projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'mmc-v5.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
[linux-block.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4
LT		 2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7efbb60b 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
0d094efe 27#include <linux/tracehook.h>
1da177e4 28#include <linux/errno.h>
3f07c014 29#include <linux/sched/signal.h>
29930025 30#include <linux/sched/task.h>
3c4ed7bd 31#include <linux/lsm_hooks.h>
1da177e4
LT		 32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
0b24dcb7 39#include <linux/proc_fs.h>
1da177e4 40#include <linux/swap.h>
1da177e4
LT		 41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
2a7dba39 43#include <linux/dcache.h>
1da177e4 44#include <linux/file.h>
9f3acc31 45#include <linux/fdtable.h>
1da177e4
LT		 46#include <linux/namei.h>
47#include <linux/mount.h>
442155c1
DH		 48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
d452930f
RH		 69#include <linux/sctp.h>
70#include <net/sctp/structs.h>
1da177e4
LT		 71#include <linux/quota.h>
72#include <linux/un.h> /* for Unix socket types */
73#include <net/af_unix.h> /* for Unix socket types */
74#include <linux/parser.h>
75#include <linux/nfs_mount.h>
76#include <net/ipv6.h>
77#include <linux/hugetlb.h>
78#include <linux/personality.h>
1da177e4 79#include <linux/audit.h>
6931dfc9 80#include <linux/string.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
ec27c356 88#include <linux/bpf.h>
ec882da5
OM		 89#include <linux/kernfs.h>
90#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 91#include <uapi/linux/mount.h>
ac5656d8
AG		 92#include <linux/fsnotify.h>
93#include <linux/fanotify.h>
1da177e4
LT		 94
95#include "avc.h"
96#include "objsec.h"
97#include "netif.h"
224dfbd8 98#include "netnode.h"
3e112172 99#include "netport.h"
409dcf31 100#include "ibpkey.h"
d28d1e08 101#include "xfrm.h"
c60475bf 102#include "netlabel.h"
9d57a7f9 103#include "audit.h"
7b98a585 104#include "avc_ss.h"
1da177e4 105
aa8e712c
SS		 106struct selinux_state selinux_state;
107
d621d35e 108/* SECMARK reference count */
56a4ca99 109static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 110
1da177e4 111#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
6c5a682e 112static int selinux_enforcing_boot __initdata;
1da177e4
LT		 113
114static int __init enforcing_setup(char *str)
115{
f5269710 116 unsigned long enforcing;
29707b20 117 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 118 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 119 return 1;
120}
121__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 122#else
123#define selinux_enforcing_boot 1
1da177e4
LT		 124#endif
125
6c5a682e 126int selinux_enabled_boot __initdata = 1;
1da177e4 127#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 128static int __init selinux_enabled_setup(char *str)
129{
f5269710 130 unsigned long enabled;
29707b20 131 if (!kstrtoul(str, 0, &enabled))
6c5a682e 132 selinux_enabled_boot = enabled ? 1 : 0;
1da177e4
LT		 133 return 1;
134}
135__setup("selinux=", selinux_enabled_setup);
136#endif
137
aa8e712c
SS		 138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
d621d35e
PM		 151/**
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153 *
154 * Description:
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 160 *
161 */
162static int selinux_secmark_enabled(void)
163{
aa8e712c
SS		 164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 166}
167
168/**
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170 *
171 * Description:
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
176 *
177 */
178static int selinux_peerlbl_enabled(void)
179{
aa8e712c
SS		 180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 182}
183
615e51fd
PM		 184static int selinux_netcache_avc_callback(u32 event)
185{
186 if (event == AVC_CALLBACK_RESET) {
187 sel_netif_flush();
188 sel_netnode_flush();
189 sel_netport_flush();
190 synchronize_net();
191 }
192 return 0;
193}
194
8f408ab6
DJ		 195static int selinux_lsm_notifier_avc_callback(u32 event)
196{
409dcf31
DJ		 197 if (event == AVC_CALLBACK_RESET) {
198 sel_ib_pkey_flush();
42df744c 199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 200 }
8f408ab6
DJ		 201
202 return 0;
203}
204
d84f4f99
DH		 205/*
206 * initialise the security for the init task
207 */
208static void cred_init_security(void)
1da177e4 209{
3b11a1de 210 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 211 struct task_security_struct *tsec;
212
bbd3662a 213 tsec = selinux_cred(cred);
d84f4f99 214 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 215}
216
88e67f3b
DH		 217/*
218 * get the security ID of a set of credentials
219 */
220static inline u32 cred_sid(const struct cred *cred)
221{
222 const struct task_security_struct *tsec;
223
0c6cfa62 224 tsec = selinux_cred(cred);
88e67f3b
DH		 225 return tsec->sid;
226}
227
275bb41e 228/*
3b11a1de 229 * get the objective security ID of a task
275bb41e
DH		 230 */
231static inline u32 task_sid(const struct task_struct *task)
232{
275bb41e
DH		 233 u32 sid;
234
235 rcu_read_lock();
88e67f3b 236 sid = cred_sid(__task_cred(task));
275bb41e
DH		 237 rcu_read_unlock();
238 return sid;
239}
240
5d226df4
AG		 241static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
242
243/*
244 * Try reloading inode security labels that have been marked as invalid. The
245 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 246 * allowed; when set to false, returns -ECHILD when the label is
e9193288 247 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 248 */
249static int __inode_security_revalidate(struct inode *inode,
e9193288 250 struct dentry *dentry,
5d226df4
AG		 251 bool may_sleep)
252{
80788c22 253 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 254
255 might_sleep_if(may_sleep);
256
65cddd50 257 if (selinux_initialized(&selinux_state) &&
aa8e712c 258 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 259 if (!may_sleep)
260 return -ECHILD;
261
262 /*
263 * Try reloading the inode security label. This will fail if
264 * @opt_dentry is NULL and no dentry for this inode can be
265 * found; in that case, continue using the old label.
266 */
e9193288 267 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 268 }
269 return 0;
270}
271
5d226df4
AG		 272static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
273{
80788c22 274 return selinux_inode(inode);
5d226df4
AG		 275}
276
277static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
278{
279 int error;
280
281 error = __inode_security_revalidate(inode, NULL, !rcu);
282 if (error)
283 return ERR_PTR(error);
80788c22 284 return selinux_inode(inode);
5d226df4
AG		 285}
286
83da53c5
AG		 287/*
288 * Get the security label of an inode.
289 */
290static struct inode_security_struct *inode_security(struct inode *inode)
291{
5d226df4 292 __inode_security_revalidate(inode, NULL, true);
80788c22 293 return selinux_inode(inode);
83da53c5
AG		 294}
295
2c97165b
PM		 296static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
297{
298 struct inode *inode = d_backing_inode(dentry);
299
80788c22 300 return selinux_inode(inode);
2c97165b
PM		 301}
302
83da53c5
AG		 303/*
304 * Get the security label of a dentry's backing inode.
305 */
306static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
307{
308 struct inode *inode = d_backing_inode(dentry);
309
5d226df4 310 __inode_security_revalidate(inode, dentry, true);
80788c22 311 return selinux_inode(inode);
83da53c5
AG		 312}
313
1da177e4
LT		 314static void inode_free_security(struct inode *inode)
315{
80788c22 316 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 317 struct superblock_security_struct *sbsec;
1da177e4 318
afb1cbe3
CS		 319 if (!isec)
320 return;
321 sbsec = inode->i_sb->s_security;
9629d04a
WL		 322 /*
323 * As not all inode security structures are in a list, we check for
324 * empty list outside of the lock to make sure that we won't waste
325 * time taking a lock doing nothing.
326 *
327 * The list_del_init() function can be safely called more than once.
328 * It should not be possible for this function to be called with
329 * concurrent list_add(), but for better safety against future changes
330 * in the code, we use list_empty_careful() here.
331 */
332 if (!list_empty_careful(&isec->list)) {
333 spin_lock(&sbsec->isec_lock);
1da177e4 334 list_del_init(&isec->list);
9629d04a
WL		 335 spin_unlock(&sbsec->isec_lock);
336 }
1da177e4
LT		 337}
338
1da177e4
LT		 339static void superblock_free_security(struct super_block *sb)
340{
341 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 342 sb->s_security = NULL;
343 kfree(sbsec);
344}
345
bd323655
AV		 346struct selinux_mnt_opts {
347 const char *fscontext, *context, *rootcontext, *defcontext;
348};
349
204cc0cc
AV		 350static void selinux_free_mnt_opts(void *mnt_opts)
351{
bd323655
AV		 352 struct selinux_mnt_opts *opts = mnt_opts;
353 kfree(opts->fscontext);
354 kfree(opts->context);
355 kfree(opts->rootcontext);
356 kfree(opts->defcontext);
204cc0cc
AV		 357 kfree(opts);
358}
359
1da177e4 360enum {
31e87930 361 Opt_error = -1,
442155c1
DH		 362 Opt_context = 0,
363 Opt_defcontext = 1,
1da177e4 364 Opt_fscontext = 2,
442155c1
DH		 365 Opt_rootcontext = 3,
366 Opt_seclabel = 4,
1da177e4
LT		 367};
368
da3d76ab 369#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 370static struct {
371 const char *name;
372 int len;
373 int opt;
374 bool has_arg;
375} tokens[] = {
da3d76ab
AV		 376 A(context, true),
377 A(fscontext, true),
378 A(defcontext, true),
379 A(rootcontext, true),
380 A(seclabel, false),
1da177e4 381};
169d68ef
AV		 382#undef A
383
384static int match_opt_prefix(char *s, int l, char **arg)
385{
386 int i;
387
388 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
389 size_t len = tokens[i].len;
390 if (len > l || memcmp(s, tokens[i].name, len))
391 continue;
392 if (tokens[i].has_arg) {
393 if (len == l || s[len] != '=')
394 continue;
395 *arg = s + len + 1;
396 } else if (len != l)
397 continue;
398 return tokens[i].opt;
399 }
400 return Opt_error;
401}
1da177e4
LT		 402
403#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
404
c312feb2
EP		 405static int may_context_mount_sb_relabel(u32 sid,
406 struct superblock_security_struct *sbsec,
275bb41e 407 const struct cred *cred)
c312feb2 408{
0c6cfa62 409 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 410 int rc;
411
6b6bc620
SS		 412 rc = avc_has_perm(&selinux_state,
413 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 414 FILESYSTEM__RELABELFROM, NULL);
415 if (rc)
416 return rc;
417
6b6bc620
SS		 418 rc = avc_has_perm(&selinux_state,
419 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 420 FILESYSTEM__RELABELTO, NULL);
421 return rc;
422}
423
0808925e
EP		 424static int may_context_mount_inode_relabel(u32 sid,
425 struct superblock_security_struct *sbsec,
275bb41e 426 const struct cred *cred)
0808925e 427{
0c6cfa62 428 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 429 int rc;
6b6bc620
SS		 430 rc = avc_has_perm(&selinux_state,
431 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 432 FILESYSTEM__RELABELFROM, NULL);
433 if (rc)
434 return rc;
435
6b6bc620
SS		 436 rc = avc_has_perm(&selinux_state,
437 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 438 FILESYSTEM__ASSOCIATE, NULL);
439 return rc;
440}
441
a83d6dda 442static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 443{
a83d6dda
OM		 444 /* Special handling. Genfs but also in-core setxattr handler */
445 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 446 !strcmp(sb->s_type->name, "pstore") ||
447 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 448 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 449 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 450 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 451 (!strcmp(sb->s_type->name, "cgroup") ||
452 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 453}
454
a83d6dda
OM		 455static int selinux_is_sblabel_mnt(struct super_block *sb)
456{
457 struct superblock_security_struct *sbsec = sb->s_security;
458
459 /*
460 * IMPORTANT: Double-check logic in this function when adding a new
461 * SECURITY_FS_USE_* definition!
462 */
463 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
464
465 switch (sbsec->behavior) {
466 case SECURITY_FS_USE_XATTR:
467 case SECURITY_FS_USE_TRANS:
468 case SECURITY_FS_USE_TASK:
469 case SECURITY_FS_USE_NATIVE:
470 return 1;
471
472 case SECURITY_FS_USE_GENFS:
473 return selinux_is_genfs_special_handling(sb);
474
475 /* Never allow relabeling on context mounts */
476 case SECURITY_FS_USE_MNTPOINT:
477 case SECURITY_FS_USE_NONE:
478 default:
479 return 0;
480 }
481}
482
c9180a57 483static int sb_finish_set_opts(struct super_block *sb)
1da177e4 484{
1da177e4 485 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 486 struct dentry *root = sb->s_root;
c6f493d6 487 struct inode *root_inode = d_backing_inode(root);
c9180a57 488 int rc = 0;
1da177e4 489
c9180a57
EP		 490 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
491 /* Make sure that the xattr handler exists and that no
492 error other than -ENODATA is returned by getxattr on
493 the root directory. -ENODATA is ok, as this may be
494 the first boot of the SELinux kernel before we have
495 assigned xattr values to the filesystem. */
5d6c3191 496 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 497 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 498 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 499 rc = -EOPNOTSUPP;
500 goto out;
501 }
5d6c3191
AG		 502
503 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 504 if (rc < 0 && rc != -ENODATA) {
505 if (rc == -EOPNOTSUPP)
c103a91e 506 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 507 "%s) has no security xattr handler\n",
508 sb->s_id, sb->s_type->name);
c9180a57 509 else
c103a91e 510 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 511 "%s) getxattr errno %d\n", sb->s_id,
512 sb->s_type->name, -rc);
c9180a57
EP		 513 goto out;
514 }
515 }
1da177e4 516
eadcabc6 517 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 518
519 /*
520 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
521 * leave the flag untouched because sb_clone_mnt_opts might be handing
522 * us a superblock that needs the flag to be cleared.
523 */
b43e725d 524 if (selinux_is_sblabel_mnt(sb))
12f348b9 525 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 526 else
527 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 528
c9180a57
EP		 529 /* Initialize the root inode. */
530 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 531
c9180a57
EP		 532 /* Initialize any other inodes associated with the superblock, e.g.
