projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'lsm-pr-20240105' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4 2/*
90aa4f5e 3 * Security-Enhanced Linux (SELinux) security module
1da177e4
LT		 4 *
5 * This file contains the SELinux hook function implementations.
6 *
0fe53224 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
b89999d0 27#include <linux/kernel_read_file.h>
1da177e4 28#include <linux/errno.h>
3f07c014 29#include <linux/sched/signal.h>
29930025 30#include <linux/sched/task.h>
3c4ed7bd 31#include <linux/lsm_hooks.h>
1da177e4
LT		 32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
0b24dcb7 39#include <linux/proc_fs.h>
1da177e4 40#include <linux/swap.h>
1da177e4
LT		 41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
2a7dba39 43#include <linux/dcache.h>
1da177e4 44#include <linux/file.h>
9f3acc31 45#include <linux/fdtable.h>
1da177e4
LT		 46#include <linux/namei.h>
47#include <linux/mount.h>
442155c1
DH		 48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
d452930f
RH		 69#include <linux/sctp.h>
70#include <net/sctp/structs.h>
1da177e4
LT		 71#include <linux/quota.h>
72#include <linux/un.h> /* for Unix socket types */
73#include <net/af_unix.h> /* for Unix socket types */
74#include <linux/parser.h>
75#include <linux/nfs_mount.h>
76#include <net/ipv6.h>
77#include <linux/hugetlb.h>
78#include <linux/personality.h>
1da177e4 79#include <linux/audit.h>
6931dfc9 80#include <linux/string.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
ec27c356 88#include <linux/bpf.h>
ec882da5
OM		 89#include <linux/kernfs.h>
90#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 91#include <uapi/linux/mount.h>
ac5656d8
AG		 92#include <linux/fsnotify.h>
93#include <linux/fanotify.h>
f4d653dc 94#include <linux/io_uring.h>
f3b8788c 95#include <uapi/linux/lsm.h>
1da177e4
LT		 96
97#include "avc.h"
98#include "objsec.h"
99#include "netif.h"
224dfbd8 100#include "netnode.h"
3e112172 101#include "netport.h"
409dcf31 102#include "ibpkey.h"
d28d1e08 103#include "xfrm.h"
c60475bf 104#include "netlabel.h"
9d57a7f9 105#include "audit.h"
7b98a585 106#include "avc_ss.h"
1da177e4 107
6bcdfd2c
RS		 108#define SELINUX_INODE_INIT_XATTRS 1
109
aa8e712c
SS		 110struct selinux_state selinux_state;
111
d621d35e 112/* SECMARK reference count */
56a4ca99 113static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 114
1da177e4 115#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
6c5a682e 116static int selinux_enforcing_boot __initdata;
1da177e4
LT		 117
118static int __init enforcing_setup(char *str)
119{
f5269710 120 unsigned long enforcing;
29707b20 121 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 122 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 123 return 1;
124}
125__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 126#else
127#define selinux_enforcing_boot 1
1da177e4
LT		 128#endif
129
6c5a682e 130int selinux_enabled_boot __initdata = 1;
1da177e4 131#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 132static int __init selinux_enabled_setup(char *str)
133{
f5269710 134 unsigned long enabled;
29707b20 135 if (!kstrtoul(str, 0, &enabled))
6c5a682e 136 selinux_enabled_boot = enabled ? 1 : 0;
1da177e4
LT		 137 return 1;
138}
139__setup("selinux=", selinux_enabled_setup);
140#endif
141
aa8e712c
SS		 142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
e9c38f9f 146 if (!kstrtoul(str, 0, &checkreqprot)) {
e9c38f9f 147 if (checkreqprot)
a7e4676e 148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
e9c38f9f 149 }
aa8e712c
SS		 150 return 1;
151}
152__setup("checkreqprot=", checkreqprot_setup);
153
d621d35e
PM		 154/**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 163 *
164 */
165static int selinux_secmark_enabled(void)
166{
aa8e712c
SS		 167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 169}
170
171/**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181static int selinux_peerlbl_enabled(void)
182{
aa8e712c
SS		 183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 185}
186
615e51fd
PM		 187static int selinux_netcache_avc_callback(u32 event)
188{
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196}
197
8f408ab6
DJ		 198static int selinux_lsm_notifier_avc_callback(u32 event)
199{
409dcf31
DJ		 200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
42df744c 202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 203 }
8f408ab6
DJ		 204
205 return 0;
206}
207
d84f4f99
DH		 208/*
209 * initialise the security for the init task
210 */
211static void cred_init_security(void)
1da177e4
LT		 212{
213 struct task_security_struct *tsec;
214
cdeea454 215 tsec = selinux_cred(unrcu_pointer(current->real_cred));
d84f4f99 216 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 217}
218
88e67f3b
DH		 219/*
220 * get the security ID of a set of credentials
221 */
222static inline u32 cred_sid(const struct cred *cred)
223{
224 const struct task_security_struct *tsec;
225
0c6cfa62 226 tsec = selinux_cred(cred);
88e67f3b
DH		 227 return tsec->sid;
228}
229
dd51fcd4
PA		 230static void __ad_net_init(struct common_audit_data *ad,
231 struct lsm_network_audit *net,
232 int ifindex, struct sock *sk, u16 family)
233{
234 ad->type = LSM_AUDIT_DATA_NET;
235 ad->u.net = net;
236 net->netif = ifindex;
237 net->sk = sk;
238 net->family = family;
239}
240
241static void ad_net_init_from_sk(struct common_audit_data *ad,
242 struct lsm_network_audit *net,
243 struct sock *sk)
244{
245 __ad_net_init(ad, net, 0, sk, 0);
246}
247
248static void ad_net_init_from_iif(struct common_audit_data *ad,
249 struct lsm_network_audit *net,
250 int ifindex, u16 family)
251{
3876043a 252 __ad_net_init(ad, net, ifindex, NULL, family);
dd51fcd4
PA		 253}
254
275bb41e 255/*
3b11a1de 256 * get the objective security ID of a task
275bb41e 257 */
eb1231f7 258static inline u32 task_sid_obj(const struct task_struct *task)
275bb41e 259{
275bb41e
DH		 260 u32 sid;
261
262 rcu_read_lock();
88e67f3b 263 sid = cred_sid(__task_cred(task));
275bb41e
DH		 264 rcu_read_unlock();
265 return sid;
266}
267
5d226df4
AG		 268static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
269
270/*
271 * Try reloading inode security labels that have been marked as invalid. The
272 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 273 * allowed; when set to false, returns -ECHILD when the label is
e9193288 274 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 275 */
276static int __inode_security_revalidate(struct inode *inode,
e9193288 277 struct dentry *dentry,
5d226df4
AG		 278 bool may_sleep)
279{
80788c22 280 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 281
282 might_sleep_if(may_sleep);
283
e67b7985 284 if (selinux_initialized() &&
aa8e712c 285 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 286 if (!may_sleep)
287 return -ECHILD;
288
289 /*
290 * Try reloading the inode security label. This will fail if
291 * @opt_dentry is NULL and no dentry for this inode can be
292 * found; in that case, continue using the old label.
293 */
e9193288 294 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 295 }
296 return 0;
297}
298
5d226df4
AG		 299static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
300{
80788c22 301 return selinux_inode(inode);
5d226df4
AG		 302}
303
304static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
305{
306 int error;
307
308 error = __inode_security_revalidate(inode, NULL, !rcu);
309 if (error)
310 return ERR_PTR(error);
80788c22 311 return selinux_inode(inode);
5d226df4
AG		 312}
313
83da53c5
AG		 314/*
315 * Get the security label of an inode.
316 */
317static struct inode_security_struct *inode_security(struct inode *inode)
318{
5d226df4 319 __inode_security_revalidate(inode, NULL, true);
80788c22 320 return selinux_inode(inode);
83da53c5
AG		 321}
322
2c97165b
PM		 323static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
324{
325 struct inode *inode = d_backing_inode(dentry);
326
80788c22 327 return selinux_inode(inode);
2c97165b
PM		 328}
329
83da53c5
AG		 330/*
331 * Get the security label of a dentry's backing inode.
332 */
333static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
334{
335 struct inode *inode = d_backing_inode(dentry);
336
5d226df4 337 __inode_security_revalidate(inode, dentry, true);
80788c22 338 return selinux_inode(inode);
83da53c5
AG		 339}
340
1da177e4
LT		 341static void inode_free_security(struct inode *inode)
342{
80788c22 343 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 344 struct superblock_security_struct *sbsec;
1da177e4 345
afb1cbe3
CS		 346 if (!isec)
347 return;
1aea7808 348 sbsec = selinux_superblock(inode->i_sb);
9629d04a
WL		 349 /*
350 * As not all inode security structures are in a list, we check for
351 * empty list outside of the lock to make sure that we won't waste
352 * time taking a lock doing nothing.
353 *
354 * The list_del_init() function can be safely called more than once.
355 * It should not be possible for this function to be called with
356 * concurrent list_add(), but for better safety against future changes
357 * in the code, we use list_empty_careful() here.
358 */
359 if (!list_empty_careful(&isec->list)) {
360 spin_lock(&sbsec->isec_lock);
1da177e4 361 list_del_init(&isec->list);
9629d04a
WL		 362 spin_unlock(&sbsec->isec_lock);
363 }
1da177e4
LT		 364}
365
bd323655 366struct selinux_mnt_opts {
b8b87fd9
SM		 367 u32 fscontext_sid;
368 u32 context_sid;
369 u32 rootcontext_sid;
370 u32 defcontext_sid;
bd323655
AV		 371};
372
204cc0cc
AV		 373static void selinux_free_mnt_opts(void *mnt_opts)
374{
70f4169a 375 kfree(mnt_opts);
204cc0cc
AV		 376}
377
1da177e4 378enum {
31e87930 379 Opt_error = -1,
442155c1
DH		 380 Opt_context = 0,
381 Opt_defcontext = 1,
1da177e4 382 Opt_fscontext = 2,
442155c1
DH		 383 Opt_rootcontext = 3,
384 Opt_seclabel = 4,
1da177e4
LT		 385};
386
da3d76ab 387#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
4158cb60 388static const struct {
169d68ef
AV		 389 const char *name;
390 int len;
391 int opt;
392 bool has_arg;
393} tokens[] = {
da3d76ab
AV		 394 A(context, true),
395 A(fscontext, true),
396 A(defcontext, true),
397 A(rootcontext, true),
398 A(seclabel, false),
1da177e4 399};
169d68ef
AV		 400#undef A
401
402static int match_opt_prefix(char *s, int l, char **arg)
403{
404 int i;
405
406 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
407 size_t len = tokens[i].len;
408 if (len > l || memcmp(s, tokens[i].name, len))
409 continue;
410 if (tokens[i].has_arg) {
411 if (len == l || s[len] != '=')
412 continue;
413 *arg = s + len + 1;
414 } else if (len != l)
415 continue;
416 return tokens[i].opt;
417 }
418 return Opt_error;
419}
1da177e4
LT		 420
421#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
422
c312feb2
EP		 423static int may_context_mount_sb_relabel(u32 sid,
424 struct superblock_security_struct *sbsec,
275bb41e 425 const struct cred *cred)
c312feb2 426{
0c6cfa62 427 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 428 int rc;
429
e67b7985 430 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 431 FILESYSTEM__RELABELFROM, NULL);
432 if (rc)
433 return rc;
434
e67b7985 435 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 436 FILESYSTEM__RELABELTO, NULL);
437 return rc;
438}
439
0808925e
EP		 440static int may_context_mount_inode_relabel(u32 sid,
441 struct superblock_security_struct *sbsec,
275bb41e 442 const struct cred *cred)
0808925e 443{
0c6cfa62 444 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 445 int rc;
e67b7985 446 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 447 FILESYSTEM__RELABELFROM, NULL);
448 if (rc)
449 return rc;
450
e67b7985 451 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 452 FILESYSTEM__ASSOCIATE, NULL);
453 return rc;
454}
455
a83d6dda 456static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 457{
a83d6dda
OM		 458 /* Special handling. Genfs but also in-core setxattr handler */
459 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 460 !strcmp(sb->s_type->name, "pstore") ||
461 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 462 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 463 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 464 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 465 (!strcmp(sb->s_type->name, "cgroup") ||
466 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 467}
468
a83d6dda
OM		 469static int selinux_is_sblabel_mnt(struct super_block *sb)
470{
1aea7808 471 struct superblock_security_struct *sbsec = selinux_superblock(sb);
a83d6dda
OM		 472
473 /*
474 * IMPORTANT: Double-check logic in this function when adding a new
475 * SECURITY_FS_USE_* definition!
476 */
477 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
478
479 switch (sbsec->behavior) {
480 case SECURITY_FS_USE_XATTR:
481 case SECURITY_FS_USE_TRANS:
482 case SECURITY_FS_USE_TASK:
483 case SECURITY_FS_USE_NATIVE:
484 return 1;
485
486 case SECURITY_FS_USE_GENFS:
487 return selinux_is_genfs_special_handling(sb);
488
489 /* Never allow relabeling on context mounts */
490 case SECURITY_FS_USE_MNTPOINT:
491 case SECURITY_FS_USE_NONE:
492 default:
493 return 0;
494 }
495}
496
08abe46b
OM		 497static int sb_check_xattr_support(struct super_block *sb)
498{
0266c25e 499 struct superblock_security_struct *sbsec = selinux_superblock(sb);
08abe46b
OM		 500 struct dentry *root = sb->s_root;
501 struct inode *root_inode = d_backing_inode(root);
502 u32 sid;
503 int rc;
504
505 /*
506 * Make sure that the xattr handler exists and that no
507 * error other than -ENODATA is returned by getxattr on
508 * the root directory. -ENODATA is ok, as this may be
509 * the first boot of the SELinux kernel before we have
510 * assigned xattr values to the filesystem.
511 */
512 if (!(root_inode->i_opflags & IOP_XATTR)) {
513 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
514 sb->s_id, sb->s_type->name);
515 goto fallback;
516 }
517
518 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
519 if (rc < 0 && rc != -ENODATA) {
520 if (rc == -EOPNOTSUPP) {
521 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
523 goto fallback;
524 } else {
525 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
526 sb->s_id, sb->s_type->name, -rc);
527 return rc;
528 }
529 }
530 return 0;
531
532fallback:
533 /* No xattr support - try to fallback to genfs if possible. */
e67b7985 534 rc = security_genfs_sid(sb->s_type->name, "/",
08abe46b
OM		 535 SECCLASS_DIR, &sid);
536 if (rc)
537 return -EOPNOTSUPP;
538
539 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
540 sb->s_id, sb->s_type->name);
541 sbsec->behavior = SECURITY_FS_USE_GENFS;
542 sbsec->sid = sid;
543 return 0;
544}
545
c9180a57 546static int sb_finish_set_opts(struct super_block *sb)
1da177e4 547{
1aea7808 548 struct superblock_security_struct *sbsec = selinux_superblock(sb);
c9180a57 549 struct dentry *root = sb->s_root;
c6f493d6 550 struct inode *root_inode = d_backing_inode(root);
c9180a57 551 int rc = 0;
1da177e4 552
c9180a57 553 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
08abe46b
OM		 554 rc = sb_check_xattr_support(sb);
555 if (rc)
556 return rc;
c9180a57 557 }
1da177e4 558
eadcabc6 559 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 560
561 /*
562 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
563 * leave the flag untouched because sb_clone_mnt_opts might be handing
564 * us a superblock that needs the flag to be cleared.
565 */
b43e725d 566 if (selinux_is_sblabel_mnt(sb))
12f348b9 567 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 568 else
569 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 570
c9180a57
EP		 571 /* Initialize the root inode. */
572 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 573
c9180a57
EP		 574 /* Initialize any other inodes associated with the superblock, e.g.
