projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
nfs_remount(): don't leak, don't ignore LSM options quietly
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
877ce7c1 82#include <linux/selinux.h>
23970741 83#include <linux/mutex.h>
f06febc9 84#include <linux/posix-timers.h>
00234592 85#include <linux/syslog.h>
3486740a 86#include <linux/user_namespace.h>
44fc7ea0 87#include <linux/export.h>
40401530
AV		 88#include <linux/msg.h>
89#include <linux/shm.h>
ec27c356 90#include <linux/bpf.h>
e262e32d 91#include <uapi/linux/mount.h>
1da177e4
LT		 92
93#include "avc.h"
94#include "objsec.h"
95#include "netif.h"
224dfbd8 96#include "netnode.h"
3e112172 97#include "netport.h"
409dcf31 98#include "ibpkey.h"
d28d1e08 99#include "xfrm.h"
c60475bf 100#include "netlabel.h"
9d57a7f9 101#include "audit.h"
7b98a585 102#include "avc_ss.h"
1da177e4 103
aa8e712c
SS		 104struct selinux_state selinux_state;
105
d621d35e 106/* SECMARK reference count */
56a4ca99 107static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 108
1da177e4 109#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 110static int selinux_enforcing_boot;
1da177e4
LT		 111
112static int __init enforcing_setup(char *str)
113{
f5269710 114 unsigned long enforcing;
29707b20 115 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 116 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 117 return 1;
118}
119__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 120#else
121#define selinux_enforcing_boot 1
1da177e4
LT		 122#endif
123
124#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
125int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126
127static int __init selinux_enabled_setup(char *str)
128{
f5269710 129 unsigned long enabled;
29707b20 130 if (!kstrtoul(str, 0, &enabled))
f5269710 131 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 132 return 1;
133}
134__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 135#else
136int selinux_enabled = 1;
1da177e4
LT		 137#endif
138
aa8e712c
SS		 139static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot))
147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 return 1;
149}
150__setup("checkreqprot=", checkreqprot_setup);
151
e18b890b 152static struct kmem_cache *sel_inode_cache;
63205654 153static struct kmem_cache *file_security_cache;
7cae7e26 154
d621d35e
PM		 155/**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 164 *
165 */
166static int selinux_secmark_enabled(void)
167{
aa8e712c
SS		 168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 170}
171
172/**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
182static int selinux_peerlbl_enabled(void)
183{
aa8e712c
SS		 184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 186}
187
615e51fd
PM		 188static int selinux_netcache_avc_callback(u32 event)
189{
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197}
198
8f408ab6
DJ		 199static int selinux_lsm_notifier_avc_callback(u32 event)
200{
409dcf31
DJ		 201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
8f408ab6 203 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 204 }
8f408ab6
DJ		 205
206 return 0;
207}
208
d84f4f99
DH		 209/*
210 * initialise the security for the init task
211 */
212static void cred_init_security(void)
1da177e4 213{
3b11a1de 214 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 215 struct task_security_struct *tsec;
216
89d155ef 217 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 218 if (!tsec)
d84f4f99 219 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 220
d84f4f99 221 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 222 cred->security = tsec;
1da177e4
LT		 223}
224
88e67f3b
DH		 225/*
226 * get the security ID of a set of credentials
227 */
228static inline u32 cred_sid(const struct cred *cred)
229{
230 const struct task_security_struct *tsec;
231
232 tsec = cred->security;
233 return tsec->sid;
234}
235
275bb41e 236/*
3b11a1de 237 * get the objective security ID of a task
275bb41e
DH		 238 */
239static inline u32 task_sid(const struct task_struct *task)
240{
275bb41e
DH		 241 u32 sid;
242
243 rcu_read_lock();
88e67f3b 244 sid = cred_sid(__task_cred(task));
275bb41e
DH		 245 rcu_read_unlock();
246 return sid;
247}
248
88e67f3b
DH		 249/* Allocate and free functions for each kind of security blob. */
250
1da177e4
LT		 251static int inode_alloc_security(struct inode *inode)
252{
1da177e4 253 struct inode_security_struct *isec;
275bb41e 254 u32 sid = current_sid();
1da177e4 255
a02fe132 256 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 257 if (!isec)
258 return -ENOMEM;
259
9287aed2 260 spin_lock_init(&isec->lock);
1da177e4 261 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 262 isec->inode = inode;
263 isec->sid = SECINITSID_UNLABELED;
264 isec->sclass = SECCLASS_FILE;
275bb41e 265 isec->task_sid = sid;
42059112 266 isec->initialized = LABEL_INVALID;
1da177e4
LT		 267 inode->i_security = isec;
268
269 return 0;
270}
271
5d226df4
AG		 272static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
273
274/*
275 * Try reloading inode security labels that have been marked as invalid. The
276 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 277 * allowed; when set to false, returns -ECHILD when the label is
e9193288 278 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 279 */
280static int __inode_security_revalidate(struct inode *inode,
e9193288 281 struct dentry *dentry,
5d226df4
AG		 282 bool may_sleep)
283{
284 struct inode_security_struct *isec = inode->i_security;
285
286 might_sleep_if(may_sleep);
287
aa8e712c
SS		 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 290 if (!may_sleep)
291 return -ECHILD;
292
293 /*
294 * Try reloading the inode security label. This will fail if
295 * @opt_dentry is NULL and no dentry for this inode can be
296 * found; in that case, continue using the old label.
297 */
e9193288 298 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 299 }
300 return 0;
301}
302
5d226df4
AG		 303static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304{
305 return inode->i_security;
306}
307
308static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
309{
310 int error;
311
312 error = __inode_security_revalidate(inode, NULL, !rcu);
313 if (error)
314 return ERR_PTR(error);
315 return inode->i_security;
316}
317
83da53c5
AG		 318/*
319 * Get the security label of an inode.
320 */
321static struct inode_security_struct *inode_security(struct inode *inode)
322{
5d226df4 323 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 324 return inode->i_security;
325}
326
2c97165b
PM		 327static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328{
329 struct inode *inode = d_backing_inode(dentry);
330
331 return inode->i_security;
332}
333
83da53c5
AG		 334/*
335 * Get the security label of a dentry's backing inode.
336 */
337static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338{
339 struct inode *inode = d_backing_inode(dentry);
340
5d226df4 341 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 342 return inode->i_security;
343}
344
3dc91d43
SR		 345static void inode_free_rcu(struct rcu_head *head)
346{
347 struct inode_security_struct *isec;
348
349 isec = container_of(head, struct inode_security_struct, rcu);
350 kmem_cache_free(sel_inode_cache, isec);
351}
352
1da177e4
LT		 353static void inode_free_security(struct inode *inode)
354{
355 struct inode_security_struct *isec = inode->i_security;
356 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
357
9629d04a
WL		 358 /*
359 * As not all inode security structures are in a list, we check for
360 * empty list outside of the lock to make sure that we won't waste
361 * time taking a lock doing nothing.
362 *
363 * The list_del_init() function can be safely called more than once.
364 * It should not be possible for this function to be called with
365 * concurrent list_add(), but for better safety against future changes
366 * in the code, we use list_empty_careful() here.
367 */
368 if (!list_empty_careful(&isec->list)) {
369 spin_lock(&sbsec->isec_lock);
1da177e4 370 list_del_init(&isec->list);
9629d04a
WL		 371 spin_unlock(&sbsec->isec_lock);
372 }
1da177e4 373
3dc91d43
SR		 374 /*
375 * The inode may still be referenced in a path walk and
376 * a call to selinux_inode_permission() can be made
377 * after inode_free_security() is called. Ideally, the VFS
378 * wouldn't do this, but fixing that is a much harder
379 * job. For now, simply free the i_security via RCU, and
380 * leave the current inode->i_security pointer intact.
381 * The inode will be freed after the RCU grace period too.
382 */
383 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 384}
385
386static int file_alloc_security(struct file *file)
387{
1da177e4 388 struct file_security_struct *fsec;
275bb41e 389 u32 sid = current_sid();
1da177e4 390
63205654 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 392 if (!fsec)
393 return -ENOMEM;
394
275bb41e
DH		 395 fsec->sid = sid;
396 fsec->fown_sid = sid;
1da177e4
LT		 397 file->f_security = fsec;
398
399 return 0;
400}
401
402static void file_free_security(struct file *file)
403{
404 struct file_security_struct *fsec = file->f_security;
1da177e4 405 file->f_security = NULL;
63205654 406 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 407}
408
409static int superblock_alloc_security(struct super_block *sb)
410{
411 struct superblock_security_struct *sbsec;
412
89d155ef 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 414 if (!sbsec)
415 return -ENOMEM;
416
bc7e982b 417 mutex_init(&sbsec->lock);
1da177e4
LT		 418 INIT_LIST_HEAD(&sbsec->isec_head);
419 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 420 sbsec->sb = sb;
421 sbsec->sid = SECINITSID_UNLABELED;
422 sbsec->def_sid = SECINITSID_FILE;
c312feb2 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 424 sb->s_security = sbsec;
425
426 return 0;
427}
428
429static void superblock_free_security(struct super_block *sb)
430{
431 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 432 sb->s_security = NULL;
433 kfree(sbsec);
434}
435
1da177e4
LT		 436static inline int inode_doinit(struct inode *inode)
437{
438 return inode_doinit_with_dentry(inode, NULL);
439}
440
441enum {
31e87930 442 Opt_error = -1,
1da177e4
LT		 443 Opt_context = 1,
444 Opt_fscontext = 2,
c9180a57
EP		 445 Opt_defcontext = 3,
446 Opt_rootcontext = 4,
11689d47 447 Opt_labelsupport = 5,
d355987f 448 Opt_nextmntopt = 6,
1da177e4
LT		 449};
450
d355987f
EP		 451#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
452
a447c093 453static const match_table_t tokens = {
832cbd9a
EP		 454 {Opt_context, CONTEXT_STR "%s"},
455 {Opt_fscontext, FSCONTEXT_STR "%s"},
456 {Opt_defcontext, DEFCONTEXT_STR "%s"},
457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 458 {Opt_labelsupport, LABELSUPP_STR},
31e87930 459 {Opt_error, NULL},
1da177e4
LT		 460};
461
462#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
463
c312feb2
EP		 464static int may_context_mount_sb_relabel(u32 sid,
465 struct superblock_security_struct *sbsec,
275bb41e 466 const struct cred *cred)
c312feb2 467{
275bb41e 468 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 469 int rc;
470
6b6bc620
SS		 471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
6b6bc620
SS		 477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 479 FILESYSTEM__RELABELTO, NULL);
480 return rc;
481}
482
0808925e
EP		 483static int may_context_mount_inode_relabel(u32 sid,
484 struct superblock_security_struct *sbsec,
275bb41e 485 const struct cred *cred)
0808925e 486{
275bb41e 487 const struct task_security_struct *tsec = cred->security;
0808925e 488 int rc;
6b6bc620
SS		 489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 491 FILESYSTEM__RELABELFROM, NULL);
492 if (rc)
493 return rc;
494
6b6bc620
SS		 495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 497 FILESYSTEM__ASSOCIATE, NULL);
498 return rc;
499}
500
b43e725d
EP		 501static int selinux_is_sblabel_mnt(struct super_block *sb)
502{
503 struct superblock_security_struct *sbsec = sb->s_security;
504
d5f3a5f6
MS		 505 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
506 sbsec->behavior == SECURITY_FS_USE_TRANS ||
507 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 508 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 509 /* Special handling. Genfs but also in-core setxattr handler */
510 !strcmp(sb->s_type->name, "sysfs") ||
511 !strcmp(sb->s_type->name, "pstore") ||
512 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 513 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 514 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 515 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 516 (!strcmp(sb->s_type->name, "cgroup") ||
517 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 518}
519
c9180a57 520static int sb_finish_set_opts(struct super_block *sb)
1da177e4 521{
1da177e4 522 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 523 struct dentry *root = sb->s_root;
c6f493d6 524 struct inode *root_inode = d_backing_inode(root);
c9180a57 525 int rc = 0;
1da177e4 526
c9180a57
EP		 527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
528 /* Make sure that the xattr handler exists and that no
529 error other than -ENODATA is returned by getxattr on
530 the root directory. -ENODATA is ok, as this may be
531 the first boot of the SELinux kernel before we have
532 assigned xattr values to the filesystem. */
5d6c3191 533 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 534 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 535 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 536 rc = -EOPNOTSUPP;
537 goto out;
538 }
5d6c3191
AG		 539
540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 541 if (rc < 0 && rc != -ENODATA) {
542 if (rc == -EOPNOTSUPP)
c103a91e 543 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 544 "%s) has no security xattr handler\n",
545 sb->s_id, sb->s_type->name);
c9180a57 546 else
c103a91e 547 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 548 "%s) getxattr errno %d\n", sb->s_id,
549 sb->s_type->name, -rc);
c9180a57
EP		 550 goto out;
551 }
552 }
1da177e4 553
eadcabc6 554 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 555
556 /*
557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
558 * leave the flag untouched because sb_clone_mnt_opts might be handing
559 * us a superblock that needs the flag to be cleared.
