]> git.ipfire.org Git - thirdparty/linux.git/blame - security/selinux/hooks.c
projects / thirdparty / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: fix a missing-check bug in selinux_sb_eat_lsm_opts()
[thirdparty/linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
442155c1
DH		 51#include <linux/fs_context.h>
52#include <linux/fs_parser.h>
1da177e4
LT		 53#include <linux/netfilter_ipv4.h>
54#include <linux/netfilter_ipv6.h>
55#include <linux/tty.h>
56#include <net/icmp.h>
227b60f5 57#include <net/ip.h> /* for local_port_range[] */
1da177e4 58#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 59#include <net/inet_connection_sock.h>
220deb96 60#include <net/net_namespace.h>
d621d35e 61#include <net/netlabel.h>
f5269710 62#include <linux/uaccess.h>
1da177e4 63#include <asm/ioctls.h>
60063497 64#include <linux/atomic.h>
1da177e4
LT		 65#include <linux/bitops.h>
66#include <linux/interrupt.h>
67#include <linux/netdevice.h> /* for network interface checks */
77954983 68#include <net/netlink.h>
1da177e4
LT		 69#include <linux/tcp.h>
70#include <linux/udp.h>
2ee92d46 71#include <linux/dccp.h>
d452930f
RH		 72#include <linux/sctp.h>
73#include <net/sctp/structs.h>
1da177e4
LT		 74#include <linux/quota.h>
75#include <linux/un.h> /* for Unix socket types */
76#include <net/af_unix.h> /* for Unix socket types */
77#include <linux/parser.h>
78#include <linux/nfs_mount.h>
79#include <net/ipv6.h>
80#include <linux/hugetlb.h>
81#include <linux/personality.h>
1da177e4 82#include <linux/audit.h>
6931dfc9 83#include <linux/string.h>
23970741 84#include <linux/mutex.h>
f06febc9 85#include <linux/posix-timers.h>
00234592 86#include <linux/syslog.h>
3486740a 87#include <linux/user_namespace.h>
44fc7ea0 88#include <linux/export.h>
40401530
AV		 89#include <linux/msg.h>
90#include <linux/shm.h>
ec27c356 91#include <linux/bpf.h>
ec882da5
OM		 92#include <linux/kernfs.h>
93#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 94#include <uapi/linux/mount.h>
1da177e4
LT		 95
96#include "avc.h"
97#include "objsec.h"
98#include "netif.h"
224dfbd8 99#include "netnode.h"
3e112172 100#include "netport.h"
409dcf31 101#include "ibpkey.h"
d28d1e08 102#include "xfrm.h"
c60475bf 103#include "netlabel.h"
9d57a7f9 104#include "audit.h"
7b98a585 105#include "avc_ss.h"
1da177e4 106
aa8e712c
SS		 107struct selinux_state selinux_state;
108
d621d35e 109/* SECMARK reference count */
56a4ca99 110static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 111
1da177e4 112#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 113static int selinux_enforcing_boot;
1da177e4
LT		 114
115static int __init enforcing_setup(char *str)
116{
f5269710 117 unsigned long enforcing;
29707b20 118 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 119 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 120 return 1;
121}
122__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 123#else
124#define selinux_enforcing_boot 1
1da177e4
LT		 125#endif
126
be6ec88f 127int selinux_enabled __lsm_ro_after_init = 1;
1da177e4 128#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 129static int __init selinux_enabled_setup(char *str)
130{
f5269710 131 unsigned long enabled;
29707b20 132 if (!kstrtoul(str, 0, &enabled))
f5269710 133 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 134 return 1;
135}
136__setup("selinux=", selinux_enabled_setup);
137#endif
138
aa8e712c
SS		 139static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot))
147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 return 1;
149}
150__setup("checkreqprot=", checkreqprot_setup);
151
d621d35e
PM		 152/**
153 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
154 *
155 * Description:
156 * This function checks the SECMARK reference counter to see if any SECMARK
157 * targets are currently configured, if the reference counter is greater than
158 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 159 * enabled, false (0) if SECMARK is disabled. If the always_check_network
160 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 161 *
162 */
163static int selinux_secmark_enabled(void)
164{
aa8e712c
SS		 165 return (selinux_policycap_alwaysnetwork() ||
166 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 167}
168
169/**
170 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
171 *
172 * Description:
173 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
174 * (1) if any are enabled or false (0) if neither are enabled. If the
175 * always_check_network policy capability is enabled, peer labeling
176 * is always considered enabled.
177 *
178 */
179static int selinux_peerlbl_enabled(void)
180{
aa8e712c
SS		 181 return (selinux_policycap_alwaysnetwork() ||
182 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 183}
184
615e51fd
PM		 185static int selinux_netcache_avc_callback(u32 event)
186{
187 if (event == AVC_CALLBACK_RESET) {
188 sel_netif_flush();
189 sel_netnode_flush();
190 sel_netport_flush();
191 synchronize_net();
192 }
193 return 0;
194}
195
8f408ab6
DJ		 196static int selinux_lsm_notifier_avc_callback(u32 event)
197{
409dcf31
DJ		 198 if (event == AVC_CALLBACK_RESET) {
199 sel_ib_pkey_flush();
8f408ab6 200 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 201 }
8f408ab6
DJ		 202
203 return 0;
204}
205
d84f4f99
DH		 206/*
207 * initialise the security for the init task
208 */
209static void cred_init_security(void)
1da177e4 210{
3b11a1de 211 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 212 struct task_security_struct *tsec;
213
bbd3662a 214 tsec = selinux_cred(cred);
d84f4f99 215 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 216}
217
88e67f3b
DH		 218/*
219 * get the security ID of a set of credentials
220 */
221static inline u32 cred_sid(const struct cred *cred)
222{
223 const struct task_security_struct *tsec;
224
0c6cfa62 225 tsec = selinux_cred(cred);
88e67f3b
DH		 226 return tsec->sid;
227}
228
275bb41e 229/*
3b11a1de 230 * get the objective security ID of a task
275bb41e
DH		 231 */
232static inline u32 task_sid(const struct task_struct *task)
233{
275bb41e
DH		 234 u32 sid;
235
236 rcu_read_lock();
88e67f3b 237 sid = cred_sid(__task_cred(task));
275bb41e
DH		 238 rcu_read_unlock();
239 return sid;
240}
241
88e67f3b
DH		 242/* Allocate and free functions for each kind of security blob. */
243
1da177e4
LT		 244static int inode_alloc_security(struct inode *inode)
245{
afb1cbe3 246 struct inode_security_struct *isec = selinux_inode(inode);
275bb41e 247 u32 sid = current_sid();
1da177e4 248
9287aed2 249 spin_lock_init(&isec->lock);
1da177e4 250 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 251 isec->inode = inode;
252 isec->sid = SECINITSID_UNLABELED;
253 isec->sclass = SECCLASS_FILE;
275bb41e 254 isec->task_sid = sid;
42059112 255 isec->initialized = LABEL_INVALID;
1da177e4
LT		 256
257 return 0;
258}
259
5d226df4
AG		 260static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
261
262/*
263 * Try reloading inode security labels that have been marked as invalid. The
264 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 265 * allowed; when set to false, returns -ECHILD when the label is
e9193288 266 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 267 */
268static int __inode_security_revalidate(struct inode *inode,
e9193288 269 struct dentry *dentry,
5d226df4
AG		 270 bool may_sleep)
271{
80788c22 272 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 273
274 might_sleep_if(may_sleep);
275
aa8e712c
SS		 276 if (selinux_state.initialized &&
277 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 278 if (!may_sleep)
279 return -ECHILD;
280
281 /*
282 * Try reloading the inode security label. This will fail if
283 * @opt_dentry is NULL and no dentry for this inode can be
284 * found; in that case, continue using the old label.
285 */
e9193288 286 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 287 }
288 return 0;
289}
290
5d226df4
AG		 291static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
292{
80788c22 293 return selinux_inode(inode);
5d226df4
AG		 294}
295
296static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
297{
298 int error;
299
300 error = __inode_security_revalidate(inode, NULL, !rcu);
301 if (error)
302 return ERR_PTR(error);
80788c22 303 return selinux_inode(inode);
5d226df4
AG		 304}
305
83da53c5
AG		 306/*
307 * Get the security label of an inode.
308 */
309static struct inode_security_struct *inode_security(struct inode *inode)
310{
5d226df4 311 __inode_security_revalidate(inode, NULL, true);
80788c22 312 return selinux_inode(inode);
83da53c5
AG		 313}
314
2c97165b
PM		 315static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
316{
317 struct inode *inode = d_backing_inode(dentry);
318
80788c22 319 return selinux_inode(inode);
2c97165b
PM		 320}
321
83da53c5
AG		 322/*
323 * Get the security label of a dentry's backing inode.
324 */
325static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
326{
327 struct inode *inode = d_backing_inode(dentry);
328
5d226df4 329 __inode_security_revalidate(inode, dentry, true);
80788c22 330 return selinux_inode(inode);
83da53c5
AG		 331}
332
1da177e4
LT		 333static void inode_free_security(struct inode *inode)
334{
80788c22 335 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 336 struct superblock_security_struct *sbsec;
1da177e4 337
afb1cbe3
CS		 338 if (!isec)
339 return;
340 sbsec = inode->i_sb->s_security;
9629d04a
WL		 341 /*
342 * As not all inode security structures are in a list, we check for
343 * empty list outside of the lock to make sure that we won't waste
344 * time taking a lock doing nothing.
345 *
346 * The list_del_init() function can be safely called more than once.
347 * It should not be possible for this function to be called with
348 * concurrent list_add(), but for better safety against future changes
349 * in the code, we use list_empty_careful() here.
350 */
351 if (!list_empty_careful(&isec->list)) {
352 spin_lock(&sbsec->isec_lock);
1da177e4 353 list_del_init(&isec->list);
9629d04a
WL		 354 spin_unlock(&sbsec->isec_lock);
355 }
1da177e4
LT		 356}
357
358static int file_alloc_security(struct file *file)
359{
33bf60ca 360 struct file_security_struct *fsec = selinux_file(file);
275bb41e 361 u32 sid = current_sid();
1da177e4 362
275bb41e
DH		 363 fsec->sid = sid;
364 fsec->fown_sid = sid;
1da177e4
LT		 365
366 return 0;
367}
368
1da177e4
LT		 369static int superblock_alloc_security(struct super_block *sb)
370{
371 struct superblock_security_struct *sbsec;
372
89d155ef 373 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 374 if (!sbsec)
375 return -ENOMEM;
376
bc7e982b 377 mutex_init(&sbsec->lock);
1da177e4
LT		 378 INIT_LIST_HEAD(&sbsec->isec_head);
379 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 380 sbsec->sb = sb;
381 sbsec->sid = SECINITSID_UNLABELED;
382 sbsec->def_sid = SECINITSID_FILE;
c312feb2 383 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 384 sb->s_security = sbsec;
385
386 return 0;
387}
388
389static void superblock_free_security(struct super_block *sb)
390{
391 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 392 sb->s_security = NULL;
393 kfree(sbsec);
394}
395
bd323655
AV		 396struct selinux_mnt_opts {
397 const char *fscontext, *context, *rootcontext, *defcontext;
398};
399
204cc0cc
AV		 400static void selinux_free_mnt_opts(void *mnt_opts)
401{
bd323655
AV		 402 struct selinux_mnt_opts *opts = mnt_opts;
403 kfree(opts->fscontext);
404 kfree(opts->context);
405 kfree(opts->rootcontext);
406 kfree(opts->defcontext);
204cc0cc
AV		 407 kfree(opts);
408}
409
1da177e4
LT		 410static inline int inode_doinit(struct inode *inode)
411{
412 return inode_doinit_with_dentry(inode, NULL);
413}
414
415enum {
31e87930 416 Opt_error = -1,
442155c1
DH		 417 Opt_context = 0,
418 Opt_defcontext = 1,
1da177e4 419 Opt_fscontext = 2,
442155c1
DH		 420 Opt_rootcontext = 3,
421 Opt_seclabel = 4,
1da177e4
LT		 422};
423
da3d76ab 424#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 425static struct {
426 const char *name;
427 int len;
428 int opt;
429 bool has_arg;
430} tokens[] = {
da3d76ab
AV		 431 A(context, true),
432 A(fscontext, true),
433 A(defcontext, true),
434 A(rootcontext, true),
435 A(seclabel, false),
1da177e4 436};
169d68ef
AV		 437#undef A
438
439static int match_opt_prefix(char *s, int l, char **arg)
440{
441 int i;
442
443 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
444 size_t len = tokens[i].len;
445 if (len > l || memcmp(s, tokens[i].name, len))
446 continue;
447 if (tokens[i].has_arg) {
448 if (len == l || s[len] != '=')
449 continue;
450 *arg = s + len + 1;
451 } else if (len != l)
452 continue;
453 return tokens[i].opt;
454 }
455 return Opt_error;
456}
1da177e4
LT		 457
458#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
459
c312feb2
EP		 460static int may_context_mount_sb_relabel(u32 sid,
461 struct superblock_security_struct *sbsec,
275bb41e 462 const struct cred *cred)
c312feb2 463{
0c6cfa62 464 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 465 int rc;
466
6b6bc620
SS		 467 rc = avc_has_perm(&selinux_state,
468 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 469 FILESYSTEM__RELABELFROM, NULL);
470 if (rc)
471 return rc;
472
6b6bc620
SS		 473 rc = avc_has_perm(&selinux_state,
474 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 475 FILESYSTEM__RELABELTO, NULL);
476 return rc;
477}
478
0808925e
EP		 479static int may_context_mount_inode_relabel(u32 sid,
480 struct superblock_security_struct *sbsec,
275bb41e 481 const struct cred *cred)
0808925e 482{
0c6cfa62 483 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 484 int rc;
6b6bc620
SS		 485 rc = avc_has_perm(&selinux_state,
486 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 487 FILESYSTEM__RELABELFROM, NULL);
488 if (rc)
489 return rc;
490
6b6bc620
SS		 491 rc = avc_has_perm(&selinux_state,
492 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 493 FILESYSTEM__ASSOCIATE, NULL);
494 return rc;
495}
496
a83d6dda 497static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 498{
a83d6dda
OM		 499 /* Special handling. Genfs but also in-core setxattr handler */
500 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 501 !strcmp(sb->s_type->name, "pstore") ||
502 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 503 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 504 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 505 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 506 (!strcmp(sb->s_type->name, "cgroup") ||
507 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 508}
509
a83d6dda
OM		 510static int selinux_is_sblabel_mnt(struct super_block *sb)
511{
512 struct superblock_security_struct *sbsec = sb->s_security;
513
514 /*
515 * IMPORTANT: Double-check logic in this function when adding a new
516 * SECURITY_FS_USE_* definition!