575 inodes created prior to initial policy load or inodes created
576 during get_sb by a pseudo filesystem that directly
577 populates itself. */
578 spin_lock(&sbsec->isec_lock);
8d64124a 579 while (!list_empty(&sbsec->isec_head)) {
c9180a57 580 struct inode_security_struct *isec =
8d64124a 581 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 582 struct inode_security_struct, list);
583 struct inode *inode = isec->inode;
923190d3 584 list_del_init(&isec->list);
c9180a57
EP		 585 spin_unlock(&sbsec->isec_lock);
586 inode = igrab(inode);
587 if (inode) {
588 if (!IS_PRIVATE(inode))
cb89e246 589 inode_doinit_with_dentry(inode, NULL);
c9180a57
EP		 590 iput(inode);
591 }
592 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 593 }
594 spin_unlock(&sbsec->isec_lock);
c9180a57
EP		 595 return rc;
596}
1da177e4 597
c9180a57
EP		 598static int bad_option(struct superblock_security_struct *sbsec, char flag,
599 u32 old_sid, u32 new_sid)
600{
0d90a7ec
DQ		 601 char mnt_flags = sbsec->flags & SE_MNTMASK;
602
c9180a57 603 /* check if the old mount command had the same options */
0d90a7ec 604 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 605 if (!(sbsec->flags & flag) ||
606 (old_sid != new_sid))
607 return 1;
608
609 /* check if we were passed the same options twice,
610 * aka someone passed context=a,context=b
611 */
0d90a7ec
DQ		 612 if (!(sbsec->flags & SE_SBINITIALIZED))
613 if (mnt_flags & flag)
c9180a57
EP		 614 return 1;
615 return 0;
616}
e0007529 617
c9180a57
EP		 618/*
619 * Allow filesystems with binary mount data to explicitly set mount point
620 * labeling information.
621 */
e0007529 622static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 623 void *mnt_opts,
649f6e77
DQ		 624 unsigned long kern_flags,
625 unsigned long *set_kern_flags)
c9180a57 626{
275bb41e 627 const struct cred *cred = current_cred();
1aea7808 628 struct superblock_security_struct *sbsec = selinux_superblock(sb);
b159e86b 629 struct dentry *root = sb->s_root;
bd323655 630 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 631 struct inode_security_struct *root_isec;
c9180a57
EP		 632 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
633 u32 defcontext_sid = 0;
bd323655 634 int rc = 0;
c9180a57 635
cec5fe70
OM		 636 /*
637 * Specifying internal flags without providing a place to
638 * place the results is not allowed
639 */
640 if (kern_flags && !set_kern_flags)
641 return -EINVAL;
642
c9180a57
EP		 643 mutex_lock(&sbsec->lock);
644
e67b7985 645 if (!selinux_initialized()) {
bd323655 646 if (!opts) {
c9180a57
EP		 647 /* Defer initialization until selinux_complete_init,
648 after the initial policy is loaded and the security
649 server is ready to handle calls. */
cec5fe70
OM		 650 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
651 sbsec->flags |= SE_SBNATIVE;
652 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
653 }
c9180a57
EP		 654 goto out;
655 }
656 rc = -EINVAL;
c103a91e 657 pr_warn("SELinux: Unable to set superblock options "
744ba35e 658 "before the security server is initialized\n");
1da177e4 659 goto out;
c9180a57 660 }
1da177e4 661
e0007529
EP		 662 /*
663 * Binary mount data FS will come through this function twice. Once
664 * from an explicit call and once from the generic calls from the vfs.
665 * Since the generic VFS calls will not contain any security mount data
666 * we need to skip the double mount verification.
667 *
668 * This does open a hole in which we will not notice if the first
9691e4f9 669 * mount using this sb set explicit options and a second mount using
e0007529
EP		 670 * this sb does not set any security options. (The first options
671 * will be used for both mounts)
672 */
0d90a7ec 673 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 674 && !opts)
f5269710 675 goto out;
e0007529 676
2c97165b
PM		 677 root_isec = backing_inode_security_novalidate(root);
678
c9180a57
EP		 679 /*
680 * parse the mount options, check if they are valid sids.
681 * also check if someone is trying to mount the same sb more
682 * than once with different security options.
683 */
bd323655 684 if (opts) {
70f4169a
OM		 685 if (opts->fscontext_sid) {
686 fscontext_sid = opts->fscontext_sid;
c9180a57
EP		 687 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
688 fscontext_sid))
689 goto out_double_mount;
c9180a57 690 sbsec->flags |= FSCONTEXT_MNT;
bd323655 691 }
70f4169a
OM		 692 if (opts->context_sid) {
693 context_sid = opts->context_sid;
c9180a57
EP		 694 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
695 context_sid))
696 goto out_double_mount;
c9180a57 697 sbsec->flags |= CONTEXT_MNT;
bd323655 698 }
70f4169a
OM		 699 if (opts->rootcontext_sid) {
700 rootcontext_sid = opts->rootcontext_sid;
c9180a57
EP		 701 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
702 rootcontext_sid))
703 goto out_double_mount;
c9180a57 704 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655 705 }
70f4169a
OM		 706 if (opts->defcontext_sid) {
707 defcontext_sid = opts->defcontext_sid;
c9180a57
EP		 708 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
709 defcontext_sid))
710 goto out_double_mount;
c9180a57 711 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 712 }
c9180a57
EP		 713 }
714
0d90a7ec 715 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 716 /* previously mounted with options, but not on this attempt? */
bd323655 717 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 718 goto out_double_mount;
719 rc = 0;
720 goto out;
721 }
722
089be43e 723 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 724 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
725
8e014720 726 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 727 !strcmp(sb->s_type->name, "tracefs") ||
a20456ae 728 !strcmp(sb->s_type->name, "binder") ||
4ca54d3d 729 !strcmp(sb->s_type->name, "bpf") ||
8a764ef1
CG		 730 !strcmp(sb->s_type->name, "pstore") ||
731 !strcmp(sb->s_type->name, "securityfs"))
b754026b
OM		 732 sbsec->flags |= SE_SBGENFS;
733
734 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 735 !strcmp(sb->s_type->name, "cgroup") ||
736 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 737 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 738
eb9ae686
DQ		 739 if (!sbsec->behavior) {
740 /*
741 * Determine the labeling behavior to use for this
742 * filesystem type.
743 */
e67b7985 744 rc = security_fs_use(sb);
eb9ae686 745 if (rc) {
c103a91e 746 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 747 __func__, sb->s_type->name, rc);
748 goto out;
749 }
c9180a57 750 }
aad82892
SF		 751
752 /*
01593d32
SS		 753 * If this is a user namespace mount and the filesystem type is not
754 * explicitly whitelisted, then no contexts are allowed on the command
755 * line and security labels must be ignored.
aad82892 756 */
01593d32
SS		 757 if (sb->s_user_ns != &init_user_ns &&
758 strcmp(sb->s_type->name, "tmpfs") &&
759 strcmp(sb->s_type->name, "ramfs") &&
7fa2e79a
VG		 760 strcmp(sb->s_type->name, "devpts") &&
761 strcmp(sb->s_type->name, "overlay")) {
aad82892
SF		 762 if (context_sid || fscontext_sid || rootcontext_sid ||
763 defcontext_sid) {
764 rc = -EACCES;
765 goto out;
766 }
767 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
768 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
e67b7985 769 rc = security_transition_sid(current_sid(),
aa8e712c 770 current_sid(),
aad82892
SF		 771 SECCLASS_FILE, NULL,
772 &sbsec->mntpoint_sid);
773 if (rc)
774 goto out;
775 }
776 goto out_set_opts;
777 }
778
c9180a57
EP		 779 /* sets the context of the superblock for the fs being mounted. */
780 if (fscontext_sid) {
275bb41e 781 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 782 if (rc)
c9180a57 783 goto out;
1da177e4 784
c9180a57 785 sbsec->sid = fscontext_sid;
c312feb2
EP		 786 }
787
788 /*
789 * Switch to using mount point labeling behavior.
790 * sets the label used on all file below the mountpoint, and will set
791 * the superblock context if not already set.
792 */
cec5fe70
OM		 793 if (sbsec->flags & SE_SBNATIVE) {
794 /*
795 * This means we are initializing a superblock that has been
796 * mounted before the SELinux was initialized and the
797 * filesystem requested native labeling. We had already
798 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
799 * in the original mount attempt, so now we just need to set
800 * the SECURITY_FS_USE_NATIVE behavior.
801 */
802 sbsec->behavior = SECURITY_FS_USE_NATIVE;
803 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
eb9ae686
DQ		 804 sbsec->behavior = SECURITY_FS_USE_NATIVE;
805 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
806 }
807
c9180a57
EP		 808 if (context_sid) {
809 if (!fscontext_sid) {
275bb41e
DH		 810 rc = may_context_mount_sb_relabel(context_sid, sbsec,
811 cred);
b04ea3ce 812 if (rc)
c9180a57
EP		 813 goto out;
814 sbsec->sid = context_sid;
b04ea3ce 815 } else {
275bb41e
DH		 816 rc = may_context_mount_inode_relabel(context_sid, sbsec,
817 cred);
b04ea3ce 818 if (rc)
c9180a57 819 goto out;
b04ea3ce 820 }
c9180a57
EP		 821 if (!rootcontext_sid)
822 rootcontext_sid = context_sid;
1da177e4 823
c9180a57 824 sbsec->mntpoint_sid = context_sid;
c312feb2 825 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 826 }
827
c9180a57 828 if (rootcontext_sid) {
275bb41e
DH		 829 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
830 cred);
0808925e 831 if (rc)
c9180a57 832 goto out;
0808925e 833
c9180a57 834 root_isec->sid = rootcontext_sid;
6f3be9f5 835 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 836 }
837
c9180a57 838 if (defcontext_sid) {
eb9ae686
DQ		 839 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
840 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 841 rc = -EINVAL;
c103a91e 842 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 843 "invalid for this filesystem type\n");
844 goto out;
1da177e4
LT		 845 }
846
c9180a57
EP		 847 if (defcontext_sid != sbsec->def_sid) {
848 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 849 sbsec, cred);
c9180a57
EP		 850 if (rc)
851 goto out;
852 }
1da177e4 853
c9180a57 854 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 855 }
856
aad82892 857out_set_opts:
c9180a57 858 rc = sb_finish_set_opts(sb);
1da177e4 859out:
c9180a57 860 mutex_unlock(&sbsec->lock);
1da177e4 861 return rc;
c9180a57
EP		 862out_double_mount:
863 rc = -EINVAL;
c103a91e 864 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 865 "security settings for (dev %s, type %s)\n", sb->s_id,
866 sb->s_type->name);
c9180a57 867 goto out;
1da177e4
LT		 868}
869
094f7b69
JL		 870static int selinux_cmp_sb_context(const struct super_block *oldsb,
871 const struct super_block *newsb)
872{
1aea7808
CS		 873 struct superblock_security_struct *old = selinux_superblock(oldsb);
874 struct superblock_security_struct *new = selinux_superblock(newsb);
094f7b69
JL		 875 char oldflags = old->flags & SE_MNTMASK;
876 char newflags = new->flags & SE_MNTMASK;
877
878 if (oldflags != newflags)
879 goto mismatch;
880 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
881 goto mismatch;
882 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
883 goto mismatch;
884 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
885 goto mismatch;
886 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 887 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
888 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 889 if (oldroot->sid != newroot->sid)
890 goto mismatch;
891 }
892 return 0;
893mismatch:
c103a91e 894 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 895 "different security settings for (dev %s, "
896 "type %s)\n", newsb->s_id, newsb->s_type->name);
897 return -EBUSY;
898}
899
900static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 901 struct super_block *newsb,
902 unsigned long kern_flags,
903 unsigned long *set_kern_flags)
1da177e4 904{
0b4d3452 905 int rc = 0;
1aea7808
CS		 906 const struct superblock_security_struct *oldsbsec =
907 selinux_superblock(oldsb);
908 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
1da177e4 909
c9180a57
EP		 910 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
911 int set_context = (oldsbsec->flags & CONTEXT_MNT);
912 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 913
0b4d3452
SM		 914 /*
915 * Specifying internal flags without providing a place to
916 * place the results is not allowed.
917 */
918 if (kern_flags && !set_kern_flags)
919 return -EINVAL;
920
cec5fe70
OM		 921 mutex_lock(&newsbsec->lock);
922
923 /*
924 * if the parent was able to be mounted it clearly had no special lsm
925 * mount options. thus we can safely deal with this superblock later
926 */
927 if (!selinux_initialized()) {
928 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
929 newsbsec->flags |= SE_SBNATIVE;
930 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
931 }
932 goto out;
933 }
934
c9180a57 935 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 936 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 937
094f7b69 938 /* if fs is reusing a sb, make sure that the contexts match */
3815a245 939 if (newsbsec->flags & SE_SBINITIALIZED) {
cec5fe70 940 mutex_unlock(&newsbsec->lock);
3815a245
BF		 941 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
942 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 943 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 944 }
5a552617 945
c9180a57
EP		 946 newsbsec->flags = oldsbsec->flags;
947
948 newsbsec->sid = oldsbsec->sid;
949 newsbsec->def_sid = oldsbsec->def_sid;
950 newsbsec->behavior = oldsbsec->behavior;
951
0b4d3452
SM		 952 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
953 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
e67b7985 954 rc = security_fs_use(newsb);
0b4d3452
SM		 955 if (rc)
956 goto out;
957 }
958
959 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
960 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
961 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
962 }
963
c9180a57
EP		 964 if (set_context) {
965 u32 sid = oldsbsec->mntpoint_sid;
966
967 if (!set_fscontext)
968 newsbsec->sid = sid;
969 if (!set_rootcontext) {
83da53c5 970 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 971 newisec->sid = sid;
972 }
973 newsbsec->mntpoint_sid = sid;
1da177e4 974 }
c9180a57 975 if (set_rootcontext) {
83da53c5
AG		 976 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 978
c9180a57 979 newisec->sid = oldisec->sid;
1da177e4
LT		 980 }
981
c9180a57 982 sb_finish_set_opts(newsb);
0b4d3452 983out:
c9180a57 984 mutex_unlock(&newsbsec->lock);
0b4d3452 985 return rc;
c9180a57
EP		 986}
987
ef54ccb6 988/*
3d9047a0 989 * NOTE: the caller is responsible for freeing the memory even if on error.