560 */
b43e725d 561 if (selinux_is_sblabel_mnt(sb))
12f348b9 562 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 563 else
564 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 565
c9180a57
EP		 566 /* Initialize the root inode. */
567 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 568
c9180a57
EP		 569 /* Initialize any other inodes associated with the superblock, e.g.
570 inodes created prior to initial policy load or inodes created
571 during get_sb by a pseudo filesystem that directly
572 populates itself. */
573 spin_lock(&sbsec->isec_lock);
8d64124a 574 while (!list_empty(&sbsec->isec_head)) {
c9180a57 575 struct inode_security_struct *isec =
8d64124a 576 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
923190d3 579 list_del_init(&isec->list);
c9180a57
EP		 580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
582 if (inode) {
583 if (!IS_PRIVATE(inode))
584 inode_doinit(inode);
585 iput(inode);
586 }
587 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 588 }
589 spin_unlock(&sbsec->isec_lock);
590out:
591 return rc;
592}
1da177e4 593
c9180a57
EP		 594/*
595 * This function should allow an FS to ask what it's mount security
596 * options were so it can use those later for submounts, displaying
597 * mount options, or whatever.
598 */
599static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 600 struct security_mnt_opts *opts)
c9180a57
EP		 601{
602 int rc = 0, i;
603 struct superblock_security_struct *sbsec = sb->s_security;
604 char *context = NULL;
605 u32 len;
606 char tmp;
1da177e4 607
e0007529 608 security_init_mnt_opts(opts);
1da177e4 609
0d90a7ec 610 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 611 return -EINVAL;
1da177e4 612
aa8e712c 613 if (!selinux_state.initialized)
c9180a57 614 return -EINVAL;
1da177e4 615
af8e50cc
EP		 616 /* make sure we always check enough bits to cover the mask */
617 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
618
0d90a7ec 619 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 620 /* count the number of mount options for this sb */
af8e50cc 621 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 622 if (tmp & 0x01)
e0007529 623 opts->num_mnt_opts++;
c9180a57
EP		 624 tmp >>= 1;
625 }
11689d47 626 /* Check if the Label support flag is set */
0b4bdb35 627 if (sbsec->flags & SBLABEL_MNT)
11689d47 628 opts->num_mnt_opts++;
1da177e4 629
e0007529
EP		 630 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
631 if (!opts->mnt_opts) {
c9180a57
EP		 632 rc = -ENOMEM;
633 goto out_free;
634 }
1da177e4 635
e0007529
EP		 636 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
637 if (!opts->mnt_opts_flags) {
c9180a57
EP		 638 rc = -ENOMEM;
639 goto out_free;
640 }
1da177e4 641
c9180a57
EP		 642 i = 0;
643 if (sbsec->flags & FSCONTEXT_MNT) {
aa8e712c
SS		 644 rc = security_sid_to_context(&selinux_state, sbsec->sid,
645 &context, &len);
c9180a57
EP		 646 if (rc)
647 goto out_free;
e0007529
EP		 648 opts->mnt_opts[i] = context;
649 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 650 }
651 if (sbsec->flags & CONTEXT_MNT) {
aa8e712c
SS		 652 rc = security_sid_to_context(&selinux_state,
653 sbsec->mntpoint_sid,
654 &context, &len);
c9180a57
EP		 655 if (rc)
656 goto out_free;
e0007529
EP		 657 opts->mnt_opts[i] = context;
658 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 659 }
660 if (sbsec->flags & DEFCONTEXT_MNT) {
aa8e712c
SS		 661 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
662 &context, &len);
c9180a57
EP		 663 if (rc)
664 goto out_free;
e0007529
EP		 665 opts->mnt_opts[i] = context;
666 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 667 }
668 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 669 struct dentry *root = sbsec->sb->s_root;
670 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 671
aa8e712c
SS		 672 rc = security_sid_to_context(&selinux_state, isec->sid,
673 &context, &len);
c9180a57
EP		 674 if (rc)
675 goto out_free;
e0007529
EP		 676 opts->mnt_opts[i] = context;
677 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 678 }
12f348b9 679 if (sbsec->flags & SBLABEL_MNT) {
11689d47 680 opts->mnt_opts[i] = NULL;
12f348b9 681 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 682 }
1da177e4 683
e0007529 684 BUG_ON(i != opts->num_mnt_opts);
1da177e4 685
c9180a57
EP		 686 return 0;
687
688out_free:
e0007529 689 security_free_mnt_opts(opts);
c9180a57
EP		 690 return rc;
691}
1da177e4 692
c9180a57
EP		 693static int bad_option(struct superblock_security_struct *sbsec, char flag,
694 u32 old_sid, u32 new_sid)
695{
0d90a7ec
DQ		 696 char mnt_flags = sbsec->flags & SE_MNTMASK;
697
c9180a57 698 /* check if the old mount command had the same options */
0d90a7ec 699 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 700 if (!(sbsec->flags & flag) ||
701 (old_sid != new_sid))
702 return 1;
703
704 /* check if we were passed the same options twice,
705 * aka someone passed context=a,context=b
706 */
0d90a7ec
DQ		 707 if (!(sbsec->flags & SE_SBINITIALIZED))
708 if (mnt_flags & flag)
c9180a57
EP		 709 return 1;
710 return 0;
711}
e0007529 712
c9180a57
EP		 713/*
714 * Allow filesystems with binary mount data to explicitly set mount point
715 * labeling information.
716 */
e0007529 717static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 718 struct security_mnt_opts *opts,
719 unsigned long kern_flags,
720 unsigned long *set_kern_flags)
c9180a57 721{
275bb41e 722 const struct cred *cred = current_cred();
c9180a57 723 int rc = 0, i;
c9180a57 724 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 725 const char *name = sb->s_type->name;
83da53c5 726 struct dentry *root = sbsec->sb->s_root;
2c97165b 727 struct inode_security_struct *root_isec;
c9180a57
EP		 728 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
729 u32 defcontext_sid = 0;
e0007529
EP		 730 char **mount_options = opts->mnt_opts;
731 int *flags = opts->mnt_opts_flags;
732 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 733
734 mutex_lock(&sbsec->lock);
735
aa8e712c 736 if (!selinux_state.initialized) {
c9180a57
EP		 737 if (!num_opts) {
738 /* Defer initialization until selinux_complete_init,
739 after the initial policy is loaded and the security
740 server is ready to handle calls. */
c9180a57
EP		 741 goto out;
742 }
743 rc = -EINVAL;
c103a91e 744 pr_warn("SELinux: Unable to set superblock options "
744ba35e 745 "before the security server is initialized\n");
1da177e4 746 goto out;
c9180a57 747 }
649f6e77
DQ		 748 if (kern_flags && !set_kern_flags) {
749 /* Specifying internal flags without providing a place to
750 * place the results is not allowed */
751 rc = -EINVAL;
752 goto out;
753 }
1da177e4 754
e0007529
EP		 755 /*
756 * Binary mount data FS will come through this function twice. Once
757 * from an explicit call and once from the generic calls from the vfs.
758 * Since the generic VFS calls will not contain any security mount data
759 * we need to skip the double mount verification.
760 *
761 * This does open a hole in which we will not notice if the first
762 * mount using this sb set explict options and a second mount using
763 * this sb does not set any security options. (The first options
764 * will be used for both mounts)
765 */
0d90a7ec 766 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 767 && (num_opts == 0))
f5269710 768 goto out;
e0007529 769
2c97165b
PM		 770 root_isec = backing_inode_security_novalidate(root);
771
c9180a57
EP		 772 /*
773 * parse the mount options, check if they are valid sids.
774 * also check if someone is trying to mount the same sb more
775 * than once with different security options.
776 */
777 for (i = 0; i < num_opts; i++) {
778 u32 sid;
11689d47 779
12f348b9 780 if (flags[i] == SBLABEL_MNT)
11689d47 781 continue;
aa8e712c
SS		 782 rc = security_context_str_to_sid(&selinux_state,
783 mount_options[i], &sid,
784 GFP_KERNEL);
1da177e4 785 if (rc) {
c103a91e 786 pr_warn("SELinux: security_context_str_to_sid"
29b1deb2
LT		 787 "(%s) failed for (dev %s, type %s) errno=%d\n",
788 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 789 goto out;
790 }
791 switch (flags[i]) {
792 case FSCONTEXT_MNT:
793 fscontext_sid = sid;
794
795 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
796 fscontext_sid))
797 goto out_double_mount;
798
799 sbsec->flags |= FSCONTEXT_MNT;
800 break;
801 case CONTEXT_MNT:
802 context_sid = sid;
803
804 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
805 context_sid))
806 goto out_double_mount;
807
808 sbsec->flags |= CONTEXT_MNT;
809 break;
810 case ROOTCONTEXT_MNT:
811 rootcontext_sid = sid;
812
813 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
814 rootcontext_sid))
815 goto out_double_mount;
816
817 sbsec->flags |= ROOTCONTEXT_MNT;
818
819 break;
820 case DEFCONTEXT_MNT:
821 defcontext_sid = sid;
822
823 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
824 defcontext_sid))
825 goto out_double_mount;
826
827 sbsec->flags |= DEFCONTEXT_MNT;
828
829 break;
830 default:
831 rc = -EINVAL;
832 goto out;
1da177e4 833 }
c9180a57
EP		 834 }
835
0d90a7ec 836 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 837 /* previously mounted with options, but not on this attempt? */
0d90a7ec 838 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 839 goto out_double_mount;
840 rc = 0;
841 goto out;
842 }
843
089be43e 844 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 845 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
846
8e014720 847 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 848 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 849 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 850 !strcmp(sb->s_type->name, "pstore") ||
851 !strcmp(sb->s_type->name, "cgroup") ||
852 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 853 sbsec->flags |= SE_SBGENFS;
c9180a57 854
eb9ae686
DQ		 855 if (!sbsec->behavior) {
856 /*
857 * Determine the labeling behavior to use for this
858 * filesystem type.