533 inodes created prior to initial policy load or inodes created
534 during get_sb by a pseudo filesystem that directly
535 populates itself. */
536 spin_lock(&sbsec->isec_lock);
8d64124a 537 while (!list_empty(&sbsec->isec_head)) {
c9180a57 538 struct inode_security_struct *isec =
8d64124a 539 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 540 struct inode_security_struct, list);
541 struct inode *inode = isec->inode;
923190d3 542 list_del_init(&isec->list);
c9180a57
EP		 543 spin_unlock(&sbsec->isec_lock);
544 inode = igrab(inode);
545 if (inode) {
546 if (!IS_PRIVATE(inode))
cb89e246 547 inode_doinit_with_dentry(inode, NULL);
c9180a57
EP		 548 iput(inode);
549 }
550 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 551 }
552 spin_unlock(&sbsec->isec_lock);
553out:
554 return rc;
555}
1da177e4 556
c9180a57
EP		 557static int bad_option(struct superblock_security_struct *sbsec, char flag,
558 u32 old_sid, u32 new_sid)
559{
0d90a7ec
DQ		 560 char mnt_flags = sbsec->flags & SE_MNTMASK;
561
c9180a57 562 /* check if the old mount command had the same options */
0d90a7ec 563 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 564 if (!(sbsec->flags & flag) ||
565 (old_sid != new_sid))
566 return 1;
567
568 /* check if we were passed the same options twice,
569 * aka someone passed context=a,context=b
570 */
0d90a7ec
DQ		 571 if (!(sbsec->flags & SE_SBINITIALIZED))
572 if (mnt_flags & flag)
c9180a57
EP		 573 return 1;
574 return 0;
575}
e0007529 576
bd323655
AV		 577static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
578{
579 int rc = security_context_str_to_sid(&selinux_state, s,
580 sid, GFP_KERNEL);
581 if (rc)
582 pr_warn("SELinux: security_context_str_to_sid"
583 "(%s) failed for (dev %s, type %s) errno=%d\n",
584 s, sb->s_id, sb->s_type->name, rc);
585 return rc;
586}
587
c9180a57
EP		 588/*
589 * Allow filesystems with binary mount data to explicitly set mount point
590 * labeling information.
591 */
e0007529 592static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 593 void *mnt_opts,
649f6e77
DQ		 594 unsigned long kern_flags,
595 unsigned long *set_kern_flags)
c9180a57 596{
275bb41e 597 const struct cred *cred = current_cred();
c9180a57 598 struct superblock_security_struct *sbsec = sb->s_security;
83da53c5 599 struct dentry *root = sbsec->sb->s_root;
bd323655 600 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 601 struct inode_security_struct *root_isec;
c9180a57
EP		 602 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
603 u32 defcontext_sid = 0;
bd323655 604 int rc = 0;
c9180a57
EP		 605
606 mutex_lock(&sbsec->lock);
607
65cddd50 608 if (!selinux_initialized(&selinux_state)) {
bd323655 609 if (!opts) {
c9180a57
EP		 610 /* Defer initialization until selinux_complete_init,
611 after the initial policy is loaded and the security
612 server is ready to handle calls. */
c9180a57
EP		 613 goto out;
614 }
615 rc = -EINVAL;
c103a91e 616 pr_warn("SELinux: Unable to set superblock options "
744ba35e 617 "before the security server is initialized\n");
1da177e4 618 goto out;
c9180a57 619 }
649f6e77
DQ		 620 if (kern_flags && !set_kern_flags) {
621 /* Specifying internal flags without providing a place to
622 * place the results is not allowed */
623 rc = -EINVAL;
624 goto out;
625 }
1da177e4 626
e0007529
EP		 627 /*
628 * Binary mount data FS will come through this function twice. Once
629 * from an explicit call and once from the generic calls from the vfs.
630 * Since the generic VFS calls will not contain any security mount data
631 * we need to skip the double mount verification.
632 *
633 * This does open a hole in which we will not notice if the first
634 * mount using this sb set explict options and a second mount using
635 * this sb does not set any security options. (The first options
636 * will be used for both mounts)
637 */
0d90a7ec 638 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 639 && !opts)
f5269710 640 goto out;
e0007529 641
2c97165b
PM		 642 root_isec = backing_inode_security_novalidate(root);
643
c9180a57
EP		 644 /*
645 * parse the mount options, check if they are valid sids.
646 * also check if someone is trying to mount the same sb more
647 * than once with different security options.
648 */
bd323655
AV		 649 if (opts) {
650 if (opts->fscontext) {
651 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
652 if (rc)
653 goto out;
c9180a57
EP		 654 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
655 fscontext_sid))
656 goto out_double_mount;
c9180a57 657 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 658 }
659 if (opts->context) {
660 rc = parse_sid(sb, opts->context, &context_sid);
661 if (rc)
662 goto out;
c9180a57
EP		 663 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
664 context_sid))
665 goto out_double_mount;
c9180a57 666 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 667 }
668 if (opts->rootcontext) {
669 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
670 if (rc)
671 goto out;
c9180a57
EP		 672 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
673 rootcontext_sid))
674 goto out_double_mount;
c9180a57 675 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 676 }
677 if (opts->defcontext) {
678 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
679 if (rc)
680 goto out;
c9180a57
EP		 681 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
682 defcontext_sid))
683 goto out_double_mount;
c9180a57 684 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 685 }
c9180a57
EP		 686 }
687
0d90a7ec 688 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 689 /* previously mounted with options, but not on this attempt? */
bd323655 690 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 691 goto out_double_mount;
692 rc = 0;
693 goto out;
694 }
695
089be43e 696 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 697 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
698
8e014720 699 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 700 !strcmp(sb->s_type->name, "tracefs") ||
a20456ae 701 !strcmp(sb->s_type->name, "binder") ||
b754026b
OM		 702 !strcmp(sb->s_type->name, "pstore"))
703 sbsec->flags |= SE_SBGENFS;
704
705 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 706 !strcmp(sb->s_type->name, "cgroup") ||
707 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 708 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 709
eb9ae686
DQ		 710 if (!sbsec->behavior) {
711 /*
712 * Determine the labeling behavior to use for this
713 * filesystem type.
714 */
aa8e712c 715 rc = security_fs_use(&selinux_state, sb);
eb9ae686 716 if (rc) {
c103a91e 717 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 718 __func__, sb->s_type->name, rc);
719 goto out;
720 }
c9180a57 721 }
aad82892
SF		 722
723 /*
01593d32
SS		 724 * If this is a user namespace mount and the filesystem type is not
725 * explicitly whitelisted, then no contexts are allowed on the command
726 * line and security labels must be ignored.
aad82892 727 */
01593d32
SS		 728 if (sb->s_user_ns != &init_user_ns &&
729 strcmp(sb->s_type->name, "tmpfs") &&
730 strcmp(sb->s_type->name, "ramfs") &&
731 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 732 if (context_sid || fscontext_sid || rootcontext_sid ||
733 defcontext_sid) {
734 rc = -EACCES;
735 goto out;
736 }
737 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
738 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 739 rc = security_transition_sid(&selinux_state,
740 current_sid(),
741 current_sid(),
aad82892
SF		 742 SECCLASS_FILE, NULL,
743 &sbsec->mntpoint_sid);
744 if (rc)
745 goto out;
746 }
747 goto out_set_opts;
748 }
749
c9180a57
EP		 750 /* sets the context of the superblock for the fs being mounted. */
751 if (fscontext_sid) {
275bb41e 752 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 753 if (rc)
c9180a57 754 goto out;
1da177e4 755
c9180a57 756 sbsec->sid = fscontext_sid;
c312feb2
EP		 757 }
758
759 /*
760 * Switch to using mount point labeling behavior.
761 * sets the label used on all file below the mountpoint, and will set
762 * the superblock context if not already set.
763 */
eb9ae686
DQ		 764 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
765 sbsec->behavior = SECURITY_FS_USE_NATIVE;
766 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
767 }
768
c9180a57
EP		 769 if (context_sid) {
770 if (!fscontext_sid) {
275bb41e
DH		 771 rc = may_context_mount_sb_relabel(context_sid, sbsec,
772 cred);
b04ea3ce 773 if (rc)
c9180a57
EP		 774 goto out;
775 sbsec->sid = context_sid;
b04ea3ce 776 } else {
275bb41e
DH		 777 rc = may_context_mount_inode_relabel(context_sid, sbsec,
778 cred);
b04ea3ce 779 if (rc)
c9180a57 780 goto out;
b04ea3ce 781 }
c9180a57
EP		 782 if (!rootcontext_sid)
783 rootcontext_sid = context_sid;
1da177e4 784
c9180a57 785 sbsec->mntpoint_sid = context_sid;
c312feb2 786 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 787 }
788
c9180a57 789 if (rootcontext_sid) {
275bb41e
DH		 790 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
791 cred);
0808925e 792 if (rc)
c9180a57 793 goto out;
0808925e 794
c9180a57 795 root_isec->sid = rootcontext_sid;
6f3be9f5 796 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 797 }
798
c9180a57 799 if (defcontext_sid) {
eb9ae686
DQ		 800 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
801 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 802 rc = -EINVAL;
c103a91e 803 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 804 "invalid for this filesystem type\n");
805 goto out;
1da177e4
LT		 806 }
807
c9180a57
EP		 808 if (defcontext_sid != sbsec->def_sid) {
809 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 810 sbsec, cred);
c9180a57
EP		 811 if (rc)
812 goto out;
813 }
1da177e4 814
c9180a57 815 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 816 }
817
aad82892 818out_set_opts:
c9180a57 819 rc = sb_finish_set_opts(sb);
1da177e4 820out:
c9180a57 821 mutex_unlock(&sbsec->lock);
1da177e4 822 return rc;
c9180a57
EP		 823out_double_mount:
824 rc = -EINVAL;
c103a91e 825 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 826 "security settings for (dev %s, type %s)\n", sb->s_id,
827 sb->s_type->name);
c9180a57 828 goto out;
1da177e4
LT		 829}
830
094f7b69
JL		 831static int selinux_cmp_sb_context(const struct super_block *oldsb,
832 const struct super_block *newsb)
833{
834 struct superblock_security_struct *old = oldsb->s_security;
835 struct superblock_security_struct *new = newsb->s_security;
836 char oldflags = old->flags & SE_MNTMASK;
837 char newflags = new->flags & SE_MNTMASK;
838
839 if (oldflags != newflags)
840 goto mismatch;
841 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
842 goto mismatch;
843 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
844 goto mismatch;
845 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
846 goto mismatch;
847 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 848 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
849 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 850 if (oldroot->sid != newroot->sid)
851 goto mismatch;
852 }
853 return 0;
854mismatch:
c103a91e 855 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 856 "different security settings for (dev %s, "
857 "type %s)\n", newsb->s_id, newsb->s_type->name);
858 return -EBUSY;
859}
860
861static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 862 struct super_block *newsb,
863 unsigned long kern_flags,
864 unsigned long *set_kern_flags)
1da177e4 865{
0b4d3452 866 int rc = 0;
c9180a57
EP		 867 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
868 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 869
c9180a57
EP		 870 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
871 int set_context = (oldsbsec->flags & CONTEXT_MNT);
872 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 873
0f5e6420
EP		 874 /*
875 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 876 * mount options. thus we can safely deal with this superblock later
0f5e6420 877 */
65cddd50 878 if (!selinux_initialized(&selinux_state))
094f7b69 879 return 0;
c9180a57 880
0b4d3452
SM		 881 /*
882 * Specifying internal flags without providing a place to
883 * place the results is not allowed.
884 */
885 if (kern_flags && !set_kern_flags)
886 return -EINVAL;
887
c9180a57 888 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 889 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 890
094f7b69 891 /* if fs is reusing a sb, make sure that the contexts match */
3815a245
BF		 892 if (newsbsec->flags & SE_SBINITIALIZED) {
893 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
894 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 895 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 896 }
5a552617 897
c9180a57
EP		 898 mutex_lock(&newsbsec->lock);
899
900 newsbsec->flags = oldsbsec->flags;
901
902 newsbsec->sid = oldsbsec->sid;
903 newsbsec->def_sid = oldsbsec->def_sid;
904 newsbsec->behavior = oldsbsec->behavior;
905
0b4d3452
SM		 906 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
907 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 908 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 909 if (rc)
910 goto out;
911 }
912
913 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
914 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
915 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
916 }
917
c9180a57
EP		 918 if (set_context) {
919 u32 sid = oldsbsec->mntpoint_sid;
920
921 if (!set_fscontext)
922 newsbsec->sid = sid;
923 if (!set_rootcontext) {
83da53c5 924 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 925 newisec->sid = sid;
926 }
927 newsbsec->mntpoint_sid = sid;
1da177e4 928 }
c9180a57 929 if (set_rootcontext) {
83da53c5
AG		 930 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
931 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 932
c9180a57 933 newisec->sid = oldisec->sid;
1da177e4
LT		 934 }
935
c9180a57 936 sb_finish_set_opts(newsb);
0b4d3452 937out:
c9180a57 938 mutex_unlock(&newsbsec->lock);
0b4d3452 939 return rc;
c9180a57
EP		 940}
941
ba641862 942static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 943{
ba641862 944 struct selinux_mnt_opts *opts = *mnt_opts;
1da177e4 945
da3d76ab 946 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef 947 return 0;
e0007529 948
ba641862
AV		 949 if (!opts) {
950 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
951 if (!opts)
952 return -ENOMEM;
953 *mnt_opts = opts;
c9180a57 954 }
ba641862
AV		 955 if (!s)
956 return -ENOMEM;
957 switch (token) {
958 case Opt_context:
959 if (opts->context || opts->defcontext)
960 goto Einval;
961 opts->context = s;