ef54ccb6 990 */
ba641862 991static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 992{
ba641862 993 struct selinux_mnt_opts *opts = *mnt_opts;
70f4169a
OM		 994 u32 *dst_sid;
995 int rc;
1da177e4 996
6cd9d4b9
PM		 997 if (token == Opt_seclabel)
998 /* eaten and completely ignored */
169d68ef 999 return 0;
2e08df3c 1000 if (!s)
ef54ccb6 1001 return -EINVAL;
e0007529 1002
e67b7985 1003 if (!selinux_initialized()) {
70f4169a
OM		 1004 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1005 return -EINVAL;
1006 }
1007
ba641862 1008 if (!opts) {
6cd9d4b9 1009 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
ba641862
AV		 1010 if (!opts)
1011 return -ENOMEM;
1012 *mnt_opts = opts;
c9180a57 1013 }
2e08df3c 1014
ba641862
AV		 1015 switch (token) {
1016 case Opt_context:
70f4169a 1017 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 1018 goto err;
70f4169a 1019 dst_sid = &opts->context_sid;
ba641862
AV		 1020 break;
1021 case Opt_fscontext:
70f4169a 1022 if (opts->fscontext_sid)
6cd9d4b9 1023 goto err;
70f4169a 1024 dst_sid = &opts->fscontext_sid;
ba641862
AV		 1025 break;
1026 case Opt_rootcontext:
70f4169a 1027 if (opts->rootcontext_sid)
6cd9d4b9 1028 goto err;
70f4169a 1029 dst_sid = &opts->rootcontext_sid;
ba641862
AV		 1030 break;
1031 case Opt_defcontext:
70f4169a 1032 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 1033 goto err;
70f4169a 1034 dst_sid = &opts->defcontext_sid;
ba641862 1035 break;
70f4169a
OM		 1036 default:
1037 WARN_ON(1);
1038 return -EINVAL;
c9180a57 1039 }
e67b7985 1040 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
70f4169a
OM		 1041 if (rc)
1042 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1043 s, rc);
1044 return rc;
e2e0e097 1045
6cd9d4b9 1046err:
ba641862 1047 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1048 return -EINVAL;
e0007529 1049}
1da177e4 1050
e3489f89 1051static int show_sid(struct seq_file *m, u32 sid)
2069f457 1052{
e3489f89
AV		 1053 char *context = NULL;
1054 u32 len;
1055 int rc;
11689d47 1056
e67b7985 1057 rc = security_sid_to_context(sid, &context, &len);
e3489f89 1058 if (!rc) {
4d3d0ed6 1059 bool has_comma = strchr(context, ',');
2069f457 1060
442155c1 1061 seq_putc(m, '=');
2069f457
EP		 1062 if (has_comma)
1063 seq_putc(m, '\"');
e3489f89 1064 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1065 if (has_comma)
1066 seq_putc(m, '\"');
1067 }
e3489f89
AV		 1068 kfree(context);
1069 return rc;
2069f457
EP		 1070}
1071
1072static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1073{
1aea7808 1074 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2069f457
EP		 1075 int rc;
1076
e3489f89
AV		 1077 if (!(sbsec->flags & SE_SBINITIALIZED))
1078 return 0;
2069f457 1079
e67b7985 1080 if (!selinux_initialized())
e3489f89 1081 return 0;
2069f457 1082
e3489f89
AV		 1083 if (sbsec->flags & FSCONTEXT_MNT) {
1084 seq_putc(m, ',');
1085 seq_puts(m, FSCONTEXT_STR);
1086 rc = show_sid(m, sbsec->sid);
1087 if (rc)
1088 return rc;
1089 }
1090 if (sbsec->flags & CONTEXT_MNT) {
1091 seq_putc(m, ',');
1092 seq_puts(m, CONTEXT_STR);
1093 rc = show_sid(m, sbsec->mntpoint_sid);
1094 if (rc)
1095 return rc;
1096 }
1097 if (sbsec->flags & DEFCONTEXT_MNT) {
1098 seq_putc(m, ',');
1099 seq_puts(m, DEFCONTEXT_STR);
1100 rc = show_sid(m, sbsec->def_sid);
1101 if (rc)
1102 return rc;
1103 }
1104 if (sbsec->flags & ROOTCONTEXT_MNT) {
b159e86b 1105 struct dentry *root = sb->s_root;
e3489f89
AV		 1106 struct inode_security_struct *isec = backing_inode_security(root);
1107 seq_putc(m, ',');
1108 seq_puts(m, ROOTCONTEXT_STR);
1109 rc = show_sid(m, isec->sid);
1110 if (rc)
1111 return rc;
1112 }
1113 if (sbsec->flags & SBLABEL_MNT) {
1114 seq_putc(m, ',');
442155c1 1115 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1116 }
1117 return 0;
2069f457
EP		 1118}
1119
1da177e4
LT		 1120static inline u16 inode_mode_to_security_class(umode_t mode)
1121{
1122 switch (mode & S_IFMT) {
1123 case S_IFSOCK:
1124 return SECCLASS_SOCK_FILE;
1125 case S_IFLNK:
1126 return SECCLASS_LNK_FILE;
1127 case S_IFREG:
1128 return SECCLASS_FILE;
1129 case S_IFBLK:
1130 return SECCLASS_BLK_FILE;
1131 case S_IFDIR:
1132 return SECCLASS_DIR;
1133 case S_IFCHR:
1134 return SECCLASS_CHR_FILE;
1135 case S_IFIFO:
1136 return SECCLASS_FIFO_FILE;
1137
1138 }
1139
1140 return SECCLASS_FILE;
1141}
1142
13402580
JM		 1143static inline int default_protocol_stream(int protocol)
1144{
95ca9072
PA		 1145 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1146 protocol == IPPROTO_MPTCP);
13402580
JM		 1147}
1148
1149static inline int default_protocol_dgram(int protocol)
1150{
1151 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1152}
1153
1da177e4
LT		 1154static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1155{
a13479bb 1156 bool extsockclass = selinux_policycap_extsockclass();
da69a530 1157
1da177e4
LT		 1158 switch (family) {
1159 case PF_UNIX:
1160 switch (type) {
1161 case SOCK_STREAM:
1162 case SOCK_SEQPACKET:
1163 return SECCLASS_UNIX_STREAM_SOCKET;
1164 case SOCK_DGRAM:
2a764b52 1165 case SOCK_RAW:
1da177e4
LT		 1166 return SECCLASS_UNIX_DGRAM_SOCKET;
1167 }
1168 break;
1169 case PF_INET:
1170 case PF_INET6:
1171 switch (type) {
1172 case SOCK_STREAM:
da69a530 1173 case SOCK_SEQPACKET:
13402580
JM		 1174 if (default_protocol_stream(protocol))
1175 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1176 else if (extsockclass && protocol == IPPROTO_SCTP)
1177 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1178 else
1179 return SECCLASS_RAWIP_SOCKET;
1da177e4 1180 case SOCK_DGRAM:
13402580
JM		 1181 if (default_protocol_dgram(protocol))
1182 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1183 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1184 protocol == IPPROTO_ICMPV6))
da69a530 1185 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1186 else
1187 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1188 case SOCK_DCCP:
1189 return SECCLASS_DCCP_SOCKET;
13402580 1190 default:
1da177e4
LT		 1191 return SECCLASS_RAWIP_SOCKET;
1192 }
1193 break;
1194 case PF_NETLINK:
1195 switch (protocol) {
1196 case NETLINK_ROUTE:
1197 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1198 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1199 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1200 case NETLINK_NFLOG:
1201 return SECCLASS_NETLINK_NFLOG_SOCKET;
1202 case NETLINK_XFRM:
1203 return SECCLASS_NETLINK_XFRM_SOCKET;
1204 case NETLINK_SELINUX:
1205 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1206 case NETLINK_ISCSI:
1207 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1208 case NETLINK_AUDIT:
1209 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1210 case NETLINK_FIB_LOOKUP:
1211 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1212 case NETLINK_CONNECTOR:
1213 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1214 case NETLINK_NETFILTER:
1215 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1216 case NETLINK_DNRTMSG:
1217 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1218 case NETLINK_KOBJECT_UEVENT:
1219 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1220 case NETLINK_GENERIC:
1221 return SECCLASS_NETLINK_GENERIC_SOCKET;
1222 case NETLINK_SCSITRANSPORT:
1223 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1224 case NETLINK_RDMA:
1225 return SECCLASS_NETLINK_RDMA_SOCKET;
1226 case NETLINK_CRYPTO:
1227 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1228 default:
1229 return SECCLASS_NETLINK_SOCKET;
1230 }
1231 case PF_PACKET:
1232 return SECCLASS_PACKET_SOCKET;
1233 case PF_KEY:
1234 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1235 case PF_APPLETALK:
1236 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1237 }
1238
da69a530
SS		 1239 if (extsockclass) {
1240 switch (family) {
1241 case PF_AX25:
1242 return SECCLASS_AX25_SOCKET;
1243 case PF_IPX:
1244 return SECCLASS_IPX_SOCKET;
1245 case PF_NETROM:
1246 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1247 case PF_ATMPVC:
1248 return SECCLASS_ATMPVC_SOCKET;
1249 case PF_X25:
1250 return SECCLASS_X25_SOCKET;
1251 case PF_ROSE:
1252 return SECCLASS_ROSE_SOCKET;
1253 case PF_DECnet:
1254 return SECCLASS_DECNET_SOCKET;
1255 case PF_ATMSVC:
1256 return SECCLASS_ATMSVC_SOCKET;
1257 case PF_RDS:
1258 return SECCLASS_RDS_SOCKET;
1259 case PF_IRDA:
1260 return SECCLASS_IRDA_SOCKET;
1261 case PF_PPPOX:
1262 return SECCLASS_PPPOX_SOCKET;
1263 case PF_LLC:
1264 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1265 case PF_CAN:
1266 return SECCLASS_CAN_SOCKET;
1267 case PF_TIPC:
1268 return SECCLASS_TIPC_SOCKET;
1269 case PF_BLUETOOTH:
1270 return SECCLASS_BLUETOOTH_SOCKET;
1271 case PF_IUCV:
1272 return SECCLASS_IUCV_SOCKET;
1273 case PF_RXRPC:
1274 return SECCLASS_RXRPC_SOCKET;
1275 case PF_ISDN:
1276 return SECCLASS_ISDN_SOCKET;
1277 case PF_PHONET:
1278 return SECCLASS_PHONET_SOCKET;
1279 case PF_IEEE802154:
1280 return SECCLASS_IEEE802154_SOCKET;
1281 case PF_CAIF:
1282 return SECCLASS_CAIF_SOCKET;
1283 case PF_ALG:
1284 return SECCLASS_ALG_SOCKET;
1285 case PF_NFC:
1286 return SECCLASS_NFC_SOCKET;
1287 case PF_VSOCK:
1288 return SECCLASS_VSOCK_SOCKET;
1289 case PF_KCM:
1290 return SECCLASS_KCM_SOCKET;
1291 case PF_QIPCRTR:
1292 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1293 case PF_SMC:
1294 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1295 case PF_XDP:
1296 return SECCLASS_XDP_SOCKET;
bc49d816
JK		 1297 case PF_MCTP:
1298 return SECCLASS_MCTP_SOCKET;
1299#if PF_MAX > 46
da69a530
SS		 1300#error New address family defined, please update this function.
1301#endif
1302 }
1303 }
1304
1da177e4
LT		 1305 return SECCLASS_SOCKET;
1306}
1307
134509d5
SS		 1308static int selinux_genfs_get_sid(struct dentry *dentry,
1309 u16 tclass,
1310 u16 flags,
1311 u32 *sid)
1da177e4 1312{
8e6c9693 1313 int rc;
fc64005c 1314 struct super_block *sb = dentry->d_sb;
8e6c9693 1315 char *buffer, *path;
1da177e4 1316
828dfe1d 1317 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1318 if (!buffer)
1319 return -ENOMEM;
1320
8e6c9693
LAG		 1321 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1322 if (IS_ERR(path))
1323 rc = PTR_ERR(path);
1324 else {
134509d5
SS		 1325 if (flags & SE_SBPROC) {
1326 /* each process gets a /proc/PID/ entry. Strip off the
1327 * PID part to get a valid selinux labeling.
1328 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1329 while (path[1] >= '0' && path[1] <= '9') {
1330 path[1] = '/';
1331 path++;
1332 }
8e6c9693 1333 }
e67b7985 1334 rc = security_genfs_sid(sb->s_type->name,
aa8e712c 1335 path, tclass, sid);
7bb185ed
SS		 1336 if (rc == -ENOENT) {
1337 /* No match in policy, mark as unlabeled. */
1338 *sid = SECINITSID_UNLABELED;
1339 rc = 0;
1340 }
1da177e4 1341 }
1da177e4
LT		 1342 free_page((unsigned long)buffer);
1343 return rc;
1344}
1da177e4 1345
b754026b
OM		 1346static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1347 u32 def_sid, u32 *sid)
1348{
1349#define INITCONTEXTLEN 255
1350 char *context;
1351 unsigned int len;
1352 int rc;
1353
1354 len = INITCONTEXTLEN;
1355 context = kmalloc(len + 1, GFP_NOFS);
1356 if (!context)
1357 return -ENOMEM;
1358
1359 context[len] = '\0';
1360 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1361 if (rc == -ERANGE) {
1362 kfree(context);
1363
1364 /* Need a larger buffer. Query for the right size. */
1365 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1366 if (rc < 0)
1367 return rc;
1368
1369 len = rc;
1370 context = kmalloc(len + 1, GFP_NOFS);
1371 if (!context)
1372 return -ENOMEM;
1373
1374 context[len] = '\0';
1375 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1376 context, len);
1377 }
1378 if (rc < 0) {
1379 kfree(context);
1380 if (rc != -ENODATA) {
1381 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1382 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1383 return rc;
1384 }
1385 *sid = def_sid;
1386 return 0;
1387 }
1388
e67b7985 1389 rc = security_context_to_sid_default(context, rc, sid,
b754026b
OM		 1390 def_sid, GFP_NOFS);
1391 if (rc) {
1392 char *dev = inode->i_sb->s_id;
1393 unsigned long ino = inode->i_ino;
1394
1395 if (rc == -EINVAL) {
1396 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1397 ino, dev, context);
1398 } else {
1399 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1400 __func__, context, -rc, dev, ino);
1401 }
1402 }
1403 kfree(context);
1404 return 0;
1405}
1406
1da177e4
LT		 1407/* The inode's security attributes must be initialized before first use. */
1408static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1409{
1410 struct superblock_security_struct *sbsec = NULL;
80788c22 1411 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1412 u32 task_sid, sid = 0;
1413 u16 sclass;
1da177e4 1414 struct dentry *dentry;
1da177e4 1415 int rc = 0;
1da177e4 1416
6f3be9f5 1417 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1418 return 0;
1da177e4 1419
9287aed2 1420 spin_lock(&isec->lock);
6f3be9f5 1421 if (isec->initialized == LABEL_INITIALIZED)
23970741 1422 goto out_unlock;
1da177e4 1423
13457d07
AG		 1424 if (isec->sclass == SECCLASS_FILE)
1425 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1426
1aea7808 1427 sbsec = selinux_superblock(inode->i_sb);
0d90a7ec 1428 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1429 /* Defer initialization until selinux_complete_init,
1430 after the initial policy is loaded and the security
1431 server is ready to handle calls. */
1432 spin_lock(&sbsec->isec_lock);
1433 if (list_empty(&isec->list))
1434 list_add(&isec->list, &sbsec->isec_head);
1435 spin_unlock(&sbsec->isec_lock);
23970741 1436 goto out_unlock;
1da177e4
LT		 1437 }
1438
9287aed2
AG		 1439 sclass = isec->sclass;
1440 task_sid = isec->task_sid;
1441 sid = isec->sid;
1442 isec->initialized = LABEL_PENDING;
1443 spin_unlock(&isec->lock);
1444
1da177e4 1445 switch (sbsec->behavior) {
cec5fe70
OM		 1446 /*
1447 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1448 * via xattr when called from delayed_superblock_init().
1449 */
eb9ae686 1450 case SECURITY_FS_USE_NATIVE:
1da177e4 1451 case SECURITY_FS_USE_XATTR:
5d6c3191 1452 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1453 sid = sbsec->def_sid;
1da177e4
LT		 1454 break;
1455 }
1da177e4
LT		 1456 /* Need a dentry, since the xattr API requires one.
1457 Life would be simpler if we could just pass the inode. */
1458 if (opt_dentry) {
1459 /* Called from d_instantiate or d_splice_alias. */
1460 dentry = dget(opt_dentry);
1461 } else {
b127125d
AV		 1462 /*
1463 * Called from selinux_complete_init, try to find a dentry.
1464 * Some filesystems really want a connected one, so try
1465 * that first. We could split SECURITY_FS_USE_XATTR in
1466 * two, depending upon that...
1467 */
1da177e4 1468 dentry = d_find_alias(inode);
b127125d
AV		 1469 if (!dentry)
1470 dentry = d_find_any_alias(inode);
1da177e4
LT		 1471 }
1472 if (!dentry) {
df7f54c0
EP		 1473 /*
1474 * this is can be hit on boot when a file is accessed
1475 * before the policy is loaded. When we load policy we
1476 * may find inodes that have no dentry on the
1477 * sbsec->isec_head list. No reason to complain as these
1478 * will get fixed up the next time we go through
1479 * inode_doinit with a dentry, before these inodes could
1480 * be used again by userspace.
1481 */
200ea5a2 1482 goto out_invalid;
1da177e4
LT		 1483 }
1484
b754026b
OM		 1485 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1486 &sid);
1da177e4 1487 dput(dentry);
b754026b
OM		 1488 if (rc)
1489 goto out;
1da177e4
LT		 1490 break;
1491 case SECURITY_FS_USE_TASK:
9287aed2 1492 sid = task_sid;
1da177e4
LT		 1493 break;
1494 case SECURITY_FS_USE_TRANS:
1495 /* Default to the fs SID. */
9287aed2 1496 sid = sbsec->sid;
1da177e4
LT		 1497
1498 /* Try to obtain a transition SID. */
e67b7985 1499 rc = security_transition_sid(task_sid, sid,
aa8e712c 1500 sclass, NULL, &sid);
1da177e4 1501 if (rc)
9287aed2 1502 goto out;
1da177e4 1503 break;
c312feb2 1504 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1505 sid = sbsec->mntpoint_sid;
c312feb2 1506 break;
1da177e4 1507 default:
c312feb2 1508 /* Default to the fs superblock SID. */
9287aed2 1509 sid = sbsec->sid;
1da177e4 1510
7470d0d1
CG		 1511 if ((sbsec->flags & SE_SBGENFS) &&
1512 (!S_ISLNK(inode->i_mode) ||
1513 selinux_policycap_genfs_seclabel_symlinks())) {
f64410ec
PM		 1514 /* We must have a dentry to determine the label on
1515 * procfs inodes */
b127125d 1516 if (opt_dentry) {
f64410ec
PM		 1517 /* Called from d_instantiate or
1518 * d_splice_alias. */
1519 dentry = dget(opt_dentry);
b127125d 1520 } else {
f64410ec 1521 /* Called from selinux_complete_init, try to
b127125d
AV		 1522 * find a dentry. Some filesystems really want
1523 * a connected one, so try that first.
