projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bpf, x86_32: add eBPF JIT compiler for ia32
[linux-block.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
877ce7c1 82#include <linux/selinux.h>
23970741 83#include <linux/mutex.h>
f06febc9 84#include <linux/posix-timers.h>
00234592 85#include <linux/syslog.h>
3486740a 86#include <linux/user_namespace.h>
44fc7ea0 87#include <linux/export.h>
40401530
AV		 88#include <linux/msg.h>
89#include <linux/shm.h>
ec27c356 90#include <linux/bpf.h>
1da177e4
LT		 91
92#include "avc.h"
93#include "objsec.h"
94#include "netif.h"
224dfbd8 95#include "netnode.h"
3e112172 96#include "netport.h"
409dcf31 97#include "ibpkey.h"
d28d1e08 98#include "xfrm.h"
c60475bf 99#include "netlabel.h"
9d57a7f9 100#include "audit.h"
7b98a585 101#include "avc_ss.h"
1da177e4 102
aa8e712c
SS		 103struct selinux_state selinux_state;
104
d621d35e 105/* SECMARK reference count */
56a4ca99 106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 107
1da177e4 108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 109static int selinux_enforcing_boot;
1da177e4
LT		 110
111static int __init enforcing_setup(char *str)
112{
f5269710 113 unsigned long enforcing;
29707b20 114 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 115 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 116 return 1;
117}
118__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 119#else
120#define selinux_enforcing_boot 1
1da177e4
LT		 121#endif
122
123#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
126static int __init selinux_enabled_setup(char *str)
127{
f5269710 128 unsigned long enabled;
29707b20 129 if (!kstrtoul(str, 0, &enabled))
f5269710 130 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 131 return 1;
132}
133__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 134#else
135int selinux_enabled = 1;
1da177e4
LT		 136#endif
137
aa8e712c
SS		 138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
e18b890b 151static struct kmem_cache *sel_inode_cache;
63205654 152static struct kmem_cache *file_security_cache;
7cae7e26 153
d621d35e
PM		 154/**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 163 *
164 */
165static int selinux_secmark_enabled(void)
166{
aa8e712c
SS		 167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 169}
170
171/**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181static int selinux_peerlbl_enabled(void)
182{
aa8e712c
SS		 183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 185}
186
615e51fd
PM		 187static int selinux_netcache_avc_callback(u32 event)
188{
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196}
197
8f408ab6
DJ		 198static int selinux_lsm_notifier_avc_callback(u32 event)
199{
409dcf31
DJ		 200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
8f408ab6 202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 203 }
8f408ab6
DJ		 204
205 return 0;
206}
207
d84f4f99
DH		 208/*
209 * initialise the security for the init task
210 */
211static void cred_init_security(void)
1da177e4 212{
3b11a1de 213 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 214 struct task_security_struct *tsec;
215
89d155ef 216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 217 if (!tsec)
d84f4f99 218 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 219
d84f4f99 220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 221 cred->security = tsec;
1da177e4
LT		 222}
223
88e67f3b
DH		 224/*
225 * get the security ID of a set of credentials
226 */
227static inline u32 cred_sid(const struct cred *cred)
228{
229 const struct task_security_struct *tsec;
230
231 tsec = cred->security;
232 return tsec->sid;
233}
234
275bb41e 235/*
3b11a1de 236 * get the objective security ID of a task
275bb41e
DH		 237 */
238static inline u32 task_sid(const struct task_struct *task)
239{
275bb41e
DH		 240 u32 sid;
241
242 rcu_read_lock();
88e67f3b 243 sid = cred_sid(__task_cred(task));
275bb41e
DH		 244 rcu_read_unlock();
245 return sid;
246}
247
88e67f3b
DH		 248/* Allocate and free functions for each kind of security blob. */
249
1da177e4
LT		 250static int inode_alloc_security(struct inode *inode)
251{
1da177e4 252 struct inode_security_struct *isec;
275bb41e 253 u32 sid = current_sid();
1da177e4 254
a02fe132 255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 256 if (!isec)
257 return -ENOMEM;
258
9287aed2 259 spin_lock_init(&isec->lock);
1da177e4 260 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 261 isec->inode = inode;
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
275bb41e 264 isec->task_sid = sid;
42059112 265 isec->initialized = LABEL_INVALID;
1da177e4
LT		 266 inode->i_security = isec;
267
268 return 0;
269}
270
5d226df4
AG		 271static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273/*
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 276 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 277 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
278 * when no dentry is available, set it to NULL instead.
279 */
280static int __inode_security_revalidate(struct inode *inode,
281 struct dentry *opt_dentry,
282 bool may_sleep)
283{
284 struct inode_security_struct *isec = inode->i_security;
285
286 might_sleep_if(may_sleep);
287
aa8e712c
SS		 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 290 if (!may_sleep)
291 return -ECHILD;
292
293 /*
294 * Try reloading the inode security label. This will fail if
295 * @opt_dentry is NULL and no dentry for this inode can be
296 * found; in that case, continue using the old label.
297 */
298 inode_doinit_with_dentry(inode, opt_dentry);
299 }
300 return 0;
301}
302
5d226df4
AG		 303static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304{
305 return inode->i_security;
306}
307
308static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
309{
310 int error;
311
312 error = __inode_security_revalidate(inode, NULL, !rcu);
313 if (error)
314 return ERR_PTR(error);
315 return inode->i_security;
316}
317
83da53c5
AG		 318/*
319 * Get the security label of an inode.
320 */
321static struct inode_security_struct *inode_security(struct inode *inode)
322{
5d226df4 323 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 324 return inode->i_security;
325}
326
2c97165b
PM		 327static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328{
329 struct inode *inode = d_backing_inode(dentry);
330
331 return inode->i_security;
332}
333
83da53c5
AG		 334/*
335 * Get the security label of a dentry's backing inode.
336 */
337static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338{
339 struct inode *inode = d_backing_inode(dentry);
340
5d226df4 341 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 342 return inode->i_security;
343}
344
3dc91d43
SR		 345static void inode_free_rcu(struct rcu_head *head)
346{
347 struct inode_security_struct *isec;
348
349 isec = container_of(head, struct inode_security_struct, rcu);
350 kmem_cache_free(sel_inode_cache, isec);
351}
352
1da177e4
LT		 353static void inode_free_security(struct inode *inode)
354{
355 struct inode_security_struct *isec = inode->i_security;
356 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
357
9629d04a
WL		 358 /*
359 * As not all inode security structures are in a list, we check for
360 * empty list outside of the lock to make sure that we won't waste
361 * time taking a lock doing nothing.
362 *
363 * The list_del_init() function can be safely called more than once.
364 * It should not be possible for this function to be called with
365 * concurrent list_add(), but for better safety against future changes
366 * in the code, we use list_empty_careful() here.
367 */
368 if (!list_empty_careful(&isec->list)) {
369 spin_lock(&sbsec->isec_lock);
1da177e4 370 list_del_init(&isec->list);
9629d04a
WL		 371 spin_unlock(&sbsec->isec_lock);
372 }
1da177e4 373
3dc91d43
SR		 374 /*
375 * The inode may still be referenced in a path walk and
376 * a call to selinux_inode_permission() can be made
377 * after inode_free_security() is called. Ideally, the VFS
378 * wouldn't do this, but fixing that is a much harder
379 * job. For now, simply free the i_security via RCU, and
380 * leave the current inode->i_security pointer intact.
381 * The inode will be freed after the RCU grace period too.
382 */
383 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 384}
385
386static int file_alloc_security(struct file *file)
387{
1da177e4 388 struct file_security_struct *fsec;
275bb41e 389 u32 sid = current_sid();
1da177e4 390
63205654 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 392 if (!fsec)
393 return -ENOMEM;
394
275bb41e
DH		 395 fsec->sid = sid;
396 fsec->fown_sid = sid;
1da177e4
LT		 397 file->f_security = fsec;
398
399 return 0;
400}
401
402static void file_free_security(struct file *file)
403{
404 struct file_security_struct *fsec = file->f_security;
1da177e4 405 file->f_security = NULL;
63205654 406 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 407}
408
409static int superblock_alloc_security(struct super_block *sb)
410{
411 struct superblock_security_struct *sbsec;
412
89d155ef 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 414 if (!sbsec)
415 return -ENOMEM;
416
bc7e982b 417 mutex_init(&sbsec->lock);
1da177e4
LT		 418 INIT_LIST_HEAD(&sbsec->isec_head);
419 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 420 sbsec->sb = sb;
421 sbsec->sid = SECINITSID_UNLABELED;
422 sbsec->def_sid = SECINITSID_FILE;
c312feb2 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 424 sb->s_security = sbsec;
425
426 return 0;
427}
428
429static void superblock_free_security(struct super_block *sb)
430{
431 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 432 sb->s_security = NULL;
433 kfree(sbsec);
434}
435
1da177e4
LT		 436static inline int inode_doinit(struct inode *inode)
437{
438 return inode_doinit_with_dentry(inode, NULL);
439}
440
441enum {
31e87930 442 Opt_error = -1,
1da177e4
LT		 443 Opt_context = 1,
444 Opt_fscontext = 2,
c9180a57
EP		 445 Opt_defcontext = 3,
446 Opt_rootcontext = 4,
11689d47 447 Opt_labelsupport = 5,
d355987f 448 Opt_nextmntopt = 6,
1da177e4
LT		 449};
450
d355987f
EP		 451#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
452
a447c093 453static const match_table_t tokens = {
832cbd9a
EP		 454 {Opt_context, CONTEXT_STR "%s"},
455 {Opt_fscontext, FSCONTEXT_STR "%s"},
456 {Opt_defcontext, DEFCONTEXT_STR "%s"},
457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 458 {Opt_labelsupport, LABELSUPP_STR},
31e87930 459 {Opt_error, NULL},
1da177e4
LT		 460};
461
462#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
463
c312feb2
EP		 464static int may_context_mount_sb_relabel(u32 sid,
465 struct superblock_security_struct *sbsec,
275bb41e 466 const struct cred *cred)
c312feb2 467{
275bb41e 468 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 469 int rc;
470
6b6bc620
SS		 471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
6b6bc620
SS		 477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 479 FILESYSTEM__RELABELTO, NULL);
480 return rc;
481}
482
0808925e
EP		 483static int may_context_mount_inode_relabel(u32 sid,
484 struct superblock_security_struct *sbsec,
275bb41e 485 const struct cred *cred)
0808925e 486{
275bb41e 487 const struct task_security_struct *tsec = cred->security;
0808925e 488 int rc;
6b6bc620
SS		 489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 491 FILESYSTEM__RELABELFROM, NULL);
492 if (rc)
493 return rc;
494
6b6bc620
SS		 495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 497 FILESYSTEM__ASSOCIATE, NULL);
498 return rc;
499}
500
b43e725d
EP		 501static int selinux_is_sblabel_mnt(struct super_block *sb)
502{
503 struct superblock_security_struct *sbsec = sb->s_security;
504
d5f3a5f6
MS		 505 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
506 sbsec->behavior == SECURITY_FS_USE_TRANS ||
507 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 508 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 509 /* Special handling. Genfs but also in-core setxattr handler */
510 !strcmp(sb->s_type->name, "sysfs") ||
511 !strcmp(sb->s_type->name, "pstore") ||
512 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 513 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 514 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 515 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 516 (!strcmp(sb->s_type->name, "cgroup") ||
517 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 518}
519
c9180a57 520static int sb_finish_set_opts(struct super_block *sb)
1da177e4 521{
1da177e4 522 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 523 struct dentry *root = sb->s_root;
c6f493d6 524 struct inode *root_inode = d_backing_inode(root);
c9180a57 525 int rc = 0;
1da177e4 526
c9180a57
EP		 527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
528 /* Make sure that the xattr handler exists and that no
529 error other than -ENODATA is returned by getxattr on
530 the root directory. -ENODATA is ok, as this may be
531 the first boot of the SELinux kernel before we have
532 assigned xattr values to the filesystem. */
5d6c3191 533 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 534 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
535 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 536 rc = -EOPNOTSUPP;
537 goto out;
538 }
5d6c3191
AG		 539
540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 541 if (rc < 0 && rc != -ENODATA) {
542 if (rc == -EOPNOTSUPP)
543 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 544 "%s) has no security xattr handler\n",
545 sb->s_id, sb->s_type->name);
c9180a57
EP		 546 else
547 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 548 "%s) getxattr errno %d\n", sb->s_id,
549 sb->s_type->name, -rc);
c9180a57
EP		 550 goto out;
551 }
552 }
1da177e4 553
eadcabc6 554 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 555
556 /*
557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
558 * leave the flag untouched because sb_clone_mnt_opts might be handing
559 * us a superblock that needs the flag to be cleared.
560 */
b43e725d 561 if (selinux_is_sblabel_mnt(sb))
12f348b9 562 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 563 else
564 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 565
c9180a57
EP		 566 /* Initialize the root inode. */
567 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 568
c9180a57
EP		 569 /* Initialize any other inodes associated with the superblock, e.g.
570 inodes created prior to initial policy load or inodes created
571 during get_sb by a pseudo filesystem that directly
572 populates itself. */
573 spin_lock(&sbsec->isec_lock);
574next_inode:
575 if (!list_empty(&sbsec->isec_head)) {
576 struct inode_security_struct *isec =
577 list_entry(sbsec->isec_head.next,
578 struct inode_security_struct, list);
579 struct inode *inode = isec->inode;
923190d3 580 list_del_init(&isec->list);
c9180a57
EP		 581 spin_unlock(&sbsec->isec_lock);
582 inode = igrab(inode);
583 if (inode) {
584 if (!IS_PRIVATE(inode))
585 inode_doinit(inode);
586 iput(inode);
587 }
588 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 589 goto next_inode;
590 }
591 spin_unlock(&sbsec->isec_lock);
592out:
593 return rc;
594}
1da177e4 595
c9180a57
EP		 596/*
597 * This function should allow an FS to ask what it's mount security
598 * options were so it can use those later for submounts, displaying
599 * mount options, or whatever.