517 */
518 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
519
520 switch (sbsec->behavior) {
521 case SECURITY_FS_USE_XATTR:
522 case SECURITY_FS_USE_TRANS:
523 case SECURITY_FS_USE_TASK:
524 case SECURITY_FS_USE_NATIVE:
525 return 1;
526
527 case SECURITY_FS_USE_GENFS:
528 return selinux_is_genfs_special_handling(sb);
529
530 /* Never allow relabeling on context mounts */
531 case SECURITY_FS_USE_MNTPOINT:
532 case SECURITY_FS_USE_NONE:
533 default:
534 return 0;
535 }
536}
537
c9180a57 538static int sb_finish_set_opts(struct super_block *sb)
1da177e4 539{
1da177e4 540 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 541 struct dentry *root = sb->s_root;
c6f493d6 542 struct inode *root_inode = d_backing_inode(root);
c9180a57 543 int rc = 0;
1da177e4 544
c9180a57
EP		 545 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
546 /* Make sure that the xattr handler exists and that no
547 error other than -ENODATA is returned by getxattr on
548 the root directory. -ENODATA is ok, as this may be
549 the first boot of the SELinux kernel before we have
550 assigned xattr values to the filesystem. */
5d6c3191 551 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 552 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 553 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 554 rc = -EOPNOTSUPP;
555 goto out;
556 }
5d6c3191
AG		 557
558 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 559 if (rc < 0 && rc != -ENODATA) {
560 if (rc == -EOPNOTSUPP)
c103a91e 561 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 562 "%s) has no security xattr handler\n",
563 sb->s_id, sb->s_type->name);
c9180a57 564 else
c103a91e 565 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 566 "%s) getxattr errno %d\n", sb->s_id,
567 sb->s_type->name, -rc);
c9180a57
EP		 568 goto out;
569 }
570 }
1da177e4 571
eadcabc6 572 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 573
574 /*
575 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
576 * leave the flag untouched because sb_clone_mnt_opts might be handing
577 * us a superblock that needs the flag to be cleared.
578 */
b43e725d 579 if (selinux_is_sblabel_mnt(sb))
12f348b9 580 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 581 else
582 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 583
c9180a57
EP		 584 /* Initialize the root inode. */
585 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 586
c9180a57
EP		 587 /* Initialize any other inodes associated with the superblock, e.g.
588 inodes created prior to initial policy load or inodes created
589 during get_sb by a pseudo filesystem that directly
590 populates itself. */
591 spin_lock(&sbsec->isec_lock);
8d64124a 592 while (!list_empty(&sbsec->isec_head)) {
c9180a57 593 struct inode_security_struct *isec =
8d64124a 594 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 595 struct inode_security_struct, list);
596 struct inode *inode = isec->inode;
923190d3 597 list_del_init(&isec->list);
c9180a57
EP		 598 spin_unlock(&sbsec->isec_lock);
599 inode = igrab(inode);
600 if (inode) {
601 if (!IS_PRIVATE(inode))
602 inode_doinit(inode);
603 iput(inode);
604 }
605 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 606 }
607 spin_unlock(&sbsec->isec_lock);
608out:
609 return rc;
610}
1da177e4 611
c9180a57
EP		 612static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 u32 old_sid, u32 new_sid)
614{
0d90a7ec
DQ		 615 char mnt_flags = sbsec->flags & SE_MNTMASK;
616
c9180a57 617 /* check if the old mount command had the same options */
0d90a7ec 618 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 619 if (!(sbsec->flags & flag) ||
620 (old_sid != new_sid))
621 return 1;
622
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
625 */
0d90a7ec
DQ		 626 if (!(sbsec->flags & SE_SBINITIALIZED))
627 if (mnt_flags & flag)
c9180a57
EP		 628 return 1;
629 return 0;
630}
e0007529 631
bd323655
AV		 632static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
633{
634 int rc = security_context_str_to_sid(&selinux_state, s,
635 sid, GFP_KERNEL);
636 if (rc)
637 pr_warn("SELinux: security_context_str_to_sid"
638 "(%s) failed for (dev %s, type %s) errno=%d\n",
639 s, sb->s_id, sb->s_type->name, rc);
640 return rc;
641}
642
c9180a57
EP		 643/*
644 * Allow filesystems with binary mount data to explicitly set mount point
645 * labeling information.
646 */
e0007529 647static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 648 void *mnt_opts,
649f6e77
DQ		 649 unsigned long kern_flags,
650 unsigned long *set_kern_flags)
c9180a57 651{
275bb41e 652 const struct cred *cred = current_cred();
c9180a57 653 struct superblock_security_struct *sbsec = sb->s_security;
83da53c5 654 struct dentry *root = sbsec->sb->s_root;
bd323655 655 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 656 struct inode_security_struct *root_isec;
c9180a57
EP		 657 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
658 u32 defcontext_sid = 0;
bd323655 659 int rc = 0;
c9180a57
EP		 660
661 mutex_lock(&sbsec->lock);
662
aa8e712c 663 if (!selinux_state.initialized) {
bd323655 664 if (!opts) {
c9180a57
EP		 665 /* Defer initialization until selinux_complete_init,
666 after the initial policy is loaded and the security
667 server is ready to handle calls. */
c9180a57
EP		 668 goto out;
669 }
670 rc = -EINVAL;
c103a91e 671 pr_warn("SELinux: Unable to set superblock options "
744ba35e 672 "before the security server is initialized\n");
1da177e4 673 goto out;
c9180a57 674 }
649f6e77
DQ		 675 if (kern_flags && !set_kern_flags) {
676 /* Specifying internal flags without providing a place to
677 * place the results is not allowed */
678 rc = -EINVAL;
679 goto out;
680 }
1da177e4 681
e0007529
EP		 682 /*
683 * Binary mount data FS will come through this function twice. Once
684 * from an explicit call and once from the generic calls from the vfs.
685 * Since the generic VFS calls will not contain any security mount data
686 * we need to skip the double mount verification.
687 *
688 * This does open a hole in which we will not notice if the first
689 * mount using this sb set explict options and a second mount using
690 * this sb does not set any security options. (The first options
691 * will be used for both mounts)
692 */
0d90a7ec 693 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 694 && !opts)
f5269710 695 goto out;
e0007529 696
2c97165b
PM		 697 root_isec = backing_inode_security_novalidate(root);
698
c9180a57
EP		 699 /*
700 * parse the mount options, check if they are valid sids.
701 * also check if someone is trying to mount the same sb more
702 * than once with different security options.
703 */
bd323655
AV		 704 if (opts) {
705 if (opts->fscontext) {
706 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
707 if (rc)
708 goto out;
c9180a57
EP		 709 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
710 fscontext_sid))
711 goto out_double_mount;
c9180a57 712 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 713 }
714 if (opts->context) {
715 rc = parse_sid(sb, opts->context, &context_sid);
716 if (rc)
717 goto out;
c9180a57
EP		 718 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
719 context_sid))
720 goto out_double_mount;
c9180a57 721 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 722 }
723 if (opts->rootcontext) {
724 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
725 if (rc)
726 goto out;
c9180a57
EP		 727 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
728 rootcontext_sid))
729 goto out_double_mount;
c9180a57 730 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 731 }
732 if (opts->defcontext) {
733 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
734 if (rc)
735 goto out;
c9180a57
EP		 736 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
737 defcontext_sid))
738 goto out_double_mount;
c9180a57 739 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 740 }
c9180a57
EP		 741 }
742
0d90a7ec 743 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 744 /* previously mounted with options, but not on this attempt? */
bd323655 745 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 746 goto out_double_mount;
747 rc = 0;
748 goto out;
749 }
750
089be43e 751 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 752 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
753
8e014720 754 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 755 !strcmp(sb->s_type->name, "tracefs") ||
b754026b
OM		 756 !strcmp(sb->s_type->name, "pstore"))
757 sbsec->flags |= SE_SBGENFS;
758
759 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 760 !strcmp(sb->s_type->name, "cgroup") ||
761 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 762 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 763
eb9ae686
DQ		 764 if (!sbsec->behavior) {
765 /*
766 * Determine the labeling behavior to use for this
767 * filesystem type.
768 */
aa8e712c 769 rc = security_fs_use(&selinux_state, sb);
eb9ae686 770 if (rc) {
c103a91e 771 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 772 __func__, sb->s_type->name, rc);
773 goto out;
774 }
c9180a57 775 }
aad82892
SF		 776
777 /*
01593d32
SS		 778 * If this is a user namespace mount and the filesystem type is not
779 * explicitly whitelisted, then no contexts are allowed on the command
780 * line and security labels must be ignored.
aad82892 781 */
01593d32
SS		 782 if (sb->s_user_ns != &init_user_ns &&
783 strcmp(sb->s_type->name, "tmpfs") &&
784 strcmp(sb->s_type->name, "ramfs") &&
785 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 786 if (context_sid || fscontext_sid || rootcontext_sid ||
787 defcontext_sid) {
788 rc = -EACCES;
789 goto out;
790 }
791 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
792 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 793 rc = security_transition_sid(&selinux_state,
794 current_sid(),
795 current_sid(),
aad82892
SF		 796 SECCLASS_FILE, NULL,
797 &sbsec->mntpoint_sid);
798 if (rc)
799 goto out;
800 }
801 goto out_set_opts;
802 }
803
c9180a57
EP		 804 /* sets the context of the superblock for the fs being mounted. */
805 if (fscontext_sid) {
275bb41e 806 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 807 if (rc)
c9180a57 808 goto out;
1da177e4 809
c9180a57 810 sbsec->sid = fscontext_sid;
c312feb2
EP		 811 }
812
813 /*
814 * Switch to using mount point labeling behavior.
815 * sets the label used on all file below the mountpoint, and will set
816 * the superblock context if not already set.
817 */
eb9ae686
DQ		 818 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
819 sbsec->behavior = SECURITY_FS_USE_NATIVE;
820 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
821 }
822
c9180a57
EP		 823 if (context_sid) {
824 if (!fscontext_sid) {
275bb41e
DH		 825 rc = may_context_mount_sb_relabel(context_sid, sbsec,
826 cred);
b04ea3ce 827 if (rc)
c9180a57
EP		 828 goto out;
829 sbsec->sid = context_sid;
b04ea3ce 830 } else {
275bb41e
DH		 831 rc = may_context_mount_inode_relabel(context_sid, sbsec,
832 cred);
b04ea3ce 833 if (rc)
c9180a57 834 goto out;
b04ea3ce 835 }
c9180a57
EP		 836 if (!rootcontext_sid)
837 rootcontext_sid = context_sid;
1da177e4 838
c9180a57 839 sbsec->mntpoint_sid = context_sid;
c312feb2 840 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 841 }
842
c9180a57 843 if (rootcontext_sid) {
275bb41e
DH		 844 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
845 cred);
0808925e 846 if (rc)
c9180a57 847 goto out;
0808925e 848
c9180a57 849 root_isec->sid = rootcontext_sid;
6f3be9f5 850 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 851 }
852
c9180a57 853 if (defcontext_sid) {
eb9ae686
DQ		 854 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
855 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 856 rc = -EINVAL;
c103a91e 857 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 858 "invalid for this filesystem type\n");
859 goto out;
1da177e4
LT		 860 }
861
c9180a57
EP		 862 if (defcontext_sid != sbsec->def_sid) {
863 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 864 sbsec, cred);
c9180a57
EP		 865 if (rc)
866 goto out;
867 }
1da177e4 868
c9180a57 869 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 870 }
871
aad82892 872out_set_opts:
c9180a57 873 rc = sb_finish_set_opts(sb);
1da177e4 874out:
c9180a57 875 mutex_unlock(&sbsec->lock);
1da177e4 876 return rc;
c9180a57
EP		 877out_double_mount:
878 rc = -EINVAL;
c103a91e 879 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 880 "security settings for (dev %s, type %s)\n", sb->s_id,
881 sb->s_type->name);
c9180a57 882 goto out;
1da177e4
LT		 883}
884
094f7b69
JL		 885static int selinux_cmp_sb_context(const struct super_block *oldsb,
886 const struct super_block *newsb)
887{
888 struct superblock_security_struct *old = oldsb->s_security;
889 struct superblock_security_struct *new = newsb->s_security;
890 char oldflags = old->flags & SE_MNTMASK;
891 char newflags = new->flags & SE_MNTMASK;
892
893 if (oldflags != newflags)
894 goto mismatch;
895 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
896 goto mismatch;
897 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
898 goto mismatch;
899 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
900 goto mismatch;
901 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 902 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
903 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 904 if (oldroot->sid != newroot->sid)
905 goto mismatch;
906 }
907 return 0;
908mismatch:
c103a91e 909 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 910 "different security settings for (dev %s, "
911 "type %s)\n", newsb->s_id, newsb->s_type->name);
912 return -EBUSY;
913}
914
915static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 916 struct super_block *newsb,
917 unsigned long kern_flags,
918 unsigned long *set_kern_flags)
1da177e4 919{
0b4d3452 920 int rc = 0;
c9180a57
EP		 921 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
922 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 923
c9180a57
EP		 924 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
925 int set_context = (oldsbsec->flags & CONTEXT_MNT);
926 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 927
0f5e6420
EP		 928 /*
929 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 930 * mount options. thus we can safely deal with this superblock later
0f5e6420 931 */
aa8e712c 932 if (!selinux_state.initialized)
094f7b69 933 return 0;
c9180a57 934
0b4d3452
SM		 935 /*
936 * Specifying internal flags without providing a place to
937 * place the results is not allowed.