1524 */
f64410ec 1525 dentry = d_find_alias(inode);
b127125d
AV		 1526 if (!dentry)
1527 dentry = d_find_any_alias(inode);
1528 }
f64410ec
PM		 1529 /*
1530 * This can be hit on boot when a file is accessed
1531 * before the policy is loaded. When we load policy we
1532 * may find inodes that have no dentry on the
1533 * sbsec->isec_head list. No reason to complain as
1534 * these will get fixed up the next time we go through
1535 * inode_doinit() with a dentry, before these inodes
1536 * could be used again by userspace.
1537 */
1538 if (!dentry)
200ea5a2 1539 goto out_invalid;
9287aed2 1540 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1541 sbsec->flags, &sid);
b754026b
OM		 1542 if (rc) {
1543 dput(dentry);
9287aed2 1544 goto out;
b754026b
OM		 1545 }
1546
1547 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1548 (inode->i_opflags & IOP_XATTR)) {
1549 rc = inode_doinit_use_xattr(inode, dentry,
1550 sid, &sid);
1551 if (rc) {
1552 dput(dentry);
1553 goto out;
1554 }
1555 }
1556 dput(dentry);
1da177e4
LT		 1557 }
1558 break;
1559 }
1560
9287aed2
AG		 1561out:
1562 spin_lock(&isec->lock);
1563 if (isec->initialized == LABEL_PENDING) {
200ea5a2 1564 if (rc) {
9287aed2
AG		 1565 isec->initialized = LABEL_INVALID;
1566 goto out_unlock;
1567 }
9287aed2
AG		 1568 isec->initialized = LABEL_INITIALIZED;
1569 isec->sid = sid;
1570 }
1da177e4 1571
23970741 1572out_unlock:
9287aed2 1573 spin_unlock(&isec->lock);
1da177e4 1574 return rc;
200ea5a2
PM		 1575
1576out_invalid:
1577 spin_lock(&isec->lock);
1578 if (isec->initialized == LABEL_PENDING) {
1579 isec->initialized = LABEL_INVALID;
1580 isec->sid = sid;
1581 }
1582 spin_unlock(&isec->lock);
1583 return 0;
1da177e4
LT		 1584}
1585
1586/* Convert a Linux signal to an access vector. */
1587static inline u32 signal_to_av(int sig)
1588{
1589 u32 perm = 0;
1590
1591 switch (sig) {
1592 case SIGCHLD:
1593 /* Commonly granted from child to parent. */
1594 perm = PROCESS__SIGCHLD;
1595 break;
1596 case SIGKILL:
1597 /* Cannot be caught or ignored */
1598 perm = PROCESS__SIGKILL;
1599 break;
1600 case SIGSTOP:
1601 /* Cannot be caught or ignored */
1602 perm = PROCESS__SIGSTOP;
1603 break;
1604 default:
1605 /* All other signals. */
1606 perm = PROCESS__SIGNAL;
1607 break;
1608 }
1609
1610 return perm;
1611}
1612
b68e418c
SS		 1613#if CAP_LAST_CAP > 63
1614#error Fix SELinux to handle capabilities > 63.
1615#endif
1616
1da177e4 1617/* Check whether a task is allowed to use a capability. */
6a9de491 1618static int cred_has_capability(const struct cred *cred,
c1a85a00 1619 int cap, unsigned int opts, bool initns)
1da177e4 1620{
2bf49690 1621 struct common_audit_data ad;
06112163 1622 struct av_decision avd;
b68e418c 1623 u16 sclass;
3699c53c 1624 u32 sid = cred_sid(cred);
b68e418c 1625 u32 av = CAP_TO_MASK(cap);
06112163 1626 int rc;
1da177e4 1627
50c205f5 1628 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1629 ad.u.cap = cap;
1630
b68e418c
SS		 1631 switch (CAP_TO_INDEX(cap)) {
1632 case 0:
8e4ff6f2 1633 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1634 break;
1635 case 1:
8e4ff6f2 1636 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1637 break;
1638 default:
c103a91e 1639 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1640 BUG();
a35c6c83 1641 return -EINVAL;
b68e418c 1642 }
06112163 1643
e67b7985 1644 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
c1a85a00 1645 if (!(opts & CAP_OPT_NOAUDIT)) {
e67b7985 1646 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1647 if (rc2)
1648 return rc2;
1649 }
06112163 1650 return rc;
1da177e4
LT		 1651}
1652
1da177e4
LT		 1653/* Check whether a task has a particular permission to an inode.
1654 The 'adp' parameter is optional and allows other audit
1655 data to be passed (e.g. the dentry). */
88e67f3b 1656static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1657 struct inode *inode,
1658 u32 perms,
19e49834 1659 struct common_audit_data *adp)
1da177e4 1660{
1da177e4 1661 struct inode_security_struct *isec;
275bb41e 1662 u32 sid;
1da177e4 1663
828dfe1d 1664 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1665 return 0;
1666
88e67f3b 1667 sid = cred_sid(cred);
80788c22 1668 isec = selinux_inode(inode);
1da177e4 1669
e67b7985 1670 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1671}
1672
1673/* Same as inode_has_perm, but pass explicit audit data containing
1674 the dentry to help the auditing code to more easily generate the
1675 pathname if needed. */
88e67f3b 1676static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1677 struct dentry *dentry,
1678 u32 av)
1679{
c6f493d6 1680 struct inode *inode = d_backing_inode(dentry);
2bf49690 1681 struct common_audit_data ad;
88e67f3b 1682
50c205f5 1683 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1684 ad.u.dentry = dentry;
5d226df4 1685 __inode_security_revalidate(inode, dentry, true);
19e49834 1686 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1687}
1688
1689/* Same as inode_has_perm, but pass explicit audit data containing
1690 the path to help the auditing code to more easily generate the
1691 pathname if needed. */
1692static inline int path_has_perm(const struct cred *cred,
3f7036a0 1693 const struct path *path,
2875fa00
EP		 1694 u32 av)
1695{
c6f493d6 1696 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1697 struct common_audit_data ad;
1698
50c205f5 1699 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1700 ad.u.path = *path;
5d226df4 1701 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1702 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1703}
1704
13f8e981
DH		 1705/* Same as path_has_perm, but uses the inode from the file struct. */
1706static inline int file_path_has_perm(const struct cred *cred,
1707 struct file *file,
1708 u32 av)
1709{
1710 struct common_audit_data ad;
1711
43af5de7
VG		 1712 ad.type = LSM_AUDIT_DATA_FILE;
1713 ad.u.file = file;
19e49834 1714 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1715}
1716
f66e448c 1717#ifdef CONFIG_BPF_SYSCALL
8e4672d6 1718static int bpf_fd_pass(const struct file *file, u32 sid);
f66e448c
CF		 1719#endif
1720
1da177e4
LT		 1721/* Check whether a task can use an open file descriptor to
1722 access an inode in a given way. Check access to the
1723 descriptor itself, and then use dentry_has_perm to
1724 check a particular permission to the file.
1725 Access to the descriptor is implicitly granted if it
1726 has the same SID as the process. If av is zero, then
1727 access to the file is not checked, e.g. for cases
1728 where only the descriptor is affected like seek. */
88e67f3b
DH		 1729static int file_has_perm(const struct cred *cred,
1730 struct file *file,
1731 u32 av)
1da177e4 1732{
bb6c6b02 1733 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1734 struct inode *inode = file_inode(file);
2bf49690 1735 struct common_audit_data ad;
88e67f3b 1736 u32 sid = cred_sid(cred);
1da177e4
LT		 1737 int rc;
1738
43af5de7
VG		 1739 ad.type = LSM_AUDIT_DATA_FILE;
1740 ad.u.file = file;
1da177e4 1741
275bb41e 1742 if (sid != fsec->sid) {
e67b7985 1743 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1744 SECCLASS_FD,
1745 FD__USE,
1746 &ad);
1747 if (rc)
88e67f3b 1748 goto out;
1da177e4
LT		 1749 }
1750
f66e448c
CF		 1751#ifdef CONFIG_BPF_SYSCALL
1752 rc = bpf_fd_pass(file, cred_sid(cred));
1753 if (rc)
1754 return rc;
1755#endif
1756
1da177e4 1757 /* av is zero if only checking access to the descriptor. */
88e67f3b 1758 rc = 0;
1da177e4 1759 if (av)
19e49834 1760 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1761
88e67f3b
DH		 1762out:
1763 return rc;
1da177e4
LT		 1764}
1765
c3c188b2
DH		 1766/*
1767 * Determine the label for an inode that might be unioned.
1768 */
c957f6df
VG		 1769static int
1770selinux_determine_inode_label(const struct task_security_struct *tsec,
1771 struct inode *dir,
1772 const struct qstr *name, u16 tclass,
1773 u32 *_new_isid)
c3c188b2 1774{
1aea7808
CS		 1775 const struct superblock_security_struct *sbsec =
1776 selinux_superblock(dir->i_sb);
c3c188b2
DH		 1777
1778 if ((sbsec->flags & SE_SBINITIALIZED) &&
1779 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1780 *_new_isid = sbsec->mntpoint_sid;
1781 } else if ((sbsec->flags & SBLABEL_MNT) &&
1782 tsec->create_sid) {
1783 *_new_isid = tsec->create_sid;
1784 } else {
20cdef8d 1785 const struct inode_security_struct *dsec = inode_security(dir);
e67b7985 1786 return security_transition_sid(tsec->sid,
aa8e712c 1787 dsec->sid, tclass,
c3c188b2
DH		 1788 name, _new_isid);
1789 }
1790
1791 return 0;
1792}
1793
1da177e4
LT		 1794/* Check whether a task can create a file. */
1795static int may_create(struct inode *dir,
1796 struct dentry *dentry,
1797 u16 tclass)
1798{
0c6cfa62 1799 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1800 struct inode_security_struct *dsec;
1801 struct superblock_security_struct *sbsec;
275bb41e 1802 u32 sid, newsid;
2bf49690 1803 struct common_audit_data ad;
1da177e4
LT		 1804 int rc;
1805
83da53c5 1806 dsec = inode_security(dir);
1aea7808 1807 sbsec = selinux_superblock(dir->i_sb);
1da177e4 1808
275bb41e 1809 sid = tsec->sid;
275bb41e 1810
50c205f5 1811 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1812 ad.u.dentry = dentry;
1da177e4 1813
e67b7985 1814 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1815 DIR__ADD_NAME | DIR__SEARCH,
1816 &ad);
1817 if (rc)
1818 return rc;
1819
210a2928
YG		 1820 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1821 &newsid);
c3c188b2
DH		 1822 if (rc)
1823 return rc;
1da177e4 1824
e67b7985 1825 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1826 if (rc)
1827 return rc;
1828
e67b7985 1829 return avc_has_perm(newsid, sbsec->sid,
1da177e4
LT		 1830 SECCLASS_FILESYSTEM,
1831 FILESYSTEM__ASSOCIATE, &ad);
1832}
1833
828dfe1d
EP		 1834#define MAY_LINK 0
1835#define MAY_UNLINK 1
1836#define MAY_RMDIR 2
1da177e4
LT		 1837
1838/* Check whether a task can link, unlink, or rmdir a file/directory. */
1839static int may_link(struct inode *dir,
1840 struct dentry *dentry,
1841 int kind)
1842
1843{
1da177e4 1844 struct inode_security_struct *dsec, *isec;
2bf49690 1845 struct common_audit_data ad;
275bb41e 1846 u32 sid = current_sid();
1da177e4
LT		 1847 u32 av;
1848 int rc;
1849
83da53c5
AG		 1850 dsec = inode_security(dir);
1851 isec = backing_inode_security(dentry);
1da177e4 1852
50c205f5 1853 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1854 ad.u.dentry = dentry;
1da177e4
LT		 1855
1856 av = DIR__SEARCH;
1857 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
e67b7985 1858 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1859 if (rc)
1860 return rc;
1861
1862 switch (kind) {
1863 case MAY_LINK:
1864 av = FILE__LINK;
1865 break;
1866 case MAY_UNLINK:
1867 av = FILE__UNLINK;
1868 break;
1869 case MAY_RMDIR:
1870 av = DIR__RMDIR;
1871 break;
1872 default:
c103a91e 1873 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1874 __func__, kind);
1da177e4
LT		 1875 return 0;
1876 }
1877
e67b7985 1878 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1879 return rc;
1880}
1881
1882static inline int may_rename(struct inode *old_dir,
1883 struct dentry *old_dentry,
1884 struct inode *new_dir,
1885 struct dentry *new_dentry)
1886{
1da177e4 1887 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1888 struct common_audit_data ad;
275bb41e 1889 u32 sid = current_sid();
1da177e4
LT		 1890 u32 av;
1891 int old_is_dir, new_is_dir;
1892 int rc;
1893
83da53c5
AG		 1894 old_dsec = inode_security(old_dir);
1895 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1896 old_is_dir = d_is_dir(old_dentry);
83da53c5 1897 new_dsec = inode_security(new_dir);
1da177e4 1898
50c205f5 1899 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1900
a269434d 1901 ad.u.dentry = old_dentry;
e67b7985 1902 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1903 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1904 if (rc)
1905 return rc;
e67b7985 1906 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1907 old_isec->sclass, FILE__RENAME, &ad);
1908 if (rc)
1909 return rc;
1910 if (old_is_dir && new_dir != old_dir) {
e67b7985 1911 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1912 old_isec->sclass, DIR__REPARENT, &ad);
1913 if (rc)
1914 return rc;
1915 }
1916
a269434d 1917 ad.u.dentry = new_dentry;
1da177e4 1918 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1919 if (d_is_positive(new_dentry))
1da177e4 1920 av |= DIR__REMOVE_NAME;
e67b7985 1921 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1922 if (rc)
1923 return rc;
2c616d4d 1924 if (d_is_positive(new_dentry)) {
83da53c5 1925 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1926 new_is_dir = d_is_dir(new_dentry);
e67b7985 1927 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1928 new_isec->sclass,
1929 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1930 if (rc)
1931 return rc;
1932 }
1933
1934 return 0;
1935}
1936
1937/* Check whether a task can perform a filesystem operation. */
88e67f3b 1938static int superblock_has_perm(const struct cred *cred,
25cc71d1 1939 const struct super_block *sb,
1da177e4 1940 u32 perms,
2bf49690 1941 struct common_audit_data *ad)
1da177e4 1942{
1da177e4 1943 struct superblock_security_struct *sbsec;
88e67f3b 1944 u32 sid = cred_sid(cred);
1da177e4 1945
1aea7808 1946 sbsec = selinux_superblock(sb);
e67b7985 1947 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1948}
1949
1950/* Convert a Linux mode and permission mask to an access vector. */
1951static inline u32 file_mask_to_av(int mode, int mask)
1952{
1953 u32 av = 0;
1954
dba19c60 1955 if (!S_ISDIR(mode)) {
1da177e4
LT		 1956 if (mask & MAY_EXEC)
1957 av |= FILE__EXECUTE;
1958 if (mask & MAY_READ)
1959 av |= FILE__READ;
1960
1961 if (mask & MAY_APPEND)
1962 av |= FILE__APPEND;
1963 else if (mask & MAY_WRITE)
1964 av |= FILE__WRITE;
1965
1966 } else {
1967 if (mask & MAY_EXEC)
1968 av |= DIR__SEARCH;
1969 if (mask & MAY_WRITE)
1970 av |= DIR__WRITE;
1971 if (mask & MAY_READ)
1972 av |= DIR__READ;
1973 }
1974
1975 return av;
1976}
1977
8b6a5a37 1978/* Convert a Linux file to an access vector. */
8e4672d6 1979static inline u32 file_to_av(const struct file *file)
8b6a5a37
EP		 1980{
1981 u32 av = 0;
1982
1983 if (file->f_mode & FMODE_READ)
1984 av |= FILE__READ;
1985 if (file->f_mode & FMODE_WRITE) {
1986 if (file->f_flags & O_APPEND)
1987 av |= FILE__APPEND;
1988 else
1989 av |= FILE__WRITE;
1990 }
1991 if (!av) {
1992 /*
1993 * Special file opened with flags 3 for ioctl-only use.