859 */
aa8e712c 860 rc = security_fs_use(&selinux_state, sb);
eb9ae686 861 if (rc) {
c103a91e 862 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 863 __func__, sb->s_type->name, rc);
864 goto out;
865 }
c9180a57 866 }
aad82892
SF		 867
868 /*
01593d32
SS		 869 * If this is a user namespace mount and the filesystem type is not
870 * explicitly whitelisted, then no contexts are allowed on the command
871 * line and security labels must be ignored.
aad82892 872 */
01593d32
SS		 873 if (sb->s_user_ns != &init_user_ns &&
874 strcmp(sb->s_type->name, "tmpfs") &&
875 strcmp(sb->s_type->name, "ramfs") &&
876 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 877 if (context_sid || fscontext_sid || rootcontext_sid ||
878 defcontext_sid) {
879 rc = -EACCES;
880 goto out;
881 }
882 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
883 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 884 rc = security_transition_sid(&selinux_state,
885 current_sid(),
886 current_sid(),
aad82892
SF		 887 SECCLASS_FILE, NULL,
888 &sbsec->mntpoint_sid);
889 if (rc)
890 goto out;
891 }
892 goto out_set_opts;
893 }
894
c9180a57
EP		 895 /* sets the context of the superblock for the fs being mounted. */
896 if (fscontext_sid) {
275bb41e 897 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 898 if (rc)
c9180a57 899 goto out;
1da177e4 900
c9180a57 901 sbsec->sid = fscontext_sid;
c312feb2
EP		 902 }
903
904 /*
905 * Switch to using mount point labeling behavior.
906 * sets the label used on all file below the mountpoint, and will set
907 * the superblock context if not already set.
908 */
eb9ae686
DQ		 909 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
910 sbsec->behavior = SECURITY_FS_USE_NATIVE;
911 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
912 }
913
c9180a57
EP		 914 if (context_sid) {
915 if (!fscontext_sid) {
275bb41e
DH		 916 rc = may_context_mount_sb_relabel(context_sid, sbsec,
917 cred);
b04ea3ce 918 if (rc)
c9180a57
EP		 919 goto out;
920 sbsec->sid = context_sid;
b04ea3ce 921 } else {
275bb41e
DH		 922 rc = may_context_mount_inode_relabel(context_sid, sbsec,
923 cred);
b04ea3ce 924 if (rc)
c9180a57 925 goto out;
b04ea3ce 926 }
c9180a57
EP		 927 if (!rootcontext_sid)
928 rootcontext_sid = context_sid;
1da177e4 929
c9180a57 930 sbsec->mntpoint_sid = context_sid;
c312feb2 931 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 932 }
933
c9180a57 934 if (rootcontext_sid) {
275bb41e
DH		 935 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
936 cred);
0808925e 937 if (rc)
c9180a57 938 goto out;
0808925e 939
c9180a57 940 root_isec->sid = rootcontext_sid;
6f3be9f5 941 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 942 }
943
c9180a57 944 if (defcontext_sid) {
eb9ae686
DQ		 945 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
946 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 947 rc = -EINVAL;
c103a91e 948 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 949 "invalid for this filesystem type\n");
950 goto out;
1da177e4
LT		 951 }
952
c9180a57
EP		 953 if (defcontext_sid != sbsec->def_sid) {
954 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 955 sbsec, cred);
c9180a57
EP		 956 if (rc)
957 goto out;
958 }
1da177e4 959
c9180a57 960 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 961 }
962
aad82892 963out_set_opts:
c9180a57 964 rc = sb_finish_set_opts(sb);
1da177e4 965out:
c9180a57 966 mutex_unlock(&sbsec->lock);
1da177e4 967 return rc;
c9180a57
EP		 968out_double_mount:
969 rc = -EINVAL;
c103a91e 970 pr_warn("SELinux: mount invalid. Same superblock, different "
29b1deb2 971 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 972 goto out;
1da177e4
LT		 973}
974
094f7b69
JL		 975static int selinux_cmp_sb_context(const struct super_block *oldsb,
976 const struct super_block *newsb)
977{
978 struct superblock_security_struct *old = oldsb->s_security;
979 struct superblock_security_struct *new = newsb->s_security;
980 char oldflags = old->flags & SE_MNTMASK;
981 char newflags = new->flags & SE_MNTMASK;
982
983 if (oldflags != newflags)
984 goto mismatch;
985 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
986 goto mismatch;
987 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
988 goto mismatch;
989 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
990 goto mismatch;
991 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 992 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
993 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 994 if (oldroot->sid != newroot->sid)
995 goto mismatch;
996 }
997 return 0;
998mismatch:
c103a91e 999 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 1000 "different security settings for (dev %s, "
1001 "type %s)\n", newsb->s_id, newsb->s_type->name);
1002 return -EBUSY;
1003}
1004
1005static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 1006 struct super_block *newsb,
1007 unsigned long kern_flags,
1008 unsigned long *set_kern_flags)
1da177e4 1009{
0b4d3452 1010 int rc = 0;
c9180a57
EP		 1011 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1012 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 1013
c9180a57
EP		 1014 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1015 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1016 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 1017
0f5e6420
EP		 1018 /*
1019 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 1020 * mount options. thus we can safely deal with this superblock later
0f5e6420 1021 */
aa8e712c 1022 if (!selinux_state.initialized)
094f7b69 1023 return 0;
c9180a57 1024
0b4d3452
SM		 1025 /*
1026 * Specifying internal flags without providing a place to
1027 * place the results is not allowed.
1028 */
1029 if (kern_flags && !set_kern_flags)
1030 return -EINVAL;
1031
c9180a57 1032 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 1033 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 1034
094f7b69 1035 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 1036 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 1037 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 1038
c9180a57
EP		 1039 mutex_lock(&newsbsec->lock);
1040
1041 newsbsec->flags = oldsbsec->flags;
1042
1043 newsbsec->sid = oldsbsec->sid;
1044 newsbsec->def_sid = oldsbsec->def_sid;
1045 newsbsec->behavior = oldsbsec->behavior;
1046
0b4d3452
SM		 1047 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1048 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 1049 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 1050 if (rc)
1051 goto out;
1052 }
1053
1054 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1055 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1056 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1057 }
1058
c9180a57
EP		 1059 if (set_context) {
1060 u32 sid = oldsbsec->mntpoint_sid;
1061
1062 if (!set_fscontext)
1063 newsbsec->sid = sid;
1064 if (!set_rootcontext) {
83da53c5 1065 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1066 newisec->sid = sid;
1067 }
1068 newsbsec->mntpoint_sid = sid;
1da177e4 1069 }
c9180a57 1070 if (set_rootcontext) {
83da53c5
AG		 1071 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1072 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1073
c9180a57 1074 newisec->sid = oldisec->sid;
1da177e4
LT		 1075 }
1076
c9180a57 1077 sb_finish_set_opts(newsb);
0b4d3452 1078out:
c9180a57 1079 mutex_unlock(&newsbsec->lock);
0b4d3452 1080 return rc;
c9180a57
EP		 1081}
1082
2e1479d9
AB		 1083static int selinux_parse_opts_str(char *options,
1084 struct security_mnt_opts *opts)
c9180a57 1085{
e0007529 1086 char *p;
c9180a57
EP		 1087 char *context = NULL, *defcontext = NULL;
1088 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1089 int rc, num_mnt_opts = 0;
1da177e4 1090
e0007529 1091 opts->num_mnt_opts = 0;
1da177e4 1092
c9180a57
EP		 1093 /* Standard string-based options. */
1094 while ((p = strsep(&options, "|")) != NULL) {
1095 int token;
1096 substring_t args[MAX_OPT_ARGS];
1da177e4 1097
c9180a57
EP		 1098 if (!*p)
1099 continue;
1da177e4 1100
c9180a57 1101 token = match_token(p, tokens, args);
1da177e4 1102
c9180a57
EP		 1103 switch (token) {
1104 case Opt_context:
1105 if (context || defcontext) {
1106 rc = -EINVAL;
c103a91e 1107 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1108 goto out_err;
1109 }
1110 context = match_strdup(&args[0]);
1111 if (!context) {
1112 rc = -ENOMEM;
1113 goto out_err;
1114 }
1115 break;
1116
1117 case Opt_fscontext:
1118 if (fscontext) {
1119 rc = -EINVAL;
c103a91e 1120 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1121 goto out_err;
1122 }
1123 fscontext = match_strdup(&args[0]);
1124 if (!fscontext) {
1125 rc = -ENOMEM;
1126 goto out_err;
1127 }
1128 break;
1129
1130 case Opt_rootcontext:
1131 if (rootcontext) {
1132 rc = -EINVAL;
c103a91e 1133 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1134 goto out_err;
1135 }
1136 rootcontext = match_strdup(&args[0]);
1137 if (!rootcontext) {
1138 rc = -ENOMEM;
1139 goto out_err;
1140 }
1141 break;
1142
1143 case Opt_defcontext:
1144 if (context || defcontext) {
1145 rc = -EINVAL;
c103a91e 1146 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1147 goto out_err;
1148 }
1149 defcontext = match_strdup(&args[0]);
1150 if (!defcontext) {
1151 rc = -ENOMEM;
1152 goto out_err;
1153 }
1154 break;
11689d47
DQ		 1155 case Opt_labelsupport:
1156 break;
c9180a57
EP		 1157 default:
1158 rc = -EINVAL;
c103a91e 1159 pr_warn("SELinux: unknown mount option\n");
c9180a57 1160 goto out_err;
1da177e4 1161
1da177e4 1162 }
1da177e4 1163 }
c9180a57 1164
e0007529 1165 rc = -ENOMEM;
8931c3bd 1166 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1167 if (!opts->mnt_opts)
1168 goto out_err;
1169
8931c3bd
TH		 1170 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1171 GFP_KERNEL);
023f108d 1172 if (!opts->mnt_opts_flags)
e0007529 1173 goto out_err;
e0007529 1174
c9180a57 1175 if (fscontext) {
e0007529
EP		 1176 opts->mnt_opts[num_mnt_opts] = fscontext;
1177 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1178 }
1179 if (context) {
e0007529
EP		 1180 opts->mnt_opts[num_mnt_opts] = context;
1181 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1182 }
1183 if (rootcontext) {
e0007529
EP		 1184 opts->mnt_opts[num_mnt_opts] = rootcontext;
1185 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1186 }
1187 if (defcontext) {
e0007529
EP		 1188 opts->mnt_opts[num_mnt_opts] = defcontext;
1189 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1190 }
1191
e0007529
EP		 1192 opts->num_mnt_opts = num_mnt_opts;