962 break;
963 case Opt_fscontext:
964 if (opts->fscontext)
965 goto Einval;
966 opts->fscontext = s;
967 break;
968 case Opt_rootcontext:
969 if (opts->rootcontext)
970 goto Einval;
971 opts->rootcontext = s;
972 break;
973 case Opt_defcontext:
974 if (opts->context || opts->defcontext)
975 goto Einval;
976 opts->defcontext = s;
977 break;
c9180a57 978 }
e0007529 979 return 0;
ba641862
AV		 980Einval:
981 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 982 return -EINVAL;
1da177e4 983}
e0007529 984
757cbe59
AV		 985static int selinux_add_mnt_opt(const char *option, const char *val, int len,
986 void **mnt_opts)
c9180a57 987{
757cbe59
AV		 988 int token = Opt_error;
989 int rc, i;
e0007529 990
757cbe59
AV		 991 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
992 if (strcmp(option, tokens[i].name) == 0) {
993 token = tokens[i].opt;
994 break;
169d68ef 995 }
757cbe59 996 }
e0007529 997
757cbe59
AV		 998 if (token == Opt_error)
999 return -EINVAL;
e0007529 1000
e2e0e097 1001 if (token != Opt_seclabel) {
757cbe59 1002 val = kmemdup_nul(val, len, GFP_KERNEL);
e2e0e097
GZ		 1003 if (!val) {
1004 rc = -ENOMEM;
1005 goto free_opt;
1006 }
1007 }
757cbe59
AV		 1008 rc = selinux_add_opt(token, val, mnt_opts);
1009 if (unlikely(rc)) {
1010 kfree(val);
e2e0e097
GZ		 1011 goto free_opt;
1012 }
1013 return rc;
1014
1015free_opt:
1016 if (*mnt_opts) {
1017 selinux_free_mnt_opts(*mnt_opts);
1018 *mnt_opts = NULL;
1da177e4 1019 }
e0007529
EP		 1020 return rc;
1021}
1da177e4 1022
e3489f89 1023static int show_sid(struct seq_file *m, u32 sid)
2069f457 1024{
e3489f89
AV		 1025 char *context = NULL;
1026 u32 len;
1027 int rc;
11689d47 1028
e3489f89
AV		 1029 rc = security_sid_to_context(&selinux_state, sid,
1030 &context, &len);
1031 if (!rc) {
1032 bool has_comma = context && strchr(context, ',');
2069f457 1033
442155c1 1034 seq_putc(m, '=');
2069f457
EP		 1035 if (has_comma)
1036 seq_putc(m, '\"');
e3489f89 1037 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1038 if (has_comma)
1039 seq_putc(m, '\"');
1040 }
e3489f89
AV		 1041 kfree(context);
1042 return rc;
2069f457
EP		 1043}
1044
1045static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1046{
e3489f89 1047 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1048 int rc;
1049
e3489f89
AV		 1050 if (!(sbsec->flags & SE_SBINITIALIZED))
1051 return 0;
2069f457 1052
65cddd50 1053 if (!selinux_initialized(&selinux_state))
e3489f89 1054 return 0;
2069f457 1055
e3489f89
AV		 1056 if (sbsec->flags & FSCONTEXT_MNT) {
1057 seq_putc(m, ',');
1058 seq_puts(m, FSCONTEXT_STR);
1059 rc = show_sid(m, sbsec->sid);
1060 if (rc)
1061 return rc;
1062 }
1063 if (sbsec->flags & CONTEXT_MNT) {
1064 seq_putc(m, ',');
1065 seq_puts(m, CONTEXT_STR);
1066 rc = show_sid(m, sbsec->mntpoint_sid);
1067 if (rc)
1068 return rc;
1069 }
1070 if (sbsec->flags & DEFCONTEXT_MNT) {
1071 seq_putc(m, ',');
1072 seq_puts(m, DEFCONTEXT_STR);
1073 rc = show_sid(m, sbsec->def_sid);
1074 if (rc)
1075 return rc;
1076 }
1077 if (sbsec->flags & ROOTCONTEXT_MNT) {
1078 struct dentry *root = sbsec->sb->s_root;
1079 struct inode_security_struct *isec = backing_inode_security(root);
1080 seq_putc(m, ',');
1081 seq_puts(m, ROOTCONTEXT_STR);
1082 rc = show_sid(m, isec->sid);
1083 if (rc)
1084 return rc;
1085 }
1086 if (sbsec->flags & SBLABEL_MNT) {
1087 seq_putc(m, ',');
442155c1 1088 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1089 }
1090 return 0;
2069f457
EP		 1091}
1092
1da177e4
LT		 1093static inline u16 inode_mode_to_security_class(umode_t mode)
1094{
1095 switch (mode & S_IFMT) {
1096 case S_IFSOCK:
1097 return SECCLASS_SOCK_FILE;
1098 case S_IFLNK:
1099 return SECCLASS_LNK_FILE;
1100 case S_IFREG:
1101 return SECCLASS_FILE;
1102 case S_IFBLK:
1103 return SECCLASS_BLK_FILE;
1104 case S_IFDIR:
1105 return SECCLASS_DIR;
1106 case S_IFCHR:
1107 return SECCLASS_CHR_FILE;
1108 case S_IFIFO:
1109 return SECCLASS_FIFO_FILE;
1110
1111 }
1112
1113 return SECCLASS_FILE;
1114}
1115
13402580
JM		 1116static inline int default_protocol_stream(int protocol)
1117{
1118 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1119}
1120
1121static inline int default_protocol_dgram(int protocol)
1122{
1123 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1124}
1125
1da177e4
LT		 1126static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1127{
aa8e712c 1128 int extsockclass = selinux_policycap_extsockclass();
da69a530 1129
1da177e4
LT		 1130 switch (family) {
1131 case PF_UNIX:
1132 switch (type) {
1133 case SOCK_STREAM:
1134 case SOCK_SEQPACKET:
1135 return SECCLASS_UNIX_STREAM_SOCKET;
1136 case SOCK_DGRAM:
2a764b52 1137 case SOCK_RAW:
1da177e4
LT		 1138 return SECCLASS_UNIX_DGRAM_SOCKET;
1139 }
1140 break;
1141 case PF_INET:
1142 case PF_INET6:
1143 switch (type) {
1144 case SOCK_STREAM:
da69a530 1145 case SOCK_SEQPACKET:
13402580
JM		 1146 if (default_protocol_stream(protocol))
1147 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1148 else if (extsockclass && protocol == IPPROTO_SCTP)
1149 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1150 else
1151 return SECCLASS_RAWIP_SOCKET;
1da177e4 1152 case SOCK_DGRAM:
13402580
JM		 1153 if (default_protocol_dgram(protocol))
1154 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1155 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1156 protocol == IPPROTO_ICMPV6))
da69a530 1157 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1158 else
1159 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1160 case SOCK_DCCP:
1161 return SECCLASS_DCCP_SOCKET;
13402580 1162 default:
1da177e4
LT		 1163 return SECCLASS_RAWIP_SOCKET;
1164 }
1165 break;
1166 case PF_NETLINK:
1167 switch (protocol) {
1168 case NETLINK_ROUTE:
1169 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1170 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1171 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1172 case NETLINK_NFLOG:
1173 return SECCLASS_NETLINK_NFLOG_SOCKET;
1174 case NETLINK_XFRM:
1175 return SECCLASS_NETLINK_XFRM_SOCKET;
1176 case NETLINK_SELINUX:
1177 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1178 case NETLINK_ISCSI:
1179 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1180 case NETLINK_AUDIT:
1181 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1182 case NETLINK_FIB_LOOKUP:
1183 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1184 case NETLINK_CONNECTOR:
1185 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1186 case NETLINK_NETFILTER:
1187 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1188 case NETLINK_DNRTMSG:
1189 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1190 case NETLINK_KOBJECT_UEVENT:
1191 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1192 case NETLINK_GENERIC:
1193 return SECCLASS_NETLINK_GENERIC_SOCKET;
1194 case NETLINK_SCSITRANSPORT:
1195 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1196 case NETLINK_RDMA:
1197 return SECCLASS_NETLINK_RDMA_SOCKET;
1198 case NETLINK_CRYPTO:
1199 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1200 default:
1201 return SECCLASS_NETLINK_SOCKET;
1202 }
1203 case PF_PACKET:
1204 return SECCLASS_PACKET_SOCKET;
1205 case PF_KEY:
1206 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1207 case PF_APPLETALK:
1208 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1209 }
1210
da69a530
SS		 1211 if (extsockclass) {
1212 switch (family) {
1213 case PF_AX25:
1214 return SECCLASS_AX25_SOCKET;
1215 case PF_IPX:
1216 return SECCLASS_IPX_SOCKET;
1217 case PF_NETROM:
1218 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1219 case PF_ATMPVC:
1220 return SECCLASS_ATMPVC_SOCKET;
1221 case PF_X25:
1222 return SECCLASS_X25_SOCKET;
1223 case PF_ROSE:
1224 return SECCLASS_ROSE_SOCKET;
1225 case PF_DECnet:
1226 return SECCLASS_DECNET_SOCKET;
1227 case PF_ATMSVC:
1228 return SECCLASS_ATMSVC_SOCKET;
1229 case PF_RDS:
1230 return SECCLASS_RDS_SOCKET;
1231 case PF_IRDA:
1232 return SECCLASS_IRDA_SOCKET;
1233 case PF_PPPOX:
1234 return SECCLASS_PPPOX_SOCKET;
1235 case PF_LLC:
1236 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1237 case PF_CAN:
1238 return SECCLASS_CAN_SOCKET;
1239 case PF_TIPC:
1240 return SECCLASS_TIPC_SOCKET;
1241 case PF_BLUETOOTH:
1242 return SECCLASS_BLUETOOTH_SOCKET;
1243 case PF_IUCV:
1244 return SECCLASS_IUCV_SOCKET;
1245 case PF_RXRPC:
1246 return SECCLASS_RXRPC_SOCKET;
1247 case PF_ISDN:
1248 return SECCLASS_ISDN_SOCKET;
1249 case PF_PHONET:
1250 return SECCLASS_PHONET_SOCKET;
1251 case PF_IEEE802154:
1252 return SECCLASS_IEEE802154_SOCKET;
1253 case PF_CAIF:
1254 return SECCLASS_CAIF_SOCKET;
1255 case PF_ALG:
1256 return SECCLASS_ALG_SOCKET;
1257 case PF_NFC:
1258 return SECCLASS_NFC_SOCKET;
1259 case PF_VSOCK:
1260 return SECCLASS_VSOCK_SOCKET;
1261 case PF_KCM:
1262 return SECCLASS_KCM_SOCKET;
1263 case PF_QIPCRTR:
1264 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1265 case PF_SMC:
1266 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1267 case PF_XDP:
1268 return SECCLASS_XDP_SOCKET;
1269#if PF_MAX > 45
da69a530
SS		 1270#error New address family defined, please update this function.
1271#endif
1272 }
1273 }
1274
1da177e4
LT		 1275 return SECCLASS_SOCKET;
1276}
1277
134509d5
SS		 1278static int selinux_genfs_get_sid(struct dentry *dentry,
1279 u16 tclass,
1280 u16 flags,
1281 u32 *sid)
1da177e4 1282{
8e6c9693 1283 int rc;
fc64005c 1284 struct super_block *sb = dentry->d_sb;
8e6c9693 1285 char *buffer, *path;
1da177e4 1286
828dfe1d 1287 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1288 if (!buffer)
1289 return -ENOMEM;
1290
8e6c9693
LAG		 1291 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1292 if (IS_ERR(path))
1293 rc = PTR_ERR(path);
1294 else {
134509d5
SS		 1295 if (flags & SE_SBPROC) {
1296 /* each process gets a /proc/PID/ entry. Strip off the
1297 * PID part to get a valid selinux labeling.
1298 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1299 while (path[1] >= '0' && path[1] <= '9') {
1300 path[1] = '/';
1301 path++;
1302 }
8e6c9693 1303 }
aa8e712c
SS		 1304 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1305 path, tclass, sid);
7bb185ed
SS		 1306 if (rc == -ENOENT) {
1307 /* No match in policy, mark as unlabeled. */
1308 *sid = SECINITSID_UNLABELED;
1309 rc = 0;
1310 }
1da177e4 1311 }
1da177e4
LT		 1312 free_page((unsigned long)buffer);
1313 return rc;
1314}
1da177e4 1315
b754026b
OM		 1316static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1317 u32 def_sid, u32 *sid)
1318{
1319#define INITCONTEXTLEN 255
1320 char *context;
1321 unsigned int len;
1322 int rc;
1323
1324 len = INITCONTEXTLEN;
1325 context = kmalloc(len + 1, GFP_NOFS);
1326 if (!context)
1327 return -ENOMEM;
1328
1329 context[len] = '\0';
1330 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1331 if (rc == -ERANGE) {
1332 kfree(context);
1333
1334 /* Need a larger buffer. Query for the right size. */
1335 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1336 if (rc < 0)
1337 return rc;
1338
1339 len = rc;
1340 context = kmalloc(len + 1, GFP_NOFS);
1341 if (!context)
1342 return -ENOMEM;
1343
1344 context[len] = '\0';
1345 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1346 context, len);
1347 }
1348 if (rc < 0) {
1349 kfree(context);
1350 if (rc != -ENODATA) {
1351 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1352 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1353 return rc;
1354 }
1355 *sid = def_sid;
1356 return 0;
1357 }
1358
1359 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1360 def_sid, GFP_NOFS);
1361 if (rc) {
1362 char *dev = inode->i_sb->s_id;
1363 unsigned long ino = inode->i_ino;
1364
1365 if (rc == -EINVAL) {
1366 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1367 ino, dev, context);
1368 } else {
1369 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1370 __func__, context, -rc, dev, ino);
1371 }
1372 }
1373 kfree(context);
1374 return 0;
1375}
1376
1da177e4
LT		 1377/* The inode's security attributes must be initialized before first use. */
1378static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1379{
1380 struct superblock_security_struct *sbsec = NULL;
80788c22 1381 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1382 u32 task_sid, sid = 0;
1383 u16 sclass;
1da177e4 1384 struct dentry *dentry;
1da177e4 1385 int rc = 0;
1da177e4 1386
6f3be9f5 1387 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1388 return 0;
1da177e4 1389
9287aed2 1390 spin_lock(&isec->lock);
6f3be9f5 1391 if (isec->initialized == LABEL_INITIALIZED)
23970741 1392 goto out_unlock;
1da177e4 1393
13457d07
AG		 1394 if (isec->sclass == SECCLASS_FILE)
1395 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1396
1da177e4 1397 sbsec = inode->i_sb->s_security;
0d90a7ec 1398 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1399 /* Defer initialization until selinux_complete_init,
1400 after the initial policy is loaded and the security
1401 server is ready to handle calls. */
1402 spin_lock(&sbsec->isec_lock);
1403 if (list_empty(&isec->list))
1404 list_add(&isec->list, &sbsec->isec_head);
1405 spin_unlock(&sbsec->isec_lock);
23970741 1406 goto out_unlock;
1da177e4
LT		 1407 }
1408
9287aed2
AG		 1409 sclass = isec->sclass;
1410 task_sid = isec->task_sid;
1411 sid = isec->sid;
1412 isec->initialized = LABEL_PENDING;
1413 spin_unlock(&isec->lock);
1414
1da177e4 1415 switch (sbsec->behavior) {
eb9ae686
DQ		 1416 case SECURITY_FS_USE_NATIVE:
1417 break;
1da177e4 1418 case SECURITY_FS_USE_XATTR:
5d6c3191 1419 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1420 sid = sbsec->def_sid;
1da177e4
LT		 1421 break;
1422 }
1da177e4
LT		 1423 /* Need a dentry, since the xattr API requires one.
1424 Life would be simpler if we could just pass the inode. */
1425 if (opt_dentry) {
1426 /* Called from d_instantiate or d_splice_alias. */
1427 dentry = dget(opt_dentry);
1428 } else {
b127125d
AV		 1429 /*
1430 * Called from selinux_complete_init, try to find a dentry.
1431 * Some filesystems really want a connected one, so try
1432 * that first. We could split SECURITY_FS_USE_XATTR in
1433 * two, depending upon that...
1434 */
1da177e4 1435 dentry = d_find_alias(inode);
b127125d
AV		 1436 if (!dentry)
1437 dentry = d_find_any_alias(inode);
1da177e4
LT		 1438 }
1439 if (!dentry) {
df7f54c0
EP		 1440 /*
1441 * this is can be hit on boot when a file is accessed
1442 * before the policy is loaded. When we load policy we
1443 * may find inodes that have no dentry on the
1444 * sbsec->isec_head list. No reason to complain as these
1445 * will get fixed up the next time we go through
1446 * inode_doinit with a dentry, before these inodes could
1447 * be used again by userspace.