600 */
601static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 602 struct security_mnt_opts *opts)
c9180a57
EP		 603{
604 int rc = 0, i;
605 struct superblock_security_struct *sbsec = sb->s_security;
606 char *context = NULL;
607 u32 len;
608 char tmp;
1da177e4 609
e0007529 610 security_init_mnt_opts(opts);
1da177e4 611
0d90a7ec 612 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 613 return -EINVAL;
1da177e4 614
aa8e712c 615 if (!selinux_state.initialized)
c9180a57 616 return -EINVAL;
1da177e4 617
af8e50cc
EP		 618 /* make sure we always check enough bits to cover the mask */
619 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
620
0d90a7ec 621 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 622 /* count the number of mount options for this sb */
af8e50cc 623 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 624 if (tmp & 0x01)
e0007529 625 opts->num_mnt_opts++;
c9180a57
EP		 626 tmp >>= 1;
627 }
11689d47 628 /* Check if the Label support flag is set */
0b4bdb35 629 if (sbsec->flags & SBLABEL_MNT)
11689d47 630 opts->num_mnt_opts++;
1da177e4 631
e0007529
EP		 632 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
633 if (!opts->mnt_opts) {
c9180a57
EP		 634 rc = -ENOMEM;
635 goto out_free;
636 }
1da177e4 637
e0007529
EP		 638 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
639 if (!opts->mnt_opts_flags) {
c9180a57
EP		 640 rc = -ENOMEM;
641 goto out_free;
642 }
1da177e4 643
c9180a57
EP		 644 i = 0;
645 if (sbsec->flags & FSCONTEXT_MNT) {
aa8e712c
SS		 646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
647 &context, &len);
c9180a57
EP		 648 if (rc)
649 goto out_free;
e0007529
EP		 650 opts->mnt_opts[i] = context;
651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 652 }
653 if (sbsec->flags & CONTEXT_MNT) {
aa8e712c
SS		 654 rc = security_sid_to_context(&selinux_state,
655 sbsec->mntpoint_sid,
656 &context, &len);
c9180a57
EP		 657 if (rc)
658 goto out_free;
e0007529
EP		 659 opts->mnt_opts[i] = context;
660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 661 }
662 if (sbsec->flags & DEFCONTEXT_MNT) {
aa8e712c
SS		 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664 &context, &len);
c9180a57
EP		 665 if (rc)
666 goto out_free;
e0007529
EP		 667 opts->mnt_opts[i] = context;
668 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 669 }
670 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 671 struct dentry *root = sbsec->sb->s_root;
672 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 673
aa8e712c
SS		 674 rc = security_sid_to_context(&selinux_state, isec->sid,
675 &context, &len);
c9180a57
EP		 676 if (rc)
677 goto out_free;
e0007529
EP		 678 opts->mnt_opts[i] = context;
679 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 680 }
12f348b9 681 if (sbsec->flags & SBLABEL_MNT) {
11689d47 682 opts->mnt_opts[i] = NULL;
12f348b9 683 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 684 }
1da177e4 685
e0007529 686 BUG_ON(i != opts->num_mnt_opts);
1da177e4 687
c9180a57
EP		 688 return 0;
689
690out_free:
e0007529 691 security_free_mnt_opts(opts);
c9180a57
EP		 692 return rc;
693}
1da177e4 694
c9180a57
EP		 695static int bad_option(struct superblock_security_struct *sbsec, char flag,
696 u32 old_sid, u32 new_sid)
697{
0d90a7ec
DQ		 698 char mnt_flags = sbsec->flags & SE_MNTMASK;
699
c9180a57 700 /* check if the old mount command had the same options */
0d90a7ec 701 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 702 if (!(sbsec->flags & flag) ||
703 (old_sid != new_sid))
704 return 1;
705
706 /* check if we were passed the same options twice,
707 * aka someone passed context=a,context=b
708 */
0d90a7ec
DQ		 709 if (!(sbsec->flags & SE_SBINITIALIZED))
710 if (mnt_flags & flag)
c9180a57
EP		 711 return 1;
712 return 0;
713}
e0007529 714
c9180a57
EP		 715/*
716 * Allow filesystems with binary mount data to explicitly set mount point
717 * labeling information.
718 */
e0007529 719static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 720 struct security_mnt_opts *opts,
721 unsigned long kern_flags,
722 unsigned long *set_kern_flags)
c9180a57 723{
275bb41e 724 const struct cred *cred = current_cred();
c9180a57 725 int rc = 0, i;
c9180a57 726 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 727 const char *name = sb->s_type->name;
83da53c5 728 struct dentry *root = sbsec->sb->s_root;
2c97165b 729 struct inode_security_struct *root_isec;
c9180a57
EP		 730 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
731 u32 defcontext_sid = 0;
e0007529
EP		 732 char **mount_options = opts->mnt_opts;
733 int *flags = opts->mnt_opts_flags;
734 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 735
736 mutex_lock(&sbsec->lock);
737
aa8e712c 738 if (!selinux_state.initialized) {
c9180a57
EP		 739 if (!num_opts) {
740 /* Defer initialization until selinux_complete_init,
741 after the initial policy is loaded and the security
742 server is ready to handle calls. */
c9180a57
EP		 743 goto out;
744 }
745 rc = -EINVAL;
744ba35e
EP		 746 printk(KERN_WARNING "SELinux: Unable to set superblock options "
747 "before the security server is initialized\n");
1da177e4 748 goto out;
c9180a57 749 }
649f6e77
DQ		 750 if (kern_flags && !set_kern_flags) {
751 /* Specifying internal flags without providing a place to
752 * place the results is not allowed */
753 rc = -EINVAL;
754 goto out;
755 }
1da177e4 756
e0007529
EP		 757 /*
758 * Binary mount data FS will come through this function twice. Once
759 * from an explicit call and once from the generic calls from the vfs.
760 * Since the generic VFS calls will not contain any security mount data
761 * we need to skip the double mount verification.
762 *
763 * This does open a hole in which we will not notice if the first
764 * mount using this sb set explict options and a second mount using
765 * this sb does not set any security options. (The first options
766 * will be used for both mounts)
767 */
0d90a7ec 768 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 769 && (num_opts == 0))
f5269710 770 goto out;
e0007529 771
2c97165b
PM		 772 root_isec = backing_inode_security_novalidate(root);
773
c9180a57
EP		 774 /*
775 * parse the mount options, check if they are valid sids.
776 * also check if someone is trying to mount the same sb more
777 * than once with different security options.
778 */
779 for (i = 0; i < num_opts; i++) {
780 u32 sid;
11689d47 781
12f348b9 782 if (flags[i] == SBLABEL_MNT)
11689d47 783 continue;
aa8e712c
SS		 784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
786 GFP_KERNEL);
1da177e4 787 if (rc) {
44be2f65 788 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 789 "(%s) failed for (dev %s, type %s) errno=%d\n",
790 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 791 goto out;
792 }
793 switch (flags[i]) {
794 case FSCONTEXT_MNT:
795 fscontext_sid = sid;
796
797 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
798 fscontext_sid))
799 goto out_double_mount;
800
801 sbsec->flags |= FSCONTEXT_MNT;
802 break;
803 case CONTEXT_MNT:
804 context_sid = sid;
805
806 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
807 context_sid))
808 goto out_double_mount;
809
810 sbsec->flags |= CONTEXT_MNT;
811 break;
812 case ROOTCONTEXT_MNT:
813 rootcontext_sid = sid;
814
815 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
816 rootcontext_sid))
817 goto out_double_mount;
818
819 sbsec->flags |= ROOTCONTEXT_MNT;
820
821 break;
822 case DEFCONTEXT_MNT:
823 defcontext_sid = sid;
824
825 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
826 defcontext_sid))
827 goto out_double_mount;
828
829 sbsec->flags |= DEFCONTEXT_MNT;
830
831 break;
832 default:
833 rc = -EINVAL;
834 goto out;
1da177e4 835 }
c9180a57
EP		 836 }
837
0d90a7ec 838 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 839 /* previously mounted with options, but not on this attempt? */
0d90a7ec 840 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 841 goto out_double_mount;
842 rc = 0;
843 goto out;
844 }
845
089be43e 846 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 847 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
848
8e014720 849 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 850 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 851 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 852 !strcmp(sb->s_type->name, "pstore") ||
853 !strcmp(sb->s_type->name, "cgroup") ||
854 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 855 sbsec->flags |= SE_SBGENFS;
c9180a57 856
eb9ae686
DQ		 857 if (!sbsec->behavior) {
858 /*
859 * Determine the labeling behavior to use for this
860 * filesystem type.
861 */
aa8e712c 862 rc = security_fs_use(&selinux_state, sb);
eb9ae686
DQ		 863 if (rc) {
864 printk(KERN_WARNING
865 "%s: security_fs_use(%s) returned %d\n",
866 __func__, sb->s_type->name, rc);
867 goto out;
868 }
c9180a57 869 }
aad82892
SF		 870
871 /*
01593d32
SS		 872 * If this is a user namespace mount and the filesystem type is not
873 * explicitly whitelisted, then no contexts are allowed on the command
874 * line and security labels must be ignored.
aad82892 875 */
01593d32
SS		 876 if (sb->s_user_ns != &init_user_ns &&
877 strcmp(sb->s_type->name, "tmpfs") &&
878 strcmp(sb->s_type->name, "ramfs") &&
879 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 880 if (context_sid || fscontext_sid || rootcontext_sid ||
881 defcontext_sid) {
882 rc = -EACCES;
883 goto out;
884 }
885 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
886 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 887 rc = security_transition_sid(&selinux_state,
888 current_sid(),
889 current_sid(),
aad82892
SF		 890 SECCLASS_FILE, NULL,
891 &sbsec->mntpoint_sid);
892 if (rc)
893 goto out;
894 }
895 goto out_set_opts;
896 }
897
c9180a57
EP		 898 /* sets the context of the superblock for the fs being mounted. */
899 if (fscontext_sid) {
275bb41e 900 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 901 if (rc)
c9180a57 902 goto out;
1da177e4 903
c9180a57 904 sbsec->sid = fscontext_sid;
c312feb2
EP		 905 }
906
907 /*
908 * Switch to using mount point labeling behavior.
909 * sets the label used on all file below the mountpoint, and will set
910 * the superblock context if not already set.
911 */
eb9ae686
DQ		 912 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
913 sbsec->behavior = SECURITY_FS_USE_NATIVE;
914 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
915 }
916
c9180a57
EP		 917 if (context_sid) {
918 if (!fscontext_sid) {
275bb41e
DH		 919 rc = may_context_mount_sb_relabel(context_sid, sbsec,
920 cred);
b04ea3ce 921 if (rc)
c9180a57
EP		 922 goto out;
923 sbsec->sid = context_sid;
b04ea3ce 924 } else {
275bb41e
DH		 925 rc = may_context_mount_inode_relabel(context_sid, sbsec,
926 cred);
b04ea3ce 927 if (rc)
c9180a57 928 goto out;
b04ea3ce 929 }
c9180a57
EP		 930 if (!rootcontext_sid)
931 rootcontext_sid = context_sid;
1da177e4 932
c9180a57 933 sbsec->mntpoint_sid = context_sid;
c312feb2 934 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 935 }
936
c9180a57 937 if (rootcontext_sid) {
275bb41e
DH		 938 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
939 cred);
0808925e 940 if (rc)
c9180a57 941 goto out;
0808925e 942
c9180a57 943 root_isec->sid = rootcontext_sid;
6f3be9f5 944 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 945 }
946
c9180a57 947 if (defcontext_sid) {
eb9ae686
DQ		 948 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
949 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 950 rc = -EINVAL;
951 printk(KERN_WARNING "SELinux: defcontext option is "
952 "invalid for this filesystem type\n");
953 goto out;
1da177e4
LT		 954 }
955
c9180a57
EP		 956 if (defcontext_sid != sbsec->def_sid) {
957 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 958 sbsec, cred);
c9180a57
EP		 959 if (rc)
960 goto out;
961 }
1da177e4 962
c9180a57 963 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 964 }
965
aad82892 966out_set_opts:
c9180a57 967 rc = sb_finish_set_opts(sb);
1da177e4 968out:
c9180a57 969 mutex_unlock(&sbsec->lock);
1da177e4 970 return rc;
c9180a57
EP		 971out_double_mount:
972 rc = -EINVAL;
973 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 974 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 975 goto out;
1da177e4
LT		 976}
977
094f7b69
JL		 978static int selinux_cmp_sb_context(const struct super_block *oldsb,
979 const struct super_block *newsb)
980{
981 struct superblock_security_struct *old = oldsb->s_security;
982 struct superblock_security_struct *new = newsb->s_security;
983 char oldflags = old->flags & SE_MNTMASK;
984 char newflags = new->flags & SE_MNTMASK;
985
986 if (oldflags != newflags)
987 goto mismatch;
988 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
989 goto mismatch;
990 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
991 goto mismatch;
992 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
993 goto mismatch;
994 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 995 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
996 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 997 if (oldroot->sid != newroot->sid)
998 goto mismatch;
999 }
1000 return 0;
1001mismatch:
1002 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
1003 "different security settings for (dev %s, "
1004 "type %s)\n", newsb->s_id, newsb->s_type->name);
1005 return -EBUSY;
1006}
1007
1008static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 1009 struct super_block *newsb,
1010 unsigned long kern_flags,
1011 unsigned long *set_kern_flags)
1da177e4 1012{
0b4d3452 1013 int rc = 0;
c9180a57
EP		 1014 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1015 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 1016
c9180a57
EP		 1017 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1018 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1019 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 1020
0f5e6420
EP		 1021 /*
1022 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 1023 * mount options. thus we can safely deal with this superblock later
0f5e6420 1024 */
aa8e712c 1025 if (!selinux_state.initialized)
094f7b69 1026 return 0;
c9180a57 1027
0b4d3452
SM		 1028 /*
1029 * Specifying internal flags without providing a place to
1030 * place the results is not allowed.