1994 */
1995 av = FILE__IOCTL;
1996 }
1997
1998 return av;
1999}
2000
b0c636b9 2001/*
c76a2f9e 2002 * Convert a file to an access vector and include the correct
b0c636b9
EP		 2003 * open permission.
2004 */
8b6a5a37 2005static inline u32 open_file_to_av(struct file *file)
b0c636b9 2006{
8b6a5a37 2007 u32 av = file_to_av(file);
ccb54478 2008 struct inode *inode = file_inode(file);
b0c636b9 2009
aa8e712c
SS		 2010 if (selinux_policycap_openperm() &&
2011 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2012 av |= FILE__OPEN;
2013
b0c636b9
EP		 2014 return av;
2015}
2016
1da177e4
LT		 2017/* Hook functions begin here. */
2018
52f88693 2019static int selinux_binder_set_context_mgr(const struct cred *mgr)
79af7307 2020{
e67b7985 2021 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
79af7307
SS		 2022 BINDER__SET_CONTEXT_MGR, NULL);
2023}
2024
52f88693
TK		 2025static int selinux_binder_transaction(const struct cred *from,
2026 const struct cred *to)
79af7307
SS		 2027{
2028 u32 mysid = current_sid();
52f88693
TK		 2029 u32 fromsid = cred_sid(from);
2030 u32 tosid = cred_sid(to);
79af7307
SS		 2031 int rc;
2032
2033 if (mysid != fromsid) {
e67b7985 2034 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2035 BINDER__IMPERSONATE, NULL);
2036 if (rc)
2037 return rc;
2038 }
2039
e67b7985 2040 return avc_has_perm(fromsid, tosid,
eb1231f7 2041 SECCLASS_BINDER, BINDER__CALL, NULL);
79af7307
SS		 2042}
2043
52f88693
TK		 2044static int selinux_binder_transfer_binder(const struct cred *from,
2045 const struct cred *to)
79af7307 2046{
e67b7985 2047 return avc_has_perm(cred_sid(from), cred_sid(to),
eb1231f7 2048 SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2049 NULL);
2050}
2051
52f88693
TK		 2052static int selinux_binder_transfer_file(const struct cred *from,
2053 const struct cred *to,
8e4672d6 2054 const struct file *file)
79af7307 2055{
52f88693 2056 u32 sid = cred_sid(to);
bb6c6b02 2057 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2058 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2059 struct inode_security_struct *isec;
79af7307
SS		 2060 struct common_audit_data ad;
2061 int rc;
2062
2063 ad.type = LSM_AUDIT_DATA_PATH;
2064 ad.u.path = file->f_path;
2065
2066 if (sid != fsec->sid) {
e67b7985 2067 rc = avc_has_perm(sid, fsec->sid,
79af7307
SS		 2068 SECCLASS_FD,
2069 FD__USE,
2070 &ad);
2071 if (rc)
2072 return rc;
2073 }
2074
f66e448c
CF		 2075#ifdef CONFIG_BPF_SYSCALL
2076 rc = bpf_fd_pass(file, sid);
2077 if (rc)
2078 return rc;
2079#endif
2080
83da53c5 2081 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2082 return 0;
2083
20cdef8d 2084 isec = backing_inode_security(dentry);
e67b7985 2085 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2086 &ad);
2087}
2088
9e48858f 2089static int selinux_ptrace_access_check(struct task_struct *child,
eb1231f7 2090 unsigned int mode)
1da177e4 2091{
be0554c9 2092 u32 sid = current_sid();
eb1231f7 2093 u32 csid = task_sid_obj(child);
be0554c9
SS		 2094
2095 if (mode & PTRACE_MODE_READ)
e67b7985
SS		 2096 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2097 NULL);
006ebb40 2098
e67b7985
SS		 2099 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2100 NULL);
5cd9c58f
DH		 2101}
2102
2103static int selinux_ptrace_traceme(struct task_struct *parent)
2104{
e67b7985 2105 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
eb1231f7 2106 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
1da177e4
LT		 2107}
2108
6672efbb 2109static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2110 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2111{
e67b7985
SS		 2112 return avc_has_perm(current_sid(), task_sid_obj(target),
2113 SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
1da177e4
LT		 2114}
2115
d84f4f99
DH		 2116static int selinux_capset(struct cred *new, const struct cred *old,
2117 const kernel_cap_t *effective,
2118 const kernel_cap_t *inheritable,
2119 const kernel_cap_t *permitted)
1da177e4 2120{
e67b7985 2121 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2122 PROCESS__SETCAP, NULL);
1da177e4
LT		 2123}
2124
5626d3e8
JM		 2125/*
2126 * (This comment used to live with the selinux_task_setuid hook,
2127 * which was removed).
2128 *
2129 * Since setuid only affects the current process, and since the SELinux
2130 * controls are not based on the Linux identity attributes, SELinux does not
2131 * need to control this operation. However, SELinux does control the use of
2132 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2133 */
2134
6a9de491 2135static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2136 int cap, unsigned int opts)
1da177e4 2137{
c1a85a00 2138 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2139}
2140
25cc71d1 2141static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
1da177e4 2142{
88e67f3b 2143 const struct cred *cred = current_cred();
1da177e4
LT		 2144 int rc = 0;
2145
2146 if (!sb)
2147 return 0;
2148
2149 switch (cmds) {
828dfe1d
EP		 2150 case Q_SYNC:
2151 case Q_QUOTAON:
2152 case Q_QUOTAOFF:
2153 case Q_SETINFO:
2154 case Q_SETQUOTA:
e4cfa05e
RH		 2155 case Q_XQUOTAOFF:
2156 case Q_XQUOTAON:
2157 case Q_XSETQLIM:
88e67f3b 2158 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2159 break;
2160 case Q_GETFMT:
2161 case Q_GETINFO:
2162 case Q_GETQUOTA:
e4cfa05e
RH		 2163 case Q_XGETQUOTA:
2164 case Q_XGETQSTAT:
2165 case Q_XGETQSTATV:
2166 case Q_XGETNEXTQUOTA:
88e67f3b 2167 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2168 break;
2169 default:
2170 rc = 0; /* let the kernel handle invalid cmds */
2171 break;
1da177e4
LT		 2172 }
2173 return rc;
2174}
2175
2176static int selinux_quota_on(struct dentry *dentry)
2177{
88e67f3b
DH		 2178 const struct cred *cred = current_cred();
2179
2875fa00 2180 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2181}
2182
12b3052c 2183static int selinux_syslog(int type)
1da177e4 2184{
1da177e4 2185 switch (type) {
d78ca3cd
KC		 2186 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2187 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
e67b7985 2188 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9 2189 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2190 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2191 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2192 /* Set level of messages printed to console */
2193 case SYSLOG_ACTION_CONSOLE_LEVEL:
e67b7985 2194 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2195 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2196 NULL);
1da177e4 2197 }
be0554c9 2198 /* All other syslog types */
e67b7985 2199 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9 2200 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2201}
2202
2203/*
2204 * Check that a process has enough memory to allocate a new virtual
2205 * mapping. 0 means there is enough memory for the allocation to
2206 * succeed and -ENOMEM implies there is not.
2207 *
1da177e4
LT		 2208 * Do not audit the selinux permission check, as this is applied to all
2209 * processes that allocate mappings.
2210 */
34b4e4aa 2211static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2212{
2213 int rc, cap_sys_admin = 0;
1da177e4 2214
b1d9e6b0 2215 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2216 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2217 if (rc == 0)
2218 cap_sys_admin = 1;
2219
b1d9e6b0 2220 return cap_sys_admin;
1da177e4
LT		 2221}
2222
2223/* binprm security operations */
2224
be0554c9 2225static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2226{
2227 u32 sid = 0;
2228 struct task_struct *tracer;
2229
2230 rcu_read_lock();
be0554c9 2231 tracer = ptrace_parent(current);
0c6181cb 2232 if (tracer)
eb1231f7 2233 sid = task_sid_obj(tracer);
0c6181cb
PM		 2234 rcu_read_unlock();
2235
2236 return sid;
2237}
2238
7b0d0b40
SS		 2239static int check_nnp_nosuid(const struct linux_binprm *bprm,
2240 const struct task_security_struct *old_tsec,
2241 const struct task_security_struct *new_tsec)
2242{
2243 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2244 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2245 int rc;
af63f419 2246 u32 av;
7b0d0b40
SS		 2247
2248 if (!nnp && !nosuid)
2249 return 0; /* neither NNP nor nosuid */
2250
2251 if (new_tsec->sid == old_tsec->sid)
2252 return 0; /* No change in credentials */
2253
2254 /*
af63f419
SS		 2255 * If the policy enables the nnp_nosuid_transition policy capability,
2256 * then we permit transitions under NNP or nosuid if the
2257 * policy allows the corresponding permission between
2258 * the old and new contexts.
7b0d0b40 2259 */
aa8e712c 2260 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2261 av = 0;
7b0d0b40 2262 if (nnp)
af63f419
SS		 2263 av |= PROCESS2__NNP_TRANSITION;
2264 if (nosuid)
2265 av |= PROCESS2__NOSUID_TRANSITION;
e67b7985 2266 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
af63f419
SS		 2267 SECCLASS_PROCESS2, av, NULL);
2268 if (!rc)
2269 return 0;
7b0d0b40 2270 }
af63f419
SS		 2271
2272 /*
2273 * We also permit NNP or nosuid transitions to bounded SIDs,
2274 * i.e. SIDs that are guaranteed to only be allowed a subset
2275 * of the permissions of the current SID.
2276 */
e67b7985 2277 rc = security_bounded_transition(old_tsec->sid,
aa8e712c 2278 new_tsec->sid);
af63f419
SS		 2279 if (!rc)
2280 return 0;
2281
2282 /*
2283 * On failure, preserve the errno values for NNP vs nosuid.
2284 * NNP: Operation not permitted for caller.
2285 * nosuid: Permission denied to file.
2286 */
2287 if (nnp)
2288 return -EPERM;
2289 return -EACCES;
7b0d0b40
SS		 2290}
2291
b8bff599 2292static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
1da177e4 2293{
a6f76f23
DH		 2294 const struct task_security_struct *old_tsec;
2295 struct task_security_struct *new_tsec;
1da177e4 2296 struct inode_security_struct *isec;
2bf49690 2297 struct common_audit_data ad;
496ad9aa 2298 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2299 int rc;
2300
a6f76f23
DH		 2301 /* SELinux context only depends on initial program or script and not
2302 * the script interpreter */
1da177e4 2303
0c6cfa62
CS		 2304 old_tsec = selinux_cred(current_cred());
2305 new_tsec = selinux_cred(bprm->cred);
83da53c5 2306 isec = inode_security(inode);
1da177e4
LT		 2307
2308 /* Default to the current task SID. */
a6f76f23
DH		 2309 new_tsec->sid = old_tsec->sid;
2310 new_tsec->osid = old_tsec->sid;
1da177e4 2311
28eba5bf 2312 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2313 new_tsec->create_sid = 0;
2314 new_tsec->keycreate_sid = 0;
2315 new_tsec->sockcreate_sid = 0;
1da177e4 2316
ae254858
OM		 2317 /*
2318 * Before policy is loaded, label any task outside kernel space
2319 * as SECINITSID_INIT, so that any userspace tasks surviving from
2320 * early boot end up with a label different from SECINITSID_KERNEL
2321 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2322 */
2323 if (!selinux_initialized()) {
2324 new_tsec->sid = SECINITSID_INIT;
2325 /* also clear the exec_sid just in case */
2326 new_tsec->exec_sid = 0;
2327 return 0;
2328 }
2329
a6f76f23
DH		 2330 if (old_tsec->exec_sid) {
2331 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2332 /* Reset exec SID on execve. */
a6f76f23 2333 new_tsec->exec_sid = 0;
259e5e6c 2334
7b0d0b40
SS		 2335 /* Fail on NNP or nosuid if not an allowed transition. */
2336 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2337 if (rc)
2338 return rc;
1da177e4
LT		 2339 } else {
2340 /* Check for a default transition on this program. */
e67b7985 2341 rc = security_transition_sid(old_tsec->sid,
aa8e712c 2342 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2343 &new_tsec->sid);
1da177e4
LT		 2344 if (rc)
2345 return rc;
7b0d0b40
SS		 2346
2347 /*
2348 * Fallback to old SID on NNP or nosuid if not an allowed
2349 * transition.
2350 */
2351 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2352 if (rc)
2353 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2354 }
2355
43af5de7
VG		 2356 ad.type = LSM_AUDIT_DATA_FILE;
2357 ad.u.file = bprm->file;
1da177e4 2358
a6f76f23 2359 if (new_tsec->sid == old_tsec->sid) {
e67b7985 2360 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2361 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2362 if (rc)
2363 return rc;
2364 } else {
2365 /* Check permissions for the transition. */
e67b7985 2366 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2367 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2368 if (rc)
2369 return rc;
2370
e67b7985 2371 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2372 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2373 if (rc)
2374 return rc;
2375
a6f76f23
DH		 2376 /* Check for shared state */
2377 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
e67b7985 2378 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2379 SECCLASS_PROCESS, PROCESS__SHARE,
2380 NULL);
2381 if (rc)
2382 return -EPERM;
2383 }
2384
2385 /* Make sure that anyone attempting to ptrace over a task that
2386 * changes its SID has the appropriate permit */
9227dd2a 2387 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2388 u32 ptsid = ptrace_parent_sid();
a6f76f23 2389 if (ptsid != 0) {
e67b7985 2390 rc = avc_has_perm(ptsid, new_tsec->sid,
a6f76f23
DH		 2391 SECCLASS_PROCESS,
2392 PROCESS__PTRACE, NULL);
2393 if (rc)
2394 return -EPERM;
2395 }
2396 }
1da177e4 2397
a6f76f23
DH		 2398 /* Clear any possibly unsafe personality bits on exec: */
2399 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2400
1da177e4
LT		 2401 /* Enable secure mode for SIDs transitions unless
2402 the noatsecure permission is granted between
2403 the two SIDs, i.e. ahp returns 0. */
e67b7985 2404 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2405 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2406 NULL);
2407 bprm->secureexec |= !!rc;
1da177e4
LT		 2408 }
2409
62874c3a 2410 return 0;
1da177e4
LT		 2411}
2412
c3c073f8
AV		 2413static int match_file(const void *p, struct file *file, unsigned fd)
2414{
2415 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2416}
2417
1da177e4 2418/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2419static inline void flush_unauthorized_files(const struct cred *cred,
2420 struct files_struct *files)
1da177e4 2421{
1da177e4 2422 struct file *file, *devnull = NULL;
b20c8122 2423 struct tty_struct *tty;
24ec839c 2424 int drop_tty = 0;
c3c073f8 2425 unsigned n;
1da177e4 2426
24ec839c 2427 tty = get_current_tty();
1da177e4 2428 if (tty) {
4a510969 2429 spin_lock(&tty->files_lock);
37dd0bd0 2430 if (!list_empty(&tty->tty_files)) {
d996b62a 2431 struct tty_file_private *file_priv;
37dd0bd0 2432
1da177e4 2433 /* Revalidate access to controlling tty.
