projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: clean up selinux_inode_permission MAY_NOT_BLOCK tests
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4
LT		 2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7efbb60b 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
0d094efe 27#include <linux/tracehook.h>
1da177e4 28#include <linux/errno.h>
3f07c014 29#include <linux/sched/signal.h>
29930025 30#include <linux/sched/task.h>
3c4ed7bd 31#include <linux/lsm_hooks.h>
1da177e4
LT		 32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
0b24dcb7 39#include <linux/proc_fs.h>
1da177e4 40#include <linux/swap.h>
1da177e4
LT		 41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
2a7dba39 43#include <linux/dcache.h>
1da177e4 44#include <linux/file.h>
9f3acc31 45#include <linux/fdtable.h>
1da177e4
LT		 46#include <linux/namei.h>
47#include <linux/mount.h>
442155c1
DH		 48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
d452930f
RH		 69#include <linux/sctp.h>
70#include <net/sctp/structs.h>
1da177e4
LT		 71#include <linux/quota.h>
72#include <linux/un.h> /* for Unix socket types */
73#include <net/af_unix.h> /* for Unix socket types */
74#include <linux/parser.h>
75#include <linux/nfs_mount.h>
76#include <net/ipv6.h>
77#include <linux/hugetlb.h>
78#include <linux/personality.h>
1da177e4 79#include <linux/audit.h>
6931dfc9 80#include <linux/string.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
ec27c356 88#include <linux/bpf.h>
ec882da5
OM		 89#include <linux/kernfs.h>
90#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 91#include <uapi/linux/mount.h>
ac5656d8
AG		 92#include <linux/fsnotify.h>
93#include <linux/fanotify.h>
1da177e4
LT		 94
95#include "avc.h"
96#include "objsec.h"
97#include "netif.h"
224dfbd8 98#include "netnode.h"
3e112172 99#include "netport.h"
409dcf31 100#include "ibpkey.h"
d28d1e08 101#include "xfrm.h"
c60475bf 102#include "netlabel.h"
9d57a7f9 103#include "audit.h"
7b98a585 104#include "avc_ss.h"
1da177e4 105
aa8e712c
SS		 106struct selinux_state selinux_state;
107
d621d35e 108/* SECMARK reference count */
56a4ca99 109static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 110
1da177e4 111#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 112static int selinux_enforcing_boot;
1da177e4
LT		 113
114static int __init enforcing_setup(char *str)
115{
f5269710 116 unsigned long enforcing;
29707b20 117 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 118 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 119 return 1;
120}
121__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 122#else
123#define selinux_enforcing_boot 1
1da177e4
LT		 124#endif
125
be6ec88f 126int selinux_enabled __lsm_ro_after_init = 1;
1da177e4 127#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 128static int __init selinux_enabled_setup(char *str)
129{
f5269710 130 unsigned long enabled;
29707b20 131 if (!kstrtoul(str, 0, &enabled))
f5269710 132 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 133 return 1;
134}
135__setup("selinux=", selinux_enabled_setup);
136#endif
137
aa8e712c
SS		 138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
d621d35e
PM		 151/**
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153 *
154 * Description:
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 160 *
161 */
162static int selinux_secmark_enabled(void)
163{
aa8e712c
SS		 164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 166}
167
168/**
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170 *
171 * Description:
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
176 *
177 */
178static int selinux_peerlbl_enabled(void)
179{
aa8e712c
SS		 180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 182}
183
615e51fd
PM		 184static int selinux_netcache_avc_callback(u32 event)
185{
186 if (event == AVC_CALLBACK_RESET) {
187 sel_netif_flush();
188 sel_netnode_flush();
189 sel_netport_flush();
190 synchronize_net();
191 }
192 return 0;
193}
194
8f408ab6
DJ		 195static int selinux_lsm_notifier_avc_callback(u32 event)
196{
409dcf31
DJ		 197 if (event == AVC_CALLBACK_RESET) {
198 sel_ib_pkey_flush();
42df744c 199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 200 }
8f408ab6
DJ		 201
202 return 0;
203}
204
d84f4f99
DH		 205/*
206 * initialise the security for the init task
207 */
208static void cred_init_security(void)
1da177e4 209{
3b11a1de 210 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 211 struct task_security_struct *tsec;
212
bbd3662a 213 tsec = selinux_cred(cred);
d84f4f99 214 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 215}
216
88e67f3b
DH		 217/*
218 * get the security ID of a set of credentials
219 */
220static inline u32 cred_sid(const struct cred *cred)
221{
222 const struct task_security_struct *tsec;
223
0c6cfa62 224 tsec = selinux_cred(cred);
88e67f3b
DH		 225 return tsec->sid;
226}
227
275bb41e 228/*
3b11a1de 229 * get the objective security ID of a task
275bb41e
DH		 230 */
231static inline u32 task_sid(const struct task_struct *task)
232{
275bb41e
DH		 233 u32 sid;
234
235 rcu_read_lock();
88e67f3b 236 sid = cred_sid(__task_cred(task));
275bb41e
DH		 237 rcu_read_unlock();
238 return sid;
239}
240
88e67f3b
DH		 241/* Allocate and free functions for each kind of security blob. */
242
1da177e4
LT		 243static int inode_alloc_security(struct inode *inode)
244{
afb1cbe3 245 struct inode_security_struct *isec = selinux_inode(inode);
275bb41e 246 u32 sid = current_sid();
1da177e4 247
9287aed2 248 spin_lock_init(&isec->lock);
1da177e4 249 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 250 isec->inode = inode;
251 isec->sid = SECINITSID_UNLABELED;
252 isec->sclass = SECCLASS_FILE;
275bb41e 253 isec->task_sid = sid;
42059112 254 isec->initialized = LABEL_INVALID;
1da177e4
LT		 255
256 return 0;
257}
258
5d226df4
AG		 259static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
260
261/*
262 * Try reloading inode security labels that have been marked as invalid. The
263 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 264 * allowed; when set to false, returns -ECHILD when the label is
e9193288 265 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 266 */
267static int __inode_security_revalidate(struct inode *inode,
e9193288 268 struct dentry *dentry,
5d226df4
AG		 269 bool may_sleep)
270{
80788c22 271 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 272
273 might_sleep_if(may_sleep);
274
aa8e712c
SS		 275 if (selinux_state.initialized &&
276 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 277 if (!may_sleep)
278 return -ECHILD;
279
280 /*
281 * Try reloading the inode security label. This will fail if
282 * @opt_dentry is NULL and no dentry for this inode can be
283 * found; in that case, continue using the old label.
284 */
e9193288 285 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 286 }
287 return 0;
288}
289
5d226df4
AG		 290static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
291{
80788c22 292 return selinux_inode(inode);
5d226df4
AG		 293}
294
295static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
296{
297 int error;
298
299 error = __inode_security_revalidate(inode, NULL, !rcu);
300 if (error)
301 return ERR_PTR(error);
80788c22 302 return selinux_inode(inode);
5d226df4
AG		 303}
304
83da53c5
AG		 305/*
306 * Get the security label of an inode.
307 */
308static struct inode_security_struct *inode_security(struct inode *inode)
309{
5d226df4 310 __inode_security_revalidate(inode, NULL, true);
80788c22 311 return selinux_inode(inode);
83da53c5
AG		 312}
313
2c97165b
PM		 314static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
315{
316 struct inode *inode = d_backing_inode(dentry);
317
80788c22 318 return selinux_inode(inode);
2c97165b
PM		 319}
320
83da53c5
AG		 321/*
322 * Get the security label of a dentry's backing inode.
323 */
324static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
325{
326 struct inode *inode = d_backing_inode(dentry);
327
5d226df4 328 __inode_security_revalidate(inode, dentry, true);
80788c22 329 return selinux_inode(inode);
83da53c5
AG		 330}
331
1da177e4
LT		 332static void inode_free_security(struct inode *inode)
333{
80788c22 334 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 335 struct superblock_security_struct *sbsec;
1da177e4 336
afb1cbe3
CS		 337 if (!isec)
338 return;
339 sbsec = inode->i_sb->s_security;
9629d04a
WL		 340 /*
341 * As not all inode security structures are in a list, we check for
342 * empty list outside of the lock to make sure that we won't waste
343 * time taking a lock doing nothing.
344 *
345 * The list_del_init() function can be safely called more than once.
346 * It should not be possible for this function to be called with
347 * concurrent list_add(), but for better safety against future changes
348 * in the code, we use list_empty_careful() here.
349 */
350 if (!list_empty_careful(&isec->list)) {
351 spin_lock(&sbsec->isec_lock);
1da177e4 352 list_del_init(&isec->list);
9629d04a
WL		 353 spin_unlock(&sbsec->isec_lock);
354 }
1da177e4
LT		 355}
356
357static int file_alloc_security(struct file *file)
358{
33bf60ca 359 struct file_security_struct *fsec = selinux_file(file);
275bb41e 360 u32 sid = current_sid();
1da177e4 361
275bb41e
DH		 362 fsec->sid = sid;
363 fsec->fown_sid = sid;
1da177e4
LT		 364
365 return 0;
366}
367
1da177e4
LT		 368static int superblock_alloc_security(struct super_block *sb)
369{
370 struct superblock_security_struct *sbsec;
371
89d155ef 372 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 373 if (!sbsec)
374 return -ENOMEM;
375
bc7e982b 376 mutex_init(&sbsec->lock);
1da177e4
LT		 377 INIT_LIST_HEAD(&sbsec->isec_head);
378 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 379 sbsec->sb = sb;
380 sbsec->sid = SECINITSID_UNLABELED;
381 sbsec->def_sid = SECINITSID_FILE;
c312feb2 382 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 383 sb->s_security = sbsec;
384
385 return 0;
386}
387
388static void superblock_free_security(struct super_block *sb)
389{
390 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 391 sb->s_security = NULL;
392 kfree(sbsec);
393}
394
bd323655
AV		 395struct selinux_mnt_opts {
396 const char *fscontext, *context, *rootcontext, *defcontext;
397};
398
204cc0cc
AV		 399static void selinux_free_mnt_opts(void *mnt_opts)
400{
bd323655
AV		 401 struct selinux_mnt_opts *opts = mnt_opts;
402 kfree(opts->fscontext);
403 kfree(opts->context);
404 kfree(opts->rootcontext);
405 kfree(opts->defcontext);
204cc0cc
AV		 406 kfree(opts);
407}
408
1da177e4
LT		 409static inline int inode_doinit(struct inode *inode)
410{
411 return inode_doinit_with_dentry(inode, NULL);
412}
413
414enum {
31e87930 415 Opt_error = -1,
442155c1
DH		 416 Opt_context = 0,
417 Opt_defcontext = 1,
1da177e4 418 Opt_fscontext = 2,
442155c1
DH		 419 Opt_rootcontext = 3,
420 Opt_seclabel = 4,
1da177e4
LT		 421};
422
da3d76ab 423#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 424static struct {
425 const char *name;
426 int len;
427 int opt;
428 bool has_arg;
429} tokens[] = {
da3d76ab
AV		 430 A(context, true),
431 A(fscontext, true),
432 A(defcontext, true),
433 A(rootcontext, true),
434 A(seclabel, false),
1da177e4 435};
169d68ef
AV		 436#undef A
437
438static int match_opt_prefix(char *s, int l, char **arg)
439{
440 int i;
441
442 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
443 size_t len = tokens[i].len;
444 if (len > l || memcmp(s, tokens[i].name, len))
445 continue;
446 if (tokens[i].has_arg) {
447 if (len == l || s[len] != '=')
448 continue;
449 *arg = s + len + 1;
450 } else if (len != l)
451 continue;
452 return tokens[i].opt;
453 }
454 return Opt_error;
455}
1da177e4
LT		 456
457#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
458
c312feb2
EP		 459static int may_context_mount_sb_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
275bb41e 461 const struct cred *cred)
c312feb2 462{
0c6cfa62 463 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 464 int rc;
465
6b6bc620
SS		 466 rc = avc_has_perm(&selinux_state,
467 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 468 FILESYSTEM__RELABELFROM, NULL);
469 if (rc)
470 return rc;
471
6b6bc620
SS		 472 rc = avc_has_perm(&selinux_state,
473 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 474 FILESYSTEM__RELABELTO, NULL);
475 return rc;
476}
477
0808925e
EP		 478static int may_context_mount_inode_relabel(u32 sid,
479 struct superblock_security_struct *sbsec,
275bb41e 480 const struct cred *cred)
0808925e 481{
0c6cfa62 482 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 483 int rc;
6b6bc620
SS		 484 rc = avc_has_perm(&selinux_state,
485 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 486 FILESYSTEM__RELABELFROM, NULL);
487 if (rc)
488 return rc;
489
6b6bc620
SS		 490 rc = avc_has_perm(&selinux_state,
491 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 492 FILESYSTEM__ASSOCIATE, NULL);
493 return rc;
494}
495
a83d6dda 496static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 497{
a83d6dda
OM		 498 /* Special handling. Genfs but also in-core setxattr handler */
499 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 500 !strcmp(sb->s_type->name, "pstore") ||
501 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 502 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 503 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 504 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 505 (!strcmp(sb->s_type->name, "cgroup") ||
506 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 507}
508
a83d6dda
OM		 509static int selinux_is_sblabel_mnt(struct super_block *sb)
510{
511 struct superblock_security_struct *sbsec = sb->s_security;
512
513 /*
514 * IMPORTANT: Double-check logic in this function when adding a new
515 * SECURITY_FS_USE_* definition!
516 */
517 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
518
519 switch (sbsec->behavior) {
520 case SECURITY_FS_USE_XATTR:
521 case SECURITY_FS_USE_TRANS:
522 case SECURITY_FS_USE_TASK:
523 case SECURITY_FS_USE_NATIVE:
524 return 1;
525
526 case SECURITY_FS_USE_GENFS:
527 return selinux_is_genfs_special_handling(sb);
528
529 /* Never allow relabeling on context mounts */
530 case SECURITY_FS_USE_MNTPOINT:
531 case SECURITY_FS_USE_NONE:
532 default:
533 return 0;
534 }
535}
536
c9180a57 537static int sb_finish_set_opts(struct super_block *sb)
1da177e4 538{
1da177e4 539 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 540 struct dentry *root = sb->s_root;
c6f493d6 541 struct inode *root_inode = d_backing_inode(root);
c9180a57 542 int rc = 0;
1da177e4 543
c9180a57
EP		 544 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
545 /* Make sure that the xattr handler exists and that no
546 error other than -ENODATA is returned by getxattr on
547 the root directory. -ENODATA is ok, as this may be
548 the first boot of the SELinux kernel before we have
549 assigned xattr values to the filesystem. */
5d6c3191 550 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 551 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 552 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 553 rc = -EOPNOTSUPP;
554 goto out;
555 }
5d6c3191
AG		 556
557 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 558 if (rc < 0 && rc != -ENODATA) {
559 if (rc == -EOPNOTSUPP)
c103a91e 560 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 561 "%s) has no security xattr handler\n",
562 sb->s_id, sb->s_type->name);
c9180a57 563 else
c103a91e 564 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 565 "%s) getxattr errno %d\n", sb->s_id,
566 sb->s_type->name, -rc);
c9180a57
EP		 567 goto out;
568 }
569 }
1da177e4 570
eadcabc6 571 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 572
573 /*
574 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
575 * leave the flag untouched because sb_clone_mnt_opts might be handing
576 * us a superblock that needs the flag to be cleared.
