projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
1da177e4
LT		 70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
1da177e4 78#include <linux/audit.h>
6931dfc9 79#include <linux/string.h>
877ce7c1 80#include <linux/selinux.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
ec27c356 88#include <linux/bpf.h>
1da177e4
LT		 89
90#include "avc.h"
91#include "objsec.h"
92#include "netif.h"
224dfbd8 93#include "netnode.h"
3e112172 94#include "netport.h"
409dcf31 95#include "ibpkey.h"
d28d1e08 96#include "xfrm.h"
c60475bf 97#include "netlabel.h"
9d57a7f9 98#include "audit.h"
7b98a585 99#include "avc_ss.h"
1da177e4 100
d621d35e 101/* SECMARK reference count */
56a4ca99 102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 103
1da177e4 104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 105int selinux_enforcing;
1da177e4
LT		 106
107static int __init enforcing_setup(char *str)
108{
f5269710 109 unsigned long enforcing;
29707b20 110 if (!kstrtoul(str, 0, &enforcing))
f5269710 111 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 112 return 1;
113}
114__setup("enforcing=", enforcing_setup);
115#endif
116
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120static int __init selinux_enabled_setup(char *str)
121{
f5269710 122 unsigned long enabled;
29707b20 123 if (!kstrtoul(str, 0, &enabled))
f5269710 124 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 125 return 1;
126}
127__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 128#else
129int selinux_enabled = 1;
1da177e4
LT		 130#endif
131
e18b890b 132static struct kmem_cache *sel_inode_cache;
63205654 133static struct kmem_cache *file_security_cache;
7cae7e26 134
d621d35e
PM		 135/**
136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
137 *
138 * Description:
139 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 142 * enabled, false (0) if SECMARK is disabled. If the always_check_network
143 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 144 *
145 */
146static int selinux_secmark_enabled(void)
147{
2be4d74f
CP		 148 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
149}
150
151/**
152 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
153 *
154 * Description:
155 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
156 * (1) if any are enabled or false (0) if neither are enabled. If the
157 * always_check_network policy capability is enabled, peer labeling
158 * is always considered enabled.
159 *
160 */
161static int selinux_peerlbl_enabled(void)
162{
163 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 164}
165
615e51fd
PM		 166static int selinux_netcache_avc_callback(u32 event)
167{
168 if (event == AVC_CALLBACK_RESET) {
169 sel_netif_flush();
170 sel_netnode_flush();
171 sel_netport_flush();
172 synchronize_net();
173 }
174 return 0;
175}
176
8f408ab6
DJ		 177static int selinux_lsm_notifier_avc_callback(u32 event)
178{
409dcf31
DJ		 179 if (event == AVC_CALLBACK_RESET) {
180 sel_ib_pkey_flush();
8f408ab6 181 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 182 }
8f408ab6
DJ		 183
184 return 0;
185}
186
d84f4f99
DH		 187/*
188 * initialise the security for the init task
189 */
190static void cred_init_security(void)
1da177e4 191{
3b11a1de 192 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 193 struct task_security_struct *tsec;
194
89d155ef 195 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 196 if (!tsec)
d84f4f99 197 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 198
d84f4f99 199 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 200 cred->security = tsec;
1da177e4
LT		 201}
202
88e67f3b
DH		 203/*
204 * get the security ID of a set of credentials
205 */
206static inline u32 cred_sid(const struct cred *cred)
207{
208 const struct task_security_struct *tsec;
209
210 tsec = cred->security;
211 return tsec->sid;
212}
213
275bb41e 214/*
3b11a1de 215 * get the objective security ID of a task
275bb41e
DH		 216 */
217static inline u32 task_sid(const struct task_struct *task)
218{
275bb41e
DH		 219 u32 sid;
220
221 rcu_read_lock();
88e67f3b 222 sid = cred_sid(__task_cred(task));
275bb41e
DH		 223 rcu_read_unlock();
224 return sid;
225}
226
88e67f3b
DH		 227/* Allocate and free functions for each kind of security blob. */
228
1da177e4
LT		 229static int inode_alloc_security(struct inode *inode)
230{
1da177e4 231 struct inode_security_struct *isec;
275bb41e 232 u32 sid = current_sid();
1da177e4 233
a02fe132 234 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 235 if (!isec)
236 return -ENOMEM;
237
9287aed2 238 spin_lock_init(&isec->lock);
1da177e4 239 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 240 isec->inode = inode;
241 isec->sid = SECINITSID_UNLABELED;
242 isec->sclass = SECCLASS_FILE;
275bb41e 243 isec->task_sid = sid;
42059112 244 isec->initialized = LABEL_INVALID;
1da177e4
LT		 245 inode->i_security = isec;
246
247 return 0;
248}
249
5d226df4
AG		 250static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
251
252/*
253 * Try reloading inode security labels that have been marked as invalid. The
254 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 255 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 256 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
257 * when no dentry is available, set it to NULL instead.
258 */
259static int __inode_security_revalidate(struct inode *inode,
260 struct dentry *opt_dentry,
261 bool may_sleep)
262{
263 struct inode_security_struct *isec = inode->i_security;
264
265 might_sleep_if(may_sleep);
266
1ac42476 267 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 268 if (!may_sleep)
269 return -ECHILD;
270
271 /*
272 * Try reloading the inode security label. This will fail if
273 * @opt_dentry is NULL and no dentry for this inode can be
274 * found; in that case, continue using the old label.
275 */
276 inode_doinit_with_dentry(inode, opt_dentry);
277 }
278 return 0;
279}
280
5d226df4
AG		 281static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282{
283 return inode->i_security;
284}
285
286static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
287{
288 int error;
289
290 error = __inode_security_revalidate(inode, NULL, !rcu);
291 if (error)
292 return ERR_PTR(error);
293 return inode->i_security;
294}
295
83da53c5
AG		 296/*
297 * Get the security label of an inode.
298 */
299static struct inode_security_struct *inode_security(struct inode *inode)
300{
5d226df4 301 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 302 return inode->i_security;
303}
304
2c97165b
PM		 305static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306{
307 struct inode *inode = d_backing_inode(dentry);
308
309 return inode->i_security;
310}
311
83da53c5
AG		 312/*
313 * Get the security label of a dentry's backing inode.
314 */
315static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316{
317 struct inode *inode = d_backing_inode(dentry);
318
5d226df4 319 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 320 return inode->i_security;
321}
322
3dc91d43
SR		 323static void inode_free_rcu(struct rcu_head *head)
324{
325 struct inode_security_struct *isec;
326
327 isec = container_of(head, struct inode_security_struct, rcu);
328 kmem_cache_free(sel_inode_cache, isec);
329}
330
1da177e4
LT		 331static void inode_free_security(struct inode *inode)
332{
333 struct inode_security_struct *isec = inode->i_security;
334 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
335
9629d04a
WL		 336 /*
337 * As not all inode security structures are in a list, we check for
338 * empty list outside of the lock to make sure that we won't waste
339 * time taking a lock doing nothing.
340 *
341 * The list_del_init() function can be safely called more than once.
342 * It should not be possible for this function to be called with
343 * concurrent list_add(), but for better safety against future changes
344 * in the code, we use list_empty_careful() here.
345 */
346 if (!list_empty_careful(&isec->list)) {
347 spin_lock(&sbsec->isec_lock);
1da177e4 348 list_del_init(&isec->list);
9629d04a
WL		 349 spin_unlock(&sbsec->isec_lock);
350 }
1da177e4 351
3dc91d43
SR		 352 /*
353 * The inode may still be referenced in a path walk and
354 * a call to selinux_inode_permission() can be made
355 * after inode_free_security() is called. Ideally, the VFS
356 * wouldn't do this, but fixing that is a much harder
357 * job. For now, simply free the i_security via RCU, and
358 * leave the current inode->i_security pointer intact.
359 * The inode will be freed after the RCU grace period too.
360 */
361 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 362}
363
364static int file_alloc_security(struct file *file)
365{
1da177e4 366 struct file_security_struct *fsec;
275bb41e 367 u32 sid = current_sid();
1da177e4 368
63205654 369 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 370 if (!fsec)
371 return -ENOMEM;
372
275bb41e
DH		 373 fsec->sid = sid;
374 fsec->fown_sid = sid;
1da177e4
LT		 375 file->f_security = fsec;
376
377 return 0;
378}
379
380static void file_free_security(struct file *file)
381{
382 struct file_security_struct *fsec = file->f_security;
1da177e4 383 file->f_security = NULL;
63205654 384 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 385}
386
387static int superblock_alloc_security(struct super_block *sb)
388{
389 struct superblock_security_struct *sbsec;
390
89d155ef 391 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 392 if (!sbsec)
393 return -ENOMEM;
394
bc7e982b 395 mutex_init(&sbsec->lock);
1da177e4
LT		 396 INIT_LIST_HEAD(&sbsec->isec_head);
397 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 398 sbsec->sb = sb;
399 sbsec->sid = SECINITSID_UNLABELED;
400 sbsec->def_sid = SECINITSID_FILE;
c312feb2 401 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 402 sb->s_security = sbsec;
403
404 return 0;
405}
406
407static void superblock_free_security(struct super_block *sb)
408{
409 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 410 sb->s_security = NULL;
411 kfree(sbsec);
412}
413
1da177e4
LT		 414static inline int inode_doinit(struct inode *inode)
415{
416 return inode_doinit_with_dentry(inode, NULL);
417}
418
419enum {
31e87930 420 Opt_error = -1,
1da177e4
LT		 421 Opt_context = 1,
422 Opt_fscontext = 2,
c9180a57
EP		 423 Opt_defcontext = 3,
424 Opt_rootcontext = 4,
11689d47 425 Opt_labelsupport = 5,
d355987f 426 Opt_nextmntopt = 6,
1da177e4
LT		 427};
428
d355987f
EP		 429#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
430
a447c093 431static const match_table_t tokens = {
832cbd9a
EP		 432 {Opt_context, CONTEXT_STR "%s"},
433 {Opt_fscontext, FSCONTEXT_STR "%s"},
434 {Opt_defcontext, DEFCONTEXT_STR "%s"},
435 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 436 {Opt_labelsupport, LABELSUPP_STR},
31e87930 437 {Opt_error, NULL},
1da177e4
LT		 438};
439
440#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
441
c312feb2
EP		 442static int may_context_mount_sb_relabel(u32 sid,
443 struct superblock_security_struct *sbsec,
275bb41e 444 const struct cred *cred)
c312feb2 445{
275bb41e 446 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 447 int rc;
448
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
451 if (rc)
452 return rc;
453
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL);
456 return rc;
457}
458
0808925e
EP		 459static int may_context_mount_inode_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
275bb41e 461 const struct cred *cred)
0808925e 462{
275bb41e 463 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 464 int rc;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL);
467 if (rc)
468 return rc;
469
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL);
472 return rc;
473}
474
b43e725d
EP		 475static int selinux_is_sblabel_mnt(struct super_block *sb)
476{
477 struct superblock_security_struct *sbsec = sb->s_security;
478
d5f3a5f6
MS		 479 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480 sbsec->behavior == SECURITY_FS_USE_TRANS ||
481 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 482 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 483 /* Special handling. Genfs but also in-core setxattr handler */
484 !strcmp(sb->s_type->name, "sysfs") ||
485 !strcmp(sb->s_type->name, "pstore") ||
486 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 487 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 488 !strcmp(sb->s_type->name, "rootfs") ||
489 (selinux_policycap_cgroupseclabel &&
490 (!strcmp(sb->s_type->name, "cgroup") ||
491 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 492}
493
c9180a57 494static int sb_finish_set_opts(struct super_block *sb)
1da177e4 495{
1da177e4 496 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 497 struct dentry *root = sb->s_root;
c6f493d6 498 struct inode *root_inode = d_backing_inode(root);
c9180a57 499 int rc = 0;
1da177e4 500
c9180a57
EP		 501 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
502 /* Make sure that the xattr handler exists and that no
503 error other than -ENODATA is returned by getxattr on
504 the root directory. -ENODATA is ok, as this may be
505 the first boot of the SELinux kernel before we have
506 assigned xattr values to the filesystem. */
5d6c3191 507 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 508 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
509 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 510 rc = -EOPNOTSUPP;
511 goto out;
512 }
5d6c3191
AG		 513
514 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 515 if (rc < 0 && rc != -ENODATA) {
516 if (rc == -EOPNOTSUPP)
517 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 518 "%s) has no security xattr handler\n",
519 sb->s_id, sb->s_type->name);
c9180a57
EP		 520 else
521 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 522 "%s) getxattr errno %d\n", sb->s_id,
523 sb->s_type->name, -rc);
c9180a57
EP		 524 goto out;
525 }
526 }
1da177e4 527
eadcabc6 528 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 529
530 /*
531 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
532 * leave the flag untouched because sb_clone_mnt_opts might be handing
533 * us a superblock that needs the flag to be cleared.
534 */
b43e725d 535 if (selinux_is_sblabel_mnt(sb))
12f348b9 536 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 537 else
538 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 539
c9180a57
EP		 540 /* Initialize the root inode. */
541 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 542
c9180a57
EP		 543 /* Initialize any other inodes associated with the superblock, e.g.
544 inodes created prior to initial policy load or inodes created
545 during get_sb by a pseudo filesystem that directly
546 populates itself. */
547 spin_lock(&sbsec->isec_lock);
548next_inode:
549 if (!list_empty(&sbsec->isec_head)) {
550 struct inode_security_struct *isec =
551 list_entry(sbsec->isec_head.next,
552 struct inode_security_struct, list);
553 struct inode *inode = isec->inode;
923190d3 554 list_del_init(&isec->list);
c9180a57
EP		 555 spin_unlock(&sbsec->isec_lock);
556 inode = igrab(inode);
557 if (inode) {
558 if (!IS_PRIVATE(inode))
559 inode_doinit(inode);
560 iput(inode);
561 }
562 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 563 goto next_inode;
564 }
565 spin_unlock(&sbsec->isec_lock);
566out:
567 return rc;
568}
1da177e4 569
c9180a57
EP		 570/*
571 * This function should allow an FS to ask what it's mount security
572 * options were so it can use those later for submounts, displaying
573 * mount options, or whatever.