1031 */
1032 if (kern_flags && !set_kern_flags)
1033 return -EINVAL;
1034
c9180a57 1035 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 1036 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 1037
094f7b69 1038 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 1039 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 1040 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 1041
c9180a57
EP		 1042 mutex_lock(&newsbsec->lock);
1043
1044 newsbsec->flags = oldsbsec->flags;
1045
1046 newsbsec->sid = oldsbsec->sid;
1047 newsbsec->def_sid = oldsbsec->def_sid;
1048 newsbsec->behavior = oldsbsec->behavior;
1049
0b4d3452
SM		 1050 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1051 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 1052 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 1053 if (rc)
1054 goto out;
1055 }
1056
1057 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1058 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1059 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1060 }
1061
c9180a57
EP		 1062 if (set_context) {
1063 u32 sid = oldsbsec->mntpoint_sid;
1064
1065 if (!set_fscontext)
1066 newsbsec->sid = sid;
1067 if (!set_rootcontext) {
83da53c5 1068 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1069 newisec->sid = sid;
1070 }
1071 newsbsec->mntpoint_sid = sid;
1da177e4 1072 }
c9180a57 1073 if (set_rootcontext) {
83da53c5
AG		 1074 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1075 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1076
c9180a57 1077 newisec->sid = oldisec->sid;
1da177e4
LT		 1078 }
1079
c9180a57 1080 sb_finish_set_opts(newsb);
0b4d3452 1081out:
c9180a57 1082 mutex_unlock(&newsbsec->lock);
0b4d3452 1083 return rc;
c9180a57
EP		 1084}
1085
2e1479d9
AB		 1086static int selinux_parse_opts_str(char *options,
1087 struct security_mnt_opts *opts)
c9180a57 1088{
e0007529 1089 char *p;
c9180a57
EP		 1090 char *context = NULL, *defcontext = NULL;
1091 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1092 int rc, num_mnt_opts = 0;
1da177e4 1093
e0007529 1094 opts->num_mnt_opts = 0;
1da177e4 1095
c9180a57
EP		 1096 /* Standard string-based options. */
1097 while ((p = strsep(&options, "|")) != NULL) {
1098 int token;
1099 substring_t args[MAX_OPT_ARGS];
1da177e4 1100
c9180a57
EP		 1101 if (!*p)
1102 continue;
1da177e4 1103
c9180a57 1104 token = match_token(p, tokens, args);
1da177e4 1105
c9180a57
EP		 1106 switch (token) {
1107 case Opt_context:
1108 if (context || defcontext) {
1109 rc = -EINVAL;
1110 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1111 goto out_err;
1112 }
1113 context = match_strdup(&args[0]);
1114 if (!context) {
1115 rc = -ENOMEM;
1116 goto out_err;
1117 }
1118 break;
1119
1120 case Opt_fscontext:
1121 if (fscontext) {
1122 rc = -EINVAL;
1123 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1124 goto out_err;
1125 }
1126 fscontext = match_strdup(&args[0]);
1127 if (!fscontext) {
1128 rc = -ENOMEM;
1129 goto out_err;
1130 }
1131 break;
1132
1133 case Opt_rootcontext:
1134 if (rootcontext) {
1135 rc = -EINVAL;
1136 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1137 goto out_err;
1138 }
1139 rootcontext = match_strdup(&args[0]);
1140 if (!rootcontext) {
1141 rc = -ENOMEM;
1142 goto out_err;
1143 }
1144 break;
1145
1146 case Opt_defcontext:
1147 if (context || defcontext) {
1148 rc = -EINVAL;
1149 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1150 goto out_err;
1151 }
1152 defcontext = match_strdup(&args[0]);
1153 if (!defcontext) {
1154 rc = -ENOMEM;
1155 goto out_err;
1156 }
1157 break;
11689d47
DQ		 1158 case Opt_labelsupport:
1159 break;
c9180a57
EP		 1160 default:
1161 rc = -EINVAL;
1162 printk(KERN_WARNING "SELinux: unknown mount option\n");
1163 goto out_err;
1da177e4 1164
1da177e4 1165 }
1da177e4 1166 }
c9180a57 1167
e0007529 1168 rc = -ENOMEM;
8931c3bd 1169 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1170 if (!opts->mnt_opts)
1171 goto out_err;
1172
8931c3bd
TH		 1173 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1174 GFP_KERNEL);
023f108d 1175 if (!opts->mnt_opts_flags)
e0007529 1176 goto out_err;
e0007529 1177
c9180a57 1178 if (fscontext) {
e0007529
EP		 1179 opts->mnt_opts[num_mnt_opts] = fscontext;
1180 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1181 }
1182 if (context) {
e0007529
EP		 1183 opts->mnt_opts[num_mnt_opts] = context;
1184 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1185 }
1186 if (rootcontext) {
e0007529
EP		 1187 opts->mnt_opts[num_mnt_opts] = rootcontext;
1188 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1189 }
1190 if (defcontext) {
e0007529
EP		 1191 opts->mnt_opts[num_mnt_opts] = defcontext;
1192 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1193 }
1194
e0007529
EP		 1195 opts->num_mnt_opts = num_mnt_opts;
1196 return 0;
1197
c9180a57 1198out_err:
023f108d 1199 security_free_mnt_opts(opts);
c9180a57
EP		 1200 kfree(context);
1201 kfree(defcontext);
1202 kfree(fscontext);
1203 kfree(rootcontext);
1da177e4
LT		 1204 return rc;
1205}
e0007529
EP		 1206/*
1207 * string mount options parsing and call set the sbsec
1208 */
1209static int superblock_doinit(struct super_block *sb, void *data)
1210{
1211 int rc = 0;
1212 char *options = data;
1213 struct security_mnt_opts opts;
1214
1215 security_init_mnt_opts(&opts);
1216
1217 if (!data)
1218 goto out;
1219
1220 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1221
1222 rc = selinux_parse_opts_str(options, &opts);
1223 if (rc)
1224 goto out_err;
1225
1226out:
649f6e77 1227 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1228
1229out_err:
1230 security_free_mnt_opts(&opts);
1231 return rc;
1232}
1da177e4 1233
3583a711
AB		 1234static void selinux_write_opts(struct seq_file *m,
1235 struct security_mnt_opts *opts)
2069f457
EP		 1236{
1237 int i;
1238 char *prefix;
1239
1240 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1241 char *has_comma;
1242
1243 if (opts->mnt_opts[i])
1244 has_comma = strchr(opts->mnt_opts[i], ',');
1245 else
1246 has_comma = NULL;
2069f457
EP		 1247
1248 switch (opts->mnt_opts_flags[i]) {
1249 case CONTEXT_MNT:
1250 prefix = CONTEXT_STR;
1251 break;
1252 case FSCONTEXT_MNT:
1253 prefix = FSCONTEXT_STR;
1254 break;
1255 case ROOTCONTEXT_MNT:
1256 prefix = ROOTCONTEXT_STR;
1257 break;
1258 case DEFCONTEXT_MNT:
1259 prefix = DEFCONTEXT_STR;
1260 break;
12f348b9 1261 case SBLABEL_MNT:
11689d47
DQ		 1262 seq_putc(m, ',');
1263 seq_puts(m, LABELSUPP_STR);
1264 continue;
2069f457
EP		 1265 default:
1266 BUG();
a35c6c83 1267 return;
2069f457
EP		 1268 };
1269 /* we need a comma before each option */
1270 seq_putc(m, ',');
1271 seq_puts(m, prefix);
1272 if (has_comma)
1273 seq_putc(m, '\"');
a068acf2 1274 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1275 if (has_comma)
1276 seq_putc(m, '\"');
1277 }
1278}
1279
1280static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1281{
1282 struct security_mnt_opts opts;
1283 int rc;
1284
1285 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1286 if (rc) {
1287 /* before policy load we may get EINVAL, don't show anything */
1288 if (rc == -EINVAL)
1289 rc = 0;
2069f457 1290 return rc;
383795c2 1291 }
2069f457
EP		 1292
1293 selinux_write_opts(m, &opts);
1294
1295 security_free_mnt_opts(&opts);
1296
1297 return rc;
1298}
1299
1da177e4
LT		 1300static inline u16 inode_mode_to_security_class(umode_t mode)
1301{
1302 switch (mode & S_IFMT) {
1303 case S_IFSOCK:
1304 return SECCLASS_SOCK_FILE;
1305 case S_IFLNK:
1306 return SECCLASS_LNK_FILE;
1307 case S_IFREG:
1308 return SECCLASS_FILE;
1309 case S_IFBLK:
1310 return SECCLASS_BLK_FILE;
1311 case S_IFDIR:
1312 return SECCLASS_DIR;
1313 case S_IFCHR:
1314 return SECCLASS_CHR_FILE;
1315 case S_IFIFO:
1316 return SECCLASS_FIFO_FILE;
1317
1318 }
1319
1320 return SECCLASS_FILE;
1321}
1322
13402580
JM		 1323static inline int default_protocol_stream(int protocol)
1324{
1325 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1326}
1327
1328static inline int default_protocol_dgram(int protocol)
1329{
1330 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1331}
1332
1da177e4
LT		 1333static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1334{
aa8e712c 1335 int extsockclass = selinux_policycap_extsockclass();
da69a530 1336
1da177e4
LT		 1337 switch (family) {
1338 case PF_UNIX:
1339 switch (type) {
1340 case SOCK_STREAM:
1341 case SOCK_SEQPACKET:
1342 return SECCLASS_UNIX_STREAM_SOCKET;
1343 case SOCK_DGRAM:
2a764b52 1344 case SOCK_RAW:
1da177e4
LT		 1345 return SECCLASS_UNIX_DGRAM_SOCKET;
1346 }
1347 break;
1348 case PF_INET:
1349 case PF_INET6:
1350 switch (type) {
1351 case SOCK_STREAM:
da69a530 1352 case SOCK_SEQPACKET:
13402580
JM		 1353 if (default_protocol_stream(protocol))
1354 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1355 else if (extsockclass && protocol == IPPROTO_SCTP)
1356 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1357 else
1358 return SECCLASS_RAWIP_SOCKET;
1da177e4 1359 case SOCK_DGRAM:
13402580
JM		 1360 if (default_protocol_dgram(protocol))
1361 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1362 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1363 protocol == IPPROTO_ICMPV6))
da69a530 1364 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1365 else
1366 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1367 case SOCK_DCCP:
1368 return SECCLASS_DCCP_SOCKET;
13402580 1369 default:
1da177e4
LT		 1370 return SECCLASS_RAWIP_SOCKET;
1371 }
1372 break;
1373 case PF_NETLINK:
1374 switch (protocol) {
1375 case NETLINK_ROUTE:
1376 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1377 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1378 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1379 case NETLINK_NFLOG:
1380 return SECCLASS_NETLINK_NFLOG_SOCKET;
1381 case NETLINK_XFRM:
1382 return SECCLASS_NETLINK_XFRM_SOCKET;
1383 case NETLINK_SELINUX:
1384 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1385 case NETLINK_ISCSI:
1386 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1387 case NETLINK_AUDIT:
1388 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1389 case NETLINK_FIB_LOOKUP:
1390 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1391 case NETLINK_CONNECTOR:
1392 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1393 case NETLINK_NETFILTER:
1394 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1395 case NETLINK_DNRTMSG:
1396 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1397 case NETLINK_KOBJECT_UEVENT:
1398 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1399 case NETLINK_GENERIC:
1400 return SECCLASS_NETLINK_GENERIC_SOCKET;
1401 case NETLINK_SCSITRANSPORT:
1402 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1403 case NETLINK_RDMA:
1404 return SECCLASS_NETLINK_RDMA_SOCKET;
1405 case NETLINK_CRYPTO:
1406 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1407 default:
1408 return SECCLASS_NETLINK_SOCKET;
1409 }
1410 case PF_PACKET:
1411 return SECCLASS_PACKET_SOCKET;
1412 case PF_KEY:
1413 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1414 case PF_APPLETALK:
1415 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1416 }
1417
da69a530
SS		 1418 if (extsockclass) {
1419 switch (family) {
1420 case PF_AX25:
1421 return SECCLASS_AX25_SOCKET;
1422 case PF_IPX:
1423 return SECCLASS_IPX_SOCKET;
1424 case PF_NETROM:
1425 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1426 case PF_ATMPVC:
1427 return SECCLASS_ATMPVC_SOCKET;
1428 case PF_X25:
1429 return SECCLASS_X25_SOCKET;
1430 case PF_ROSE:
1431 return SECCLASS_ROSE_SOCKET;
1432 case PF_DECnet:
1433 return SECCLASS_DECNET_SOCKET;
1434 case PF_ATMSVC:
1435 return SECCLASS_ATMSVC_SOCKET;
1436 case PF_RDS:
1437 return SECCLASS_RDS_SOCKET;
1438 case PF_IRDA:
1439 return SECCLASS_IRDA_SOCKET;
1440 case PF_PPPOX:
1441 return SECCLASS_PPPOX_SOCKET;
1442 case PF_LLC:
1443 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1444 case PF_CAN:
1445 return SECCLASS_CAN_SOCKET;
1446 case PF_TIPC:
1447 return SECCLASS_TIPC_SOCKET;
1448 case PF_BLUETOOTH:
1449 return SECCLASS_BLUETOOTH_SOCKET;
1450 case PF_IUCV:
1451 return SECCLASS_IUCV_SOCKET;
1452 case PF_RXRPC:
1453 return SECCLASS_RXRPC_SOCKET;
1454 case PF_ISDN:
1455 return SECCLASS_ISDN_SOCKET;
1456 case PF_PHONET:
1457 return SECCLASS_PHONET_SOCKET;
1458 case PF_IEEE802154:
1459 return SECCLASS_IEEE802154_SOCKET;
1460 case PF_CAIF:
1461 return SECCLASS_CAIF_SOCKET;
1462 case PF_ALG:
1463 return SECCLASS_ALG_SOCKET;
1464 case PF_NFC:
1465 return SECCLASS_NFC_SOCKET;
1466 case PF_VSOCK:
1467 return SECCLASS_VSOCK_SOCKET;
1468 case PF_KCM:
1469 return SECCLASS_KCM_SOCKET;
1470 case PF_QIPCRTR:
1471 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1472 case PF_SMC:
1473 return SECCLASS_SMC_SOCKET;
1474#if PF_MAX > 44
da69a530
SS		 1475#error New address family defined, please update this function.
1476#endif
1477 }
1478 }
1479
1da177e4
LT		 1480 return SECCLASS_SOCKET;
1481}
1482
134509d5
SS		 1483static int selinux_genfs_get_sid(struct dentry *dentry,
1484 u16 tclass,
1485 u16 flags,
1486 u32 *sid)
1da177e4 1487{
8e6c9693 1488 int rc;
fc64005c 1489 struct super_block *sb = dentry->d_sb;
8e6c9693 1490 char *buffer, *path;
1da177e4 1491
828dfe1d 1492 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1493 if (!buffer)
1494 return -ENOMEM;
1495
8e6c9693
LAG		 1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497 if (IS_ERR(path))
1498 rc = PTR_ERR(path);
1499 else {
134509d5
SS		 1500 if (flags & SE_SBPROC) {
1501 /* each process gets a /proc/PID/ entry. Strip off the
1502 * PID part to get a valid selinux labeling.