1448 */
9287aed2 1449 goto out;
1da177e4
LT		 1450 }
1451
b754026b
OM		 1452 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1453 &sid);
1da177e4 1454 dput(dentry);
b754026b
OM		 1455 if (rc)
1456 goto out;
1da177e4
LT		 1457 break;
1458 case SECURITY_FS_USE_TASK:
9287aed2 1459 sid = task_sid;
1da177e4
LT		 1460 break;
1461 case SECURITY_FS_USE_TRANS:
1462 /* Default to the fs SID. */
9287aed2 1463 sid = sbsec->sid;
1da177e4
LT		 1464
1465 /* Try to obtain a transition SID. */
aa8e712c
SS		 1466 rc = security_transition_sid(&selinux_state, task_sid, sid,
1467 sclass, NULL, &sid);
1da177e4 1468 if (rc)
9287aed2 1469 goto out;
1da177e4 1470 break;
c312feb2 1471 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1472 sid = sbsec->mntpoint_sid;
c312feb2 1473 break;
1da177e4 1474 default:
c312feb2 1475 /* Default to the fs superblock SID. */
9287aed2 1476 sid = sbsec->sid;
1da177e4 1477
134509d5 1478 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1479 /* We must have a dentry to determine the label on
1480 * procfs inodes */
b127125d 1481 if (opt_dentry) {
f64410ec
PM		 1482 /* Called from d_instantiate or
1483 * d_splice_alias. */
1484 dentry = dget(opt_dentry);
b127125d 1485 } else {
f64410ec 1486 /* Called from selinux_complete_init, try to
b127125d
AV		 1487 * find a dentry. Some filesystems really want
1488 * a connected one, so try that first.
1489 */
f64410ec 1490 dentry = d_find_alias(inode);
b127125d
AV		 1491 if (!dentry)
1492 dentry = d_find_any_alias(inode);
1493 }
f64410ec
PM		 1494 /*
1495 * This can be hit on boot when a file is accessed
1496 * before the policy is loaded. When we load policy we
1497 * may find inodes that have no dentry on the
1498 * sbsec->isec_head list. No reason to complain as
1499 * these will get fixed up the next time we go through
1500 * inode_doinit() with a dentry, before these inodes
1501 * could be used again by userspace.
1502 */
1503 if (!dentry)
9287aed2
AG		 1504 goto out;
1505 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1506 sbsec->flags, &sid);
b754026b
OM		 1507 if (rc) {
1508 dput(dentry);
9287aed2 1509 goto out;
b754026b
OM		 1510 }
1511
1512 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1513 (inode->i_opflags & IOP_XATTR)) {
1514 rc = inode_doinit_use_xattr(inode, dentry,
1515 sid, &sid);
1516 if (rc) {
1517 dput(dentry);
1518 goto out;
1519 }
1520 }
1521 dput(dentry);
1da177e4
LT		 1522 }
1523 break;
1524 }
1525
9287aed2
AG		 1526out:
1527 spin_lock(&isec->lock);
1528 if (isec->initialized == LABEL_PENDING) {
1529 if (!sid || rc) {
1530 isec->initialized = LABEL_INVALID;
1531 goto out_unlock;
1532 }
1533
1534 isec->initialized = LABEL_INITIALIZED;
1535 isec->sid = sid;
1536 }
1da177e4 1537
23970741 1538out_unlock:
9287aed2 1539 spin_unlock(&isec->lock);
1da177e4
LT		 1540 return rc;
1541}
1542
1543/* Convert a Linux signal to an access vector. */
1544static inline u32 signal_to_av(int sig)
1545{
1546 u32 perm = 0;
1547
1548 switch (sig) {
1549 case SIGCHLD:
1550 /* Commonly granted from child to parent. */
1551 perm = PROCESS__SIGCHLD;
1552 break;
1553 case SIGKILL:
1554 /* Cannot be caught or ignored */
1555 perm = PROCESS__SIGKILL;
1556 break;
1557 case SIGSTOP:
1558 /* Cannot be caught or ignored */
1559 perm = PROCESS__SIGSTOP;
1560 break;
1561 default:
1562 /* All other signals. */
1563 perm = PROCESS__SIGNAL;
1564 break;
1565 }
1566
1567 return perm;
1568}
1569
b68e418c
SS		 1570#if CAP_LAST_CAP > 63
1571#error Fix SELinux to handle capabilities > 63.
1572#endif
1573
1da177e4 1574/* Check whether a task is allowed to use a capability. */
6a9de491 1575static int cred_has_capability(const struct cred *cred,
c1a85a00 1576 int cap, unsigned int opts, bool initns)
1da177e4 1577{
2bf49690 1578 struct common_audit_data ad;
06112163 1579 struct av_decision avd;
b68e418c 1580 u16 sclass;
3699c53c 1581 u32 sid = cred_sid(cred);
b68e418c 1582 u32 av = CAP_TO_MASK(cap);
06112163 1583 int rc;
1da177e4 1584
50c205f5 1585 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1586 ad.u.cap = cap;
1587
b68e418c
SS		 1588 switch (CAP_TO_INDEX(cap)) {
1589 case 0:
8e4ff6f2 1590 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1591 break;
1592 case 1:
8e4ff6f2 1593 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1594 break;
1595 default:
c103a91e 1596 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1597 BUG();
a35c6c83 1598 return -EINVAL;
b68e418c 1599 }
06112163 1600
6b6bc620
SS		 1601 rc = avc_has_perm_noaudit(&selinux_state,
1602 sid, sid, sclass, av, 0, &avd);
c1a85a00 1603 if (!(opts & CAP_OPT_NOAUDIT)) {
6b6bc620
SS		 1604 int rc2 = avc_audit(&selinux_state,
1605 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1606 if (rc2)
1607 return rc2;
1608 }
06112163 1609 return rc;
1da177e4
LT		 1610}
1611
1da177e4
LT		 1612/* Check whether a task has a particular permission to an inode.
1613 The 'adp' parameter is optional and allows other audit
1614 data to be passed (e.g. the dentry). */
88e67f3b 1615static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1616 struct inode *inode,
1617 u32 perms,
19e49834 1618 struct common_audit_data *adp)
1da177e4 1619{
1da177e4 1620 struct inode_security_struct *isec;
275bb41e 1621 u32 sid;
1da177e4 1622
e0e81739
DH		 1623 validate_creds(cred);
1624
828dfe1d 1625 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1626 return 0;
1627
88e67f3b 1628 sid = cred_sid(cred);
80788c22 1629 isec = selinux_inode(inode);
1da177e4 1630
6b6bc620
SS		 1631 return avc_has_perm(&selinux_state,
1632 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1633}
1634
1635/* Same as inode_has_perm, but pass explicit audit data containing
1636 the dentry to help the auditing code to more easily generate the
1637 pathname if needed. */
88e67f3b 1638static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1639 struct dentry *dentry,
1640 u32 av)
1641{
c6f493d6 1642 struct inode *inode = d_backing_inode(dentry);
2bf49690 1643 struct common_audit_data ad;
88e67f3b 1644
50c205f5 1645 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1646 ad.u.dentry = dentry;
5d226df4 1647 __inode_security_revalidate(inode, dentry, true);
19e49834 1648 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1649}
1650
1651/* Same as inode_has_perm, but pass explicit audit data containing
1652 the path to help the auditing code to more easily generate the
1653 pathname if needed. */
1654static inline int path_has_perm(const struct cred *cred,
3f7036a0 1655 const struct path *path,
2875fa00
EP		 1656 u32 av)
1657{
c6f493d6 1658 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1659 struct common_audit_data ad;
1660
50c205f5 1661 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1662 ad.u.path = *path;
5d226df4 1663 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1664 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1665}
1666
13f8e981
DH		 1667/* Same as path_has_perm, but uses the inode from the file struct. */
1668static inline int file_path_has_perm(const struct cred *cred,
1669 struct file *file,
1670 u32 av)
1671{
1672 struct common_audit_data ad;
1673
43af5de7
VG		 1674 ad.type = LSM_AUDIT_DATA_FILE;
1675 ad.u.file = file;
19e49834 1676 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1677}
1678
f66e448c
CF		 1679#ifdef CONFIG_BPF_SYSCALL
1680static int bpf_fd_pass(struct file *file, u32 sid);
1681#endif
1682
1da177e4
LT		 1683/* Check whether a task can use an open file descriptor to
1684 access an inode in a given way. Check access to the
1685 descriptor itself, and then use dentry_has_perm to
1686 check a particular permission to the file.
1687 Access to the descriptor is implicitly granted if it
1688 has the same SID as the process. If av is zero, then
1689 access to the file is not checked, e.g. for cases
1690 where only the descriptor is affected like seek. */
88e67f3b
DH		 1691static int file_has_perm(const struct cred *cred,
1692 struct file *file,
1693 u32 av)
1da177e4 1694{
bb6c6b02 1695 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1696 struct inode *inode = file_inode(file);
2bf49690 1697 struct common_audit_data ad;
88e67f3b 1698 u32 sid = cred_sid(cred);
1da177e4
LT		 1699 int rc;
1700
43af5de7
VG		 1701 ad.type = LSM_AUDIT_DATA_FILE;
1702 ad.u.file = file;
1da177e4 1703
275bb41e 1704 if (sid != fsec->sid) {
6b6bc620
SS		 1705 rc = avc_has_perm(&selinux_state,
1706 sid, fsec->sid,
1da177e4
LT		 1707 SECCLASS_FD,
1708 FD__USE,
1709 &ad);
1710 if (rc)
88e67f3b 1711 goto out;
1da177e4
LT		 1712 }
1713
f66e448c
CF		 1714#ifdef CONFIG_BPF_SYSCALL
1715 rc = bpf_fd_pass(file, cred_sid(cred));
1716 if (rc)
1717 return rc;
1718#endif
1719
1da177e4 1720 /* av is zero if only checking access to the descriptor. */
88e67f3b 1721 rc = 0;
1da177e4 1722 if (av)
19e49834 1723 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1724
88e67f3b
DH		 1725out:
1726 return rc;
1da177e4
LT		 1727}
1728
c3c188b2
DH		 1729/*
1730 * Determine the label for an inode that might be unioned.
1731 */
c957f6df
VG		 1732static int
1733selinux_determine_inode_label(const struct task_security_struct *tsec,
1734 struct inode *dir,
1735 const struct qstr *name, u16 tclass,
1736 u32 *_new_isid)
c3c188b2
DH		 1737{
1738 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1739
1740 if ((sbsec->flags & SE_SBINITIALIZED) &&
1741 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1742 *_new_isid = sbsec->mntpoint_sid;
1743 } else if ((sbsec->flags & SBLABEL_MNT) &&
1744 tsec->create_sid) {
1745 *_new_isid = tsec->create_sid;
1746 } else {
20cdef8d 1747 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1748 return security_transition_sid(&selinux_state, tsec->sid,
1749 dsec->sid, tclass,
c3c188b2
DH		 1750 name, _new_isid);
1751 }
1752
1753 return 0;
1754}
1755
1da177e4
LT		 1756/* Check whether a task can create a file. */
1757static int may_create(struct inode *dir,
1758 struct dentry *dentry,
1759 u16 tclass)
1760{
0c6cfa62 1761 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1762 struct inode_security_struct *dsec;
1763 struct superblock_security_struct *sbsec;
275bb41e 1764 u32 sid, newsid;
2bf49690 1765 struct common_audit_data ad;
1da177e4
LT		 1766 int rc;
1767
83da53c5 1768 dsec = inode_security(dir);
1da177e4
LT		 1769 sbsec = dir->i_sb->s_security;
1770
275bb41e 1771 sid = tsec->sid;
275bb41e 1772
50c205f5 1773 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1774 ad.u.dentry = dentry;
1da177e4 1775
6b6bc620
SS		 1776 rc = avc_has_perm(&selinux_state,
1777 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1778 DIR__ADD_NAME | DIR__SEARCH,
1779 &ad);
1780 if (rc)
1781 return rc;
1782
210a2928
YG		 1783 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1784 &newsid);
c3c188b2
DH		 1785 if (rc)
1786 return rc;
1da177e4 1787
6b6bc620
SS		 1788 rc = avc_has_perm(&selinux_state,
1789 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1790 if (rc)
1791 return rc;
1792
6b6bc620
SS		 1793 return avc_has_perm(&selinux_state,
1794 newsid, sbsec->sid,
1da177e4
LT		 1795 SECCLASS_FILESYSTEM,
1796 FILESYSTEM__ASSOCIATE, &ad);
1797}
1798
828dfe1d
EP		 1799#define MAY_LINK 0
1800#define MAY_UNLINK 1
1801#define MAY_RMDIR 2
1da177e4
LT		 1802
1803/* Check whether a task can link, unlink, or rmdir a file/directory. */
1804static int may_link(struct inode *dir,
1805 struct dentry *dentry,
1806 int kind)
1807
1808{
1da177e4 1809 struct inode_security_struct *dsec, *isec;
2bf49690 1810 struct common_audit_data ad;
275bb41e 1811 u32 sid = current_sid();
1da177e4
LT		 1812 u32 av;
1813 int rc;
1814
83da53c5
AG		 1815 dsec = inode_security(dir);
1816 isec = backing_inode_security(dentry);
1da177e4 1817
50c205f5 1818 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1819 ad.u.dentry = dentry;
1da177e4
LT		 1820
1821 av = DIR__SEARCH;
1822 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1823 rc = avc_has_perm(&selinux_state,
1824 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1825 if (rc)
1826 return rc;
1827
1828 switch (kind) {
1829 case MAY_LINK:
1830 av = FILE__LINK;
1831 break;
1832 case MAY_UNLINK:
1833 av = FILE__UNLINK;
1834 break;
1835 case MAY_RMDIR:
1836 av = DIR__RMDIR;
1837 break;
1838 default:
c103a91e 1839 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1840 __func__, kind);
1da177e4
LT		 1841 return 0;
1842 }
1843
6b6bc620
SS		 1844 rc = avc_has_perm(&selinux_state,
1845 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1846 return rc;
1847}
1848
1849static inline int may_rename(struct inode *old_dir,
1850 struct dentry *old_dentry,
1851 struct inode *new_dir,
1852 struct dentry *new_dentry)
1853{
1da177e4 1854 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1855 struct common_audit_data ad;
275bb41e 1856 u32 sid = current_sid();
1da177e4
LT		 1857 u32 av;
1858 int old_is_dir, new_is_dir;
1859 int rc;
1860
83da53c5
AG		 1861 old_dsec = inode_security(old_dir);
1862 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1863 old_is_dir = d_is_dir(old_dentry);
83da53c5 1864 new_dsec = inode_security(new_dir);
1da177e4 1865
50c205f5 1866 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1867
a269434d 1868 ad.u.dentry = old_dentry;
6b6bc620
SS		 1869 rc = avc_has_perm(&selinux_state,
1870 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1871 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1872 if (rc)
1873 return rc;
6b6bc620
SS		 1874 rc = avc_has_perm(&selinux_state,
1875 sid, old_isec->sid,
1da177e4
LT		 1876 old_isec->sclass, FILE__RENAME, &ad);
1877 if (rc)
1878 return rc;
1879 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1880 rc = avc_has_perm(&selinux_state,
1881 sid, old_isec->sid,
1da177e4
LT		 1882 old_isec->sclass, DIR__REPARENT, &ad);
1883 if (rc)
1884 return rc;
1885 }
1886
a269434d 1887 ad.u.dentry = new_dentry;
1da177e4 1888 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1889 if (d_is_positive(new_dentry))
1da177e4 1890 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1891 rc = avc_has_perm(&selinux_state,
1892 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1893 if (rc)
1894 return rc;
2c616d4d 1895 if (d_is_positive(new_dentry)) {
83da53c5 1896 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1897 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1898 rc = avc_has_perm(&selinux_state,
1899 sid, new_isec->sid,
1da177e4
LT		 1900 new_isec->sclass,
1901 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1902 if (rc)
1903 return rc;
1904 }
1905
1906 return 0;
1907}
1908
1909/* Check whether a task can perform a filesystem operation. */
88e67f3b 1910static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1911 struct super_block *sb,
1912 u32 perms,
2bf49690 1913 struct common_audit_data *ad)
1da177e4 1914{
1da177e4 1915 struct superblock_security_struct *sbsec;
88e67f3b 1916 u32 sid = cred_sid(cred);
1da177e4 1917
1da177e4 1918 sbsec = sb->s_security;
6b6bc620
SS		 1919 return avc_has_perm(&selinux_state,
1920 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1921}
1922
1923/* Convert a Linux mode and permission mask to an access vector. */
1924static inline u32 file_mask_to_av(int mode, int mask)
1925{
1926 u32 av = 0;
1927
dba19c60 1928 if (!S_ISDIR(mode)) {
1da177e4
LT		 1929 if (mask & MAY_EXEC)
1930 av |= FILE__EXECUTE;
1931 if (mask & MAY_READ)
1932 av |= FILE__READ;
1933
1934 if (mask & MAY_APPEND)
1935 av |= FILE__APPEND;
1936 else if (mask & MAY_WRITE)
1937 av |= FILE__WRITE;
1938
1939 } else {
1940 if (mask & MAY_EXEC)
1941 av |= DIR__SEARCH;
1942 if (mask & MAY_WRITE)
1943 av |= DIR__WRITE;
1944 if (mask & MAY_READ)
1945 av |= DIR__READ;
1946 }
1947
1948 return av;
1949}
1950
8b6a5a37
EP		 1951/* Convert a Linux file to an access vector. */
1952static inline u32 file_to_av(struct file *file)
1953{
1954 u32 av = 0;
1955
1956 if (file->f_mode & FMODE_READ)
1957 av |= FILE__READ;
1958 if (file->f_mode & FMODE_WRITE) {
1959 if (file->f_flags & O_APPEND)
1960 av |= FILE__APPEND;
1961 else
1962 av |= FILE__WRITE;
1963 }
1964 if (!av) {
1965 /*
1966 * Special file opened with flags 3 for ioctl-only use.