577 */
b43e725d 578 if (selinux_is_sblabel_mnt(sb))
12f348b9 579 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 580 else
581 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 582
c9180a57
EP		 583 /* Initialize the root inode. */
584 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 585
c9180a57
EP		 586 /* Initialize any other inodes associated with the superblock, e.g.
587 inodes created prior to initial policy load or inodes created
588 during get_sb by a pseudo filesystem that directly
589 populates itself. */
590 spin_lock(&sbsec->isec_lock);
8d64124a 591 while (!list_empty(&sbsec->isec_head)) {
c9180a57 592 struct inode_security_struct *isec =
8d64124a 593 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 594 struct inode_security_struct, list);
595 struct inode *inode = isec->inode;
923190d3 596 list_del_init(&isec->list);
c9180a57
EP		 597 spin_unlock(&sbsec->isec_lock);
598 inode = igrab(inode);
599 if (inode) {
600 if (!IS_PRIVATE(inode))
601 inode_doinit(inode);
602 iput(inode);
603 }
604 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 605 }
606 spin_unlock(&sbsec->isec_lock);
607out:
608 return rc;
609}
1da177e4 610
c9180a57
EP		 611static int bad_option(struct superblock_security_struct *sbsec, char flag,
612 u32 old_sid, u32 new_sid)
613{
0d90a7ec
DQ		 614 char mnt_flags = sbsec->flags & SE_MNTMASK;
615
c9180a57 616 /* check if the old mount command had the same options */
0d90a7ec 617 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 618 if (!(sbsec->flags & flag) ||
619 (old_sid != new_sid))
620 return 1;
621
622 /* check if we were passed the same options twice,
623 * aka someone passed context=a,context=b
624 */
0d90a7ec
DQ		 625 if (!(sbsec->flags & SE_SBINITIALIZED))
626 if (mnt_flags & flag)
c9180a57
EP		 627 return 1;
628 return 0;
629}
e0007529 630
bd323655
AV		 631static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
632{
633 int rc = security_context_str_to_sid(&selinux_state, s,
634 sid, GFP_KERNEL);
635 if (rc)
636 pr_warn("SELinux: security_context_str_to_sid"
637 "(%s) failed for (dev %s, type %s) errno=%d\n",
638 s, sb->s_id, sb->s_type->name, rc);
639 return rc;
640}
641
c9180a57
EP		 642/*
643 * Allow filesystems with binary mount data to explicitly set mount point
644 * labeling information.
645 */
e0007529 646static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 647 void *mnt_opts,
649f6e77
DQ		 648 unsigned long kern_flags,
649 unsigned long *set_kern_flags)
c9180a57 650{
275bb41e 651 const struct cred *cred = current_cred();
c9180a57 652 struct superblock_security_struct *sbsec = sb->s_security;
83da53c5 653 struct dentry *root = sbsec->sb->s_root;
bd323655 654 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 655 struct inode_security_struct *root_isec;
c9180a57
EP		 656 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
657 u32 defcontext_sid = 0;
bd323655 658 int rc = 0;
c9180a57
EP		 659
660 mutex_lock(&sbsec->lock);
661
aa8e712c 662 if (!selinux_state.initialized) {
bd323655 663 if (!opts) {
c9180a57
EP		 664 /* Defer initialization until selinux_complete_init,
665 after the initial policy is loaded and the security
666 server is ready to handle calls. */
c9180a57
EP		 667 goto out;
668 }
669 rc = -EINVAL;
c103a91e 670 pr_warn("SELinux: Unable to set superblock options "
744ba35e 671 "before the security server is initialized\n");
1da177e4 672 goto out;
c9180a57 673 }
649f6e77
DQ		 674 if (kern_flags && !set_kern_flags) {
675 /* Specifying internal flags without providing a place to
676 * place the results is not allowed */
677 rc = -EINVAL;
678 goto out;
679 }
1da177e4 680
e0007529
EP		 681 /*
682 * Binary mount data FS will come through this function twice. Once
683 * from an explicit call and once from the generic calls from the vfs.
684 * Since the generic VFS calls will not contain any security mount data
685 * we need to skip the double mount verification.
686 *
687 * This does open a hole in which we will not notice if the first
688 * mount using this sb set explict options and a second mount using
689 * this sb does not set any security options. (The first options
690 * will be used for both mounts)
691 */
0d90a7ec 692 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 693 && !opts)
f5269710 694 goto out;
e0007529 695
2c97165b
PM		 696 root_isec = backing_inode_security_novalidate(root);
697
c9180a57
EP		 698 /*
699 * parse the mount options, check if they are valid sids.
700 * also check if someone is trying to mount the same sb more
701 * than once with different security options.
702 */
bd323655
AV		 703 if (opts) {
704 if (opts->fscontext) {
705 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
706 if (rc)
707 goto out;
c9180a57
EP		 708 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
709 fscontext_sid))
710 goto out_double_mount;
c9180a57 711 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 712 }
713 if (opts->context) {
714 rc = parse_sid(sb, opts->context, &context_sid);
715 if (rc)
716 goto out;
c9180a57
EP		 717 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
718 context_sid))
719 goto out_double_mount;
c9180a57 720 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 721 }
722 if (opts->rootcontext) {
723 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
724 if (rc)
725 goto out;
c9180a57
EP		 726 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
727 rootcontext_sid))
728 goto out_double_mount;
c9180a57 729 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 730 }
731 if (opts->defcontext) {
732 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
733 if (rc)
734 goto out;
c9180a57
EP		 735 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
736 defcontext_sid))
737 goto out_double_mount;
c9180a57 738 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 739 }
c9180a57
EP		 740 }
741
0d90a7ec 742 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 743 /* previously mounted with options, but not on this attempt? */
bd323655 744 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 745 goto out_double_mount;
746 rc = 0;
747 goto out;
748 }
749
089be43e 750 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 751 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
752
8e014720 753 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 754 !strcmp(sb->s_type->name, "tracefs") ||
b754026b
OM		 755 !strcmp(sb->s_type->name, "pstore"))
756 sbsec->flags |= SE_SBGENFS;
757
758 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 759 !strcmp(sb->s_type->name, "cgroup") ||
760 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 761 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 762
eb9ae686
DQ		 763 if (!sbsec->behavior) {
764 /*
765 * Determine the labeling behavior to use for this
766 * filesystem type.
767 */
aa8e712c 768 rc = security_fs_use(&selinux_state, sb);
eb9ae686 769 if (rc) {
c103a91e 770 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 771 __func__, sb->s_type->name, rc);
772 goto out;
773 }
c9180a57 774 }
aad82892
SF		 775
776 /*
01593d32
SS		 777 * If this is a user namespace mount and the filesystem type is not
778 * explicitly whitelisted, then no contexts are allowed on the command
779 * line and security labels must be ignored.
aad82892 780 */
01593d32
SS		 781 if (sb->s_user_ns != &init_user_ns &&
782 strcmp(sb->s_type->name, "tmpfs") &&
783 strcmp(sb->s_type->name, "ramfs") &&
784 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 785 if (context_sid || fscontext_sid || rootcontext_sid ||
786 defcontext_sid) {
787 rc = -EACCES;
788 goto out;
789 }
790 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 792 rc = security_transition_sid(&selinux_state,
793 current_sid(),
794 current_sid(),
aad82892
SF		 795 SECCLASS_FILE, NULL,
796 &sbsec->mntpoint_sid);
797 if (rc)
798 goto out;
799 }
800 goto out_set_opts;
801 }
802
c9180a57
EP		 803 /* sets the context of the superblock for the fs being mounted. */
804 if (fscontext_sid) {
275bb41e 805 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 806 if (rc)
c9180a57 807 goto out;
1da177e4 808
c9180a57 809 sbsec->sid = fscontext_sid;
c312feb2
EP		 810 }
811
812 /*
813 * Switch to using mount point labeling behavior.
814 * sets the label used on all file below the mountpoint, and will set
815 * the superblock context if not already set.
816 */
eb9ae686
DQ		 817 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
818 sbsec->behavior = SECURITY_FS_USE_NATIVE;
819 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
820 }
821
c9180a57
EP		 822 if (context_sid) {
823 if (!fscontext_sid) {
275bb41e
DH		 824 rc = may_context_mount_sb_relabel(context_sid, sbsec,
825 cred);
b04ea3ce 826 if (rc)
c9180a57
EP		 827 goto out;
828 sbsec->sid = context_sid;
b04ea3ce 829 } else {
275bb41e
DH		 830 rc = may_context_mount_inode_relabel(context_sid, sbsec,
831 cred);
b04ea3ce 832 if (rc)
c9180a57 833 goto out;
b04ea3ce 834 }
c9180a57
EP		 835 if (!rootcontext_sid)
836 rootcontext_sid = context_sid;
1da177e4 837
c9180a57 838 sbsec->mntpoint_sid = context_sid;
c312feb2 839 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 840 }
841
c9180a57 842 if (rootcontext_sid) {
275bb41e
DH		 843 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
844 cred);
0808925e 845 if (rc)
c9180a57 846 goto out;
0808925e 847
c9180a57 848 root_isec->sid = rootcontext_sid;
6f3be9f5 849 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 850 }
851
c9180a57 852 if (defcontext_sid) {
eb9ae686
DQ		 853 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
854 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 855 rc = -EINVAL;
c103a91e 856 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 857 "invalid for this filesystem type\n");
858 goto out;
1da177e4
LT		 859 }
860
c9180a57
EP		 861 if (defcontext_sid != sbsec->def_sid) {
862 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 863 sbsec, cred);
c9180a57
EP		 864 if (rc)
865 goto out;
866 }
1da177e4 867
c9180a57 868 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 869 }
870
aad82892 871out_set_opts:
c9180a57 872 rc = sb_finish_set_opts(sb);
1da177e4 873out:
c9180a57 874 mutex_unlock(&sbsec->lock);
1da177e4 875 return rc;
c9180a57
EP		 876out_double_mount:
877 rc = -EINVAL;
c103a91e 878 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 879 "security settings for (dev %s, type %s)\n", sb->s_id,
880 sb->s_type->name);
c9180a57 881 goto out;
1da177e4
LT		 882}
883
094f7b69
JL		 884static int selinux_cmp_sb_context(const struct super_block *oldsb,
885 const struct super_block *newsb)
886{
887 struct superblock_security_struct *old = oldsb->s_security;
888 struct superblock_security_struct *new = newsb->s_security;
889 char oldflags = old->flags & SE_MNTMASK;
890 char newflags = new->flags & SE_MNTMASK;
891
892 if (oldflags != newflags)
893 goto mismatch;
894 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
895 goto mismatch;
896 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
897 goto mismatch;
898 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
899 goto mismatch;
900 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 901 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
902 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 903 if (oldroot->sid != newroot->sid)
904 goto mismatch;
905 }
906 return 0;
907mismatch:
c103a91e 908 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 909 "different security settings for (dev %s, "
910 "type %s)\n", newsb->s_id, newsb->s_type->name);
911 return -EBUSY;
912}
913
914static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 915 struct super_block *newsb,
916 unsigned long kern_flags,
917 unsigned long *set_kern_flags)
1da177e4 918{
0b4d3452 919 int rc = 0;
c9180a57
EP		 920 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
921 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 922
c9180a57
EP		 923 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
924 int set_context = (oldsbsec->flags & CONTEXT_MNT);
925 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 926
0f5e6420
EP		 927 /*
928 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 929 * mount options. thus we can safely deal with this superblock later
0f5e6420 930 */
aa8e712c 931 if (!selinux_state.initialized)
094f7b69 932 return 0;
c9180a57 933
0b4d3452
SM		 934 /*
935 * Specifying internal flags without providing a place to
936 * place the results is not allowed.