938 */
939 if (kern_flags && !set_kern_flags)
940 return -EINVAL;
941
c9180a57 942 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 943 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 944
094f7b69 945 /* if fs is reusing a sb, make sure that the contexts match */
3815a245
BF		 946 if (newsbsec->flags & SE_SBINITIALIZED) {
947 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
948 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 949 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 950 }
5a552617 951
c9180a57
EP		 952 mutex_lock(&newsbsec->lock);
953
954 newsbsec->flags = oldsbsec->flags;
955
956 newsbsec->sid = oldsbsec->sid;
957 newsbsec->def_sid = oldsbsec->def_sid;
958 newsbsec->behavior = oldsbsec->behavior;
959
0b4d3452
SM		 960 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
961 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 962 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 963 if (rc)
964 goto out;
965 }
966
967 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
968 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
969 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
970 }
971
c9180a57
EP		 972 if (set_context) {
973 u32 sid = oldsbsec->mntpoint_sid;
974
975 if (!set_fscontext)
976 newsbsec->sid = sid;
977 if (!set_rootcontext) {
83da53c5 978 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 979 newisec->sid = sid;
980 }
981 newsbsec->mntpoint_sid = sid;
1da177e4 982 }
c9180a57 983 if (set_rootcontext) {
83da53c5
AG		 984 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
985 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 986
c9180a57 987 newisec->sid = oldisec->sid;
1da177e4
LT		 988 }
989
c9180a57 990 sb_finish_set_opts(newsb);
0b4d3452 991out:
c9180a57 992 mutex_unlock(&newsbsec->lock);
0b4d3452 993 return rc;
c9180a57
EP		 994}
995
ba641862 996static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 997{
ba641862 998 struct selinux_mnt_opts *opts = *mnt_opts;
1da177e4 999
da3d76ab 1000 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef 1001 return 0;
e0007529 1002
ba641862
AV		 1003 if (!opts) {
1004 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1005 if (!opts)
1006 return -ENOMEM;
1007 *mnt_opts = opts;
c9180a57 1008 }
ba641862
AV		 1009 if (!s)
1010 return -ENOMEM;
1011 switch (token) {
1012 case Opt_context:
1013 if (opts->context || opts->defcontext)
1014 goto Einval;
1015 opts->context = s;
1016 break;
1017 case Opt_fscontext:
1018 if (opts->fscontext)
1019 goto Einval;
1020 opts->fscontext = s;
1021 break;
1022 case Opt_rootcontext:
1023 if (opts->rootcontext)
1024 goto Einval;
1025 opts->rootcontext = s;
1026 break;
1027 case Opt_defcontext:
1028 if (opts->context || opts->defcontext)
1029 goto Einval;
1030 opts->defcontext = s;
1031 break;
c9180a57 1032 }
e0007529 1033 return 0;
ba641862
AV		 1034Einval:
1035 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1036 return -EINVAL;
1da177e4 1037}
e0007529 1038
757cbe59
AV		 1039static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1040 void **mnt_opts)
c9180a57 1041{
757cbe59
AV		 1042 int token = Opt_error;
1043 int rc, i;
e0007529 1044
757cbe59
AV		 1045 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1046 if (strcmp(option, tokens[i].name) == 0) {
1047 token = tokens[i].opt;
1048 break;
169d68ef 1049 }
757cbe59 1050 }
e0007529 1051
757cbe59
AV		 1052 if (token == Opt_error)
1053 return -EINVAL;
e0007529 1054
e2e0e097 1055 if (token != Opt_seclabel) {
757cbe59 1056 val = kmemdup_nul(val, len, GFP_KERNEL);
e2e0e097
GZ		 1057 if (!val) {
1058 rc = -ENOMEM;
1059 goto free_opt;
1060 }
1061 }
757cbe59
AV		 1062 rc = selinux_add_opt(token, val, mnt_opts);
1063 if (unlikely(rc)) {
1064 kfree(val);
e2e0e097
GZ		 1065 goto free_opt;
1066 }
1067 return rc;
1068
1069free_opt:
1070 if (*mnt_opts) {
1071 selinux_free_mnt_opts(*mnt_opts);
1072 *mnt_opts = NULL;
1da177e4 1073 }
e0007529
EP		 1074 return rc;
1075}
1da177e4 1076
e3489f89 1077static int show_sid(struct seq_file *m, u32 sid)
2069f457 1078{
e3489f89
AV		 1079 char *context = NULL;
1080 u32 len;
1081 int rc;
11689d47 1082
e3489f89
AV		 1083 rc = security_sid_to_context(&selinux_state, sid,
1084 &context, &len);
1085 if (!rc) {
1086 bool has_comma = context && strchr(context, ',');
2069f457 1087
442155c1 1088 seq_putc(m, '=');
2069f457
EP		 1089 if (has_comma)
1090 seq_putc(m, '\"');
e3489f89 1091 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1092 if (has_comma)
1093 seq_putc(m, '\"');
1094 }
e3489f89
AV		 1095 kfree(context);
1096 return rc;
2069f457
EP		 1097}
1098
1099static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1100{
e3489f89 1101 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1102 int rc;
1103
e3489f89
AV		 1104 if (!(sbsec->flags & SE_SBINITIALIZED))
1105 return 0;
2069f457 1106
e3489f89
AV		 1107 if (!selinux_state.initialized)
1108 return 0;
2069f457 1109
e3489f89
AV		 1110 if (sbsec->flags & FSCONTEXT_MNT) {
1111 seq_putc(m, ',');
1112 seq_puts(m, FSCONTEXT_STR);
1113 rc = show_sid(m, sbsec->sid);
1114 if (rc)
1115 return rc;
1116 }
1117 if (sbsec->flags & CONTEXT_MNT) {
1118 seq_putc(m, ',');
1119 seq_puts(m, CONTEXT_STR);
1120 rc = show_sid(m, sbsec->mntpoint_sid);
1121 if (rc)
1122 return rc;
1123 }
1124 if (sbsec->flags & DEFCONTEXT_MNT) {
1125 seq_putc(m, ',');
1126 seq_puts(m, DEFCONTEXT_STR);
1127 rc = show_sid(m, sbsec->def_sid);
1128 if (rc)
1129 return rc;
1130 }
1131 if (sbsec->flags & ROOTCONTEXT_MNT) {
1132 struct dentry *root = sbsec->sb->s_root;
1133 struct inode_security_struct *isec = backing_inode_security(root);
1134 seq_putc(m, ',');
1135 seq_puts(m, ROOTCONTEXT_STR);
1136 rc = show_sid(m, isec->sid);
1137 if (rc)
1138 return rc;
1139 }
1140 if (sbsec->flags & SBLABEL_MNT) {
1141 seq_putc(m, ',');
442155c1 1142 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1143 }
1144 return 0;
2069f457
EP		 1145}
1146
1da177e4
LT		 1147static inline u16 inode_mode_to_security_class(umode_t mode)
1148{
1149 switch (mode & S_IFMT) {
1150 case S_IFSOCK:
1151 return SECCLASS_SOCK_FILE;
1152 case S_IFLNK:
1153 return SECCLASS_LNK_FILE;
1154 case S_IFREG:
1155 return SECCLASS_FILE;
1156 case S_IFBLK:
1157 return SECCLASS_BLK_FILE;
1158 case S_IFDIR:
1159 return SECCLASS_DIR;
1160 case S_IFCHR:
1161 return SECCLASS_CHR_FILE;
1162 case S_IFIFO:
1163 return SECCLASS_FIFO_FILE;
1164
1165 }
1166
1167 return SECCLASS_FILE;
1168}
1169
13402580
JM		 1170static inline int default_protocol_stream(int protocol)
1171{
1172 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1173}
1174
1175static inline int default_protocol_dgram(int protocol)
1176{
1177 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1178}
1179
1da177e4
LT		 1180static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1181{
aa8e712c 1182 int extsockclass = selinux_policycap_extsockclass();
da69a530 1183
1da177e4
LT		 1184 switch (family) {
1185 case PF_UNIX:
1186 switch (type) {
1187 case SOCK_STREAM:
1188 case SOCK_SEQPACKET:
1189 return SECCLASS_UNIX_STREAM_SOCKET;
1190 case SOCK_DGRAM:
2a764b52 1191 case SOCK_RAW:
1da177e4
LT		 1192 return SECCLASS_UNIX_DGRAM_SOCKET;
1193 }
1194 break;
1195 case PF_INET:
1196 case PF_INET6:
1197 switch (type) {
1198 case SOCK_STREAM:
da69a530 1199 case SOCK_SEQPACKET:
13402580
JM		 1200 if (default_protocol_stream(protocol))
1201 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1202 else if (extsockclass && protocol == IPPROTO_SCTP)
1203 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1204 else
1205 return SECCLASS_RAWIP_SOCKET;
1da177e4 1206 case SOCK_DGRAM:
13402580
JM		 1207 if (default_protocol_dgram(protocol))
1208 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1209 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1210 protocol == IPPROTO_ICMPV6))
da69a530 1211 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1212 else
1213 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1214 case SOCK_DCCP:
1215 return SECCLASS_DCCP_SOCKET;
13402580 1216 default:
1da177e4
LT		 1217 return SECCLASS_RAWIP_SOCKET;
1218 }
1219 break;
1220 case PF_NETLINK:
1221 switch (protocol) {
1222 case NETLINK_ROUTE:
1223 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1224 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1225 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1226 case NETLINK_NFLOG:
1227 return SECCLASS_NETLINK_NFLOG_SOCKET;
1228 case NETLINK_XFRM:
1229 return SECCLASS_NETLINK_XFRM_SOCKET;
1230 case NETLINK_SELINUX:
1231 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1232 case NETLINK_ISCSI:
1233 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1234 case NETLINK_AUDIT:
1235 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1236 case NETLINK_FIB_LOOKUP:
1237 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1238 case NETLINK_CONNECTOR:
1239 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1240 case NETLINK_NETFILTER:
1241 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1242 case NETLINK_DNRTMSG:
1243 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1244 case NETLINK_KOBJECT_UEVENT:
1245 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1246 case NETLINK_GENERIC:
1247 return SECCLASS_NETLINK_GENERIC_SOCKET;
1248 case NETLINK_SCSITRANSPORT:
1249 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1250 case NETLINK_RDMA:
1251 return SECCLASS_NETLINK_RDMA_SOCKET;
1252 case NETLINK_CRYPTO:
1253 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1254 default:
1255 return SECCLASS_NETLINK_SOCKET;
1256 }
1257 case PF_PACKET:
1258 return SECCLASS_PACKET_SOCKET;
1259 case PF_KEY:
1260 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1261 case PF_APPLETALK:
1262 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1263 }
1264
da69a530
SS		 1265 if (extsockclass) {
1266 switch (family) {
1267 case PF_AX25:
1268 return SECCLASS_AX25_SOCKET;
1269 case PF_IPX:
1270 return SECCLASS_IPX_SOCKET;
1271 case PF_NETROM:
1272 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1273 case PF_ATMPVC:
1274 return SECCLASS_ATMPVC_SOCKET;
1275 case PF_X25:
1276 return SECCLASS_X25_SOCKET;
1277 case PF_ROSE:
1278 return SECCLASS_ROSE_SOCKET;
1279 case PF_DECnet:
1280 return SECCLASS_DECNET_SOCKET;
1281 case PF_ATMSVC:
1282 return SECCLASS_ATMSVC_SOCKET;
1283 case PF_RDS:
1284 return SECCLASS_RDS_SOCKET;
1285 case PF_IRDA:
1286 return SECCLASS_IRDA_SOCKET;
1287 case PF_PPPOX:
1288 return SECCLASS_PPPOX_SOCKET;
1289 case PF_LLC:
1290 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1291 case PF_CAN:
1292 return SECCLASS_CAN_SOCKET;
1293 case PF_TIPC:
1294 return SECCLASS_TIPC_SOCKET;
1295 case PF_BLUETOOTH:
1296 return SECCLASS_BLUETOOTH_SOCKET;
1297 case PF_IUCV:
1298 return SECCLASS_IUCV_SOCKET;
1299 case PF_RXRPC:
1300 return SECCLASS_RXRPC_SOCKET;
1301 case PF_ISDN:
1302 return SECCLASS_ISDN_SOCKET;
1303 case PF_PHONET:
1304 return SECCLASS_PHONET_SOCKET;
1305 case PF_IEEE802154:
1306 return SECCLASS_IEEE802154_SOCKET;
1307 case PF_CAIF:
1308 return SECCLASS_CAIF_SOCKET;
1309 case PF_ALG:
1310 return SECCLASS_ALG_SOCKET;
1311 case PF_NFC:
1312 return SECCLASS_NFC_SOCKET;
1313 case PF_VSOCK:
1314 return SECCLASS_VSOCK_SOCKET;
1315 case PF_KCM:
1316 return SECCLASS_KCM_SOCKET;
1317 case PF_QIPCRTR:
1318 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1319 case PF_SMC:
1320 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1321 case PF_XDP:
1322 return SECCLASS_XDP_SOCKET;
1323#if PF_MAX > 45
da69a530
SS		 1324#error New address family defined, please update this function.
1325#endif
1326 }
1327 }
1328
1da177e4
LT		 1329 return SECCLASS_SOCKET;
1330}
1331
134509d5
SS		 1332static int selinux_genfs_get_sid(struct dentry *dentry,
1333 u16 tclass,
1334 u16 flags,
1335 u32 *sid)
1da177e4 1336{
8e6c9693 1337 int rc;
fc64005c 1338 struct super_block *sb = dentry->d_sb;
8e6c9693 1339 char *buffer, *path;
1da177e4 1340
828dfe1d 1341 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1342 if (!buffer)
1343 return -ENOMEM;
1344
8e6c9693
LAG		 1345 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1346 if (IS_ERR(path))
1347 rc = PTR_ERR(path);
1348 else {
134509d5
SS		 1349 if (flags & SE_SBPROC) {
1350 /* each process gets a /proc/PID/ entry. Strip off the
1351 * PID part to get a valid selinux labeling.
1352 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1353 while (path[1] >= '0' && path[1] <= '9') {
1354 path[1] = '/';
1355 path++;
1356 }
8e6c9693 1357 }
aa8e712c
SS		 1358 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1359 path, tclass, sid);
7bb185ed
SS		 1360 if (rc == -ENOENT) {
1361 /* No match in policy, mark as unlabeled. */
1362 *sid = SECINITSID_UNLABELED;
1363 rc = 0;
1364 }
1da177e4 1365 }
1da177e4
LT		 1366 free_page((unsigned long)buffer);
1367 return rc;
1368}
1da177e4 1369
b754026b
OM		 1370static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1371 u32 def_sid, u32 *sid)
1372{
1373#define INITCONTEXTLEN 255
1374 char *context;
1375 unsigned int len;
1376 int rc;
1377
1378 len = INITCONTEXTLEN;
1379 context = kmalloc(len + 1, GFP_NOFS);
1380 if (!context)
1381 return -ENOMEM;
1382
1383 context[len] = '\0';
1384 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1385 if (rc == -ERANGE) {
1386 kfree(context);
1387
1388 /* Need a larger buffer. Query for the right size. */
1389 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1390 if (rc < 0)
1391 return rc;
1392
1393 len = rc;
1394 context = kmalloc(len + 1, GFP_NOFS);
1395 if (!context)
1396 return -ENOMEM;
1397
1398 context[len] = '\0';
1399 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1400 context, len);
1401 }
1402 if (rc < 0) {
1403 kfree(context);
1404 if (rc != -ENODATA) {
1405 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1406 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1407 return rc;
1408 }
1409 *sid = def_sid;
1410 return 0;
1411 }
1412
1413 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1414 def_sid, GFP_NOFS);
1415 if (rc) {
1416 char *dev = inode->i_sb->s_id;
1417 unsigned long ino = inode->i_ino;
1418
1419 if (rc == -EINVAL) {
1420 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1421 ino, dev, context);
1422 } else {
1423 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1424 __func__, context, -rc, dev, ino);
1425 }
1426 }
1427 kfree(context);
1428 return 0;
1429}
1430
1da177e4
LT		 1431/* The inode's security attributes must be initialized before first use. */
1432static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1433{
1434 struct superblock_security_struct *sbsec = NULL;
80788c22 1435 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1436 u32 task_sid, sid = 0;
1437 u16 sclass;
1da177e4 1438 struct dentry *dentry;
1da177e4 1439 int rc = 0;
1da177e4 1440
6f3be9f5 1441 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1442 return 0;
1da177e4 1443
9287aed2 1444 spin_lock(&isec->lock);
6f3be9f5 1445 if (isec->initialized == LABEL_INITIALIZED)
23970741 1446 goto out_unlock;
1da177e4 1447
13457d07
AG		 1448 if (isec->sclass == SECCLASS_FILE)
1449 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1450
1da177e4 1451 sbsec = inode->i_sb->s_security;
0d90a7ec 1452 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1453 /* Defer initialization until selinux_complete_init,
1454 after the initial policy is loaded and the security
1455 server is ready to handle calls. */
1456 spin_lock(&sbsec->isec_lock);
1457 if (list_empty(&isec->list))
1458 list_add(&isec->list, &sbsec->isec_head);
1459 spin_unlock(&sbsec->isec_lock);
23970741 1460 goto out_unlock;
1da177e4
LT		 1461 }
1462
9287aed2
AG		 1463 sclass = isec->sclass;
1464 task_sid = isec->task_sid;
1465 sid = isec->sid;
1466 isec->initialized = LABEL_PENDING;
1467 spin_unlock(&isec->lock);
1468
1da177e4 1469 switch (sbsec->behavior) {
eb9ae686
DQ		 1470 case SECURITY_FS_USE_NATIVE:
1471 break;
1da177e4 1472 case SECURITY_FS_USE_XATTR:
5d6c3191 1473 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1474 sid = sbsec->def_sid;
1da177e4
LT		 1475 break;
1476 }
1da177e4
LT		 1477 /* Need a dentry, since the xattr API requires one.