13f8e981
DH		 2434 Use file_path_has_perm on the tty path directly
2435 rather than using file_has_perm, as this particular
2436 open file may belong to another process and we are
2437 only interested in the inode-based check here. */
d996b62a
NP		 2438 file_priv = list_first_entry(&tty->tty_files,
2439 struct tty_file_private, list);
2440 file = file_priv->file;
13f8e981 2441 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2442 drop_tty = 1;
1da177e4 2443 }
4a510969 2444 spin_unlock(&tty->files_lock);
452a00d2 2445 tty_kref_put(tty);
1da177e4 2446 }
98a27ba4
EB		 2447 /* Reset controlling tty. */
2448 if (drop_tty)
2449 no_tty();
1da177e4
LT		 2450
2451 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2452 n = iterate_fd(files, 0, match_file, cred);
2453 if (!n) /* none found? */
2454 return;
1da177e4 2455
c3c073f8 2456 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2457 if (IS_ERR(devnull))
2458 devnull = NULL;
2459 /* replace all the matching ones with this */
2460 do {
2461 replace_fd(n - 1, devnull, 0);
2462 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2463 if (devnull)
c3c073f8 2464 fput(devnull);
1da177e4
LT		 2465}
2466
a6f76f23
DH		 2467/*
2468 * Prepare a process for imminent new credential changes due to exec
2469 */
64fc9526 2470static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
1da177e4 2471{
a6f76f23
DH		 2472 struct task_security_struct *new_tsec;
2473 struct rlimit *rlim, *initrlim;
2474 int rc, i;
d84f4f99 2475
0c6cfa62 2476 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2477 if (new_tsec->sid == new_tsec->osid)
2478 return;
1da177e4 2479
a6f76f23
DH		 2480 /* Close files for which the new task SID is not authorized. */
2481 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2482
a6f76f23
DH		 2483 /* Always clear parent death signal on SID transitions. */
2484 current->pdeath_signal = 0;
0356357c 2485
a6f76f23
DH		 2486 /* Check whether the new SID can inherit resource limits from the old
2487 * SID. If not, reset all soft limits to the lower of the current
2488 * task's hard limit and the init task's soft limit.
2489 *
2490 * Note that the setting of hard limits (even to lower them) can be
2491 * controlled by the setrlimit check. The inclusion of the init task's
2492 * soft limit into the computation is to avoid resetting soft limits
2493 * higher than the default soft limit for cases where the default is
2494 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2495 */
e67b7985 2496 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2497 PROCESS__RLIMITINH, NULL);
2498 if (rc) {
eb2d55a3
ON		 2499 /* protect against do_prlimit() */
2500 task_lock(current);
a6f76f23
DH		 2501 for (i = 0; i < RLIM_NLIMITS; i++) {
2502 rlim = current->signal->rlim + i;
2503 initrlim = init_task.signal->rlim + i;
2504 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2505 }
eb2d55a3 2506 task_unlock(current);
baa73d9e
NP		 2507 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2508 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2509 }
2510}
2511
2512/*
a6f76f23
DH		 2513 * Clean up the process immediately after the installation of new credentials
2514 * due to exec
1da177e4 2515 */
a721f7b8 2516static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
1da177e4 2517{
0c6cfa62 2518 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2519 u32 osid, sid;
ddbc7d06 2520 int rc;
1da177e4 2521
a6f76f23
DH		 2522 osid = tsec->osid;
2523 sid = tsec->sid;
2524
2525 if (sid == osid)
1da177e4
LT		 2526 return;
2527
a6f76f23
DH		 2528 /* Check whether the new SID can inherit signal state from the old SID.
2529 * If not, clear itimers to avoid subsequent signal generation and
2530 * flush and unblock signals.
2531 *
2532 * This must occur _after_ the task SID has been updated so that any
2533 * kill done after the flush will be checked against the new SID.
2534 */
e67b7985 2535 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2536 if (rc) {
ddbc7d06
AB		 2537 clear_itimer();
2538
0e326df0 2539 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
9e7c8f8c
ON		 2540 if (!fatal_signal_pending(current)) {
2541 flush_sigqueue(&current->pending);
2542 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2543 flush_signal_handlers(current, 1);
2544 sigemptyset(&current->blocked);
9e7c8f8c 2545 recalc_sigpending();
3bcac026 2546 }
0e326df0 2547 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
1da177e4
LT		 2548 }
2549
a6f76f23
DH		 2550 /* Wake up the parent if it is waiting so that it can recheck
2551 * wait permission to the new task SID. */
ecd6de3c 2552 read_lock(&tasklist_lock);
0e326df0 2553 __wake_up_parent(current, unrcu_pointer(current->real_parent));
ecd6de3c 2554 read_unlock(&tasklist_lock);
1da177e4
LT		 2555}
2556
2557/* superblock security operations */
2558
2559static int selinux_sb_alloc_security(struct super_block *sb)
2560{
1aea7808 2561 struct superblock_security_struct *sbsec = selinux_superblock(sb);
cb89e246
PM		 2562
2563 mutex_init(&sbsec->lock);
2564 INIT_LIST_HEAD(&sbsec->isec_head);
2565 spin_lock_init(&sbsec->isec_lock);
cb89e246
PM		 2566 sbsec->sid = SECINITSID_UNLABELED;
2567 sbsec->def_sid = SECINITSID_FILE;
2568 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
cb89e246
PM		 2569
2570 return 0;
1da177e4
LT		 2571}
2572
99dbbb59 2573static inline int opt_len(const char *s)
1da177e4 2574{
99dbbb59
AV		 2575 bool open_quote = false;
2576 int len;
2577 char c;
1da177e4 2578
99dbbb59
AV		 2579 for (len = 0; (c = s[len]) != '\0'; len++) {
2580 if (c == '"')
2581 open_quote = !open_quote;
2582 if (c == ',' && !open_quote)
2583 break;
3528a953 2584 }
99dbbb59 2585 return len;
3528a953
CO		 2586}
2587
99dbbb59 2588static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2589{
99dbbb59
AV		 2590 char *from = options;
2591 char *to = options;
2592 bool first = true;
fec63753 2593 int rc;
1da177e4 2594
99dbbb59
AV		 2595 while (1) {
2596 int len = opt_len(from);
fec63753 2597 int token;
99dbbb59 2598 char *arg = NULL;
1da177e4 2599
99dbbb59 2600 token = match_opt_prefix(from, len, &arg);
1da177e4 2601
99dbbb59
AV		 2602 if (token != Opt_error) {
2603 char *p, *q;
1da177e4 2604
99dbbb59
AV		 2605 /* strip quotes */
2606 if (arg) {
2607 for (p = q = arg; p < from + len; p++) {
2608 char c = *p;
2609 if (c != '"')
2610 *q++ = c;
2611 }
2612 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2613 if (!arg) {
2614 rc = -ENOMEM;
2615 goto free_opt;
2616 }
99dbbb59
AV		 2617 }
2618 rc = selinux_add_opt(token, arg, mnt_opts);
cad140d0
CG		 2619 kfree(arg);
2620 arg = NULL;
99dbbb59 2621 if (unlikely(rc)) {
fec63753 2622 goto free_opt;
99dbbb59
AV		 2623 }
2624 } else {
2625 if (!first) { // copy with preceding comma
2626 from--;
2627 len++;
2628 }
2629 if (to != from)
2630 memmove(to, from, len);
2631 to += len;
2632 first = false;
1da177e4 2633 }
99dbbb59
AV		 2634 if (!from[len])
2635 break;
2636 from += len + 1;
2637 }
2638 *to = '\0';
2639 return 0;
fec63753
GZ		 2640
2641free_opt:
2642 if (*mnt_opts) {
2643 selinux_free_mnt_opts(*mnt_opts);
2644 *mnt_opts = NULL;
2645 }
2646 return rc;
1da177e4
LT		 2647}
2648
69c4a42d
OK		 2649static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2650{
2651 struct selinux_mnt_opts *opts = mnt_opts;
0266c25e 2652 struct superblock_security_struct *sbsec = selinux_superblock(sb);
69c4a42d
OK		 2653
2654 /*
2655 * Superblock not initialized (i.e. no options) - reject if any
2656 * options specified, otherwise accept.
2657 */
2658 if (!(sbsec->flags & SE_SBINITIALIZED))
2659 return opts ? 1 : 0;
2660
2661 /*
2662 * Superblock initialized and no options specified - reject if
2663 * superblock has any options set, otherwise accept.
2664 */
2665 if (!opts)
2666 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2667
70f4169a
OM		 2668 if (opts->fscontext_sid) {
2669 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2670 opts->fscontext_sid))
69c4a42d
OK		 2671 return 1;
2672 }
70f4169a
OM		 2673 if (opts->context_sid) {
2674 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2675 opts->context_sid))
69c4a42d
OK		 2676 return 1;
2677 }
70f4169a
OM		 2678 if (opts->rootcontext_sid) {
2679 struct inode_security_struct *root_isec;
b8b87fd9 2680
70f4169a
OM		 2681 root_isec = backing_inode_security(sb->s_root);
2682 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2683 opts->rootcontext_sid))
69c4a42d 2684 return 1;
70f4169a
OM		 2685 }
2686 if (opts->defcontext_sid) {
2687 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2688 opts->defcontext_sid))
69c4a42d
OK		 2689 return 1;
2690 }
2691 return 0;
2692}
2693
204cc0cc 2694static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2695{
bd323655 2696 struct selinux_mnt_opts *opts = mnt_opts;
1aea7808 2697 struct superblock_security_struct *sbsec = selinux_superblock(sb);
026eb167
EP		 2698
2699 if (!(sbsec->flags & SE_SBINITIALIZED))
2700 return 0;
2701
204cc0cc 2702 if (!opts)
026eb167
EP		 2703 return 0;
2704
70f4169a 2705 if (opts->fscontext_sid) {
6bc1968c
SM		 2706 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2707 opts->fscontext_sid))
bd323655 2708 goto out_bad_option;
026eb167 2709 }
70f4169a 2710 if (opts->context_sid) {
6bc1968c
SM		 2711 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2712 opts->context_sid))
bd323655
AV		 2713 goto out_bad_option;
2714 }
70f4169a 2715 if (opts->rootcontext_sid) {
bd323655
AV		 2716 struct inode_security_struct *root_isec;
2717 root_isec = backing_inode_security(sb->s_root);
6bc1968c
SM		 2718 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2719 opts->rootcontext_sid))
bd323655
AV		 2720 goto out_bad_option;
2721 }
70f4169a 2722 if (opts->defcontext_sid) {
6bc1968c
SM		 2723 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2724 opts->defcontext_sid))
bd323655 2725 goto out_bad_option;
026eb167 2726 }
c039bc3c 2727 return 0;
026eb167 2728
026eb167 2729out_bad_option:
c103a91e 2730 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2731 "during remount (dev %s, type=%s)\n", sb->s_id,
2732 sb->s_type->name);
c039bc3c 2733 return -EINVAL;
026eb167
EP		 2734}
2735
20a2aa47 2736static int selinux_sb_kern_mount(const struct super_block *sb)
1da177e4 2737{
88e67f3b 2738 const struct cred *cred = current_cred();
2bf49690 2739 struct common_audit_data ad;
74192246 2740
50c205f5 2741 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2742 ad.u.dentry = sb->s_root;
88e67f3b 2743 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2744}
2745
726c3342 2746static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2747{
88e67f3b 2748 const struct cred *cred = current_cred();
2bf49690 2749 struct common_audit_data ad;
1da177e4 2750
50c205f5 2751 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2752 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2753 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2754}
2755
808d4e3c 2756static int selinux_mount(const char *dev_name,
8a04c43b 2757 const struct path *path,
808d4e3c 2758 const char *type,
828dfe1d
EP		 2759 unsigned long flags,
2760 void *data)
1da177e4 2761{
88e67f3b 2762 const struct cred *cred = current_cred();
1da177e4
LT		 2763
2764 if (flags & MS_REMOUNT)
d8c9584e 2765 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2766 FILESYSTEM__REMOUNT, NULL);
1da177e4 2767 else
2875fa00 2768 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2769}
2770
98aa0034
SS		 2771static int selinux_move_mount(const struct path *from_path,
2772 const struct path *to_path)
2773{
2774 const struct cred *cred = current_cred();
2775
2776 return path_has_perm(cred, to_path, FILE__MOUNTON);
2777}
2778
1da177e4
LT		 2779static int selinux_umount(struct vfsmount *mnt, int flags)
2780{
88e67f3b 2781 const struct cred *cred = current_cred();
1da177e4 2782
88e67f3b 2783 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2784 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2785}
2786
d80a8f1b
DH		 2787static int selinux_fs_context_submount(struct fs_context *fc,
2788 struct super_block *reference)
2789{
ccf1dab9 2790 const struct superblock_security_struct *sbsec = selinux_superblock(reference);
d80a8f1b
DH		 2791 struct selinux_mnt_opts *opts;
2792
ccf1dab9
OM		 2793 /*
2794 * Ensure that fc->security remains NULL when no options are set
2795 * as expected by selinux_set_mnt_opts().
2796 */
2797 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2798 return 0;
2799
d80a8f1b
DH		 2800 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2801 if (!opts)
2802 return -ENOMEM;
2803
d80a8f1b
DH		 2804 if (sbsec->flags & FSCONTEXT_MNT)
2805 opts->fscontext_sid = sbsec->sid;
2806 if (sbsec->flags & CONTEXT_MNT)
2807 opts->context_sid = sbsec->mntpoint_sid;
2808 if (sbsec->flags & DEFCONTEXT_MNT)
2809 opts->defcontext_sid = sbsec->def_sid;
2810 fc->security = opts;
2811 return 0;
2812}
2813
0b52075e
AV		 2814static int selinux_fs_context_dup(struct fs_context *fc,
2815 struct fs_context *src_fc)
2816{
2817 const struct selinux_mnt_opts *src = src_fc->security;
0b52075e
AV		 2818
2819 if (!src)
2820 return 0;
2821
70f4169a
OM		 2822 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2823 return fc->security ? 0 : -ENOMEM;
0b52075e
AV		 2824}
2825
d7167b14 2826static const struct fs_parameter_spec selinux_fs_parameters[] = {
442155c1
DH		 2827 fsparam_string(CONTEXT_STR, Opt_context),
2828 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2829 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2830 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2831 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2832 {}
2833};
2834
442155c1
DH		 2835static int selinux_fs_context_parse_param(struct fs_context *fc,
2836 struct fs_parameter *param)
2837{
2838 struct fs_parse_result result;
cad140d0 2839 int opt;
442155c1 2840
d7167b14 2841 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
442155c1
DH		 2842 if (opt < 0)
2843 return opt;
2844
cad140d0 2845 return selinux_add_opt(opt, param->string, &fc->security);
442155c1
DH		 2846}
2847
1da177e4
LT		 2848/* inode security operations */
2849
2850static int selinux_inode_alloc_security(struct inode *inode)
2851{
cb89e246
PM		 2852 struct inode_security_struct *isec = selinux_inode(inode);
2853 u32 sid = current_sid();
2854
2855 spin_lock_init(&isec->lock);
2856 INIT_LIST_HEAD(&isec->list);
2857 isec->inode = inode;
2858 isec->sid = SECINITSID_UNLABELED;
2859 isec->sclass = SECCLASS_FILE;
2860 isec->task_sid = sid;
2861 isec->initialized = LABEL_INVALID;
2862
2863 return 0;
1da177e4
LT		 2864}
2865
2866static void selinux_inode_free_security(struct inode *inode)
2867{
2868 inode_free_security(inode);
2869}
2870
d47be3df 2871static int selinux_dentry_init_security(struct dentry *dentry, int mode,
15bf3239
VG		 2872 const struct qstr *name,
2873 const char **xattr_name, void **ctx,
d47be3df
DQ		 2874 u32 *ctxlen)
2875{
d47be3df
DQ		 2876 u32 newsid;
2877 int rc;
2878
0c6cfa62 2879 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2880 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2881 inode_mode_to_security_class(mode),
2882 &newsid);
2883 if (rc)
2884 return rc;
d47be3df 2885
15bf3239
VG		 2886 if (xattr_name)
2887 *xattr_name = XATTR_NAME_SELINUX;
2888
e67b7985 2889 return security_sid_to_context(newsid, (char **)ctx,
aa8e712c 2890 ctxlen);
d47be3df
DQ		 2891}
2892
a518b0a5
VG		 2893static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2894 struct qstr *name,
2895 const struct cred *old,
2896 struct cred *new)
2897{
2898 u32 newsid;
2899 int rc;
2900 struct task_security_struct *tsec;
2901
0c6cfa62 2902 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2903 d_inode(dentry->d_parent), name,
2904 inode_mode_to_security_class(mode),
2905 &newsid);
2906 if (rc)
2907 return rc;
2908
0c6cfa62 2909 tsec = selinux_cred(new);
a518b0a5
VG		 2910 tsec->create_sid = newsid;
2911 return 0;
2912}
2913
5e41ff9e 2914static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b 2915 const struct qstr *qstr,
6bcdfd2c 2916 struct xattr *xattrs, int *xattr_count)
5e41ff9e 2917{
0c6cfa62 2918 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2919 struct superblock_security_struct *sbsec;
6bcdfd2c 2920 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
c0d4f464 2921 u32 newsid, clen;
5e41ff9e 2922 int rc;
9548906b 2923 char *context;
5e41ff9e 2924
1aea7808 2925 sbsec = selinux_superblock(dir->i_sb);
5e41ff9e 2926
275bb41e
DH		 2927 newsid = tsec->create_sid;
2928
210a2928 2929 rc = selinux_determine_inode_label(tsec, dir, qstr,
c3c188b2
DH		 2930 inode_mode_to_security_class(inode->i_mode),
2931 &newsid);
2932 if (rc)
2933 return rc;
5e41ff9e 2934
296fddf7 2935 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2936 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2937 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2938 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2939 isec->sid = newsid;
6f3be9f5 2940 isec->initialized = LABEL_INITIALIZED;
296fddf7 2941 }
5e41ff9e 2942
e67b7985 2943 if (!selinux_initialized() ||
65cddd50 2944 !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2945 return -EOPNOTSUPP;
2946
6bcdfd2c 2947 if (xattr) {
e67b7985 2948 rc = security_sid_to_context_force(newsid,
aa8e712c 2949 &context, &clen);
9548906b 2950 if (rc)
570bc1c2 2951 return rc;
6bcdfd2c
RS		 2952 xattr->value = context;
2953 xattr->value_len = clen;
2954 xattr->name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2955 }
5e41ff9e 2956
5e41ff9e
SS		 2957 return 0;
2958}
2959
29cd6591
DC		 2960static int selinux_inode_init_security_anon(struct inode *inode,
2961 const struct qstr *name,
2962 const struct inode *context_inode)
2963{
2964 const struct task_security_struct *tsec = selinux_cred(current_cred());
2965 struct common_audit_data ad;
2966 struct inode_security_struct *isec;
2967 int rc;
2968
e67b7985 2969 if (unlikely(!selinux_initialized()))
29cd6591
DC		 2970 return 0;
2971
2972 isec = selinux_inode(inode);
2973
2974 /*
2975 * We only get here once per ephemeral inode. The inode has
2976 * been initialized via inode_alloc_security but is otherwise
2977 * untouched.