937 */
938 if (kern_flags && !set_kern_flags)
939 return -EINVAL;
940
c9180a57 941 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 942 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 943
094f7b69 944 /* if fs is reusing a sb, make sure that the contexts match */
3815a245
BF		 945 if (newsbsec->flags & SE_SBINITIALIZED) {
946 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 948 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 949 }
5a552617 950
c9180a57
EP		 951 mutex_lock(&newsbsec->lock);
952
953 newsbsec->flags = oldsbsec->flags;
954
955 newsbsec->sid = oldsbsec->sid;
956 newsbsec->def_sid = oldsbsec->def_sid;
957 newsbsec->behavior = oldsbsec->behavior;
958
0b4d3452
SM		 959 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
960 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 961 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 962 if (rc)
963 goto out;
964 }
965
966 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
967 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
968 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
969 }
970
c9180a57
EP		 971 if (set_context) {
972 u32 sid = oldsbsec->mntpoint_sid;
973
974 if (!set_fscontext)
975 newsbsec->sid = sid;
976 if (!set_rootcontext) {
83da53c5 977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 978 newisec->sid = sid;
979 }
980 newsbsec->mntpoint_sid = sid;
1da177e4 981 }
c9180a57 982 if (set_rootcontext) {
83da53c5
AG		 983 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
984 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 985
c9180a57 986 newisec->sid = oldisec->sid;
1da177e4
LT		 987 }
988
c9180a57 989 sb_finish_set_opts(newsb);
0b4d3452 990out:
c9180a57 991 mutex_unlock(&newsbsec->lock);
0b4d3452 992 return rc;
c9180a57
EP		 993}
994
ba641862 995static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 996{
ba641862 997 struct selinux_mnt_opts *opts = *mnt_opts;
1da177e4 998
da3d76ab 999 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef 1000 return 0;
e0007529 1001
ba641862
AV		 1002 if (!opts) {
1003 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1004 if (!opts)
1005 return -ENOMEM;
1006 *mnt_opts = opts;
c9180a57 1007 }
ba641862
AV		 1008 if (!s)
1009 return -ENOMEM;
1010 switch (token) {
1011 case Opt_context:
1012 if (opts->context || opts->defcontext)
1013 goto Einval;
1014 opts->context = s;
1015 break;
1016 case Opt_fscontext:
1017 if (opts->fscontext)
1018 goto Einval;
1019 opts->fscontext = s;
1020 break;
1021 case Opt_rootcontext:
1022 if (opts->rootcontext)
1023 goto Einval;
1024 opts->rootcontext = s;
1025 break;
1026 case Opt_defcontext:
1027 if (opts->context || opts->defcontext)
1028 goto Einval;
1029 opts->defcontext = s;
1030 break;
c9180a57 1031 }
e0007529 1032 return 0;
ba641862
AV		 1033Einval:
1034 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1035 return -EINVAL;
1da177e4 1036}
e0007529 1037
757cbe59
AV		 1038static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1039 void **mnt_opts)
c9180a57 1040{
757cbe59
AV		 1041 int token = Opt_error;
1042 int rc, i;
e0007529 1043
757cbe59
AV		 1044 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1045 if (strcmp(option, tokens[i].name) == 0) {
1046 token = tokens[i].opt;
1047 break;
169d68ef 1048 }
757cbe59 1049 }
e0007529 1050
757cbe59
AV		 1051 if (token == Opt_error)
1052 return -EINVAL;
e0007529 1053
e2e0e097 1054 if (token != Opt_seclabel) {
757cbe59 1055 val = kmemdup_nul(val, len, GFP_KERNEL);
e2e0e097
GZ		 1056 if (!val) {
1057 rc = -ENOMEM;
1058 goto free_opt;
1059 }
1060 }
757cbe59
AV		 1061 rc = selinux_add_opt(token, val, mnt_opts);
1062 if (unlikely(rc)) {
1063 kfree(val);
e2e0e097
GZ		 1064 goto free_opt;
1065 }
1066 return rc;
1067
1068free_opt:
1069 if (*mnt_opts) {
1070 selinux_free_mnt_opts(*mnt_opts);
1071 *mnt_opts = NULL;
1da177e4 1072 }
e0007529
EP		 1073 return rc;
1074}
1da177e4 1075
e3489f89 1076static int show_sid(struct seq_file *m, u32 sid)
2069f457 1077{
e3489f89
AV		 1078 char *context = NULL;
1079 u32 len;
1080 int rc;
11689d47 1081
e3489f89
AV		 1082 rc = security_sid_to_context(&selinux_state, sid,
1083 &context, &len);
1084 if (!rc) {
1085 bool has_comma = context && strchr(context, ',');
2069f457 1086
442155c1 1087 seq_putc(m, '=');
2069f457
EP		 1088 if (has_comma)
1089 seq_putc(m, '\"');
e3489f89 1090 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1091 if (has_comma)
1092 seq_putc(m, '\"');
1093 }
e3489f89
AV		 1094 kfree(context);
1095 return rc;
2069f457
EP		 1096}
1097
1098static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1099{
e3489f89 1100 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1101 int rc;
1102
e3489f89
AV		 1103 if (!(sbsec->flags & SE_SBINITIALIZED))
1104 return 0;
2069f457 1105
e3489f89
AV		 1106 if (!selinux_state.initialized)
1107 return 0;
2069f457 1108
e3489f89
AV		 1109 if (sbsec->flags & FSCONTEXT_MNT) {
1110 seq_putc(m, ',');
1111 seq_puts(m, FSCONTEXT_STR);
1112 rc = show_sid(m, sbsec->sid);
1113 if (rc)
1114 return rc;
1115 }
1116 if (sbsec->flags & CONTEXT_MNT) {
1117 seq_putc(m, ',');
1118 seq_puts(m, CONTEXT_STR);
1119 rc = show_sid(m, sbsec->mntpoint_sid);
1120 if (rc)
1121 return rc;
1122 }
1123 if (sbsec->flags & DEFCONTEXT_MNT) {
1124 seq_putc(m, ',');
1125 seq_puts(m, DEFCONTEXT_STR);
1126 rc = show_sid(m, sbsec->def_sid);
1127 if (rc)
1128 return rc;
1129 }
1130 if (sbsec->flags & ROOTCONTEXT_MNT) {
1131 struct dentry *root = sbsec->sb->s_root;
1132 struct inode_security_struct *isec = backing_inode_security(root);
1133 seq_putc(m, ',');
1134 seq_puts(m, ROOTCONTEXT_STR);
1135 rc = show_sid(m, isec->sid);
1136 if (rc)
1137 return rc;
1138 }
1139 if (sbsec->flags & SBLABEL_MNT) {
1140 seq_putc(m, ',');
442155c1 1141 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1142 }
1143 return 0;
2069f457
EP		 1144}
1145
1da177e4
LT		 1146static inline u16 inode_mode_to_security_class(umode_t mode)
1147{
1148 switch (mode & S_IFMT) {
1149 case S_IFSOCK:
1150 return SECCLASS_SOCK_FILE;
1151 case S_IFLNK:
1152 return SECCLASS_LNK_FILE;
1153 case S_IFREG:
1154 return SECCLASS_FILE;
1155 case S_IFBLK:
1156 return SECCLASS_BLK_FILE;
1157 case S_IFDIR:
1158 return SECCLASS_DIR;
1159 case S_IFCHR:
1160 return SECCLASS_CHR_FILE;
1161 case S_IFIFO:
1162 return SECCLASS_FIFO_FILE;
1163
1164 }
1165
1166 return SECCLASS_FILE;
1167}
1168
13402580
JM		 1169static inline int default_protocol_stream(int protocol)
1170{
1171 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1172}
1173
1174static inline int default_protocol_dgram(int protocol)
1175{
1176 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1177}
1178
1da177e4
LT		 1179static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1180{
aa8e712c 1181 int extsockclass = selinux_policycap_extsockclass();
da69a530 1182
1da177e4
LT		 1183 switch (family) {
1184 case PF_UNIX:
1185 switch (type) {
1186 case SOCK_STREAM:
1187 case SOCK_SEQPACKET:
1188 return SECCLASS_UNIX_STREAM_SOCKET;
1189 case SOCK_DGRAM:
2a764b52 1190 case SOCK_RAW:
1da177e4
LT		 1191 return SECCLASS_UNIX_DGRAM_SOCKET;
1192 }
1193 break;
1194 case PF_INET:
1195 case PF_INET6:
1196 switch (type) {
1197 case SOCK_STREAM:
da69a530 1198 case SOCK_SEQPACKET:
13402580
JM		 1199 if (default_protocol_stream(protocol))
1200 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1201 else if (extsockclass && protocol == IPPROTO_SCTP)
1202 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1203 else
1204 return SECCLASS_RAWIP_SOCKET;
1da177e4 1205 case SOCK_DGRAM:
13402580
JM		 1206 if (default_protocol_dgram(protocol))
1207 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1208 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1209 protocol == IPPROTO_ICMPV6))
da69a530 1210 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1211 else
1212 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1213 case SOCK_DCCP:
1214 return SECCLASS_DCCP_SOCKET;
13402580 1215 default:
1da177e4
LT		 1216 return SECCLASS_RAWIP_SOCKET;
1217 }
1218 break;
1219 case PF_NETLINK:
1220 switch (protocol) {
1221 case NETLINK_ROUTE:
1222 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1223 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1224 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1225 case NETLINK_NFLOG:
1226 return SECCLASS_NETLINK_NFLOG_SOCKET;
1227 case NETLINK_XFRM:
1228 return SECCLASS_NETLINK_XFRM_SOCKET;
1229 case NETLINK_SELINUX:
1230 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1231 case NETLINK_ISCSI:
1232 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1233 case NETLINK_AUDIT:
1234 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1235 case NETLINK_FIB_LOOKUP:
1236 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1237 case NETLINK_CONNECTOR:
1238 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1239 case NETLINK_NETFILTER:
1240 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1241 case NETLINK_DNRTMSG:
1242 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1243 case NETLINK_KOBJECT_UEVENT:
1244 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1245 case NETLINK_GENERIC:
1246 return SECCLASS_NETLINK_GENERIC_SOCKET;
1247 case NETLINK_SCSITRANSPORT:
1248 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1249 case NETLINK_RDMA:
1250 return SECCLASS_NETLINK_RDMA_SOCKET;
1251 case NETLINK_CRYPTO:
1252 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1253 default:
1254 return SECCLASS_NETLINK_SOCKET;
1255 }
1256 case PF_PACKET:
1257 return SECCLASS_PACKET_SOCKET;
1258 case PF_KEY:
1259 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1260 case PF_APPLETALK:
1261 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1262 }
1263
da69a530
SS		 1264 if (extsockclass) {
1265 switch (family) {
1266 case PF_AX25:
1267 return SECCLASS_AX25_SOCKET;
1268 case PF_IPX:
1269 return SECCLASS_IPX_SOCKET;
1270 case PF_NETROM:
1271 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1272 case PF_ATMPVC:
1273 return SECCLASS_ATMPVC_SOCKET;
1274 case PF_X25:
1275 return SECCLASS_X25_SOCKET;
1276 case PF_ROSE:
1277 return SECCLASS_ROSE_SOCKET;
1278 case PF_DECnet:
1279 return SECCLASS_DECNET_SOCKET;
1280 case PF_ATMSVC:
1281 return SECCLASS_ATMSVC_SOCKET;
1282 case PF_RDS:
1283 return SECCLASS_RDS_SOCKET;
1284 case PF_IRDA:
1285 return SECCLASS_IRDA_SOCKET;
1286 case PF_PPPOX:
1287 return SECCLASS_PPPOX_SOCKET;
1288 case PF_LLC:
1289 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1290 case PF_CAN:
1291 return SECCLASS_CAN_SOCKET;
1292 case PF_TIPC:
1293 return SECCLASS_TIPC_SOCKET;
1294 case PF_BLUETOOTH:
1295 return SECCLASS_BLUETOOTH_SOCKET;
1296 case PF_IUCV:
1297 return SECCLASS_IUCV_SOCKET;
1298 case PF_RXRPC:
1299 return SECCLASS_RXRPC_SOCKET;
1300 case PF_ISDN:
1301 return SECCLASS_ISDN_SOCKET;
1302 case PF_PHONET:
1303 return SECCLASS_PHONET_SOCKET;
1304 case PF_IEEE802154:
1305 return SECCLASS_IEEE802154_SOCKET;
1306 case PF_CAIF:
1307 return SECCLASS_CAIF_SOCKET;
1308 case PF_ALG:
1309 return SECCLASS_ALG_SOCKET;
1310 case PF_NFC:
1311 return SECCLASS_NFC_SOCKET;
1312 case PF_VSOCK:
1313 return SECCLASS_VSOCK_SOCKET;
1314 case PF_KCM:
1315 return SECCLASS_KCM_SOCKET;
1316 case PF_QIPCRTR:
1317 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1318 case PF_SMC:
1319 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1320 case PF_XDP:
1321 return SECCLASS_XDP_SOCKET;
1322#if PF_MAX > 45
da69a530
SS		 1323#error New address family defined, please update this function.
1324#endif
1325 }
1326 }
1327
1da177e4
LT		 1328 return SECCLASS_SOCKET;
1329}
1330
134509d5
SS		 1331static int selinux_genfs_get_sid(struct dentry *dentry,
1332 u16 tclass,
1333 u16 flags,
1334 u32 *sid)
1da177e4 1335{
8e6c9693 1336 int rc;
fc64005c 1337 struct super_block *sb = dentry->d_sb;
8e6c9693 1338 char *buffer, *path;
1da177e4 1339
828dfe1d 1340 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1341 if (!buffer)
1342 return -ENOMEM;
1343
8e6c9693
LAG		 1344 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1345 if (IS_ERR(path))
1346 rc = PTR_ERR(path);
1347 else {
134509d5
SS		 1348 if (flags & SE_SBPROC) {
1349 /* each process gets a /proc/PID/ entry. Strip off the
1350 * PID part to get a valid selinux labeling.
1351 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1352 while (path[1] >= '0' && path[1] <= '9') {
1353 path[1] = '/';
1354 path++;
1355 }
8e6c9693 1356 }
aa8e712c
SS		 1357 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1358 path, tclass, sid);
7bb185ed
SS		 1359 if (rc == -ENOENT) {
1360 /* No match in policy, mark as unlabeled. */
1361 *sid = SECINITSID_UNLABELED;
1362 rc = 0;
1363 }
1da177e4 1364 }
1da177e4
LT		 1365 free_page((unsigned long)buffer);
1366 return rc;
1367}
1da177e4 1368
b754026b
OM		 1369static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1370 u32 def_sid, u32 *sid)
1371{
1372#define INITCONTEXTLEN 255
1373 char *context;
1374 unsigned int len;
1375 int rc;
1376
1377 len = INITCONTEXTLEN;
1378 context = kmalloc(len + 1, GFP_NOFS);
1379 if (!context)
1380 return -ENOMEM;
1381
1382 context[len] = '\0';
1383 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1384 if (rc == -ERANGE) {
1385 kfree(context);
1386
1387 /* Need a larger buffer. Query for the right size. */
1388 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1389 if (rc < 0)
1390 return rc;
1391
1392 len = rc;
1393 context = kmalloc(len + 1, GFP_NOFS);
1394 if (!context)
1395 return -ENOMEM;
1396
1397 context[len] = '\0';
1398 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1399 context, len);
1400 }
1401 if (rc < 0) {
1402 kfree(context);
1403 if (rc != -ENODATA) {
1404 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1405 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1406 return rc;
1407 }
1408 *sid = def_sid;
1409 return 0;
1410 }
1411
1412 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1413 def_sid, GFP_NOFS);
1414 if (rc) {
1415 char *dev = inode->i_sb->s_id;
1416 unsigned long ino = inode->i_ino;
1417
1418 if (rc == -EINVAL) {
1419 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1420 ino, dev, context);
1421 } else {
1422 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1423 __func__, context, -rc, dev, ino);
1424 }
1425 }
1426 kfree(context);
1427 return 0;
1428}
1429
1da177e4
LT		 1430/* The inode's security attributes must be initialized before first use. */
1431static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1432{
1433 struct superblock_security_struct *sbsec = NULL;
80788c22 1434 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1435 u32 task_sid, sid = 0;
1436 u16 sclass;
1da177e4 1437 struct dentry *dentry;
1da177e4 1438 int rc = 0;
1da177e4 1439
6f3be9f5 1440 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1441 return 0;
1da177e4 1442
9287aed2 1443 spin_lock(&isec->lock);
6f3be9f5 1444 if (isec->initialized == LABEL_INITIALIZED)
23970741 1445 goto out_unlock;
1da177e4 1446
13457d07
AG		 1447 if (isec->sclass == SECCLASS_FILE)
1448 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1449
1da177e4 1450 sbsec = inode->i_sb->s_security;
0d90a7ec 1451 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1452 /* Defer initialization until selinux_complete_init,
1453 after the initial policy is loaded and the security
1454 server is ready to handle calls. */
1455 spin_lock(&sbsec->isec_lock);
1456 if (list_empty(&isec->list))
1457 list_add(&isec->list, &sbsec->isec_head);
1458 spin_unlock(&sbsec->isec_lock);
23970741 1459 goto out_unlock;
1da177e4
LT		 1460 }
1461
9287aed2
AG		 1462 sclass = isec->sclass;
1463 task_sid = isec->task_sid;
1464 sid = isec->sid;
1465 isec->initialized = LABEL_PENDING;
1466 spin_unlock(&isec->lock);
1467
1da177e4 1468 switch (sbsec->behavior) {
eb9ae686
DQ		 1469 case SECURITY_FS_USE_NATIVE:
1470 break;
1da177e4 1471 case SECURITY_FS_USE_XATTR:
5d6c3191 1472 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1473 sid = sbsec->def_sid;
1da177e4
LT		 1474 break;
1475 }
1da177e4
LT		 1476 /* Need a dentry, since the xattr API requires one.
1477 Life would be simpler if we could just pass the inode. */
1478 if (opt_dentry) {
1479 /* Called from d_instantiate or d_splice_alias. */
1480 dentry = dget(opt_dentry);
1481 } else {
b127125d
AV		 1482 /*
1483 * Called from selinux_complete_init, try to find a dentry.