1967 */
1968 av = FILE__IOCTL;
1969 }
1970
1971 return av;
1972}
1973
b0c636b9 1974/*
8b6a5a37 1975 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1976 * open permission.
1977 */
8b6a5a37 1978static inline u32 open_file_to_av(struct file *file)
b0c636b9 1979{
8b6a5a37 1980 u32 av = file_to_av(file);
ccb54478 1981 struct inode *inode = file_inode(file);
b0c636b9 1982
aa8e712c
SS		 1983 if (selinux_policycap_openperm() &&
1984 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 1985 av |= FILE__OPEN;
1986
b0c636b9
EP		 1987 return av;
1988}
1989
1da177e4
LT		 1990/* Hook functions begin here. */
1991
79af7307
SS		 1992static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1993{
1994 u32 mysid = current_sid();
1995 u32 mgrsid = task_sid(mgr);
1996
6b6bc620
SS		 1997 return avc_has_perm(&selinux_state,
1998 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 1999 BINDER__SET_CONTEXT_MGR, NULL);
2000}
2001
2002static int selinux_binder_transaction(struct task_struct *from,
2003 struct task_struct *to)
2004{
2005 u32 mysid = current_sid();
2006 u32 fromsid = task_sid(from);
2007 u32 tosid = task_sid(to);
2008 int rc;
2009
2010 if (mysid != fromsid) {
6b6bc620
SS		 2011 rc = avc_has_perm(&selinux_state,
2012 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2013 BINDER__IMPERSONATE, NULL);
2014 if (rc)
2015 return rc;
2016 }
2017
6b6bc620
SS		 2018 return avc_has_perm(&selinux_state,
2019 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2020 NULL);
2021}
2022
2023static int selinux_binder_transfer_binder(struct task_struct *from,
2024 struct task_struct *to)
2025{
2026 u32 fromsid = task_sid(from);
2027 u32 tosid = task_sid(to);
2028
6b6bc620
SS		 2029 return avc_has_perm(&selinux_state,
2030 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2031 NULL);
2032}
2033
2034static int selinux_binder_transfer_file(struct task_struct *from,
2035 struct task_struct *to,
2036 struct file *file)
2037{
2038 u32 sid = task_sid(to);
bb6c6b02 2039 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2040 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2041 struct inode_security_struct *isec;
79af7307
SS		 2042 struct common_audit_data ad;
2043 int rc;
2044
2045 ad.type = LSM_AUDIT_DATA_PATH;
2046 ad.u.path = file->f_path;
2047
2048 if (sid != fsec->sid) {
6b6bc620
SS		 2049 rc = avc_has_perm(&selinux_state,
2050 sid, fsec->sid,
79af7307
SS		 2051 SECCLASS_FD,
2052 FD__USE,
2053 &ad);
2054 if (rc)
2055 return rc;
2056 }
2057
f66e448c
CF		 2058#ifdef CONFIG_BPF_SYSCALL
2059 rc = bpf_fd_pass(file, sid);
2060 if (rc)
2061 return rc;
2062#endif
2063
83da53c5 2064 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2065 return 0;
2066
20cdef8d 2067 isec = backing_inode_security(dentry);
6b6bc620
SS		 2068 return avc_has_perm(&selinux_state,
2069 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2070 &ad);
2071}
2072
9e48858f 2073static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2074 unsigned int mode)
1da177e4 2075{
be0554c9
SS		 2076 u32 sid = current_sid();
2077 u32 csid = task_sid(child);
2078
2079 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2080 return avc_has_perm(&selinux_state,
2081 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2082
6b6bc620
SS		 2083 return avc_has_perm(&selinux_state,
2084 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2085}
2086
2087static int selinux_ptrace_traceme(struct task_struct *parent)
2088{
6b6bc620
SS		 2089 return avc_has_perm(&selinux_state,
2090 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2091 PROCESS__PTRACE, NULL);
1da177e4
LT		 2092}
2093
2094static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2095 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2096{
6b6bc620
SS		 2097 return avc_has_perm(&selinux_state,
2098 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2099 PROCESS__GETCAP, NULL);
1da177e4
LT		 2100}
2101
d84f4f99
DH		 2102static int selinux_capset(struct cred *new, const struct cred *old,
2103 const kernel_cap_t *effective,
2104 const kernel_cap_t *inheritable,
2105 const kernel_cap_t *permitted)
1da177e4 2106{
6b6bc620
SS		 2107 return avc_has_perm(&selinux_state,
2108 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2109 PROCESS__SETCAP, NULL);
1da177e4
LT		 2110}
2111
5626d3e8
JM		 2112/*
2113 * (This comment used to live with the selinux_task_setuid hook,
2114 * which was removed).
2115 *
2116 * Since setuid only affects the current process, and since the SELinux
2117 * controls are not based on the Linux identity attributes, SELinux does not
2118 * need to control this operation. However, SELinux does control the use of
2119 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2120 */
2121
6a9de491 2122static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2123 int cap, unsigned int opts)
1da177e4 2124{
c1a85a00 2125 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2126}
2127
1da177e4
LT		 2128static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2129{
88e67f3b 2130 const struct cred *cred = current_cred();
1da177e4
LT		 2131 int rc = 0;
2132
2133 if (!sb)
2134 return 0;
2135
2136 switch (cmds) {
828dfe1d
EP		 2137 case Q_SYNC:
2138 case Q_QUOTAON:
2139 case Q_QUOTAOFF:
2140 case Q_SETINFO:
2141 case Q_SETQUOTA:
88e67f3b 2142 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2143 break;
2144 case Q_GETFMT:
2145 case Q_GETINFO:
2146 case Q_GETQUOTA:
88e67f3b 2147 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2148 break;
2149 default:
2150 rc = 0; /* let the kernel handle invalid cmds */
2151 break;
1da177e4
LT		 2152 }
2153 return rc;
2154}
2155
2156static int selinux_quota_on(struct dentry *dentry)
2157{
88e67f3b
DH		 2158 const struct cred *cred = current_cred();
2159
2875fa00 2160 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2161}
2162
12b3052c 2163static int selinux_syslog(int type)
1da177e4 2164{
1da177e4 2165 switch (type) {
d78ca3cd
KC		 2166 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2167 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2168 return avc_has_perm(&selinux_state,
2169 current_sid(), SECINITSID_KERNEL,
be0554c9 2170 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2171 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2172 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2173 /* Set level of messages printed to console */
2174 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2175 return avc_has_perm(&selinux_state,
2176 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2177 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2178 NULL);
1da177e4 2179 }
be0554c9 2180 /* All other syslog types */
6b6bc620
SS		 2181 return avc_has_perm(&selinux_state,
2182 current_sid(), SECINITSID_KERNEL,
be0554c9 2183 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2184}
2185
2186/*
2187 * Check that a process has enough memory to allocate a new virtual
2188 * mapping. 0 means there is enough memory for the allocation to
2189 * succeed and -ENOMEM implies there is not.
2190 *
1da177e4
LT		 2191 * Do not audit the selinux permission check, as this is applied to all
2192 * processes that allocate mappings.
2193 */
34b4e4aa 2194static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2195{
2196 int rc, cap_sys_admin = 0;
1da177e4 2197
b1d9e6b0 2198 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2199 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2200 if (rc == 0)
2201 cap_sys_admin = 1;
2202
b1d9e6b0 2203 return cap_sys_admin;
1da177e4
LT		 2204}
2205
2206/* binprm security operations */
2207
be0554c9 2208static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2209{
2210 u32 sid = 0;
2211 struct task_struct *tracer;
2212
2213 rcu_read_lock();
be0554c9 2214 tracer = ptrace_parent(current);
0c6181cb
PM		 2215 if (tracer)
2216 sid = task_sid(tracer);
2217 rcu_read_unlock();
2218
2219 return sid;
2220}
2221
7b0d0b40
SS		 2222static int check_nnp_nosuid(const struct linux_binprm *bprm,
2223 const struct task_security_struct *old_tsec,
2224 const struct task_security_struct *new_tsec)
2225{
2226 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2227 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2228 int rc;
af63f419 2229 u32 av;
7b0d0b40
SS		 2230
2231 if (!nnp && !nosuid)
2232 return 0; /* neither NNP nor nosuid */
2233
2234 if (new_tsec->sid == old_tsec->sid)
2235 return 0; /* No change in credentials */
2236
2237 /*
af63f419
SS		 2238 * If the policy enables the nnp_nosuid_transition policy capability,
2239 * then we permit transitions under NNP or nosuid if the
2240 * policy allows the corresponding permission between
2241 * the old and new contexts.
7b0d0b40 2242 */
aa8e712c 2243 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2244 av = 0;
7b0d0b40 2245 if (nnp)
af63f419
SS		 2246 av |= PROCESS2__NNP_TRANSITION;
2247 if (nosuid)
2248 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2249 rc = avc_has_perm(&selinux_state,
2250 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2251 SECCLASS_PROCESS2, av, NULL);
2252 if (!rc)
2253 return 0;
7b0d0b40 2254 }
af63f419
SS		 2255
2256 /*
2257 * We also permit NNP or nosuid transitions to bounded SIDs,
2258 * i.e. SIDs that are guaranteed to only be allowed a subset
2259 * of the permissions of the current SID.
2260 */
aa8e712c
SS		 2261 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2262 new_tsec->sid);
af63f419
SS		 2263 if (!rc)
2264 return 0;
2265
2266 /*
2267 * On failure, preserve the errno values for NNP vs nosuid.
2268 * NNP: Operation not permitted for caller.
2269 * nosuid: Permission denied to file.
2270 */
2271 if (nnp)
2272 return -EPERM;
2273 return -EACCES;
7b0d0b40
SS		 2274}
2275
a6f76f23 2276static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2277{
a6f76f23
DH		 2278 const struct task_security_struct *old_tsec;
2279 struct task_security_struct *new_tsec;
1da177e4 2280 struct inode_security_struct *isec;
2bf49690 2281 struct common_audit_data ad;
496ad9aa 2282 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2283 int rc;
2284
a6f76f23
DH		 2285 /* SELinux context only depends on initial program or script and not
2286 * the script interpreter */
ddb4a144 2287 if (bprm->called_set_creds)
1da177e4
LT		 2288 return 0;
2289
0c6cfa62
CS		 2290 old_tsec = selinux_cred(current_cred());
2291 new_tsec = selinux_cred(bprm->cred);
83da53c5 2292 isec = inode_security(inode);
1da177e4
LT		 2293
2294 /* Default to the current task SID. */
a6f76f23
DH		 2295 new_tsec->sid = old_tsec->sid;
2296 new_tsec->osid = old_tsec->sid;
1da177e4 2297
28eba5bf 2298 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2299 new_tsec->create_sid = 0;
2300 new_tsec->keycreate_sid = 0;
2301 new_tsec->sockcreate_sid = 0;
1da177e4 2302
a6f76f23
DH		 2303 if (old_tsec->exec_sid) {
2304 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2305 /* Reset exec SID on execve. */
a6f76f23 2306 new_tsec->exec_sid = 0;
259e5e6c 2307
7b0d0b40
SS		 2308 /* Fail on NNP or nosuid if not an allowed transition. */
2309 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2310 if (rc)
2311 return rc;
1da177e4
LT		 2312 } else {
2313 /* Check for a default transition on this program. */
aa8e712c
SS		 2314 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2315 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2316 &new_tsec->sid);
1da177e4
LT		 2317 if (rc)
2318 return rc;
7b0d0b40
SS		 2319
2320 /*
2321 * Fallback to old SID on NNP or nosuid if not an allowed
2322 * transition.