1478 Life would be simpler if we could just pass the inode. */
1479 if (opt_dentry) {
1480 /* Called from d_instantiate or d_splice_alias. */
1481 dentry = dget(opt_dentry);
1482 } else {
b127125d
AV		 1483 /*
1484 * Called from selinux_complete_init, try to find a dentry.
1485 * Some filesystems really want a connected one, so try
1486 * that first. We could split SECURITY_FS_USE_XATTR in
1487 * two, depending upon that...
1488 */
1da177e4 1489 dentry = d_find_alias(inode);
b127125d
AV		 1490 if (!dentry)
1491 dentry = d_find_any_alias(inode);
1da177e4
LT		 1492 }
1493 if (!dentry) {
df7f54c0
EP		 1494 /*
1495 * this is can be hit on boot when a file is accessed
1496 * before the policy is loaded. When we load policy we
1497 * may find inodes that have no dentry on the
1498 * sbsec->isec_head list. No reason to complain as these
1499 * will get fixed up the next time we go through
1500 * inode_doinit with a dentry, before these inodes could
1501 * be used again by userspace.
1502 */
9287aed2 1503 goto out;
1da177e4
LT		 1504 }
1505
b754026b
OM		 1506 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1507 &sid);
1da177e4 1508 dput(dentry);
b754026b
OM		 1509 if (rc)
1510 goto out;
1da177e4
LT		 1511 break;
1512 case SECURITY_FS_USE_TASK:
9287aed2 1513 sid = task_sid;
1da177e4
LT		 1514 break;
1515 case SECURITY_FS_USE_TRANS:
1516 /* Default to the fs SID. */
9287aed2 1517 sid = sbsec->sid;
1da177e4
LT		 1518
1519 /* Try to obtain a transition SID. */
aa8e712c
SS		 1520 rc = security_transition_sid(&selinux_state, task_sid, sid,
1521 sclass, NULL, &sid);
1da177e4 1522 if (rc)
9287aed2 1523 goto out;
1da177e4 1524 break;
c312feb2 1525 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1526 sid = sbsec->mntpoint_sid;
c312feb2 1527 break;
1da177e4 1528 default:
c312feb2 1529 /* Default to the fs superblock SID. */
9287aed2 1530 sid = sbsec->sid;
1da177e4 1531
134509d5 1532 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1533 /* We must have a dentry to determine the label on
1534 * procfs inodes */
b127125d 1535 if (opt_dentry) {
f64410ec
PM		 1536 /* Called from d_instantiate or
1537 * d_splice_alias. */
1538 dentry = dget(opt_dentry);
b127125d 1539 } else {
f64410ec 1540 /* Called from selinux_complete_init, try to
b127125d
AV		 1541 * find a dentry. Some filesystems really want
1542 * a connected one, so try that first.
1543 */
f64410ec 1544 dentry = d_find_alias(inode);
b127125d
AV		 1545 if (!dentry)
1546 dentry = d_find_any_alias(inode);
1547 }
f64410ec
PM		 1548 /*
1549 * This can be hit on boot when a file is accessed
1550 * before the policy is loaded. When we load policy we
1551 * may find inodes that have no dentry on the
1552 * sbsec->isec_head list. No reason to complain as
1553 * these will get fixed up the next time we go through
1554 * inode_doinit() with a dentry, before these inodes
1555 * could be used again by userspace.
1556 */
1557 if (!dentry)
9287aed2
AG		 1558 goto out;
1559 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1560 sbsec->flags, &sid);
b754026b
OM		 1561 if (rc) {
1562 dput(dentry);
9287aed2 1563 goto out;
b754026b
OM		 1564 }
1565
1566 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1567 (inode->i_opflags & IOP_XATTR)) {
1568 rc = inode_doinit_use_xattr(inode, dentry,
1569 sid, &sid);
1570 if (rc) {
1571 dput(dentry);
1572 goto out;
1573 }
1574 }
1575 dput(dentry);
1da177e4
LT		 1576 }
1577 break;
1578 }
1579
9287aed2
AG		 1580out:
1581 spin_lock(&isec->lock);
1582 if (isec->initialized == LABEL_PENDING) {
1583 if (!sid || rc) {
1584 isec->initialized = LABEL_INVALID;
1585 goto out_unlock;
1586 }
1587
1588 isec->initialized = LABEL_INITIALIZED;
1589 isec->sid = sid;
1590 }
1da177e4 1591
23970741 1592out_unlock:
9287aed2 1593 spin_unlock(&isec->lock);
1da177e4
LT		 1594 return rc;
1595}
1596
1597/* Convert a Linux signal to an access vector. */
1598static inline u32 signal_to_av(int sig)
1599{
1600 u32 perm = 0;
1601
1602 switch (sig) {
1603 case SIGCHLD:
1604 /* Commonly granted from child to parent. */
1605 perm = PROCESS__SIGCHLD;
1606 break;
1607 case SIGKILL:
1608 /* Cannot be caught or ignored */
1609 perm = PROCESS__SIGKILL;
1610 break;
1611 case SIGSTOP:
1612 /* Cannot be caught or ignored */
1613 perm = PROCESS__SIGSTOP;
1614 break;
1615 default:
1616 /* All other signals. */
1617 perm = PROCESS__SIGNAL;
1618 break;
1619 }
1620
1621 return perm;
1622}
1623
b68e418c
SS		 1624#if CAP_LAST_CAP > 63
1625#error Fix SELinux to handle capabilities > 63.
1626#endif
1627
1da177e4 1628/* Check whether a task is allowed to use a capability. */
6a9de491 1629static int cred_has_capability(const struct cred *cred,
c1a85a00 1630 int cap, unsigned int opts, bool initns)
1da177e4 1631{
2bf49690 1632 struct common_audit_data ad;
06112163 1633 struct av_decision avd;
b68e418c 1634 u16 sclass;
3699c53c 1635 u32 sid = cred_sid(cred);
b68e418c 1636 u32 av = CAP_TO_MASK(cap);
06112163 1637 int rc;
1da177e4 1638
50c205f5 1639 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1640 ad.u.cap = cap;
1641
b68e418c
SS		 1642 switch (CAP_TO_INDEX(cap)) {
1643 case 0:
8e4ff6f2 1644 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1645 break;
1646 case 1:
8e4ff6f2 1647 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1648 break;
1649 default:
c103a91e 1650 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1651 BUG();
a35c6c83 1652 return -EINVAL;
b68e418c 1653 }
06112163 1654
6b6bc620
SS		 1655 rc = avc_has_perm_noaudit(&selinux_state,
1656 sid, sid, sclass, av, 0, &avd);
c1a85a00 1657 if (!(opts & CAP_OPT_NOAUDIT)) {
6b6bc620
SS		 1658 int rc2 = avc_audit(&selinux_state,
1659 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1660 if (rc2)
1661 return rc2;
1662 }
06112163 1663 return rc;
1da177e4
LT		 1664}
1665
1da177e4
LT		 1666/* Check whether a task has a particular permission to an inode.
1667 The 'adp' parameter is optional and allows other audit
1668 data to be passed (e.g. the dentry). */
88e67f3b 1669static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1670 struct inode *inode,
1671 u32 perms,
19e49834 1672 struct common_audit_data *adp)
1da177e4 1673{
1da177e4 1674 struct inode_security_struct *isec;
275bb41e 1675 u32 sid;
1da177e4 1676
e0e81739
DH		 1677 validate_creds(cred);
1678
828dfe1d 1679 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1680 return 0;
1681
88e67f3b 1682 sid = cred_sid(cred);
80788c22 1683 isec = selinux_inode(inode);
1da177e4 1684
6b6bc620
SS		 1685 return avc_has_perm(&selinux_state,
1686 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1687}
1688
1689/* Same as inode_has_perm, but pass explicit audit data containing
1690 the dentry to help the auditing code to more easily generate the
1691 pathname if needed. */
88e67f3b 1692static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1693 struct dentry *dentry,
1694 u32 av)
1695{
c6f493d6 1696 struct inode *inode = d_backing_inode(dentry);
2bf49690 1697 struct common_audit_data ad;
88e67f3b 1698
50c205f5 1699 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1700 ad.u.dentry = dentry;
5d226df4 1701 __inode_security_revalidate(inode, dentry, true);
19e49834 1702 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1703}
1704
1705/* Same as inode_has_perm, but pass explicit audit data containing
1706 the path to help the auditing code to more easily generate the
1707 pathname if needed. */
1708static inline int path_has_perm(const struct cred *cred,
3f7036a0 1709 const struct path *path,
2875fa00
EP		 1710 u32 av)
1711{
c6f493d6 1712 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1713 struct common_audit_data ad;
1714
50c205f5 1715 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1716 ad.u.path = *path;
5d226df4 1717 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1718 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1719}
1720
13f8e981
DH		 1721/* Same as path_has_perm, but uses the inode from the file struct. */
1722static inline int file_path_has_perm(const struct cred *cred,
1723 struct file *file,
1724 u32 av)
1725{
1726 struct common_audit_data ad;
1727
43af5de7
VG		 1728 ad.type = LSM_AUDIT_DATA_FILE;
1729 ad.u.file = file;
19e49834 1730 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1731}
1732
f66e448c
CF		 1733#ifdef CONFIG_BPF_SYSCALL
1734static int bpf_fd_pass(struct file *file, u32 sid);
1735#endif
1736
1da177e4
LT		 1737/* Check whether a task can use an open file descriptor to
1738 access an inode in a given way. Check access to the
1739 descriptor itself, and then use dentry_has_perm to
1740 check a particular permission to the file.
1741 Access to the descriptor is implicitly granted if it
1742 has the same SID as the process. If av is zero, then
1743 access to the file is not checked, e.g. for cases
1744 where only the descriptor is affected like seek. */
88e67f3b
DH		 1745static int file_has_perm(const struct cred *cred,
1746 struct file *file,
1747 u32 av)
1da177e4 1748{
bb6c6b02 1749 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1750 struct inode *inode = file_inode(file);
2bf49690 1751 struct common_audit_data ad;
88e67f3b 1752 u32 sid = cred_sid(cred);
1da177e4
LT		 1753 int rc;
1754
43af5de7
VG		 1755 ad.type = LSM_AUDIT_DATA_FILE;
1756 ad.u.file = file;
1da177e4 1757
275bb41e 1758 if (sid != fsec->sid) {
6b6bc620
SS		 1759 rc = avc_has_perm(&selinux_state,
1760 sid, fsec->sid,
1da177e4
LT		 1761 SECCLASS_FD,
1762 FD__USE,
1763 &ad);
1764 if (rc)
88e67f3b 1765 goto out;
1da177e4
LT		 1766 }
1767
f66e448c
CF		 1768#ifdef CONFIG_BPF_SYSCALL
1769 rc = bpf_fd_pass(file, cred_sid(cred));
1770 if (rc)
1771 return rc;
1772#endif
1773
1da177e4 1774 /* av is zero if only checking access to the descriptor. */
88e67f3b 1775 rc = 0;
1da177e4 1776 if (av)
19e49834 1777 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1778
88e67f3b
DH		 1779out:
1780 return rc;
1da177e4
LT		 1781}
1782
c3c188b2
DH		 1783/*
1784 * Determine the label for an inode that might be unioned.