1484 * Some filesystems really want a connected one, so try
1485 * that first. We could split SECURITY_FS_USE_XATTR in
1486 * two, depending upon that...
1487 */
1da177e4 1488 dentry = d_find_alias(inode);
b127125d
AV		 1489 if (!dentry)
1490 dentry = d_find_any_alias(inode);
1da177e4
LT		 1491 }
1492 if (!dentry) {
df7f54c0
EP		 1493 /*
1494 * this is can be hit on boot when a file is accessed
1495 * before the policy is loaded. When we load policy we
1496 * may find inodes that have no dentry on the
1497 * sbsec->isec_head list. No reason to complain as these
1498 * will get fixed up the next time we go through
1499 * inode_doinit with a dentry, before these inodes could
1500 * be used again by userspace.
1501 */
9287aed2 1502 goto out;
1da177e4
LT		 1503 }
1504
b754026b
OM		 1505 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1506 &sid);
1da177e4 1507 dput(dentry);
b754026b
OM		 1508 if (rc)
1509 goto out;
1da177e4
LT		 1510 break;
1511 case SECURITY_FS_USE_TASK:
9287aed2 1512 sid = task_sid;
1da177e4
LT		 1513 break;
1514 case SECURITY_FS_USE_TRANS:
1515 /* Default to the fs SID. */
9287aed2 1516 sid = sbsec->sid;
1da177e4
LT		 1517
1518 /* Try to obtain a transition SID. */
aa8e712c
SS		 1519 rc = security_transition_sid(&selinux_state, task_sid, sid,
1520 sclass, NULL, &sid);
1da177e4 1521 if (rc)
9287aed2 1522 goto out;
1da177e4 1523 break;
c312feb2 1524 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1525 sid = sbsec->mntpoint_sid;
c312feb2 1526 break;
1da177e4 1527 default:
c312feb2 1528 /* Default to the fs superblock SID. */
9287aed2 1529 sid = sbsec->sid;
1da177e4 1530
134509d5 1531 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1532 /* We must have a dentry to determine the label on
1533 * procfs inodes */
b127125d 1534 if (opt_dentry) {
f64410ec
PM		 1535 /* Called from d_instantiate or
1536 * d_splice_alias. */
1537 dentry = dget(opt_dentry);
b127125d 1538 } else {
f64410ec 1539 /* Called from selinux_complete_init, try to
b127125d
AV		 1540 * find a dentry. Some filesystems really want
1541 * a connected one, so try that first.
1542 */
f64410ec 1543 dentry = d_find_alias(inode);
b127125d
AV		 1544 if (!dentry)
1545 dentry = d_find_any_alias(inode);
1546 }
f64410ec
PM		 1547 /*
1548 * This can be hit on boot when a file is accessed
1549 * before the policy is loaded. When we load policy we
1550 * may find inodes that have no dentry on the
1551 * sbsec->isec_head list. No reason to complain as
1552 * these will get fixed up the next time we go through
1553 * inode_doinit() with a dentry, before these inodes
1554 * could be used again by userspace.
1555 */
1556 if (!dentry)
9287aed2
AG		 1557 goto out;
1558 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1559 sbsec->flags, &sid);
b754026b
OM		 1560 if (rc) {
1561 dput(dentry);
9287aed2 1562 goto out;
b754026b
OM		 1563 }
1564
1565 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1566 (inode->i_opflags & IOP_XATTR)) {
1567 rc = inode_doinit_use_xattr(inode, dentry,
1568 sid, &sid);
1569 if (rc) {
1570 dput(dentry);
1571 goto out;
1572 }
1573 }
1574 dput(dentry);
1da177e4
LT		 1575 }
1576 break;
1577 }
1578
9287aed2
AG		 1579out:
1580 spin_lock(&isec->lock);
1581 if (isec->initialized == LABEL_PENDING) {
1582 if (!sid || rc) {
1583 isec->initialized = LABEL_INVALID;
1584 goto out_unlock;
1585 }
1586
1587 isec->initialized = LABEL_INITIALIZED;
1588 isec->sid = sid;
1589 }
1da177e4 1590
23970741 1591out_unlock:
9287aed2 1592 spin_unlock(&isec->lock);
1da177e4
LT		 1593 return rc;
1594}
1595
1596/* Convert a Linux signal to an access vector. */
1597static inline u32 signal_to_av(int sig)
1598{
1599 u32 perm = 0;
1600
1601 switch (sig) {
1602 case SIGCHLD:
1603 /* Commonly granted from child to parent. */
1604 perm = PROCESS__SIGCHLD;
1605 break;
1606 case SIGKILL:
1607 /* Cannot be caught or ignored */
1608 perm = PROCESS__SIGKILL;
1609 break;
1610 case SIGSTOP:
1611 /* Cannot be caught or ignored */
1612 perm = PROCESS__SIGSTOP;
1613 break;
1614 default:
1615 /* All other signals. */
1616 perm = PROCESS__SIGNAL;
1617 break;
1618 }
1619
1620 return perm;
1621}
1622
b68e418c
SS		 1623#if CAP_LAST_CAP > 63
1624#error Fix SELinux to handle capabilities > 63.
1625#endif
1626
1da177e4 1627/* Check whether a task is allowed to use a capability. */
6a9de491 1628static int cred_has_capability(const struct cred *cred,
c1a85a00 1629 int cap, unsigned int opts, bool initns)
1da177e4 1630{
2bf49690 1631 struct common_audit_data ad;
06112163 1632 struct av_decision avd;
b68e418c 1633 u16 sclass;
3699c53c 1634 u32 sid = cred_sid(cred);
b68e418c 1635 u32 av = CAP_TO_MASK(cap);
06112163 1636 int rc;
1da177e4 1637
50c205f5 1638 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1639 ad.u.cap = cap;
1640
b68e418c
SS		 1641 switch (CAP_TO_INDEX(cap)) {
1642 case 0:
8e4ff6f2 1643 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1644 break;
1645 case 1:
8e4ff6f2 1646 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1647 break;
1648 default:
c103a91e 1649 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1650 BUG();
a35c6c83 1651 return -EINVAL;
b68e418c 1652 }
06112163 1653
6b6bc620
SS		 1654 rc = avc_has_perm_noaudit(&selinux_state,
1655 sid, sid, sclass, av, 0, &avd);
c1a85a00 1656 if (!(opts & CAP_OPT_NOAUDIT)) {
6b6bc620
SS		 1657 int rc2 = avc_audit(&selinux_state,
1658 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1659 if (rc2)
1660 return rc2;
1661 }
06112163 1662 return rc;
1da177e4
LT		 1663}
1664
1da177e4
LT		 1665/* Check whether a task has a particular permission to an inode.
1666 The 'adp' parameter is optional and allows other audit
1667 data to be passed (e.g. the dentry). */
88e67f3b 1668static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1669 struct inode *inode,
1670 u32 perms,
19e49834 1671 struct common_audit_data *adp)
1da177e4 1672{
1da177e4 1673 struct inode_security_struct *isec;
275bb41e 1674 u32 sid;
1da177e4 1675
e0e81739
DH		 1676 validate_creds(cred);
1677
828dfe1d 1678 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1679 return 0;
1680
88e67f3b 1681 sid = cred_sid(cred);
80788c22 1682 isec = selinux_inode(inode);
1da177e4 1683
6b6bc620
SS		 1684 return avc_has_perm(&selinux_state,
1685 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1686}
1687
1688/* Same as inode_has_perm, but pass explicit audit data containing
1689 the dentry to help the auditing code to more easily generate the
1690 pathname if needed. */
88e67f3b 1691static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1692 struct dentry *dentry,
1693 u32 av)
1694{
c6f493d6 1695 struct inode *inode = d_backing_inode(dentry);
2bf49690 1696 struct common_audit_data ad;
88e67f3b 1697
50c205f5 1698 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1699 ad.u.dentry = dentry;
5d226df4 1700 __inode_security_revalidate(inode, dentry, true);
19e49834 1701 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1702}
1703
1704/* Same as inode_has_perm, but pass explicit audit data containing
1705 the path to help the auditing code to more easily generate the
1706 pathname if needed. */
1707static inline int path_has_perm(const struct cred *cred,
3f7036a0 1708 const struct path *path,
2875fa00
EP		 1709 u32 av)
1710{
c6f493d6 1711 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1712 struct common_audit_data ad;
1713
50c205f5 1714 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1715 ad.u.path = *path;
5d226df4 1716 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1717 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1718}
1719
13f8e981
DH		 1720/* Same as path_has_perm, but uses the inode from the file struct. */
1721static inline int file_path_has_perm(const struct cred *cred,
1722 struct file *file,
1723 u32 av)
1724{
1725 struct common_audit_data ad;
1726
43af5de7
VG		 1727 ad.type = LSM_AUDIT_DATA_FILE;
1728 ad.u.file = file;
19e49834 1729 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1730}
1731
f66e448c
CF		 1732#ifdef CONFIG_BPF_SYSCALL
1733static int bpf_fd_pass(struct file *file, u32 sid);
1734#endif
1735
1da177e4
LT		 1736/* Check whether a task can use an open file descriptor to
1737 access an inode in a given way. Check access to the
1738 descriptor itself, and then use dentry_has_perm to
1739 check a particular permission to the file.
1740 Access to the descriptor is implicitly granted if it
1741 has the same SID as the process. If av is zero, then
1742 access to the file is not checked, e.g. for cases
1743 where only the descriptor is affected like seek. */
88e67f3b
DH		 1744static int file_has_perm(const struct cred *cred,
1745 struct file *file,
1746 u32 av)
1da177e4 1747{
bb6c6b02 1748 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1749 struct inode *inode = file_inode(file);
2bf49690 1750 struct common_audit_data ad;
88e67f3b 1751 u32 sid = cred_sid(cred);
1da177e4
LT		 1752 int rc;
1753
43af5de7
VG		 1754 ad.type = LSM_AUDIT_DATA_FILE;
1755 ad.u.file = file;
1da177e4 1756
275bb41e 1757 if (sid != fsec->sid) {
6b6bc620
SS		 1758 rc = avc_has_perm(&selinux_state,
1759 sid, fsec->sid,
1da177e4
LT		 1760 SECCLASS_FD,
1761 FD__USE,
1762 &ad);
1763 if (rc)
88e67f3b 1764 goto out;
1da177e4
LT		 1765 }
1766
f66e448c
CF		 1767#ifdef CONFIG_BPF_SYSCALL
1768 rc = bpf_fd_pass(file, cred_sid(cred));
1769 if (rc)
1770 return rc;
1771#endif
1772
1da177e4 1773 /* av is zero if only checking access to the descriptor. */
88e67f3b 1774 rc = 0;
1da177e4 1775 if (av)
19e49834 1776 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1777
88e67f3b
DH		 1778out:
1779 return rc;
1da177e4
LT		 1780}
1781
c3c188b2
DH		 1782/*
1783 * Determine the label for an inode that might be unioned.
1784 */
c957f6df
VG		 1785static int
1786selinux_determine_inode_label(const struct task_security_struct *tsec,
1787 struct inode *dir,
1788 const struct qstr *name, u16 tclass,
1789 u32 *_new_isid)
c3c188b2
DH		 1790{
1791 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1792
1793 if ((sbsec->flags & SE_SBINITIALIZED) &&
1794 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1795 *_new_isid = sbsec->mntpoint_sid;
1796 } else if ((sbsec->flags & SBLABEL_MNT) &&
1797 tsec->create_sid) {
1798 *_new_isid = tsec->create_sid;
1799 } else {
20cdef8d 1800 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1801 return security_transition_sid(&selinux_state, tsec->sid,
1802 dsec->sid, tclass,
c3c188b2
DH		 1803 name, _new_isid);
1804 }
1805
1806 return 0;
1807}
1808
1da177e4
LT		 1809/* Check whether a task can create a file. */
1810static int may_create(struct inode *dir,
1811 struct dentry *dentry,
1812 u16 tclass)
1813{
0c6cfa62 1814 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1815 struct inode_security_struct *dsec;
1816 struct superblock_security_struct *sbsec;
275bb41e 1817 u32 sid, newsid;
2bf49690 1818 struct common_audit_data ad;
1da177e4
LT		 1819 int rc;
1820
83da53c5 1821 dsec = inode_security(dir);
1da177e4
LT		 1822 sbsec = dir->i_sb->s_security;
1823
275bb41e 1824 sid = tsec->sid;
275bb41e 1825
50c205f5 1826 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1827 ad.u.dentry = dentry;
1da177e4 1828
6b6bc620
SS		 1829 rc = avc_has_perm(&selinux_state,
1830 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1831 DIR__ADD_NAME | DIR__SEARCH,
1832 &ad);
1833 if (rc)
1834 return rc;
1835
0c6cfa62 1836 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
c957f6df 1837 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1838 if (rc)
1839 return rc;
1da177e4 1840
6b6bc620
SS		 1841 rc = avc_has_perm(&selinux_state,
1842 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1843 if (rc)
1844 return rc;
1845
6b6bc620
SS		 1846 return avc_has_perm(&selinux_state,
1847 newsid, sbsec->sid,
1da177e4
LT		 1848 SECCLASS_FILESYSTEM,
1849 FILESYSTEM__ASSOCIATE, &ad);
1850}
1851
828dfe1d
EP		 1852#define MAY_LINK 0
1853#define MAY_UNLINK 1
1854#define MAY_RMDIR 2
1da177e4
LT		 1855
1856/* Check whether a task can link, unlink, or rmdir a file/directory. */
1857static int may_link(struct inode *dir,
1858 struct dentry *dentry,
1859 int kind)
1860
1861{
1da177e4 1862 struct inode_security_struct *dsec, *isec;
2bf49690 1863 struct common_audit_data ad;
275bb41e 1864 u32 sid = current_sid();
1da177e4
LT		 1865 u32 av;
1866 int rc;
1867
83da53c5
AG		 1868 dsec = inode_security(dir);
1869 isec = backing_inode_security(dentry);
1da177e4 1870
50c205f5 1871 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1872 ad.u.dentry = dentry;
1da177e4
LT		 1873
1874 av = DIR__SEARCH;
1875 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1876 rc = avc_has_perm(&selinux_state,
1877 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1878 if (rc)
1879 return rc;
1880
1881 switch (kind) {
1882 case MAY_LINK:
1883 av = FILE__LINK;
1884 break;
1885 case MAY_UNLINK:
1886 av = FILE__UNLINK;
1887 break;
1888 case MAY_RMDIR:
1889 av = DIR__RMDIR;
1890 break;
1891 default:
c103a91e 1892 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1893 __func__, kind);
1da177e4
LT		 1894 return 0;
1895 }
1896
6b6bc620
SS		 1897 rc = avc_has_perm(&selinux_state,
1898 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1899 return rc;
1900}
1901
1902static inline int may_rename(struct inode *old_dir,
1903 struct dentry *old_dentry,
1904 struct inode *new_dir,
1905 struct dentry *new_dentry)
1906{
1da177e4 1907 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1908 struct common_audit_data ad;
275bb41e 1909 u32 sid = current_sid();
1da177e4
LT		 1910 u32 av;
1911 int old_is_dir, new_is_dir;
1912 int rc;
1913
83da53c5
AG		 1914 old_dsec = inode_security(old_dir);
1915 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1916 old_is_dir = d_is_dir(old_dentry);
83da53c5 1917 new_dsec = inode_security(new_dir);
1da177e4 1918
50c205f5 1919 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1920
a269434d 1921 ad.u.dentry = old_dentry;
6b6bc620
SS		 1922 rc = avc_has_perm(&selinux_state,
1923 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1924 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1925 if (rc)
1926 return rc;
6b6bc620
SS		 1927 rc = avc_has_perm(&selinux_state,
1928 sid, old_isec->sid,
1da177e4
LT		 1929 old_isec->sclass, FILE__RENAME, &ad);
1930 if (rc)
1931 return rc;
1932 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1933 rc = avc_has_perm(&selinux_state,
1934 sid, old_isec->sid,
1da177e4
LT		 1935 old_isec->sclass, DIR__REPARENT, &ad);
1936 if (rc)
1937 return rc;
1938 }
1939
a269434d 1940 ad.u.dentry = new_dentry;
1da177e4 1941 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1942 if (d_is_positive(new_dentry))
1da177e4 1943 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1944 rc = avc_has_perm(&selinux_state,
1945 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1946 if (rc)
1947 return rc;
2c616d4d 1948 if (d_is_positive(new_dentry)) {
83da53c5 1949 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1950 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1951 rc = avc_has_perm(&selinux_state,
1952 sid, new_isec->sid,
1da177e4
LT		 1953 new_isec->sclass,
1954 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1955 if (rc)
1956 return rc;
1957 }
1958
1959 return 0;
1960}
1961
1962/* Check whether a task can perform a filesystem operation. */
88e67f3b 1963static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1964 struct super_block *sb,
1965 u32 perms,
2bf49690 1966 struct common_audit_data *ad)
1da177e4 1967{
1da177e4 1968 struct superblock_security_struct *sbsec;
88e67f3b 1969 u32 sid = cred_sid(cred);
1da177e4 1970
1da177e4 1971 sbsec = sb->s_security;
6b6bc620
SS		 1972 return avc_has_perm(&selinux_state,
1973 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1974}
1975
1976/* Convert a Linux mode and permission mask to an access vector. */
1977static inline u32 file_mask_to_av(int mode, int mask)
1978{
1979 u32 av = 0;
1980
dba19c60 1981 if (!S_ISDIR(mode)) {
1da177e4
LT		 1982 if (mask & MAY_EXEC)
1983 av |= FILE__EXECUTE;
1984 if (mask & MAY_READ)
1985 av |= FILE__READ;
1986
1987 if (mask & MAY_APPEND)
1988 av |= FILE__APPEND;
1989 else if (mask & MAY_WRITE)
1990 av |= FILE__WRITE;
1991
1992 } else {
1993 if (mask & MAY_EXEC)
1994 av |= DIR__SEARCH;
1995 if (mask & MAY_WRITE)
1996 av |= DIR__WRITE;
1997 if (mask & MAY_READ)
1998 av |= DIR__READ;
1999 }
2000
2001 return av;
2002}
2003
8b6a5a37
EP		 2004/* Convert a Linux file to an access vector. */
2005static inline u32 file_to_av(struct file *file)
2006{
2007 u32 av = 0;
2008
2009 if (file->f_mode & FMODE_READ)
2010 av |= FILE__READ;
2011 if (file->f_mode & FMODE_WRITE) {
2012 if (file->f_flags & O_APPEND)
2013 av |= FILE__APPEND;
2014 else
2015 av |= FILE__WRITE;
2016 }
2017 if (!av) {
2018 /*
2019 * Special file opened with flags 3 for ioctl-only use.
