec 3371 }
e67b7985 3372 rc = security_context_to_sid_force(value,
aa8e712c 3373 size, &newsid);
12b29f34 3374 }
1da177e4
LT		 3375 if (rc)
3376 return rc;
3377
e67b7985 3378 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3379 FILE__RELABELTO, &ad);
3380 if (rc)
3381 return rc;
3382
e67b7985 3383 rc = security_validate_transition(isec->sid, newsid,
aa8e712c 3384 sid, isec->sclass);
1da177e4
LT		 3385 if (rc)
3386 return rc;
3387
e67b7985 3388 return avc_has_perm(newsid,
1da177e4
LT		 3389 sbsec->sid,
3390 SECCLASS_FILESYSTEM,
3391 FILESYSTEM__ASSOCIATE,
3392 &ad);
3393}
3394
700b7940 3395static int selinux_inode_set_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3396 struct dentry *dentry, const char *acl_name,
3397 struct posix_acl *kacl)
3398{
3399 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3400}
3401
700b7940 3402static int selinux_inode_get_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3403 struct dentry *dentry, const char *acl_name)
3404{
3405 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3406}
3407
700b7940 3408static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3409 struct dentry *dentry, const char *acl_name)
3410{
3411 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3412}
3413
8f0cfa52 3414static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3415 const void *value, size_t size,
8f0cfa52 3416 int flags)
1da177e4 3417{
c6f493d6 3418 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3419 struct inode_security_struct *isec;
1da177e4
LT		 3420 u32 newsid;
3421 int rc;
3422
3423 if (strcmp(name, XATTR_NAME_SELINUX)) {
3424 /* Not an attribute we recognize, so nothing to do. */
3425 return;
3426 }
3427
e67b7985 3428 if (!selinux_initialized()) {
3e3e24b4
JL		 3429 /* If we haven't even been initialized, then we can't validate
3430 * against a policy, so leave the label as invalid. It may
3431 * resolve to a valid label on the next revalidation try if
3432 * we've since initialized.
3433 */
3434 return;
3435 }
3436
e67b7985 3437 rc = security_context_to_sid_force(value, size,
aa8e712c 3438 &newsid);
1da177e4 3439 if (rc) {
c103a91e 3440 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3441 "for (%s, %lu), rc=%d\n",
3442 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3443 return;
3444 }
3445
20cdef8d 3446 isec = backing_inode_security(dentry);
9287aed2 3447 spin_lock(&isec->lock);
aa9c2669 3448 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3449 isec->sid = newsid;
6f3be9f5 3450 isec->initialized = LABEL_INITIALIZED;
9287aed2 3451 spin_unlock(&isec->lock);
1da177e4
LT		 3452}
3453
8f0cfa52 3454static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3455{
88e67f3b
DH		 3456 const struct cred *cred = current_cred();
3457
2875fa00 3458 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3459}
3460
828dfe1d 3461static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3462{
88e67f3b
DH		 3463 const struct cred *cred = current_cred();
3464
2875fa00 3465 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3466}
3467
39f60c1c 3468static int selinux_inode_removexattr(struct mnt_idmap *idmap,
71bc356f 3469 struct dentry *dentry, const char *name)
1da177e4 3470{
dd44477e
PM		 3471 /* if not a selinux xattr, only check the ordinary setattr perm */
3472 if (strcmp(name, XATTR_NAME_SELINUX))
6b240306 3473 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
1da177e4 3474
e67b7985 3475 if (!selinux_initialized())
9530a3e0
SS		 3476 return 0;
3477
1da177e4
LT		 3478 /* No one is allowed to remove a SELinux security label.
3479 You can change the label, but all data must be labeled. */
3480 return -EACCES;
3481}
3482
ac5656d8
AG		 3483static int selinux_path_notify(const struct path *path, u64 mask,
3484 unsigned int obj_type)
3485{
3486 int ret;
3487 u32 perm;
3488
3489 struct common_audit_data ad;
3490
3491 ad.type = LSM_AUDIT_DATA_PATH;
3492 ad.u.path = *path;
3493
3494 /*
3495 * Set permission needed based on the type of mark being set.
3496 * Performs an additional check for sb watches.