1785 */
c957f6df
VG		 1786static int
1787selinux_determine_inode_label(const struct task_security_struct *tsec,
1788 struct inode *dir,
1789 const struct qstr *name, u16 tclass,
1790 u32 *_new_isid)
c3c188b2
DH		 1791{
1792 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1793
1794 if ((sbsec->flags & SE_SBINITIALIZED) &&
1795 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1796 *_new_isid = sbsec->mntpoint_sid;
1797 } else if ((sbsec->flags & SBLABEL_MNT) &&
1798 tsec->create_sid) {
1799 *_new_isid = tsec->create_sid;
1800 } else {
20cdef8d 1801 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1802 return security_transition_sid(&selinux_state, tsec->sid,
1803 dsec->sid, tclass,
c3c188b2
DH		 1804 name, _new_isid);
1805 }
1806
1807 return 0;
1808}
1809
1da177e4
LT		 1810/* Check whether a task can create a file. */
1811static int may_create(struct inode *dir,
1812 struct dentry *dentry,
1813 u16 tclass)
1814{
0c6cfa62 1815 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1816 struct inode_security_struct *dsec;
1817 struct superblock_security_struct *sbsec;
275bb41e 1818 u32 sid, newsid;
2bf49690 1819 struct common_audit_data ad;
1da177e4
LT		 1820 int rc;
1821
83da53c5 1822 dsec = inode_security(dir);
1da177e4
LT		 1823 sbsec = dir->i_sb->s_security;
1824
275bb41e 1825 sid = tsec->sid;
275bb41e 1826
50c205f5 1827 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1828 ad.u.dentry = dentry;
1da177e4 1829
6b6bc620
SS		 1830 rc = avc_has_perm(&selinux_state,
1831 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1832 DIR__ADD_NAME | DIR__SEARCH,
1833 &ad);
1834 if (rc)
1835 return rc;
1836
0c6cfa62 1837 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
c957f6df 1838 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1839 if (rc)
1840 return rc;
1da177e4 1841
6b6bc620
SS		 1842 rc = avc_has_perm(&selinux_state,
1843 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1844 if (rc)
1845 return rc;
1846
6b6bc620
SS		 1847 return avc_has_perm(&selinux_state,
1848 newsid, sbsec->sid,
1da177e4
LT		 1849 SECCLASS_FILESYSTEM,
1850 FILESYSTEM__ASSOCIATE, &ad);
1851}
1852
828dfe1d
EP		 1853#define MAY_LINK 0
1854#define MAY_UNLINK 1
1855#define MAY_RMDIR 2
1da177e4
LT		 1856
1857/* Check whether a task can link, unlink, or rmdir a file/directory. */
1858static int may_link(struct inode *dir,
1859 struct dentry *dentry,
1860 int kind)
1861
1862{
1da177e4 1863 struct inode_security_struct *dsec, *isec;
2bf49690 1864 struct common_audit_data ad;
275bb41e 1865 u32 sid = current_sid();
1da177e4
LT		 1866 u32 av;
1867 int rc;
1868
83da53c5
AG		 1869 dsec = inode_security(dir);
1870 isec = backing_inode_security(dentry);
1da177e4 1871
50c205f5 1872 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1873 ad.u.dentry = dentry;
1da177e4
LT		 1874
1875 av = DIR__SEARCH;
1876 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1877 rc = avc_has_perm(&selinux_state,
1878 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1879 if (rc)
1880 return rc;
1881
1882 switch (kind) {
1883 case MAY_LINK:
1884 av = FILE__LINK;
1885 break;
1886 case MAY_UNLINK:
1887 av = FILE__UNLINK;
1888 break;
1889 case MAY_RMDIR:
1890 av = DIR__RMDIR;
1891 break;
1892 default:
c103a91e 1893 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1894 __func__, kind);
1da177e4
LT		 1895 return 0;
1896 }
1897
6b6bc620
SS		 1898 rc = avc_has_perm(&selinux_state,
1899 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1900 return rc;
1901}
1902
1903static inline int may_rename(struct inode *old_dir,
1904 struct dentry *old_dentry,
1905 struct inode *new_dir,
1906 struct dentry *new_dentry)
1907{
1da177e4 1908 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1909 struct common_audit_data ad;
275bb41e 1910 u32 sid = current_sid();
1da177e4
LT		 1911 u32 av;
1912 int old_is_dir, new_is_dir;
1913 int rc;
1914
83da53c5
AG		 1915 old_dsec = inode_security(old_dir);
1916 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1917 old_is_dir = d_is_dir(old_dentry);
83da53c5 1918 new_dsec = inode_security(new_dir);
1da177e4 1919
50c205f5 1920 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1921
a269434d 1922 ad.u.dentry = old_dentry;
6b6bc620
SS		 1923 rc = avc_has_perm(&selinux_state,
1924 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1925 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1926 if (rc)
1927 return rc;
6b6bc620
SS		 1928 rc = avc_has_perm(&selinux_state,
1929 sid, old_isec->sid,
1da177e4
LT		 1930 old_isec->sclass, FILE__RENAME, &ad);
1931 if (rc)
1932 return rc;
1933 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1934 rc = avc_has_perm(&selinux_state,
1935 sid, old_isec->sid,
1da177e4
LT		 1936 old_isec->sclass, DIR__REPARENT, &ad);
1937 if (rc)
1938 return rc;
1939 }
1940
a269434d 1941 ad.u.dentry = new_dentry;
1da177e4 1942 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1943 if (d_is_positive(new_dentry))
1da177e4 1944 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1945 rc = avc_has_perm(&selinux_state,
1946 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1947 if (rc)
1948 return rc;
2c616d4d 1949 if (d_is_positive(new_dentry)) {
83da53c5 1950 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1951 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1952 rc = avc_has_perm(&selinux_state,
1953 sid, new_isec->sid,
1da177e4
LT		 1954 new_isec->sclass,
1955 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1956 if (rc)
1957 return rc;
1958 }
1959
1960 return 0;
1961}
1962
1963/* Check whether a task can perform a filesystem operation. */
88e67f3b 1964static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1965 struct super_block *sb,
1966 u32 perms,
2bf49690 1967 struct common_audit_data *ad)
1da177e4 1968{
1da177e4 1969 struct superblock_security_struct *sbsec;
88e67f3b 1970 u32 sid = cred_sid(cred);
1da177e4 1971
1da177e4 1972 sbsec = sb->s_security;
6b6bc620
SS		 1973 return avc_has_perm(&selinux_state,
1974 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1975}
1976
1977/* Convert a Linux mode and permission mask to an access vector. */
1978static inline u32 file_mask_to_av(int mode, int mask)
1979{
1980 u32 av = 0;
1981
dba19c60 1982 if (!S_ISDIR(mode)) {
1da177e4
LT		 1983 if (mask & MAY_EXEC)
1984 av |= FILE__EXECUTE;
1985 if (mask & MAY_READ)
1986 av |= FILE__READ;
1987
1988 if (mask & MAY_APPEND)
1989 av |= FILE__APPEND;
1990 else if (mask & MAY_WRITE)
1991 av |= FILE__WRITE;
1992
1993 } else {
1994 if (mask & MAY_EXEC)
1995 av |= DIR__SEARCH;
1996 if (mask & MAY_WRITE)
1997 av |= DIR__WRITE;
1998 if (mask & MAY_READ)
1999 av |= DIR__READ;
2000 }
2001
2002 return av;
2003}
2004
8b6a5a37
EP		 2005/* Convert a Linux file to an access vector. */
2006static inline u32 file_to_av(struct file *file)
2007{
2008 u32 av = 0;
2009
2010 if (file->f_mode & FMODE_READ)
2011 av |= FILE__READ;
2012 if (file->f_mode & FMODE_WRITE) {
2013 if (file->f_flags & O_APPEND)
2014 av |= FILE__APPEND;
2015 else
2016 av |= FILE__WRITE;
2017 }
2018 if (!av) {
2019 /*
2020 * Special file opened with flags 3 for ioctl-only use.
2021 */
2022 av = FILE__IOCTL;
2023 }
2024
2025 return av;
2026}
2027
b0c636b9 2028/*
8b6a5a37 2029 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2030 * open permission.
2031 */
8b6a5a37 2032static inline u32 open_file_to_av(struct file *file)
b0c636b9 2033{
8b6a5a37 2034 u32 av = file_to_av(file);
ccb54478 2035 struct inode *inode = file_inode(file);
b0c636b9 2036
aa8e712c
SS		 2037 if (selinux_policycap_openperm() &&
2038 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2039 av |= FILE__OPEN;
2040
b0c636b9
EP		 2041 return av;
2042}
2043
1da177e4
LT		 2044/* Hook functions begin here. */
2045
79af7307
SS		 2046static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2047{
2048 u32 mysid = current_sid();
2049 u32 mgrsid = task_sid(mgr);
2050
6b6bc620
SS		 2051 return avc_has_perm(&selinux_state,
2052 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2053 BINDER__SET_CONTEXT_MGR, NULL);
2054}
2055
2056static int selinux_binder_transaction(struct task_struct *from,
2057 struct task_struct *to)
2058{
2059 u32 mysid = current_sid();
2060 u32 fromsid = task_sid(from);
2061 u32 tosid = task_sid(to);
2062 int rc;
2063
2064 if (mysid != fromsid) {
6b6bc620
SS		 2065 rc = avc_has_perm(&selinux_state,
2066 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2067 BINDER__IMPERSONATE, NULL);
2068 if (rc)
2069 return rc;
2070 }
2071
6b6bc620
SS		 2072 return avc_has_perm(&selinux_state,
2073 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2074 NULL);
2075}
2076
2077static int selinux_binder_transfer_binder(struct task_struct *from,
2078 struct task_struct *to)
2079{
2080 u32 fromsid = task_sid(from);
2081 u32 tosid = task_sid(to);
2082
6b6bc620
SS		 2083 return avc_has_perm(&selinux_state,
2084 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2085 NULL);
2086}
2087
2088static int selinux_binder_transfer_file(struct task_struct *from,
2089 struct task_struct *to,
2090 struct file *file)
2091{
2092 u32 sid = task_sid(to);
bb6c6b02 2093 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2094 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2095 struct inode_security_struct *isec;
79af7307
SS		 2096 struct common_audit_data ad;
2097 int rc;
2098
2099 ad.type = LSM_AUDIT_DATA_PATH;
2100 ad.u.path = file->f_path;
2101
2102 if (sid != fsec->sid) {
6b6bc620
SS		 2103 rc = avc_has_perm(&selinux_state,
2104 sid, fsec->sid,
79af7307
SS		 2105 SECCLASS_FD,
2106 FD__USE,
2107 &ad);
2108 if (rc)
2109 return rc;
2110 }
2111
f66e448c
CF		 2112#ifdef CONFIG_BPF_SYSCALL
2113 rc = bpf_fd_pass(file, sid);
2114 if (rc)
2115 return rc;
2116#endif
2117
83da53c5 2118 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2119 return 0;
2120
20cdef8d 2121 isec = backing_inode_security(dentry);
6b6bc620
SS		 2122 return avc_has_perm(&selinux_state,
2123 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2124 &ad);
2125}
2126
9e48858f 2127static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2128 unsigned int mode)
1da177e4 2129{
be0554c9
SS		 2130 u32 sid = current_sid();
2131 u32 csid = task_sid(child);
2132
2133 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2134 return avc_has_perm(&selinux_state,
2135 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2136
6b6bc620
SS		 2137 return avc_has_perm(&selinux_state,
2138 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2139}
2140
2141static int selinux_ptrace_traceme(struct task_struct *parent)
2142{
6b6bc620
SS		 2143 return avc_has_perm(&selinux_state,
2144 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2145 PROCESS__PTRACE, NULL);
1da177e4
LT		 2146}
2147
2148static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2149 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2150{
6b6bc620
SS		 2151 return avc_has_perm(&selinux_state,
2152 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2153 PROCESS__GETCAP, NULL);
1da177e4
LT		 2154}
2155
d84f4f99
DH		 2156static int selinux_capset(struct cred *new, const struct cred *old,
2157 const kernel_cap_t *effective,
2158 const kernel_cap_t *inheritable,
2159 const kernel_cap_t *permitted)
1da177e4 2160{
6b6bc620
SS		 2161 return avc_has_perm(&selinux_state,
2162 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2163 PROCESS__SETCAP, NULL);
1da177e4
LT		 2164}
2165
5626d3e8
JM		 2166/*
2167 * (This comment used to live with the selinux_task_setuid hook,
2168 * which was removed).
2169 *
2170 * Since setuid only affects the current process, and since the SELinux
2171 * controls are not based on the Linux identity attributes, SELinux does not
2172 * need to control this operation. However, SELinux does control the use of
2173 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2174 */
2175
6a9de491 2176static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2177 int cap, unsigned int opts)
1da177e4 2178{
c1a85a00 2179 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2180}
2181
1da177e4
LT		 2182static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2183{
88e67f3b 2184 const struct cred *cred = current_cred();
1da177e4
LT		 2185 int rc = 0;
2186
2187 if (!sb)
2188 return 0;
2189
2190 switch (cmds) {
828dfe1d
EP		 2191 case Q_SYNC:
2192 case Q_QUOTAON:
2193 case Q_QUOTAOFF:
2194 case Q_SETINFO:
2195 case Q_SETQUOTA:
88e67f3b 2196 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2197 break;
2198 case Q_GETFMT:
2199 case Q_GETINFO:
2200 case Q_GETQUOTA:
88e67f3b 2201 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2202 break;
2203 default:
2204 rc = 0; /* let the kernel handle invalid cmds */
2205 break;
1da177e4
LT		 2206 }
2207 return rc;
2208}
2209
2210static int selinux_quota_on(struct dentry *dentry)
2211{
88e67f3b
DH		 2212 const struct cred *cred = current_cred();
2213
2875fa00 2214 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2215}
2216
12b3052c 2217static int selinux_syslog(int type)
1da177e4 2218{
1da177e4 2219 switch (type) {
d78ca3cd
KC		 2220 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2221 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2222 return avc_has_perm(&selinux_state,
2223 current_sid(), SECINITSID_KERNEL,
be0554c9 2224 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2225 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2226 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2227 /* Set level of messages printed to console */
2228 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2229 return avc_has_perm(&selinux_state,
2230 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2231 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2232 NULL);
1da177e4 2233 }
be0554c9 2234 /* All other syslog types */
6b6bc620
SS		 2235 return avc_has_perm(&selinux_state,
2236 current_sid(), SECINITSID_KERNEL,
be0554c9 2237 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2238}
2239
2240/*
2241 * Check that a process has enough memory to allocate a new virtual
2242 * mapping. 0 means there is enough memory for the allocation to
2243 * succeed and -ENOMEM implies there is not.
2244 *
1da177e4
LT		 2245 * Do not audit the selinux permission check, as this is applied to all
2246 * processes that allocate mappings.
2247 */
34b4e4aa 2248static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2249{
2250 int rc, cap_sys_admin = 0;
1da177e4 2251
b1d9e6b0 2252 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2253 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2254 if (rc == 0)
2255 cap_sys_admin = 1;
2256
b1d9e6b0 2257 return cap_sys_admin;
1da177e4
LT		 2258}
2259
2260/* binprm security operations */
2261
be0554c9 2262static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2263{
2264 u32 sid = 0;
2265 struct task_struct *tracer;
2266
2267 rcu_read_lock();
be0554c9 2268 tracer = ptrace_parent(current);
0c6181cb
PM		 2269 if (tracer)
2270 sid = task_sid(tracer);
2271 rcu_read_unlock();
2272
2273 return sid;
2274}
2275
7b0d0b40
SS		 2276static int check_nnp_nosuid(const struct linux_binprm *bprm,
2277 const struct task_security_struct *old_tsec,
2278 const struct task_security_struct *new_tsec)
2279{
2280 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2281 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2282 int rc;
af63f419 2283 u32 av;
7b0d0b40
SS		 2284
2285 if (!nnp && !nosuid)
2286 return 0; /* neither NNP nor nosuid */
2287
2288 if (new_tsec->sid == old_tsec->sid)
2289 return 0; /* No change in credentials */
2290
2291 /*
af63f419
SS		 2292 * If the policy enables the nnp_nosuid_transition policy capability,
2293 * then we permit transitions under NNP or nosuid if the
2294 * policy allows the corresponding permission between
2295 * the old and new contexts.
7b0d0b40 2296 */
aa8e712c 2297 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2298 av = 0;
7b0d0b40 2299 if (nnp)
af63f419
SS		 2300 av |= PROCESS2__NNP_TRANSITION;
2301 if (nosuid)
2302 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2303 rc = avc_has_perm(&selinux_state,
2304 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2305 SECCLASS_PROCESS2, av, NULL);
2306 if (!rc)
2307 return 0;
7b0d0b40 2308 }
af63f419
SS		 2309
2310 /*
2311 * We also permit NNP or nosuid transitions to bounded SIDs,
2312 * i.e. SIDs that are guaranteed to only be allowed a subset
2313 * of the permissions of the current SID.
2314 */
aa8e712c
SS		 2315 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2316 new_tsec->sid);
af63f419
SS		 2317 if (!rc)
2318 return 0;
2319
2320 /*
2321 * On failure, preserve the errno values for NNP vs nosuid.
2322 * NNP: Operation not permitted for caller.
2323 * nosuid: Permission denied to file.