2978 */
2979
2980 if (context_inode) {
2981 struct inode_security_struct *context_isec =
2982 selinux_inode(context_inode);
2983 if (context_isec->initialized != LABEL_INITIALIZED) {
e5faa839 2984 pr_err("SELinux: context_inode is not initialized\n");
29cd6591
DC		 2985 return -EACCES;
2986 }
2987
2988 isec->sclass = context_isec->sclass;
2989 isec->sid = context_isec->sid;
2990 } else {
2991 isec->sclass = SECCLASS_ANON_INODE;
2992 rc = security_transition_sid(
e67b7985 2993 tsec->sid, tsec->sid,
29cd6591
DC		 2994 isec->sclass, name, &isec->sid);
2995 if (rc)
2996 return rc;
2997 }
2998
2999 isec->initialized = LABEL_INITIALIZED;
3000 /*
3001 * Now that we've initialized security, check whether we're
3002 * allowed to actually create this type of anonymous inode.
3003 */
3004
c29722fa
CG		 3005 ad.type = LSM_AUDIT_DATA_ANONINODE;
3006 ad.u.anonclass = name ? (const char *)name->name : "?";
29cd6591 3007
e67b7985 3008 return avc_has_perm(tsec->sid,
29cd6591
DC		 3009 isec->sid,
3010 isec->sclass,
3011 FILE__CREATE,
3012 &ad);
3013}
3014
4acdaf27 3015static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3016{
3017 return may_create(dir, dentry, SECCLASS_FILE);
3018}
3019
1da177e4
LT		 3020static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3021{
1da177e4
LT		 3022 return may_link(dir, old_dentry, MAY_LINK);
3023}
3024
1da177e4
LT		 3025static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3026{
1da177e4
LT		 3027 return may_link(dir, dentry, MAY_UNLINK);
3028}
3029
3030static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3031{
3032 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3033}
3034
18bb1db3 3035static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3036{
3037 return may_create(dir, dentry, SECCLASS_DIR);
3038}
3039
1da177e4
LT		 3040static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3041{
3042 return may_link(dir, dentry, MAY_RMDIR);
3043}
3044
1a67aafb 3045static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3046{
1da177e4
LT		 3047 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3048}
3049
1da177e4 3050static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3051 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3052{
3053 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3054}
3055
1da177e4
LT		 3056static int selinux_inode_readlink(struct dentry *dentry)
3057{
88e67f3b
DH		 3058 const struct cred *cred = current_cred();
3059
2875fa00 3060 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3061}
3062
bda0be7a
N		 3063static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3064 bool rcu)
1da177e4 3065{
88e67f3b 3066 const struct cred *cred = current_cred();
bda0be7a
N		 3067 struct common_audit_data ad;
3068 struct inode_security_struct *isec;
3069 u32 sid;
1da177e4 3070
bda0be7a
N		 3071 ad.type = LSM_AUDIT_DATA_DENTRY;
3072 ad.u.dentry = dentry;
3073 sid = cred_sid(cred);
5d226df4
AG		 3074 isec = inode_security_rcu(inode, rcu);
3075 if (IS_ERR(isec))
3076 return PTR_ERR(isec);
bda0be7a 3077
e67b7985 3078 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
1da177e4
LT		 3079}
3080
d4cf970d
EP		 3081static noinline int audit_inode_permission(struct inode *inode,
3082 u32 perms, u32 audited, u32 denied,
0188d5c0 3083 int result)
1da177e4 3084{
b782e0a6 3085 struct common_audit_data ad;
80788c22 3086 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d 3087
50c205f5 3088 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3089 ad.u.inode = inode;
3090
e67b7985 3091 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
0188d5c0 3092 audited, denied, result, &ad);
d4cf970d
EP		 3093}
3094
e74f71eb 3095static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3096{
88e67f3b 3097 const struct cred *cred = current_cred();
b782e0a6
EP		 3098 u32 perms;
3099 bool from_access;
5298d0b9 3100 bool no_block = mask & MAY_NOT_BLOCK;
2e334057
EP		 3101 struct inode_security_struct *isec;
3102 u32 sid;
3103 struct av_decision avd;
3104 int rc, rc2;
3105 u32 audited, denied;
1da177e4 3106
b782e0a6 3107 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3108 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3109
b782e0a6
EP		 3110 /* No permission to check. Existence test. */
3111 if (!mask)
1da177e4 3112 return 0;
1da177e4 3113
2e334057
EP		 3114 if (unlikely(IS_PRIVATE(inode)))
3115 return 0;
b782e0a6
EP		 3116
3117 perms = file_mask_to_av(inode->i_mode, mask);
3118
2e334057 3119 sid = cred_sid(cred);
5298d0b9 3120 isec = inode_security_rcu(inode, no_block);
5d226df4
AG		 3121 if (IS_ERR(isec))
3122 return PTR_ERR(isec);
2e334057 3123
e67b7985 3124 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3a28cff3 3125 &avd);
2e334057
EP		 3126 audited = avc_audit_required(perms, &avd, rc,
3127 from_access ? FILE__AUDIT_ACCESS : 0,
3128 &denied);
3129 if (likely(!audited))
3130 return rc;
3131
0188d5c0 3132 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
2e334057
EP		 3133 if (rc2)
3134 return rc2;
3135 return rc;
1da177e4
LT		 3136}
3137
3138static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3139{
88e67f3b 3140 const struct cred *cred = current_cred();
ccb54478 3141 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3142 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3143 __u32 av = FILE__WRITE;
1da177e4 3144
bc6a6008
AW		 3145 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3146 if (ia_valid & ATTR_FORCE) {
3147 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3148 ATTR_FORCE);
3149 if (!ia_valid)
3150 return 0;
3151 }
1da177e4 3152
bc6a6008
AW		 3153 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3154 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3155 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3156
aa8e712c 3157 if (selinux_policycap_openperm() &&
ccb54478
SS		 3158 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3159 (ia_valid & ATTR_SIZE) &&
3160 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3161 av |= FILE__OPEN;
3162
3163 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3164}
3165
3f7036a0 3166static int selinux_inode_getattr(const struct path *path)
1da177e4 3167{
3f7036a0 3168 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3169}
3170
db59000a
SS		 3171static bool has_cap_mac_admin(bool audit)
3172{
3173 const struct cred *cred = current_cred();
c1a85a00 3174 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3175
c1a85a00 3176 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3177 return false;
c1a85a00 3178 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3179 return false;
3180 return true;
3181}
3182
39f60c1c 3183static int selinux_inode_setxattr(struct mnt_idmap *idmap,
71bc356f 3184 struct dentry *dentry, const char *name,
8f0cfa52 3185 const void *value, size_t size, int flags)
1da177e4 3186{
c6f493d6 3187 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3188 struct inode_security_struct *isec;
1da177e4 3189 struct superblock_security_struct *sbsec;
2bf49690 3190 struct common_audit_data ad;
275bb41e 3191 u32 newsid, sid = current_sid();
1da177e4
LT		 3192 int rc = 0;
3193
6b240306
EB		 3194 if (strcmp(name, XATTR_NAME_SELINUX)) {
3195 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3196 if (rc)
3197 return rc;
3198
3199 /* Not an attribute we recognize, so just check the
3200 ordinary setattr permission. */
3201 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3202 }
1da177e4 3203
e67b7985 3204 if (!selinux_initialized())
01beba79 3205 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3e3e24b4 3206
1aea7808 3207 sbsec = selinux_superblock(inode->i_sb);
12f348b9 3208 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3209 return -EOPNOTSUPP;
3210
01beba79 3211 if (!inode_owner_or_capable(idmap, inode))
1da177e4
LT		 3212 return -EPERM;
3213
50c205f5 3214 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3215 ad.u.dentry = dentry;
1da177e4 3216
20cdef8d 3217 isec = backing_inode_security(dentry);
e67b7985 3218 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3219 FILE__RELABELFROM, &ad);
3220 if (rc)
3221 return rc;
3222
e67b7985 3223 rc = security_context_to_sid(value, size, &newsid,
aa8e712c 3224 GFP_KERNEL);
12b29f34 3225 if (rc == -EINVAL) {
db59000a 3226 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3227 struct audit_buffer *ab;
3228 size_t audit_size;
d6ea83ec
EP		 3229
3230 /* We strip a nul only if it is at the end, otherwise the
3231 * context contains a nul and we should audit that */
e3fea3f7 3232 if (value) {
add24372
CIK		 3233 const char *str = value;
3234
e3fea3f7
AV		 3235 if (str[size - 1] == '\0')
3236 audit_size = size - 1;
3237 else
3238 audit_size = size;
3239 } else {
e3fea3f7
AV		 3240 audit_size = 0;
3241 }
cdfb6b34
RGB		 3242 ab = audit_log_start(audit_context(),
3243 GFP_ATOMIC, AUDIT_SELINUX_ERR);
893c47d1
AK		 3244 if (!ab)
3245 return rc;
d6ea83ec
EP		 3246 audit_log_format(ab, "op=setxattr invalid_context=");
3247 audit_log_n_untrustedstring(ab, value, audit_size);
3248 audit_log_end(ab);
3249
12b29f34 3250 return rc;
d6ea83ec 3251 }
e67b7985 3252 rc = security_context_to_sid_force(value,
aa8e712c 3253 size, &newsid);
12b29f34 3254 }
1da177e4
LT		 3255 if (rc)
3256 return rc;
3257
e67b7985 3258 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3259 FILE__RELABELTO, &ad);
3260 if (rc)
3261 return rc;
3262
e67b7985 3263 rc = security_validate_transition(isec->sid, newsid,
aa8e712c 3264 sid, isec->sclass);
1da177e4
LT		 3265 if (rc)
3266 return rc;
3267
e67b7985 3268 return avc_has_perm(newsid,
1da177e4
LT		 3269 sbsec->sid,
3270 SECCLASS_FILESYSTEM,
3271 FILESYSTEM__ASSOCIATE,
3272 &ad);
3273}
3274
700b7940 3275static int selinux_inode_set_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3276 struct dentry *dentry, const char *acl_name,
3277 struct posix_acl *kacl)
3278{
3279 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3280}
3281
700b7940 3282static int selinux_inode_get_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3283 struct dentry *dentry, const char *acl_name)
3284{
3285 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3286}
3287
700b7940 3288static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3289 struct dentry *dentry, const char *acl_name)
3290{
3291 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3292}
3293
8f0cfa52 3294static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3295 const void *value, size_t size,
8f0cfa52 3296 int flags)
1da177e4 3297{
c6f493d6 3298 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3299 struct inode_security_struct *isec;
1da177e4
LT		 3300 u32 newsid;
3301 int rc;
3302
3303 if (strcmp(name, XATTR_NAME_SELINUX)) {
3304 /* Not an attribute we recognize, so nothing to do. */
3305 return;
3306 }
3307
e67b7985 3308 if (!selinux_initialized()) {
3e3e24b4
JL		 3309 /* If we haven't even been initialized, then we can't validate
3310 * against a policy, so leave the label as invalid. It may
3311 * resolve to a valid label on the next revalidation try if
3312 * we've since initialized.
3313 */
3314 return;
3315 }
3316
e67b7985 3317 rc = security_context_to_sid_force(value, size,
aa8e712c 3318 &newsid);
1da177e4 3319 if (rc) {
c103a91e 3320 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3321 "for (%s, %lu), rc=%d\n",
3322 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3323 return;
3324 }
3325
20cdef8d 3326 isec = backing_inode_security(dentry);
9287aed2 3327 spin_lock(&isec->lock);
aa9c2669 3328 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3329 isec->sid = newsid;
6f3be9f5 3330 isec->initialized = LABEL_INITIALIZED;
9287aed2 3331 spin_unlock(&isec->lock);
1da177e4
LT		 3332}
3333
8f0cfa52 3334static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3335{
88e67f3b
DH		 3336 const struct cred *cred = current_cred();
3337
2875fa00 3338 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3339}
3340
828dfe1d 3341static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3342{
88e67f3b
DH		 3343 const struct cred *cred = current_cred();
3344
2875fa00 3345 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3346}
3347
39f60c1c 3348static int selinux_inode_removexattr(struct mnt_idmap *idmap,
71bc356f 3349 struct dentry *dentry, const char *name)
1da177e4 3350{
6b240306 3351 if (strcmp(name, XATTR_NAME_SELINUX)) {
39f60c1c 3352 int rc = cap_inode_removexattr(idmap, dentry, name);
6b240306
EB		 3353 if (rc)
3354 return rc;
3355
3356 /* Not an attribute we recognize, so just check the
3357 ordinary setattr permission. */
3358 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3359 }
1da177e4 3360
e67b7985 3361 if (!selinux_initialized())
9530a3e0
SS		 3362 return 0;
3363
1da177e4
LT		 3364 /* No one is allowed to remove a SELinux security label.
3365 You can change the label, but all data must be labeled. */
3366 return -EACCES;
3367}
3368
ac5656d8
AG		 3369static int selinux_path_notify(const struct path *path, u64 mask,
3370 unsigned int obj_type)
3371{
3372 int ret;
3373 u32 perm;
3374
3375 struct common_audit_data ad;
3376
3377 ad.type = LSM_AUDIT_DATA_PATH;
3378 ad.u.path = *path;
3379
3380 /*
3381 * Set permission needed based on the type of mark being set.
3382 * Performs an additional check for sb watches.