2323 */
2324 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2325 if (rc)
2326 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2327 }
2328
43af5de7
VG		 2329 ad.type = LSM_AUDIT_DATA_FILE;
2330 ad.u.file = bprm->file;
1da177e4 2331
a6f76f23 2332 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2333 rc = avc_has_perm(&selinux_state,
2334 old_tsec->sid, isec->sid,
1da177e4
LT		 2335 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2336 if (rc)
2337 return rc;
2338 } else {
2339 /* Check permissions for the transition. */
6b6bc620
SS		 2340 rc = avc_has_perm(&selinux_state,
2341 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2342 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2343 if (rc)
2344 return rc;
2345
6b6bc620
SS		 2346 rc = avc_has_perm(&selinux_state,
2347 new_tsec->sid, isec->sid,
1da177e4
LT		 2348 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2349 if (rc)
2350 return rc;
2351
a6f76f23
DH		 2352 /* Check for shared state */
2353 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2354 rc = avc_has_perm(&selinux_state,
2355 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2356 SECCLASS_PROCESS, PROCESS__SHARE,
2357 NULL);
2358 if (rc)
2359 return -EPERM;
2360 }
2361
2362 /* Make sure that anyone attempting to ptrace over a task that
2363 * changes its SID has the appropriate permit */
9227dd2a 2364 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2365 u32 ptsid = ptrace_parent_sid();
a6f76f23 2366 if (ptsid != 0) {
6b6bc620
SS		 2367 rc = avc_has_perm(&selinux_state,
2368 ptsid, new_tsec->sid,
a6f76f23
DH		 2369 SECCLASS_PROCESS,
2370 PROCESS__PTRACE, NULL);
2371 if (rc)
2372 return -EPERM;
2373 }
2374 }
1da177e4 2375
a6f76f23
DH		 2376 /* Clear any possibly unsafe personality bits on exec: */
2377 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2378
1da177e4
LT		 2379 /* Enable secure mode for SIDs transitions unless
2380 the noatsecure permission is granted between
2381 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2382 rc = avc_has_perm(&selinux_state,
2383 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2384 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2385 NULL);
2386 bprm->secureexec |= !!rc;
1da177e4
LT		 2387 }
2388
62874c3a 2389 return 0;
1da177e4
LT		 2390}
2391
c3c073f8
AV		 2392static int match_file(const void *p, struct file *file, unsigned fd)
2393{
2394 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2395}
2396
1da177e4 2397/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2398static inline void flush_unauthorized_files(const struct cred *cred,
2399 struct files_struct *files)
1da177e4 2400{
1da177e4 2401 struct file *file, *devnull = NULL;
b20c8122 2402 struct tty_struct *tty;
24ec839c 2403 int drop_tty = 0;
c3c073f8 2404 unsigned n;
1da177e4 2405
24ec839c 2406 tty = get_current_tty();
1da177e4 2407 if (tty) {
4a510969 2408 spin_lock(&tty->files_lock);
37dd0bd0 2409 if (!list_empty(&tty->tty_files)) {
d996b62a 2410 struct tty_file_private *file_priv;
37dd0bd0 2411
1da177e4 2412 /* Revalidate access to controlling tty.
13f8e981
DH		 2413 Use file_path_has_perm on the tty path directly
2414 rather than using file_has_perm, as this particular
2415 open file may belong to another process and we are
2416 only interested in the inode-based check here. */
d996b62a
NP		 2417 file_priv = list_first_entry(&tty->tty_files,
2418 struct tty_file_private, list);
2419 file = file_priv->file;
13f8e981 2420 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2421 drop_tty = 1;
1da177e4 2422 }
4a510969 2423 spin_unlock(&tty->files_lock);
452a00d2 2424 tty_kref_put(tty);
1da177e4 2425 }
98a27ba4
EB		 2426 /* Reset controlling tty. */
2427 if (drop_tty)
2428 no_tty();
1da177e4
LT		 2429
2430 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2431 n = iterate_fd(files, 0, match_file, cred);
2432 if (!n) /* none found? */
2433 return;
1da177e4 2434
c3c073f8 2435 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2436 if (IS_ERR(devnull))
2437 devnull = NULL;
2438 /* replace all the matching ones with this */
2439 do {
2440 replace_fd(n - 1, devnull, 0);
2441 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2442 if (devnull)
c3c073f8 2443 fput(devnull);
1da177e4
LT		 2444}
2445
a6f76f23
DH		 2446/*
2447 * Prepare a process for imminent new credential changes due to exec
2448 */
2449static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2450{
a6f76f23
DH		 2451 struct task_security_struct *new_tsec;
2452 struct rlimit *rlim, *initrlim;
2453 int rc, i;
d84f4f99 2454
0c6cfa62 2455 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2456 if (new_tsec->sid == new_tsec->osid)
2457 return;
1da177e4 2458
a6f76f23
DH		 2459 /* Close files for which the new task SID is not authorized. */
2460 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2461
a6f76f23
DH		 2462 /* Always clear parent death signal on SID transitions. */
2463 current->pdeath_signal = 0;
0356357c 2464
a6f76f23
DH		 2465 /* Check whether the new SID can inherit resource limits from the old
2466 * SID. If not, reset all soft limits to the lower of the current
2467 * task's hard limit and the init task's soft limit.
2468 *
2469 * Note that the setting of hard limits (even to lower them) can be
2470 * controlled by the setrlimit check. The inclusion of the init task's
2471 * soft limit into the computation is to avoid resetting soft limits
2472 * higher than the default soft limit for cases where the default is
2473 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2474 */
6b6bc620
SS		 2475 rc = avc_has_perm(&selinux_state,
2476 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2477 PROCESS__RLIMITINH, NULL);
2478 if (rc) {
eb2d55a3
ON		 2479 /* protect against do_prlimit() */
2480 task_lock(current);
a6f76f23
DH		 2481 for (i = 0; i < RLIM_NLIMITS; i++) {
2482 rlim = current->signal->rlim + i;
2483 initrlim = init_task.signal->rlim + i;
2484 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2485 }
eb2d55a3 2486 task_unlock(current);
baa73d9e
NP		 2487 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2488 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2489 }
2490}
2491
2492/*
a6f76f23
DH		 2493 * Clean up the process immediately after the installation of new credentials
2494 * due to exec
1da177e4 2495 */
a6f76f23 2496static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2497{
0c6cfa62 2498 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2499 u32 osid, sid;
ddbc7d06 2500 int rc;
1da177e4 2501
a6f76f23
DH		 2502 osid = tsec->osid;
2503 sid = tsec->sid;
2504
2505 if (sid == osid)
1da177e4
LT		 2506 return;
2507
a6f76f23
DH		 2508 /* Check whether the new SID can inherit signal state from the old SID.
2509 * If not, clear itimers to avoid subsequent signal generation and
2510 * flush and unblock signals.
2511 *
2512 * This must occur _after_ the task SID has been updated so that any
2513 * kill done after the flush will be checked against the new SID.
2514 */
6b6bc620
SS		 2515 rc = avc_has_perm(&selinux_state,
2516 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2517 if (rc) {
ddbc7d06
AB		 2518 clear_itimer();
2519
1da177e4 2520 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2521 if (!fatal_signal_pending(current)) {
2522 flush_sigqueue(&current->pending);
2523 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2524 flush_signal_handlers(current, 1);
2525 sigemptyset(&current->blocked);
9e7c8f8c 2526 recalc_sigpending();
3bcac026 2527 }
1da177e4
LT		 2528 spin_unlock_irq(&current->sighand->siglock);
2529 }
2530
a6f76f23
DH		 2531 /* Wake up the parent if it is waiting so that it can recheck
2532 * wait permission to the new task SID. */
ecd6de3c 2533 read_lock(&tasklist_lock);
0b7570e7 2534 __wake_up_parent(current, current->real_parent);
ecd6de3c 2535 read_unlock(&tasklist_lock);
1da177e4
LT		 2536}
2537
2538/* superblock security operations */
2539
2540static int selinux_sb_alloc_security(struct super_block *sb)
2541{
cb89e246
PM		 2542 struct superblock_security_struct *sbsec;
2543
2544 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
2545 if (!sbsec)
2546 return -ENOMEM;
2547
2548 mutex_init(&sbsec->lock);
2549 INIT_LIST_HEAD(&sbsec->isec_head);
2550 spin_lock_init(&sbsec->isec_lock);
2551 sbsec->sb = sb;
2552 sbsec->sid = SECINITSID_UNLABELED;
2553 sbsec->def_sid = SECINITSID_FILE;
2554 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2555 sb->s_security = sbsec;
2556
2557 return 0;
1da177e4
LT		 2558}
2559
2560static void selinux_sb_free_security(struct super_block *sb)
2561{
2562 superblock_free_security(sb);
2563}
2564
99dbbb59 2565static inline int opt_len(const char *s)
1da177e4 2566{
99dbbb59
AV		 2567 bool open_quote = false;
2568 int len;
2569 char c;
1da177e4 2570
99dbbb59
AV		 2571 for (len = 0; (c = s[len]) != '\0'; len++) {
2572 if (c == '"')
2573 open_quote = !open_quote;
2574 if (c == ',' && !open_quote)
2575 break;
3528a953 2576 }
99dbbb59 2577 return len;
3528a953
CO		 2578}
2579
99dbbb59 2580static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2581{
99dbbb59
AV		 2582 char *from = options;
2583 char *to = options;
2584 bool first = true;
fec63753 2585 int rc;
1da177e4 2586
99dbbb59
AV		 2587 while (1) {
2588 int len = opt_len(from);
fec63753 2589 int token;
99dbbb59 2590 char *arg = NULL;
1da177e4 2591
99dbbb59 2592 token = match_opt_prefix(from, len, &arg);
1da177e4 2593
99dbbb59
AV		 2594 if (token != Opt_error) {
2595 char *p, *q;
1da177e4 2596
99dbbb59
AV		 2597 /* strip quotes */
2598 if (arg) {
2599 for (p = q = arg; p < from + len; p++) {
2600 char c = *p;
2601 if (c != '"')
2602 *q++ = c;
2603 }
2604 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2605 if (!arg) {
2606 rc = -ENOMEM;
2607 goto free_opt;
2608 }
99dbbb59
AV		 2609 }
2610 rc = selinux_add_opt(token, arg, mnt_opts);
2611 if (unlikely(rc)) {
2612 kfree(arg);
fec63753 2613 goto free_opt;
99dbbb59
AV		 2614 }
2615 } else {
2616 if (!first) { // copy with preceding comma
2617 from--;
2618 len++;
2619 }
2620 if (to != from)
2621 memmove(to, from, len);
2622 to += len;
2623 first = false;
1da177e4 2624 }
99dbbb59
AV		 2625 if (!from[len])
2626 break;
2627 from += len + 1;
2628 }
2629 *to = '\0';
2630 return 0;
fec63753
GZ		 2631
2632free_opt:
2633 if (*mnt_opts) {
2634 selinux_free_mnt_opts(*mnt_opts);
2635 *mnt_opts = NULL;
2636 }
2637 return rc;
1da177e4
LT		 2638}
2639
204cc0cc 2640static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2641{
bd323655 2642 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2643 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2644 u32 sid;
2645 int rc;
026eb167
EP		 2646
2647 if (!(sbsec->flags & SE_SBINITIALIZED))
2648 return 0;
2649
204cc0cc 2650 if (!opts)
026eb167
EP		 2651 return 0;
2652
bd323655
AV		 2653 if (opts->fscontext) {
2654 rc = parse_sid(sb, opts->fscontext, &sid);
2655 if (rc)
c039bc3c 2656 return rc;
bd323655
AV		 2657 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2658 goto out_bad_option;
026eb167 2659 }
bd323655
AV		 2660 if (opts->context) {
2661 rc = parse_sid(sb, opts->context, &sid);
2662 if (rc)
2663 return rc;
2664 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2665 goto out_bad_option;
2666 }
2667 if (opts->rootcontext) {
2668 struct inode_security_struct *root_isec;
2669 root_isec = backing_inode_security(sb->s_root);
2670 rc = parse_sid(sb, opts->rootcontext, &sid);
2671 if (rc)
2672 return rc;
2673 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2674 goto out_bad_option;
2675 }
2676 if (opts->defcontext) {
2677 rc = parse_sid(sb, opts->defcontext, &sid);
2678 if (rc)
2679 return rc;
2680 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2681 goto out_bad_option;
026eb167 2682 }
c039bc3c 2683 return 0;
026eb167 2684
026eb167 2685out_bad_option:
c103a91e 2686 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2687 "during remount (dev %s, type=%s)\n", sb->s_id,
2688 sb->s_type->name);
c039bc3c 2689 return -EINVAL;
026eb167
EP		 2690}
2691
a10d7c22 2692static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2693{
88e67f3b 2694 const struct cred *cred = current_cred();
2bf49690 2695 struct common_audit_data ad;
74192246 2696
50c205f5 2697 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2698 ad.u.dentry = sb->s_root;
88e67f3b 2699 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2700}
2701
726c3342 2702static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2703{
88e67f3b 2704 const struct cred *cred = current_cred();
2bf49690 2705 struct common_audit_data ad;
1da177e4 2706
50c205f5 2707 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2708 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2709 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2710}
2711
808d4e3c 2712static int selinux_mount(const char *dev_name,
8a04c43b 2713 const struct path *path,
808d4e3c 2714 const char *type,
828dfe1d
EP		 2715 unsigned long flags,
2716 void *data)
1da177e4 2717{
88e67f3b 2718 const struct cred *cred = current_cred();
1da177e4
LT		 2719
2720 if (flags & MS_REMOUNT)
d8c9584e 2721 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2722 FILESYSTEM__REMOUNT, NULL);
1da177e4 2723 else
2875fa00 2724 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2725}
2726
98aa0034
SS		 2727static int selinux_move_mount(const struct path *from_path,
2728 const struct path *to_path)
2729{
2730 const struct cred *cred = current_cred();
2731
2732 return path_has_perm(cred, to_path, FILE__MOUNTON);
2733}
2734
1da177e4
LT		 2735static int selinux_umount(struct vfsmount *mnt, int flags)
2736{
88e67f3b 2737 const struct cred *cred = current_cred();
1da177e4 2738
88e67f3b 2739 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2740 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2741}
2742
0b52075e
AV		 2743static int selinux_fs_context_dup(struct fs_context *fc,
2744 struct fs_context *src_fc)
2745{
2746 const struct selinux_mnt_opts *src = src_fc->security;
2747 struct selinux_mnt_opts *opts;
2748
2749 if (!src)
2750 return 0;
2751
2752 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2753 if (!fc->security)
2754 return -ENOMEM;
2755
2756 opts = fc->security;
2757
2758 if (src->fscontext) {
2759 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2760 if (!opts->fscontext)
2761 return -ENOMEM;
2762 }
2763 if (src->context) {
2764 opts->context = kstrdup(src->context, GFP_KERNEL);
2765 if (!opts->context)
2766 return -ENOMEM;
2767 }
2768 if (src->rootcontext) {
2769 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2770 if (!opts->rootcontext)
2771 return -ENOMEM;
2772 }
2773 if (src->defcontext) {
2774 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2775 if (!opts->defcontext)
2776 return -ENOMEM;
2777 }
2778 return 0;
2779}
2780
d7167b14 2781static const struct fs_parameter_spec selinux_fs_parameters[] = {
442155c1
DH		 2782 fsparam_string(CONTEXT_STR, Opt_context),
2783 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2784 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2785 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2786 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2787 {}
2788};
2789
442155c1
DH		 2790static int selinux_fs_context_parse_param(struct fs_context *fc,
2791 struct fs_parameter *param)
2792{
2793 struct fs_parse_result result;
2794 int opt, rc;
2795
d7167b14 2796 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