1193 return 0;
1194
c9180a57 1195out_err:
023f108d 1196 security_free_mnt_opts(opts);
c9180a57
EP		 1197 kfree(context);
1198 kfree(defcontext);
1199 kfree(fscontext);
1200 kfree(rootcontext);
1da177e4
LT		 1201 return rc;
1202}
1203
3583a711
AB		 1204static void selinux_write_opts(struct seq_file *m,
1205 struct security_mnt_opts *opts)
2069f457
EP		 1206{
1207 int i;
1208 char *prefix;
1209
1210 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1211 char *has_comma;
1212
1213 if (opts->mnt_opts[i])
1214 has_comma = strchr(opts->mnt_opts[i], ',');
1215 else
1216 has_comma = NULL;
2069f457
EP		 1217
1218 switch (opts->mnt_opts_flags[i]) {
1219 case CONTEXT_MNT:
1220 prefix = CONTEXT_STR;
1221 break;
1222 case FSCONTEXT_MNT:
1223 prefix = FSCONTEXT_STR;
1224 break;
1225 case ROOTCONTEXT_MNT:
1226 prefix = ROOTCONTEXT_STR;
1227 break;
1228 case DEFCONTEXT_MNT:
1229 prefix = DEFCONTEXT_STR;
1230 break;
12f348b9 1231 case SBLABEL_MNT:
11689d47
DQ		 1232 seq_putc(m, ',');
1233 seq_puts(m, LABELSUPP_STR);
1234 continue;
2069f457
EP		 1235 default:
1236 BUG();
a35c6c83 1237 return;
2069f457
EP		 1238 };
1239 /* we need a comma before each option */
1240 seq_putc(m, ',');
1241 seq_puts(m, prefix);
1242 if (has_comma)
1243 seq_putc(m, '\"');
a068acf2 1244 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1245 if (has_comma)
1246 seq_putc(m, '\"');
1247 }
1248}
1249
1250static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1251{
1252 struct security_mnt_opts opts;
1253 int rc;
1254
1255 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1256 if (rc) {
1257 /* before policy load we may get EINVAL, don't show anything */
1258 if (rc == -EINVAL)
1259 rc = 0;
2069f457 1260 return rc;
383795c2 1261 }
2069f457
EP		 1262
1263 selinux_write_opts(m, &opts);
1264
1265 security_free_mnt_opts(&opts);
1266
1267 return rc;
1268}
1269
1da177e4
LT		 1270static inline u16 inode_mode_to_security_class(umode_t mode)
1271{
1272 switch (mode & S_IFMT) {
1273 case S_IFSOCK:
1274 return SECCLASS_SOCK_FILE;
1275 case S_IFLNK:
1276 return SECCLASS_LNK_FILE;
1277 case S_IFREG:
1278 return SECCLASS_FILE;
1279 case S_IFBLK:
1280 return SECCLASS_BLK_FILE;
1281 case S_IFDIR:
1282 return SECCLASS_DIR;
1283 case S_IFCHR:
1284 return SECCLASS_CHR_FILE;
1285 case S_IFIFO:
1286 return SECCLASS_FIFO_FILE;
1287
1288 }
1289
1290 return SECCLASS_FILE;
1291}
1292
13402580
JM		 1293static inline int default_protocol_stream(int protocol)
1294{
1295 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1296}
1297
1298static inline int default_protocol_dgram(int protocol)
1299{
1300 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1301}
1302
1da177e4
LT		 1303static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1304{
aa8e712c 1305 int extsockclass = selinux_policycap_extsockclass();
da69a530 1306
1da177e4
LT		 1307 switch (family) {
1308 case PF_UNIX:
1309 switch (type) {
1310 case SOCK_STREAM:
1311 case SOCK_SEQPACKET:
1312 return SECCLASS_UNIX_STREAM_SOCKET;
1313 case SOCK_DGRAM:
2a764b52 1314 case SOCK_RAW:
1da177e4
LT		 1315 return SECCLASS_UNIX_DGRAM_SOCKET;
1316 }
1317 break;
1318 case PF_INET:
1319 case PF_INET6:
1320 switch (type) {
1321 case SOCK_STREAM:
da69a530 1322 case SOCK_SEQPACKET:
13402580
JM		 1323 if (default_protocol_stream(protocol))
1324 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1325 else if (extsockclass && protocol == IPPROTO_SCTP)
1326 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1327 else
1328 return SECCLASS_RAWIP_SOCKET;
1da177e4 1329 case SOCK_DGRAM:
13402580
JM		 1330 if (default_protocol_dgram(protocol))
1331 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1332 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1333 protocol == IPPROTO_ICMPV6))
da69a530 1334 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1335 else
1336 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1337 case SOCK_DCCP:
1338 return SECCLASS_DCCP_SOCKET;
13402580 1339 default:
1da177e4
LT		 1340 return SECCLASS_RAWIP_SOCKET;
1341 }
1342 break;
1343 case PF_NETLINK:
1344 switch (protocol) {
1345 case NETLINK_ROUTE:
1346 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1347 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1348 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1349 case NETLINK_NFLOG:
1350 return SECCLASS_NETLINK_NFLOG_SOCKET;
1351 case NETLINK_XFRM:
1352 return SECCLASS_NETLINK_XFRM_SOCKET;
1353 case NETLINK_SELINUX:
1354 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1355 case NETLINK_ISCSI:
1356 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1357 case NETLINK_AUDIT:
1358 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1359 case NETLINK_FIB_LOOKUP:
1360 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1361 case NETLINK_CONNECTOR:
1362 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1363 case NETLINK_NETFILTER:
1364 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1365 case NETLINK_DNRTMSG:
1366 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1367 case NETLINK_KOBJECT_UEVENT:
1368 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1369 case NETLINK_GENERIC:
1370 return SECCLASS_NETLINK_GENERIC_SOCKET;
1371 case NETLINK_SCSITRANSPORT:
1372 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1373 case NETLINK_RDMA:
1374 return SECCLASS_NETLINK_RDMA_SOCKET;
1375 case NETLINK_CRYPTO:
1376 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1377 default:
1378 return SECCLASS_NETLINK_SOCKET;
1379 }
1380 case PF_PACKET:
1381 return SECCLASS_PACKET_SOCKET;
1382 case PF_KEY:
1383 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1384 case PF_APPLETALK:
1385 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1386 }
1387
da69a530
SS		 1388 if (extsockclass) {
1389 switch (family) {
1390 case PF_AX25:
1391 return SECCLASS_AX25_SOCKET;
1392 case PF_IPX:
1393 return SECCLASS_IPX_SOCKET;
1394 case PF_NETROM:
1395 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1396 case PF_ATMPVC:
1397 return SECCLASS_ATMPVC_SOCKET;
1398 case PF_X25:
1399 return SECCLASS_X25_SOCKET;
1400 case PF_ROSE:
1401 return SECCLASS_ROSE_SOCKET;
1402 case PF_DECnet:
1403 return SECCLASS_DECNET_SOCKET;
1404 case PF_ATMSVC:
1405 return SECCLASS_ATMSVC_SOCKET;
1406 case PF_RDS:
1407 return SECCLASS_RDS_SOCKET;
1408 case PF_IRDA:
1409 return SECCLASS_IRDA_SOCKET;
1410 case PF_PPPOX:
1411 return SECCLASS_PPPOX_SOCKET;
1412 case PF_LLC:
1413 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1414 case PF_CAN:
1415 return SECCLASS_CAN_SOCKET;
1416 case PF_TIPC:
1417 return SECCLASS_TIPC_SOCKET;
1418 case PF_BLUETOOTH:
1419 return SECCLASS_BLUETOOTH_SOCKET;
1420 case PF_IUCV:
1421 return SECCLASS_IUCV_SOCKET;
1422 case PF_RXRPC:
1423 return SECCLASS_RXRPC_SOCKET;
1424 case PF_ISDN:
1425 return SECCLASS_ISDN_SOCKET;
1426 case PF_PHONET:
1427 return SECCLASS_PHONET_SOCKET;
1428 case PF_IEEE802154:
1429 return SECCLASS_IEEE802154_SOCKET;
1430 case PF_CAIF:
1431 return SECCLASS_CAIF_SOCKET;
1432 case PF_ALG:
1433 return SECCLASS_ALG_SOCKET;
1434 case PF_NFC:
1435 return SECCLASS_NFC_SOCKET;
1436 case PF_VSOCK:
1437 return SECCLASS_VSOCK_SOCKET;
1438 case PF_KCM:
1439 return SECCLASS_KCM_SOCKET;
1440 case PF_QIPCRTR:
1441 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1442 case PF_SMC:
1443 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1444 case PF_XDP:
1445 return SECCLASS_XDP_SOCKET;
1446#if PF_MAX > 45
da69a530
SS		 1447#error New address family defined, please update this function.
1448#endif
1449 }
1450 }
1451
1da177e4
LT		 1452 return SECCLASS_SOCKET;
1453}
1454
134509d5
SS		 1455static int selinux_genfs_get_sid(struct dentry *dentry,
1456 u16 tclass,
1457 u16 flags,
1458 u32 *sid)
1da177e4 1459{
8e6c9693 1460 int rc;
fc64005c 1461 struct super_block *sb = dentry->d_sb;
8e6c9693 1462 char *buffer, *path;
1da177e4 1463
828dfe1d 1464 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1465 if (!buffer)
1466 return -ENOMEM;
1467
8e6c9693
LAG		 1468 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1469 if (IS_ERR(path))
1470 rc = PTR_ERR(path);
1471 else {
134509d5
SS		 1472 if (flags & SE_SBPROC) {
1473 /* each process gets a /proc/PID/ entry. Strip off the
1474 * PID part to get a valid selinux labeling.
1475 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1476 while (path[1] >= '0' && path[1] <= '9') {
1477 path[1] = '/';
1478 path++;
1479 }
8e6c9693 1480 }
aa8e712c
SS		 1481 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1482 path, tclass, sid);
7bb185ed
SS		 1483 if (rc == -ENOENT) {
1484 /* No match in policy, mark as unlabeled. */
1485 *sid = SECINITSID_UNLABELED;
1486 rc = 0;
1487 }
1da177e4 1488 }
1da177e4
LT		 1489 free_page((unsigned long)buffer);
1490 return rc;
1491}
1da177e4
LT		 1492
1493/* The inode's security attributes must be initialized before first use. */
1494static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1495{
1496 struct superblock_security_struct *sbsec = NULL;
1497 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1498 u32 task_sid, sid = 0;
1499 u16 sclass;
1da177e4
LT		 1500 struct dentry *dentry;
1501#define INITCONTEXTLEN 255
1502 char *context = NULL;
1503 unsigned len = 0;
1504 int rc = 0;
1da177e4 1505
6f3be9f5 1506 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1507 return 0;
1da177e4 1508
9287aed2 1509 spin_lock(&isec->lock);
6f3be9f5 1510 if (isec->initialized == LABEL_INITIALIZED)
23970741 1511 goto out_unlock;
1da177e4 1512
13457d07
AG		 1513 if (isec->sclass == SECCLASS_FILE)
1514 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1515
1da177e4 1516 sbsec = inode->i_sb->s_security;
0d90a7ec 1517 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1518 /* Defer initialization until selinux_complete_init,
1519 after the initial policy is loaded and the security
1520 server is ready to handle calls. */
1521 spin_lock(&sbsec->isec_lock);
1522 if (list_empty(&isec->list))
1523 list_add(&isec->list, &sbsec->isec_head);
1524 spin_unlock(&sbsec->isec_lock);
23970741 1525 goto out_unlock;
1da177e4
LT		 1526 }
1527
9287aed2
AG		 1528 sclass = isec->sclass;
1529 task_sid = isec->task_sid;
1530 sid = isec->sid;
1531 isec->initialized = LABEL_PENDING;
1532 spin_unlock(&isec->lock);
1533
1da177e4 1534 switch (sbsec->behavior) {
eb9ae686
DQ		 1535 case SECURITY_FS_USE_NATIVE:
1536 break;
1da177e4 1537 case SECURITY_FS_USE_XATTR:
5d6c3191 1538 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1539 sid = sbsec->def_sid;
1da177e4
LT		 1540 break;
1541 }
1da177e4
LT		 1542 /* Need a dentry, since the xattr API requires one.