3497 */
3498 switch (obj_type) {
3499 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3500 perm = FILE__WATCH_MOUNT;
3501 break;
3502 case FSNOTIFY_OBJ_TYPE_SB:
3503 perm = FILE__WATCH_SB;
3504 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3505 FILESYSTEM__WATCH, &ad);
3506 if (ret)
3507 return ret;
3508 break;
3509 case FSNOTIFY_OBJ_TYPE_INODE:
3510 perm = FILE__WATCH;
3511 break;
7d90fb52
MS		 3512 case FSNOTIFY_OBJ_TYPE_MNTNS:
3513 perm = FILE__WATCH_MOUNTNS;
3514 break;
ac5656d8
AG		 3515 default:
3516 return -EINVAL;
3517 }
3518
3519 /* blocking watches require the file:watch_with_perm permission */
3520 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3521 perm |= FILE__WATCH_WITH_PERM;
3522
3523 /* watches on read-like events need the file:watch_reads permission */
f156524e
AG		 3524 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS |
3525 FS_CLOSE_NOWRITE))
ac5656d8
AG		 3526 perm |= FILE__WATCH_READS;
3527
3528 return path_has_perm(current_cred(), path, perm);
3529}
3530
d381d8a9 3531/*
abc69bb6 3532 * Copy the inode security context value to the user.
d381d8a9
JM		 3533 *
3534 * Permission check is handled by selinux_inode_getxattr hook.
3535 */
4609e1f1 3536static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
71bc356f
CB		 3537 struct inode *inode, const char *name,
3538 void **buffer, bool alloc)
1da177e4 3539{
42492594
DQ		 3540 u32 size;
3541 int error;
3542 char *context = NULL;
20cdef8d 3543 struct inode_security_struct *isec;
d381d8a9 3544
c8e22261
JL		 3545 /*
3546 * If we're not initialized yet, then we can't validate contexts, so
3547 * just let vfs_getxattr fall back to using the on-disk xattr.
3548 */
e67b7985 3549 if (!selinux_initialized() ||
c8e22261 3550 strcmp(name, XATTR_SELINUX_SUFFIX))
8c8570fb 3551 return -EOPNOTSUPP;
d381d8a9 3552
abc69bb6
SS		 3553 /*
3554 * If the caller has CAP_MAC_ADMIN, then get the raw context
3555 * value even if it is not defined by current policy; otherwise,
3556 * use the in-core value under current policy.
3557 * Use the non-auditing forms of the permission checks since
3558 * getxattr may be called by unprivileged processes commonly
3559 * and lack of permission just means that we fall back to the
3560 * in-core context value, not a denial.
3561 */
20cdef8d 3562 isec = inode_security(inode);
db59000a 3563 if (has_cap_mac_admin(false))
e67b7985 3564 error = security_sid_to_context_force(isec->sid, &context,
abc69bb6
SS		 3565 &size);
3566 else
e67b7985 3567 error = security_sid_to_context(isec->sid,
aa8e712c 3568 &context, &size);
42492594
DQ		 3569 if (error)
3570 return error;
3571 error = size;
3572 if (alloc) {
3573 *buffer = context;
3574 goto out_nofree;
3575 }
3576 kfree(context);
3577out_nofree:
3578 return error;
1da177e4
LT		 3579}
3580
3581static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3582 const void *value, size_t size, int flags)
1da177e4 3583{
2c97165b 3584 struct inode_security_struct *isec = inode_security_novalidate(inode);
1aea7808 3585 struct superblock_security_struct *sbsec;
1da177e4
LT		 3586 u32 newsid;
3587 int rc;
3588
3589 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3590 return -EOPNOTSUPP;
3591
1aea7808 3592 sbsec = selinux_superblock(inode->i_sb);
53e0c2aa
OM		 3593 if (!(sbsec->flags & SBLABEL_MNT))
3594 return -EOPNOTSUPP;
3595
1da177e4
LT		 3596 if (!value || !size)
3597 return -EACCES;
3598
e67b7985 3599 rc = security_context_to_sid(value, size, &newsid,
aa8e712c 3600 GFP_KERNEL);
1da177e4
LT		 3601 if (rc)
3602 return rc;
3603
9287aed2 3604 spin_lock(&isec->lock);
aa9c2669 3605 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3606 isec->sid = newsid;
6f3be9f5 3607 isec->initialized = LABEL_INITIALIZED;
9287aed2 3608 spin_unlock(&isec->lock);
1da177e4
LT		 3609 return 0;
3610}
3611
3612static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3613{
3614 const int len = sizeof(XATTR_NAME_SELINUX);
a9ffe682 3615
e67b7985 3616 if (!selinux_initialized())
a9ffe682
AG		 3617 return 0;
3618
1da177e4
LT		 3619 if (buffer && len <= buffer_size)
3620 memcpy(buffer, XATTR_NAME_SELINUX, len);
3621 return len;
3622}
3623
07f9d2c1 3624static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)
713a04ae 3625{
e817c2f3 3626 struct inode_security_struct *isec = inode_security_novalidate(inode);
07f9d2c1
CS		 3627
3628 prop->selinux.secid = isec->sid;
713a04ae
AD		 3629}
3630
56909eb3
VG		 3631static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3632{
07f9d2c1 3633 struct lsm_prop prop;
56909eb3
VG		 3634 struct task_security_struct *tsec;