574 */
575static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 576 struct security_mnt_opts *opts)
c9180a57
EP		 577{
578 int rc = 0, i;
579 struct superblock_security_struct *sbsec = sb->s_security;
580 char *context = NULL;
581 u32 len;
582 char tmp;
1da177e4 583
e0007529 584 security_init_mnt_opts(opts);
1da177e4 585
0d90a7ec 586 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 587 return -EINVAL;
1da177e4 588
c9180a57
EP		 589 if (!ss_initialized)
590 return -EINVAL;
1da177e4 591
af8e50cc
EP		 592 /* make sure we always check enough bits to cover the mask */
593 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594
0d90a7ec 595 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 596 /* count the number of mount options for this sb */
af8e50cc 597 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 598 if (tmp & 0x01)
e0007529 599 opts->num_mnt_opts++;
c9180a57
EP		 600 tmp >>= 1;
601 }
11689d47 602 /* Check if the Label support flag is set */
0b4bdb35 603 if (sbsec->flags & SBLABEL_MNT)
11689d47 604 opts->num_mnt_opts++;
1da177e4 605
e0007529
EP		 606 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
607 if (!opts->mnt_opts) {
c9180a57
EP		 608 rc = -ENOMEM;
609 goto out_free;
610 }
1da177e4 611
e0007529
EP		 612 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
613 if (!opts->mnt_opts_flags) {
c9180a57
EP		 614 rc = -ENOMEM;
615 goto out_free;
616 }
1da177e4 617
c9180a57
EP		 618 i = 0;
619 if (sbsec->flags & FSCONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->sid, &context, &len);
621 if (rc)
622 goto out_free;
e0007529
EP		 623 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 625 }
626 if (sbsec->flags & CONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
628 if (rc)
629 goto out_free;
e0007529
EP		 630 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 632 }
633 if (sbsec->flags & DEFCONTEXT_MNT) {
634 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
635 if (rc)
636 goto out_free;
e0007529
EP		 637 opts->mnt_opts[i] = context;
638 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 639 }
640 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 641 struct dentry *root = sbsec->sb->s_root;
642 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 643
c9180a57
EP		 644 rc = security_sid_to_context(isec->sid, &context, &len);
645 if (rc)
646 goto out_free;
e0007529
EP		 647 opts->mnt_opts[i] = context;
648 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 649 }
12f348b9 650 if (sbsec->flags & SBLABEL_MNT) {
11689d47 651 opts->mnt_opts[i] = NULL;
12f348b9 652 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 653 }
1da177e4 654
e0007529 655 BUG_ON(i != opts->num_mnt_opts);
1da177e4 656
c9180a57
EP		 657 return 0;
658
659out_free:
e0007529 660 security_free_mnt_opts(opts);
c9180a57
EP		 661 return rc;
662}
1da177e4 663
c9180a57
EP		 664static int bad_option(struct superblock_security_struct *sbsec, char flag,
665 u32 old_sid, u32 new_sid)
666{
0d90a7ec
DQ		 667 char mnt_flags = sbsec->flags & SE_MNTMASK;
668
c9180a57 669 /* check if the old mount command had the same options */
0d90a7ec 670 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 671 if (!(sbsec->flags & flag) ||
672 (old_sid != new_sid))
673 return 1;
674
675 /* check if we were passed the same options twice,
676 * aka someone passed context=a,context=b
677 */
0d90a7ec
DQ		 678 if (!(sbsec->flags & SE_SBINITIALIZED))
679 if (mnt_flags & flag)
c9180a57
EP		 680 return 1;
681 return 0;
682}
e0007529 683
c9180a57
EP		 684/*
685 * Allow filesystems with binary mount data to explicitly set mount point
686 * labeling information.
687 */
e0007529 688static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 689 struct security_mnt_opts *opts,
690 unsigned long kern_flags,
691 unsigned long *set_kern_flags)
c9180a57 692{
275bb41e 693 const struct cred *cred = current_cred();
c9180a57 694 int rc = 0, i;
c9180a57 695 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 696 const char *name = sb->s_type->name;
83da53c5 697 struct dentry *root = sbsec->sb->s_root;
2c97165b 698 struct inode_security_struct *root_isec;
c9180a57
EP		 699 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
700 u32 defcontext_sid = 0;
e0007529
EP		 701 char **mount_options = opts->mnt_opts;
702 int *flags = opts->mnt_opts_flags;
703 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 704
705 mutex_lock(&sbsec->lock);
706
707 if (!ss_initialized) {
708 if (!num_opts) {
709 /* Defer initialization until selinux_complete_init,
710 after the initial policy is loaded and the security
711 server is ready to handle calls. */
c9180a57
EP		 712 goto out;
713 }
714 rc = -EINVAL;
744ba35e
EP		 715 printk(KERN_WARNING "SELinux: Unable to set superblock options "
716 "before the security server is initialized\n");
1da177e4 717 goto out;
c9180a57 718 }
649f6e77
DQ		 719 if (kern_flags && !set_kern_flags) {
720 /* Specifying internal flags without providing a place to
721 * place the results is not allowed */
722 rc = -EINVAL;
723 goto out;
724 }
1da177e4 725
e0007529
EP		 726 /*
727 * Binary mount data FS will come through this function twice. Once
728 * from an explicit call and once from the generic calls from the vfs.
729 * Since the generic VFS calls will not contain any security mount data
730 * we need to skip the double mount verification.
731 *
732 * This does open a hole in which we will not notice if the first
733 * mount using this sb set explict options and a second mount using
734 * this sb does not set any security options. (The first options
735 * will be used for both mounts)
736 */
0d90a7ec 737 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 738 && (num_opts == 0))
f5269710 739 goto out;
e0007529 740
2c97165b
PM		 741 root_isec = backing_inode_security_novalidate(root);
742
c9180a57
EP		 743 /*
744 * parse the mount options, check if they are valid sids.
745 * also check if someone is trying to mount the same sb more
746 * than once with different security options.
747 */
748 for (i = 0; i < num_opts; i++) {
749 u32 sid;
11689d47 750
12f348b9 751 if (flags[i] == SBLABEL_MNT)
11689d47 752 continue;
44be2f65 753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 754 if (rc) {
44be2f65 755 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 756 "(%s) failed for (dev %s, type %s) errno=%d\n",
757 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 758 goto out;
759 }
760 switch (flags[i]) {
761 case FSCONTEXT_MNT:
762 fscontext_sid = sid;
763
764 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765 fscontext_sid))
766 goto out_double_mount;
767
768 sbsec->flags |= FSCONTEXT_MNT;
769 break;
770 case CONTEXT_MNT:
771 context_sid = sid;
772
773 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774 context_sid))
775 goto out_double_mount;
776
777 sbsec->flags |= CONTEXT_MNT;
778 break;
779 case ROOTCONTEXT_MNT:
780 rootcontext_sid = sid;
781
782 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783 rootcontext_sid))
784 goto out_double_mount;
785
786 sbsec->flags |= ROOTCONTEXT_MNT;
787
788 break;
789 case DEFCONTEXT_MNT:
790 defcontext_sid = sid;
791
792 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793 defcontext_sid))
794 goto out_double_mount;
795
796 sbsec->flags |= DEFCONTEXT_MNT;
797
798 break;
799 default:
800 rc = -EINVAL;
801 goto out;
1da177e4 802 }
c9180a57
EP		 803 }
804
0d90a7ec 805 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 806 /* previously mounted with options, but not on this attempt? */
0d90a7ec 807 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 808 goto out_double_mount;
809 rc = 0;
810 goto out;
811 }
812
089be43e 813 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 814 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815
8e014720 816 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 817 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 818 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 819 !strcmp(sb->s_type->name, "pstore") ||
820 !strcmp(sb->s_type->name, "cgroup") ||
821 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 822 sbsec->flags |= SE_SBGENFS;
c9180a57 823
eb9ae686
DQ		 824 if (!sbsec->behavior) {
825 /*
826 * Determine the labeling behavior to use for this
827 * filesystem type.
828 */
98f700f3 829 rc = security_fs_use(sb);
eb9ae686
DQ		 830 if (rc) {
831 printk(KERN_WARNING
832 "%s: security_fs_use(%s) returned %d\n",
833 __func__, sb->s_type->name, rc);
834 goto out;
835 }
c9180a57 836 }
aad82892
SF		 837
838 /*
01593d32
SS		 839 * If this is a user namespace mount and the filesystem type is not
840 * explicitly whitelisted, then no contexts are allowed on the command
841 * line and security labels must be ignored.
aad82892 842 */
01593d32
SS		 843 if (sb->s_user_ns != &init_user_ns &&
844 strcmp(sb->s_type->name, "tmpfs") &&
845 strcmp(sb->s_type->name, "ramfs") &&
846 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 847 if (context_sid || fscontext_sid || rootcontext_sid ||
848 defcontext_sid) {
849 rc = -EACCES;
850 goto out;
851 }
852 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854 rc = security_transition_sid(current_sid(), current_sid(),
855 SECCLASS_FILE, NULL,
856 &sbsec->mntpoint_sid);
857 if (rc)
858 goto out;
859 }
860 goto out_set_opts;
861 }
862
c9180a57
EP		 863 /* sets the context of the superblock for the fs being mounted. */
864 if (fscontext_sid) {
275bb41e 865 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 866 if (rc)
c9180a57 867 goto out;
1da177e4 868
c9180a57 869 sbsec->sid = fscontext_sid;
c312feb2
EP		 870 }
871
872 /*
873 * Switch to using mount point labeling behavior.
874 * sets the label used on all file below the mountpoint, and will set
875 * the superblock context if not already set.
876 */
eb9ae686
DQ		 877 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
878 sbsec->behavior = SECURITY_FS_USE_NATIVE;
879 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
880 }
881
c9180a57
EP		 882 if (context_sid) {
883 if (!fscontext_sid) {
275bb41e
DH		 884 rc = may_context_mount_sb_relabel(context_sid, sbsec,
885 cred);
b04ea3ce 886 if (rc)
c9180a57
EP		 887 goto out;
888 sbsec->sid = context_sid;
b04ea3ce 889 } else {
275bb41e
DH		 890 rc = may_context_mount_inode_relabel(context_sid, sbsec,
891 cred);
b04ea3ce 892 if (rc)
c9180a57 893 goto out;
b04ea3ce 894 }
c9180a57
EP		 895 if (!rootcontext_sid)
896 rootcontext_sid = context_sid;
1da177e4 897
c9180a57 898 sbsec->mntpoint_sid = context_sid;
c312feb2 899 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 900 }
901
c9180a57 902 if (rootcontext_sid) {
275bb41e
DH		 903 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
904 cred);
0808925e 905 if (rc)
c9180a57 906 goto out;
0808925e 907
c9180a57 908 root_isec->sid = rootcontext_sid;
6f3be9f5 909 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 910 }
911
c9180a57 912 if (defcontext_sid) {
eb9ae686
DQ		 913 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
914 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 915 rc = -EINVAL;
916 printk(KERN_WARNING "SELinux: defcontext option is "
917 "invalid for this filesystem type\n");
918 goto out;
1da177e4
LT		 919 }
920
c9180a57
EP		 921 if (defcontext_sid != sbsec->def_sid) {
922 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 923 sbsec, cred);
c9180a57
EP		 924 if (rc)
925 goto out;
926 }
1da177e4 927
c9180a57 928 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 929 }
930
aad82892 931out_set_opts:
c9180a57 932 rc = sb_finish_set_opts(sb);
1da177e4 933out:
c9180a57 934 mutex_unlock(&sbsec->lock);
1da177e4 935 return rc;
c9180a57
EP		 936out_double_mount:
937 rc = -EINVAL;
938 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 939 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 940 goto out;
1da177e4
LT		 941}
942
094f7b69
JL		 943static int selinux_cmp_sb_context(const struct super_block *oldsb,
944 const struct super_block *newsb)
945{
946 struct superblock_security_struct *old = oldsb->s_security;
947 struct superblock_security_struct *new = newsb->s_security;
948 char oldflags = old->flags & SE_MNTMASK;
949 char newflags = new->flags & SE_MNTMASK;
950
951 if (oldflags != newflags)
952 goto mismatch;
953 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
954 goto mismatch;
955 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
956 goto mismatch;
957 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
958 goto mismatch;
959 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 960 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
961 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 962 if (oldroot->sid != newroot->sid)
963 goto mismatch;
964 }
965 return 0;
966mismatch:
967 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
968 "different security settings for (dev %s, "
969 "type %s)\n", newsb->s_id, newsb->s_type->name);
970 return -EBUSY;
971}
972
973static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 974 struct super_block *newsb,
975 unsigned long kern_flags,
976 unsigned long *set_kern_flags)
1da177e4 977{
0b4d3452 978 int rc = 0;
c9180a57
EP		 979 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
980 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 981
c9180a57
EP		 982 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
983 int set_context = (oldsbsec->flags & CONTEXT_MNT);
984 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 985
0f5e6420
EP		 986 /*
987 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 988 * mount options. thus we can safely deal with this superblock later
0f5e6420 989 */
e8c26255 990 if (!ss_initialized)
094f7b69 991 return 0;
c9180a57 992
0b4d3452
SM		 993 /*
994 * Specifying internal flags without providing a place to
995 * place the results is not allowed.