1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 while (path[1] >= '0' && path[1] <= '9') {
1505 path[1] = '/';
1506 path++;
1507 }
8e6c9693 1508 }
aa8e712c
SS		 1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
1da177e4 1511 }
1da177e4
LT		 1512 free_page((unsigned long)buffer);
1513 return rc;
1514}
1da177e4
LT		 1515
1516/* The inode's security attributes must be initialized before first use. */
1517static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1518{
1519 struct superblock_security_struct *sbsec = NULL;
1520 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1521 u32 task_sid, sid = 0;
1522 u16 sclass;
1da177e4
LT		 1523 struct dentry *dentry;
1524#define INITCONTEXTLEN 255
1525 char *context = NULL;
1526 unsigned len = 0;
1527 int rc = 0;
1da177e4 1528
6f3be9f5 1529 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1530 return 0;
1da177e4 1531
9287aed2 1532 spin_lock(&isec->lock);
6f3be9f5 1533 if (isec->initialized == LABEL_INITIALIZED)
23970741 1534 goto out_unlock;
1da177e4 1535
13457d07
AG		 1536 if (isec->sclass == SECCLASS_FILE)
1537 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1538
1da177e4 1539 sbsec = inode->i_sb->s_security;
0d90a7ec 1540 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1541 /* Defer initialization until selinux_complete_init,
1542 after the initial policy is loaded and the security
1543 server is ready to handle calls. */
1544 spin_lock(&sbsec->isec_lock);
1545 if (list_empty(&isec->list))
1546 list_add(&isec->list, &sbsec->isec_head);
1547 spin_unlock(&sbsec->isec_lock);
23970741 1548 goto out_unlock;
1da177e4
LT		 1549 }
1550
9287aed2
AG		 1551 sclass = isec->sclass;
1552 task_sid = isec->task_sid;
1553 sid = isec->sid;
1554 isec->initialized = LABEL_PENDING;
1555 spin_unlock(&isec->lock);
1556
1da177e4 1557 switch (sbsec->behavior) {
eb9ae686
DQ		 1558 case SECURITY_FS_USE_NATIVE:
1559 break;
1da177e4 1560 case SECURITY_FS_USE_XATTR:
5d6c3191 1561 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1562 sid = sbsec->def_sid;
1da177e4
LT		 1563 break;
1564 }
1da177e4
LT		 1565 /* Need a dentry, since the xattr API requires one.
1566 Life would be simpler if we could just pass the inode. */
1567 if (opt_dentry) {
1568 /* Called from d_instantiate or d_splice_alias. */
1569 dentry = dget(opt_dentry);
1570 } else {
1571 /* Called from selinux_complete_init, try to find a dentry. */
1572 dentry = d_find_alias(inode);
1573 }
1574 if (!dentry) {
df7f54c0
EP		 1575 /*
1576 * this is can be hit on boot when a file is accessed
1577 * before the policy is loaded. When we load policy we
1578 * may find inodes that have no dentry on the
1579 * sbsec->isec_head list. No reason to complain as these
1580 * will get fixed up the next time we go through
1581 * inode_doinit with a dentry, before these inodes could
1582 * be used again by userspace.
1583 */
9287aed2 1584 goto out;
1da177e4
LT		 1585 }
1586
1587 len = INITCONTEXTLEN;
4cb912f1 1588 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1589 if (!context) {
1590 rc = -ENOMEM;
1591 dput(dentry);
9287aed2 1592 goto out;
1da177e4 1593 }
4cb912f1 1594 context[len] = '\0';
5d6c3191 1595 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1596 if (rc == -ERANGE) {
314dabb8
JM		 1597 kfree(context);
1598
1da177e4 1599 /* Need a larger buffer. Query for the right size. */
5d6c3191 1600 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1601 if (rc < 0) {
1602 dput(dentry);
9287aed2 1603 goto out;
1da177e4 1604 }
1da177e4 1605 len = rc;
4cb912f1 1606 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1607 if (!context) {
1608 rc = -ENOMEM;
1609 dput(dentry);
9287aed2 1610 goto out;
1da177e4 1611 }
4cb912f1 1612 context[len] = '\0';
5d6c3191 1613 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1614 }
1615 dput(dentry);
1616 if (rc < 0) {
1617 if (rc != -ENODATA) {
744ba35e 1618 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1619 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1620 -rc, inode->i_sb->s_id, inode->i_ino);
1621 kfree(context);
9287aed2 1622 goto out;
1da177e4
LT		 1623 }
1624 /* Map ENODATA to the default file SID */
1625 sid = sbsec->def_sid;
1626 rc = 0;
1627 } else {
aa8e712c
SS		 1628 rc = security_context_to_sid_default(&selinux_state,
1629 context, rc, &sid,
869ab514
SS		 1630 sbsec->def_sid,
1631 GFP_NOFS);
1da177e4 1632 if (rc) {
4ba0a8ad
EP		 1633 char *dev = inode->i_sb->s_id;
1634 unsigned long ino = inode->i_ino;
1635
1636 if (rc == -EINVAL) {
1637 if (printk_ratelimit())
1638 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1639 "context=%s. This indicates you may need to relabel the inode or the "
1640 "filesystem in question.\n", ino, dev, context);
1641 } else {
1642 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1643 "returned %d for dev=%s ino=%ld\n",
1644 __func__, context, -rc, dev, ino);
1645 }
1da177e4
LT		 1646 kfree(context);
1647 /* Leave with the unlabeled SID */
1648 rc = 0;
1649 break;
1650 }
1651 }
1652 kfree(context);
1da177e4
LT		 1653 break;
1654 case SECURITY_FS_USE_TASK:
9287aed2 1655 sid = task_sid;
1da177e4
LT		 1656 break;
1657 case SECURITY_FS_USE_TRANS:
1658 /* Default to the fs SID. */
9287aed2 1659 sid = sbsec->sid;
1da177e4
LT		 1660
1661 /* Try to obtain a transition SID. */
aa8e712c
SS		 1662 rc = security_transition_sid(&selinux_state, task_sid, sid,
1663 sclass, NULL, &sid);
1da177e4 1664 if (rc)
9287aed2 1665 goto out;
1da177e4 1666 break;
c312feb2 1667 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1668 sid = sbsec->mntpoint_sid;
c312feb2 1669 break;
1da177e4 1670 default:
c312feb2 1671 /* Default to the fs superblock SID. */
9287aed2 1672 sid = sbsec->sid;
1da177e4 1673
134509d5 1674 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1675 /* We must have a dentry to determine the label on
1676 * procfs inodes */
1677 if (opt_dentry)
1678 /* Called from d_instantiate or
1679 * d_splice_alias. */
1680 dentry = dget(opt_dentry);
1681 else
1682 /* Called from selinux_complete_init, try to
1683 * find a dentry. */
1684 dentry = d_find_alias(inode);
1685 /*
1686 * This can be hit on boot when a file is accessed
1687 * before the policy is loaded. When we load policy we
1688 * may find inodes that have no dentry on the
1689 * sbsec->isec_head list. No reason to complain as
1690 * these will get fixed up the next time we go through
1691 * inode_doinit() with a dentry, before these inodes
1692 * could be used again by userspace.
1693 */
1694 if (!dentry)
9287aed2
AG		 1695 goto out;
1696 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1697 sbsec->flags, &sid);
f64410ec
PM		 1698 dput(dentry);
1699 if (rc)
9287aed2 1700 goto out;
1da177e4
LT		 1701 }
1702 break;
1703 }
1704
9287aed2
AG		 1705out:
1706 spin_lock(&isec->lock);
1707 if (isec->initialized == LABEL_PENDING) {
1708 if (!sid || rc) {
1709 isec->initialized = LABEL_INVALID;
1710 goto out_unlock;
1711 }
1712
1713 isec->initialized = LABEL_INITIALIZED;
1714 isec->sid = sid;
1715 }
1da177e4 1716
23970741 1717out_unlock:
9287aed2 1718 spin_unlock(&isec->lock);
1da177e4
LT		 1719 return rc;
1720}
1721
1722/* Convert a Linux signal to an access vector. */
1723static inline u32 signal_to_av(int sig)
1724{
1725 u32 perm = 0;
1726
1727 switch (sig) {
1728 case SIGCHLD:
1729 /* Commonly granted from child to parent. */
1730 perm = PROCESS__SIGCHLD;
1731 break;
1732 case SIGKILL:
1733 /* Cannot be caught or ignored */
1734 perm = PROCESS__SIGKILL;
1735 break;
1736 case SIGSTOP:
1737 /* Cannot be caught or ignored */
1738 perm = PROCESS__SIGSTOP;
1739 break;
1740 default:
1741 /* All other signals. */
1742 perm = PROCESS__SIGNAL;
1743 break;
1744 }
1745
1746 return perm;
1747}
1748
b68e418c
SS		 1749#if CAP_LAST_CAP > 63
1750#error Fix SELinux to handle capabilities > 63.
1751#endif
1752
1da177e4 1753/* Check whether a task is allowed to use a capability. */
6a9de491 1754static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1755 int cap, int audit, bool initns)
1da177e4 1756{
2bf49690 1757 struct common_audit_data ad;
06112163 1758 struct av_decision avd;
b68e418c 1759 u16 sclass;
3699c53c 1760 u32 sid = cred_sid(cred);
b68e418c 1761 u32 av = CAP_TO_MASK(cap);
06112163 1762 int rc;
1da177e4 1763
50c205f5 1764 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1765 ad.u.cap = cap;
1766
b68e418c
SS		 1767 switch (CAP_TO_INDEX(cap)) {
1768 case 0:
8e4ff6f2 1769 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1770 break;
1771 case 1:
8e4ff6f2 1772 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1773 break;
1774 default:
1775 printk(KERN_ERR
1776 "SELinux: out of range capability %d\n", cap);
1777 BUG();
a35c6c83 1778 return -EINVAL;
b68e418c 1779 }
06112163 1780
6b6bc620
SS		 1781 rc = avc_has_perm_noaudit(&selinux_state,
1782 sid, sid, sclass, av, 0, &avd);
9ade0cf4 1783 if (audit == SECURITY_CAP_AUDIT) {
6b6bc620
SS		 1784 int rc2 = avc_audit(&selinux_state,
1785 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1786 if (rc2)
1787 return rc2;
1788 }
06112163 1789 return rc;
1da177e4
LT		 1790}
1791
1da177e4
LT		 1792/* Check whether a task has a particular permission to an inode.
1793 The 'adp' parameter is optional and allows other audit
1794 data to be passed (e.g. the dentry). */
88e67f3b 1795static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1796 struct inode *inode,
1797 u32 perms,
19e49834 1798 struct common_audit_data *adp)
1da177e4 1799{
1da177e4 1800 struct inode_security_struct *isec;
275bb41e 1801 u32 sid;
1da177e4 1802
e0e81739
DH		 1803 validate_creds(cred);
1804
828dfe1d 1805 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1806 return 0;
1807
88e67f3b 1808 sid = cred_sid(cred);
1da177e4
LT		 1809 isec = inode->i_security;
1810
6b6bc620
SS		 1811 return avc_has_perm(&selinux_state,
1812 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1813}
1814
1815/* Same as inode_has_perm, but pass explicit audit data containing
1816 the dentry to help the auditing code to more easily generate the
1817 pathname if needed. */
88e67f3b 1818static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1819 struct dentry *dentry,
1820 u32 av)
1821{
c6f493d6 1822 struct inode *inode = d_backing_inode(dentry);
2bf49690 1823 struct common_audit_data ad;
88e67f3b 1824
50c205f5 1825 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1826 ad.u.dentry = dentry;
5d226df4 1827 __inode_security_revalidate(inode, dentry, true);
19e49834 1828 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1829}
1830
1831/* Same as inode_has_perm, but pass explicit audit data containing
1832 the path to help the auditing code to more easily generate the
1833 pathname if needed. */
1834static inline int path_has_perm(const struct cred *cred,
3f7036a0 1835 const struct path *path,
2875fa00
EP		 1836 u32 av)
1837{
c6f493d6 1838 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1839 struct common_audit_data ad;
1840
50c205f5 1841 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1842 ad.u.path = *path;
5d226df4 1843 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1844 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1845}
1846
13f8e981
DH		 1847/* Same as path_has_perm, but uses the inode from the file struct. */
1848static inline int file_path_has_perm(const struct cred *cred,
1849 struct file *file,
1850 u32 av)
1851{
1852 struct common_audit_data ad;
1853
43af5de7
VG		 1854 ad.type = LSM_AUDIT_DATA_FILE;
1855 ad.u.file = file;
19e49834 1856 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1857}
1858
f66e448c
CF		 1859#ifdef CONFIG_BPF_SYSCALL
1860static int bpf_fd_pass(struct file *file, u32 sid);
1861#endif
1862
1da177e4
LT		 1863/* Check whether a task can use an open file descriptor to
1864 access an inode in a given way. Check access to the
1865 descriptor itself, and then use dentry_has_perm to
1866 check a particular permission to the file.
1867 Access to the descriptor is implicitly granted if it
1868 has the same SID as the process. If av is zero, then
1869 access to the file is not checked, e.g. for cases
1870 where only the descriptor is affected like seek. */
88e67f3b
DH		 1871static int file_has_perm(const struct cred *cred,
1872 struct file *file,
1873 u32 av)
1da177e4 1874{
1da177e4 1875 struct file_security_struct *fsec = file->f_security;
496ad9aa 1876 struct inode *inode = file_inode(file);
2bf49690 1877 struct common_audit_data ad;
88e67f3b 1878 u32 sid = cred_sid(cred);
1da177e4
LT		 1879 int rc;
1880
43af5de7
VG		 1881 ad.type = LSM_AUDIT_DATA_FILE;
1882 ad.u.file = file;
1da177e4 1883
275bb41e 1884 if (sid != fsec->sid) {
6b6bc620
SS		 1885 rc = avc_has_perm(&selinux_state,
1886 sid, fsec->sid,
1da177e4
LT		 1887 SECCLASS_FD,
1888 FD__USE,
1889 &ad);
1890 if (rc)
88e67f3b 1891 goto out;
1da177e4
LT		 1892 }
1893
f66e448c
CF		 1894#ifdef CONFIG_BPF_SYSCALL
1895 rc = bpf_fd_pass(file, cred_sid(cred));
1896 if (rc)
1897 return rc;
1898#endif
1899
1da177e4 1900 /* av is zero if only checking access to the descriptor. */
88e67f3b 1901 rc = 0;
1da177e4 1902 if (av)
19e49834 1903 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1904
88e67f3b
DH		 1905out:
1906 return rc;
1da177e4
LT		 1907}
1908
c3c188b2
DH		 1909/*
1910 * Determine the label for an inode that might be unioned.