3635 struct cred *new_creds = *new;
3636
3637 if (new_creds == NULL) {
3638 new_creds = prepare_creds();
3639 if (!new_creds)
3640 return -ENOMEM;
3641 }
3642
0c6cfa62 3643 tsec = selinux_cred(new_creds);
56909eb3 3644 /* Get label from overlay inode and set it in create_sid */
07f9d2c1
CS		 3645 selinux_inode_getlsmprop(d_inode(src), &prop);
3646 tsec->create_sid = prop.selinux.secid;
56909eb3
VG		 3647 *new = new_creds;
3648 return 0;
3649}
3650
32538047 3651static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name)
19472b69
VG		 3652{
3653 /* The copy_up hook above sets the initial context on an inode, but we
3654 * don't then want to overwrite it by blindly copying all the lower
7c655bee
DD		 3655 * xattrs up. Instead, filter out SELinux-related xattrs following
3656 * policy load.
19472b69 3657 */
924e19c3
XK		 3658 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX))
3659 return -ECANCELED; /* Discard */
19472b69
VG		 3660 /*
3661 * Any other attribute apart from SELINUX is not claimed, supported
3662 * by selinux.
3663 */
3664 return -EOPNOTSUPP;
3665}
3666
ec882da5
OM		 3667/* kernfs node operations */
3668
c72c4cde
Y		 3669static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3670 struct kernfs_node *kn)
ec882da5 3671{
169ce0c0 3672 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3673 u32 parent_sid, newsid, clen;
3674 int rc;
3675 char *context;
3676
1537ad15 3677 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3678 if (rc == -ENODATA)
3679 return 0;
3680 else if (rc < 0)
3681 return rc;
3682
3683 clen = (u32)rc;
3684 context = kmalloc(clen, GFP_KERNEL);
3685 if (!context)
3686 return -ENOMEM;
3687
1537ad15 3688 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3689 if (rc < 0) {
3690 kfree(context);
3691 return rc;
3692 }
3693
e67b7985 3694 rc = security_context_to_sid(context, clen, &parent_sid,
ec882da5
OM		 3695 GFP_KERNEL);
3696 kfree(context);
3697 if (rc)
3698 return rc;
3699
3700 if (tsec->create_sid) {
3701 newsid = tsec->create_sid;
3702 } else {
3703 u16 secclass = inode_mode_to_security_class(kn->mode);
741c10b0 3704 const char *kn_name;
ec882da5
OM		 3705 struct qstr q;
3706
741c10b0
SAS		 3707 /* kn is fresh, can't be renamed, name goes not away */
3708 kn_name = rcu_dereference_check(kn->name, true);
3709 q.name = kn_name;
3710 q.hash_len = hashlen_string(kn_dir, kn_name);
ec882da5 3711
e67b7985 3712 rc = security_transition_sid(tsec->sid,
ec882da5
OM		 3713 parent_sid, secclass, &q,
3714 &newsid);
3715 if (rc)
3716 return rc;
3717 }
3718
e67b7985 3719 rc = security_sid_to_context_force(newsid,
ec882da5
OM		 3720 &context, &clen);
3721 if (rc)
3722 return rc;
3723
1537ad15
OM		 3724 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3725 XATTR_CREATE);
ec882da5
OM		 3726 kfree(context);
3727 return rc;
3728}
3729
3730
1da177e4
LT		 3731/* file security operations */
3732
788e7dd4 3733static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3734{
88e67f3b 3735 const struct cred *cred = current_cred();
496ad9aa 3736 struct inode *inode = file_inode(file);
1da177e4 3737
1da177e4
LT		 3738 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3739 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3740 mask |= MAY_APPEND;
3741
389fb800
PM		 3742 return file_has_perm(cred, file,
3743 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3744}
3745
788e7dd4
YN		 3746static int selinux_file_permission(struct file *file, int mask)
3747{
496ad9aa 3748 struct inode *inode = file_inode(file);
bb6c6b02 3749 struct file_security_struct *fsec = selinux_file(file);
b197367e 3750 struct inode_security_struct *isec;
20dda18b
SS		 3751 u32 sid = current_sid();
3752
389fb800 3753 if (!mask)
788e7dd4
YN		 3754 /* No permission to check. Existence test. */
3755 return 0;
788e7dd4 3756
b197367e 3757 isec = inode_security(inode);
20dda18b 3758 if (sid == fsec->sid && fsec->isid == isec->sid &&
e67b7985 3759 fsec->pseqno == avc_policy_seqno())
83d49856 3760 /* No change since file_open check. */
20dda18b
SS		 3761 return 0;
3762
788e7dd4
YN		 3763 return selinux_revalidate_file_permission(file, mask);
3764}
3765
1da177e4
LT		 3766static int selinux_file_alloc_security(struct file *file)
3767{
cb89e246
PM		 3768 struct file_security_struct *fsec = selinux_file(file);
3769 u32 sid = current_sid();
3770
3771 fsec->sid = sid;
3772 fsec->fown_sid = sid;
3773
3774 return 0;
1da177e4
LT		 3775}
3776
fa1aa143
JVS		 3777/*
3778 * Check whether a task has the ioctl permission and cmd
3779 * operation to an inode.