996 */
997 if (kern_flags && !set_kern_flags)
998 return -EINVAL;
999
c9180a57 1000 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 1001 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 1002
094f7b69 1003 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 1004 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 1005 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 1006
c9180a57
EP		 1007 mutex_lock(&newsbsec->lock);
1008
1009 newsbsec->flags = oldsbsec->flags;
1010
1011 newsbsec->sid = oldsbsec->sid;
1012 newsbsec->def_sid = oldsbsec->def_sid;
1013 newsbsec->behavior = oldsbsec->behavior;
1014
0b4d3452
SM		 1015 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017 rc = security_fs_use(newsb);
1018 if (rc)
1019 goto out;
1020 }
1021
1022 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1023 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1024 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1025 }
1026
c9180a57
EP		 1027 if (set_context) {
1028 u32 sid = oldsbsec->mntpoint_sid;
1029
1030 if (!set_fscontext)
1031 newsbsec->sid = sid;
1032 if (!set_rootcontext) {
83da53c5 1033 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1034 newisec->sid = sid;
1035 }
1036 newsbsec->mntpoint_sid = sid;
1da177e4 1037 }
c9180a57 1038 if (set_rootcontext) {
83da53c5
AG		 1039 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1040 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1041
c9180a57 1042 newisec->sid = oldisec->sid;
1da177e4
LT		 1043 }
1044
c9180a57 1045 sb_finish_set_opts(newsb);
0b4d3452 1046out:
c9180a57 1047 mutex_unlock(&newsbsec->lock);
0b4d3452 1048 return rc;
c9180a57
EP		 1049}
1050
2e1479d9
AB		 1051static int selinux_parse_opts_str(char *options,
1052 struct security_mnt_opts *opts)
c9180a57 1053{
e0007529 1054 char *p;
c9180a57
EP		 1055 char *context = NULL, *defcontext = NULL;
1056 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1057 int rc, num_mnt_opts = 0;
1da177e4 1058
e0007529 1059 opts->num_mnt_opts = 0;
1da177e4 1060
c9180a57
EP		 1061 /* Standard string-based options. */
1062 while ((p = strsep(&options, "|")) != NULL) {
1063 int token;
1064 substring_t args[MAX_OPT_ARGS];
1da177e4 1065
c9180a57
EP		 1066 if (!*p)
1067 continue;
1da177e4 1068
c9180a57 1069 token = match_token(p, tokens, args);
1da177e4 1070
c9180a57
EP		 1071 switch (token) {
1072 case Opt_context:
1073 if (context || defcontext) {
1074 rc = -EINVAL;
1075 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1076 goto out_err;
1077 }
1078 context = match_strdup(&args[0]);
1079 if (!context) {
1080 rc = -ENOMEM;
1081 goto out_err;
1082 }
1083 break;
1084
1085 case Opt_fscontext:
1086 if (fscontext) {
1087 rc = -EINVAL;
1088 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1089 goto out_err;
1090 }
1091 fscontext = match_strdup(&args[0]);
1092 if (!fscontext) {
1093 rc = -ENOMEM;
1094 goto out_err;
1095 }
1096 break;
1097
1098 case Opt_rootcontext:
1099 if (rootcontext) {
1100 rc = -EINVAL;
1101 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1102 goto out_err;
1103 }
1104 rootcontext = match_strdup(&args[0]);
1105 if (!rootcontext) {
1106 rc = -ENOMEM;
1107 goto out_err;
1108 }
1109 break;
1110
1111 case Opt_defcontext:
1112 if (context || defcontext) {
1113 rc = -EINVAL;
1114 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1115 goto out_err;
1116 }
1117 defcontext = match_strdup(&args[0]);
1118 if (!defcontext) {
1119 rc = -ENOMEM;
1120 goto out_err;
1121 }
1122 break;
11689d47
DQ		 1123 case Opt_labelsupport:
1124 break;
c9180a57
EP		 1125 default:
1126 rc = -EINVAL;
1127 printk(KERN_WARNING "SELinux: unknown mount option\n");
1128 goto out_err;
1da177e4 1129
1da177e4 1130 }
1da177e4 1131 }
c9180a57 1132
e0007529 1133 rc = -ENOMEM;
8931c3bd 1134 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1135 if (!opts->mnt_opts)
1136 goto out_err;
1137
8931c3bd
TH		 1138 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1139 GFP_KERNEL);
023f108d 1140 if (!opts->mnt_opts_flags)
e0007529 1141 goto out_err;
e0007529 1142
c9180a57 1143 if (fscontext) {
e0007529
EP		 1144 opts->mnt_opts[num_mnt_opts] = fscontext;
1145 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1146 }
1147 if (context) {
e0007529
EP		 1148 opts->mnt_opts[num_mnt_opts] = context;
1149 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1150 }
1151 if (rootcontext) {
e0007529
EP		 1152 opts->mnt_opts[num_mnt_opts] = rootcontext;
1153 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1154 }
1155 if (defcontext) {
e0007529
EP		 1156 opts->mnt_opts[num_mnt_opts] = defcontext;
1157 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1158 }
1159
e0007529
EP		 1160 opts->num_mnt_opts = num_mnt_opts;
1161 return 0;
1162
c9180a57 1163out_err:
023f108d 1164 security_free_mnt_opts(opts);
c9180a57
EP		 1165 kfree(context);
1166 kfree(defcontext);
1167 kfree(fscontext);
1168 kfree(rootcontext);
1da177e4
LT		 1169 return rc;
1170}
e0007529
EP		 1171/*
1172 * string mount options parsing and call set the sbsec
1173 */
1174static int superblock_doinit(struct super_block *sb, void *data)
1175{
1176 int rc = 0;
1177 char *options = data;
1178 struct security_mnt_opts opts;
1179
1180 security_init_mnt_opts(&opts);
1181
1182 if (!data)
1183 goto out;
1184
1185 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1186
1187 rc = selinux_parse_opts_str(options, &opts);
1188 if (rc)
1189 goto out_err;
1190
1191out:
649f6e77 1192 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1193
1194out_err:
1195 security_free_mnt_opts(&opts);
1196 return rc;
1197}
1da177e4 1198
3583a711
AB		 1199static void selinux_write_opts(struct seq_file *m,
1200 struct security_mnt_opts *opts)
2069f457
EP		 1201{
1202 int i;
1203 char *prefix;
1204
1205 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1206 char *has_comma;
1207
1208 if (opts->mnt_opts[i])
1209 has_comma = strchr(opts->mnt_opts[i], ',');
1210 else
1211 has_comma = NULL;
2069f457
EP		 1212
1213 switch (opts->mnt_opts_flags[i]) {
1214 case CONTEXT_MNT:
1215 prefix = CONTEXT_STR;
1216 break;
1217 case FSCONTEXT_MNT:
1218 prefix = FSCONTEXT_STR;
1219 break;
1220 case ROOTCONTEXT_MNT:
1221 prefix = ROOTCONTEXT_STR;
1222 break;
1223 case DEFCONTEXT_MNT:
1224 prefix = DEFCONTEXT_STR;
1225 break;
12f348b9 1226 case SBLABEL_MNT:
11689d47
DQ		 1227 seq_putc(m, ',');
1228 seq_puts(m, LABELSUPP_STR);
1229 continue;
2069f457
EP		 1230 default:
1231 BUG();
a35c6c83 1232 return;
2069f457
EP		 1233 };
1234 /* we need a comma before each option */
1235 seq_putc(m, ',');
1236 seq_puts(m, prefix);
1237 if (has_comma)
1238 seq_putc(m, '\"');
a068acf2 1239 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1240 if (has_comma)
1241 seq_putc(m, '\"');
1242 }
1243}
1244
1245static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1246{
1247 struct security_mnt_opts opts;
1248 int rc;
1249
1250 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1251 if (rc) {
1252 /* before policy load we may get EINVAL, don't show anything */
1253 if (rc == -EINVAL)
1254 rc = 0;
2069f457 1255 return rc;
383795c2 1256 }
2069f457
EP		 1257
1258 selinux_write_opts(m, &opts);
1259
1260 security_free_mnt_opts(&opts);
1261
1262 return rc;
1263}
1264
1da177e4
LT		 1265static inline u16 inode_mode_to_security_class(umode_t mode)
1266{
1267 switch (mode & S_IFMT) {
1268 case S_IFSOCK:
1269 return SECCLASS_SOCK_FILE;
1270 case S_IFLNK:
1271 return SECCLASS_LNK_FILE;
1272 case S_IFREG:
1273 return SECCLASS_FILE;
1274 case S_IFBLK:
1275 return SECCLASS_BLK_FILE;
1276 case S_IFDIR:
1277 return SECCLASS_DIR;
1278 case S_IFCHR:
1279 return SECCLASS_CHR_FILE;
1280 case S_IFIFO:
1281 return SECCLASS_FIFO_FILE;
1282
1283 }
1284
1285 return SECCLASS_FILE;
1286}
1287
13402580
JM		 1288static inline int default_protocol_stream(int protocol)
1289{
1290 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1291}
1292
1293static inline int default_protocol_dgram(int protocol)
1294{
1295 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1296}
1297
1da177e4
LT		 1298static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299{
da69a530
SS		 1300 int extsockclass = selinux_policycap_extsockclass;
1301
1da177e4
LT		 1302 switch (family) {
1303 case PF_UNIX:
1304 switch (type) {
1305 case SOCK_STREAM:
1306 case SOCK_SEQPACKET:
1307 return SECCLASS_UNIX_STREAM_SOCKET;
1308 case SOCK_DGRAM:
2a764b52 1309 case SOCK_RAW:
1da177e4
LT		 1310 return SECCLASS_UNIX_DGRAM_SOCKET;
1311 }
1312 break;
1313 case PF_INET:
1314 case PF_INET6:
1315 switch (type) {
1316 case SOCK_STREAM:
da69a530 1317 case SOCK_SEQPACKET:
13402580
JM		 1318 if (default_protocol_stream(protocol))
1319 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1320 else if (extsockclass && protocol == IPPROTO_SCTP)
1321 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1322 else
1323 return SECCLASS_RAWIP_SOCKET;
1da177e4 1324 case SOCK_DGRAM:
13402580
JM		 1325 if (default_protocol_dgram(protocol))
1326 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1327 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1328 protocol == IPPROTO_ICMPV6))
da69a530 1329 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1330 else
1331 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1332 case SOCK_DCCP:
1333 return SECCLASS_DCCP_SOCKET;
13402580 1334 default:
1da177e4
LT		 1335 return SECCLASS_RAWIP_SOCKET;
1336 }
1337 break;
1338 case PF_NETLINK:
1339 switch (protocol) {
1340 case NETLINK_ROUTE:
1341 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1342 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1343 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1344 case NETLINK_NFLOG:
1345 return SECCLASS_NETLINK_NFLOG_SOCKET;
1346 case NETLINK_XFRM:
1347 return SECCLASS_NETLINK_XFRM_SOCKET;
1348 case NETLINK_SELINUX:
1349 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1350 case NETLINK_ISCSI:
1351 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1352 case NETLINK_AUDIT:
1353 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1354 case NETLINK_FIB_LOOKUP:
1355 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1356 case NETLINK_CONNECTOR:
1357 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1358 case NETLINK_NETFILTER:
1359 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1360 case NETLINK_DNRTMSG:
1361 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1362 case NETLINK_KOBJECT_UEVENT:
1363 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1364 case NETLINK_GENERIC:
1365 return SECCLASS_NETLINK_GENERIC_SOCKET;
1366 case NETLINK_SCSITRANSPORT:
1367 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1368 case NETLINK_RDMA:
1369 return SECCLASS_NETLINK_RDMA_SOCKET;
1370 case NETLINK_CRYPTO:
1371 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1372 default:
1373 return SECCLASS_NETLINK_SOCKET;
1374 }
1375 case PF_PACKET:
1376 return SECCLASS_PACKET_SOCKET;
1377 case PF_KEY:
1378 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1379 case PF_APPLETALK:
1380 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1381 }
1382
da69a530
SS		 1383 if (extsockclass) {
1384 switch (family) {
1385 case PF_AX25:
1386 return SECCLASS_AX25_SOCKET;
1387 case PF_IPX:
1388 return SECCLASS_IPX_SOCKET;
1389 case PF_NETROM:
1390 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1391 case PF_ATMPVC:
1392 return SECCLASS_ATMPVC_SOCKET;
1393 case PF_X25:
1394 return SECCLASS_X25_SOCKET;
1395 case PF_ROSE:
1396 return SECCLASS_ROSE_SOCKET;
1397 case PF_DECnet:
1398 return SECCLASS_DECNET_SOCKET;
1399 case PF_ATMSVC:
1400 return SECCLASS_ATMSVC_SOCKET;
1401 case PF_RDS:
1402 return SECCLASS_RDS_SOCKET;
1403 case PF_IRDA:
1404 return SECCLASS_IRDA_SOCKET;
1405 case PF_PPPOX:
1406 return SECCLASS_PPPOX_SOCKET;
1407 case PF_LLC:
1408 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1409 case PF_CAN:
1410 return SECCLASS_CAN_SOCKET;
1411 case PF_TIPC:
1412 return SECCLASS_TIPC_SOCKET;
1413 case PF_BLUETOOTH:
1414 return SECCLASS_BLUETOOTH_SOCKET;
1415 case PF_IUCV:
1416 return SECCLASS_IUCV_SOCKET;
1417 case PF_RXRPC:
1418 return SECCLASS_RXRPC_SOCKET;
1419 case PF_ISDN:
1420 return SECCLASS_ISDN_SOCKET;
1421 case PF_PHONET:
1422 return SECCLASS_PHONET_SOCKET;
1423 case PF_IEEE802154:
1424 return SECCLASS_IEEE802154_SOCKET;
1425 case PF_CAIF:
1426 return SECCLASS_CAIF_SOCKET;
1427 case PF_ALG:
1428 return SECCLASS_ALG_SOCKET;
1429 case PF_NFC:
1430 return SECCLASS_NFC_SOCKET;
1431 case PF_VSOCK:
1432 return SECCLASS_VSOCK_SOCKET;
1433 case PF_KCM:
1434 return SECCLASS_KCM_SOCKET;
1435 case PF_QIPCRTR:
1436 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1437 case PF_SMC:
1438 return SECCLASS_SMC_SOCKET;
1439#if PF_MAX > 44
da69a530
SS		 1440#error New address family defined, please update this function.