1911 */
c957f6df
VG		 1912static int
1913selinux_determine_inode_label(const struct task_security_struct *tsec,
1914 struct inode *dir,
1915 const struct qstr *name, u16 tclass,
1916 u32 *_new_isid)
c3c188b2
DH		 1917{
1918 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1919
1920 if ((sbsec->flags & SE_SBINITIALIZED) &&
1921 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1922 *_new_isid = sbsec->mntpoint_sid;
1923 } else if ((sbsec->flags & SBLABEL_MNT) &&
1924 tsec->create_sid) {
1925 *_new_isid = tsec->create_sid;
1926 } else {
20cdef8d 1927 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1928 return security_transition_sid(&selinux_state, tsec->sid,
1929 dsec->sid, tclass,
c3c188b2
DH		 1930 name, _new_isid);
1931 }
1932
1933 return 0;
1934}
1935
1da177e4
LT		 1936/* Check whether a task can create a file. */
1937static int may_create(struct inode *dir,
1938 struct dentry *dentry,
1939 u16 tclass)
1940{
5fb49870 1941 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1942 struct inode_security_struct *dsec;
1943 struct superblock_security_struct *sbsec;
275bb41e 1944 u32 sid, newsid;
2bf49690 1945 struct common_audit_data ad;
1da177e4
LT		 1946 int rc;
1947
83da53c5 1948 dsec = inode_security(dir);
1da177e4
LT		 1949 sbsec = dir->i_sb->s_security;
1950
275bb41e 1951 sid = tsec->sid;
275bb41e 1952
50c205f5 1953 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1954 ad.u.dentry = dentry;
1da177e4 1955
6b6bc620
SS		 1956 rc = avc_has_perm(&selinux_state,
1957 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1958 DIR__ADD_NAME | DIR__SEARCH,
1959 &ad);
1960 if (rc)
1961 return rc;
1962
c957f6df
VG		 1963 rc = selinux_determine_inode_label(current_security(), dir,
1964 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1965 if (rc)
1966 return rc;
1da177e4 1967
6b6bc620
SS		 1968 rc = avc_has_perm(&selinux_state,
1969 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1970 if (rc)
1971 return rc;
1972
6b6bc620
SS		 1973 return avc_has_perm(&selinux_state,
1974 newsid, sbsec->sid,
1da177e4
LT		 1975 SECCLASS_FILESYSTEM,
1976 FILESYSTEM__ASSOCIATE, &ad);
1977}
1978
828dfe1d
EP		 1979#define MAY_LINK 0
1980#define MAY_UNLINK 1
1981#define MAY_RMDIR 2
1da177e4
LT		 1982
1983/* Check whether a task can link, unlink, or rmdir a file/directory. */
1984static int may_link(struct inode *dir,
1985 struct dentry *dentry,
1986 int kind)
1987
1988{
1da177e4 1989 struct inode_security_struct *dsec, *isec;
2bf49690 1990 struct common_audit_data ad;
275bb41e 1991 u32 sid = current_sid();
1da177e4
LT		 1992 u32 av;
1993 int rc;
1994
83da53c5
AG		 1995 dsec = inode_security(dir);
1996 isec = backing_inode_security(dentry);
1da177e4 1997
50c205f5 1998 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1999 ad.u.dentry = dentry;
1da177e4
LT		 2000
2001 av = DIR__SEARCH;
2002 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 2003 rc = avc_has_perm(&selinux_state,
2004 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2005 if (rc)
2006 return rc;
2007
2008 switch (kind) {
2009 case MAY_LINK:
2010 av = FILE__LINK;
2011 break;
2012 case MAY_UNLINK:
2013 av = FILE__UNLINK;
2014 break;
2015 case MAY_RMDIR:
2016 av = DIR__RMDIR;
2017 break;
2018 default:
744ba35e
EP		 2019 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2020 __func__, kind);
1da177e4
LT		 2021 return 0;
2022 }
2023
6b6bc620
SS		 2024 rc = avc_has_perm(&selinux_state,
2025 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 2026 return rc;
2027}
2028
2029static inline int may_rename(struct inode *old_dir,
2030 struct dentry *old_dentry,
2031 struct inode *new_dir,
2032 struct dentry *new_dentry)
2033{
1da177e4 2034 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 2035 struct common_audit_data ad;
275bb41e 2036 u32 sid = current_sid();
1da177e4
LT		 2037 u32 av;
2038 int old_is_dir, new_is_dir;
2039 int rc;
2040
83da53c5
AG		 2041 old_dsec = inode_security(old_dir);
2042 old_isec = backing_inode_security(old_dentry);
e36cb0b8 2043 old_is_dir = d_is_dir(old_dentry);
83da53c5 2044 new_dsec = inode_security(new_dir);
1da177e4 2045
50c205f5 2046 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 2047
a269434d 2048 ad.u.dentry = old_dentry;
6b6bc620
SS		 2049 rc = avc_has_perm(&selinux_state,
2050 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 2051 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2052 if (rc)
2053 return rc;
6b6bc620
SS		 2054 rc = avc_has_perm(&selinux_state,
2055 sid, old_isec->sid,
1da177e4
LT		 2056 old_isec->sclass, FILE__RENAME, &ad);
2057 if (rc)
2058 return rc;
2059 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 2060 rc = avc_has_perm(&selinux_state,
2061 sid, old_isec->sid,
1da177e4
LT		 2062 old_isec->sclass, DIR__REPARENT, &ad);
2063 if (rc)
2064 return rc;
2065 }
2066
a269434d 2067 ad.u.dentry = new_dentry;
1da177e4 2068 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2069 if (d_is_positive(new_dentry))
1da177e4 2070 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 2071 rc = avc_has_perm(&selinux_state,
2072 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2073 if (rc)
2074 return rc;
2c616d4d 2075 if (d_is_positive(new_dentry)) {
83da53c5 2076 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2077 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 2078 rc = avc_has_perm(&selinux_state,
2079 sid, new_isec->sid,
1da177e4
LT		 2080 new_isec->sclass,
2081 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2082 if (rc)
2083 return rc;
2084 }
2085
2086 return 0;
2087}
2088
2089/* Check whether a task can perform a filesystem operation. */
88e67f3b 2090static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2091 struct super_block *sb,
2092 u32 perms,
2bf49690 2093 struct common_audit_data *ad)
1da177e4 2094{
1da177e4 2095 struct superblock_security_struct *sbsec;
88e67f3b 2096 u32 sid = cred_sid(cred);
1da177e4 2097
1da177e4 2098 sbsec = sb->s_security;
6b6bc620
SS		 2099 return avc_has_perm(&selinux_state,
2100 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2101}
2102
2103/* Convert a Linux mode and permission mask to an access vector. */
2104static inline u32 file_mask_to_av(int mode, int mask)
2105{
2106 u32 av = 0;
2107
dba19c60 2108 if (!S_ISDIR(mode)) {
1da177e4
LT		 2109 if (mask & MAY_EXEC)
2110 av |= FILE__EXECUTE;
2111 if (mask & MAY_READ)
2112 av |= FILE__READ;
2113
2114 if (mask & MAY_APPEND)
2115 av |= FILE__APPEND;
2116 else if (mask & MAY_WRITE)
2117 av |= FILE__WRITE;
2118
2119 } else {
2120 if (mask & MAY_EXEC)
2121 av |= DIR__SEARCH;
2122 if (mask & MAY_WRITE)
2123 av |= DIR__WRITE;
2124 if (mask & MAY_READ)
2125 av |= DIR__READ;
2126 }
2127
2128 return av;
2129}
2130
8b6a5a37
EP		 2131/* Convert a Linux file to an access vector. */
2132static inline u32 file_to_av(struct file *file)
2133{
2134 u32 av = 0;
2135
2136 if (file->f_mode & FMODE_READ)
2137 av |= FILE__READ;
2138 if (file->f_mode & FMODE_WRITE) {
2139 if (file->f_flags & O_APPEND)
2140 av |= FILE__APPEND;
2141 else
2142 av |= FILE__WRITE;
2143 }
2144 if (!av) {
2145 /*
2146 * Special file opened with flags 3 for ioctl-only use.
2147 */
2148 av = FILE__IOCTL;
2149 }
2150
2151 return av;
2152}
2153
b0c636b9 2154/*
8b6a5a37 2155 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2156 * open permission.
2157 */
8b6a5a37 2158static inline u32 open_file_to_av(struct file *file)
b0c636b9 2159{
8b6a5a37 2160 u32 av = file_to_av(file);
ccb54478 2161 struct inode *inode = file_inode(file);
b0c636b9 2162
aa8e712c
SS		 2163 if (selinux_policycap_openperm() &&
2164 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2165 av |= FILE__OPEN;
2166
b0c636b9
EP		 2167 return av;
2168}
2169
1da177e4
LT		 2170/* Hook functions begin here. */
2171
79af7307
SS		 2172static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2173{
2174 u32 mysid = current_sid();
2175 u32 mgrsid = task_sid(mgr);
2176
6b6bc620
SS		 2177 return avc_has_perm(&selinux_state,
2178 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2179 BINDER__SET_CONTEXT_MGR, NULL);
2180}
2181
2182static int selinux_binder_transaction(struct task_struct *from,
2183 struct task_struct *to)
2184{
2185 u32 mysid = current_sid();
2186 u32 fromsid = task_sid(from);
2187 u32 tosid = task_sid(to);
2188 int rc;
2189
2190 if (mysid != fromsid) {
6b6bc620
SS		 2191 rc = avc_has_perm(&selinux_state,
2192 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2193 BINDER__IMPERSONATE, NULL);
2194 if (rc)
2195 return rc;
2196 }
2197
6b6bc620
SS		 2198 return avc_has_perm(&selinux_state,
2199 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2200 NULL);
2201}
2202
2203static int selinux_binder_transfer_binder(struct task_struct *from,
2204 struct task_struct *to)
2205{
2206 u32 fromsid = task_sid(from);
2207 u32 tosid = task_sid(to);
2208
6b6bc620
SS		 2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2211 NULL);
2212}
2213
2214static int selinux_binder_transfer_file(struct task_struct *from,
2215 struct task_struct *to,
2216 struct file *file)
2217{
2218 u32 sid = task_sid(to);
2219 struct file_security_struct *fsec = file->f_security;
83da53c5 2220 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2221 struct inode_security_struct *isec;
79af7307
SS		 2222 struct common_audit_data ad;
2223 int rc;
2224
2225 ad.type = LSM_AUDIT_DATA_PATH;
2226 ad.u.path = file->f_path;
2227
2228 if (sid != fsec->sid) {
6b6bc620
SS		 2229 rc = avc_has_perm(&selinux_state,
2230 sid, fsec->sid,
79af7307
SS		 2231 SECCLASS_FD,
2232 FD__USE,
2233 &ad);
2234 if (rc)
2235 return rc;
2236 }
2237
f66e448c
CF		 2238#ifdef CONFIG_BPF_SYSCALL
2239 rc = bpf_fd_pass(file, sid);
2240 if (rc)
2241 return rc;
2242#endif
2243
83da53c5 2244 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2245 return 0;
2246
20cdef8d 2247 isec = backing_inode_security(dentry);
6b6bc620
SS		 2248 return avc_has_perm(&selinux_state,
2249 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2250 &ad);
2251}
2252
9e48858f 2253static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2254 unsigned int mode)
1da177e4 2255{
be0554c9
SS		 2256 u32 sid = current_sid();
2257 u32 csid = task_sid(child);
2258
2259 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2260 return avc_has_perm(&selinux_state,
2261 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2262
6b6bc620
SS		 2263 return avc_has_perm(&selinux_state,
2264 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2265}
2266
2267static int selinux_ptrace_traceme(struct task_struct *parent)
2268{
6b6bc620
SS		 2269 return avc_has_perm(&selinux_state,
2270 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2271 PROCESS__PTRACE, NULL);
1da177e4
LT		 2272}
2273
2274static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2275 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2276{
6b6bc620
SS		 2277 return avc_has_perm(&selinux_state,
2278 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2279 PROCESS__GETCAP, NULL);
1da177e4
LT		 2280}
2281
d84f4f99
DH		 2282static int selinux_capset(struct cred *new, const struct cred *old,
2283 const kernel_cap_t *effective,
2284 const kernel_cap_t *inheritable,
2285 const kernel_cap_t *permitted)
1da177e4 2286{
6b6bc620
SS		 2287 return avc_has_perm(&selinux_state,
2288 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2289 PROCESS__SETCAP, NULL);
1da177e4
LT		 2290}
2291
5626d3e8
JM		 2292/*
2293 * (This comment used to live with the selinux_task_setuid hook,
2294 * which was removed).
2295 *
2296 * Since setuid only affects the current process, and since the SELinux
2297 * controls are not based on the Linux identity attributes, SELinux does not
2298 * need to control this operation. However, SELinux does control the use of
2299 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2300 */
2301
6a9de491
EP		 2302static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2303 int cap, int audit)
1da177e4 2304{
8e4ff6f2 2305 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2306}
2307
1da177e4
LT		 2308static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2309{
88e67f3b 2310 const struct cred *cred = current_cred();
1da177e4
LT		 2311 int rc = 0;
2312
2313 if (!sb)
2314 return 0;
2315
2316 switch (cmds) {
828dfe1d
EP		 2317 case Q_SYNC:
2318 case Q_QUOTAON:
2319 case Q_QUOTAOFF:
2320 case Q_SETINFO:
2321 case Q_SETQUOTA:
88e67f3b 2322 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2323 break;
2324 case Q_GETFMT:
2325 case Q_GETINFO:
2326 case Q_GETQUOTA:
88e67f3b 2327 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2328 break;
2329 default:
2330 rc = 0; /* let the kernel handle invalid cmds */
2331 break;
1da177e4
LT		 2332 }
2333 return rc;
2334}
2335
2336static int selinux_quota_on(struct dentry *dentry)
2337{
88e67f3b
DH		 2338 const struct cred *cred = current_cred();
2339
2875fa00 2340 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2341}
2342
12b3052c 2343static int selinux_syslog(int type)
1da177e4 2344{
1da177e4 2345 switch (type) {
d78ca3cd
KC		 2346 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2347 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2348 return avc_has_perm(&selinux_state,
2349 current_sid(), SECINITSID_KERNEL,
be0554c9 2350 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2351 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2352 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2353 /* Set level of messages printed to console */
2354 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2355 return avc_has_perm(&selinux_state,
2356 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2357 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2358 NULL);
1da177e4 2359 }
be0554c9 2360 /* All other syslog types */
6b6bc620
SS		 2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
be0554c9 2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2364}
2365
2366/*
2367 * Check that a process has enough memory to allocate a new virtual
2368 * mapping. 0 means there is enough memory for the allocation to
2369 * succeed and -ENOMEM implies there is not.
2370 *
1da177e4
LT		 2371 * Do not audit the selinux permission check, as this is applied to all
2372 * processes that allocate mappings.
2373 */
34b4e4aa 2374static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2375{
2376 int rc, cap_sys_admin = 0;
1da177e4 2377
b1d9e6b0 2378 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2379 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2380 if (rc == 0)
2381 cap_sys_admin = 1;
2382
b1d9e6b0 2383 return cap_sys_admin;
1da177e4
LT		 2384}
2385
2386/* binprm security operations */
2387
be0554c9 2388static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2389{
2390 u32 sid = 0;
2391 struct task_struct *tracer;
2392
2393 rcu_read_lock();
be0554c9 2394 tracer = ptrace_parent(current);
0c6181cb
PM		 2395 if (tracer)
2396 sid = task_sid(tracer);
2397 rcu_read_unlock();
2398
2399 return sid;
2400}
2401
7b0d0b40
SS		 2402static int check_nnp_nosuid(const struct linux_binprm *bprm,
2403 const struct task_security_struct *old_tsec,
2404 const struct task_security_struct *new_tsec)
2405{
2406 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2407 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2408 int rc;
af63f419 2409 u32 av;
7b0d0b40
SS		 2410
2411 if (!nnp && !nosuid)
2412 return 0; /* neither NNP nor nosuid */
2413
2414 if (new_tsec->sid == old_tsec->sid)
2415 return 0; /* No change in credentials */
2416
2417 /*
af63f419
SS		 2418 * If the policy enables the nnp_nosuid_transition policy capability,
2419 * then we permit transitions under NNP or nosuid if the
2420 * policy allows the corresponding permission between
2421 * the old and new contexts.