2020 */
2021 av = FILE__IOCTL;
2022 }
2023
2024 return av;
2025}
2026
b0c636b9 2027/*
8b6a5a37 2028 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2029 * open permission.
2030 */
8b6a5a37 2031static inline u32 open_file_to_av(struct file *file)
b0c636b9 2032{
8b6a5a37 2033 u32 av = file_to_av(file);
ccb54478 2034 struct inode *inode = file_inode(file);
b0c636b9 2035
aa8e712c
SS		 2036 if (selinux_policycap_openperm() &&
2037 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2038 av |= FILE__OPEN;
2039
b0c636b9
EP		 2040 return av;
2041}
2042
1da177e4
LT		 2043/* Hook functions begin here. */
2044
79af7307
SS		 2045static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2046{
2047 u32 mysid = current_sid();
2048 u32 mgrsid = task_sid(mgr);
2049
6b6bc620
SS		 2050 return avc_has_perm(&selinux_state,
2051 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2052 BINDER__SET_CONTEXT_MGR, NULL);
2053}
2054
2055static int selinux_binder_transaction(struct task_struct *from,
2056 struct task_struct *to)
2057{
2058 u32 mysid = current_sid();
2059 u32 fromsid = task_sid(from);
2060 u32 tosid = task_sid(to);
2061 int rc;
2062
2063 if (mysid != fromsid) {
6b6bc620
SS		 2064 rc = avc_has_perm(&selinux_state,
2065 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2066 BINDER__IMPERSONATE, NULL);
2067 if (rc)
2068 return rc;
2069 }
2070
6b6bc620
SS		 2071 return avc_has_perm(&selinux_state,
2072 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2073 NULL);
2074}
2075
2076static int selinux_binder_transfer_binder(struct task_struct *from,
2077 struct task_struct *to)
2078{
2079 u32 fromsid = task_sid(from);
2080 u32 tosid = task_sid(to);
2081
6b6bc620
SS		 2082 return avc_has_perm(&selinux_state,
2083 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2084 NULL);
2085}
2086
2087static int selinux_binder_transfer_file(struct task_struct *from,
2088 struct task_struct *to,
2089 struct file *file)
2090{
2091 u32 sid = task_sid(to);
bb6c6b02 2092 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2093 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2094 struct inode_security_struct *isec;
79af7307
SS		 2095 struct common_audit_data ad;
2096 int rc;
2097
2098 ad.type = LSM_AUDIT_DATA_PATH;
2099 ad.u.path = file->f_path;
2100
2101 if (sid != fsec->sid) {
6b6bc620
SS		 2102 rc = avc_has_perm(&selinux_state,
2103 sid, fsec->sid,
79af7307
SS		 2104 SECCLASS_FD,
2105 FD__USE,
2106 &ad);
2107 if (rc)
2108 return rc;
2109 }
2110
f66e448c
CF		 2111#ifdef CONFIG_BPF_SYSCALL
2112 rc = bpf_fd_pass(file, sid);
2113 if (rc)
2114 return rc;
2115#endif
2116
83da53c5 2117 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2118 return 0;
2119
20cdef8d 2120 isec = backing_inode_security(dentry);
6b6bc620
SS		 2121 return avc_has_perm(&selinux_state,
2122 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2123 &ad);
2124}
2125
9e48858f 2126static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2127 unsigned int mode)
1da177e4 2128{
be0554c9
SS		 2129 u32 sid = current_sid();
2130 u32 csid = task_sid(child);
2131
2132 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2133 return avc_has_perm(&selinux_state,
2134 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2135
6b6bc620
SS		 2136 return avc_has_perm(&selinux_state,
2137 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2138}
2139
2140static int selinux_ptrace_traceme(struct task_struct *parent)
2141{
6b6bc620
SS		 2142 return avc_has_perm(&selinux_state,
2143 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2144 PROCESS__PTRACE, NULL);
1da177e4
LT		 2145}
2146
2147static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2148 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2149{
6b6bc620
SS		 2150 return avc_has_perm(&selinux_state,
2151 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2152 PROCESS__GETCAP, NULL);
1da177e4
LT		 2153}
2154
d84f4f99
DH		 2155static int selinux_capset(struct cred *new, const struct cred *old,
2156 const kernel_cap_t *effective,
2157 const kernel_cap_t *inheritable,
2158 const kernel_cap_t *permitted)
1da177e4 2159{
6b6bc620
SS		 2160 return avc_has_perm(&selinux_state,
2161 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2162 PROCESS__SETCAP, NULL);
1da177e4
LT		 2163}
2164
5626d3e8
JM		 2165/*
2166 * (This comment used to live with the selinux_task_setuid hook,
2167 * which was removed).
2168 *
2169 * Since setuid only affects the current process, and since the SELinux
2170 * controls are not based on the Linux identity attributes, SELinux does not
2171 * need to control this operation. However, SELinux does control the use of
2172 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2173 */
2174
6a9de491 2175static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2176 int cap, unsigned int opts)
1da177e4 2177{
c1a85a00 2178 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2179}
2180
1da177e4
LT		 2181static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2182{
88e67f3b 2183 const struct cred *cred = current_cred();
1da177e4
LT		 2184 int rc = 0;
2185
2186 if (!sb)
2187 return 0;
2188
2189 switch (cmds) {
828dfe1d
EP		 2190 case Q_SYNC:
2191 case Q_QUOTAON:
2192 case Q_QUOTAOFF:
2193 case Q_SETINFO:
2194 case Q_SETQUOTA:
88e67f3b 2195 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2196 break;
2197 case Q_GETFMT:
2198 case Q_GETINFO:
2199 case Q_GETQUOTA:
88e67f3b 2200 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2201 break;
2202 default:
2203 rc = 0; /* let the kernel handle invalid cmds */
2204 break;
1da177e4
LT		 2205 }
2206 return rc;
2207}
2208
2209static int selinux_quota_on(struct dentry *dentry)
2210{
88e67f3b
DH		 2211 const struct cred *cred = current_cred();
2212
2875fa00 2213 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2214}
2215
12b3052c 2216static int selinux_syslog(int type)
1da177e4 2217{
1da177e4 2218 switch (type) {
d78ca3cd
KC		 2219 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2220 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2221 return avc_has_perm(&selinux_state,
2222 current_sid(), SECINITSID_KERNEL,
be0554c9 2223 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2224 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2225 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2226 /* Set level of messages printed to console */
2227 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2228 return avc_has_perm(&selinux_state,
2229 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2230 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2231 NULL);
1da177e4 2232 }
be0554c9 2233 /* All other syslog types */
6b6bc620
SS		 2234 return avc_has_perm(&selinux_state,
2235 current_sid(), SECINITSID_KERNEL,
be0554c9 2236 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2237}
2238
2239/*
2240 * Check that a process has enough memory to allocate a new virtual
2241 * mapping. 0 means there is enough memory for the allocation to
2242 * succeed and -ENOMEM implies there is not.
2243 *
1da177e4
LT		 2244 * Do not audit the selinux permission check, as this is applied to all
2245 * processes that allocate mappings.
2246 */
34b4e4aa 2247static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2248{
2249 int rc, cap_sys_admin = 0;
1da177e4 2250
b1d9e6b0 2251 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2252 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2253 if (rc == 0)
2254 cap_sys_admin = 1;
2255
b1d9e6b0 2256 return cap_sys_admin;
1da177e4
LT		 2257}
2258
2259/* binprm security operations */
2260
be0554c9 2261static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2262{
2263 u32 sid = 0;
2264 struct task_struct *tracer;
2265
2266 rcu_read_lock();
be0554c9 2267 tracer = ptrace_parent(current);
0c6181cb
PM		 2268 if (tracer)
2269 sid = task_sid(tracer);
2270 rcu_read_unlock();
2271
2272 return sid;
2273}
2274
7b0d0b40
SS		 2275static int check_nnp_nosuid(const struct linux_binprm *bprm,
2276 const struct task_security_struct *old_tsec,
2277 const struct task_security_struct *new_tsec)
2278{
2279 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2280 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2281 int rc;
af63f419 2282 u32 av;
7b0d0b40
SS		 2283
2284 if (!nnp && !nosuid)
2285 return 0; /* neither NNP nor nosuid */
2286
2287 if (new_tsec->sid == old_tsec->sid)
2288 return 0; /* No change in credentials */
2289
2290 /*
af63f419
SS		 2291 * If the policy enables the nnp_nosuid_transition policy capability,
2292 * then we permit transitions under NNP or nosuid if the
2293 * policy allows the corresponding permission between
2294 * the old and new contexts.
7b0d0b40 2295 */
aa8e712c 2296 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2297 av = 0;
7b0d0b40 2298 if (nnp)
af63f419
SS		 2299 av |= PROCESS2__NNP_TRANSITION;
2300 if (nosuid)
2301 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2302 rc = avc_has_perm(&selinux_state,
2303 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2304 SECCLASS_PROCESS2, av, NULL);
2305 if (!rc)
2306 return 0;
7b0d0b40 2307 }
af63f419
SS		 2308
2309 /*
2310 * We also permit NNP or nosuid transitions to bounded SIDs,
2311 * i.e. SIDs that are guaranteed to only be allowed a subset
2312 * of the permissions of the current SID.
2313 */
aa8e712c
SS		 2314 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2315 new_tsec->sid);
af63f419
SS		 2316 if (!rc)
2317 return 0;
2318
2319 /*
2320 * On failure, preserve the errno values for NNP vs nosuid.
2321 * NNP: Operation not permitted for caller.
2322 * nosuid: Permission denied to file.
2323 */
2324 if (nnp)
2325 return -EPERM;
2326 return -EACCES;
7b0d0b40
SS		 2327}
2328
a6f76f23 2329static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2330{
a6f76f23
DH		 2331 const struct task_security_struct *old_tsec;
2332 struct task_security_struct *new_tsec;
1da177e4 2333 struct inode_security_struct *isec;
2bf49690 2334 struct common_audit_data ad;
496ad9aa 2335 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2336 int rc;
2337
a6f76f23
DH		 2338 /* SELinux context only depends on initial program or script and not
2339 * the script interpreter */
ddb4a144 2340 if (bprm->called_set_creds)
1da177e4
LT		 2341 return 0;
2342
0c6cfa62
CS		 2343 old_tsec = selinux_cred(current_cred());
2344 new_tsec = selinux_cred(bprm->cred);
83da53c5 2345 isec = inode_security(inode);
1da177e4
LT		 2346
2347 /* Default to the current task SID. */
a6f76f23
DH		 2348 new_tsec->sid = old_tsec->sid;
2349 new_tsec->osid = old_tsec->sid;
1da177e4 2350
28eba5bf 2351 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2352 new_tsec->create_sid = 0;
2353 new_tsec->keycreate_sid = 0;
2354 new_tsec->sockcreate_sid = 0;
1da177e4 2355
a6f76f23
DH		 2356 if (old_tsec->exec_sid) {
2357 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2358 /* Reset exec SID on execve. */
a6f76f23 2359 new_tsec->exec_sid = 0;
259e5e6c 2360
7b0d0b40
SS		 2361 /* Fail on NNP or nosuid if not an allowed transition. */
2362 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2363 if (rc)
2364 return rc;
1da177e4
LT		 2365 } else {
2366 /* Check for a default transition on this program. */
aa8e712c
SS		 2367 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2368 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2369 &new_tsec->sid);
1da177e4
LT		 2370 if (rc)
2371 return rc;
7b0d0b40
SS		 2372
2373 /*
2374 * Fallback to old SID on NNP or nosuid if not an allowed
2375 * transition.