2324 */
2325 if (nnp)
2326 return -EPERM;
2327 return -EACCES;
7b0d0b40
SS		 2328}
2329
a6f76f23 2330static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2331{
a6f76f23
DH		 2332 const struct task_security_struct *old_tsec;
2333 struct task_security_struct *new_tsec;
1da177e4 2334 struct inode_security_struct *isec;
2bf49690 2335 struct common_audit_data ad;
496ad9aa 2336 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2337 int rc;
2338
a6f76f23
DH		 2339 /* SELinux context only depends on initial program or script and not
2340 * the script interpreter */
ddb4a144 2341 if (bprm->called_set_creds)
1da177e4
LT		 2342 return 0;
2343
0c6cfa62
CS		 2344 old_tsec = selinux_cred(current_cred());
2345 new_tsec = selinux_cred(bprm->cred);
83da53c5 2346 isec = inode_security(inode);
1da177e4
LT		 2347
2348 /* Default to the current task SID. */
a6f76f23
DH		 2349 new_tsec->sid = old_tsec->sid;
2350 new_tsec->osid = old_tsec->sid;
1da177e4 2351
28eba5bf 2352 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2353 new_tsec->create_sid = 0;
2354 new_tsec->keycreate_sid = 0;
2355 new_tsec->sockcreate_sid = 0;
1da177e4 2356
a6f76f23
DH		 2357 if (old_tsec->exec_sid) {
2358 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2359 /* Reset exec SID on execve. */
a6f76f23 2360 new_tsec->exec_sid = 0;
259e5e6c 2361
7b0d0b40
SS		 2362 /* Fail on NNP or nosuid if not an allowed transition. */
2363 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2364 if (rc)
2365 return rc;
1da177e4
LT		 2366 } else {
2367 /* Check for a default transition on this program. */
aa8e712c
SS		 2368 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2369 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2370 &new_tsec->sid);
1da177e4
LT		 2371 if (rc)
2372 return rc;
7b0d0b40
SS		 2373
2374 /*
2375 * Fallback to old SID on NNP or nosuid if not an allowed
2376 * transition.
2377 */
2378 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2379 if (rc)
2380 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2381 }
2382
43af5de7
VG		 2383 ad.type = LSM_AUDIT_DATA_FILE;
2384 ad.u.file = bprm->file;
1da177e4 2385
a6f76f23 2386 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2387 rc = avc_has_perm(&selinux_state,
2388 old_tsec->sid, isec->sid,
1da177e4
LT		 2389 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2390 if (rc)
2391 return rc;
2392 } else {
2393 /* Check permissions for the transition. */
6b6bc620
SS		 2394 rc = avc_has_perm(&selinux_state,
2395 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2396 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2397 if (rc)
2398 return rc;
2399
6b6bc620
SS		 2400 rc = avc_has_perm(&selinux_state,
2401 new_tsec->sid, isec->sid,
1da177e4
LT		 2402 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2403 if (rc)
2404 return rc;
2405
a6f76f23
DH		 2406 /* Check for shared state */
2407 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2408 rc = avc_has_perm(&selinux_state,
2409 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2410 SECCLASS_PROCESS, PROCESS__SHARE,
2411 NULL);
2412 if (rc)
2413 return -EPERM;
2414 }
2415
2416 /* Make sure that anyone attempting to ptrace over a task that
2417 * changes its SID has the appropriate permit */
9227dd2a 2418 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2419 u32 ptsid = ptrace_parent_sid();
a6f76f23 2420 if (ptsid != 0) {
6b6bc620
SS		 2421 rc = avc_has_perm(&selinux_state,
2422 ptsid, new_tsec->sid,
a6f76f23
DH		 2423 SECCLASS_PROCESS,
2424 PROCESS__PTRACE, NULL);
2425 if (rc)
2426 return -EPERM;
2427 }
2428 }
1da177e4 2429
a6f76f23
DH		 2430 /* Clear any possibly unsafe personality bits on exec: */
2431 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2432
1da177e4
LT		 2433 /* Enable secure mode for SIDs transitions unless
2434 the noatsecure permission is granted between
2435 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2436 rc = avc_has_perm(&selinux_state,
2437 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2438 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2439 NULL);
2440 bprm->secureexec |= !!rc;
1da177e4
LT		 2441 }
2442
62874c3a 2443 return 0;
1da177e4
LT		 2444}
2445
c3c073f8
AV		 2446static int match_file(const void *p, struct file *file, unsigned fd)
2447{
2448 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2449}
2450
1da177e4 2451/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2452static inline void flush_unauthorized_files(const struct cred *cred,
2453 struct files_struct *files)
1da177e4 2454{
1da177e4 2455 struct file *file, *devnull = NULL;
b20c8122 2456 struct tty_struct *tty;
24ec839c 2457 int drop_tty = 0;
c3c073f8 2458 unsigned n;
1da177e4 2459
24ec839c 2460 tty = get_current_tty();
1da177e4 2461 if (tty) {
4a510969 2462 spin_lock(&tty->files_lock);
37dd0bd0 2463 if (!list_empty(&tty->tty_files)) {
d996b62a 2464 struct tty_file_private *file_priv;
37dd0bd0 2465
1da177e4 2466 /* Revalidate access to controlling tty.
13f8e981
DH		 2467 Use file_path_has_perm on the tty path directly
2468 rather than using file_has_perm, as this particular
2469 open file may belong to another process and we are
2470 only interested in the inode-based check here. */
d996b62a
NP		 2471 file_priv = list_first_entry(&tty->tty_files,
2472 struct tty_file_private, list);
2473 file = file_priv->file;
13f8e981 2474 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2475 drop_tty = 1;
1da177e4 2476 }
4a510969 2477 spin_unlock(&tty->files_lock);
452a00d2 2478 tty_kref_put(tty);
1da177e4 2479 }
98a27ba4
EB		 2480 /* Reset controlling tty. */
2481 if (drop_tty)
2482 no_tty();
1da177e4
LT		 2483
2484 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2485 n = iterate_fd(files, 0, match_file, cred);
2486 if (!n) /* none found? */
2487 return;
1da177e4 2488
c3c073f8 2489 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2490 if (IS_ERR(devnull))
2491 devnull = NULL;
2492 /* replace all the matching ones with this */
2493 do {
2494 replace_fd(n - 1, devnull, 0);
2495 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2496 if (devnull)
c3c073f8 2497 fput(devnull);
1da177e4
LT		 2498}
2499
a6f76f23
DH		 2500/*
2501 * Prepare a process for imminent new credential changes due to exec
2502 */
2503static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2504{
a6f76f23
DH		 2505 struct task_security_struct *new_tsec;
2506 struct rlimit *rlim, *initrlim;
2507 int rc, i;
d84f4f99 2508
0c6cfa62 2509 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2510 if (new_tsec->sid == new_tsec->osid)
2511 return;
1da177e4 2512
a6f76f23
DH		 2513 /* Close files for which the new task SID is not authorized. */
2514 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2515
a6f76f23
DH		 2516 /* Always clear parent death signal on SID transitions. */
2517 current->pdeath_signal = 0;
0356357c 2518
a6f76f23
DH		 2519 /* Check whether the new SID can inherit resource limits from the old
2520 * SID. If not, reset all soft limits to the lower of the current
2521 * task's hard limit and the init task's soft limit.
2522 *
2523 * Note that the setting of hard limits (even to lower them) can be
2524 * controlled by the setrlimit check. The inclusion of the init task's
2525 * soft limit into the computation is to avoid resetting soft limits
2526 * higher than the default soft limit for cases where the default is
2527 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2528 */
6b6bc620
SS		 2529 rc = avc_has_perm(&selinux_state,
2530 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2531 PROCESS__RLIMITINH, NULL);
2532 if (rc) {
eb2d55a3
ON		 2533 /* protect against do_prlimit() */
2534 task_lock(current);
a6f76f23
DH		 2535 for (i = 0; i < RLIM_NLIMITS; i++) {
2536 rlim = current->signal->rlim + i;
2537 initrlim = init_task.signal->rlim + i;
2538 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2539 }
eb2d55a3 2540 task_unlock(current);
baa73d9e
NP		 2541 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2542 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2543 }
2544}
2545
2546/*
a6f76f23
DH		 2547 * Clean up the process immediately after the installation of new credentials
2548 * due to exec
1da177e4 2549 */
a6f76f23 2550static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2551{
0c6cfa62 2552 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4 2553 struct itimerval itimer;
a6f76f23 2554 u32 osid, sid;
1da177e4
LT		 2555 int rc, i;
2556
a6f76f23
DH		 2557 osid = tsec->osid;
2558 sid = tsec->sid;
2559
2560 if (sid == osid)
1da177e4
LT		 2561 return;
2562
a6f76f23
DH		 2563 /* Check whether the new SID can inherit signal state from the old SID.
2564 * If not, clear itimers to avoid subsequent signal generation and
2565 * flush and unblock signals.
2566 *
2567 * This must occur _after_ the task SID has been updated so that any
2568 * kill done after the flush will be checked against the new SID.
2569 */
6b6bc620
SS		 2570 rc = avc_has_perm(&selinux_state,
2571 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2572 if (rc) {
baa73d9e
NP		 2573 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2574 memset(&itimer, 0, sizeof itimer);
2575 for (i = 0; i < 3; i++)
2576 do_setitimer(i, &itimer, NULL);
2577 }
1da177e4 2578 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2579 if (!fatal_signal_pending(current)) {
2580 flush_sigqueue(&current->pending);
2581 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2582 flush_signal_handlers(current, 1);
2583 sigemptyset(&current->blocked);
9e7c8f8c 2584 recalc_sigpending();
3bcac026 2585 }
1da177e4
LT		 2586 spin_unlock_irq(&current->sighand->siglock);
2587 }
2588
a6f76f23
DH		 2589 /* Wake up the parent if it is waiting so that it can recheck
2590 * wait permission to the new task SID. */
ecd6de3c 2591 read_lock(&tasklist_lock);
0b7570e7 2592 __wake_up_parent(current, current->real_parent);
ecd6de3c 2593 read_unlock(&tasklist_lock);
1da177e4
LT		 2594}
2595
2596/* superblock security operations */
2597
2598static int selinux_sb_alloc_security(struct super_block *sb)
2599{
2600 return superblock_alloc_security(sb);
2601}
2602
2603static void selinux_sb_free_security(struct super_block *sb)
2604{
2605 superblock_free_security(sb);
2606}
2607
99dbbb59 2608static inline int opt_len(const char *s)
1da177e4 2609{
99dbbb59
AV		 2610 bool open_quote = false;
2611 int len;
2612 char c;
1da177e4 2613
99dbbb59
AV		 2614 for (len = 0; (c = s[len]) != '\0'; len++) {
2615 if (c == '"')
2616 open_quote = !open_quote;
2617 if (c == ',' && !open_quote)
2618 break;
3528a953 2619 }
99dbbb59 2620 return len;
3528a953
CO		 2621}
2622
99dbbb59 2623static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2624{
99dbbb59
AV		 2625 char *from = options;
2626 char *to = options;
2627 bool first = true;
fec63753 2628 int rc;
1da177e4 2629
99dbbb59
AV		 2630 while (1) {
2631 int len = opt_len(from);
fec63753 2632 int token;
99dbbb59 2633 char *arg = NULL;
1da177e4 2634
99dbbb59 2635 token = match_opt_prefix(from, len, &arg);
1da177e4 2636
99dbbb59
AV		 2637 if (token != Opt_error) {
2638 char *p, *q;
1da177e4 2639
99dbbb59
AV		 2640 /* strip quotes */
2641 if (arg) {
2642 for (p = q = arg; p < from + len; p++) {
2643 char c = *p;
2644 if (c != '"')
2645 *q++ = c;
2646 }
2647 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2648 if (!arg) {
2649 rc = -ENOMEM;
2650 goto free_opt;
2651 }
99dbbb59
AV		 2652 }
2653 rc = selinux_add_opt(token, arg, mnt_opts);
2654 if (unlikely(rc)) {
2655 kfree(arg);
fec63753 2656 goto free_opt;
99dbbb59
AV		 2657 }
2658 } else {
2659 if (!first) { // copy with preceding comma
2660 from--;
2661 len++;
2662 }
2663 if (to != from)
2664 memmove(to, from, len);
2665 to += len;
2666 first = false;
1da177e4 2667 }
99dbbb59
AV		 2668 if (!from[len])
2669 break;
2670 from += len + 1;
2671 }
2672 *to = '\0';
2673 return 0;
fec63753
GZ		 2674
2675free_opt:
2676 if (*mnt_opts) {
2677 selinux_free_mnt_opts(*mnt_opts);
2678 *mnt_opts = NULL;
2679 }
2680 return rc;
1da177e4
LT		 2681}
2682
204cc0cc 2683static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2684{
bd323655 2685 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2686 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2687 u32 sid;
2688 int rc;
026eb167
EP		 2689
2690 if (!(sbsec->flags & SE_SBINITIALIZED))
2691 return 0;
2692
204cc0cc 2693 if (!opts)
026eb167
EP		 2694 return 0;
2695
bd323655
AV		 2696 if (opts->fscontext) {
2697 rc = parse_sid(sb, opts->fscontext, &sid);
2698 if (rc)
c039bc3c 2699 return rc;
bd323655
AV		 2700 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2701 goto out_bad_option;
026eb167 2702 }
bd323655
AV		 2703 if (opts->context) {
2704 rc = parse_sid(sb, opts->context, &sid);
2705 if (rc)
2706 return rc;
2707 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2708 goto out_bad_option;
2709 }
2710 if (opts->rootcontext) {
2711 struct inode_security_struct *root_isec;
2712 root_isec = backing_inode_security(sb->s_root);
2713 rc = parse_sid(sb, opts->rootcontext, &sid);
2714 if (rc)
2715 return rc;
2716 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2717 goto out_bad_option;
2718 }
2719 if (opts->defcontext) {
2720 rc = parse_sid(sb, opts->defcontext, &sid);
2721 if (rc)
2722 return rc;
2723 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2724 goto out_bad_option;
026eb167 2725 }
c039bc3c 2726 return 0;
026eb167 2727
026eb167 2728out_bad_option:
c103a91e 2729 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2730 "during remount (dev %s, type=%s)\n", sb->s_id,
2731 sb->s_type->name);
c039bc3c 2732 return -EINVAL;
026eb167
EP		 2733}
2734
a10d7c22 2735static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2736{
88e67f3b 2737 const struct cred *cred = current_cred();
2bf49690 2738 struct common_audit_data ad;
74192246 2739
50c205f5 2740 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2741 ad.u.dentry = sb->s_root;
88e67f3b 2742 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2743}
2744
726c3342 2745static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2746{
88e67f3b 2747 const struct cred *cred = current_cred();
2bf49690 2748 struct common_audit_data ad;
1da177e4 2749
50c205f5 2750 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2751 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2752 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2753}
2754
808d4e3c 2755static int selinux_mount(const char *dev_name,
8a04c43b 2756 const struct path *path,
808d4e3c 2757 const char *type,
828dfe1d
EP		 2758 unsigned long flags,
2759 void *data)
1da177e4 2760{
88e67f3b 2761 const struct cred *cred = current_cred();
1da177e4
LT		 2762
2763 if (flags & MS_REMOUNT)
d8c9584e 2764 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2765 FILESYSTEM__REMOUNT, NULL);
1da177e4 2766 else
2875fa00 2767 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2768}
2769
2770static int selinux_umount(struct vfsmount *mnt, int flags)
2771{
88e67f3b 2772 const struct cred *cred = current_cred();
1da177e4 2773
88e67f3b 2774 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2775 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2776}
2777
0b52075e
AV		 2778static int selinux_fs_context_dup(struct fs_context *fc,
2779 struct fs_context *src_fc)
2780{
2781 const struct selinux_mnt_opts *src = src_fc->security;
2782 struct selinux_mnt_opts *opts;
2783
2784 if (!src)