1441#endif
1442 }
1443 }
1444
1da177e4
LT		 1445 return SECCLASS_SOCKET;
1446}
1447
134509d5
SS		 1448static int selinux_genfs_get_sid(struct dentry *dentry,
1449 u16 tclass,
1450 u16 flags,
1451 u32 *sid)
1da177e4 1452{
8e6c9693 1453 int rc;
fc64005c 1454 struct super_block *sb = dentry->d_sb;
8e6c9693 1455 char *buffer, *path;
1da177e4 1456
828dfe1d 1457 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1458 if (!buffer)
1459 return -ENOMEM;
1460
8e6c9693
LAG		 1461 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1462 if (IS_ERR(path))
1463 rc = PTR_ERR(path);
1464 else {
134509d5
SS		 1465 if (flags & SE_SBPROC) {
1466 /* each process gets a /proc/PID/ entry. Strip off the
1467 * PID part to get a valid selinux labeling.
1468 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1469 while (path[1] >= '0' && path[1] <= '9') {
1470 path[1] = '/';
1471 path++;
1472 }
8e6c9693 1473 }
134509d5 1474 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1475 }
1da177e4
LT		 1476 free_page((unsigned long)buffer);
1477 return rc;
1478}
1da177e4
LT		 1479
1480/* The inode's security attributes must be initialized before first use. */
1481static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1482{
1483 struct superblock_security_struct *sbsec = NULL;
1484 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1485 u32 task_sid, sid = 0;
1486 u16 sclass;
1da177e4
LT		 1487 struct dentry *dentry;
1488#define INITCONTEXTLEN 255
1489 char *context = NULL;
1490 unsigned len = 0;
1491 int rc = 0;
1da177e4 1492
6f3be9f5 1493 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1494 return 0;
1da177e4 1495
9287aed2 1496 spin_lock(&isec->lock);
6f3be9f5 1497 if (isec->initialized == LABEL_INITIALIZED)
23970741 1498 goto out_unlock;
1da177e4 1499
13457d07
AG		 1500 if (isec->sclass == SECCLASS_FILE)
1501 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1502
1da177e4 1503 sbsec = inode->i_sb->s_security;
0d90a7ec 1504 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1505 /* Defer initialization until selinux_complete_init,
1506 after the initial policy is loaded and the security
1507 server is ready to handle calls. */
1508 spin_lock(&sbsec->isec_lock);
1509 if (list_empty(&isec->list))
1510 list_add(&isec->list, &sbsec->isec_head);
1511 spin_unlock(&sbsec->isec_lock);
23970741 1512 goto out_unlock;
1da177e4
LT		 1513 }
1514
9287aed2
AG		 1515 sclass = isec->sclass;
1516 task_sid = isec->task_sid;
1517 sid = isec->sid;
1518 isec->initialized = LABEL_PENDING;
1519 spin_unlock(&isec->lock);
1520
1da177e4 1521 switch (sbsec->behavior) {
eb9ae686
DQ		 1522 case SECURITY_FS_USE_NATIVE:
1523 break;
1da177e4 1524 case SECURITY_FS_USE_XATTR:
5d6c3191 1525 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1526 sid = sbsec->def_sid;
1da177e4
LT		 1527 break;
1528 }
1da177e4
LT		 1529 /* Need a dentry, since the xattr API requires one.
1530 Life would be simpler if we could just pass the inode. */
1531 if (opt_dentry) {
1532 /* Called from d_instantiate or d_splice_alias. */
1533 dentry = dget(opt_dentry);
1534 } else {
1535 /* Called from selinux_complete_init, try to find a dentry. */
1536 dentry = d_find_alias(inode);
1537 }
1538 if (!dentry) {
df7f54c0
EP		 1539 /*
1540 * this is can be hit on boot when a file is accessed
1541 * before the policy is loaded. When we load policy we
1542 * may find inodes that have no dentry on the
1543 * sbsec->isec_head list. No reason to complain as these
1544 * will get fixed up the next time we go through
1545 * inode_doinit with a dentry, before these inodes could
1546 * be used again by userspace.
1547 */
9287aed2 1548 goto out;
1da177e4
LT		 1549 }
1550
1551 len = INITCONTEXTLEN;
4cb912f1 1552 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1553 if (!context) {
1554 rc = -ENOMEM;
1555 dput(dentry);
9287aed2 1556 goto out;
1da177e4 1557 }
4cb912f1 1558 context[len] = '\0';
5d6c3191 1559 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1560 if (rc == -ERANGE) {
314dabb8
JM		 1561 kfree(context);
1562
1da177e4 1563 /* Need a larger buffer. Query for the right size. */
5d6c3191 1564 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1565 if (rc < 0) {
1566 dput(dentry);
9287aed2 1567 goto out;
1da177e4 1568 }
1da177e4 1569 len = rc;
4cb912f1 1570 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1571 if (!context) {
1572 rc = -ENOMEM;
1573 dput(dentry);
9287aed2 1574 goto out;
1da177e4 1575 }
4cb912f1 1576 context[len] = '\0';
5d6c3191 1577 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1578 }
1579 dput(dentry);
1580 if (rc < 0) {
1581 if (rc != -ENODATA) {
744ba35e 1582 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1583 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1584 -rc, inode->i_sb->s_id, inode->i_ino);
1585 kfree(context);
9287aed2 1586 goto out;
1da177e4
LT		 1587 }
1588 /* Map ENODATA to the default file SID */
1589 sid = sbsec->def_sid;
1590 rc = 0;
1591 } else {
f5c1d5b2 1592 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1593 sbsec->def_sid,
1594 GFP_NOFS);
1da177e4 1595 if (rc) {
4ba0a8ad
EP		 1596 char *dev = inode->i_sb->s_id;
1597 unsigned long ino = inode->i_ino;
1598
1599 if (rc == -EINVAL) {
1600 if (printk_ratelimit())
1601 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1602 "context=%s. This indicates you may need to relabel the inode or the "
1603 "filesystem in question.\n", ino, dev, context);
1604 } else {
1605 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1606 "returned %d for dev=%s ino=%ld\n",
1607 __func__, context, -rc, dev, ino);
1608 }
1da177e4
LT		 1609 kfree(context);
1610 /* Leave with the unlabeled SID */
1611 rc = 0;
1612 break;
1613 }
1614 }
1615 kfree(context);
1da177e4
LT		 1616 break;
1617 case SECURITY_FS_USE_TASK:
9287aed2 1618 sid = task_sid;
1da177e4
LT		 1619 break;
1620 case SECURITY_FS_USE_TRANS:
1621 /* Default to the fs SID. */
9287aed2 1622 sid = sbsec->sid;
1da177e4
LT		 1623
1624 /* Try to obtain a transition SID. */
9287aed2 1625 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1626 if (rc)
9287aed2 1627 goto out;
1da177e4 1628 break;
c312feb2 1629 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1630 sid = sbsec->mntpoint_sid;
c312feb2 1631 break;
1da177e4 1632 default:
c312feb2 1633 /* Default to the fs superblock SID. */
9287aed2 1634 sid = sbsec->sid;
1da177e4 1635
134509d5 1636 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1637 /* We must have a dentry to determine the label on
1638 * procfs inodes */
1639 if (opt_dentry)
1640 /* Called from d_instantiate or
1641 * d_splice_alias. */
1642 dentry = dget(opt_dentry);
1643 else
1644 /* Called from selinux_complete_init, try to
1645 * find a dentry. */
1646 dentry = d_find_alias(inode);
1647 /*
1648 * This can be hit on boot when a file is accessed
1649 * before the policy is loaded. When we load policy we
1650 * may find inodes that have no dentry on the
1651 * sbsec->isec_head list. No reason to complain as
1652 * these will get fixed up the next time we go through
1653 * inode_doinit() with a dentry, before these inodes
1654 * could be used again by userspace.
1655 */
1656 if (!dentry)
9287aed2
AG		 1657 goto out;
1658 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1659 sbsec->flags, &sid);
f64410ec
PM		 1660 dput(dentry);
1661 if (rc)
9287aed2 1662 goto out;
1da177e4
LT		 1663 }
1664 break;
1665 }
1666
9287aed2
AG		 1667out:
1668 spin_lock(&isec->lock);
1669 if (isec->initialized == LABEL_PENDING) {
1670 if (!sid || rc) {
1671 isec->initialized = LABEL_INVALID;
1672 goto out_unlock;
1673 }
1674
1675 isec->initialized = LABEL_INITIALIZED;
1676 isec->sid = sid;
1677 }
1da177e4 1678
23970741 1679out_unlock:
9287aed2 1680 spin_unlock(&isec->lock);
1da177e4
LT		 1681 return rc;
1682}
1683
1684/* Convert a Linux signal to an access vector. */
1685static inline u32 signal_to_av(int sig)
1686{
1687 u32 perm = 0;
1688
1689 switch (sig) {
1690 case SIGCHLD:
1691 /* Commonly granted from child to parent. */
1692 perm = PROCESS__SIGCHLD;
1693 break;
1694 case SIGKILL:
1695 /* Cannot be caught or ignored */
1696 perm = PROCESS__SIGKILL;
1697 break;
1698 case SIGSTOP:
1699 /* Cannot be caught or ignored */
1700 perm = PROCESS__SIGSTOP;
1701 break;
1702 default:
1703 /* All other signals. */
1704 perm = PROCESS__SIGNAL;
1705 break;
1706 }
1707
1708 return perm;
1709}
1710
b68e418c
SS		 1711#if CAP_LAST_CAP > 63
1712#error Fix SELinux to handle capabilities > 63.
1713#endif
1714
1da177e4 1715/* Check whether a task is allowed to use a capability. */
6a9de491 1716static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1717 int cap, int audit, bool initns)
1da177e4 1718{
2bf49690 1719 struct common_audit_data ad;
06112163 1720 struct av_decision avd;
b68e418c 1721 u16 sclass;
3699c53c 1722 u32 sid = cred_sid(cred);
b68e418c 1723 u32 av = CAP_TO_MASK(cap);
06112163 1724 int rc;
1da177e4 1725
50c205f5 1726 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1727 ad.u.cap = cap;
1728
b68e418c
SS		 1729 switch (CAP_TO_INDEX(cap)) {
1730 case 0:
8e4ff6f2 1731 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1732 break;
1733 case 1:
8e4ff6f2 1734 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1735 break;
1736 default:
1737 printk(KERN_ERR
1738 "SELinux: out of range capability %d\n", cap);
1739 BUG();
a35c6c83 1740 return -EINVAL;
b68e418c 1741 }
06112163 1742
275bb41e 1743 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1744 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1745 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1746 if (rc2)
1747 return rc2;
1748 }
06112163 1749 return rc;
1da177e4
LT		 1750}
1751
1da177e4
LT		 1752/* Check whether a task has a particular permission to an inode.
1753 The 'adp' parameter is optional and allows other audit
1754 data to be passed (e.g. the dentry). */
88e67f3b 1755static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1756 struct inode *inode,
1757 u32 perms,
19e49834 1758 struct common_audit_data *adp)
1da177e4 1759{
1da177e4 1760 struct inode_security_struct *isec;
275bb41e 1761 u32 sid;
1da177e4 1762
e0e81739
DH		 1763 validate_creds(cred);
1764
828dfe1d 1765 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1766 return 0;
1767
88e67f3b 1768 sid = cred_sid(cred);
1da177e4
LT		 1769 isec = inode->i_security;
1770
19e49834 1771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1772}
1773
1774/* Same as inode_has_perm, but pass explicit audit data containing
1775 the dentry to help the auditing code to more easily generate the
1776 pathname if needed. */
88e67f3b 1777static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1778 struct dentry *dentry,
1779 u32 av)
1780{
c6f493d6 1781 struct inode *inode = d_backing_inode(dentry);
2bf49690 1782 struct common_audit_data ad;
88e67f3b 1783
50c205f5 1784 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1785 ad.u.dentry = dentry;
5d226df4 1786 __inode_security_revalidate(inode, dentry, true);
19e49834 1787 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1788}
1789
1790/* Same as inode_has_perm, but pass explicit audit data containing
1791 the path to help the auditing code to more easily generate the
1792 pathname if needed. */
1793static inline int path_has_perm(const struct cred *cred,
3f7036a0 1794 const struct path *path,
2875fa00
EP		 1795 u32 av)
1796{
c6f493d6 1797 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1798 struct common_audit_data ad;
1799
50c205f5 1800 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1801 ad.u.path = *path;
5d226df4 1802 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1803 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1804}
1805
13f8e981
DH		 1806/* Same as path_has_perm, but uses the inode from the file struct. */
1807static inline int file_path_has_perm(const struct cred *cred,
1808 struct file *file,
1809 u32 av)
1810{
1811 struct common_audit_data ad;
1812
43af5de7
VG		 1813 ad.type = LSM_AUDIT_DATA_FILE;
1814 ad.u.file = file;
19e49834 1815 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1816}
1817
f66e448c
CF		 1818#ifdef CONFIG_BPF_SYSCALL
1819static int bpf_fd_pass(struct file *file, u32 sid);
1820#endif
1821
1da177e4
LT		 1822/* Check whether a task can use an open file descriptor to
1823 access an inode in a given way. Check access to the
1824 descriptor itself, and then use dentry_has_perm to
1825 check a particular permission to the file.
1826 Access to the descriptor is implicitly granted if it
1827 has the same SID as the process. If av is zero, then
1828 access to the file is not checked, e.g. for cases
1829 where only the descriptor is affected like seek. */
88e67f3b
DH		 1830static int file_has_perm(const struct cred *cred,
1831 struct file *file,
1832 u32 av)
1da177e4 1833{
1da177e4 1834 struct file_security_struct *fsec = file->f_security;
496ad9aa 1835 struct inode *inode = file_inode(file);
2bf49690 1836 struct common_audit_data ad;
88e67f3b 1837 u32 sid = cred_sid(cred);
1da177e4
LT		 1838 int rc;
1839
43af5de7
VG		 1840 ad.type = LSM_AUDIT_DATA_FILE;
1841 ad.u.file = file;
1da177e4 1842
275bb41e
DH		 1843 if (sid != fsec->sid) {
1844 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1845 SECCLASS_FD,
1846 FD__USE,
1847 &ad);
1848 if (rc)
88e67f3b 1849 goto out;
1da177e4
LT		 1850 }
1851
f66e448c
CF		 1852#ifdef CONFIG_BPF_SYSCALL
1853 rc = bpf_fd_pass(file, cred_sid(cred));
1854 if (rc)
1855 return rc;
1856#endif
1857
1da177e4 1858 /* av is zero if only checking access to the descriptor. */
88e67f3b 1859 rc = 0;
1da177e4 1860 if (av)
19e49834 1861 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1862
88e67f3b
DH		 1863out:
1864 return rc;
1da177e4
LT		 1865}
1866
c3c188b2
DH		 1867/*
1868 * Determine the label for an inode that might be unioned.