7b0d0b40 2422 */
aa8e712c 2423 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2424 av = 0;
7b0d0b40 2425 if (nnp)
af63f419
SS		 2426 av |= PROCESS2__NNP_TRANSITION;
2427 if (nosuid)
2428 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2429 rc = avc_has_perm(&selinux_state,
2430 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2431 SECCLASS_PROCESS2, av, NULL);
2432 if (!rc)
2433 return 0;
7b0d0b40 2434 }
af63f419
SS		 2435
2436 /*
2437 * We also permit NNP or nosuid transitions to bounded SIDs,
2438 * i.e. SIDs that are guaranteed to only be allowed a subset
2439 * of the permissions of the current SID.
2440 */
aa8e712c
SS		 2441 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2442 new_tsec->sid);
af63f419
SS		 2443 if (!rc)
2444 return 0;
2445
2446 /*
2447 * On failure, preserve the errno values for NNP vs nosuid.
2448 * NNP: Operation not permitted for caller.
2449 * nosuid: Permission denied to file.
2450 */
2451 if (nnp)
2452 return -EPERM;
2453 return -EACCES;
7b0d0b40
SS		 2454}
2455
a6f76f23 2456static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2457{
a6f76f23
DH		 2458 const struct task_security_struct *old_tsec;
2459 struct task_security_struct *new_tsec;
1da177e4 2460 struct inode_security_struct *isec;
2bf49690 2461 struct common_audit_data ad;
496ad9aa 2462 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2463 int rc;
2464
a6f76f23
DH		 2465 /* SELinux context only depends on initial program or script and not
2466 * the script interpreter */
ddb4a144 2467 if (bprm->called_set_creds)
1da177e4
LT		 2468 return 0;
2469
a6f76f23
DH		 2470 old_tsec = current_security();
2471 new_tsec = bprm->cred->security;
83da53c5 2472 isec = inode_security(inode);
1da177e4
LT		 2473
2474 /* Default to the current task SID. */
a6f76f23
DH		 2475 new_tsec->sid = old_tsec->sid;
2476 new_tsec->osid = old_tsec->sid;
1da177e4 2477
28eba5bf 2478 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2479 new_tsec->create_sid = 0;
2480 new_tsec->keycreate_sid = 0;
2481 new_tsec->sockcreate_sid = 0;
1da177e4 2482
a6f76f23
DH		 2483 if (old_tsec->exec_sid) {
2484 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2485 /* Reset exec SID on execve. */
a6f76f23 2486 new_tsec->exec_sid = 0;
259e5e6c 2487
7b0d0b40
SS		 2488 /* Fail on NNP or nosuid if not an allowed transition. */
2489 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2490 if (rc)
2491 return rc;
1da177e4
LT		 2492 } else {
2493 /* Check for a default transition on this program. */
aa8e712c
SS		 2494 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2495 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2496 &new_tsec->sid);
1da177e4
LT		 2497 if (rc)
2498 return rc;
7b0d0b40
SS		 2499
2500 /*
2501 * Fallback to old SID on NNP or nosuid if not an allowed
2502 * transition.
2503 */
2504 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2505 if (rc)
2506 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2507 }
2508
43af5de7
VG		 2509 ad.type = LSM_AUDIT_DATA_FILE;
2510 ad.u.file = bprm->file;
1da177e4 2511
a6f76f23 2512 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2513 rc = avc_has_perm(&selinux_state,
2514 old_tsec->sid, isec->sid,
1da177e4
LT		 2515 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2516 if (rc)
2517 return rc;
2518 } else {
2519 /* Check permissions for the transition. */
6b6bc620
SS		 2520 rc = avc_has_perm(&selinux_state,
2521 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2522 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2523 if (rc)
2524 return rc;
2525
6b6bc620
SS		 2526 rc = avc_has_perm(&selinux_state,
2527 new_tsec->sid, isec->sid,
1da177e4
LT		 2528 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2529 if (rc)
2530 return rc;
2531
a6f76f23
DH		 2532 /* Check for shared state */
2533 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2534 rc = avc_has_perm(&selinux_state,
2535 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2536 SECCLASS_PROCESS, PROCESS__SHARE,
2537 NULL);
2538 if (rc)
2539 return -EPERM;
2540 }
2541
2542 /* Make sure that anyone attempting to ptrace over a task that
2543 * changes its SID has the appropriate permit */
9227dd2a 2544 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2545 u32 ptsid = ptrace_parent_sid();
a6f76f23 2546 if (ptsid != 0) {
6b6bc620
SS		 2547 rc = avc_has_perm(&selinux_state,
2548 ptsid, new_tsec->sid,
a6f76f23
DH		 2549 SECCLASS_PROCESS,
2550 PROCESS__PTRACE, NULL);
2551 if (rc)
2552 return -EPERM;
2553 }
2554 }
1da177e4 2555
a6f76f23
DH		 2556 /* Clear any possibly unsafe personality bits on exec: */
2557 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2558
1da177e4
LT		 2559 /* Enable secure mode for SIDs transitions unless
2560 the noatsecure permission is granted between
2561 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2562 rc = avc_has_perm(&selinux_state,
2563 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2564 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2565 NULL);
2566 bprm->secureexec |= !!rc;
1da177e4
LT		 2567 }
2568
62874c3a 2569 return 0;
1da177e4
LT		 2570}
2571
c3c073f8
AV		 2572static int match_file(const void *p, struct file *file, unsigned fd)
2573{
2574 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2575}
2576
1da177e4 2577/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2578static inline void flush_unauthorized_files(const struct cred *cred,
2579 struct files_struct *files)
1da177e4 2580{
1da177e4 2581 struct file *file, *devnull = NULL;
b20c8122 2582 struct tty_struct *tty;
24ec839c 2583 int drop_tty = 0;
c3c073f8 2584 unsigned n;
1da177e4 2585
24ec839c 2586 tty = get_current_tty();
1da177e4 2587 if (tty) {
4a510969 2588 spin_lock(&tty->files_lock);
37dd0bd0 2589 if (!list_empty(&tty->tty_files)) {
d996b62a 2590 struct tty_file_private *file_priv;
37dd0bd0 2591
1da177e4 2592 /* Revalidate access to controlling tty.
13f8e981
DH		 2593 Use file_path_has_perm on the tty path directly
2594 rather than using file_has_perm, as this particular
2595 open file may belong to another process and we are
2596 only interested in the inode-based check here. */
d996b62a
NP		 2597 file_priv = list_first_entry(&tty->tty_files,
2598 struct tty_file_private, list);
2599 file = file_priv->file;
13f8e981 2600 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2601 drop_tty = 1;
1da177e4 2602 }
4a510969 2603 spin_unlock(&tty->files_lock);
452a00d2 2604 tty_kref_put(tty);
1da177e4 2605 }
98a27ba4
EB		 2606 /* Reset controlling tty. */
2607 if (drop_tty)
2608 no_tty();
1da177e4
LT		 2609
2610 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2611 n = iterate_fd(files, 0, match_file, cred);
2612 if (!n) /* none found? */
2613 return;
1da177e4 2614
c3c073f8 2615 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2616 if (IS_ERR(devnull))
2617 devnull = NULL;
2618 /* replace all the matching ones with this */
2619 do {
2620 replace_fd(n - 1, devnull, 0);
2621 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2622 if (devnull)
c3c073f8 2623 fput(devnull);
1da177e4
LT		 2624}
2625
a6f76f23
DH		 2626/*
2627 * Prepare a process for imminent new credential changes due to exec
2628 */
2629static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2630{
a6f76f23
DH		 2631 struct task_security_struct *new_tsec;
2632 struct rlimit *rlim, *initrlim;
2633 int rc, i;
d84f4f99 2634
a6f76f23
DH		 2635 new_tsec = bprm->cred->security;
2636 if (new_tsec->sid == new_tsec->osid)
2637 return;
1da177e4 2638
a6f76f23
DH		 2639 /* Close files for which the new task SID is not authorized. */
2640 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2641
a6f76f23
DH		 2642 /* Always clear parent death signal on SID transitions. */
2643 current->pdeath_signal = 0;
0356357c 2644
a6f76f23
DH		 2645 /* Check whether the new SID can inherit resource limits from the old
2646 * SID. If not, reset all soft limits to the lower of the current
2647 * task's hard limit and the init task's soft limit.
2648 *
2649 * Note that the setting of hard limits (even to lower them) can be
2650 * controlled by the setrlimit check. The inclusion of the init task's
2651 * soft limit into the computation is to avoid resetting soft limits
2652 * higher than the default soft limit for cases where the default is
2653 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2654 */
6b6bc620
SS		 2655 rc = avc_has_perm(&selinux_state,
2656 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2657 PROCESS__RLIMITINH, NULL);
2658 if (rc) {
eb2d55a3
ON		 2659 /* protect against do_prlimit() */
2660 task_lock(current);
a6f76f23
DH		 2661 for (i = 0; i < RLIM_NLIMITS; i++) {
2662 rlim = current->signal->rlim + i;
2663 initrlim = init_task.signal->rlim + i;
2664 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2665 }
eb2d55a3 2666 task_unlock(current);
baa73d9e
NP		 2667 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2668 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2669 }
2670}
2671
2672/*
a6f76f23
DH		 2673 * Clean up the process immediately after the installation of new credentials
2674 * due to exec
1da177e4 2675 */
a6f76f23 2676static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2677{
a6f76f23 2678 const struct task_security_struct *tsec = current_security();
1da177e4 2679 struct itimerval itimer;
a6f76f23 2680 u32 osid, sid;
1da177e4
LT		 2681 int rc, i;
2682
a6f76f23
DH		 2683 osid = tsec->osid;
2684 sid = tsec->sid;
2685
2686 if (sid == osid)
1da177e4
LT		 2687 return;
2688
a6f76f23
DH		 2689 /* Check whether the new SID can inherit signal state from the old SID.
2690 * If not, clear itimers to avoid subsequent signal generation and
2691 * flush and unblock signals.
2692 *
2693 * This must occur _after_ the task SID has been updated so that any
2694 * kill done after the flush will be checked against the new SID.