1543 Life would be simpler if we could just pass the inode. */
1544 if (opt_dentry) {
1545 /* Called from d_instantiate or d_splice_alias. */
1546 dentry = dget(opt_dentry);
1547 } else {
b127125d
AV		 1548 /*
1549 * Called from selinux_complete_init, try to find a dentry.
1550 * Some filesystems really want a connected one, so try
1551 * that first. We could split SECURITY_FS_USE_XATTR in
1552 * two, depending upon that...
1553 */
1da177e4 1554 dentry = d_find_alias(inode);
b127125d
AV		 1555 if (!dentry)
1556 dentry = d_find_any_alias(inode);
1da177e4
LT		 1557 }
1558 if (!dentry) {
df7f54c0
EP		 1559 /*
1560 * this is can be hit on boot when a file is accessed
1561 * before the policy is loaded. When we load policy we
1562 * may find inodes that have no dentry on the
1563 * sbsec->isec_head list. No reason to complain as these
1564 * will get fixed up the next time we go through
1565 * inode_doinit with a dentry, before these inodes could
1566 * be used again by userspace.
1567 */
9287aed2 1568 goto out;
1da177e4
LT		 1569 }
1570
1571 len = INITCONTEXTLEN;
4cb912f1 1572 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1573 if (!context) {
1574 rc = -ENOMEM;
1575 dput(dentry);
9287aed2 1576 goto out;
1da177e4 1577 }
4cb912f1 1578 context[len] = '\0';
5d6c3191 1579 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1580 if (rc == -ERANGE) {
314dabb8
JM		 1581 kfree(context);
1582
1da177e4 1583 /* Need a larger buffer. Query for the right size. */
5d6c3191 1584 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1585 if (rc < 0) {
1586 dput(dentry);
9287aed2 1587 goto out;
1da177e4 1588 }
1da177e4 1589 len = rc;
4cb912f1 1590 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1591 if (!context) {
1592 rc = -ENOMEM;
1593 dput(dentry);
9287aed2 1594 goto out;
1da177e4 1595 }
4cb912f1 1596 context[len] = '\0';
5d6c3191 1597 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1598 }
1599 dput(dentry);
1600 if (rc < 0) {
1601 if (rc != -ENODATA) {
c103a91e 1602 pr_warn("SELinux: %s: getxattr returned "
dd6f953a 1603 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1604 -rc, inode->i_sb->s_id, inode->i_ino);
1605 kfree(context);
9287aed2 1606 goto out;
1da177e4
LT		 1607 }
1608 /* Map ENODATA to the default file SID */
1609 sid = sbsec->def_sid;
1610 rc = 0;
1611 } else {
aa8e712c
SS		 1612 rc = security_context_to_sid_default(&selinux_state,
1613 context, rc, &sid,
869ab514
SS		 1614 sbsec->def_sid,
1615 GFP_NOFS);
1da177e4 1616 if (rc) {
4ba0a8ad
EP		 1617 char *dev = inode->i_sb->s_id;
1618 unsigned long ino = inode->i_ino;
1619
1620 if (rc == -EINVAL) {
1621 if (printk_ratelimit())
c103a91e 1622 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
4ba0a8ad
EP		 1623 "context=%s. This indicates you may need to relabel the inode or the "
1624 "filesystem in question.\n", ino, dev, context);
1625 } else {
c103a91e 1626 pr_warn("SELinux: %s: context_to_sid(%s) "
4ba0a8ad
EP		 1627 "returned %d for dev=%s ino=%ld\n",
1628 __func__, context, -rc, dev, ino);
1629 }
1da177e4
LT		 1630 kfree(context);
1631 /* Leave with the unlabeled SID */
1632 rc = 0;
1633 break;
1634 }
1635 }
1636 kfree(context);
1da177e4
LT		 1637 break;
1638 case SECURITY_FS_USE_TASK:
9287aed2 1639 sid = task_sid;
1da177e4
LT		 1640 break;
1641 case SECURITY_FS_USE_TRANS:
1642 /* Default to the fs SID. */
9287aed2 1643 sid = sbsec->sid;
1da177e4
LT		 1644
1645 /* Try to obtain a transition SID. */
aa8e712c
SS		 1646 rc = security_transition_sid(&selinux_state, task_sid, sid,
1647 sclass, NULL, &sid);
1da177e4 1648 if (rc)
9287aed2 1649 goto out;
1da177e4 1650 break;
c312feb2 1651 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1652 sid = sbsec->mntpoint_sid;
c312feb2 1653 break;
1da177e4 1654 default:
c312feb2 1655 /* Default to the fs superblock SID. */
9287aed2 1656 sid = sbsec->sid;
1da177e4 1657
134509d5 1658 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1659 /* We must have a dentry to determine the label on
1660 * procfs inodes */
b127125d 1661 if (opt_dentry) {
f64410ec
PM		 1662 /* Called from d_instantiate or
1663 * d_splice_alias. */
1664 dentry = dget(opt_dentry);
b127125d 1665 } else {
f64410ec 1666 /* Called from selinux_complete_init, try to
b127125d
AV		 1667 * find a dentry. Some filesystems really want
1668 * a connected one, so try that first.
1669 */
f64410ec 1670 dentry = d_find_alias(inode);
b127125d
AV		 1671 if (!dentry)
1672 dentry = d_find_any_alias(inode);
1673 }
f64410ec
PM		 1674 /*
1675 * This can be hit on boot when a file is accessed
1676 * before the policy is loaded. When we load policy we
1677 * may find inodes that have no dentry on the
1678 * sbsec->isec_head list. No reason to complain as
1679 * these will get fixed up the next time we go through
1680 * inode_doinit() with a dentry, before these inodes
1681 * could be used again by userspace.
1682 */
1683 if (!dentry)
9287aed2
AG		 1684 goto out;
1685 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1686 sbsec->flags, &sid);
f64410ec
PM		 1687 dput(dentry);
1688 if (rc)
9287aed2 1689 goto out;
1da177e4
LT		 1690 }
1691 break;
1692 }
1693
9287aed2
AG		 1694out:
1695 spin_lock(&isec->lock);
1696 if (isec->initialized == LABEL_PENDING) {
1697 if (!sid || rc) {
1698 isec->initialized = LABEL_INVALID;
1699 goto out_unlock;
1700 }
1701
1702 isec->initialized = LABEL_INITIALIZED;
1703 isec->sid = sid;
1704 }
1da177e4 1705
23970741 1706out_unlock:
9287aed2 1707 spin_unlock(&isec->lock);
1da177e4
LT		 1708 return rc;
1709}
1710
1711/* Convert a Linux signal to an access vector. */
1712static inline u32 signal_to_av(int sig)
1713{
1714 u32 perm = 0;
1715
1716 switch (sig) {
1717 case SIGCHLD:
1718 /* Commonly granted from child to parent. */
1719 perm = PROCESS__SIGCHLD;
1720 break;
1721 case SIGKILL:
1722 /* Cannot be caught or ignored */
1723 perm = PROCESS__SIGKILL;
1724 break;
1725 case SIGSTOP:
1726 /* Cannot be caught or ignored */
1727 perm = PROCESS__SIGSTOP;
1728 break;
1729 default:
1730 /* All other signals. */
1731 perm = PROCESS__SIGNAL;
1732 break;
1733 }
1734
1735 return perm;
1736}
1737
b68e418c
SS		 1738#if CAP_LAST_CAP > 63
1739#error Fix SELinux to handle capabilities > 63.
1740#endif
1741
1da177e4 1742/* Check whether a task is allowed to use a capability. */
6a9de491 1743static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1744 int cap, int audit, bool initns)
1da177e4 1745{
2bf49690 1746 struct common_audit_data ad;
06112163 1747 struct av_decision avd;
b68e418c 1748 u16 sclass;
3699c53c 1749 u32 sid = cred_sid(cred);
b68e418c 1750 u32 av = CAP_TO_MASK(cap);
06112163 1751 int rc;
1da177e4 1752
50c205f5 1753 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1754 ad.u.cap = cap;
1755
b68e418c
SS		 1756 switch (CAP_TO_INDEX(cap)) {
1757 case 0:
8e4ff6f2 1758 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1759 break;
1760 case 1:
8e4ff6f2 1761 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1762 break;
1763 default:
c103a91e 1764 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1765 BUG();
a35c6c83 1766 return -EINVAL;
b68e418c 1767 }
06112163 1768
6b6bc620
SS		 1769 rc = avc_has_perm_noaudit(&selinux_state,
1770 sid, sid, sclass, av, 0, &avd);
9ade0cf4 1771 if (audit == SECURITY_CAP_AUDIT) {
6b6bc620
SS		 1772 int rc2 = avc_audit(&selinux_state,
1773 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1774 if (rc2)
1775 return rc2;
1776 }
06112163 1777 return rc;
1da177e4
LT		 1778}
1779
1da177e4
LT		 1780/* Check whether a task has a particular permission to an inode.
1781 The 'adp' parameter is optional and allows other audit
1782 data to be passed (e.g. the dentry). */
88e67f3b 1783static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1784 struct inode *inode,
1785 u32 perms,
19e49834 1786 struct common_audit_data *adp)
1da177e4 1787{
1da177e4 1788 struct inode_security_struct *isec;
275bb41e 1789 u32 sid;
1da177e4 1790
e0e81739
DH		 1791 validate_creds(cred);
1792
828dfe1d 1793 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1794 return 0;
1795
88e67f3b 1796 sid = cred_sid(cred);
1da177e4
LT		 1797 isec = inode->i_security;
1798
6b6bc620
SS		 1799 return avc_has_perm(&selinux_state,
1800 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1801}
1802
1803/* Same as inode_has_perm, but pass explicit audit data containing
1804 the dentry to help the auditing code to more easily generate the
1805 pathname if needed. */
88e67f3b 1806static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1807 struct dentry *dentry,
1808 u32 av)
1809{
c6f493d6 1810 struct inode *inode = d_backing_inode(dentry);
2bf49690 1811 struct common_audit_data ad;
88e67f3b 1812
50c205f5 1813 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1814 ad.u.dentry = dentry;
5d226df4 1815 __inode_security_revalidate(inode, dentry, true);
19e49834 1816 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1817}
1818
1819/* Same as inode_has_perm, but pass explicit audit data containing
1820 the path to help the auditing code to more easily generate the
1821 pathname if needed. */
1822static inline int path_has_perm(const struct cred *cred,
3f7036a0 1823 const struct path *path,
2875fa00
EP		 1824 u32 av)
1825{
c6f493d6 1826 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1827 struct common_audit_data ad;
1828
50c205f5 1829 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1830 ad.u.path = *path;
5d226df4 1831 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1832 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1833}
1834
13f8e981
DH		 1835/* Same as path_has_perm, but uses the inode from the file struct. */
1836static inline int file_path_has_perm(const struct cred *cred,
1837 struct file *file,
1838 u32 av)
1839{
1840 struct common_audit_data ad;
1841
43af5de7
VG		 1842 ad.type = LSM_AUDIT_DATA_FILE;
1843 ad.u.file = file;
19e49834 1844 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1845}
1846
f66e448c
CF		 1847#ifdef CONFIG_BPF_SYSCALL
1848static int bpf_fd_pass(struct file *file, u32 sid);
1849#endif
1850
1da177e4
LT		 1851/* Check whether a task can use an open file descriptor to
1852 access an inode in a given way. Check access to the
1853 descriptor itself, and then use dentry_has_perm to
1854 check a particular permission to the file.