2376 */
2377 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2378 if (rc)
2379 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2380 }
2381
43af5de7
VG		 2382 ad.type = LSM_AUDIT_DATA_FILE;
2383 ad.u.file = bprm->file;
1da177e4 2384
a6f76f23 2385 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2386 rc = avc_has_perm(&selinux_state,
2387 old_tsec->sid, isec->sid,
1da177e4
LT		 2388 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2389 if (rc)
2390 return rc;
2391 } else {
2392 /* Check permissions for the transition. */
6b6bc620
SS		 2393 rc = avc_has_perm(&selinux_state,
2394 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2395 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2396 if (rc)
2397 return rc;
2398
6b6bc620
SS		 2399 rc = avc_has_perm(&selinux_state,
2400 new_tsec->sid, isec->sid,
1da177e4
LT		 2401 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2402 if (rc)
2403 return rc;
2404
a6f76f23
DH		 2405 /* Check for shared state */
2406 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2407 rc = avc_has_perm(&selinux_state,
2408 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2409 SECCLASS_PROCESS, PROCESS__SHARE,
2410 NULL);
2411 if (rc)
2412 return -EPERM;
2413 }
2414
2415 /* Make sure that anyone attempting to ptrace over a task that
2416 * changes its SID has the appropriate permit */
9227dd2a 2417 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2418 u32 ptsid = ptrace_parent_sid();
a6f76f23 2419 if (ptsid != 0) {
6b6bc620
SS		 2420 rc = avc_has_perm(&selinux_state,
2421 ptsid, new_tsec->sid,
a6f76f23
DH		 2422 SECCLASS_PROCESS,
2423 PROCESS__PTRACE, NULL);
2424 if (rc)
2425 return -EPERM;
2426 }
2427 }
1da177e4 2428
a6f76f23
DH		 2429 /* Clear any possibly unsafe personality bits on exec: */
2430 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2431
1da177e4
LT		 2432 /* Enable secure mode for SIDs transitions unless
2433 the noatsecure permission is granted between
2434 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2435 rc = avc_has_perm(&selinux_state,
2436 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2437 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2438 NULL);
2439 bprm->secureexec |= !!rc;
1da177e4
LT		 2440 }
2441
62874c3a 2442 return 0;
1da177e4
LT		 2443}
2444
c3c073f8
AV		 2445static int match_file(const void *p, struct file *file, unsigned fd)
2446{
2447 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2448}
2449
1da177e4 2450/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2451static inline void flush_unauthorized_files(const struct cred *cred,
2452 struct files_struct *files)
1da177e4 2453{
1da177e4 2454 struct file *file, *devnull = NULL;
b20c8122 2455 struct tty_struct *tty;
24ec839c 2456 int drop_tty = 0;
c3c073f8 2457 unsigned n;
1da177e4 2458
24ec839c 2459 tty = get_current_tty();
1da177e4 2460 if (tty) {
4a510969 2461 spin_lock(&tty->files_lock);
37dd0bd0 2462 if (!list_empty(&tty->tty_files)) {
d996b62a 2463 struct tty_file_private *file_priv;
37dd0bd0 2464
1da177e4 2465 /* Revalidate access to controlling tty.
13f8e981
DH		 2466 Use file_path_has_perm on the tty path directly
2467 rather than using file_has_perm, as this particular
2468 open file may belong to another process and we are
2469 only interested in the inode-based check here. */
d996b62a
NP		 2470 file_priv = list_first_entry(&tty->tty_files,
2471 struct tty_file_private, list);
2472 file = file_priv->file;
13f8e981 2473 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2474 drop_tty = 1;
1da177e4 2475 }
4a510969 2476 spin_unlock(&tty->files_lock);
452a00d2 2477 tty_kref_put(tty);
1da177e4 2478 }
98a27ba4
EB		 2479 /* Reset controlling tty. */
2480 if (drop_tty)
2481 no_tty();
1da177e4
LT		 2482
2483 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2484 n = iterate_fd(files, 0, match_file, cred);
2485 if (!n) /* none found? */
2486 return;
1da177e4 2487
c3c073f8 2488 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2489 if (IS_ERR(devnull))
2490 devnull = NULL;
2491 /* replace all the matching ones with this */
2492 do {
2493 replace_fd(n - 1, devnull, 0);
2494 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2495 if (devnull)
c3c073f8 2496 fput(devnull);
1da177e4
LT		 2497}
2498
a6f76f23
DH		 2499/*
2500 * Prepare a process for imminent new credential changes due to exec
2501 */
2502static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2503{
a6f76f23
DH		 2504 struct task_security_struct *new_tsec;
2505 struct rlimit *rlim, *initrlim;
2506 int rc, i;
d84f4f99 2507
0c6cfa62 2508 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2509 if (new_tsec->sid == new_tsec->osid)
2510 return;
1da177e4 2511
a6f76f23
DH		 2512 /* Close files for which the new task SID is not authorized. */
2513 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2514
a6f76f23
DH		 2515 /* Always clear parent death signal on SID transitions. */
2516 current->pdeath_signal = 0;
0356357c 2517
a6f76f23
DH		 2518 /* Check whether the new SID can inherit resource limits from the old
2519 * SID. If not, reset all soft limits to the lower of the current
2520 * task's hard limit and the init task's soft limit.
2521 *
2522 * Note that the setting of hard limits (even to lower them) can be
2523 * controlled by the setrlimit check. The inclusion of the init task's
2524 * soft limit into the computation is to avoid resetting soft limits
2525 * higher than the default soft limit for cases where the default is
2526 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2527 */
6b6bc620
SS		 2528 rc = avc_has_perm(&selinux_state,
2529 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2530 PROCESS__RLIMITINH, NULL);
2531 if (rc) {
eb2d55a3
ON		 2532 /* protect against do_prlimit() */
2533 task_lock(current);
a6f76f23
DH		 2534 for (i = 0; i < RLIM_NLIMITS; i++) {
2535 rlim = current->signal->rlim + i;
2536 initrlim = init_task.signal->rlim + i;
2537 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2538 }
eb2d55a3 2539 task_unlock(current);
baa73d9e
NP		 2540 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2541 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2542 }
2543}
2544
2545/*
a6f76f23
DH		 2546 * Clean up the process immediately after the installation of new credentials
2547 * due to exec
1da177e4 2548 */
a6f76f23 2549static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2550{
0c6cfa62 2551 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2552 u32 osid, sid;
ddbc7d06 2553 int rc;
1da177e4 2554
a6f76f23
DH		 2555 osid = tsec->osid;
2556 sid = tsec->sid;
2557
2558 if (sid == osid)
1da177e4
LT		 2559 return;
2560
a6f76f23
DH		 2561 /* Check whether the new SID can inherit signal state from the old SID.
2562 * If not, clear itimers to avoid subsequent signal generation and
2563 * flush and unblock signals.
2564 *
2565 * This must occur _after_ the task SID has been updated so that any
2566 * kill done after the flush will be checked against the new SID.
2567 */
6b6bc620
SS		 2568 rc = avc_has_perm(&selinux_state,
2569 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2570 if (rc) {
ddbc7d06
AB		 2571 clear_itimer();
2572
1da177e4 2573 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2574 if (!fatal_signal_pending(current)) {
2575 flush_sigqueue(&current->pending);
2576 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2577 flush_signal_handlers(current, 1);
2578 sigemptyset(&current->blocked);
9e7c8f8c 2579 recalc_sigpending();
3bcac026 2580 }
1da177e4
LT		 2581 spin_unlock_irq(&current->sighand->siglock);
2582 }
2583
a6f76f23
DH		 2584 /* Wake up the parent if it is waiting so that it can recheck
2585 * wait permission to the new task SID. */
ecd6de3c 2586 read_lock(&tasklist_lock);
0b7570e7 2587 __wake_up_parent(current, current->real_parent);
ecd6de3c 2588 read_unlock(&tasklist_lock);
1da177e4
LT		 2589}
2590
2591/* superblock security operations */
2592
2593static int selinux_sb_alloc_security(struct super_block *sb)
2594{
2595 return superblock_alloc_security(sb);
2596}
2597
2598static void selinux_sb_free_security(struct super_block *sb)
2599{
2600 superblock_free_security(sb);
2601}
2602
99dbbb59 2603static inline int opt_len(const char *s)
1da177e4 2604{
99dbbb59
AV		 2605 bool open_quote = false;
2606 int len;
2607 char c;
1da177e4 2608
99dbbb59
AV		 2609 for (len = 0; (c = s[len]) != '\0'; len++) {
2610 if (c == '"')
2611 open_quote = !open_quote;
2612 if (c == ',' && !open_quote)
2613 break;
3528a953 2614 }
99dbbb59 2615 return len;
3528a953
CO		 2616}
2617
99dbbb59 2618static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2619{
99dbbb59
AV		 2620 char *from = options;
2621 char *to = options;
2622 bool first = true;
fec63753 2623 int rc;
1da177e4 2624
99dbbb59
AV		 2625 while (1) {
2626 int len = opt_len(from);
fec63753 2627 int token;
99dbbb59 2628 char *arg = NULL;
1da177e4 2629
99dbbb59 2630 token = match_opt_prefix(from, len, &arg);
1da177e4 2631
99dbbb59
AV		 2632 if (token != Opt_error) {
2633 char *p, *q;
1da177e4 2634
99dbbb59
AV		 2635 /* strip quotes */
2636 if (arg) {
2637 for (p = q = arg; p < from + len; p++) {
2638 char c = *p;
2639 if (c != '"')
2640 *q++ = c;
2641 }
2642 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2643 if (!arg) {
2644 rc = -ENOMEM;
2645 goto free_opt;
2646 }
99dbbb59
AV		 2647 }
2648 rc = selinux_add_opt(token, arg, mnt_opts);
2649 if (unlikely(rc)) {
2650 kfree(arg);
fec63753 2651 goto free_opt;
99dbbb59
AV		 2652 }
2653 } else {
2654 if (!first) { // copy with preceding comma
2655 from--;
2656 len++;
2657 }
2658 if (to != from)
2659 memmove(to, from, len);
2660 to += len;
2661 first = false;
1da177e4 2662 }
99dbbb59
AV		 2663 if (!from[len])
2664 break;
2665 from += len + 1;
2666 }
2667 *to = '\0';
2668 return 0;
fec63753
GZ		 2669
2670free_opt:
2671 if (*mnt_opts) {
2672 selinux_free_mnt_opts(*mnt_opts);
2673 *mnt_opts = NULL;
2674 }
2675 return rc;
1da177e4
LT		 2676}
2677
204cc0cc 2678static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2679{
bd323655 2680 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2681 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2682 u32 sid;
2683 int rc;
026eb167
EP		 2684
2685 if (!(sbsec->flags & SE_SBINITIALIZED))
2686 return 0;
2687
204cc0cc 2688 if (!opts)
026eb167
EP		 2689 return 0;
2690
bd323655
AV		 2691 if (opts->fscontext) {
2692 rc = parse_sid(sb, opts->fscontext, &sid);
2693 if (rc)
c039bc3c 2694 return rc;
bd323655
AV		 2695 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2696 goto out_bad_option;
026eb167 2697 }
bd323655
AV		 2698 if (opts->context) {
2699 rc = parse_sid(sb, opts->context, &sid);
2700 if (rc)
2701 return rc;
2702 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2703 goto out_bad_option;
2704 }
2705 if (opts->rootcontext) {
2706 struct inode_security_struct *root_isec;
2707 root_isec = backing_inode_security(sb->s_root);
2708 rc = parse_sid(sb, opts->rootcontext, &sid);
2709 if (rc)
2710 return rc;
2711 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2712 goto out_bad_option;
2713 }
2714 if (opts->defcontext) {
2715 rc = parse_sid(sb, opts->defcontext, &sid);
2716 if (rc)
2717 return rc;
2718 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2719 goto out_bad_option;
026eb167 2720 }
c039bc3c 2721 return 0;
026eb167 2722
026eb167 2723out_bad_option:
c103a91e 2724 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2725 "during remount (dev %s, type=%s)\n", sb->s_id,
2726 sb->s_type->name);
c039bc3c 2727 return -EINVAL;
026eb167
EP		 2728}
2729
a10d7c22 2730static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2731{
88e67f3b 2732 const struct cred *cred = current_cred();
2bf49690 2733 struct common_audit_data ad;
74192246 2734
50c205f5 2735 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2736 ad.u.dentry = sb->s_root;
88e67f3b 2737 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2738}
2739
726c3342 2740static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2741{
88e67f3b 2742 const struct cred *cred = current_cred();
2bf49690 2743 struct common_audit_data ad;
1da177e4 2744
50c205f5 2745 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2746 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2747 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2748}
2749
808d4e3c 2750static int selinux_mount(const char *dev_name,
8a04c43b 2751 const struct path *path,
808d4e3c 2752 const char *type,
828dfe1d
EP		 2753 unsigned long flags,
2754 void *data)
1da177e4 2755{
88e67f3b 2756 const struct cred *cred = current_cred();
1da177e4
LT		 2757
2758 if (flags & MS_REMOUNT)
d8c9584e 2759 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2760 FILESYSTEM__REMOUNT, NULL);
1da177e4 2761 else
2875fa00 2762 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2763}
2764
2765static int selinux_umount(struct vfsmount *mnt, int flags)
2766{
88e67f3b 2767 const struct cred *cred = current_cred();
1da177e4 2768
88e67f3b 2769 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2770 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2771}
2772
0b52075e
AV		 2773static int selinux_fs_context_dup(struct fs_context *fc,
2774 struct fs_context *src_fc)
2775{
2776 const struct selinux_mnt_opts *src = src_fc->security;
2777 struct selinux_mnt_opts *opts;
2778
2779 if (!src)
2780 return 0;
2781
2782 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2783 if (!fc->security)
2784 return -ENOMEM;
2785
2786 opts = fc->security;
2787
2788 if (src->fscontext) {
2789 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2790 if (!opts->fscontext)
2791 return -ENOMEM;
2792 }
2793 if (src->context) {
2794 opts->context = kstrdup(src->context, GFP_KERNEL);
2795 if (!opts->context)
2796 return -ENOMEM;
2797 }
2798 if (src->rootcontext) {
2799 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2800 if (!opts->rootcontext)
2801 return -ENOMEM;
2802 }
2803 if (src->defcontext) {
2804 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2805 if (!opts->defcontext)
2806 return -ENOMEM;
2807 }
2808 return 0;
2809}
2810
442155c1
DH		 2811static const struct fs_parameter_spec selinux_param_specs[] = {
2812 fsparam_string(CONTEXT_STR, Opt_context),
2813 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2814 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2815 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2816 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2817 {}
2818};
2819
2820static const struct fs_parameter_description selinux_fs_parameters = {
2821 .name = "SELinux",
2822 .specs = selinux_param_specs,
2823};
2824
2825static int selinux_fs_context_parse_param(struct fs_context *fc,
2826 struct fs_parameter *param)
2827{
2828 struct fs_parse_result result;
2829 int opt, rc;
2830
2831 opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2832 if (opt < 0)
2833 return opt;
2834
2835 rc = selinux_add_opt(opt, param->string, &fc->security);