442155c1
DH		 2797 if (opt < 0)
2798 return opt;
2799
2800 rc = selinux_add_opt(opt, param->string, &fc->security);
2801 if (!rc) {
2802 param->string = NULL;
2803 rc = 1;
2804 }
2805 return rc;
2806}
2807
1da177e4
LT		 2808/* inode security operations */
2809
2810static int selinux_inode_alloc_security(struct inode *inode)
2811{
cb89e246
PM		 2812 struct inode_security_struct *isec = selinux_inode(inode);
2813 u32 sid = current_sid();
2814
2815 spin_lock_init(&isec->lock);
2816 INIT_LIST_HEAD(&isec->list);
2817 isec->inode = inode;
2818 isec->sid = SECINITSID_UNLABELED;
2819 isec->sclass = SECCLASS_FILE;
2820 isec->task_sid = sid;
2821 isec->initialized = LABEL_INVALID;
2822
2823 return 0;
1da177e4
LT		 2824}
2825
2826static void selinux_inode_free_security(struct inode *inode)
2827{
2828 inode_free_security(inode);
2829}
2830
d47be3df 2831static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2832 const struct qstr *name, void **ctx,
d47be3df
DQ		 2833 u32 *ctxlen)
2834{
d47be3df
DQ		 2835 u32 newsid;
2836 int rc;
2837
0c6cfa62 2838 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2839 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2840 inode_mode_to_security_class(mode),
2841 &newsid);
2842 if (rc)
2843 return rc;
d47be3df 2844
aa8e712c
SS		 2845 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2846 ctxlen);
d47be3df
DQ		 2847}
2848
a518b0a5
VG		 2849static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2850 struct qstr *name,
2851 const struct cred *old,
2852 struct cred *new)
2853{
2854 u32 newsid;
2855 int rc;
2856 struct task_security_struct *tsec;
2857
0c6cfa62 2858 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2859 d_inode(dentry->d_parent), name,
2860 inode_mode_to_security_class(mode),
2861 &newsid);
2862 if (rc)
2863 return rc;
2864
0c6cfa62 2865 tsec = selinux_cred(new);
a518b0a5
VG		 2866 tsec->create_sid = newsid;
2867 return 0;
2868}
2869
5e41ff9e 2870static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2871 const struct qstr *qstr,
2872 const char **name,
2a7dba39 2873 void **value, size_t *len)
5e41ff9e 2874{
0c6cfa62 2875 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2876 struct superblock_security_struct *sbsec;
c0d4f464 2877 u32 newsid, clen;
5e41ff9e 2878 int rc;
9548906b 2879 char *context;
5e41ff9e 2880
5e41ff9e 2881 sbsec = dir->i_sb->s_security;
5e41ff9e 2882
275bb41e
DH		 2883 newsid = tsec->create_sid;
2884
210a2928 2885 rc = selinux_determine_inode_label(tsec, dir, qstr,
c3c188b2
DH		 2886 inode_mode_to_security_class(inode->i_mode),
2887 &newsid);
2888 if (rc)
2889 return rc;
5e41ff9e 2890
296fddf7 2891 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2892 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2893 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2894 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2895 isec->sid = newsid;
6f3be9f5 2896 isec->initialized = LABEL_INITIALIZED;
296fddf7 2897 }
5e41ff9e 2898
65cddd50
OM		 2899 if (!selinux_initialized(&selinux_state) ||
2900 !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2901 return -EOPNOTSUPP;
2902
9548906b
TH		 2903 if (name)
2904 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2905
570bc1c2 2906 if (value && len) {
aa8e712c
SS		 2907 rc = security_sid_to_context_force(&selinux_state, newsid,
2908 &context, &clen);
9548906b 2909 if (rc)
570bc1c2 2910 return rc;
570bc1c2
SS		 2911 *value = context;
2912 *len = clen;
5e41ff9e 2913 }
5e41ff9e 2914
5e41ff9e
SS		 2915 return 0;
2916}
2917
4acdaf27 2918static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2919{
2920 return may_create(dir, dentry, SECCLASS_FILE);
2921}
2922
1da177e4
LT		 2923static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2924{
1da177e4
LT		 2925 return may_link(dir, old_dentry, MAY_LINK);
2926}
2927
1da177e4
LT		 2928static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2929{
1da177e4
LT		 2930 return may_link(dir, dentry, MAY_UNLINK);
2931}
2932
2933static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2934{
2935 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2936}
2937
18bb1db3 2938static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2939{
2940 return may_create(dir, dentry, SECCLASS_DIR);
2941}
2942
1da177e4
LT		 2943static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2944{
2945 return may_link(dir, dentry, MAY_RMDIR);
2946}
2947
1a67aafb 2948static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2949{
1da177e4
LT		 2950 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2951}
2952
1da177e4 2953static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2954 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2955{
2956 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2957}
2958
1da177e4
LT		 2959static int selinux_inode_readlink(struct dentry *dentry)
2960{
88e67f3b
DH		 2961 const struct cred *cred = current_cred();
2962
2875fa00 2963 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2964}
2965
bda0be7a
N		 2966static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2967 bool rcu)
1da177e4 2968{
88e67f3b 2969 const struct cred *cred = current_cred();
bda0be7a
N		 2970 struct common_audit_data ad;
2971 struct inode_security_struct *isec;
2972 u32 sid;
1da177e4 2973
bda0be7a
N		 2974 validate_creds(cred);
2975
2976 ad.type = LSM_AUDIT_DATA_DENTRY;
2977 ad.u.dentry = dentry;
2978 sid = cred_sid(cred);
5d226df4
AG		 2979 isec = inode_security_rcu(inode, rcu);
2980 if (IS_ERR(isec))
2981 return PTR_ERR(isec);
bda0be7a 2982
1a37079c
SS		 2983 return avc_has_perm_flags(&selinux_state,
2984 sid, isec->sid, isec->sclass, FILE__READ, &ad,
2985 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2986}
2987
d4cf970d
EP		 2988static noinline int audit_inode_permission(struct inode *inode,
2989 u32 perms, u32 audited, u32 denied,
0188d5c0 2990 int result)
1da177e4 2991{
b782e0a6 2992 struct common_audit_data ad;
80788c22 2993 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d
EP		 2994 int rc;
2995
50c205f5 2996 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2997 ad.u.inode = inode;
2998
6b6bc620
SS		 2999 rc = slow_avc_audit(&selinux_state,
3000 current_sid(), isec->sid, isec->sclass, perms,
0188d5c0 3001 audited, denied, result, &ad);
d4cf970d
EP		 3002 if (rc)
3003 return rc;
3004 return 0;
3005}
3006
e74f71eb 3007static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3008{
88e67f3b 3009 const struct cred *cred = current_cred();
b782e0a6
EP		 3010 u32 perms;
3011 bool from_access;
5298d0b9 3012 bool no_block = mask & MAY_NOT_BLOCK;
2e334057
EP		 3013 struct inode_security_struct *isec;
3014 u32 sid;
3015 struct av_decision avd;
3016 int rc, rc2;
3017 u32 audited, denied;
1da177e4 3018
b782e0a6 3019 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3020 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3021
b782e0a6
EP		 3022 /* No permission to check. Existence test. */
3023 if (!mask)
1da177e4 3024 return 0;
1da177e4 3025
2e334057 3026 validate_creds(cred);
b782e0a6 3027
2e334057
EP		 3028 if (unlikely(IS_PRIVATE(inode)))
3029 return 0;
b782e0a6
EP		 3030
3031 perms = file_mask_to_av(inode->i_mode, mask);
3032
2e334057 3033 sid = cred_sid(cred);
5298d0b9 3034 isec = inode_security_rcu(inode, no_block);
5d226df4
AG		 3035 if (IS_ERR(isec))
3036 return PTR_ERR(isec);
2e334057 3037
6b6bc620 3038 rc = avc_has_perm_noaudit(&selinux_state,
3a28cff3 3039 sid, isec->sid, isec->sclass, perms,
5298d0b9 3040 no_block ? AVC_NONBLOCKING : 0,
3a28cff3 3041 &avd);
2e334057
EP		 3042 audited = avc_audit_required(perms, &avd, rc,
3043 from_access ? FILE__AUDIT_ACCESS : 0,
3044 &denied);
3045 if (likely(!audited))
3046 return rc;
3047
0188d5c0 3048 /* fall back to ref-walk if we have to generate audit */
5298d0b9 3049 if (no_block)
0188d5c0
SS		 3050 return -ECHILD;
3051
3052 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
2e334057
EP		 3053 if (rc2)
3054 return rc2;
3055 return rc;
1da177e4
LT		 3056}
3057
3058static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3059{
88e67f3b 3060 const struct cred *cred = current_cred();
ccb54478 3061 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3062 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3063 __u32 av = FILE__WRITE;
1da177e4 3064
bc6a6008
AW		 3065 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3066 if (ia_valid & ATTR_FORCE) {
3067 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3068 ATTR_FORCE);
3069 if (!ia_valid)
3070 return 0;
3071 }
1da177e4 3072
bc6a6008
AW		 3073 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3074 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3075 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3076
aa8e712c 3077 if (selinux_policycap_openperm() &&
ccb54478
SS		 3078 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3079 (ia_valid & ATTR_SIZE) &&
3080 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3081 av |= FILE__OPEN;
3082
3083 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3084}
3085
3f7036a0 3086static int selinux_inode_getattr(const struct path *path)
1da177e4 3087{
3f7036a0 3088 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3089}
3090
db59000a
SS		 3091static bool has_cap_mac_admin(bool audit)
3092{
3093 const struct cred *cred = current_cred();
c1a85a00 3094 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3095
c1a85a00 3096 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3097 return false;
c1a85a00 3098 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3099 return false;
3100 return true;
3101}
3102
8f0cfa52
DH		 3103static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3104 const void *value, size_t size, int flags)
1da177e4 3105{
c6f493d6 3106 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3107 struct inode_security_struct *isec;
1da177e4 3108 struct superblock_security_struct *sbsec;
2bf49690 3109 struct common_audit_data ad;
275bb41e 3110 u32 newsid, sid = current_sid();
1da177e4
LT		 3111 int rc = 0;
3112
6b240306
EB		 3113 if (strcmp(name, XATTR_NAME_SELINUX)) {
3114 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3115 if (rc)
3116 return rc;
3117
3118 /* Not an attribute we recognize, so just check the
3119 ordinary setattr permission. */
3120 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3121 }
1da177e4 3122
65cddd50 3123 if (!selinux_initialized(&selinux_state))
3e3e24b4
JL		 3124 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3125
1da177e4 3126 sbsec = inode->i_sb->s_security;
12f348b9 3127 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3128 return -EOPNOTSUPP;
3129
2e149670 3130 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3131 return -EPERM;
3132
50c205f5 3133 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3134 ad.u.dentry = dentry;
1da177e4 3135
20cdef8d 3136 isec = backing_inode_security(dentry);
6b6bc620
SS		 3137 rc = avc_has_perm(&selinux_state,
3138 sid, isec->sid, isec->sclass,
1da177e4
LT		 3139 FILE__RELABELFROM, &ad);
3140 if (rc)
3141 return rc;
3142
aa8e712c
SS		 3143 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3144 GFP_KERNEL);
12b29f34 3145 if (rc == -EINVAL) {
db59000a 3146 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3147 struct audit_buffer *ab;
3148 size_t audit_size;
d6ea83ec
EP		 3149
3150 /* We strip a nul only if it is at the end, otherwise the
3151 * context contains a nul and we should audit that */
e3fea3f7 3152 if (value) {
add24372
CIK		 3153 const char *str = value;
3154
e3fea3f7
AV		 3155 if (str[size - 1] == '\0')
3156 audit_size = size - 1;
3157 else
3158 audit_size = size;
3159 } else {
e3fea3f7
AV		 3160 audit_size = 0;
3161 }
cdfb6b34
RGB		 3162 ab = audit_log_start(audit_context(),
3163 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3164 audit_log_format(ab, "op=setxattr invalid_context=");
3165 audit_log_n_untrustedstring(ab, value, audit_size);
3166 audit_log_end(ab);
3167
12b29f34 3168 return rc;
d6ea83ec 3169 }
aa8e712c
SS		 3170 rc = security_context_to_sid_force(&selinux_state, value,
3171 size, &newsid);
12b29f34 3172 }
1da177e4
LT		 3173 if (rc)
3174 return rc;
3175
6b6bc620
SS		 3176 rc = avc_has_perm(&selinux_state,
3177 sid, newsid, isec->sclass,
1da177e4
LT		 3178 FILE__RELABELTO, &ad);
3179 if (rc)
3180 return rc;
3181
aa8e712c
SS		 3182 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3183 sid, isec->sclass);
1da177e4
LT		 3184 if (rc)
3185 return rc;
3186
6b6bc620
SS		 3187 return avc_has_perm(&selinux_state,
3188 newsid,
1da177e4
LT		 3189 sbsec->sid,
3190 SECCLASS_FILESYSTEM,
3191 FILESYSTEM__ASSOCIATE,
3192 &ad);
3193}
3194
8f0cfa52 3195static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3196 const void *value, size_t size,
8f0cfa52 3197 int flags)
1da177e4 3198{
c6f493d6 3199 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3200 struct inode_security_struct *isec;
1da177e4
LT		 3201 u32 newsid;
3202 int rc;
3203
3204 if (strcmp(name, XATTR_NAME_SELINUX)) {
3205 /* Not an attribute we recognize, so nothing to do. */
3206 return;
3207 }
3208
65cddd50 3209 if (!selinux_initialized(&selinux_state)) {
3e3e24b4
JL		 3210 /* If we haven't even been initialized, then we can't validate
3211 * against a policy, so leave the label as invalid. It may
3212 * resolve to a valid label on the next revalidation try if
3213 * we've since initialized.
3214 */
3215 return;
3216 }
3217
aa8e712c
SS		 3218 rc = security_context_to_sid_force(&selinux_state, value, size,
3219 &newsid);
1da177e4 3220 if (rc) {
c103a91e 3221 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3222 "for (%s, %lu), rc=%d\n",
3223 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3224 return;
3225 }
3226
20cdef8d 3227 isec = backing_inode_security(dentry);
9287aed2 3228 spin_lock(&isec->lock);
aa9c2669 3229 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3230 isec->sid = newsid;
6f3be9f5 3231 isec->initialized = LABEL_INITIALIZED;
9287aed2 3232 spin_unlock(&isec->lock);
aa9c2669 3233
1da177e4
LT		 3234 return;
3235}
3236
8f0cfa52 3237static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3238{
88e67f3b
DH		 3239 const struct cred *cred = current_cred();
3240
2875fa00 3241 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3242}
3243
828dfe1d 3244static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3245{
88e67f3b
DH		 3246 const struct cred *cred = current_cred();
3247
2875fa00 3248 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3249}
3250
8f0cfa52 3251static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3252{
6b240306
EB		 3253 if (strcmp(name, XATTR_NAME_SELINUX)) {
3254 int rc = cap_inode_removexattr(dentry, name);
3255 if (rc)
3256 return rc;
3257
3258 /* Not an attribute we recognize, so just check the
3259 ordinary setattr permission. */
3260 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3261 }
1da177e4
LT		 3262
3263 /* No one is allowed to remove a SELinux security label.
3264 You can change the label, but all data must be labeled. */
3265 return -EACCES;
3266}
3267
ac5656d8
AG		 3268static int selinux_path_notify(const struct path *path, u64 mask,
3269 unsigned int obj_type)
3270{
3271 int ret;
3272 u32 perm;
3273
3274 struct common_audit_data ad;
3275
3276 ad.type = LSM_AUDIT_DATA_PATH;
3277 ad.u.path = *path;
3278
3279 /*
3280 * Set permission needed based on the type of mark being set.
3281 * Performs an additional check for sb watches.