2785 return 0;
2786
2787 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2788 if (!fc->security)
2789 return -ENOMEM;
2790
2791 opts = fc->security;
2792
2793 if (src->fscontext) {
2794 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2795 if (!opts->fscontext)
2796 return -ENOMEM;
2797 }
2798 if (src->context) {
2799 opts->context = kstrdup(src->context, GFP_KERNEL);
2800 if (!opts->context)
2801 return -ENOMEM;
2802 }
2803 if (src->rootcontext) {
2804 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2805 if (!opts->rootcontext)
2806 return -ENOMEM;
2807 }
2808 if (src->defcontext) {
2809 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2810 if (!opts->defcontext)
2811 return -ENOMEM;
2812 }
2813 return 0;
2814}
2815
442155c1
DH		 2816static const struct fs_parameter_spec selinux_param_specs[] = {
2817 fsparam_string(CONTEXT_STR, Opt_context),
2818 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2819 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2820 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2821 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2822 {}
2823};
2824
2825static const struct fs_parameter_description selinux_fs_parameters = {
2826 .name = "SELinux",
2827 .specs = selinux_param_specs,
2828};
2829
2830static int selinux_fs_context_parse_param(struct fs_context *fc,
2831 struct fs_parameter *param)
2832{
2833 struct fs_parse_result result;
2834 int opt, rc;
2835
2836 opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2837 if (opt < 0)
2838 return opt;
2839
2840 rc = selinux_add_opt(opt, param->string, &fc->security);
2841 if (!rc) {
2842 param->string = NULL;
2843 rc = 1;
2844 }
2845 return rc;
2846}
2847
1da177e4
LT		 2848/* inode security operations */
2849
2850static int selinux_inode_alloc_security(struct inode *inode)
2851{
2852 return inode_alloc_security(inode);
2853}
2854
2855static void selinux_inode_free_security(struct inode *inode)
2856{
2857 inode_free_security(inode);
2858}
2859
d47be3df 2860static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2861 const struct qstr *name, void **ctx,
d47be3df
DQ		 2862 u32 *ctxlen)
2863{
d47be3df
DQ		 2864 u32 newsid;
2865 int rc;
2866
0c6cfa62 2867 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2868 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2869 inode_mode_to_security_class(mode),
2870 &newsid);
2871 if (rc)
2872 return rc;
d47be3df 2873
aa8e712c
SS		 2874 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2875 ctxlen);
d47be3df
DQ		 2876}
2877
a518b0a5
VG		 2878static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2879 struct qstr *name,
2880 const struct cred *old,
2881 struct cred *new)
2882{
2883 u32 newsid;
2884 int rc;
2885 struct task_security_struct *tsec;
2886
0c6cfa62 2887 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2888 d_inode(dentry->d_parent), name,
2889 inode_mode_to_security_class(mode),
2890 &newsid);
2891 if (rc)
2892 return rc;
2893
0c6cfa62 2894 tsec = selinux_cred(new);
a518b0a5
VG		 2895 tsec->create_sid = newsid;
2896 return 0;
2897}
2898
5e41ff9e 2899static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2900 const struct qstr *qstr,
2901 const char **name,
2a7dba39 2902 void **value, size_t *len)
5e41ff9e 2903{
0c6cfa62 2904 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2905 struct superblock_security_struct *sbsec;
c0d4f464 2906 u32 newsid, clen;
5e41ff9e 2907 int rc;
9548906b 2908 char *context;
5e41ff9e 2909
5e41ff9e 2910 sbsec = dir->i_sb->s_security;
5e41ff9e 2911
275bb41e
DH		 2912 newsid = tsec->create_sid;
2913
0c6cfa62 2914 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c3c188b2
DH		 2915 dir, qstr,
2916 inode_mode_to_security_class(inode->i_mode),
2917 &newsid);
2918 if (rc)
2919 return rc;
5e41ff9e 2920
296fddf7 2921 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2922 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2923 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2924 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2925 isec->sid = newsid;
6f3be9f5 2926 isec->initialized = LABEL_INITIALIZED;
296fddf7 2927 }
5e41ff9e 2928
aa8e712c 2929 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2930 return -EOPNOTSUPP;
2931
9548906b
TH		 2932 if (name)
2933 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2934
570bc1c2 2935 if (value && len) {
aa8e712c
SS		 2936 rc = security_sid_to_context_force(&selinux_state, newsid,
2937 &context, &clen);
9548906b 2938 if (rc)
570bc1c2 2939 return rc;
570bc1c2
SS		 2940 *value = context;
2941 *len = clen;
5e41ff9e 2942 }
5e41ff9e 2943
5e41ff9e
SS		 2944 return 0;
2945}
2946
4acdaf27 2947static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2948{
2949 return may_create(dir, dentry, SECCLASS_FILE);
2950}
2951
1da177e4
LT		 2952static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2953{
1da177e4
LT		 2954 return may_link(dir, old_dentry, MAY_LINK);
2955}
2956
1da177e4
LT		 2957static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2958{
1da177e4
LT		 2959 return may_link(dir, dentry, MAY_UNLINK);
2960}
2961
2962static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2963{
2964 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2965}
2966
18bb1db3 2967static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2968{
2969 return may_create(dir, dentry, SECCLASS_DIR);
2970}
2971
1da177e4
LT		 2972static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2973{
2974 return may_link(dir, dentry, MAY_RMDIR);
2975}
2976
1a67aafb 2977static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2978{
1da177e4
LT		 2979 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2980}
2981
1da177e4 2982static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2983 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2984{
2985 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2986}
2987
1da177e4
LT		 2988static int selinux_inode_readlink(struct dentry *dentry)
2989{
88e67f3b
DH		 2990 const struct cred *cred = current_cred();
2991
2875fa00 2992 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2993}
2994
bda0be7a
N		 2995static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2996 bool rcu)
1da177e4 2997{
88e67f3b 2998 const struct cred *cred = current_cred();
bda0be7a
N		 2999 struct common_audit_data ad;
3000 struct inode_security_struct *isec;
3001 u32 sid;
1da177e4 3002
bda0be7a
N		 3003 validate_creds(cred);
3004
3005 ad.type = LSM_AUDIT_DATA_DENTRY;
3006 ad.u.dentry = dentry;
3007 sid = cred_sid(cred);
5d226df4
AG		 3008 isec = inode_security_rcu(inode, rcu);
3009 if (IS_ERR(isec))
3010 return PTR_ERR(isec);
bda0be7a 3011
e46e01ee
SS		 3012 return avc_has_perm(&selinux_state,
3013 sid, isec->sid, isec->sclass, FILE__READ, &ad);
1da177e4
LT		 3014}
3015
d4cf970d
EP		 3016static noinline int audit_inode_permission(struct inode *inode,
3017 u32 perms, u32 audited, u32 denied,
626b9740 3018 int result,
d4cf970d 3019 unsigned flags)
1da177e4 3020{
b782e0a6 3021 struct common_audit_data ad;
80788c22 3022 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d
EP		 3023 int rc;
3024
50c205f5 3025 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3026 ad.u.inode = inode;
3027
6b6bc620
SS		 3028 rc = slow_avc_audit(&selinux_state,
3029 current_sid(), isec->sid, isec->sclass, perms,
626b9740 3030 audited, denied, result, &ad, flags);
d4cf970d
EP		 3031 if (rc)
3032 return rc;
3033 return 0;
3034}
3035
e74f71eb 3036static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3037{
88e67f3b 3038 const struct cred *cred = current_cred();
b782e0a6
EP		 3039 u32 perms;
3040 bool from_access;
cf1dd1da 3041 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3042 struct inode_security_struct *isec;
3043 u32 sid;
3044 struct av_decision avd;
3045 int rc, rc2;
3046 u32 audited, denied;
1da177e4 3047
b782e0a6 3048 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3049 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3050
b782e0a6
EP		 3051 /* No permission to check. Existence test. */
3052 if (!mask)
1da177e4 3053 return 0;
1da177e4 3054
2e334057 3055 validate_creds(cred);
b782e0a6 3056
2e334057
EP		 3057 if (unlikely(IS_PRIVATE(inode)))
3058 return 0;
b782e0a6
EP		 3059
3060 perms = file_mask_to_av(inode->i_mode, mask);
3061
2e334057 3062 sid = cred_sid(cred);
5d226df4
AG		 3063 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3064 if (IS_ERR(isec))
3065 return PTR_ERR(isec);
2e334057 3066
6b6bc620 3067 rc = avc_has_perm_noaudit(&selinux_state,
3a28cff3
SS		 3068 sid, isec->sid, isec->sclass, perms,
3069 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3070 &avd);
2e334057
EP		 3071 audited = avc_audit_required(perms, &avd, rc,
3072 from_access ? FILE__AUDIT_ACCESS : 0,
3073 &denied);
3074 if (likely(!audited))
3075 return rc;
3076
626b9740 3077 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3078 if (rc2)
3079 return rc2;
3080 return rc;
1da177e4
LT		 3081}
3082
3083static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3084{
88e67f3b 3085 const struct cred *cred = current_cred();
ccb54478 3086 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3087 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3088 __u32 av = FILE__WRITE;
1da177e4 3089
bc6a6008
AW		 3090 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3091 if (ia_valid & ATTR_FORCE) {
3092 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3093 ATTR_FORCE);
3094 if (!ia_valid)
3095 return 0;
3096 }
1da177e4 3097
bc6a6008
AW		 3098 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3099 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3100 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3101
aa8e712c 3102 if (selinux_policycap_openperm() &&
ccb54478
SS		 3103 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3104 (ia_valid & ATTR_SIZE) &&
3105 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3106 av |= FILE__OPEN;
3107
3108 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3109}
3110
3f7036a0 3111static int selinux_inode_getattr(const struct path *path)
1da177e4 3112{
3f7036a0 3113 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3114}
3115
db59000a
SS		 3116static bool has_cap_mac_admin(bool audit)
3117{
3118 const struct cred *cred = current_cred();
c1a85a00 3119 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3120
c1a85a00 3121 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3122 return false;
c1a85a00 3123 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3124 return false;
3125 return true;
3126}
3127
8f0cfa52
DH		 3128static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3129 const void *value, size_t size, int flags)
1da177e4 3130{
c6f493d6 3131 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3132 struct inode_security_struct *isec;
1da177e4 3133 struct superblock_security_struct *sbsec;
2bf49690 3134 struct common_audit_data ad;
275bb41e 3135 u32 newsid, sid = current_sid();
1da177e4
LT		 3136 int rc = 0;
3137
6b240306
EB		 3138 if (strcmp(name, XATTR_NAME_SELINUX)) {
3139 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3140 if (rc)
3141 return rc;
3142
3143 /* Not an attribute we recognize, so just check the
3144 ordinary setattr permission. */
3145 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3146 }
1da177e4
LT		 3147
3148 sbsec = inode->i_sb->s_security;
12f348b9 3149 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3150 return -EOPNOTSUPP;
3151
2e149670 3152 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3153 return -EPERM;
3154
50c205f5 3155 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3156 ad.u.dentry = dentry;
1da177e4 3157
20cdef8d 3158 isec = backing_inode_security(dentry);
6b6bc620
SS		 3159 rc = avc_has_perm(&selinux_state,
3160 sid, isec->sid, isec->sclass,
1da177e4
LT		 3161 FILE__RELABELFROM, &ad);
3162 if (rc)
3163 return rc;
3164
aa8e712c
SS		 3165 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3166 GFP_KERNEL);
12b29f34 3167 if (rc == -EINVAL) {
db59000a 3168 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3169 struct audit_buffer *ab;
3170 size_t audit_size;
d6ea83ec
EP		 3171
3172 /* We strip a nul only if it is at the end, otherwise the
3173 * context contains a nul and we should audit that */
e3fea3f7 3174 if (value) {
add24372
CIK		 3175 const char *str = value;
3176
e3fea3f7
AV		 3177 if (str[size - 1] == '\0')
3178 audit_size = size - 1;
3179 else
3180 audit_size = size;
3181 } else {
e3fea3f7
AV		 3182 audit_size = 0;
3183 }
cdfb6b34
RGB		 3184 ab = audit_log_start(audit_context(),
3185 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3186 audit_log_format(ab, "op=setxattr invalid_context=");
3187 audit_log_n_untrustedstring(ab, value, audit_size);
3188 audit_log_end(ab);
3189
12b29f34 3190 return rc;
d6ea83ec 3191 }
aa8e712c
SS		 3192 rc = security_context_to_sid_force(&selinux_state, value,
3193 size, &newsid);
12b29f34 3194 }
1da177e4
LT		 3195 if (rc)
3196 return rc;
3197
6b6bc620
SS		 3198 rc = avc_has_perm(&selinux_state,
3199 sid, newsid, isec->sclass,
1da177e4
LT		 3200 FILE__RELABELTO, &ad);
3201 if (rc)
3202 return rc;
3203
aa8e712c
SS		 3204 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3205 sid, isec->sclass);
1da177e4
LT		 3206 if (rc)
3207 return rc;
3208
6b6bc620
SS		 3209 return avc_has_perm(&selinux_state,
3210 newsid,
1da177e4
LT		 3211 sbsec->sid,
3212 SECCLASS_FILESYSTEM,
3213 FILESYSTEM__ASSOCIATE,
3214 &ad);
3215}
3216
8f0cfa52 3217static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3218 const void *value, size_t size,
8f0cfa52 3219 int flags)
1da177e4 3220{
c6f493d6 3221 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3222 struct inode_security_struct *isec;
1da177e4
LT		 3223 u32 newsid;
3224 int rc;
3225
3226 if (strcmp(name, XATTR_NAME_SELINUX)) {
3227 /* Not an attribute we recognize, so nothing to do. */
3228 return;
3229 }
3230
aa8e712c
SS		 3231 rc = security_context_to_sid_force(&selinux_state, value, size,
3232 &newsid);
1da177e4 3233 if (rc) {
c103a91e 3234 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3235 "for (%s, %lu), rc=%d\n",
3236 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3237 return;
3238 }
3239
20cdef8d 3240 isec = backing_inode_security(dentry);
9287aed2 3241 spin_lock(&isec->lock);
aa9c2669 3242 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3243 isec->sid = newsid;
6f3be9f5 3244 isec->initialized = LABEL_INITIALIZED;
9287aed2 3245 spin_unlock(&isec->lock);
aa9c2669 3246
1da177e4
LT		 3247 return;
3248}
3249
8f0cfa52 3250static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3251{
88e67f3b
DH		 3252 const struct cred *cred = current_cred();
3253
2875fa00 3254 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3255}
3256
828dfe1d 3257static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3258{
88e67f3b
DH		 3259 const struct cred *cred = current_cred();
3260
2875fa00 3261 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3262}
3263
8f0cfa52 3264static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3265{
6b240306
EB		 3266 if (strcmp(name, XATTR_NAME_SELINUX)) {
3267 int rc = cap_inode_removexattr(dentry, name);
3268 if (rc)
3269 return rc;
3270
3271 /* Not an attribute we recognize, so just check the
3272 ordinary setattr permission. */
3273 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3274 }
1da177e4
LT		 3275
3276 /* No one is allowed to remove a SELinux security label.