1869 */
c957f6df
VG		 1870static int
1871selinux_determine_inode_label(const struct task_security_struct *tsec,
1872 struct inode *dir,
1873 const struct qstr *name, u16 tclass,
1874 u32 *_new_isid)
c3c188b2
DH		 1875{
1876 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1877
1878 if ((sbsec->flags & SE_SBINITIALIZED) &&
1879 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1880 *_new_isid = sbsec->mntpoint_sid;
1881 } else if ((sbsec->flags & SBLABEL_MNT) &&
1882 tsec->create_sid) {
1883 *_new_isid = tsec->create_sid;
1884 } else {
20cdef8d 1885 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1886 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1887 name, _new_isid);
1888 }
1889
1890 return 0;
1891}
1892
1da177e4
LT		 1893/* Check whether a task can create a file. */
1894static int may_create(struct inode *dir,
1895 struct dentry *dentry,
1896 u16 tclass)
1897{
5fb49870 1898 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1899 struct inode_security_struct *dsec;
1900 struct superblock_security_struct *sbsec;
275bb41e 1901 u32 sid, newsid;
2bf49690 1902 struct common_audit_data ad;
1da177e4
LT		 1903 int rc;
1904
83da53c5 1905 dsec = inode_security(dir);
1da177e4
LT		 1906 sbsec = dir->i_sb->s_security;
1907
275bb41e 1908 sid = tsec->sid;
275bb41e 1909
50c205f5 1910 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1911 ad.u.dentry = dentry;
1da177e4 1912
275bb41e 1913 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1914 DIR__ADD_NAME | DIR__SEARCH,
1915 &ad);
1916 if (rc)
1917 return rc;
1918
c957f6df
VG		 1919 rc = selinux_determine_inode_label(current_security(), dir,
1920 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1921 if (rc)
1922 return rc;
1da177e4 1923
275bb41e 1924 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1925 if (rc)
1926 return rc;
1927
1928 return avc_has_perm(newsid, sbsec->sid,
1929 SECCLASS_FILESYSTEM,
1930 FILESYSTEM__ASSOCIATE, &ad);
1931}
1932
828dfe1d
EP		 1933#define MAY_LINK 0
1934#define MAY_UNLINK 1
1935#define MAY_RMDIR 2
1da177e4
LT		 1936
1937/* Check whether a task can link, unlink, or rmdir a file/directory. */
1938static int may_link(struct inode *dir,
1939 struct dentry *dentry,
1940 int kind)
1941
1942{
1da177e4 1943 struct inode_security_struct *dsec, *isec;
2bf49690 1944 struct common_audit_data ad;
275bb41e 1945 u32 sid = current_sid();
1da177e4
LT		 1946 u32 av;
1947 int rc;
1948
83da53c5
AG		 1949 dsec = inode_security(dir);
1950 isec = backing_inode_security(dentry);
1da177e4 1951
50c205f5 1952 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1953 ad.u.dentry = dentry;
1da177e4
LT		 1954
1955 av = DIR__SEARCH;
1956 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1957 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1958 if (rc)
1959 return rc;
1960
1961 switch (kind) {
1962 case MAY_LINK:
1963 av = FILE__LINK;
1964 break;
1965 case MAY_UNLINK:
1966 av = FILE__UNLINK;
1967 break;
1968 case MAY_RMDIR:
1969 av = DIR__RMDIR;
1970 break;
1971 default:
744ba35e
EP		 1972 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1973 __func__, kind);
1da177e4
LT		 1974 return 0;
1975 }
1976
275bb41e 1977 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1978 return rc;
1979}
1980
1981static inline int may_rename(struct inode *old_dir,
1982 struct dentry *old_dentry,
1983 struct inode *new_dir,
1984 struct dentry *new_dentry)
1985{
1da177e4 1986 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1987 struct common_audit_data ad;
275bb41e 1988 u32 sid = current_sid();
1da177e4
LT		 1989 u32 av;
1990 int old_is_dir, new_is_dir;
1991 int rc;
1992
83da53c5
AG		 1993 old_dsec = inode_security(old_dir);
1994 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1995 old_is_dir = d_is_dir(old_dentry);
83da53c5 1996 new_dsec = inode_security(new_dir);
1da177e4 1997
50c205f5 1998 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1999
a269434d 2000 ad.u.dentry = old_dentry;
275bb41e 2001 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 2002 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003 if (rc)
2004 return rc;
275bb41e 2005 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2006 old_isec->sclass, FILE__RENAME, &ad);
2007 if (rc)
2008 return rc;
2009 if (old_is_dir && new_dir != old_dir) {
275bb41e 2010 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2011 old_isec->sclass, DIR__REPARENT, &ad);
2012 if (rc)
2013 return rc;
2014 }
2015
a269434d 2016 ad.u.dentry = new_dentry;
1da177e4 2017 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2018 if (d_is_positive(new_dentry))
1da177e4 2019 av |= DIR__REMOVE_NAME;
275bb41e 2020 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2021 if (rc)
2022 return rc;
2c616d4d 2023 if (d_is_positive(new_dentry)) {
83da53c5 2024 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2025 new_is_dir = d_is_dir(new_dentry);
275bb41e 2026 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 2027 new_isec->sclass,
2028 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029 if (rc)
2030 return rc;
2031 }
2032
2033 return 0;
2034}
2035
2036/* Check whether a task can perform a filesystem operation. */
88e67f3b 2037static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2038 struct super_block *sb,
2039 u32 perms,
2bf49690 2040 struct common_audit_data *ad)
1da177e4 2041{
1da177e4 2042 struct superblock_security_struct *sbsec;
88e67f3b 2043 u32 sid = cred_sid(cred);
1da177e4 2044
1da177e4 2045 sbsec = sb->s_security;
275bb41e 2046 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2047}
2048
2049/* Convert a Linux mode and permission mask to an access vector. */
2050static inline u32 file_mask_to_av(int mode, int mask)
2051{
2052 u32 av = 0;
2053
dba19c60 2054 if (!S_ISDIR(mode)) {
1da177e4
LT		 2055 if (mask & MAY_EXEC)
2056 av |= FILE__EXECUTE;
2057 if (mask & MAY_READ)
2058 av |= FILE__READ;
2059
2060 if (mask & MAY_APPEND)
2061 av |= FILE__APPEND;
2062 else if (mask & MAY_WRITE)
2063 av |= FILE__WRITE;
2064
2065 } else {
2066 if (mask & MAY_EXEC)
2067 av |= DIR__SEARCH;
2068 if (mask & MAY_WRITE)
2069 av |= DIR__WRITE;
2070 if (mask & MAY_READ)
2071 av |= DIR__READ;
2072 }
2073
2074 return av;
2075}
2076
8b6a5a37
EP		 2077/* Convert a Linux file to an access vector. */
2078static inline u32 file_to_av(struct file *file)
2079{
2080 u32 av = 0;
2081
2082 if (file->f_mode & FMODE_READ)
2083 av |= FILE__READ;
2084 if (file->f_mode & FMODE_WRITE) {
2085 if (file->f_flags & O_APPEND)
2086 av |= FILE__APPEND;
2087 else
2088 av |= FILE__WRITE;
2089 }
2090 if (!av) {
2091 /*
2092 * Special file opened with flags 3 for ioctl-only use.
2093 */
2094 av = FILE__IOCTL;
2095 }
2096
2097 return av;
2098}
2099
b0c636b9 2100/*
8b6a5a37 2101 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2102 * open permission.
2103 */
8b6a5a37 2104static inline u32 open_file_to_av(struct file *file)
b0c636b9 2105{
8b6a5a37 2106 u32 av = file_to_av(file);
ccb54478 2107 struct inode *inode = file_inode(file);
b0c636b9 2108
ccb54478 2109 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2110 av |= FILE__OPEN;
2111
b0c636b9
EP		 2112 return av;
2113}
2114
1da177e4
LT		 2115/* Hook functions begin here. */
2116
79af7307
SS		 2117static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2118{
2119 u32 mysid = current_sid();
2120 u32 mgrsid = task_sid(mgr);
2121
2122 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2123 BINDER__SET_CONTEXT_MGR, NULL);
2124}
2125
2126static int selinux_binder_transaction(struct task_struct *from,
2127 struct task_struct *to)
2128{
2129 u32 mysid = current_sid();
2130 u32 fromsid = task_sid(from);
2131 u32 tosid = task_sid(to);
2132 int rc;
2133
2134 if (mysid != fromsid) {
2135 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2136 BINDER__IMPERSONATE, NULL);
2137 if (rc)
2138 return rc;
2139 }
2140
2141 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142 NULL);
2143}
2144
2145static int selinux_binder_transfer_binder(struct task_struct *from,
2146 struct task_struct *to)
2147{
2148 u32 fromsid = task_sid(from);
2149 u32 tosid = task_sid(to);
2150
2151 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152 NULL);
2153}
2154
2155static int selinux_binder_transfer_file(struct task_struct *from,
2156 struct task_struct *to,
2157 struct file *file)
2158{
2159 u32 sid = task_sid(to);
2160 struct file_security_struct *fsec = file->f_security;
83da53c5 2161 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2162 struct inode_security_struct *isec;
79af7307
SS		 2163 struct common_audit_data ad;
2164 int rc;
2165
2166 ad.type = LSM_AUDIT_DATA_PATH;
2167 ad.u.path = file->f_path;
2168
2169 if (sid != fsec->sid) {
2170 rc = avc_has_perm(sid, fsec->sid,
2171 SECCLASS_FD,
2172 FD__USE,
2173 &ad);
2174 if (rc)
2175 return rc;
2176 }
2177
f66e448c
CF		 2178#ifdef CONFIG_BPF_SYSCALL
2179 rc = bpf_fd_pass(file, sid);
2180 if (rc)
2181 return rc;
2182#endif
2183
83da53c5 2184 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2185 return 0;
2186
20cdef8d 2187 isec = backing_inode_security(dentry);
79af7307
SS		 2188 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2189 &ad);
2190}
2191
9e48858f 2192static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2193 unsigned int mode)
1da177e4 2194{
be0554c9
SS		 2195 u32 sid = current_sid();
2196 u32 csid = task_sid(child);
2197
2198 if (mode & PTRACE_MODE_READ)
275bb41e 2199 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2200
be0554c9 2201 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2202}
2203
2204static int selinux_ptrace_traceme(struct task_struct *parent)
2205{
be0554c9
SS		 2206 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207 PROCESS__PTRACE, NULL);
1da177e4
LT		 2208}
2209
2210static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2211 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2212{
be0554c9
SS		 2213 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2214 PROCESS__GETCAP, NULL);
1da177e4
LT		 2215}
2216
d84f4f99
DH		 2217static int selinux_capset(struct cred *new, const struct cred *old,
2218 const kernel_cap_t *effective,
2219 const kernel_cap_t *inheritable,
2220 const kernel_cap_t *permitted)
1da177e4 2221{
be0554c9
SS		 2222 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223 PROCESS__SETCAP, NULL);
1da177e4
LT		 2224}
2225
5626d3e8
JM		 2226/*
2227 * (This comment used to live with the selinux_task_setuid hook,
2228 * which was removed).
2229 *
2230 * Since setuid only affects the current process, and since the SELinux
2231 * controls are not based on the Linux identity attributes, SELinux does not
2232 * need to control this operation. However, SELinux does control the use of
2233 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2234 */
2235
6a9de491
EP		 2236static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2237 int cap, int audit)
1da177e4 2238{
8e4ff6f2 2239 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2240}
2241
1da177e4
LT		 2242static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2243{
88e67f3b 2244 const struct cred *cred = current_cred();
1da177e4
LT		 2245 int rc = 0;
2246
2247 if (!sb)
2248 return 0;
2249
2250 switch (cmds) {
828dfe1d
EP		 2251 case Q_SYNC:
2252 case Q_QUOTAON:
2253 case Q_QUOTAOFF:
2254 case Q_SETINFO:
2255 case Q_SETQUOTA:
88e67f3b 2256 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2257 break;
2258 case Q_GETFMT:
2259 case Q_GETINFO:
2260 case Q_GETQUOTA:
88e67f3b 2261 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2262 break;
2263 default:
2264 rc = 0; /* let the kernel handle invalid cmds */
2265 break;
1da177e4
LT		 2266 }
2267 return rc;
2268}
2269
2270static int selinux_quota_on(struct dentry *dentry)
2271{
88e67f3b
DH		 2272 const struct cred *cred = current_cred();
2273
2875fa00 2274 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2275}
2276
12b3052c 2277static int selinux_syslog(int type)
1da177e4 2278{
1da177e4 2279 switch (type) {
d78ca3cd
KC		 2280 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2281 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2283 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2284 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2286 /* Set level of messages printed to console */
2287 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2289 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290 NULL);
1da177e4 2291 }
be0554c9
SS		 2292 /* All other syslog types */
2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2294 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2295}
2296
2297/*
2298 * Check that a process has enough memory to allocate a new virtual
2299 * mapping. 0 means there is enough memory for the allocation to
2300 * succeed and -ENOMEM implies there is not.
2301 *
1da177e4
LT		 2302 * Do not audit the selinux permission check, as this is applied to all
2303 * processes that allocate mappings.