3383 */
3384 switch (obj_type) {
3385 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3386 perm = FILE__WATCH_MOUNT;
3387 break;
3388 case FSNOTIFY_OBJ_TYPE_SB:
3389 perm = FILE__WATCH_SB;
3390 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3391 FILESYSTEM__WATCH, &ad);
3392 if (ret)
3393 return ret;
3394 break;
3395 case FSNOTIFY_OBJ_TYPE_INODE:
3396 perm = FILE__WATCH;
3397 break;
3398 default:
3399 return -EINVAL;
3400 }
3401
3402 /* blocking watches require the file:watch_with_perm permission */
3403 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3404 perm |= FILE__WATCH_WITH_PERM;
3405
3406 /* watches on read-like events need the file:watch_reads permission */
3407 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3408 perm |= FILE__WATCH_READS;
3409
3410 return path_has_perm(current_cred(), path, perm);
3411}
3412
d381d8a9 3413/*
abc69bb6 3414 * Copy the inode security context value to the user.
d381d8a9
JM		 3415 *
3416 * Permission check is handled by selinux_inode_getxattr hook.
3417 */
4609e1f1 3418static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
71bc356f
CB		 3419 struct inode *inode, const char *name,
3420 void **buffer, bool alloc)
1da177e4 3421{
42492594
DQ		 3422 u32 size;
3423 int error;
3424 char *context = NULL;
20cdef8d 3425 struct inode_security_struct *isec;
d381d8a9 3426
c8e22261
JL		 3427 /*
3428 * If we're not initialized yet, then we can't validate contexts, so
3429 * just let vfs_getxattr fall back to using the on-disk xattr.
3430 */
e67b7985 3431 if (!selinux_initialized() ||
c8e22261 3432 strcmp(name, XATTR_SELINUX_SUFFIX))
8c8570fb 3433 return -EOPNOTSUPP;
d381d8a9 3434
abc69bb6
SS		 3435 /*
3436 * If the caller has CAP_MAC_ADMIN, then get the raw context
3437 * value even if it is not defined by current policy; otherwise,
3438 * use the in-core value under current policy.
3439 * Use the non-auditing forms of the permission checks since
3440 * getxattr may be called by unprivileged processes commonly
3441 * and lack of permission just means that we fall back to the
3442 * in-core context value, not a denial.
3443 */
20cdef8d 3444 isec = inode_security(inode);
db59000a 3445 if (has_cap_mac_admin(false))
e67b7985 3446 error = security_sid_to_context_force(isec->sid, &context,
abc69bb6
SS		 3447 &size);
3448 else
e67b7985 3449 error = security_sid_to_context(isec->sid,
aa8e712c 3450 &context, &size);
42492594
DQ		 3451 if (error)
3452 return error;
3453 error = size;
3454 if (alloc) {
3455 *buffer = context;
3456 goto out_nofree;
3457 }
3458 kfree(context);
3459out_nofree:
3460 return error;
1da177e4
LT		 3461}
3462
3463static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3464 const void *value, size_t size, int flags)
1da177e4 3465{
2c97165b 3466 struct inode_security_struct *isec = inode_security_novalidate(inode);
1aea7808 3467 struct superblock_security_struct *sbsec;
1da177e4
LT		 3468 u32 newsid;
3469 int rc;
3470
3471 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3472 return -EOPNOTSUPP;
3473
1aea7808 3474 sbsec = selinux_superblock(inode->i_sb);
53e0c2aa
OM		 3475 if (!(sbsec->flags & SBLABEL_MNT))
3476 return -EOPNOTSUPP;
3477
1da177e4
LT		 3478 if (!value || !size)
3479 return -EACCES;
3480
e67b7985 3481 rc = security_context_to_sid(value, size, &newsid,
aa8e712c 3482 GFP_KERNEL);
1da177e4
LT		 3483 if (rc)
3484 return rc;
3485
9287aed2 3486 spin_lock(&isec->lock);
aa9c2669 3487 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3488 isec->sid = newsid;
6f3be9f5 3489 isec->initialized = LABEL_INITIALIZED;
9287aed2 3490 spin_unlock(&isec->lock);
1da177e4
LT		 3491 return 0;
3492}
3493
3494static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3495{
3496 const int len = sizeof(XATTR_NAME_SELINUX);
a9ffe682 3497
e67b7985 3498 if (!selinux_initialized())
a9ffe682
AG		 3499 return 0;
3500
1da177e4
LT		 3501 if (buffer && len <= buffer_size)
3502 memcpy(buffer, XATTR_NAME_SELINUX, len);
3503 return len;
3504}
3505
d6335d77 3506static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3507{
e817c2f3 3508 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3509 *secid = isec->sid;
3510}
3511
56909eb3
VG		 3512static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3513{
3514 u32 sid;
3515 struct task_security_struct *tsec;
3516 struct cred *new_creds = *new;
3517
3518 if (new_creds == NULL) {
3519 new_creds = prepare_creds();
3520 if (!new_creds)
3521 return -ENOMEM;
3522 }
3523
0c6cfa62 3524 tsec = selinux_cred(new_creds);
56909eb3
VG		 3525 /* Get label from overlay inode and set it in create_sid */
3526 selinux_inode_getsecid(d_inode(src), &sid);
3527 tsec->create_sid = sid;
3528 *new = new_creds;
3529 return 0;
3530}
3531
19472b69
VG		 3532static int selinux_inode_copy_up_xattr(const char *name)
3533{
3534 /* The copy_up hook above sets the initial context on an inode, but we
3535 * don't then want to overwrite it by blindly copying all the lower
3536 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3537 */
3538 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3539 return 1; /* Discard */
3540 /*
3541 * Any other attribute apart from SELINUX is not claimed, supported
3542 * by selinux.
3543 */
3544 return -EOPNOTSUPP;
3545}
3546
ec882da5
OM		 3547/* kernfs node operations */
3548
c72c4cde
Y		 3549static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3550 struct kernfs_node *kn)
ec882da5 3551{
169ce0c0 3552 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3553 u32 parent_sid, newsid, clen;
3554 int rc;
3555 char *context;
3556
1537ad15 3557 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3558 if (rc == -ENODATA)
3559 return 0;
3560 else if (rc < 0)
3561 return rc;
3562
3563 clen = (u32)rc;
3564 context = kmalloc(clen, GFP_KERNEL);
3565 if (!context)
3566 return -ENOMEM;
3567
1537ad15 3568 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3569 if (rc < 0) {
3570 kfree(context);
3571 return rc;
3572 }
3573
e67b7985 3574 rc = security_context_to_sid(context, clen, &parent_sid,
ec882da5
OM		 3575 GFP_KERNEL);
3576 kfree(context);
3577 if (rc)
3578 return rc;
3579
3580 if (tsec->create_sid) {
3581 newsid = tsec->create_sid;
3582 } else {
3583 u16 secclass = inode_mode_to_security_class(kn->mode);
3584 struct qstr q;
3585
3586 q.name = kn->name;
3587 q.hash_len = hashlen_string(kn_dir, kn->name);
3588
e67b7985 3589 rc = security_transition_sid(tsec->sid,
ec882da5
OM		 3590 parent_sid, secclass, &q,
3591 &newsid);
3592 if (rc)
3593 return rc;
3594 }
3595
e67b7985 3596 rc = security_sid_to_context_force(newsid,
ec882da5
OM		 3597 &context, &clen);
3598 if (rc)
3599 return rc;
3600
1537ad15
OM		 3601 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3602 XATTR_CREATE);
ec882da5
OM		 3603 kfree(context);
3604 return rc;
3605}
3606
3607
1da177e4
LT		 3608/* file security operations */
3609
788e7dd4 3610static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3611{
88e67f3b 3612 const struct cred *cred = current_cred();
496ad9aa 3613 struct inode *inode = file_inode(file);
1da177e4 3614
1da177e4
LT		 3615 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3616 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3617 mask |= MAY_APPEND;
3618
389fb800
PM		 3619 return file_has_perm(cred, file,
3620 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3621}
3622
788e7dd4
YN		 3623static int selinux_file_permission(struct file *file, int mask)
3624{
496ad9aa 3625 struct inode *inode = file_inode(file);
bb6c6b02 3626 struct file_security_struct *fsec = selinux_file(file);
b197367e 3627 struct inode_security_struct *isec;
20dda18b
SS		 3628 u32 sid = current_sid();
3629
389fb800 3630 if (!mask)
788e7dd4
YN		 3631 /* No permission to check. Existence test. */
3632 return 0;
788e7dd4 3633
b197367e 3634 isec = inode_security(inode);
20dda18b 3635 if (sid == fsec->sid && fsec->isid == isec->sid &&
e67b7985 3636 fsec->pseqno == avc_policy_seqno())
83d49856 3637 /* No change since file_open check. */
20dda18b
SS		 3638 return 0;
3639
788e7dd4
YN		 3640 return selinux_revalidate_file_permission(file, mask);
3641}
3642
1da177e4
LT		 3643static int selinux_file_alloc_security(struct file *file)
3644{
cb89e246
PM		 3645 struct file_security_struct *fsec = selinux_file(file);
3646 u32 sid = current_sid();
3647
3648 fsec->sid = sid;
3649 fsec->fown_sid = sid;
3650
3651 return 0;
1da177e4
LT		 3652}
3653
fa1aa143
JVS		 3654/*
3655 * Check whether a task has the ioctl permission and cmd
3656 * operation to an inode.
3657 */
1d2a168a 3658static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3659 u32 requested, u16 cmd)
3660{
3661 struct common_audit_data ad;
bb6c6b02 3662 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3663 struct inode *inode = file_inode(file);
20cdef8d 3664 struct inode_security_struct *isec;
fa1aa143
JVS		 3665 struct lsm_ioctlop_audit ioctl;
3666 u32 ssid = cred_sid(cred);
3667 int rc;
3668 u8 driver = cmd >> 8;
3669 u8 xperm = cmd & 0xff;
3670
3671 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3672 ad.u.op = &ioctl;
3673 ad.u.op->cmd = cmd;
3674 ad.u.op->path = file->f_path;
3675
3676 if (ssid != fsec->sid) {
e67b7985 3677 rc = avc_has_perm(ssid, fsec->sid,
fa1aa143
JVS		 3678 SECCLASS_FD,
3679 FD__USE,
3680 &ad);
3681 if (rc)
3682 goto out;
3683 }
3684
3685 if (unlikely(IS_PRIVATE(inode)))
3686 return 0;
3687
20cdef8d 3688 isec = inode_security(inode);
e67b7985 3689 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
6b6bc620 3690 requested, driver, xperm, &ad);
fa1aa143
JVS		 3691out:
3692 return rc;
3693}
3694
1da177e4
LT		 3695static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3696 unsigned long arg)
3697{
88e67f3b 3698 const struct cred *cred = current_cred();
0b24dcb7 3699 int error = 0;
1da177e4 3700
0b24dcb7
EP		 3701 switch (cmd) {
3702 case FIONREAD:
0b24dcb7 3703 case FIBMAP:
0b24dcb7 3704 case FIGETBSZ:
2f99c369 3705 case FS_IOC_GETFLAGS:
2f99c369 3706 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3707 error = file_has_perm(cred, file, FILE__GETATTR);
3708 break;
1da177e4 3709
2f99c369 3710 case FS_IOC_SETFLAGS:
2f99c369 3711 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3712 error = file_has_perm(cred, file, FILE__SETATTR);
3713 break;
3714
3715 /* sys_ioctl() checks */
3716 case FIONBIO:
0b24dcb7
EP		 3717 case FIOASYNC:
3718 error = file_has_perm(cred, file, 0);
3719 break;
1da177e4 3720
0b24dcb7
EP		 3721 case KDSKBENT:
3722 case KDSKBSENT:
6a9de491 3723 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3724 CAP_OPT_NONE, true);
0b24dcb7
EP		 3725 break;
3726
65881e1d
RH		 3727 case FIOCLEX:
3728 case FIONCLEX:
3729 if (!selinux_policycap_ioctl_skip_cloexec())
3730 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3731 break;
3732
0b24dcb7
EP		 3733 /* default case assumes that the command will go
3734 * to the file's ioctl() function.
3735 */
3736 default:
fa1aa143 3737 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3738 }
3739 return error;
1da177e4
LT		 3740}
3741
f1bb47a3
AP		 3742static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3743 unsigned long arg)
3744{
3745 /*
3746 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3747 * make sure we don't compare 32-bit flags to 64-bit flags.
3748 */
3749 switch (cmd) {
3750 case FS_IOC32_GETFLAGS:
3751 cmd = FS_IOC_GETFLAGS;
3752 break;
3753 case FS_IOC32_SETFLAGS:
3754 cmd = FS_IOC_SETFLAGS;
3755 break;
3756 case FS_IOC32_GETVERSION:
3757 cmd = FS_IOC_GETVERSION;
3758 break;
3759 case FS_IOC32_SETVERSION:
3760 cmd = FS_IOC_SETVERSION;
3761 break;
3762 default:
3763 break;
3764 }
3765
3766 return selinux_file_ioctl(file, cmd, arg);
3767}
3768
b78b7d59 3769static int default_noexec __ro_after_init;
fcaaade1 3770
1da177e4
LT		 3771static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3772{
88e67f3b 3773 const struct cred *cred = current_cred();
be0554c9 3774 u32 sid = cred_sid(cred);
d84f4f99 3775 int rc = 0;
88e67f3b 3776
fcaaade1 3777 if (default_noexec &&
892e8cac
SS		 3778 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3779 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3780 /*
3781 * We are making executable an anonymous mapping or a
3782 * private file mapping that will also be writable.
3783 * This has an additional check.
3784 */
e67b7985 3785 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3786 PROCESS__EXECMEM, NULL);
1da177e4 3787 if (rc)
d84f4f99 3788 goto error;
1da177e4 3789 }
1da177e4
LT		 3790
3791 if (file) {
3792 /* read access is always possible with a mapping */
3793 u32 av = FILE__READ;
3794
3795 /* write access only matters if the mapping is shared */
3796 if (shared && (prot & PROT_WRITE))
3797 av |= FILE__WRITE;
3798
3799 if (prot & PROT_EXEC)
3800 av |= FILE__EXECUTE;
3801
88e67f3b 3802 return file_has_perm(cred, file, av);
1da177e4 3803 }
d84f4f99
DH		 3804
3805error:
3806 return rc;
1da177e4
LT		 3807}
3808
e5467859 3809static int selinux_mmap_addr(unsigned long addr)
1da177e4 3810{
b1d9e6b0 3811 int rc = 0;
1da177e4 3812
a2551df7 3813 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3814 u32 sid = current_sid();
e67b7985 3815 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
ed032189 3816 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3817 }
3818
98883bfd 3819 return rc;
e5467859 3820}
1da177e4 3821
a7e4676e
PM		 3822static int selinux_mmap_file(struct file *file,
3823 unsigned long reqprot __always_unused,
e5467859
AV		 3824 unsigned long prot, unsigned long flags)
3825{
3ba4bf5f
SS		 3826 struct common_audit_data ad;
3827 int rc;
3828
3829 if (file) {
3830 ad.type = LSM_AUDIT_DATA_FILE;
3831 ad.u.file = file;
3832 rc = inode_has_perm(current_cred(), file_inode(file),
3833 FILE__MAP, &ad);
3834 if (rc)
3835 return rc;
3836 }
3837
1da177e4
LT		 3838 return file_map_prot_check(file, prot,
3839 (flags & MAP_TYPE) == MAP_SHARED);
3840}
3841
3842static int selinux_file_mprotect(struct vm_area_struct *vma,
a7e4676e 3843 unsigned long reqprot __always_unused,
1da177e4
LT		 3844 unsigned long prot)
3845{
88e67f3b 3846 const struct cred *cred = current_cred();
be0554c9 3847 u32 sid = cred_sid(cred);
1da177e4 3848
fcaaade1
SS		 3849 if (default_noexec &&
3850 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3851 int rc = 0;
68df1baf 3852 if (vma_is_initial_heap(vma)) {
e67b7985 3853 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3854 PROCESS__EXECHEAP, NULL);
68df1baf 3855 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
d17af505 3856 vma_is_stack_for_current(vma))) {
e67b7985 3857 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3858 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3859 } else if (vma->vm_file && vma->anon_vma) {
3860 /*
3861 * We are making executable a file mapping that has
3862 * had some COW done. Since pages might have been
3863 * written, check ability to execute the possibly
3864 * modified content. This typically should only
3865 * occur for text relocations.
3866 */
d84f4f99 3867 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3868 }