3277 You can change the label, but all data must be labeled. */
3278 return -EACCES;
3279}
3280
d381d8a9 3281/*
abc69bb6 3282 * Copy the inode security context value to the user.
d381d8a9
JM		 3283 *
3284 * Permission check is handled by selinux_inode_getxattr hook.
3285 */
ea861dfd 3286static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3287{
42492594
DQ		 3288 u32 size;
3289 int error;
3290 char *context = NULL;
20cdef8d 3291 struct inode_security_struct *isec;
d381d8a9 3292
8c8570fb
DK		 3293 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3294 return -EOPNOTSUPP;
d381d8a9 3295
abc69bb6
SS		 3296 /*
3297 * If the caller has CAP_MAC_ADMIN, then get the raw context
3298 * value even if it is not defined by current policy; otherwise,
3299 * use the in-core value under current policy.
3300 * Use the non-auditing forms of the permission checks since
3301 * getxattr may be called by unprivileged processes commonly
3302 * and lack of permission just means that we fall back to the
3303 * in-core context value, not a denial.
3304 */
20cdef8d 3305 isec = inode_security(inode);
db59000a 3306 if (has_cap_mac_admin(false))
aa8e712c
SS		 3307 error = security_sid_to_context_force(&selinux_state,
3308 isec->sid, &context,
abc69bb6
SS		 3309 &size);
3310 else
aa8e712c
SS		 3311 error = security_sid_to_context(&selinux_state, isec->sid,
3312 &context, &size);
42492594
DQ		 3313 if (error)
3314 return error;
3315 error = size;
3316 if (alloc) {
3317 *buffer = context;
3318 goto out_nofree;
3319 }
3320 kfree(context);
3321out_nofree:
3322 return error;
1da177e4
LT		 3323}
3324
3325static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3326 const void *value, size_t size, int flags)
1da177e4 3327{
2c97165b 3328 struct inode_security_struct *isec = inode_security_novalidate(inode);
53e0c2aa 3329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1da177e4
LT		 3330 u32 newsid;
3331 int rc;
3332
3333 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3334 return -EOPNOTSUPP;
3335
53e0c2aa
OM		 3336 if (!(sbsec->flags & SBLABEL_MNT))
3337 return -EOPNOTSUPP;
3338
1da177e4
LT		 3339 if (!value || !size)
3340 return -EACCES;
3341
aa8e712c
SS		 3342 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3343 GFP_KERNEL);
1da177e4
LT		 3344 if (rc)
3345 return rc;
3346
9287aed2 3347 spin_lock(&isec->lock);
aa9c2669 3348 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3349 isec->sid = newsid;
6f3be9f5 3350 isec->initialized = LABEL_INITIALIZED;
9287aed2 3351 spin_unlock(&isec->lock);
1da177e4
LT		 3352 return 0;
3353}
3354
3355static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3356{
3357 const int len = sizeof(XATTR_NAME_SELINUX);
3358 if (buffer && len <= buffer_size)
3359 memcpy(buffer, XATTR_NAME_SELINUX, len);
3360 return len;
3361}
3362
d6335d77 3363static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3364{
e817c2f3 3365 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3366 *secid = isec->sid;
3367}
3368
56909eb3
VG		 3369static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3370{
3371 u32 sid;
3372 struct task_security_struct *tsec;
3373 struct cred *new_creds = *new;
3374
3375 if (new_creds == NULL) {
3376 new_creds = prepare_creds();
3377 if (!new_creds)
3378 return -ENOMEM;
3379 }
3380
0c6cfa62 3381 tsec = selinux_cred(new_creds);
56909eb3
VG		 3382 /* Get label from overlay inode and set it in create_sid */
3383 selinux_inode_getsecid(d_inode(src), &sid);
3384 tsec->create_sid = sid;
3385 *new = new_creds;
3386 return 0;
3387}
3388
19472b69
VG		 3389static int selinux_inode_copy_up_xattr(const char *name)
3390{
3391 /* The copy_up hook above sets the initial context on an inode, but we
3392 * don't then want to overwrite it by blindly copying all the lower
3393 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3394 */
3395 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3396 return 1; /* Discard */
3397 /*
3398 * Any other attribute apart from SELINUX is not claimed, supported
3399 * by selinux.
3400 */
3401 return -EOPNOTSUPP;
3402}
3403
ec882da5
OM		 3404/* kernfs node operations */
3405
c72c4cde
Y		 3406static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3407 struct kernfs_node *kn)
ec882da5
OM		 3408{
3409 const struct task_security_struct *tsec = current_security();
3410 u32 parent_sid, newsid, clen;
3411 int rc;
3412 char *context;
3413
1537ad15 3414 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3415 if (rc == -ENODATA)
3416 return 0;
3417 else if (rc < 0)
3418 return rc;
3419
3420 clen = (u32)rc;
3421 context = kmalloc(clen, GFP_KERNEL);
3422 if (!context)
3423 return -ENOMEM;
3424
1537ad15 3425 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3426 if (rc < 0) {
3427 kfree(context);
3428 return rc;
3429 }
3430
3431 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3432 GFP_KERNEL);
3433 kfree(context);
3434 if (rc)
3435 return rc;
3436
3437 if (tsec->create_sid) {
3438 newsid = tsec->create_sid;
3439 } else {
3440 u16 secclass = inode_mode_to_security_class(kn->mode);
3441 struct qstr q;
3442
3443 q.name = kn->name;
3444 q.hash_len = hashlen_string(kn_dir, kn->name);
3445
3446 rc = security_transition_sid(&selinux_state, tsec->sid,
3447 parent_sid, secclass, &q,
3448 &newsid);
3449 if (rc)
3450 return rc;
3451 }
3452
3453 rc = security_sid_to_context_force(&selinux_state, newsid,
3454 &context, &clen);
3455 if (rc)
3456 return rc;
3457
1537ad15
OM		 3458 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3459 XATTR_CREATE);
ec882da5
OM		 3460 kfree(context);
3461 return rc;
3462}
3463
3464
1da177e4
LT		 3465/* file security operations */
3466
788e7dd4 3467static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3468{
88e67f3b 3469 const struct cred *cred = current_cred();
496ad9aa 3470 struct inode *inode = file_inode(file);
1da177e4 3471
1da177e4
LT		 3472 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3473 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3474 mask |= MAY_APPEND;
3475
389fb800
PM		 3476 return file_has_perm(cred, file,
3477 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3478}
3479
788e7dd4
YN		 3480static int selinux_file_permission(struct file *file, int mask)
3481{
496ad9aa 3482 struct inode *inode = file_inode(file);
bb6c6b02 3483 struct file_security_struct *fsec = selinux_file(file);
b197367e 3484 struct inode_security_struct *isec;
20dda18b
SS		 3485 u32 sid = current_sid();
3486
389fb800 3487 if (!mask)
788e7dd4
YN		 3488 /* No permission to check. Existence test. */
3489 return 0;
788e7dd4 3490
b197367e 3491 isec = inode_security(inode);
20dda18b 3492 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3493 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3494 /* No change since file_open check. */
20dda18b
SS		 3495 return 0;
3496
788e7dd4
YN		 3497 return selinux_revalidate_file_permission(file, mask);
3498}
3499
1da177e4
LT		 3500static int selinux_file_alloc_security(struct file *file)
3501{
3502 return file_alloc_security(file);
3503}
3504
fa1aa143
JVS		 3505/*
3506 * Check whether a task has the ioctl permission and cmd
3507 * operation to an inode.
3508 */
1d2a168a 3509static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3510 u32 requested, u16 cmd)
3511{
3512 struct common_audit_data ad;
bb6c6b02 3513 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3514 struct inode *inode = file_inode(file);
20cdef8d 3515 struct inode_security_struct *isec;
fa1aa143
JVS		 3516 struct lsm_ioctlop_audit ioctl;
3517 u32 ssid = cred_sid(cred);
3518 int rc;
3519 u8 driver = cmd >> 8;
3520 u8 xperm = cmd & 0xff;
3521
3522 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3523 ad.u.op = &ioctl;
3524 ad.u.op->cmd = cmd;
3525 ad.u.op->path = file->f_path;
3526
3527 if (ssid != fsec->sid) {
6b6bc620
SS		 3528 rc = avc_has_perm(&selinux_state,
3529 ssid, fsec->sid,
fa1aa143
JVS		 3530 SECCLASS_FD,
3531 FD__USE,
3532 &ad);
3533 if (rc)
3534 goto out;
3535 }
3536
3537 if (unlikely(IS_PRIVATE(inode)))
3538 return 0;
3539
20cdef8d 3540 isec = inode_security(inode);
6b6bc620
SS		 3541 rc = avc_has_extended_perms(&selinux_state,
3542 ssid, isec->sid, isec->sclass,
3543 requested, driver, xperm, &ad);
fa1aa143
JVS		 3544out:
3545 return rc;
3546}
3547
1da177e4
LT		 3548static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3549 unsigned long arg)
3550{
88e67f3b 3551 const struct cred *cred = current_cred();
0b24dcb7 3552 int error = 0;
1da177e4 3553
0b24dcb7
EP		 3554 switch (cmd) {
3555 case FIONREAD:
3556 /* fall through */
3557 case FIBMAP:
3558 /* fall through */
3559 case FIGETBSZ:
3560 /* fall through */
2f99c369 3561 case FS_IOC_GETFLAGS:
0b24dcb7 3562 /* fall through */
2f99c369 3563 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3564 error = file_has_perm(cred, file, FILE__GETATTR);
3565 break;
1da177e4 3566
2f99c369 3567 case FS_IOC_SETFLAGS:
0b24dcb7 3568 /* fall through */
2f99c369 3569 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3570 error = file_has_perm(cred, file, FILE__SETATTR);
3571 break;
3572
3573 /* sys_ioctl() checks */
3574 case FIONBIO:
3575 /* fall through */
3576 case FIOASYNC:
3577 error = file_has_perm(cred, file, 0);
3578 break;
1da177e4 3579
0b24dcb7
EP		 3580 case KDSKBENT:
3581 case KDSKBSENT:
6a9de491 3582 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3583 CAP_OPT_NONE, true);
0b24dcb7
EP		 3584 break;
3585
3586 /* default case assumes that the command will go
3587 * to the file's ioctl() function.
3588 */
3589 default:
fa1aa143 3590 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3591 }
3592 return error;
1da177e4
LT		 3593}
3594
fcaaade1
SS		 3595static int default_noexec;
3596
1da177e4
LT		 3597static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3598{
88e67f3b 3599 const struct cred *cred = current_cred();
be0554c9 3600 u32 sid = cred_sid(cred);
d84f4f99 3601 int rc = 0;
88e67f3b 3602
fcaaade1 3603 if (default_noexec &&
892e8cac
SS		 3604 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3605 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3606 /*
3607 * We are making executable an anonymous mapping or a
3608 * private file mapping that will also be writable.
3609 * This has an additional check.
3610 */
6b6bc620
SS		 3611 rc = avc_has_perm(&selinux_state,
3612 sid, sid, SECCLASS_PROCESS,
be0554c9 3613 PROCESS__EXECMEM, NULL);
1da177e4 3614 if (rc)
d84f4f99 3615 goto error;
1da177e4 3616 }
1da177e4
LT		 3617
3618 if (file) {
3619 /* read access is always possible with a mapping */
3620 u32 av = FILE__READ;
3621
3622 /* write access only matters if the mapping is shared */
3623 if (shared && (prot & PROT_WRITE))
3624 av |= FILE__WRITE;
3625
3626 if (prot & PROT_EXEC)
3627 av |= FILE__EXECUTE;
3628
88e67f3b 3629 return file_has_perm(cred, file, av);
1da177e4 3630 }
d84f4f99
DH		 3631
3632error:
3633 return rc;
1da177e4
LT		 3634}
3635
e5467859 3636static int selinux_mmap_addr(unsigned long addr)
1da177e4 3637{
b1d9e6b0 3638 int rc = 0;
1da177e4 3639
a2551df7 3640 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3641 u32 sid = current_sid();
6b6bc620
SS		 3642 rc = avc_has_perm(&selinux_state,
3643 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3644 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3645 }
3646
98883bfd 3647 return rc;
e5467859 3648}
1da177e4 3649
e5467859
AV		 3650static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3651 unsigned long prot, unsigned long flags)
3652{
3ba4bf5f
SS		 3653 struct common_audit_data ad;
3654 int rc;
3655
3656 if (file) {
3657 ad.type = LSM_AUDIT_DATA_FILE;
3658 ad.u.file = file;
3659 rc = inode_has_perm(current_cred(), file_inode(file),
3660 FILE__MAP, &ad);
3661 if (rc)
3662 return rc;
3663 }
3664
aa8e712c 3665 if (selinux_state.checkreqprot)
1da177e4
LT		 3666 prot = reqprot;
3667
3668 return file_map_prot_check(file, prot,
3669 (flags & MAP_TYPE) == MAP_SHARED);
3670}
3671
3672static int selinux_file_mprotect(struct vm_area_struct *vma,
3673 unsigned long reqprot,
3674 unsigned long prot)
3675{
88e67f3b 3676 const struct cred *cred = current_cred();
be0554c9 3677 u32 sid = cred_sid(cred);
1da177e4 3678
aa8e712c 3679 if (selinux_state.checkreqprot)
1da177e4
LT		 3680 prot = reqprot;
3681
fcaaade1
SS		 3682 if (default_noexec &&
3683 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3684 int rc = 0;
db4c9641
SS		 3685 if (vma->vm_start >= vma->vm_mm->start_brk &&
3686 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3687 rc = avc_has_perm(&selinux_state,
3688 sid, sid, SECCLASS_PROCESS,
be0554c9 3689 PROCESS__EXECHEAP, NULL);
db4c9641 3690 } else if (!vma->vm_file &&
c2316dbf
SS		 3691 ((vma->vm_start <= vma->vm_mm->start_stack &&
3692 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3693 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3694 rc = avc_has_perm(&selinux_state,
3695 sid, sid, SECCLASS_PROCESS,
be0554c9 3696 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3697 } else if (vma->vm_file && vma->anon_vma) {
3698 /*
3699 * We are making executable a file mapping that has
3700 * had some COW done. Since pages might have been
3701 * written, check ability to execute the possibly
3702 * modified content. This typically should only
3703 * occur for text relocations.
3704 */
d84f4f99 3705 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3706 }