2304 */
34b4e4aa 2305static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2306{
2307 int rc, cap_sys_admin = 0;
1da177e4 2308
b1d9e6b0 2309 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2310 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2311 if (rc == 0)
2312 cap_sys_admin = 1;
2313
b1d9e6b0 2314 return cap_sys_admin;
1da177e4
LT		 2315}
2316
2317/* binprm security operations */
2318
be0554c9 2319static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2320{
2321 u32 sid = 0;
2322 struct task_struct *tracer;
2323
2324 rcu_read_lock();
be0554c9 2325 tracer = ptrace_parent(current);
0c6181cb
PM		 2326 if (tracer)
2327 sid = task_sid(tracer);
2328 rcu_read_unlock();
2329
2330 return sid;
2331}
2332
7b0d0b40
SS		 2333static int check_nnp_nosuid(const struct linux_binprm *bprm,
2334 const struct task_security_struct *old_tsec,
2335 const struct task_security_struct *new_tsec)
2336{
2337 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2338 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2339 int rc;
af63f419 2340 u32 av;
7b0d0b40
SS		 2341
2342 if (!nnp && !nosuid)
2343 return 0; /* neither NNP nor nosuid */
2344
2345 if (new_tsec->sid == old_tsec->sid)
2346 return 0; /* No change in credentials */
2347
2348 /*
af63f419
SS		 2349 * If the policy enables the nnp_nosuid_transition policy capability,
2350 * then we permit transitions under NNP or nosuid if the
2351 * policy allows the corresponding permission between
2352 * the old and new contexts.
7b0d0b40 2353 */
af63f419
SS		 2354 if (selinux_policycap_nnp_nosuid_transition) {
2355 av = 0;
7b0d0b40 2356 if (nnp)
af63f419
SS		 2357 av |= PROCESS2__NNP_TRANSITION;
2358 if (nosuid)
2359 av |= PROCESS2__NOSUID_TRANSITION;
2360 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2361 SECCLASS_PROCESS2, av, NULL);
2362 if (!rc)
2363 return 0;
7b0d0b40 2364 }
af63f419
SS		 2365
2366 /*
2367 * We also permit NNP or nosuid transitions to bounded SIDs,
2368 * i.e. SIDs that are guaranteed to only be allowed a subset
2369 * of the permissions of the current SID.
2370 */
2371 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2372 if (!rc)
2373 return 0;
2374
2375 /*
2376 * On failure, preserve the errno values for NNP vs nosuid.
2377 * NNP: Operation not permitted for caller.
2378 * nosuid: Permission denied to file.
2379 */
2380 if (nnp)
2381 return -EPERM;
2382 return -EACCES;
7b0d0b40
SS		 2383}
2384
a6f76f23 2385static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2386{
a6f76f23
DH		 2387 const struct task_security_struct *old_tsec;
2388 struct task_security_struct *new_tsec;
1da177e4 2389 struct inode_security_struct *isec;
2bf49690 2390 struct common_audit_data ad;
496ad9aa 2391 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2392 int rc;
2393
a6f76f23
DH		 2394 /* SELinux context only depends on initial program or script and not
2395 * the script interpreter */
ddb4a144 2396 if (bprm->called_set_creds)
1da177e4
LT		 2397 return 0;
2398
a6f76f23
DH		 2399 old_tsec = current_security();
2400 new_tsec = bprm->cred->security;
83da53c5 2401 isec = inode_security(inode);
1da177e4
LT		 2402
2403 /* Default to the current task SID. */
a6f76f23
DH		 2404 new_tsec->sid = old_tsec->sid;
2405 new_tsec->osid = old_tsec->sid;
1da177e4 2406
28eba5bf 2407 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2408 new_tsec->create_sid = 0;
2409 new_tsec->keycreate_sid = 0;
2410 new_tsec->sockcreate_sid = 0;
1da177e4 2411
a6f76f23
DH		 2412 if (old_tsec->exec_sid) {
2413 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2414 /* Reset exec SID on execve. */
a6f76f23 2415 new_tsec->exec_sid = 0;
259e5e6c 2416
7b0d0b40
SS		 2417 /* Fail on NNP or nosuid if not an allowed transition. */
2418 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2419 if (rc)
2420 return rc;
1da177e4
LT		 2421 } else {
2422 /* Check for a default transition on this program. */
a6f76f23 2423 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2424 SECCLASS_PROCESS, NULL,
2425 &new_tsec->sid);
1da177e4
LT		 2426 if (rc)
2427 return rc;
7b0d0b40
SS		 2428
2429 /*
2430 * Fallback to old SID on NNP or nosuid if not an allowed
2431 * transition.
2432 */
2433 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2434 if (rc)
2435 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2436 }
2437
43af5de7
VG		 2438 ad.type = LSM_AUDIT_DATA_FILE;
2439 ad.u.file = bprm->file;
1da177e4 2440
a6f76f23
DH		 2441 if (new_tsec->sid == old_tsec->sid) {
2442 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2443 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444 if (rc)
2445 return rc;
2446 } else {
2447 /* Check permissions for the transition. */
a6f76f23 2448 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2449 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450 if (rc)
2451 return rc;
2452
a6f76f23 2453 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2454 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455 if (rc)
2456 return rc;
2457
a6f76f23
DH		 2458 /* Check for shared state */
2459 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2461 SECCLASS_PROCESS, PROCESS__SHARE,
2462 NULL);
2463 if (rc)
2464 return -EPERM;
2465 }
2466
2467 /* Make sure that anyone attempting to ptrace over a task that
2468 * changes its SID has the appropriate permit */
9227dd2a 2469 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2470 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2471 if (ptsid != 0) {
2472 rc = avc_has_perm(ptsid, new_tsec->sid,
2473 SECCLASS_PROCESS,
2474 PROCESS__PTRACE, NULL);
2475 if (rc)
2476 return -EPERM;
2477 }
2478 }
1da177e4 2479
a6f76f23
DH		 2480 /* Clear any possibly unsafe personality bits on exec: */
2481 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2482
1da177e4
LT		 2483 /* Enable secure mode for SIDs transitions unless
2484 the noatsecure permission is granted between
2485 the two SIDs, i.e. ahp returns 0. */
62874c3a
KC		 2486 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2487 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488 NULL);
2489 bprm->secureexec |= !!rc;
1da177e4
LT		 2490 }
2491
62874c3a 2492 return 0;
1da177e4
LT		 2493}
2494
c3c073f8
AV		 2495static int match_file(const void *p, struct file *file, unsigned fd)
2496{
2497 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2498}
2499
1da177e4 2500/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2501static inline void flush_unauthorized_files(const struct cred *cred,
2502 struct files_struct *files)
1da177e4 2503{
1da177e4 2504 struct file *file, *devnull = NULL;
b20c8122 2505 struct tty_struct *tty;
24ec839c 2506 int drop_tty = 0;
c3c073f8 2507 unsigned n;
1da177e4 2508
24ec839c 2509 tty = get_current_tty();
1da177e4 2510 if (tty) {
4a510969 2511 spin_lock(&tty->files_lock);
37dd0bd0 2512 if (!list_empty(&tty->tty_files)) {
d996b62a 2513 struct tty_file_private *file_priv;
37dd0bd0 2514
1da177e4 2515 /* Revalidate access to controlling tty.
13f8e981
DH		 2516 Use file_path_has_perm on the tty path directly
2517 rather than using file_has_perm, as this particular
2518 open file may belong to another process and we are
2519 only interested in the inode-based check here. */
d996b62a
NP		 2520 file_priv = list_first_entry(&tty->tty_files,
2521 struct tty_file_private, list);
2522 file = file_priv->file;
13f8e981 2523 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2524 drop_tty = 1;
1da177e4 2525 }
4a510969 2526 spin_unlock(&tty->files_lock);
452a00d2 2527 tty_kref_put(tty);
1da177e4 2528 }
98a27ba4
EB		 2529 /* Reset controlling tty. */
2530 if (drop_tty)
2531 no_tty();
1da177e4
LT		 2532
2533 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2534 n = iterate_fd(files, 0, match_file, cred);
2535 if (!n) /* none found? */
2536 return;
1da177e4 2537
c3c073f8 2538 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2539 if (IS_ERR(devnull))
2540 devnull = NULL;
2541 /* replace all the matching ones with this */
2542 do {
2543 replace_fd(n - 1, devnull, 0);
2544 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2545 if (devnull)
c3c073f8 2546 fput(devnull);
1da177e4
LT		 2547}
2548
a6f76f23
DH		 2549/*
2550 * Prepare a process for imminent new credential changes due to exec
2551 */
2552static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2553{
a6f76f23
DH		 2554 struct task_security_struct *new_tsec;
2555 struct rlimit *rlim, *initrlim;
2556 int rc, i;
d84f4f99 2557
a6f76f23
DH		 2558 new_tsec = bprm->cred->security;
2559 if (new_tsec->sid == new_tsec->osid)
2560 return;
1da177e4 2561
a6f76f23
DH		 2562 /* Close files for which the new task SID is not authorized. */
2563 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2564
a6f76f23
DH		 2565 /* Always clear parent death signal on SID transitions. */
2566 current->pdeath_signal = 0;
0356357c 2567
a6f76f23
DH		 2568 /* Check whether the new SID can inherit resource limits from the old
2569 * SID. If not, reset all soft limits to the lower of the current
2570 * task's hard limit and the init task's soft limit.
2571 *
2572 * Note that the setting of hard limits (even to lower them) can be
2573 * controlled by the setrlimit check. The inclusion of the init task's
2574 * soft limit into the computation is to avoid resetting soft limits
2575 * higher than the default soft limit for cases where the default is
2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577 */
2578 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579 PROCESS__RLIMITINH, NULL);
2580 if (rc) {
eb2d55a3
ON		 2581 /* protect against do_prlimit() */
2582 task_lock(current);
a6f76f23
DH		 2583 for (i = 0; i < RLIM_NLIMITS; i++) {
2584 rlim = current->signal->rlim + i;
2585 initrlim = init_task.signal->rlim + i;
2586 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2587 }
eb2d55a3 2588 task_unlock(current);
baa73d9e
NP		 2589 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2590 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2591 }
2592}
2593
2594/*
a6f76f23
DH		 2595 * Clean up the process immediately after the installation of new credentials
2596 * due to exec
1da177e4 2597 */
a6f76f23 2598static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2599{
a6f76f23 2600 const struct task_security_struct *tsec = current_security();
1da177e4 2601 struct itimerval itimer;
a6f76f23 2602 u32 osid, sid;
1da177e4
LT		 2603 int rc, i;
2604
a6f76f23
DH		 2605 osid = tsec->osid;
2606 sid = tsec->sid;
2607
2608 if (sid == osid)
1da177e4
LT		 2609 return;
2610
a6f76f23
DH		 2611 /* Check whether the new SID can inherit signal state from the old SID.
2612 * If not, clear itimers to avoid subsequent signal generation and
2613 * flush and unblock signals.
2614 *
2615 * This must occur _after_ the task SID has been updated so that any
2616 * kill done after the flush will be checked against the new SID.