1855 Access to the descriptor is implicitly granted if it
1856 has the same SID as the process. If av is zero, then
1857 access to the file is not checked, e.g. for cases
1858 where only the descriptor is affected like seek. */
88e67f3b
DH		 1859static int file_has_perm(const struct cred *cred,
1860 struct file *file,
1861 u32 av)
1da177e4 1862{
1da177e4 1863 struct file_security_struct *fsec = file->f_security;
496ad9aa 1864 struct inode *inode = file_inode(file);
2bf49690 1865 struct common_audit_data ad;
88e67f3b 1866 u32 sid = cred_sid(cred);
1da177e4
LT		 1867 int rc;
1868
43af5de7
VG		 1869 ad.type = LSM_AUDIT_DATA_FILE;
1870 ad.u.file = file;
1da177e4 1871
275bb41e 1872 if (sid != fsec->sid) {
6b6bc620
SS		 1873 rc = avc_has_perm(&selinux_state,
1874 sid, fsec->sid,
1da177e4
LT		 1875 SECCLASS_FD,
1876 FD__USE,
1877 &ad);
1878 if (rc)
88e67f3b 1879 goto out;
1da177e4
LT		 1880 }
1881
f66e448c
CF		 1882#ifdef CONFIG_BPF_SYSCALL
1883 rc = bpf_fd_pass(file, cred_sid(cred));
1884 if (rc)
1885 return rc;
1886#endif
1887
1da177e4 1888 /* av is zero if only checking access to the descriptor. */
88e67f3b 1889 rc = 0;
1da177e4 1890 if (av)
19e49834 1891 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1892
88e67f3b
DH		 1893out:
1894 return rc;
1da177e4
LT		 1895}
1896
c3c188b2
DH		 1897/*
1898 * Determine the label for an inode that might be unioned.
1899 */
c957f6df
VG		 1900static int
1901selinux_determine_inode_label(const struct task_security_struct *tsec,
1902 struct inode *dir,
1903 const struct qstr *name, u16 tclass,
1904 u32 *_new_isid)
c3c188b2
DH		 1905{
1906 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1907
1908 if ((sbsec->flags & SE_SBINITIALIZED) &&
1909 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1910 *_new_isid = sbsec->mntpoint_sid;
1911 } else if ((sbsec->flags & SBLABEL_MNT) &&
1912 tsec->create_sid) {
1913 *_new_isid = tsec->create_sid;
1914 } else {
20cdef8d 1915 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1916 return security_transition_sid(&selinux_state, tsec->sid,
1917 dsec->sid, tclass,
c3c188b2
DH		 1918 name, _new_isid);
1919 }
1920
1921 return 0;
1922}
1923
1da177e4
LT		 1924/* Check whether a task can create a file. */
1925static int may_create(struct inode *dir,
1926 struct dentry *dentry,
1927 u16 tclass)
1928{
5fb49870 1929 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1930 struct inode_security_struct *dsec;
1931 struct superblock_security_struct *sbsec;
275bb41e 1932 u32 sid, newsid;
2bf49690 1933 struct common_audit_data ad;
1da177e4
LT		 1934 int rc;
1935
83da53c5 1936 dsec = inode_security(dir);
1da177e4
LT		 1937 sbsec = dir->i_sb->s_security;
1938
275bb41e 1939 sid = tsec->sid;
275bb41e 1940
50c205f5 1941 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1942 ad.u.dentry = dentry;
1da177e4 1943
6b6bc620
SS		 1944 rc = avc_has_perm(&selinux_state,
1945 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1946 DIR__ADD_NAME | DIR__SEARCH,
1947 &ad);
1948 if (rc)
1949 return rc;
1950
c957f6df
VG		 1951 rc = selinux_determine_inode_label(current_security(), dir,
1952 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1953 if (rc)
1954 return rc;
1da177e4 1955
6b6bc620
SS		 1956 rc = avc_has_perm(&selinux_state,
1957 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1958 if (rc)
1959 return rc;
1960
6b6bc620
SS		 1961 return avc_has_perm(&selinux_state,
1962 newsid, sbsec->sid,
1da177e4
LT		 1963 SECCLASS_FILESYSTEM,
1964 FILESYSTEM__ASSOCIATE, &ad);
1965}
1966
828dfe1d
EP		 1967#define MAY_LINK 0
1968#define MAY_UNLINK 1
1969#define MAY_RMDIR 2
1da177e4
LT		 1970
1971/* Check whether a task can link, unlink, or rmdir a file/directory. */
1972static int may_link(struct inode *dir,
1973 struct dentry *dentry,
1974 int kind)
1975
1976{
1da177e4 1977 struct inode_security_struct *dsec, *isec;
2bf49690 1978 struct common_audit_data ad;
275bb41e 1979 u32 sid = current_sid();
1da177e4
LT		 1980 u32 av;
1981 int rc;
1982
83da53c5
AG		 1983 dsec = inode_security(dir);
1984 isec = backing_inode_security(dentry);
1da177e4 1985
50c205f5 1986 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1987 ad.u.dentry = dentry;
1da177e4
LT		 1988
1989 av = DIR__SEARCH;
1990 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1991 rc = avc_has_perm(&selinux_state,
1992 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1993 if (rc)
1994 return rc;
1995
1996 switch (kind) {
1997 case MAY_LINK:
1998 av = FILE__LINK;
1999 break;
2000 case MAY_UNLINK:
2001 av = FILE__UNLINK;
2002 break;
2003 case MAY_RMDIR:
2004 av = DIR__RMDIR;
2005 break;
2006 default:
c103a91e 2007 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 2008 __func__, kind);
1da177e4
LT		 2009 return 0;
2010 }
2011
6b6bc620
SS		 2012 rc = avc_has_perm(&selinux_state,
2013 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 2014 return rc;
2015}
2016
2017static inline int may_rename(struct inode *old_dir,
2018 struct dentry *old_dentry,
2019 struct inode *new_dir,
2020 struct dentry *new_dentry)
2021{
1da177e4 2022 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 2023 struct common_audit_data ad;
275bb41e 2024 u32 sid = current_sid();
1da177e4
LT		 2025 u32 av;
2026 int old_is_dir, new_is_dir;
2027 int rc;
2028
83da53c5
AG		 2029 old_dsec = inode_security(old_dir);
2030 old_isec = backing_inode_security(old_dentry);
e36cb0b8 2031 old_is_dir = d_is_dir(old_dentry);
83da53c5 2032 new_dsec = inode_security(new_dir);
1da177e4 2033
50c205f5 2034 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 2035
a269434d 2036 ad.u.dentry = old_dentry;
6b6bc620
SS		 2037 rc = avc_has_perm(&selinux_state,
2038 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 2039 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2040 if (rc)
2041 return rc;
6b6bc620
SS		 2042 rc = avc_has_perm(&selinux_state,
2043 sid, old_isec->sid,
1da177e4
LT		 2044 old_isec->sclass, FILE__RENAME, &ad);
2045 if (rc)
2046 return rc;
2047 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 2048 rc = avc_has_perm(&selinux_state,
2049 sid, old_isec->sid,
1da177e4
LT		 2050 old_isec->sclass, DIR__REPARENT, &ad);
2051 if (rc)
2052 return rc;
2053 }
2054
a269434d 2055 ad.u.dentry = new_dentry;
1da177e4 2056 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2057 if (d_is_positive(new_dentry))
1da177e4 2058 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 2059 rc = avc_has_perm(&selinux_state,
2060 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2061 if (rc)
2062 return rc;
2c616d4d 2063 if (d_is_positive(new_dentry)) {
83da53c5 2064 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2065 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 2066 rc = avc_has_perm(&selinux_state,
2067 sid, new_isec->sid,
1da177e4
LT		 2068 new_isec->sclass,
2069 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2070 if (rc)
2071 return rc;
2072 }
2073
2074 return 0;
2075}
2076
2077/* Check whether a task can perform a filesystem operation. */
88e67f3b 2078static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2079 struct super_block *sb,
2080 u32 perms,
2bf49690 2081 struct common_audit_data *ad)
1da177e4 2082{
1da177e4 2083 struct superblock_security_struct *sbsec;
88e67f3b 2084 u32 sid = cred_sid(cred);
1da177e4 2085
1da177e4 2086 sbsec = sb->s_security;
6b6bc620
SS		 2087 return avc_has_perm(&selinux_state,
2088 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2089}
2090
2091/* Convert a Linux mode and permission mask to an access vector. */
2092static inline u32 file_mask_to_av(int mode, int mask)
2093{
2094 u32 av = 0;
2095
dba19c60 2096 if (!S_ISDIR(mode)) {
1da177e4
LT		 2097 if (mask & MAY_EXEC)
2098 av |= FILE__EXECUTE;
2099 if (mask & MAY_READ)
2100 av |= FILE__READ;
2101
2102 if (mask & MAY_APPEND)
2103 av |= FILE__APPEND;
2104 else if (mask & MAY_WRITE)
2105 av |= FILE__WRITE;
2106
2107 } else {
2108 if (mask & MAY_EXEC)
2109 av |= DIR__SEARCH;
2110 if (mask & MAY_WRITE)
2111 av |= DIR__WRITE;
2112 if (mask & MAY_READ)
2113 av |= DIR__READ;
2114 }
2115
2116 return av;
2117}
2118
8b6a5a37
EP		 2119/* Convert a Linux file to an access vector. */
2120static inline u32 file_to_av(struct file *file)
2121{
2122 u32 av = 0;
2123
2124 if (file->f_mode & FMODE_READ)
2125 av |= FILE__READ;
2126 if (file->f_mode & FMODE_WRITE) {
2127 if (file->f_flags & O_APPEND)
2128 av |= FILE__APPEND;
2129 else
2130 av |= FILE__WRITE;
2131 }
2132 if (!av) {
2133 /*
2134 * Special file opened with flags 3 for ioctl-only use.
2135 */
2136 av = FILE__IOCTL;
2137 }
2138
2139 return av;
2140}
2141
b0c636b9 2142/*
8b6a5a37 2143 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2144 * open permission.