2836 if (!rc) {
2837 param->string = NULL;
2838 rc = 1;
2839 }
2840 return rc;
2841}
2842
1da177e4
LT		 2843/* inode security operations */
2844
2845static int selinux_inode_alloc_security(struct inode *inode)
2846{
2847 return inode_alloc_security(inode);
2848}
2849
2850static void selinux_inode_free_security(struct inode *inode)
2851{
2852 inode_free_security(inode);
2853}
2854
d47be3df 2855static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2856 const struct qstr *name, void **ctx,
d47be3df
DQ		 2857 u32 *ctxlen)
2858{
d47be3df
DQ		 2859 u32 newsid;
2860 int rc;
2861
0c6cfa62 2862 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2863 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2864 inode_mode_to_security_class(mode),
2865 &newsid);
2866 if (rc)
2867 return rc;
d47be3df 2868
aa8e712c
SS		 2869 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2870 ctxlen);
d47be3df
DQ		 2871}
2872
a518b0a5
VG		 2873static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2874 struct qstr *name,
2875 const struct cred *old,
2876 struct cred *new)
2877{
2878 u32 newsid;
2879 int rc;
2880 struct task_security_struct *tsec;
2881
0c6cfa62 2882 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2883 d_inode(dentry->d_parent), name,
2884 inode_mode_to_security_class(mode),
2885 &newsid);
2886 if (rc)
2887 return rc;
2888
0c6cfa62 2889 tsec = selinux_cred(new);
a518b0a5
VG		 2890 tsec->create_sid = newsid;
2891 return 0;
2892}
2893
5e41ff9e 2894static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2895 const struct qstr *qstr,
2896 const char **name,
2a7dba39 2897 void **value, size_t *len)
5e41ff9e 2898{
0c6cfa62 2899 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2900 struct superblock_security_struct *sbsec;
c0d4f464 2901 u32 newsid, clen;
5e41ff9e 2902 int rc;
9548906b 2903 char *context;
5e41ff9e 2904
5e41ff9e 2905 sbsec = dir->i_sb->s_security;
5e41ff9e 2906
275bb41e
DH		 2907 newsid = tsec->create_sid;
2908
0c6cfa62 2909 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c3c188b2
DH		 2910 dir, qstr,
2911 inode_mode_to_security_class(inode->i_mode),
2912 &newsid);
2913 if (rc)
2914 return rc;
5e41ff9e 2915
296fddf7 2916 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2917 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2918 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2919 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2920 isec->sid = newsid;
6f3be9f5 2921 isec->initialized = LABEL_INITIALIZED;
296fddf7 2922 }
5e41ff9e 2923
aa8e712c 2924 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2925 return -EOPNOTSUPP;
2926
9548906b
TH		 2927 if (name)
2928 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2929
570bc1c2 2930 if (value && len) {
aa8e712c
SS		 2931 rc = security_sid_to_context_force(&selinux_state, newsid,
2932 &context, &clen);
9548906b 2933 if (rc)
570bc1c2 2934 return rc;
570bc1c2
SS		 2935 *value = context;
2936 *len = clen;
5e41ff9e 2937 }
5e41ff9e 2938
5e41ff9e
SS		 2939 return 0;
2940}
2941
4acdaf27 2942static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2943{
2944 return may_create(dir, dentry, SECCLASS_FILE);
2945}
2946
1da177e4
LT		 2947static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2948{
1da177e4
LT		 2949 return may_link(dir, old_dentry, MAY_LINK);
2950}
2951
1da177e4
LT		 2952static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2953{
1da177e4
LT		 2954 return may_link(dir, dentry, MAY_UNLINK);
2955}
2956
2957static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2958{
2959 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2960}
2961
18bb1db3 2962static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2963{
2964 return may_create(dir, dentry, SECCLASS_DIR);
2965}
2966
1da177e4
LT		 2967static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2968{
2969 return may_link(dir, dentry, MAY_RMDIR);
2970}
2971
1a67aafb 2972static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2973{
1da177e4
LT		 2974 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2975}
2976
1da177e4 2977static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2978 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2979{
2980 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2981}
2982
1da177e4
LT		 2983static int selinux_inode_readlink(struct dentry *dentry)
2984{
88e67f3b
DH		 2985 const struct cred *cred = current_cred();
2986
2875fa00 2987 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2988}
2989
bda0be7a
N		 2990static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2991 bool rcu)
1da177e4 2992{
88e67f3b 2993 const struct cred *cred = current_cred();
bda0be7a
N		 2994 struct common_audit_data ad;
2995 struct inode_security_struct *isec;
2996 u32 sid;
1da177e4 2997
bda0be7a
N		 2998 validate_creds(cred);
2999
3000 ad.type = LSM_AUDIT_DATA_DENTRY;
3001 ad.u.dentry = dentry;
3002 sid = cred_sid(cred);
5d226df4
AG		 3003 isec = inode_security_rcu(inode, rcu);
3004 if (IS_ERR(isec))
3005 return PTR_ERR(isec);
bda0be7a 3006
1a37079c
SS		 3007 return avc_has_perm_flags(&selinux_state,
3008 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3009 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3010}
3011
d4cf970d
EP		 3012static noinline int audit_inode_permission(struct inode *inode,
3013 u32 perms, u32 audited, u32 denied,
0188d5c0 3014 int result)
1da177e4 3015{
b782e0a6 3016 struct common_audit_data ad;
80788c22 3017 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d
EP		 3018 int rc;
3019
50c205f5 3020 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3021 ad.u.inode = inode;
3022
6b6bc620
SS		 3023 rc = slow_avc_audit(&selinux_state,
3024 current_sid(), isec->sid, isec->sclass, perms,
0188d5c0 3025 audited, denied, result, &ad);
d4cf970d
EP		 3026 if (rc)
3027 return rc;
3028 return 0;
3029}
3030
e74f71eb 3031static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3032{
88e67f3b 3033 const struct cred *cred = current_cred();
b782e0a6
EP		 3034 u32 perms;
3035 bool from_access;
5298d0b9 3036 bool no_block = mask & MAY_NOT_BLOCK;
2e334057
EP		 3037 struct inode_security_struct *isec;
3038 u32 sid;
3039 struct av_decision avd;
3040 int rc, rc2;
3041 u32 audited, denied;
1da177e4 3042
b782e0a6 3043 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3044 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3045
b782e0a6
EP		 3046 /* No permission to check. Existence test. */
3047 if (!mask)
1da177e4 3048 return 0;
1da177e4 3049
2e334057 3050 validate_creds(cred);
b782e0a6 3051
2e334057
EP		 3052 if (unlikely(IS_PRIVATE(inode)))
3053 return 0;
b782e0a6
EP		 3054
3055 perms = file_mask_to_av(inode->i_mode, mask);
3056
2e334057 3057 sid = cred_sid(cred);
5298d0b9 3058 isec = inode_security_rcu(inode, no_block);
5d226df4
AG		 3059 if (IS_ERR(isec))
3060 return PTR_ERR(isec);
2e334057 3061
6b6bc620 3062 rc = avc_has_perm_noaudit(&selinux_state,
3a28cff3 3063 sid, isec->sid, isec->sclass, perms,
5298d0b9 3064 no_block ? AVC_NONBLOCKING : 0,
3a28cff3 3065 &avd);
2e334057
EP		 3066 audited = avc_audit_required(perms, &avd, rc,
3067 from_access ? FILE__AUDIT_ACCESS : 0,
3068 &denied);
3069 if (likely(!audited))
3070 return rc;
3071
0188d5c0 3072 /* fall back to ref-walk if we have to generate audit */
5298d0b9 3073 if (no_block)
0188d5c0
SS		 3074 return -ECHILD;
3075
3076 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
2e334057
EP		 3077 if (rc2)
3078 return rc2;
3079 return rc;
1da177e4
LT		 3080}
3081
3082static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3083{
88e67f3b 3084 const struct cred *cred = current_cred();
ccb54478 3085 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3086 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3087 __u32 av = FILE__WRITE;
1da177e4 3088
bc6a6008
AW		 3089 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3090 if (ia_valid & ATTR_FORCE) {
3091 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3092 ATTR_FORCE);
3093 if (!ia_valid)
3094 return 0;
3095 }
1da177e4 3096
bc6a6008
AW		 3097 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3098 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3099 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3100
aa8e712c 3101 if (selinux_policycap_openperm() &&
ccb54478
SS		 3102 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3103 (ia_valid & ATTR_SIZE) &&
3104 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3105 av |= FILE__OPEN;
3106
3107 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3108}
3109
3f7036a0 3110static int selinux_inode_getattr(const struct path *path)
1da177e4 3111{
3f7036a0 3112 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3113}
3114
db59000a
SS		 3115static bool has_cap_mac_admin(bool audit)
3116{
3117 const struct cred *cred = current_cred();
c1a85a00 3118 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3119
c1a85a00 3120 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3121 return false;
c1a85a00 3122 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3123 return false;
3124 return true;
3125}
3126
8f0cfa52
DH		 3127static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3128 const void *value, size_t size, int flags)
1da177e4 3129{
c6f493d6 3130 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3131 struct inode_security_struct *isec;
1da177e4 3132 struct superblock_security_struct *sbsec;
2bf49690 3133 struct common_audit_data ad;
275bb41e 3134 u32 newsid, sid = current_sid();
1da177e4
LT		 3135 int rc = 0;
3136
6b240306
EB		 3137 if (strcmp(name, XATTR_NAME_SELINUX)) {
3138 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3139 if (rc)
3140 return rc;
3141
3142 /* Not an attribute we recognize, so just check the
3143 ordinary setattr permission. */
3144 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3145 }
1da177e4 3146
3e3e24b4
JL		 3147 if (!selinux_state.initialized)
3148 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3149
1da177e4 3150 sbsec = inode->i_sb->s_security;
12f348b9 3151 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3152 return -EOPNOTSUPP;
3153
2e149670 3154 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3155 return -EPERM;
3156
50c205f5 3157 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3158 ad.u.dentry = dentry;
1da177e4 3159
20cdef8d 3160 isec = backing_inode_security(dentry);
6b6bc620
SS		 3161 rc = avc_has_perm(&selinux_state,
3162 sid, isec->sid, isec->sclass,
1da177e4
LT		 3163 FILE__RELABELFROM, &ad);
3164 if (rc)
3165 return rc;
3166
aa8e712c
SS		 3167 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3168 GFP_KERNEL);
12b29f34 3169 if (rc == -EINVAL) {
db59000a 3170 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3171 struct audit_buffer *ab;
3172 size_t audit_size;
d6ea83ec
EP		 3173
3174 /* We strip a nul only if it is at the end, otherwise the
3175 * context contains a nul and we should audit that */
e3fea3f7 3176 if (value) {
add24372
CIK		 3177 const char *str = value;
3178
e3fea3f7
AV		 3179 if (str[size - 1] == '\0')
3180 audit_size = size - 1;
3181 else
3182 audit_size = size;
3183 } else {
e3fea3f7
AV		 3184 audit_size = 0;
3185 }
cdfb6b34
RGB		 3186 ab = audit_log_start(audit_context(),
3187 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3188 audit_log_format(ab, "op=setxattr invalid_context=");
3189 audit_log_n_untrustedstring(ab, value, audit_size);
3190 audit_log_end(ab);
3191
12b29f34 3192 return rc;
d6ea83ec 3193 }
aa8e712c
SS		 3194 rc = security_context_to_sid_force(&selinux_state, value,
3195 size, &newsid);
12b29f34 3196 }
1da177e4
LT		 3197 if (rc)
3198 return rc;
3199
6b6bc620
SS		 3200 rc = avc_has_perm(&selinux_state,
3201 sid, newsid, isec->sclass,
1da177e4
LT		 3202 FILE__RELABELTO, &ad);
3203 if (rc)
3204 return rc;
3205
aa8e712c
SS		 3206 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3207 sid, isec->sclass);
1da177e4
LT		 3208 if (rc)
3209 return rc;
3210
6b6bc620
SS		 3211 return avc_has_perm(&selinux_state,
3212 newsid,
1da177e4
LT		 3213 sbsec->sid,
3214 SECCLASS_FILESYSTEM,
3215 FILESYSTEM__ASSOCIATE,
3216 &ad);
3217}
3218
8f0cfa52 3219static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3220 const void *value, size_t size,
8f0cfa52 3221 int flags)
1da177e4 3222{
c6f493d6 3223 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3224 struct inode_security_struct *isec;
1da177e4
LT		 3225 u32 newsid;
3226 int rc;
3227
3228 if (strcmp(name, XATTR_NAME_SELINUX)) {
3229 /* Not an attribute we recognize, so nothing to do. */
3230 return;
3231 }
3232
3e3e24b4
JL		 3233 if (!selinux_state.initialized) {
3234 /* If we haven't even been initialized, then we can't validate
3235 * against a policy, so leave the label as invalid. It may
3236 * resolve to a valid label on the next revalidation try if
3237 * we've since initialized.
3238 */
3239 return;
3240 }
3241
aa8e712c
SS		 3242 rc = security_context_to_sid_force(&selinux_state, value, size,
3243 &newsid);
1da177e4 3244 if (rc) {
c103a91e 3245 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3246 "for (%s, %lu), rc=%d\n",
3247 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3248 return;
3249 }
3250
20cdef8d 3251 isec = backing_inode_security(dentry);
9287aed2 3252 spin_lock(&isec->lock);
aa9c2669 3253 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3254 isec->sid = newsid;
6f3be9f5 3255 isec->initialized = LABEL_INITIALIZED;
9287aed2 3256 spin_unlock(&isec->lock);
aa9c2669 3257
1da177e4
LT		 3258 return;
3259}
3260
8f0cfa52 3261static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3262{
88e67f3b
DH		 3263 const struct cred *cred = current_cred();
3264
2875fa00 3265 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3266}
3267
828dfe1d 3268static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3269{
88e67f3b
DH		 3270 const struct cred *cred = current_cred();
3271
2875fa00 3272 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3273}
3274
8f0cfa52 3275static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3276{
6b240306
EB		 3277 if (strcmp(name, XATTR_NAME_SELINUX)) {
3278 int rc = cap_inode_removexattr(dentry, name);
3279 if (rc)
3280 return rc;
3281
3282 /* Not an attribute we recognize, so just check the
3283 ordinary setattr permission. */
3284 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3285 }
1da177e4
LT		 3286
3287 /* No one is allowed to remove a SELinux security label.
3288 You can change the label, but all data must be labeled. */
3289 return -EACCES;
3290}
3291
ac5656d8
AG		 3292static int selinux_path_notify(const struct path *path, u64 mask,
3293 unsigned int obj_type)
3294{
3295 int ret;
3296 u32 perm;
3297
3298 struct common_audit_data ad;
3299
3300 ad.type = LSM_AUDIT_DATA_PATH;
3301 ad.u.path = *path;
3302
3303 /*
3304 * Set permission needed based on the type of mark being set.
3305 * Performs an additional check for sb watches.