2617 */
2618 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2619 if (rc) {
baa73d9e
NP		 2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621 memset(&itimer, 0, sizeof itimer);
2622 for (i = 0; i < 3; i++)
2623 do_setitimer(i, &itimer, NULL);
2624 }
1da177e4 2625 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2626 if (!fatal_signal_pending(current)) {
2627 flush_sigqueue(&current->pending);
2628 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2629 flush_signal_handlers(current, 1);
2630 sigemptyset(&current->blocked);
9e7c8f8c 2631 recalc_sigpending();
3bcac026 2632 }
1da177e4
LT		 2633 spin_unlock_irq(&current->sighand->siglock);
2634 }
2635
a6f76f23
DH		 2636 /* Wake up the parent if it is waiting so that it can recheck
2637 * wait permission to the new task SID. */
ecd6de3c 2638 read_lock(&tasklist_lock);
0b7570e7 2639 __wake_up_parent(current, current->real_parent);
ecd6de3c 2640 read_unlock(&tasklist_lock);
1da177e4
LT		 2641}
2642
2643/* superblock security operations */
2644
2645static int selinux_sb_alloc_security(struct super_block *sb)
2646{
2647 return superblock_alloc_security(sb);
2648}
2649
2650static void selinux_sb_free_security(struct super_block *sb)
2651{
2652 superblock_free_security(sb);
2653}
2654
2655static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2656{
2657 if (plen > olen)
2658 return 0;
2659
2660 return !memcmp(prefix, option, plen);
2661}
2662
2663static inline int selinux_option(char *option, int len)
2664{
832cbd9a
EP		 2665 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2666 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2667 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2668 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2669 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2670}
2671
2672static inline void take_option(char **to, char *from, int *first, int len)
2673{
2674 if (!*first) {
2675 **to = ',';
2676 *to += 1;
3528a953 2677 } else
1da177e4
LT		 2678 *first = 0;
2679 memcpy(*to, from, len);
2680 *to += len;
2681}
2682
828dfe1d
EP		 2683static inline void take_selinux_option(char **to, char *from, int *first,
2684 int len)
3528a953
CO		 2685{
2686 int current_size = 0;
2687
2688 if (!*first) {
2689 **to = '|';
2690 *to += 1;
828dfe1d 2691 } else
3528a953
CO		 2692 *first = 0;
2693
2694 while (current_size < len) {
2695 if (*from != '"') {
2696 **to = *from;
2697 *to += 1;
2698 }
2699 from += 1;
2700 current_size += 1;
2701 }
2702}
2703
e0007529 2704static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2705{
2706 int fnosec, fsec, rc = 0;
2707 char *in_save, *in_curr, *in_end;
2708 char *sec_curr, *nosec_save, *nosec;
3528a953 2709 int open_quote = 0;
1da177e4
LT		 2710
2711 in_curr = orig;
2712 sec_curr = copy;
2713
1da177e4
LT		 2714 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2715 if (!nosec) {
2716 rc = -ENOMEM;
2717 goto out;
2718 }
2719
2720 nosec_save = nosec;
2721 fnosec = fsec = 1;
2722 in_save = in_end = orig;
2723
2724 do {
3528a953
CO		 2725 if (*in_end == '"')
2726 open_quote = !open_quote;
2727 if ((*in_end == ',' && open_quote == 0) ||
2728 *in_end == '\0') {
1da177e4
LT		 2729 int len = in_end - in_curr;
2730
2731 if (selinux_option(in_curr, len))
3528a953 2732 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2733 else
2734 take_option(&nosec, in_curr, &fnosec, len);
2735
2736 in_curr = in_end + 1;
2737 }
2738 } while (*in_end++);
2739
6931dfc9 2740 strcpy(in_save, nosec_save);
da3caa20 2741 free_page((unsigned long)nosec_save);
1da177e4
LT		 2742out:
2743 return rc;
2744}
2745
026eb167
EP		 2746static int selinux_sb_remount(struct super_block *sb, void *data)
2747{
2748 int rc, i, *flags;
2749 struct security_mnt_opts opts;
2750 char *secdata, **mount_options;
2751 struct superblock_security_struct *sbsec = sb->s_security;
2752
2753 if (!(sbsec->flags & SE_SBINITIALIZED))
2754 return 0;
2755
2756 if (!data)
2757 return 0;
2758
2759 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2760 return 0;
2761
2762 security_init_mnt_opts(&opts);
2763 secdata = alloc_secdata();
2764 if (!secdata)
2765 return -ENOMEM;
2766 rc = selinux_sb_copy_data(data, secdata);
2767 if (rc)
2768 goto out_free_secdata;
2769
2770 rc = selinux_parse_opts_str(secdata, &opts);
2771 if (rc)
2772 goto out_free_secdata;
2773
2774 mount_options = opts.mnt_opts;
2775 flags = opts.mnt_opts_flags;
2776
2777 for (i = 0; i < opts.num_mnt_opts; i++) {
2778 u32 sid;
026eb167 2779
12f348b9 2780 if (flags[i] == SBLABEL_MNT)
026eb167 2781 continue;
44be2f65 2782 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2783 if (rc) {
44be2f65 2784 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2785 "(%s) failed for (dev %s, type %s) errno=%d\n",
2786 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2787 goto out_free_opts;
2788 }
2789 rc = -EINVAL;
2790 switch (flags[i]) {
2791 case FSCONTEXT_MNT:
2792 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2793 goto out_bad_option;
2794 break;
2795 case CONTEXT_MNT:
2796 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2797 goto out_bad_option;
2798 break;
2799 case ROOTCONTEXT_MNT: {
2800 struct inode_security_struct *root_isec;
83da53c5 2801 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2802
2803 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2804 goto out_bad_option;
2805 break;
2806 }
2807 case DEFCONTEXT_MNT:
2808 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2809 goto out_bad_option;
2810 break;
2811 default:
2812 goto out_free_opts;
2813 }
2814 }
2815
2816 rc = 0;
2817out_free_opts:
2818 security_free_mnt_opts(&opts);
2819out_free_secdata:
2820 free_secdata(secdata);
2821 return rc;
2822out_bad_option:
2823 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2824 "during remount (dev %s, type=%s)\n", sb->s_id,
2825 sb->s_type->name);
026eb167
EP		 2826 goto out_free_opts;
2827}
2828
12204e24 2829static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2830{
88e67f3b 2831 const struct cred *cred = current_cred();
2bf49690 2832 struct common_audit_data ad;
1da177e4
LT		 2833 int rc;
2834
2835 rc = superblock_doinit(sb, data);
2836 if (rc)
2837 return rc;
2838
74192246
JM		 2839 /* Allow all mounts performed by the kernel */
2840 if (flags & MS_KERNMOUNT)
2841 return 0;
2842
50c205f5 2843 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2844 ad.u.dentry = sb->s_root;
88e67f3b 2845 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2846}
2847
726c3342 2848static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2849{
88e67f3b 2850 const struct cred *cred = current_cred();
2bf49690 2851 struct common_audit_data ad;
1da177e4 2852
50c205f5 2853 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2854 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2855 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2856}
2857
808d4e3c 2858static int selinux_mount(const char *dev_name,
8a04c43b 2859 const struct path *path,
808d4e3c 2860 const char *type,
828dfe1d
EP		 2861 unsigned long flags,
2862 void *data)
1da177e4 2863{
88e67f3b 2864 const struct cred *cred = current_cred();
1da177e4
LT		 2865
2866 if (flags & MS_REMOUNT)
d8c9584e 2867 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2868 FILESYSTEM__REMOUNT, NULL);
1da177e4 2869 else
2875fa00 2870 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2871}
2872
2873static int selinux_umount(struct vfsmount *mnt, int flags)
2874{
88e67f3b 2875 const struct cred *cred = current_cred();
1da177e4 2876
88e67f3b 2877 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2878 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2879}
2880
2881/* inode security operations */
2882
2883static int selinux_inode_alloc_security(struct inode *inode)
2884{
2885 return inode_alloc_security(inode);
2886}
2887
2888static void selinux_inode_free_security(struct inode *inode)
2889{
2890 inode_free_security(inode);
2891}
2892
d47be3df 2893static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2894 const struct qstr *name, void **ctx,
d47be3df
DQ		 2895 u32 *ctxlen)
2896{
d47be3df
DQ		 2897 u32 newsid;
2898 int rc;
2899
c957f6df
VG		 2900 rc = selinux_determine_inode_label(current_security(),
2901 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2902 inode_mode_to_security_class(mode),
2903 &newsid);
2904 if (rc)
2905 return rc;
d47be3df
DQ		 2906
2907 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2908}
2909
a518b0a5
VG		 2910static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2911 struct qstr *name,
2912 const struct cred *old,
2913 struct cred *new)
2914{
2915 u32 newsid;
2916 int rc;
2917 struct task_security_struct *tsec;
2918
2919 rc = selinux_determine_inode_label(old->security,
2920 d_inode(dentry->d_parent), name,
2921 inode_mode_to_security_class(mode),
2922 &newsid);
2923 if (rc)
2924 return rc;
2925
2926 tsec = new->security;
2927 tsec->create_sid = newsid;
2928 return 0;
2929}
2930
5e41ff9e 2931static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2932 const struct qstr *qstr,
2933 const char **name,
2a7dba39 2934 void **value, size_t *len)
5e41ff9e 2935{
5fb49870 2936 const struct task_security_struct *tsec = current_security();
5e41ff9e 2937 struct superblock_security_struct *sbsec;
c0d4f464 2938 u32 newsid, clen;
5e41ff9e 2939 int rc;
9548906b 2940 char *context;
5e41ff9e 2941
5e41ff9e 2942 sbsec = dir->i_sb->s_security;
5e41ff9e 2943
275bb41e
DH		 2944 newsid = tsec->create_sid;
2945
c957f6df 2946 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2947 dir, qstr,
2948 inode_mode_to_security_class(inode->i_mode),
2949 &newsid);
2950 if (rc)
2951 return rc;
5e41ff9e 2952
296fddf7 2953 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2954 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2955 struct inode_security_struct *isec = inode->i_security;
2956 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2957 isec->sid = newsid;
6f3be9f5 2958 isec->initialized = LABEL_INITIALIZED;
296fddf7 2959 }
5e41ff9e 2960
12f348b9 2961 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2962 return -EOPNOTSUPP;
2963
9548906b
TH		 2964 if (name)
2965 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2966
570bc1c2 2967 if (value && len) {
12b29f34 2968 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2969 if (rc)
570bc1c2 2970 return rc;
570bc1c2
SS		 2971 *value = context;
2972 *len = clen;
5e41ff9e 2973 }
5e41ff9e 2974
5e41ff9e
SS		 2975 return 0;
2976}
2977
4acdaf27 2978static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2979{
2980 return may_create(dir, dentry, SECCLASS_FILE);
2981}
2982
1da177e4
LT		 2983static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2984{
1da177e4
LT		 2985 return may_link(dir, old_dentry, MAY_LINK);
2986}
2987
1da177e4
LT		 2988static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2989{
1da177e4
LT		 2990 return may_link(dir, dentry, MAY_UNLINK);
2991}
2992
2993static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2994{
2995 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2996}
2997
18bb1db3 2998static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2999{
3000 return may_create(dir, dentry, SECCLASS_DIR);
3001}
3002
1da177e4
LT		 3003static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3004{
3005 return may_link(dir, dentry, MAY_RMDIR);
3006}
3007
1a67aafb 3008static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3009{
1da177e4
LT		 3010 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3011}
3012
1da177e4 3013static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3014 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3015{
3016 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3017}
3018
1da177e4
LT		 3019static int selinux_inode_readlink(struct dentry *dentry)
3020{
88e67f3b
DH		 3021 const struct cred *cred = current_cred();
3022
2875fa00 3023 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3024}
3025
bda0be7a
N		 3026static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3027 bool rcu)
1da177e4 3028{
88e67f3b 3029 const struct cred *cred = current_cred();
bda0be7a
N		 3030 struct common_audit_data ad;
3031 struct inode_security_struct *isec;
3032 u32 sid;
1da177e4 3033
bda0be7a
N		 3034 validate_creds(cred);
3035
3036 ad.type = LSM_AUDIT_DATA_DENTRY;
3037 ad.u.dentry = dentry;
3038 sid = cred_sid(cred);
5d226df4
AG		 3039 isec = inode_security_rcu(inode, rcu);
3040 if (IS_ERR(isec))
3041 return PTR_ERR(isec);
bda0be7a
N		 3042
3043 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3045}
3046
d4cf970d
EP		 3047static noinline int audit_inode_permission(struct inode *inode,
3048 u32 perms, u32 audited, u32 denied,
626b9740 3049 int result,
d4cf970d 3050 unsigned flags)
1da177e4 3051{
b782e0a6 3052 struct common_audit_data ad;
d4cf970d
EP		 3053 struct inode_security_struct *isec = inode->i_security;
3054 int rc;
3055
50c205f5 3056 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3057 ad.u.inode = inode;
3058
3059 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3060 audited, denied, result, &ad, flags);
d4cf970d
EP		 3061 if (rc)
3062 return rc;
3063 return 0;
3064}
3065
e74f71eb 3066static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3067{
88e67f3b 3068 const struct cred *cred = current_cred();
b782e0a6
EP		 3069 u32 perms;
3070 bool from_access;
cf1dd1da 3071 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3072 struct inode_security_struct *isec;
3073 u32 sid;
3074 struct av_decision avd;
3075 int rc, rc2;
3076 u32 audited, denied;
1da177e4 3077
b782e0a6 3078 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3079 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3080
b782e0a6
EP		 3081 /* No permission to check. Existence test. */
3082 if (!mask)
1da177e4 3083 return 0;
1da177e4 3084
2e334057 3085 validate_creds(cred);
b782e0a6 3086
2e334057
EP		 3087 if (unlikely(IS_PRIVATE(inode)))
3088 return 0;
b782e0a6
EP		 3089
3090 perms = file_mask_to_av(inode->i_mode, mask);
3091
2e334057 3092 sid = cred_sid(cred);
5d226df4
AG		 3093 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3094 if (IS_ERR(isec))
3095 return PTR_ERR(isec);
2e334057
EP		 3096
3097 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3098 audited = avc_audit_required(perms, &avd, rc,
3099 from_access ? FILE__AUDIT_ACCESS : 0,
3100 &denied);
3101 if (likely(!audited))
3102 return rc;
3103
626b9740 3104 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3105 if (rc2)
3106 return rc2;
3107 return rc;
1da177e4
LT		 3108}
3109
3110static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3111{
88e67f3b 3112 const struct cred *cred = current_cred();
ccb54478 3113 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3114 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3115 __u32 av = FILE__WRITE;
1da177e4 3116
bc6a6008
AW		 3117 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3118 if (ia_valid & ATTR_FORCE) {
3119 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3120 ATTR_FORCE);
3121 if (!ia_valid)
3122 return 0;
3123 }
1da177e4 3124
bc6a6008
AW		 3125 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3126 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3127 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3128
ccb54478
SS		 3129 if (selinux_policycap_openperm &&
3130 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131 (ia_valid & ATTR_SIZE) &&
3132 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3133 av |= FILE__OPEN;
3134
3135 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3136}
3137
3f7036a0 3138static int selinux_inode_getattr(const struct path *path)
1da177e4 3139{
3f7036a0 3140 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3141}
3142
db59000a
SS		 3143static bool has_cap_mac_admin(bool audit)
3144{
3145 const struct cred *cred = current_cred();
3146 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3147
3148 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3149 return false;
3150 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3151 return false;
3152 return true;
3153}
3154
8f0cfa52
DH		 3155static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3156 const void *value, size_t size, int flags)
1da177e4 3157{
c6f493d6 3158 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3159 struct inode_security_struct *isec;
1da177e4 3160 struct superblock_security_struct *sbsec;
2bf49690 3161 struct common_audit_data ad;
275bb41e 3162 u32 newsid, sid = current_sid();
1da177e4
LT		 3163 int rc = 0;
3164
6b240306
EB		 3165 if (strcmp(name, XATTR_NAME_SELINUX)) {
3166 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3167 if (rc)
3168 return rc;
3169
3170 /* Not an attribute we recognize, so just check the
3171 ordinary setattr permission. */
3172 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3173 }
1da177e4
LT		 3174
3175 sbsec = inode->i_sb->s_security;
12f348b9 3176 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3177 return -EOPNOTSUPP;
3178
2e149670 3179 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3180 return -EPERM;
3181
50c205f5 3182 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3183 ad.u.dentry = dentry;
1da177e4 3184
20cdef8d 3185 isec = backing_inode_security(dentry);
275bb41e 3186 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3187 FILE__RELABELFROM, &ad);
3188 if (rc)
3189 return rc;
3190
52a4c640 3191 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3192 if (rc == -EINVAL) {
db59000a 3193 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3194 struct audit_buffer *ab;
3195 size_t audit_size;
d6ea83ec
EP		 3196
3197 /* We strip a nul only if it is at the end, otherwise the
3198 * context contains a nul and we should audit that */
e3fea3f7 3199 if (value) {
add24372
CIK		 3200 const char *str = value;
3201
e3fea3f7
AV		 3202 if (str[size - 1] == '\0')
3203 audit_size = size - 1;
3204 else
3205 audit_size = size;
3206 } else {
e3fea3f7
AV		 3207 audit_size = 0;
3208 }
d6ea83ec
EP		 3209 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3210 audit_log_format(ab, "op=setxattr invalid_context=");
3211 audit_log_n_untrustedstring(ab, value, audit_size);
3212 audit_log_end(ab);
3213
12b29f34 3214 return rc;
d6ea83ec 3215 }
12b29f34
SS		 3216 rc = security_context_to_sid_force(value, size, &newsid);
3217 }
1da177e4
LT		 3218 if (rc)
3219 return rc;
3220
275bb41e 3221 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3222 FILE__RELABELTO, &ad);
3223 if (rc)
3224 return rc;
3225
275bb41e 3226 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3227 isec->sclass);
1da177e4
LT		 3228 if (rc)
3229 return rc;
3230
3231 return avc_has_perm(newsid,
3232 sbsec->sid,
3233 SECCLASS_FILESYSTEM,
3234 FILESYSTEM__ASSOCIATE,
3235 &ad);
3236}
3237
8f0cfa52 3238static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3239 const void *value, size_t size,
8f0cfa52 3240 int flags)
1da177e4 3241{
c6f493d6 3242 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3243 struct inode_security_struct *isec;
1da177e4
LT		 3244 u32 newsid;
3245 int rc;
3246
3247 if (strcmp(name, XATTR_NAME_SELINUX)) {
3248 /* Not an attribute we recognize, so nothing to do. */
3249 return;
3250 }
3251
12b29f34 3252 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3253 if (rc) {
12b29f34
SS		 3254 printk(KERN_ERR "SELinux: unable to map context to SID"
3255 "for (%s, %lu), rc=%d\n",
3256 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3257 return;
3258 }
3259
20cdef8d 3260 isec = backing_inode_security(dentry);
9287aed2 3261 spin_lock(&isec->lock);
aa9c2669 3262 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3263 isec->sid = newsid;
6f3be9f5 3264 isec->initialized = LABEL_INITIALIZED;
9287aed2 3265 spin_unlock(&isec->lock);
aa9c2669 3266
1da177e4
LT		 3267 return;
3268}
3269
8f0cfa52 3270static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3271{
88e67f3b
DH		 3272 const struct cred *cred = current_cred();
3273
2875fa00 3274 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3275}
3276
828dfe1d 3277static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3278{
88e67f3b
DH		 3279 const struct cred *cred = current_cred();
3280
2875fa00 3281 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3282}
3283
8f0cfa52 3284static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3285{
6b240306
EB		 3286 if (strcmp(name, XATTR_NAME_SELINUX)) {
3287 int rc = cap_inode_removexattr(dentry, name);
3288 if (rc)
3289 return rc;
3290
3291 /* Not an attribute we recognize, so just check the
3292 ordinary setattr permission. */
3293 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3294 }
1da177e4
LT		 3295
3296 /* No one is allowed to remove a SELinux security label.