2695 */
6b6bc620
SS		 2696 rc = avc_has_perm(&selinux_state,
2697 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2698 if (rc) {
baa73d9e
NP		 2699 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2700 memset(&itimer, 0, sizeof itimer);
2701 for (i = 0; i < 3; i++)
2702 do_setitimer(i, &itimer, NULL);
2703 }
1da177e4 2704 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2705 if (!fatal_signal_pending(current)) {
2706 flush_sigqueue(&current->pending);
2707 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2708 flush_signal_handlers(current, 1);
2709 sigemptyset(&current->blocked);
9e7c8f8c 2710 recalc_sigpending();
3bcac026 2711 }
1da177e4
LT		 2712 spin_unlock_irq(&current->sighand->siglock);
2713 }
2714
a6f76f23
DH		 2715 /* Wake up the parent if it is waiting so that it can recheck
2716 * wait permission to the new task SID. */
ecd6de3c 2717 read_lock(&tasklist_lock);
0b7570e7 2718 __wake_up_parent(current, current->real_parent);
ecd6de3c 2719 read_unlock(&tasklist_lock);
1da177e4
LT		 2720}
2721
2722/* superblock security operations */
2723
2724static int selinux_sb_alloc_security(struct super_block *sb)
2725{
2726 return superblock_alloc_security(sb);
2727}
2728
2729static void selinux_sb_free_security(struct super_block *sb)
2730{
2731 superblock_free_security(sb);
2732}
2733
2734static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2735{
2736 if (plen > olen)
2737 return 0;
2738
2739 return !memcmp(prefix, option, plen);
2740}
2741
2742static inline int selinux_option(char *option, int len)
2743{
832cbd9a
EP		 2744 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2745 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2746 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2747 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2748 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2749}
2750
2751static inline void take_option(char **to, char *from, int *first, int len)
2752{
2753 if (!*first) {
2754 **to = ',';
2755 *to += 1;
3528a953 2756 } else
1da177e4
LT		 2757 *first = 0;
2758 memcpy(*to, from, len);
2759 *to += len;
2760}
2761
828dfe1d
EP		 2762static inline void take_selinux_option(char **to, char *from, int *first,
2763 int len)
3528a953
CO		 2764{
2765 int current_size = 0;
2766
2767 if (!*first) {
2768 **to = '|';
2769 *to += 1;
828dfe1d 2770 } else
3528a953
CO		 2771 *first = 0;
2772
2773 while (current_size < len) {
2774 if (*from != '"') {
2775 **to = *from;
2776 *to += 1;
2777 }
2778 from += 1;
2779 current_size += 1;
2780 }
2781}
2782
e0007529 2783static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2784{
2785 int fnosec, fsec, rc = 0;
2786 char *in_save, *in_curr, *in_end;
2787 char *sec_curr, *nosec_save, *nosec;
3528a953 2788 int open_quote = 0;
1da177e4
LT		 2789
2790 in_curr = orig;
2791 sec_curr = copy;
2792
1da177e4
LT		 2793 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2794 if (!nosec) {
2795 rc = -ENOMEM;
2796 goto out;
2797 }
2798
2799 nosec_save = nosec;
2800 fnosec = fsec = 1;
2801 in_save = in_end = orig;
2802
2803 do {
3528a953
CO		 2804 if (*in_end == '"')
2805 open_quote = !open_quote;
2806 if ((*in_end == ',' && open_quote == 0) ||
2807 *in_end == '\0') {
1da177e4
LT		 2808 int len = in_end - in_curr;
2809
2810 if (selinux_option(in_curr, len))
3528a953 2811 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2812 else
2813 take_option(&nosec, in_curr, &fnosec, len);
2814
2815 in_curr = in_end + 1;
2816 }
2817 } while (*in_end++);
2818
6931dfc9 2819 strcpy(in_save, nosec_save);
da3caa20 2820 free_page((unsigned long)nosec_save);
1da177e4
LT		 2821out:
2822 return rc;
2823}
2824
026eb167
EP		 2825static int selinux_sb_remount(struct super_block *sb, void *data)
2826{
2827 int rc, i, *flags;
2828 struct security_mnt_opts opts;
2829 char *secdata, **mount_options;
2830 struct superblock_security_struct *sbsec = sb->s_security;
2831
2832 if (!(sbsec->flags & SE_SBINITIALIZED))
2833 return 0;
2834
2835 if (!data)
2836 return 0;
2837
2838 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2839 return 0;
2840
2841 security_init_mnt_opts(&opts);
2842 secdata = alloc_secdata();
2843 if (!secdata)
2844 return -ENOMEM;
2845 rc = selinux_sb_copy_data(data, secdata);
2846 if (rc)
2847 goto out_free_secdata;
2848
2849 rc = selinux_parse_opts_str(secdata, &opts);
2850 if (rc)
2851 goto out_free_secdata;
2852
2853 mount_options = opts.mnt_opts;
2854 flags = opts.mnt_opts_flags;
2855
2856 for (i = 0; i < opts.num_mnt_opts; i++) {
2857 u32 sid;
026eb167 2858
12f348b9 2859 if (flags[i] == SBLABEL_MNT)
026eb167 2860 continue;
aa8e712c
SS		 2861 rc = security_context_str_to_sid(&selinux_state,
2862 mount_options[i], &sid,
2863 GFP_KERNEL);
026eb167 2864 if (rc) {
44be2f65 2865 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2866 "(%s) failed for (dev %s, type %s) errno=%d\n",
2867 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2868 goto out_free_opts;
2869 }
2870 rc = -EINVAL;
2871 switch (flags[i]) {
2872 case FSCONTEXT_MNT:
2873 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2874 goto out_bad_option;
2875 break;
2876 case CONTEXT_MNT:
2877 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2878 goto out_bad_option;
2879 break;
2880 case ROOTCONTEXT_MNT: {
2881 struct inode_security_struct *root_isec;
83da53c5 2882 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2883
2884 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2885 goto out_bad_option;
2886 break;
2887 }
2888 case DEFCONTEXT_MNT:
2889 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2890 goto out_bad_option;
2891 break;
2892 default:
2893 goto out_free_opts;
2894 }
2895 }
2896
2897 rc = 0;
2898out_free_opts:
2899 security_free_mnt_opts(&opts);
2900out_free_secdata:
2901 free_secdata(secdata);
2902 return rc;
2903out_bad_option:
2904 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2905 "during remount (dev %s, type=%s)\n", sb->s_id,
2906 sb->s_type->name);
026eb167
EP		 2907 goto out_free_opts;
2908}
2909
12204e24 2910static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2911{
88e67f3b 2912 const struct cred *cred = current_cred();
2bf49690 2913 struct common_audit_data ad;
1da177e4
LT		 2914 int rc;
2915
2916 rc = superblock_doinit(sb, data);
2917 if (rc)
2918 return rc;
2919
74192246
JM		 2920 /* Allow all mounts performed by the kernel */
2921 if (flags & MS_KERNMOUNT)
2922 return 0;
2923
50c205f5 2924 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2925 ad.u.dentry = sb->s_root;
88e67f3b 2926 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2927}
2928
726c3342 2929static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2930{
88e67f3b 2931 const struct cred *cred = current_cred();
2bf49690 2932 struct common_audit_data ad;
1da177e4 2933
50c205f5 2934 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2935 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2936 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2937}
2938
808d4e3c 2939static int selinux_mount(const char *dev_name,
8a04c43b 2940 const struct path *path,
808d4e3c 2941 const char *type,
828dfe1d
EP		 2942 unsigned long flags,
2943 void *data)
1da177e4 2944{
88e67f3b 2945 const struct cred *cred = current_cred();
1da177e4
LT		 2946
2947 if (flags & MS_REMOUNT)
d8c9584e 2948 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2949 FILESYSTEM__REMOUNT, NULL);
1da177e4 2950 else
2875fa00 2951 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2952}
2953
2954static int selinux_umount(struct vfsmount *mnt, int flags)
2955{
88e67f3b 2956 const struct cred *cred = current_cred();
1da177e4 2957
88e67f3b 2958 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2959 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2960}
2961
2962/* inode security operations */
2963
2964static int selinux_inode_alloc_security(struct inode *inode)
2965{
2966 return inode_alloc_security(inode);
2967}
2968
2969static void selinux_inode_free_security(struct inode *inode)
2970{
2971 inode_free_security(inode);
2972}
2973
d47be3df 2974static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2975 const struct qstr *name, void **ctx,
d47be3df
DQ		 2976 u32 *ctxlen)
2977{
d47be3df
DQ		 2978 u32 newsid;
2979 int rc;
2980
c957f6df
VG		 2981 rc = selinux_determine_inode_label(current_security(),
2982 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2983 inode_mode_to_security_class(mode),
2984 &newsid);
2985 if (rc)
2986 return rc;
d47be3df 2987
aa8e712c
SS		 2988 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2989 ctxlen);
d47be3df
DQ		 2990}
2991
a518b0a5
VG		 2992static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2993 struct qstr *name,
2994 const struct cred *old,
2995 struct cred *new)
2996{
2997 u32 newsid;
2998 int rc;
2999 struct task_security_struct *tsec;
3000
3001 rc = selinux_determine_inode_label(old->security,
3002 d_inode(dentry->d_parent), name,
3003 inode_mode_to_security_class(mode),
3004 &newsid);
3005 if (rc)
3006 return rc;
3007
3008 tsec = new->security;
3009 tsec->create_sid = newsid;
3010 return 0;
3011}
3012
5e41ff9e 3013static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 3014 const struct qstr *qstr,
3015 const char **name,
2a7dba39 3016 void **value, size_t *len)
5e41ff9e 3017{
5fb49870 3018 const struct task_security_struct *tsec = current_security();
5e41ff9e 3019 struct superblock_security_struct *sbsec;
c0d4f464 3020 u32 newsid, clen;
5e41ff9e 3021 int rc;
9548906b 3022 char *context;
5e41ff9e 3023
5e41ff9e 3024 sbsec = dir->i_sb->s_security;
5e41ff9e 3025
275bb41e
DH		 3026 newsid = tsec->create_sid;
3027
c957f6df 3028 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 3029 dir, qstr,
3030 inode_mode_to_security_class(inode->i_mode),
3031 &newsid);
3032 if (rc)
3033 return rc;
5e41ff9e 3034
296fddf7 3035 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 3036 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 3037 struct inode_security_struct *isec = inode->i_security;
3038 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3039 isec->sid = newsid;
6f3be9f5 3040 isec->initialized = LABEL_INITIALIZED;
296fddf7 3041 }
5e41ff9e 3042
aa8e712c 3043 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 3044 return -EOPNOTSUPP;
3045
9548906b
TH		 3046 if (name)
3047 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 3048
570bc1c2 3049 if (value && len) {
aa8e712c
SS		 3050 rc = security_sid_to_context_force(&selinux_state, newsid,
3051 &context, &clen);
9548906b 3052 if (rc)
570bc1c2 3053 return rc;
570bc1c2
SS		 3054 *value = context;
3055 *len = clen;
5e41ff9e 3056 }
5e41ff9e 3057
5e41ff9e
SS		 3058 return 0;
3059}
3060
4acdaf27 3061static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3062{
3063 return may_create(dir, dentry, SECCLASS_FILE);
3064}
3065
1da177e4
LT		 3066static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3067{
1da177e4
LT		 3068 return may_link(dir, old_dentry, MAY_LINK);
3069}
3070
1da177e4
LT		 3071static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3072{
1da177e4
LT		 3073 return may_link(dir, dentry, MAY_UNLINK);
3074}
3075
3076static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3077{
3078 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3079}
3080
18bb1db3 3081static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3082{
3083 return may_create(dir, dentry, SECCLASS_DIR);
3084}
3085
1da177e4
LT		 3086static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3087{
3088 return may_link(dir, dentry, MAY_RMDIR);
3089}
3090
1a67aafb 3091static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3092{
1da177e4
LT		 3093 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3094}
3095
1da177e4 3096static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3097 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3098{
3099 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3100}
3101
1da177e4
LT		 3102static int selinux_inode_readlink(struct dentry *dentry)
3103{
88e67f3b
DH		 3104 const struct cred *cred = current_cred();
3105
2875fa00 3106 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3107}
3108
bda0be7a
N		 3109static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3110 bool rcu)
1da177e4 3111{
88e67f3b 3112 const struct cred *cred = current_cred();
bda0be7a
N		 3113 struct common_audit_data ad;
3114 struct inode_security_struct *isec;
3115 u32 sid;
1da177e4 3116
bda0be7a
N		 3117 validate_creds(cred);
3118
3119 ad.type = LSM_AUDIT_DATA_DENTRY;
3120 ad.u.dentry = dentry;
3121 sid = cred_sid(cred);
5d226df4
AG		 3122 isec = inode_security_rcu(inode, rcu);
3123 if (IS_ERR(isec))
3124 return PTR_ERR(isec);
bda0be7a 3125
6b6bc620
SS		 3126 return avc_has_perm_flags(&selinux_state,
3127 sid, isec->sid, isec->sclass, FILE__READ, &ad,
bda0be7a 3128 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3129}
3130
d4cf970d
EP		 3131static noinline int audit_inode_permission(struct inode *inode,
3132 u32 perms, u32 audited, u32 denied,
626b9740 3133 int result,
d4cf970d 3134 unsigned flags)
1da177e4 3135{
b782e0a6 3136 struct common_audit_data ad;
d4cf970d
EP		 3137 struct inode_security_struct *isec = inode->i_security;
3138 int rc;
3139
50c205f5 3140 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3141 ad.u.inode = inode;
3142
6b6bc620
SS		 3143 rc = slow_avc_audit(&selinux_state,
3144 current_sid(), isec->sid, isec->sclass, perms,
626b9740 3145 audited, denied, result, &ad, flags);
d4cf970d
EP		 3146 if (rc)
3147 return rc;
3148 return 0;
3149}
3150
e74f71eb 3151static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3152{
88e67f3b 3153 const struct cred *cred = current_cred();
b782e0a6
EP		 3154 u32 perms;
3155 bool from_access;
cf1dd1da 3156 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3157 struct inode_security_struct *isec;
3158 u32 sid;
3159 struct av_decision avd;
3160 int rc, rc2;
3161 u32 audited, denied;
1da177e4 3162
b782e0a6 3163 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3164 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3165
b782e0a6
EP		 3166 /* No permission to check. Existence test. */
3167 if (!mask)
1da177e4 3168 return 0;
1da177e4 3169
2e334057 3170 validate_creds(cred);
b782e0a6 3171
2e334057
EP		 3172 if (unlikely(IS_PRIVATE(inode)))
3173 return 0;
b782e0a6
EP		 3174
3175 perms = file_mask_to_av(inode->i_mode, mask);
3176
2e334057 3177 sid = cred_sid(cred);
5d226df4
AG		 3178 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3179 if (IS_ERR(isec))
3180 return PTR_ERR(isec);
2e334057 3181
6b6bc620
SS		 3182 rc = avc_has_perm_noaudit(&selinux_state,
3183 sid, isec->sid, isec->sclass, perms, 0, &avd);
2e334057
EP		 3184 audited = avc_audit_required(perms, &avd, rc,
3185 from_access ? FILE__AUDIT_ACCESS : 0,
3186 &denied);
3187 if (likely(!audited))
3188 return rc;
3189
626b9740 3190 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3191 if (rc2)
3192 return rc2;
3193 return rc;
1da177e4
LT		 3194}
3195
3196static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3197{
88e67f3b 3198 const struct cred *cred = current_cred();
ccb54478 3199 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3200 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3201 __u32 av = FILE__WRITE;
1da177e4 3202
bc6a6008
AW		 3203 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3204 if (ia_valid & ATTR_FORCE) {
3205 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3206 ATTR_FORCE);
3207 if (!ia_valid)
3208 return 0;
3209 }
1da177e4 3210
bc6a6008
AW		 3211 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3212 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3213 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3214
aa8e712c 3215 if (selinux_policycap_openperm() &&
ccb54478
SS		 3216 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3217 (ia_valid & ATTR_SIZE) &&
3218 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3219 av |= FILE__OPEN;
3220
3221 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3222}
3223
3f7036a0 3224static int selinux_inode_getattr(const struct path *path)
1da177e4 3225{
3f7036a0 3226 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3227}
3228
db59000a
SS		 3229static bool has_cap_mac_admin(bool audit)
3230{
3231 const struct cred *cred = current_cred();
3232 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3233
3234 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3235 return false;
3236 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3237 return false;
3238 return true;
3239}
3240
8f0cfa52
DH		 3241static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3242 const void *value, size_t size, int flags)
1da177e4 3243{
c6f493d6 3244 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3245 struct inode_security_struct *isec;
1da177e4 3246 struct superblock_security_struct *sbsec;
2bf49690 3247 struct common_audit_data ad;
275bb41e 3248 u32 newsid, sid = current_sid();
1da177e4
LT		 3249 int rc = 0;
3250
6b240306
EB		 3251 if (strcmp(name, XATTR_NAME_SELINUX)) {
3252 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3253 if (rc)
3254 return rc;
3255
3256 /* Not an attribute we recognize, so just check the
3257 ordinary setattr permission. */
3258 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3259 }
1da177e4
LT		 3260
3261 sbsec = inode->i_sb->s_security;
12f348b9 3262 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3263 return -EOPNOTSUPP;
3264
2e149670 3265 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3266 return -EPERM;
3267
50c205f5 3268 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3269 ad.u.dentry = dentry;
1da177e4 3270
20cdef8d 3271 isec = backing_inode_security(dentry);
6b6bc620
SS		 3272 rc = avc_has_perm(&selinux_state,
3273 sid, isec->sid, isec->sclass,
1da177e4
LT		 3274 FILE__RELABELFROM, &ad);
3275 if (rc)
3276 return rc;
3277
aa8e712c
SS		 3278 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3279 GFP_KERNEL);
12b29f34 3280 if (rc == -EINVAL) {
db59000a 3281 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3282 struct audit_buffer *ab;
3283 size_t audit_size;
d6ea83ec
EP		 3284
3285 /* We strip a nul only if it is at the end, otherwise the
3286 * context contains a nul and we should audit that */
e3fea3f7 3287 if (value) {
add24372
CIK		 3288 const char *str = value;
3289
e3fea3f7
AV		 3290 if (str[size - 1] == '\0')
3291 audit_size = size - 1;
3292 else
3293 audit_size = size;
3294 } else {
e3fea3f7
AV		 3295 audit_size = 0;
3296 }
d6ea83ec
EP		 3297 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3298 audit_log_format(ab, "op=setxattr invalid_context=");
3299 audit_log_n_untrustedstring(ab, value, audit_size);
3300 audit_log_end(ab);
3301
12b29f34 3302 return rc;
d6ea83ec 3303 }
aa8e712c
SS		 3304 rc = security_context_to_sid_force(&selinux_state, value,
3305 size, &newsid);
12b29f34 3306 }
1da177e4
LT		 3307 if (rc)
3308 return rc;
3309
6b6bc620
SS		 3310 rc = avc_has_perm(&selinux_state,
3311 sid, newsid, isec->sclass,
1da177e4
LT		 3312 FILE__RELABELTO, &ad);
3313 if (rc)
3314 return rc;
3315
aa8e712c
SS		 3316 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3317 sid, isec->sclass);
1da177e4
LT		 3318 if (rc)
3319 return rc;
3320
6b6bc620
SS		 3321 return avc_has_perm(&selinux_state,
3322 newsid,
1da177e4
LT		 3323 sbsec->sid,
3324 SECCLASS_FILESYSTEM,
3325 FILESYSTEM__ASSOCIATE,
3326 &ad);
3327}
3328
8f0cfa52 3329static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3330 const void *value, size_t size,
8f0cfa52 3331 int flags)
1da177e4 3332{
c6f493d6 3333 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3334 struct inode_security_struct *isec;
1da177e4
LT		 3335 u32 newsid;
3336 int rc;
3337
3338 if (strcmp(name, XATTR_NAME_SELINUX)) {
3339 /* Not an attribute we recognize, so nothing to do. */
3340 return;
3341 }
3342
aa8e712c
SS		 3343 rc = security_context_to_sid_force(&selinux_state, value, size,
3344 &newsid);
1da177e4 3345 if (rc) {
12b29f34
SS		 3346 printk(KERN_ERR "SELinux: unable to map context to SID"
3347 "for (%s, %lu), rc=%d\n",
3348 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3349 return;
3350 }
3351
20cdef8d 3352 isec = backing_inode_security(dentry);
9287aed2 3353 spin_lock(&isec->lock);
aa9c2669 3354 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3355 isec->sid = newsid;
6f3be9f5 3356 isec->initialized = LABEL_INITIALIZED;
9287aed2 3357 spin_unlock(&isec->lock);
aa9c2669 3358
1da177e4
LT		 3359 return;
3360}
3361
8f0cfa52 3362static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3363{
88e67f3b
DH		 3364 const struct cred *cred = current_cred();
3365
2875fa00 3366 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3367}
3368
828dfe1d 3369static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3370{
88e67f3b
DH		 3371 const struct cred *cred = current_cred();
3372
2875fa00 3373 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3374}
3375
8f0cfa52 3376static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3377{
6b240306
EB		 3378 if (strcmp(name, XATTR_NAME_SELINUX)) {
3379 int rc = cap_inode_removexattr(dentry, name);
3380 if (rc)
3381 return rc;
3382
3383 /* Not an attribute we recognize, so just check the
3384 ordinary setattr permission. */
3385 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3386 }
1da177e4
LT		 3387
3388 /* No one is allowed to remove a SELinux security label.