3306 */
3307 switch (obj_type) {
3308 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3309 perm = FILE__WATCH_MOUNT;
3310 break;
3311 case FSNOTIFY_OBJ_TYPE_SB:
3312 perm = FILE__WATCH_SB;
3313 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3314 FILESYSTEM__WATCH, &ad);
3315 if (ret)
3316 return ret;
3317 break;
3318 case FSNOTIFY_OBJ_TYPE_INODE:
3319 perm = FILE__WATCH;
3320 break;
3321 default:
3322 return -EINVAL;
3323 }
3324
3325 /* blocking watches require the file:watch_with_perm permission */
3326 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3327 perm |= FILE__WATCH_WITH_PERM;
3328
3329 /* watches on read-like events need the file:watch_reads permission */
3330 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3331 perm |= FILE__WATCH_READS;
3332
3333 return path_has_perm(current_cred(), path, perm);
3334}
3335
d381d8a9 3336/*
abc69bb6 3337 * Copy the inode security context value to the user.
d381d8a9
JM		 3338 *
3339 * Permission check is handled by selinux_inode_getxattr hook.
3340 */
ea861dfd 3341static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3342{
42492594
DQ		 3343 u32 size;
3344 int error;
3345 char *context = NULL;
20cdef8d 3346 struct inode_security_struct *isec;
d381d8a9 3347
8c8570fb
DK		 3348 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3349 return -EOPNOTSUPP;
d381d8a9 3350
abc69bb6
SS		 3351 /*
3352 * If the caller has CAP_MAC_ADMIN, then get the raw context
3353 * value even if it is not defined by current policy; otherwise,
3354 * use the in-core value under current policy.
3355 * Use the non-auditing forms of the permission checks since
3356 * getxattr may be called by unprivileged processes commonly
3357 * and lack of permission just means that we fall back to the
3358 * in-core context value, not a denial.
3359 */
20cdef8d 3360 isec = inode_security(inode);
db59000a 3361 if (has_cap_mac_admin(false))
aa8e712c
SS		 3362 error = security_sid_to_context_force(&selinux_state,
3363 isec->sid, &context,
abc69bb6
SS		 3364 &size);
3365 else
aa8e712c
SS		 3366 error = security_sid_to_context(&selinux_state, isec->sid,
3367 &context, &size);
42492594
DQ		 3368 if (error)
3369 return error;
3370 error = size;
3371 if (alloc) {
3372 *buffer = context;
3373 goto out_nofree;
3374 }
3375 kfree(context);
3376out_nofree:
3377 return error;
1da177e4
LT		 3378}
3379
3380static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3381 const void *value, size_t size, int flags)
1da177e4 3382{
2c97165b 3383 struct inode_security_struct *isec = inode_security_novalidate(inode);
53e0c2aa 3384 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1da177e4
LT		 3385 u32 newsid;
3386 int rc;
3387
3388 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3389 return -EOPNOTSUPP;
3390
53e0c2aa
OM		 3391 if (!(sbsec->flags & SBLABEL_MNT))
3392 return -EOPNOTSUPP;
3393
1da177e4
LT		 3394 if (!value || !size)
3395 return -EACCES;
3396
aa8e712c
SS		 3397 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3398 GFP_KERNEL);
1da177e4
LT		 3399 if (rc)
3400 return rc;
3401
9287aed2 3402 spin_lock(&isec->lock);
aa9c2669 3403 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3404 isec->sid = newsid;
6f3be9f5 3405 isec->initialized = LABEL_INITIALIZED;
9287aed2 3406 spin_unlock(&isec->lock);
1da177e4
LT		 3407 return 0;
3408}
3409
3410static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3411{
3412 const int len = sizeof(XATTR_NAME_SELINUX);
3413 if (buffer && len <= buffer_size)
3414 memcpy(buffer, XATTR_NAME_SELINUX, len);
3415 return len;
3416}
3417
d6335d77 3418static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3419{
e817c2f3 3420 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3421 *secid = isec->sid;
3422}
3423
56909eb3
VG		 3424static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3425{
3426 u32 sid;
3427 struct task_security_struct *tsec;
3428 struct cred *new_creds = *new;
3429
3430 if (new_creds == NULL) {
3431 new_creds = prepare_creds();
3432 if (!new_creds)
3433 return -ENOMEM;
3434 }
3435
0c6cfa62 3436 tsec = selinux_cred(new_creds);
56909eb3
VG		 3437 /* Get label from overlay inode and set it in create_sid */
3438 selinux_inode_getsecid(d_inode(src), &sid);
3439 tsec->create_sid = sid;
3440 *new = new_creds;
3441 return 0;
3442}
3443
19472b69
VG		 3444static int selinux_inode_copy_up_xattr(const char *name)
3445{
3446 /* The copy_up hook above sets the initial context on an inode, but we
3447 * don't then want to overwrite it by blindly copying all the lower
3448 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3449 */
3450 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3451 return 1; /* Discard */
3452 /*
3453 * Any other attribute apart from SELINUX is not claimed, supported
3454 * by selinux.
3455 */
3456 return -EOPNOTSUPP;
3457}
3458
ec882da5
OM		 3459/* kernfs node operations */
3460
c72c4cde
Y		 3461static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3462 struct kernfs_node *kn)
ec882da5 3463{
169ce0c0 3464 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3465 u32 parent_sid, newsid, clen;
3466 int rc;
3467 char *context;
3468
1537ad15 3469 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3470 if (rc == -ENODATA)
3471 return 0;
3472 else if (rc < 0)
3473 return rc;
3474
3475 clen = (u32)rc;
3476 context = kmalloc(clen, GFP_KERNEL);
3477 if (!context)
3478 return -ENOMEM;
3479
1537ad15 3480 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3481 if (rc < 0) {
3482 kfree(context);
3483 return rc;
3484 }
3485
3486 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3487 GFP_KERNEL);
3488 kfree(context);
3489 if (rc)
3490 return rc;
3491
3492 if (tsec->create_sid) {
3493 newsid = tsec->create_sid;
3494 } else {
3495 u16 secclass = inode_mode_to_security_class(kn->mode);
3496 struct qstr q;
3497
3498 q.name = kn->name;
3499 q.hash_len = hashlen_string(kn_dir, kn->name);
3500
3501 rc = security_transition_sid(&selinux_state, tsec->sid,
3502 parent_sid, secclass, &q,
3503 &newsid);
3504 if (rc)
3505 return rc;
3506 }
3507
3508 rc = security_sid_to_context_force(&selinux_state, newsid,
3509 &context, &clen);
3510 if (rc)
3511 return rc;
3512
1537ad15
OM		 3513 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3514 XATTR_CREATE);
ec882da5
OM		 3515 kfree(context);
3516 return rc;
3517}
3518
3519
1da177e4
LT		 3520/* file security operations */
3521
788e7dd4 3522static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3523{
88e67f3b 3524 const struct cred *cred = current_cred();
496ad9aa 3525 struct inode *inode = file_inode(file);
1da177e4 3526
1da177e4
LT		 3527 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3528 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3529 mask |= MAY_APPEND;
3530
389fb800
PM		 3531 return file_has_perm(cred, file,
3532 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3533}
3534
788e7dd4
YN		 3535static int selinux_file_permission(struct file *file, int mask)
3536{
496ad9aa 3537 struct inode *inode = file_inode(file);
bb6c6b02 3538 struct file_security_struct *fsec = selinux_file(file);
b197367e 3539 struct inode_security_struct *isec;
20dda18b
SS		 3540 u32 sid = current_sid();
3541
389fb800 3542 if (!mask)
788e7dd4
YN		 3543 /* No permission to check. Existence test. */
3544 return 0;
788e7dd4 3545
b197367e 3546 isec = inode_security(inode);
20dda18b 3547 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3548 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3549 /* No change since file_open check. */
20dda18b
SS		 3550 return 0;
3551
788e7dd4
YN		 3552 return selinux_revalidate_file_permission(file, mask);
3553}
3554
1da177e4
LT		 3555static int selinux_file_alloc_security(struct file *file)
3556{
3557 return file_alloc_security(file);
3558}
3559
fa1aa143
JVS		 3560/*
3561 * Check whether a task has the ioctl permission and cmd
3562 * operation to an inode.
3563 */
1d2a168a 3564static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3565 u32 requested, u16 cmd)
3566{
3567 struct common_audit_data ad;
bb6c6b02 3568 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3569 struct inode *inode = file_inode(file);
20cdef8d 3570 struct inode_security_struct *isec;
fa1aa143
JVS		 3571 struct lsm_ioctlop_audit ioctl;
3572 u32 ssid = cred_sid(cred);
3573 int rc;
3574 u8 driver = cmd >> 8;
3575 u8 xperm = cmd & 0xff;
3576
3577 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3578 ad.u.op = &ioctl;
3579 ad.u.op->cmd = cmd;
3580 ad.u.op->path = file->f_path;
3581
3582 if (ssid != fsec->sid) {
6b6bc620
SS		 3583 rc = avc_has_perm(&selinux_state,
3584 ssid, fsec->sid,
fa1aa143
JVS		 3585 SECCLASS_FD,
3586 FD__USE,
3587 &ad);
3588 if (rc)
3589 goto out;
3590 }
3591
3592 if (unlikely(IS_PRIVATE(inode)))
3593 return 0;
3594
20cdef8d 3595 isec = inode_security(inode);
6b6bc620
SS		 3596 rc = avc_has_extended_perms(&selinux_state,
3597 ssid, isec->sid, isec->sclass,
3598 requested, driver, xperm, &ad);
fa1aa143
JVS		 3599out:
3600 return rc;
3601}
3602
1da177e4
LT		 3603static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3604 unsigned long arg)
3605{
88e67f3b 3606 const struct cred *cred = current_cred();
0b24dcb7 3607 int error = 0;
1da177e4 3608
0b24dcb7
EP		 3609 switch (cmd) {
3610 case FIONREAD:
3611 /* fall through */
3612 case FIBMAP:
3613 /* fall through */
3614 case FIGETBSZ:
3615 /* fall through */
2f99c369 3616 case FS_IOC_GETFLAGS:
0b24dcb7 3617 /* fall through */
2f99c369 3618 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3619 error = file_has_perm(cred, file, FILE__GETATTR);
3620 break;
1da177e4 3621
2f99c369 3622 case FS_IOC_SETFLAGS:
0b24dcb7 3623 /* fall through */
2f99c369 3624 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3625 error = file_has_perm(cred, file, FILE__SETATTR);
3626 break;
3627
3628 /* sys_ioctl() checks */
3629 case FIONBIO:
3630 /* fall through */
3631 case FIOASYNC:
3632 error = file_has_perm(cred, file, 0);
3633 break;
1da177e4 3634
0b24dcb7
EP		 3635 case KDSKBENT:
3636 case KDSKBSENT:
6a9de491 3637 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3638 CAP_OPT_NONE, true);
0b24dcb7
EP		 3639 break;
3640
3641 /* default case assumes that the command will go
3642 * to the file's ioctl() function.
3643 */
3644 default:
fa1aa143 3645 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3646 }
3647 return error;
1da177e4
LT		 3648}
3649
fcaaade1
SS		 3650static int default_noexec;
3651
1da177e4
LT		 3652static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3653{
88e67f3b 3654 const struct cred *cred = current_cred();
be0554c9 3655 u32 sid = cred_sid(cred);
d84f4f99 3656 int rc = 0;
88e67f3b 3657
fcaaade1 3658 if (default_noexec &&
892e8cac
SS		 3659 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3660 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3661 /*
3662 * We are making executable an anonymous mapping or a
3663 * private file mapping that will also be writable.
3664 * This has an additional check.
3665 */
6b6bc620
SS		 3666 rc = avc_has_perm(&selinux_state,
3667 sid, sid, SECCLASS_PROCESS,
be0554c9 3668 PROCESS__EXECMEM, NULL);
1da177e4 3669 if (rc)
d84f4f99 3670 goto error;
1da177e4 3671 }
1da177e4
LT		 3672
3673 if (file) {
3674 /* read access is always possible with a mapping */
3675 u32 av = FILE__READ;
3676
3677 /* write access only matters if the mapping is shared */
3678 if (shared && (prot & PROT_WRITE))
3679 av |= FILE__WRITE;
3680
3681 if (prot & PROT_EXEC)
3682 av |= FILE__EXECUTE;
3683
88e67f3b 3684 return file_has_perm(cred, file, av);
1da177e4 3685 }
d84f4f99
DH		 3686
3687error:
3688 return rc;
1da177e4
LT		 3689}
3690
e5467859 3691static int selinux_mmap_addr(unsigned long addr)
1da177e4 3692{
b1d9e6b0 3693 int rc = 0;
1da177e4 3694
a2551df7 3695 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3696 u32 sid = current_sid();
6b6bc620
SS		 3697 rc = avc_has_perm(&selinux_state,
3698 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3699 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3700 }
3701
98883bfd 3702 return rc;
e5467859 3703}
1da177e4 3704
e5467859
AV		 3705static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3706 unsigned long prot, unsigned long flags)
3707{
3ba4bf5f
SS		 3708 struct common_audit_data ad;
3709 int rc;
3710
3711 if (file) {
3712 ad.type = LSM_AUDIT_DATA_FILE;
3713 ad.u.file = file;
3714 rc = inode_has_perm(current_cred(), file_inode(file),
3715 FILE__MAP, &ad);
3716 if (rc)
3717 return rc;
3718 }
3719
aa8e712c 3720 if (selinux_state.checkreqprot)
1da177e4
LT		 3721 prot = reqprot;
3722
3723 return file_map_prot_check(file, prot,
3724 (flags & MAP_TYPE) == MAP_SHARED);
3725}
3726
3727static int selinux_file_mprotect(struct vm_area_struct *vma,
3728 unsigned long reqprot,
3729 unsigned long prot)
3730{
88e67f3b 3731 const struct cred *cred = current_cred();
be0554c9 3732 u32 sid = cred_sid(cred);
1da177e4 3733
aa8e712c 3734 if (selinux_state.checkreqprot)
1da177e4
LT		 3735 prot = reqprot;
3736
fcaaade1
SS		 3737 if (default_noexec &&
3738 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3739 int rc = 0;
db4c9641
SS		 3740 if (vma->vm_start >= vma->vm_mm->start_brk &&
3741 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3742 rc = avc_has_perm(&selinux_state,
3743 sid, sid, SECCLASS_PROCESS,
be0554c9 3744 PROCESS__EXECHEAP, NULL);
db4c9641 3745 } else if (!vma->vm_file &&
c2316dbf
SS		 3746 ((vma->vm_start <= vma->vm_mm->start_stack &&
3747 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3748 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3749 rc = avc_has_perm(&selinux_state,
3750 sid, sid, SECCLASS_PROCESS,
be0554c9 3751 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3752 } else if (vma->vm_file && vma->anon_vma) {
3753 /*
3754 * We are making executable a file mapping that has
3755 * had some COW done. Since pages might have been
3756 * written, check ability to execute the possibly
3757 * modified content. This typically should only
3758 * occur for text relocations.
3759 */
d84f4f99 3760 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3761 }