3297 You can change the label, but all data must be labeled. */
3298 return -EACCES;
3299}
3300
d381d8a9 3301/*
abc69bb6 3302 * Copy the inode security context value to the user.
d381d8a9
JM		 3303 *
3304 * Permission check is handled by selinux_inode_getxattr hook.
3305 */
ea861dfd 3306static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3307{
42492594
DQ		 3308 u32 size;
3309 int error;
3310 char *context = NULL;
20cdef8d 3311 struct inode_security_struct *isec;
d381d8a9 3312
8c8570fb
DK		 3313 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3314 return -EOPNOTSUPP;
d381d8a9 3315
abc69bb6
SS		 3316 /*
3317 * If the caller has CAP_MAC_ADMIN, then get the raw context
3318 * value even if it is not defined by current policy; otherwise,
3319 * use the in-core value under current policy.
3320 * Use the non-auditing forms of the permission checks since
3321 * getxattr may be called by unprivileged processes commonly
3322 * and lack of permission just means that we fall back to the
3323 * in-core context value, not a denial.
3324 */
20cdef8d 3325 isec = inode_security(inode);
db59000a 3326 if (has_cap_mac_admin(false))
abc69bb6
SS		 3327 error = security_sid_to_context_force(isec->sid, &context,
3328 &size);
3329 else
3330 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3331 if (error)
3332 return error;
3333 error = size;
3334 if (alloc) {
3335 *buffer = context;
3336 goto out_nofree;
3337 }
3338 kfree(context);
3339out_nofree:
3340 return error;
1da177e4
LT		 3341}
3342
3343static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3344 const void *value, size_t size, int flags)
1da177e4 3345{
2c97165b 3346 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3347 u32 newsid;
3348 int rc;
3349
3350 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3351 return -EOPNOTSUPP;
3352
3353 if (!value || !size)
3354 return -EACCES;
3355
20ba96ae 3356 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3357 if (rc)
3358 return rc;
3359
9287aed2 3360 spin_lock(&isec->lock);
aa9c2669 3361 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3362 isec->sid = newsid;
6f3be9f5 3363 isec->initialized = LABEL_INITIALIZED;
9287aed2 3364 spin_unlock(&isec->lock);
1da177e4
LT		 3365 return 0;
3366}
3367
3368static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3369{
3370 const int len = sizeof(XATTR_NAME_SELINUX);
3371 if (buffer && len <= buffer_size)
3372 memcpy(buffer, XATTR_NAME_SELINUX, len);
3373 return len;
3374}
3375
d6335d77 3376static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3377{
e817c2f3 3378 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3379 *secid = isec->sid;
3380}
3381
56909eb3
VG		 3382static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3383{
3384 u32 sid;
3385 struct task_security_struct *tsec;
3386 struct cred *new_creds = *new;
3387
3388 if (new_creds == NULL) {
3389 new_creds = prepare_creds();
3390 if (!new_creds)
3391 return -ENOMEM;
3392 }
3393
3394 tsec = new_creds->security;
3395 /* Get label from overlay inode and set it in create_sid */
3396 selinux_inode_getsecid(d_inode(src), &sid);
3397 tsec->create_sid = sid;
3398 *new = new_creds;
3399 return 0;
3400}
3401
19472b69
VG		 3402static int selinux_inode_copy_up_xattr(const char *name)
3403{
3404 /* The copy_up hook above sets the initial context on an inode, but we
3405 * don't then want to overwrite it by blindly copying all the lower
3406 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3407 */
3408 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3409 return 1; /* Discard */
3410 /*
3411 * Any other attribute apart from SELINUX is not claimed, supported
3412 * by selinux.
3413 */
3414 return -EOPNOTSUPP;
3415}
3416
1da177e4
LT		 3417/* file security operations */
3418
788e7dd4 3419static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3420{
88e67f3b 3421 const struct cred *cred = current_cred();
496ad9aa 3422 struct inode *inode = file_inode(file);
1da177e4 3423
1da177e4
LT		 3424 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3425 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3426 mask |= MAY_APPEND;
3427
389fb800
PM		 3428 return file_has_perm(cred, file,
3429 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3430}
3431
788e7dd4
YN		 3432static int selinux_file_permission(struct file *file, int mask)
3433{
496ad9aa 3434 struct inode *inode = file_inode(file);
20dda18b 3435 struct file_security_struct *fsec = file->f_security;
b197367e 3436 struct inode_security_struct *isec;
20dda18b
SS		 3437 u32 sid = current_sid();
3438
389fb800 3439 if (!mask)
788e7dd4
YN		 3440 /* No permission to check. Existence test. */
3441 return 0;
788e7dd4 3442
b197367e 3443 isec = inode_security(inode);
20dda18b
SS		 3444 if (sid == fsec->sid && fsec->isid == isec->sid &&
3445 fsec->pseqno == avc_policy_seqno())
83d49856 3446 /* No change since file_open check. */
20dda18b
SS		 3447 return 0;
3448
788e7dd4
YN		 3449 return selinux_revalidate_file_permission(file, mask);
3450}
3451
1da177e4
LT		 3452static int selinux_file_alloc_security(struct file *file)
3453{
3454 return file_alloc_security(file);
3455}
3456
3457static void selinux_file_free_security(struct file *file)
3458{
3459 file_free_security(file);
3460}
3461
fa1aa143
JVS		 3462/*
3463 * Check whether a task has the ioctl permission and cmd
3464 * operation to an inode.
3465 */
1d2a168a 3466static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3467 u32 requested, u16 cmd)
3468{
3469 struct common_audit_data ad;
3470 struct file_security_struct *fsec = file->f_security;
3471 struct inode *inode = file_inode(file);
20cdef8d 3472 struct inode_security_struct *isec;
fa1aa143
JVS		 3473 struct lsm_ioctlop_audit ioctl;
3474 u32 ssid = cred_sid(cred);
3475 int rc;
3476 u8 driver = cmd >> 8;
3477 u8 xperm = cmd & 0xff;
3478
3479 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3480 ad.u.op = &ioctl;
3481 ad.u.op->cmd = cmd;
3482 ad.u.op->path = file->f_path;
3483
3484 if (ssid != fsec->sid) {
3485 rc = avc_has_perm(ssid, fsec->sid,
3486 SECCLASS_FD,
3487 FD__USE,
3488 &ad);
3489 if (rc)
3490 goto out;
3491 }
3492
3493 if (unlikely(IS_PRIVATE(inode)))
3494 return 0;
3495
20cdef8d 3496 isec = inode_security(inode);
fa1aa143
JVS		 3497 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3498 requested, driver, xperm, &ad);
3499out:
3500 return rc;
3501}
3502
1da177e4
LT		 3503static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3504 unsigned long arg)
3505{
88e67f3b 3506 const struct cred *cred = current_cred();
0b24dcb7 3507 int error = 0;
1da177e4 3508
0b24dcb7
EP		 3509 switch (cmd) {
3510 case FIONREAD:
3511 /* fall through */
3512 case FIBMAP:
3513 /* fall through */
3514 case FIGETBSZ:
3515 /* fall through */
2f99c369 3516 case FS_IOC_GETFLAGS:
0b24dcb7 3517 /* fall through */
2f99c369 3518 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3519 error = file_has_perm(cred, file, FILE__GETATTR);
3520 break;
1da177e4 3521
2f99c369 3522 case FS_IOC_SETFLAGS:
0b24dcb7 3523 /* fall through */
2f99c369 3524 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3525 error = file_has_perm(cred, file, FILE__SETATTR);
3526 break;
3527
3528 /* sys_ioctl() checks */
3529 case FIONBIO:
3530 /* fall through */
3531 case FIOASYNC:
3532 error = file_has_perm(cred, file, 0);
3533 break;
1da177e4 3534
0b24dcb7
EP		 3535 case KDSKBENT:
3536 case KDSKBSENT:
6a9de491 3537 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3538 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3539 break;
3540
3541 /* default case assumes that the command will go
3542 * to the file's ioctl() function.
3543 */
3544 default:
fa1aa143 3545 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3546 }
3547 return error;
1da177e4
LT		 3548}
3549
fcaaade1
SS		 3550static int default_noexec;
3551
1da177e4
LT		 3552static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3553{
88e67f3b 3554 const struct cred *cred = current_cred();
be0554c9 3555 u32 sid = cred_sid(cred);
d84f4f99 3556 int rc = 0;
88e67f3b 3557
fcaaade1 3558 if (default_noexec &&
892e8cac
SS		 3559 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3560 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3561 /*
3562 * We are making executable an anonymous mapping or a
3563 * private file mapping that will also be writable.
3564 * This has an additional check.
3565 */
be0554c9
SS		 3566 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3567 PROCESS__EXECMEM, NULL);
1da177e4 3568 if (rc)
d84f4f99 3569 goto error;
1da177e4 3570 }
1da177e4
LT		 3571
3572 if (file) {
3573 /* read access is always possible with a mapping */
3574 u32 av = FILE__READ;
3575
3576 /* write access only matters if the mapping is shared */
3577 if (shared && (prot & PROT_WRITE))
3578 av |= FILE__WRITE;
3579
3580 if (prot & PROT_EXEC)
3581 av |= FILE__EXECUTE;
3582
88e67f3b 3583 return file_has_perm(cred, file, av);
1da177e4 3584 }
d84f4f99
DH		 3585
3586error:
3587 return rc;
1da177e4
LT		 3588}
3589
e5467859 3590static int selinux_mmap_addr(unsigned long addr)
1da177e4 3591{
b1d9e6b0 3592 int rc = 0;
1da177e4 3593
a2551df7 3594 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3595 u32 sid = current_sid();
ed032189
EP		 3596 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3597 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3598 }
3599
98883bfd 3600 return rc;
e5467859 3601}
1da177e4 3602
e5467859
AV		 3603static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3604 unsigned long prot, unsigned long flags)
3605{
3ba4bf5f
SS		 3606 struct common_audit_data ad;
3607 int rc;
3608
3609 if (file) {
3610 ad.type = LSM_AUDIT_DATA_FILE;
3611 ad.u.file = file;
3612 rc = inode_has_perm(current_cred(), file_inode(file),
3613 FILE__MAP, &ad);
3614 if (rc)
3615 return rc;
3616 }
3617
1da177e4
LT		 3618 if (selinux_checkreqprot)
3619 prot = reqprot;
3620
3621 return file_map_prot_check(file, prot,
3622 (flags & MAP_TYPE) == MAP_SHARED);
3623}
3624
3625static int selinux_file_mprotect(struct vm_area_struct *vma,
3626 unsigned long reqprot,
3627 unsigned long prot)
3628{
88e67f3b 3629 const struct cred *cred = current_cred();
be0554c9 3630 u32 sid = cred_sid(cred);
1da177e4
LT		 3631
3632 if (selinux_checkreqprot)
3633 prot = reqprot;
3634
fcaaade1
SS		 3635 if (default_noexec &&
3636 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3637 int rc = 0;
db4c9641
SS		 3638 if (vma->vm_start >= vma->vm_mm->start_brk &&
3639 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3640 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3641 PROCESS__EXECHEAP, NULL);
db4c9641 3642 } else if (!vma->vm_file &&
c2316dbf
SS		 3643 ((vma->vm_start <= vma->vm_mm->start_stack &&
3644 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3645 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3646 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3647 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3648 } else if (vma->vm_file && vma->anon_vma) {
3649 /*
3650 * We are making executable a file mapping that has
3651 * had some COW done. Since pages might have been
3652 * written, check ability to execute the possibly
3653 * modified content. This typically should only
3654 * occur for text relocations.
3655 */
d84f4f99 3656 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3657 }