2145 */
8b6a5a37 2146static inline u32 open_file_to_av(struct file *file)
b0c636b9 2147{
8b6a5a37 2148 u32 av = file_to_av(file);
ccb54478 2149 struct inode *inode = file_inode(file);
b0c636b9 2150
aa8e712c
SS		 2151 if (selinux_policycap_openperm() &&
2152 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2153 av |= FILE__OPEN;
2154
b0c636b9
EP		 2155 return av;
2156}
2157
1da177e4
LT		 2158/* Hook functions begin here. */
2159
79af7307
SS		 2160static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2161{
2162 u32 mysid = current_sid();
2163 u32 mgrsid = task_sid(mgr);
2164
6b6bc620
SS		 2165 return avc_has_perm(&selinux_state,
2166 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2167 BINDER__SET_CONTEXT_MGR, NULL);
2168}
2169
2170static int selinux_binder_transaction(struct task_struct *from,
2171 struct task_struct *to)
2172{
2173 u32 mysid = current_sid();
2174 u32 fromsid = task_sid(from);
2175 u32 tosid = task_sid(to);
2176 int rc;
2177
2178 if (mysid != fromsid) {
6b6bc620
SS		 2179 rc = avc_has_perm(&selinux_state,
2180 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2181 BINDER__IMPERSONATE, NULL);
2182 if (rc)
2183 return rc;
2184 }
2185
6b6bc620
SS		 2186 return avc_has_perm(&selinux_state,
2187 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2188 NULL);
2189}
2190
2191static int selinux_binder_transfer_binder(struct task_struct *from,
2192 struct task_struct *to)
2193{
2194 u32 fromsid = task_sid(from);
2195 u32 tosid = task_sid(to);
2196
6b6bc620
SS		 2197 return avc_has_perm(&selinux_state,
2198 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2199 NULL);
2200}
2201
2202static int selinux_binder_transfer_file(struct task_struct *from,
2203 struct task_struct *to,
2204 struct file *file)
2205{
2206 u32 sid = task_sid(to);
2207 struct file_security_struct *fsec = file->f_security;
83da53c5 2208 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2209 struct inode_security_struct *isec;
79af7307
SS		 2210 struct common_audit_data ad;
2211 int rc;
2212
2213 ad.type = LSM_AUDIT_DATA_PATH;
2214 ad.u.path = file->f_path;
2215
2216 if (sid != fsec->sid) {
6b6bc620
SS		 2217 rc = avc_has_perm(&selinux_state,
2218 sid, fsec->sid,
79af7307
SS		 2219 SECCLASS_FD,
2220 FD__USE,
2221 &ad);
2222 if (rc)
2223 return rc;
2224 }
2225
f66e448c
CF		 2226#ifdef CONFIG_BPF_SYSCALL
2227 rc = bpf_fd_pass(file, sid);
2228 if (rc)
2229 return rc;
2230#endif
2231
83da53c5 2232 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2233 return 0;
2234
20cdef8d 2235 isec = backing_inode_security(dentry);
6b6bc620
SS		 2236 return avc_has_perm(&selinux_state,
2237 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2238 &ad);
2239}
2240
9e48858f 2241static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2242 unsigned int mode)
1da177e4 2243{
be0554c9
SS		 2244 u32 sid = current_sid();
2245 u32 csid = task_sid(child);
2246
2247 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2248 return avc_has_perm(&selinux_state,
2249 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2250
6b6bc620
SS		 2251 return avc_has_perm(&selinux_state,
2252 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2253}
2254
2255static int selinux_ptrace_traceme(struct task_struct *parent)
2256{
6b6bc620
SS		 2257 return avc_has_perm(&selinux_state,
2258 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2259 PROCESS__PTRACE, NULL);
1da177e4
LT		 2260}
2261
2262static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2263 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2264{
6b6bc620
SS		 2265 return avc_has_perm(&selinux_state,
2266 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2267 PROCESS__GETCAP, NULL);
1da177e4
LT		 2268}
2269
d84f4f99
DH		 2270static int selinux_capset(struct cred *new, const struct cred *old,
2271 const kernel_cap_t *effective,
2272 const kernel_cap_t *inheritable,
2273 const kernel_cap_t *permitted)
1da177e4 2274{
6b6bc620
SS		 2275 return avc_has_perm(&selinux_state,
2276 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2277 PROCESS__SETCAP, NULL);
1da177e4
LT		 2278}
2279
5626d3e8
JM		 2280/*
2281 * (This comment used to live with the selinux_task_setuid hook,
2282 * which was removed).
2283 *
2284 * Since setuid only affects the current process, and since the SELinux
2285 * controls are not based on the Linux identity attributes, SELinux does not
2286 * need to control this operation. However, SELinux does control the use of
2287 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2288 */
2289
6a9de491
EP		 2290static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2291 int cap, int audit)
1da177e4 2292{
8e4ff6f2 2293 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2294}
2295
1da177e4
LT		 2296static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2297{
88e67f3b 2298 const struct cred *cred = current_cred();
1da177e4
LT		 2299 int rc = 0;
2300
2301 if (!sb)
2302 return 0;
2303
2304 switch (cmds) {
828dfe1d
EP		 2305 case Q_SYNC:
2306 case Q_QUOTAON:
2307 case Q_QUOTAOFF:
2308 case Q_SETINFO:
2309 case Q_SETQUOTA:
88e67f3b 2310 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2311 break;
2312 case Q_GETFMT:
2313 case Q_GETINFO:
2314 case Q_GETQUOTA:
88e67f3b 2315 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2316 break;
2317 default:
2318 rc = 0; /* let the kernel handle invalid cmds */
2319 break;
1da177e4
LT		 2320 }
2321 return rc;
2322}
2323
2324static int selinux_quota_on(struct dentry *dentry)
2325{
88e67f3b
DH		 2326 const struct cred *cred = current_cred();
2327
2875fa00 2328 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2329}
2330
12b3052c 2331static int selinux_syslog(int type)
1da177e4 2332{
1da177e4 2333 switch (type) {
d78ca3cd
KC		 2334 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2335 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2336 return avc_has_perm(&selinux_state,
2337 current_sid(), SECINITSID_KERNEL,
be0554c9 2338 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2339 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2340 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2341 /* Set level of messages printed to console */
2342 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2343 return avc_has_perm(&selinux_state,
2344 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2345 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2346 NULL);
1da177e4 2347 }
be0554c9 2348 /* All other syslog types */
6b6bc620
SS		 2349 return avc_has_perm(&selinux_state,
2350 current_sid(), SECINITSID_KERNEL,
be0554c9 2351 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2352}
2353
2354/*
2355 * Check that a process has enough memory to allocate a new virtual
2356 * mapping. 0 means there is enough memory for the allocation to
2357 * succeed and -ENOMEM implies there is not.
2358 *
1da177e4
LT		 2359 * Do not audit the selinux permission check, as this is applied to all
2360 * processes that allocate mappings.
2361 */
34b4e4aa 2362static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2363{
2364 int rc, cap_sys_admin = 0;
1da177e4 2365
b1d9e6b0 2366 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2367 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2368 if (rc == 0)
2369 cap_sys_admin = 1;
2370
b1d9e6b0 2371 return cap_sys_admin;
1da177e4
LT		 2372}
2373
2374/* binprm security operations */
2375
be0554c9 2376static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2377{
2378 u32 sid = 0;
2379 struct task_struct *tracer;
2380
2381 rcu_read_lock();
be0554c9 2382 tracer = ptrace_parent(current);
0c6181cb
PM		 2383 if (tracer)
2384 sid = task_sid(tracer);
2385 rcu_read_unlock();
2386
2387 return sid;
2388}
2389
7b0d0b40
SS		 2390static int check_nnp_nosuid(const struct linux_binprm *bprm,
2391 const struct task_security_struct *old_tsec,
2392 const struct task_security_struct *new_tsec)
2393{
2394 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2395 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2396 int rc;
af63f419 2397 u32 av;
7b0d0b40
SS		 2398
2399 if (!nnp && !nosuid)
2400 return 0; /* neither NNP nor nosuid */
2401
2402 if (new_tsec->sid == old_tsec->sid)
2403 return 0; /* No change in credentials */
2404
2405 /*
af63f419
SS		 2406 * If the policy enables the nnp_nosuid_transition policy capability,
2407 * then we permit transitions under NNP or nosuid if the
2408 * policy allows the corresponding permission between
2409 * the old and new contexts.
7b0d0b40 2410 */
aa8e712c 2411 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2412 av = 0;
7b0d0b40 2413 if (nnp)
af63f419
SS		 2414 av |= PROCESS2__NNP_TRANSITION;
2415 if (nosuid)
2416 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2417 rc = avc_has_perm(&selinux_state,
2418 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2419 SECCLASS_PROCESS2, av, NULL);
2420 if (!rc)
2421 return 0;
7b0d0b40 2422 }
af63f419
SS		 2423
2424 /*
2425 * We also permit NNP or nosuid transitions to bounded SIDs,
2426 * i.e. SIDs that are guaranteed to only be allowed a subset
2427 * of the permissions of the current SID.
2428 */
aa8e712c
SS		 2429 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2430 new_tsec->sid);
af63f419
SS		 2431 if (!rc)
2432 return 0;
2433
2434 /*
2435 * On failure, preserve the errno values for NNP vs nosuid.
2436 * NNP: Operation not permitted for caller.
2437 * nosuid: Permission denied to file.
2438 */
2439 if (nnp)
2440 return -EPERM;
2441 return -EACCES;
7b0d0b40
SS		 2442}
2443
a6f76f23 2444static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2445{
a6f76f23
DH		 2446 const struct task_security_struct *old_tsec;
2447 struct task_security_struct *new_tsec;
1da177e4 2448 struct inode_security_struct *isec;
2bf49690 2449 struct common_audit_data ad;
496ad9aa 2450 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2451 int rc;
2452
a6f76f23
DH		 2453 /* SELinux context only depends on initial program or script and not
2454 * the script interpreter */
ddb4a144 2455 if (bprm->called_set_creds)
1da177e4
LT		 2456 return 0;
2457
a6f76f23
DH		 2458 old_tsec = current_security();
2459 new_tsec = bprm->cred->security;
83da53c5 2460 isec = inode_security(inode);
1da177e4
LT		 2461
2462 /* Default to the current task SID. */
a6f76f23
DH		 2463 new_tsec->sid = old_tsec->sid;
2464 new_tsec->osid = old_tsec->sid;
1da177e4 2465
28eba5bf 2466 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2467 new_tsec->create_sid = 0;
2468 new_tsec->keycreate_sid = 0;
2469 new_tsec->sockcreate_sid = 0;
1da177e4 2470
a6f76f23
DH		 2471 if (old_tsec->exec_sid) {
2472 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2473 /* Reset exec SID on execve. */
a6f76f23 2474 new_tsec->exec_sid = 0;
259e5e6c 2475
7b0d0b40
SS		 2476 /* Fail on NNP or nosuid if not an allowed transition. */
2477 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2478 if (rc)
2479 return rc;
1da177e4
LT		 2480 } else {
2481 /* Check for a default transition on this program. */
aa8e712c
SS		 2482 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2483 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2484 &new_tsec->sid);
1da177e4
LT		 2485 if (rc)
2486 return rc;
7b0d0b40
SS		 2487
2488 /*
2489 * Fallback to old SID on NNP or nosuid if not an allowed
2490 * transition.