3780 */
1d2a168a 3781static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3782 u32 requested, u16 cmd)
3783{
3784 struct common_audit_data ad;
bb6c6b02 3785 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3786 struct inode *inode = file_inode(file);
20cdef8d 3787 struct inode_security_struct *isec;
fa1aa143
JVS		 3788 struct lsm_ioctlop_audit ioctl;
3789 u32 ssid = cred_sid(cred);
3790 int rc;
3791 u8 driver = cmd >> 8;
3792 u8 xperm = cmd & 0xff;
3793
3794 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3795 ad.u.op = &ioctl;
3796 ad.u.op->cmd = cmd;
3797 ad.u.op->path = file->f_path;
3798
3799 if (ssid != fsec->sid) {
e67b7985 3800 rc = avc_has_perm(ssid, fsec->sid,
fa1aa143
JVS		 3801 SECCLASS_FD,
3802 FD__USE,
3803 &ad);
3804 if (rc)
3805 goto out;
3806 }
3807
3808 if (unlikely(IS_PRIVATE(inode)))
3809 return 0;
3810
20cdef8d 3811 isec = inode_security(inode);
5e7f0efd
TW		 3812 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested,
3813 driver, AVC_EXT_IOCTL, xperm, &ad);
fa1aa143
JVS		 3814out:
3815 return rc;
3816}
3817
1da177e4
LT		 3818static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3819 unsigned long arg)
3820{
88e67f3b 3821 const struct cred *cred = current_cred();
0b24dcb7 3822 int error = 0;
1da177e4 3823
0b24dcb7
EP		 3824 switch (cmd) {
3825 case FIONREAD:
0b24dcb7 3826 case FIBMAP:
0b24dcb7 3827 case FIGETBSZ:
2f99c369 3828 case FS_IOC_GETFLAGS:
2f99c369 3829 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3830 error = file_has_perm(cred, file, FILE__GETATTR);
3831 break;
1da177e4 3832
2f99c369 3833 case FS_IOC_SETFLAGS:
2f99c369 3834 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3835 error = file_has_perm(cred, file, FILE__SETATTR);
3836 break;
3837
3838 /* sys_ioctl() checks */
3839 case FIONBIO:
0b24dcb7
EP		 3840 case FIOASYNC:
3841 error = file_has_perm(cred, file, 0);
3842 break;
1da177e4 3843
0b24dcb7
EP		 3844 case KDSKBENT:
3845 case KDSKBSENT:
6a9de491 3846 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3847 CAP_OPT_NONE, true);
0b24dcb7
EP		 3848 break;
3849
65881e1d
RH		 3850 case FIOCLEX:
3851 case FIONCLEX:
3852 if (!selinux_policycap_ioctl_skip_cloexec())
3853 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3854 break;
3855
0b24dcb7
EP		 3856 /* default case assumes that the command will go
3857 * to the file's ioctl() function.
3858 */
3859 default:
fa1aa143 3860 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3861 }
3862 return error;
1da177e4
LT		 3863}
3864
f1bb47a3
AP		 3865static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3866 unsigned long arg)
3867{
3868 /*
3869 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3870 * make sure we don't compare 32-bit flags to 64-bit flags.