3282 */
3283 switch (obj_type) {
3284 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3285 perm = FILE__WATCH_MOUNT;
3286 break;
3287 case FSNOTIFY_OBJ_TYPE_SB:
3288 perm = FILE__WATCH_SB;
3289 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3290 FILESYSTEM__WATCH, &ad);
3291 if (ret)
3292 return ret;
3293 break;
3294 case FSNOTIFY_OBJ_TYPE_INODE:
3295 perm = FILE__WATCH;
3296 break;
3297 default:
3298 return -EINVAL;
3299 }
3300
3301 /* blocking watches require the file:watch_with_perm permission */
3302 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3303 perm |= FILE__WATCH_WITH_PERM;
3304
3305 /* watches on read-like events need the file:watch_reads permission */
3306 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3307 perm |= FILE__WATCH_READS;
3308
3309 return path_has_perm(current_cred(), path, perm);
3310}
3311
d381d8a9 3312/*
abc69bb6 3313 * Copy the inode security context value to the user.
d381d8a9
JM		 3314 *
3315 * Permission check is handled by selinux_inode_getxattr hook.
3316 */
ea861dfd 3317static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3318{
42492594
DQ		 3319 u32 size;
3320 int error;
3321 char *context = NULL;
20cdef8d 3322 struct inode_security_struct *isec;
d381d8a9 3323
8c8570fb
DK		 3324 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3325 return -EOPNOTSUPP;
d381d8a9 3326
abc69bb6
SS		 3327 /*
3328 * If the caller has CAP_MAC_ADMIN, then get the raw context
3329 * value even if it is not defined by current policy; otherwise,
3330 * use the in-core value under current policy.
3331 * Use the non-auditing forms of the permission checks since
3332 * getxattr may be called by unprivileged processes commonly
3333 * and lack of permission just means that we fall back to the
3334 * in-core context value, not a denial.
3335 */
20cdef8d 3336 isec = inode_security(inode);
db59000a 3337 if (has_cap_mac_admin(false))
aa8e712c
SS		 3338 error = security_sid_to_context_force(&selinux_state,
3339 isec->sid, &context,
abc69bb6
SS		 3340 &size);
3341 else
aa8e712c
SS		 3342 error = security_sid_to_context(&selinux_state, isec->sid,
3343 &context, &size);
42492594
DQ		 3344 if (error)
3345 return error;
3346 error = size;
3347 if (alloc) {
3348 *buffer = context;
3349 goto out_nofree;
3350 }
3351 kfree(context);
3352out_nofree:
3353 return error;
1da177e4
LT		 3354}
3355
3356static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3357 const void *value, size_t size, int flags)
1da177e4 3358{
2c97165b 3359 struct inode_security_struct *isec = inode_security_novalidate(inode);
53e0c2aa 3360 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1da177e4
LT		 3361 u32 newsid;
3362 int rc;
3363
3364 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3365 return -EOPNOTSUPP;
3366
53e0c2aa
OM		 3367 if (!(sbsec->flags & SBLABEL_MNT))
3368 return -EOPNOTSUPP;
3369
1da177e4
LT		 3370 if (!value || !size)
3371 return -EACCES;
3372
aa8e712c
SS		 3373 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3374 GFP_KERNEL);
1da177e4
LT		 3375 if (rc)
3376 return rc;
3377
9287aed2 3378 spin_lock(&isec->lock);
aa9c2669 3379 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3380 isec->sid = newsid;
6f3be9f5 3381 isec->initialized = LABEL_INITIALIZED;
9287aed2 3382 spin_unlock(&isec->lock);
1da177e4
LT		 3383 return 0;
3384}
3385
3386static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3387{
3388 const int len = sizeof(XATTR_NAME_SELINUX);
3389 if (buffer && len <= buffer_size)
3390 memcpy(buffer, XATTR_NAME_SELINUX, len);
3391 return len;
3392}
3393
d6335d77 3394static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3395{
e817c2f3 3396 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3397 *secid = isec->sid;
3398}
3399
56909eb3
VG		 3400static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3401{
3402 u32 sid;
3403 struct task_security_struct *tsec;
3404 struct cred *new_creds = *new;
3405
3406 if (new_creds == NULL) {
3407 new_creds = prepare_creds();
3408 if (!new_creds)
3409 return -ENOMEM;
3410 }
3411
0c6cfa62 3412 tsec = selinux_cred(new_creds);
56909eb3
VG		 3413 /* Get label from overlay inode and set it in create_sid */
3414 selinux_inode_getsecid(d_inode(src), &sid);
3415 tsec->create_sid = sid;
3416 *new = new_creds;
3417 return 0;
3418}
3419
19472b69
VG		 3420static int selinux_inode_copy_up_xattr(const char *name)
3421{
3422 /* The copy_up hook above sets the initial context on an inode, but we
3423 * don't then want to overwrite it by blindly copying all the lower
3424 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3425 */
3426 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3427 return 1; /* Discard */
3428 /*
3429 * Any other attribute apart from SELINUX is not claimed, supported
3430 * by selinux.
3431 */
3432 return -EOPNOTSUPP;
3433}
3434
ec882da5
OM		 3435/* kernfs node operations */
3436
c72c4cde
Y		 3437static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3438 struct kernfs_node *kn)
ec882da5 3439{
169ce0c0 3440 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3441 u32 parent_sid, newsid, clen;
3442 int rc;
3443 char *context;
3444
1537ad15 3445 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3446 if (rc == -ENODATA)
3447 return 0;
3448 else if (rc < 0)
3449 return rc;
3450
3451 clen = (u32)rc;
3452 context = kmalloc(clen, GFP_KERNEL);
3453 if (!context)
3454 return -ENOMEM;
3455
1537ad15 3456 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3457 if (rc < 0) {
3458 kfree(context);
3459 return rc;
3460 }
3461
3462 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3463 GFP_KERNEL);
3464 kfree(context);
3465 if (rc)
3466 return rc;
3467
3468 if (tsec->create_sid) {
3469 newsid = tsec->create_sid;
3470 } else {
3471 u16 secclass = inode_mode_to_security_class(kn->mode);
3472 struct qstr q;
3473
3474 q.name = kn->name;
3475 q.hash_len = hashlen_string(kn_dir, kn->name);
3476
3477 rc = security_transition_sid(&selinux_state, tsec->sid,
3478 parent_sid, secclass, &q,
3479 &newsid);
3480 if (rc)
3481 return rc;
3482 }
3483
3484 rc = security_sid_to_context_force(&selinux_state, newsid,
3485 &context, &clen);
3486 if (rc)
3487 return rc;
3488
1537ad15
OM		 3489 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3490 XATTR_CREATE);
ec882da5
OM		 3491 kfree(context);
3492 return rc;
3493}
3494
3495
1da177e4
LT		 3496/* file security operations */
3497
788e7dd4 3498static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3499{
88e67f3b 3500 const struct cred *cred = current_cred();
496ad9aa 3501 struct inode *inode = file_inode(file);
1da177e4 3502
1da177e4
LT		 3503 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3504 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3505 mask |= MAY_APPEND;
3506
389fb800
PM		 3507 return file_has_perm(cred, file,
3508 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3509}
3510
788e7dd4
YN		 3511static int selinux_file_permission(struct file *file, int mask)
3512{
496ad9aa 3513 struct inode *inode = file_inode(file);
bb6c6b02 3514 struct file_security_struct *fsec = selinux_file(file);
b197367e 3515 struct inode_security_struct *isec;
20dda18b
SS		 3516 u32 sid = current_sid();
3517
389fb800 3518 if (!mask)
788e7dd4
YN		 3519 /* No permission to check. Existence test. */
3520 return 0;
788e7dd4 3521
b197367e 3522 isec = inode_security(inode);
20dda18b 3523 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3524 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3525 /* No change since file_open check. */
20dda18b
SS		 3526 return 0;
3527
788e7dd4
YN		 3528 return selinux_revalidate_file_permission(file, mask);
3529}
3530
1da177e4
LT		 3531static int selinux_file_alloc_security(struct file *file)
3532{
cb89e246
PM		 3533 struct file_security_struct *fsec = selinux_file(file);
3534 u32 sid = current_sid();
3535
3536 fsec->sid = sid;
3537 fsec->fown_sid = sid;
3538
3539 return 0;
1da177e4
LT		 3540}
3541
fa1aa143
JVS		 3542/*
3543 * Check whether a task has the ioctl permission and cmd
3544 * operation to an inode.
3545 */
1d2a168a 3546static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3547 u32 requested, u16 cmd)
3548{
3549 struct common_audit_data ad;
bb6c6b02 3550 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3551 struct inode *inode = file_inode(file);
20cdef8d 3552 struct inode_security_struct *isec;
fa1aa143
JVS		 3553 struct lsm_ioctlop_audit ioctl;
3554 u32 ssid = cred_sid(cred);
3555 int rc;
3556 u8 driver = cmd >> 8;
3557 u8 xperm = cmd & 0xff;
3558
3559 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3560 ad.u.op = &ioctl;
3561 ad.u.op->cmd = cmd;
3562 ad.u.op->path = file->f_path;
3563
3564 if (ssid != fsec->sid) {
6b6bc620
SS		 3565 rc = avc_has_perm(&selinux_state,
3566 ssid, fsec->sid,
fa1aa143
JVS		 3567 SECCLASS_FD,
3568 FD__USE,
3569 &ad);
3570 if (rc)
3571 goto out;
3572 }
3573
3574 if (unlikely(IS_PRIVATE(inode)))
3575 return 0;
3576
20cdef8d 3577 isec = inode_security(inode);
6b6bc620
SS		 3578 rc = avc_has_extended_perms(&selinux_state,
3579 ssid, isec->sid, isec->sclass,
3580 requested, driver, xperm, &ad);
fa1aa143
JVS		 3581out:
3582 return rc;
3583}
3584
1da177e4
LT		 3585static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3586 unsigned long arg)
3587{
88e67f3b 3588 const struct cred *cred = current_cred();
0b24dcb7 3589 int error = 0;
1da177e4 3590
0b24dcb7
EP		 3591 switch (cmd) {
3592 case FIONREAD:
3593 /* fall through */
3594 case FIBMAP:
3595 /* fall through */
3596 case FIGETBSZ:
3597 /* fall through */
2f99c369 3598 case FS_IOC_GETFLAGS:
0b24dcb7 3599 /* fall through */
2f99c369 3600 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3601 error = file_has_perm(cred, file, FILE__GETATTR);
3602 break;
1da177e4 3603
2f99c369 3604 case FS_IOC_SETFLAGS:
0b24dcb7 3605 /* fall through */
2f99c369 3606 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3607 error = file_has_perm(cred, file, FILE__SETATTR);
3608 break;
3609
3610 /* sys_ioctl() checks */
3611 case FIONBIO:
3612 /* fall through */
3613 case FIOASYNC:
3614 error = file_has_perm(cred, file, 0);
3615 break;
1da177e4 3616
0b24dcb7
EP		 3617 case KDSKBENT:
3618 case KDSKBSENT:
6a9de491 3619 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3620 CAP_OPT_NONE, true);
0b24dcb7
EP		 3621 break;
3622
3623 /* default case assumes that the command will go
3624 * to the file's ioctl() function.
3625 */
3626 default:
fa1aa143 3627 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3628 }
3629 return error;
1da177e4
LT		 3630}
3631
b78b7d59 3632static int default_noexec __ro_after_init;
fcaaade1 3633
1da177e4
LT		 3634static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3635{
88e67f3b 3636 const struct cred *cred = current_cred();
be0554c9 3637 u32 sid = cred_sid(cred);
d84f4f99 3638 int rc = 0;
88e67f3b 3639
fcaaade1 3640 if (default_noexec &&
892e8cac
SS		 3641 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3642 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3643 /*
3644 * We are making executable an anonymous mapping or a
3645 * private file mapping that will also be writable.
3646 * This has an additional check.
3647 */
6b6bc620
SS		 3648 rc = avc_has_perm(&selinux_state,
3649 sid, sid, SECCLASS_PROCESS,
be0554c9 3650 PROCESS__EXECMEM, NULL);
1da177e4 3651 if (rc)
d84f4f99 3652 goto error;
1da177e4 3653 }
1da177e4
LT		 3654
3655 if (file) {
3656 /* read access is always possible with a mapping */
3657 u32 av = FILE__READ;
3658
3659 /* write access only matters if the mapping is shared */
3660 if (shared && (prot & PROT_WRITE))
3661 av |= FILE__WRITE;
3662
3663 if (prot & PROT_EXEC)
3664 av |= FILE__EXECUTE;
3665
88e67f3b 3666 return file_has_perm(cred, file, av);
1da177e4 3667 }
d84f4f99
DH		 3668
3669error:
3670 return rc;
1da177e4
LT		 3671}
3672
e5467859 3673static int selinux_mmap_addr(unsigned long addr)
1da177e4 3674{
b1d9e6b0 3675 int rc = 0;
1da177e4 3676
a2551df7 3677 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3678 u32 sid = current_sid();
6b6bc620
SS		 3679 rc = avc_has_perm(&selinux_state,
3680 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3681 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3682 }
3683
98883bfd 3684 return rc;
e5467859 3685}
1da177e4 3686
e5467859
AV		 3687static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3688 unsigned long prot, unsigned long flags)
3689{
3ba4bf5f
SS		 3690 struct common_audit_data ad;
3691 int rc;
3692
3693 if (file) {
3694 ad.type = LSM_AUDIT_DATA_FILE;
3695 ad.u.file = file;
3696 rc = inode_has_perm(current_cred(), file_inode(file),
3697 FILE__MAP, &ad);
3698 if (rc)
3699 return rc;
3700 }
3701
aa8e712c 3702 if (selinux_state.checkreqprot)
1da177e4
LT		 3703 prot = reqprot;
3704
3705 return file_map_prot_check(file, prot,
3706 (flags & MAP_TYPE) == MAP_SHARED);
3707}
3708
3709static int selinux_file_mprotect(struct vm_area_struct *vma,
3710 unsigned long reqprot,
3711 unsigned long prot)
3712{
88e67f3b 3713 const struct cred *cred = current_cred();
be0554c9 3714 u32 sid = cred_sid(cred);
1da177e4 3715
aa8e712c 3716 if (selinux_state.checkreqprot)
1da177e4
LT		 3717 prot = reqprot;
3718
fcaaade1
SS		 3719 if (default_noexec &&
3720 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3721 int rc = 0;
db4c9641
SS		 3722 if (vma->vm_start >= vma->vm_mm->start_brk &&
3723 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3724 rc = avc_has_perm(&selinux_state,
3725 sid, sid, SECCLASS_PROCESS,
be0554c9 3726 PROCESS__EXECHEAP, NULL);
db4c9641 3727 } else if (!vma->vm_file &&
c2316dbf
SS		 3728 ((vma->vm_start <= vma->vm_mm->start_stack &&
3729 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3730 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3731 rc = avc_has_perm(&selinux_state,
3732 sid, sid, SECCLASS_PROCESS,
be0554c9 3733 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3734 } else if (vma->vm_file && vma->anon_vma) {
3735 /*
3736 * We are making executable a file mapping that has
3737 * had some COW done. Since pages might have been
3738 * written, check ability to execute the possibly
3739 * modified content. This typically should only
3740 * occur for text relocations.
3741 */
d84f4f99 3742 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3743 }