3389 You can change the label, but all data must be labeled. */
3390 return -EACCES;
3391}
3392
d381d8a9 3393/*
abc69bb6 3394 * Copy the inode security context value to the user.
d381d8a9
JM		 3395 *
3396 * Permission check is handled by selinux_inode_getxattr hook.
3397 */
ea861dfd 3398static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3399{
42492594
DQ		 3400 u32 size;
3401 int error;
3402 char *context = NULL;
20cdef8d 3403 struct inode_security_struct *isec;
d381d8a9 3404
8c8570fb
DK		 3405 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3406 return -EOPNOTSUPP;
d381d8a9 3407
abc69bb6
SS		 3408 /*
3409 * If the caller has CAP_MAC_ADMIN, then get the raw context
3410 * value even if it is not defined by current policy; otherwise,
3411 * use the in-core value under current policy.
3412 * Use the non-auditing forms of the permission checks since
3413 * getxattr may be called by unprivileged processes commonly
3414 * and lack of permission just means that we fall back to the
3415 * in-core context value, not a denial.
3416 */
20cdef8d 3417 isec = inode_security(inode);
db59000a 3418 if (has_cap_mac_admin(false))
aa8e712c
SS		 3419 error = security_sid_to_context_force(&selinux_state,
3420 isec->sid, &context,
abc69bb6
SS		 3421 &size);
3422 else
aa8e712c
SS		 3423 error = security_sid_to_context(&selinux_state, isec->sid,
3424 &context, &size);
42492594
DQ		 3425 if (error)
3426 return error;
3427 error = size;
3428 if (alloc) {
3429 *buffer = context;
3430 goto out_nofree;
3431 }
3432 kfree(context);
3433out_nofree:
3434 return error;
1da177e4
LT		 3435}
3436
3437static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3438 const void *value, size_t size, int flags)
1da177e4 3439{
2c97165b 3440 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3441 u32 newsid;
3442 int rc;
3443
3444 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3445 return -EOPNOTSUPP;
3446
3447 if (!value || !size)
3448 return -EACCES;
3449
aa8e712c
SS		 3450 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3451 GFP_KERNEL);
1da177e4
LT		 3452 if (rc)
3453 return rc;
3454
9287aed2 3455 spin_lock(&isec->lock);
aa9c2669 3456 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3457 isec->sid = newsid;
6f3be9f5 3458 isec->initialized = LABEL_INITIALIZED;
9287aed2 3459 spin_unlock(&isec->lock);
1da177e4
LT		 3460 return 0;
3461}
3462
3463static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3464{
3465 const int len = sizeof(XATTR_NAME_SELINUX);
3466 if (buffer && len <= buffer_size)
3467 memcpy(buffer, XATTR_NAME_SELINUX, len);
3468 return len;
3469}
3470
d6335d77 3471static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3472{
e817c2f3 3473 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3474 *secid = isec->sid;
3475}
3476
56909eb3
VG		 3477static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3478{
3479 u32 sid;
3480 struct task_security_struct *tsec;
3481 struct cred *new_creds = *new;
3482
3483 if (new_creds == NULL) {
3484 new_creds = prepare_creds();
3485 if (!new_creds)
3486 return -ENOMEM;
3487 }
3488
3489 tsec = new_creds->security;
3490 /* Get label from overlay inode and set it in create_sid */
3491 selinux_inode_getsecid(d_inode(src), &sid);
3492 tsec->create_sid = sid;
3493 *new = new_creds;
3494 return 0;
3495}
3496
19472b69
VG		 3497static int selinux_inode_copy_up_xattr(const char *name)
3498{
3499 /* The copy_up hook above sets the initial context on an inode, but we
3500 * don't then want to overwrite it by blindly copying all the lower
3501 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3502 */
3503 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3504 return 1; /* Discard */
3505 /*
3506 * Any other attribute apart from SELINUX is not claimed, supported
3507 * by selinux.
3508 */
3509 return -EOPNOTSUPP;
3510}
3511
1da177e4
LT		 3512/* file security operations */
3513
788e7dd4 3514static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3515{
88e67f3b 3516 const struct cred *cred = current_cred();
496ad9aa 3517 struct inode *inode = file_inode(file);
1da177e4 3518
1da177e4
LT		 3519 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3520 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3521 mask |= MAY_APPEND;
3522
389fb800
PM		 3523 return file_has_perm(cred, file,
3524 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3525}
3526
788e7dd4
YN		 3527static int selinux_file_permission(struct file *file, int mask)
3528{
496ad9aa 3529 struct inode *inode = file_inode(file);
20dda18b 3530 struct file_security_struct *fsec = file->f_security;
b197367e 3531 struct inode_security_struct *isec;
20dda18b
SS		 3532 u32 sid = current_sid();
3533
389fb800 3534 if (!mask)
788e7dd4
YN		 3535 /* No permission to check. Existence test. */
3536 return 0;
788e7dd4 3537
b197367e 3538 isec = inode_security(inode);
20dda18b 3539 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3540 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3541 /* No change since file_open check. */
20dda18b
SS		 3542 return 0;
3543
788e7dd4
YN		 3544 return selinux_revalidate_file_permission(file, mask);
3545}
3546
1da177e4
LT		 3547static int selinux_file_alloc_security(struct file *file)
3548{
3549 return file_alloc_security(file);
3550}
3551
3552static void selinux_file_free_security(struct file *file)
3553{
3554 file_free_security(file);
3555}
3556
fa1aa143
JVS		 3557/*
3558 * Check whether a task has the ioctl permission and cmd
3559 * operation to an inode.
3560 */
1d2a168a 3561static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3562 u32 requested, u16 cmd)
3563{
3564 struct common_audit_data ad;
3565 struct file_security_struct *fsec = file->f_security;
3566 struct inode *inode = file_inode(file);
20cdef8d 3567 struct inode_security_struct *isec;
fa1aa143
JVS		 3568 struct lsm_ioctlop_audit ioctl;
3569 u32 ssid = cred_sid(cred);
3570 int rc;
3571 u8 driver = cmd >> 8;
3572 u8 xperm = cmd & 0xff;
3573
3574 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3575 ad.u.op = &ioctl;
3576 ad.u.op->cmd = cmd;
3577 ad.u.op->path = file->f_path;
3578
3579 if (ssid != fsec->sid) {
6b6bc620
SS		 3580 rc = avc_has_perm(&selinux_state,
3581 ssid, fsec->sid,
fa1aa143
JVS		 3582 SECCLASS_FD,
3583 FD__USE,
3584 &ad);
3585 if (rc)
3586 goto out;
3587 }
3588
3589 if (unlikely(IS_PRIVATE(inode)))
3590 return 0;
3591
20cdef8d 3592 isec = inode_security(inode);
6b6bc620
SS		 3593 rc = avc_has_extended_perms(&selinux_state,
3594 ssid, isec->sid, isec->sclass,
3595 requested, driver, xperm, &ad);
fa1aa143
JVS		 3596out:
3597 return rc;
3598}
3599
1da177e4
LT		 3600static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3601 unsigned long arg)
3602{
88e67f3b 3603 const struct cred *cred = current_cred();
0b24dcb7 3604 int error = 0;
1da177e4 3605
0b24dcb7
EP		 3606 switch (cmd) {
3607 case FIONREAD:
3608 /* fall through */
3609 case FIBMAP:
3610 /* fall through */
3611 case FIGETBSZ:
3612 /* fall through */
2f99c369 3613 case FS_IOC_GETFLAGS:
0b24dcb7 3614 /* fall through */
2f99c369 3615 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3616 error = file_has_perm(cred, file, FILE__GETATTR);
3617 break;
1da177e4 3618
2f99c369 3619 case FS_IOC_SETFLAGS:
0b24dcb7 3620 /* fall through */
2f99c369 3621 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3622 error = file_has_perm(cred, file, FILE__SETATTR);
3623 break;
3624
3625 /* sys_ioctl() checks */
3626 case FIONBIO:
3627 /* fall through */
3628 case FIOASYNC:
3629 error = file_has_perm(cred, file, 0);
3630 break;
1da177e4 3631
0b24dcb7
EP		 3632 case KDSKBENT:
3633 case KDSKBSENT:
6a9de491 3634 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3635 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3636 break;
3637
3638 /* default case assumes that the command will go
3639 * to the file's ioctl() function.
3640 */
3641 default:
fa1aa143 3642 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3643 }
3644 return error;
1da177e4
LT		 3645}
3646
fcaaade1
SS		 3647static int default_noexec;
3648
1da177e4
LT		 3649static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3650{
88e67f3b 3651 const struct cred *cred = current_cred();
be0554c9 3652 u32 sid = cred_sid(cred);
d84f4f99 3653 int rc = 0;
88e67f3b 3654
fcaaade1 3655 if (default_noexec &&
892e8cac
SS		 3656 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3657 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3658 /*
3659 * We are making executable an anonymous mapping or a
3660 * private file mapping that will also be writable.
3661 * This has an additional check.
3662 */
6b6bc620
SS		 3663 rc = avc_has_perm(&selinux_state,
3664 sid, sid, SECCLASS_PROCESS,
be0554c9 3665 PROCESS__EXECMEM, NULL);
1da177e4 3666 if (rc)
d84f4f99 3667 goto error;
1da177e4 3668 }
1da177e4
LT		 3669
3670 if (file) {
3671 /* read access is always possible with a mapping */
3672 u32 av = FILE__READ;
3673
3674 /* write access only matters if the mapping is shared */
3675 if (shared && (prot & PROT_WRITE))
3676 av |= FILE__WRITE;
3677
3678 if (prot & PROT_EXEC)
3679 av |= FILE__EXECUTE;
3680
88e67f3b 3681 return file_has_perm(cred, file, av);
1da177e4 3682 }
d84f4f99
DH		 3683
3684error:
3685 return rc;
1da177e4
LT		 3686}
3687
e5467859 3688static int selinux_mmap_addr(unsigned long addr)
1da177e4 3689{
b1d9e6b0 3690 int rc = 0;
1da177e4 3691
a2551df7 3692 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3693 u32 sid = current_sid();
6b6bc620
SS		 3694 rc = avc_has_perm(&selinux_state,
3695 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3696 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3697 }
3698
98883bfd 3699 return rc;
e5467859 3700}
1da177e4 3701
e5467859
AV		 3702static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3703 unsigned long prot, unsigned long flags)
3704{
3ba4bf5f
SS		 3705 struct common_audit_data ad;
3706 int rc;
3707
3708 if (file) {
3709 ad.type = LSM_AUDIT_DATA_FILE;
3710 ad.u.file = file;
3711 rc = inode_has_perm(current_cred(), file_inode(file),
3712 FILE__MAP, &ad);
3713 if (rc)
3714 return rc;
3715 }
3716
aa8e712c 3717 if (selinux_state.checkreqprot)
1da177e4
LT		 3718 prot = reqprot;
3719
3720 return file_map_prot_check(file, prot,
3721 (flags & MAP_TYPE) == MAP_SHARED);
3722}
3723
3724static int selinux_file_mprotect(struct vm_area_struct *vma,
3725 unsigned long reqprot,
3726 unsigned long prot)
3727{
88e67f3b 3728 const struct cred *cred = current_cred();
be0554c9 3729 u32 sid = cred_sid(cred);
1da177e4 3730
aa8e712c 3731 if (selinux_state.checkreqprot)
1da177e4
LT		 3732 prot = reqprot;
3733
fcaaade1
SS		 3734 if (default_noexec &&
3735 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3736 int rc = 0;
db4c9641
SS		 3737 if (vma->vm_start >= vma->vm_mm->start_brk &&
3738 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3739 rc = avc_has_perm(&selinux_state,
3740 sid, sid, SECCLASS_PROCESS,
be0554c9 3741 PROCESS__EXECHEAP, NULL);
db4c9641 3742 } else if (!vma->vm_file &&
c2316dbf
SS		 3743 ((vma->vm_start <= vma->vm_mm->start_stack &&
3744 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3745 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3746 rc = avc_has_perm(&selinux_state,
3747 sid, sid, SECCLASS_PROCESS,
be0554c9 3748 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3749 } else if (vma->vm_file && vma->anon_vma) {
3750 /*
3751 * We are making executable a file mapping that has
3752 * had some COW done. Since pages might have been
3753 * written, check ability to execute the possibly
3754 * modified content. This typically should only
3755 * occur for text relocations.
3756 */
d84f4f99 3757 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3758 }