3871 */
3872 switch (cmd) {
3873 case FS_IOC32_GETFLAGS:
3874 cmd = FS_IOC_GETFLAGS;
3875 break;
3876 case FS_IOC32_SETFLAGS:
3877 cmd = FS_IOC_SETFLAGS;
3878 break;
3879 case FS_IOC32_GETVERSION:
3880 cmd = FS_IOC_GETVERSION;
3881 break;
3882 case FS_IOC32_SETVERSION:
3883 cmd = FS_IOC_SETVERSION;
3884 break;
3885 default:
3886 break;
3887 }
3888
3889 return selinux_file_ioctl(file, cmd, arg);
3890}
3891
b78b7d59 3892static int default_noexec __ro_after_init;
fcaaade1 3893
1da177e4
LT		 3894static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3895{
88e67f3b 3896 const struct cred *cred = current_cred();
be0554c9 3897 u32 sid = cred_sid(cred);
d84f4f99 3898 int rc = 0;
88e67f3b 3899
fcaaade1 3900 if (default_noexec &&
892e8cac
SS		 3901 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3902 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3903 /*
3904 * We are making executable an anonymous mapping or a
3905 * private file mapping that will also be writable.
3906 * This has an additional check.
3907 */
e67b7985 3908 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3909 PROCESS__EXECMEM, NULL);
1da177e4 3910 if (rc)
d84f4f99 3911 goto error;
1da177e4 3912 }
1da177e4
LT		 3913
3914 if (file) {
3915 /* read access is always possible with a mapping */
3916 u32 av = FILE__READ;
3917
3918 /* write access only matters if the mapping is shared */
3919 if (shared && (prot & PROT_WRITE))
3920 av |= FILE__WRITE;
3921
3922 if (prot & PROT_EXEC)
3923 av |= FILE__EXECUTE;
3924
88e67f3b 3925 return file_has_perm(cred, file, av);
1da177e4 3926 }
d84f4f99
DH		 3927
3928error:
3929 return rc;
1da177e4
LT		 3930}
3931
e5467859 3932static int selinux_mmap_addr(unsigned long addr)
1da177e4 3933{
b1d9e6b0 3934 int rc = 0;
1da177e4 3935
a2551df7 3936 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3937 u32 sid = current_sid();
e67b7985 3938 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
ed032189 3939 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3940 }
3941
98883bfd 3942 return rc;
e5467859 3943}
1da177e4 3944
a7e4676e
PM		 3945static int selinux_mmap_file(struct file *file,
3946 unsigned long reqprot __always_unused,
e5467859
AV		 3947 unsigned long prot, unsigned long flags)
3948{
3ba4bf5f
SS		 3949 struct common_audit_data ad;
3950 int rc;
3951
3952 if (file) {
3953 ad.type = LSM_AUDIT_DATA_FILE;
3954 ad.u.file = file;
3955 rc = inode_has_perm(current_cred(), file_inode(file),
3956 FILE__MAP, &ad);
3957 if (rc)
3958 return rc;
3959 }
3960
1da177e4
LT		 3961 return file_map_prot_check(file, prot,
3962 (flags & MAP_TYPE) == MAP_SHARED);
3963}
3964
3965static int selinux_file_mprotect(struct vm_area_struct *vma,
a7e4676e 3966 unsigned long reqprot __always_unused,
1da177e4
LT		 3967 unsigned long prot)
3968{
88e67f3b 3969 const struct cred *cred = current_cred();
be0554c9 3970 u32 sid = cred_sid(cred);
1da177e4 3971
fcaaade1
SS		 3972 if (default_noexec &&
3973 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3974 int rc = 0;
05a3d6e9
PM		 3975 /*
3976 * We don't use the vma_is_initial_heap() helper as it has
3977 * a history of problems and is currently broken on systems
3978 * where there is no heap, e.g. brk == start_brk. Before
3979 * replacing the conditional below with vma_is_initial_heap(),
3980 * or something similar, please ensure that the logic is the
3981 * same as what we have below or you have tested every possible
3982 * corner case you can think to test.
3983 */
3984 if (vma->vm_start >= vma->vm_mm->start_brk &&
3985 vma->vm_end <= vma->vm_mm->brk) {
e67b7985 3986 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3987 PROCESS__EXECHEAP, NULL);
68df1baf 3988 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
d17af505 3989 vma_is_stack_for_current(vma))) {
e67b7985 3990 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3991 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3992 } else if (vma->vm_file && vma->anon_vma) {
3993 /*
3994 * We are making executable a file mapping that has
3995 * had some COW done. Since pages might have been
3996 * written, check ability to execute the possibly
3997 * modified content. This typically should only
3998 * occur for text relocations.
3999 */
d84f4f99 4000 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 4001 }