2491 */
2492 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2493 if (rc)
2494 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2495 }
2496
43af5de7
VG		 2497 ad.type = LSM_AUDIT_DATA_FILE;
2498 ad.u.file = bprm->file;
1da177e4 2499
a6f76f23 2500 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2501 rc = avc_has_perm(&selinux_state,
2502 old_tsec->sid, isec->sid,
1da177e4
LT		 2503 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2504 if (rc)
2505 return rc;
2506 } else {
2507 /* Check permissions for the transition. */
6b6bc620
SS		 2508 rc = avc_has_perm(&selinux_state,
2509 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2510 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2511 if (rc)
2512 return rc;
2513
6b6bc620
SS		 2514 rc = avc_has_perm(&selinux_state,
2515 new_tsec->sid, isec->sid,
1da177e4
LT		 2516 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2517 if (rc)
2518 return rc;
2519
a6f76f23
DH		 2520 /* Check for shared state */
2521 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2522 rc = avc_has_perm(&selinux_state,
2523 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2524 SECCLASS_PROCESS, PROCESS__SHARE,
2525 NULL);
2526 if (rc)
2527 return -EPERM;
2528 }
2529
2530 /* Make sure that anyone attempting to ptrace over a task that
2531 * changes its SID has the appropriate permit */
9227dd2a 2532 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2533 u32 ptsid = ptrace_parent_sid();
a6f76f23 2534 if (ptsid != 0) {
6b6bc620
SS		 2535 rc = avc_has_perm(&selinux_state,
2536 ptsid, new_tsec->sid,
a6f76f23
DH		 2537 SECCLASS_PROCESS,
2538 PROCESS__PTRACE, NULL);
2539 if (rc)
2540 return -EPERM;
2541 }
2542 }
1da177e4 2543
a6f76f23
DH		 2544 /* Clear any possibly unsafe personality bits on exec: */
2545 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2546
1da177e4
LT		 2547 /* Enable secure mode for SIDs transitions unless
2548 the noatsecure permission is granted between
2549 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2550 rc = avc_has_perm(&selinux_state,
2551 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2552 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2553 NULL);
2554 bprm->secureexec |= !!rc;
1da177e4
LT		 2555 }
2556
62874c3a 2557 return 0;
1da177e4
LT		 2558}
2559
c3c073f8
AV		 2560static int match_file(const void *p, struct file *file, unsigned fd)
2561{
2562 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2563}
2564
1da177e4 2565/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2566static inline void flush_unauthorized_files(const struct cred *cred,
2567 struct files_struct *files)
1da177e4 2568{
1da177e4 2569 struct file *file, *devnull = NULL;
b20c8122 2570 struct tty_struct *tty;
24ec839c 2571 int drop_tty = 0;
c3c073f8 2572 unsigned n;
1da177e4 2573
24ec839c 2574 tty = get_current_tty();
1da177e4 2575 if (tty) {
4a510969 2576 spin_lock(&tty->files_lock);
37dd0bd0 2577 if (!list_empty(&tty->tty_files)) {
d996b62a 2578 struct tty_file_private *file_priv;
37dd0bd0 2579
1da177e4 2580 /* Revalidate access to controlling tty.
13f8e981
DH		 2581 Use file_path_has_perm on the tty path directly
2582 rather than using file_has_perm, as this particular
2583 open file may belong to another process and we are
2584 only interested in the inode-based check here. */
d996b62a
NP		 2585 file_priv = list_first_entry(&tty->tty_files,
2586 struct tty_file_private, list);
2587 file = file_priv->file;
13f8e981 2588 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2589 drop_tty = 1;
1da177e4 2590 }
4a510969 2591 spin_unlock(&tty->files_lock);
452a00d2 2592 tty_kref_put(tty);
1da177e4 2593 }
98a27ba4
EB		 2594 /* Reset controlling tty. */
2595 if (drop_tty)
2596 no_tty();
1da177e4
LT		 2597
2598 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2599 n = iterate_fd(files, 0, match_file, cred);
2600 if (!n) /* none found? */
2601 return;
1da177e4 2602
c3c073f8 2603 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2604 if (IS_ERR(devnull))
2605 devnull = NULL;
2606 /* replace all the matching ones with this */
2607 do {
2608 replace_fd(n - 1, devnull, 0);
2609 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2610 if (devnull)
c3c073f8 2611 fput(devnull);
1da177e4
LT		 2612}
2613
a6f76f23
DH		 2614/*
2615 * Prepare a process for imminent new credential changes due to exec
2616 */
2617static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2618{
a6f76f23
DH		 2619 struct task_security_struct *new_tsec;
2620 struct rlimit *rlim, *initrlim;
2621 int rc, i;
d84f4f99 2622
a6f76f23
DH		 2623 new_tsec = bprm->cred->security;
2624 if (new_tsec->sid == new_tsec->osid)
2625 return;
1da177e4 2626
a6f76f23
DH		 2627 /* Close files for which the new task SID is not authorized. */
2628 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2629
a6f76f23
DH		 2630 /* Always clear parent death signal on SID transitions. */
2631 current->pdeath_signal = 0;
0356357c 2632
a6f76f23
DH		 2633 /* Check whether the new SID can inherit resource limits from the old
2634 * SID. If not, reset all soft limits to the lower of the current
2635 * task's hard limit and the init task's soft limit.
2636 *
2637 * Note that the setting of hard limits (even to lower them) can be
2638 * controlled by the setrlimit check. The inclusion of the init task's
2639 * soft limit into the computation is to avoid resetting soft limits
2640 * higher than the default soft limit for cases where the default is
2641 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2642 */
6b6bc620
SS		 2643 rc = avc_has_perm(&selinux_state,
2644 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2645 PROCESS__RLIMITINH, NULL);
2646 if (rc) {
eb2d55a3
ON		 2647 /* protect against do_prlimit() */
2648 task_lock(current);
a6f76f23
DH		 2649 for (i = 0; i < RLIM_NLIMITS; i++) {
2650 rlim = current->signal->rlim + i;
2651 initrlim = init_task.signal->rlim + i;
2652 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2653 }
eb2d55a3 2654 task_unlock(current);
baa73d9e
NP		 2655 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2656 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2657 }
2658}
2659
2660/*
a6f76f23
DH		 2661 * Clean up the process immediately after the installation of new credentials
2662 * due to exec
1da177e4 2663 */
a6f76f23 2664static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2665{
a6f76f23 2666 const struct task_security_struct *tsec = current_security();
1da177e4 2667 struct itimerval itimer;
a6f76f23 2668 u32 osid, sid;
1da177e4
LT		 2669 int rc, i;
2670
a6f76f23
DH		 2671 osid = tsec->osid;
2672 sid = tsec->sid;
2673
2674 if (sid == osid)
1da177e4
LT		 2675 return;
2676
a6f76f23
DH		 2677 /* Check whether the new SID can inherit signal state from the old SID.
2678 * If not, clear itimers to avoid subsequent signal generation and
2679 * flush and unblock signals.
2680 *
2681 * This must occur _after_ the task SID has been updated so that any
2682 * kill done after the flush will be checked against the new SID.
2683 */
6b6bc620
SS		 2684 rc = avc_has_perm(&selinux_state,
2685 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2686 if (rc) {
baa73d9e
NP		 2687 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2688 memset(&itimer, 0, sizeof itimer);
2689 for (i = 0; i < 3; i++)
2690 do_setitimer(i, &itimer, NULL);
2691 }
1da177e4 2692 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2693 if (!fatal_signal_pending(current)) {
2694 flush_sigqueue(&current->pending);
2695 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2696 flush_signal_handlers(current, 1);
2697 sigemptyset(&current->blocked);
9e7c8f8c 2698 recalc_sigpending();
3bcac026 2699 }
1da177e4
LT		 2700 spin_unlock_irq(&current->sighand->siglock);
2701 }
2702
a6f76f23
DH		 2703 /* Wake up the parent if it is waiting so that it can recheck
2704 * wait permission to the new task SID. */
ecd6de3c 2705 read_lock(&tasklist_lock);
0b7570e7 2706 __wake_up_parent(current, current->real_parent);
ecd6de3c 2707 read_unlock(&tasklist_lock);
1da177e4
LT		 2708}
2709
2710/* superblock security operations */
2711
2712static int selinux_sb_alloc_security(struct super_block *sb)
2713{
2714 return superblock_alloc_security(sb);
2715}
2716
2717static void selinux_sb_free_security(struct super_block *sb)
2718{
2719 superblock_free_security(sb);
2720}
2721
2722static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2723{
2724 if (plen > olen)
2725 return 0;
2726
2727 return !memcmp(prefix, option, plen);
2728}
2729
2730static inline int selinux_option(char *option, int len)
2731{
832cbd9a
EP		 2732 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2733 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2734 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2735 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2736 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2737}
2738
2739static inline void take_option(char **to, char *from, int *first, int len)
2740{
2741 if (!*first) {
2742 **to = ',';
2743 *to += 1;
3528a953 2744 } else
1da177e4
LT		 2745 *first = 0;
2746 memcpy(*to, from, len);
2747 *to += len;
2748}
2749
828dfe1d
EP		 2750static inline void take_selinux_option(char **to, char *from, int *first,
2751 int len)
3528a953
CO		 2752{
2753 int current_size = 0;
2754
2755 if (!*first) {
2756 **to = '|';
2757 *to += 1;
828dfe1d 2758 } else
3528a953
CO		 2759 *first = 0;
2760
2761 while (current_size < len) {
2762 if (*from != '"') {
2763 **to = *from;
2764 *to += 1;
2765 }
2766 from += 1;
2767 current_size += 1;
2768 }
2769}
2770
e0007529 2771static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2772{
2773 int fnosec, fsec, rc = 0;
2774 char *in_save, *in_curr, *in_end;
2775 char *sec_curr, *nosec_save, *nosec;
3528a953 2776 int open_quote = 0;
1da177e4
LT		 2777
2778 in_curr = orig;
2779 sec_curr = copy;
2780
1da177e4
LT		 2781 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2782 if (!nosec) {
2783 rc = -ENOMEM;
2784 goto out;
2785 }
2786
2787 nosec_save = nosec;
2788 fnosec = fsec = 1;
2789 in_save = in_end = orig;
2790
2791 do {
3528a953
CO		 2792 if (*in_end == '"')
2793 open_quote = !open_quote;
2794 if ((*in_end == ',' && open_quote == 0) ||
2795 *in_end == '\0') {
1da177e4
LT		 2796 int len = in_end - in_curr;
2797
2798 if (selinux_option(in_curr, len))
3528a953 2799 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2800 else
2801 take_option(&nosec, in_curr, &fnosec, len);
2802
2803 in_curr = in_end + 1;
2804 }
2805 } while (*in_end++);
2806
6931dfc9 2807 strcpy(in_save, nosec_save);
da3caa20 2808 free_page((unsigned long)nosec_save);
1da177e4
LT		 2809out:
2810 return rc;
2811}
2812
c039bc3c
AV		 2813static int selinux_sb_remount(struct super_block *sb,
2814 struct security_mnt_opts *opts)
026eb167 2815{
c039bc3c
AV		 2816 int i, *flags;
2817 char **mount_options;
026eb167
EP		 2818 struct superblock_security_struct *sbsec = sb->s_security;
2819
2820 if (!(sbsec->flags & SE_SBINITIALIZED))
2821 return 0;
2822
c039bc3c
AV		 2823 mount_options = opts->mnt_opts;
2824 flags = opts->mnt_opts_flags;
026eb167 2825
c039bc3c 2826 for (i = 0; i < opts->num_mnt_opts; i++) {
026eb167 2827 u32 sid;
c039bc3c 2828 int rc;
026eb167 2829
12f348b9 2830 if (flags[i] == SBLABEL_MNT)
026eb167 2831 continue;
aa8e712c
SS		 2832 rc = security_context_str_to_sid(&selinux_state,
2833 mount_options[i], &sid,
2834 GFP_KERNEL);
026eb167 2835 if (rc) {
c103a91e 2836 pr_warn("SELinux: security_context_str_to_sid"
29b1deb2
LT		 2837 "(%s) failed for (dev %s, type %s) errno=%d\n",
2838 mount_options[i], sb->s_id, sb->s_type->name, rc);
c039bc3c 2839 return rc;
026eb167 2840 }
026eb167
EP		 2841 switch (flags[i]) {
2842 case FSCONTEXT_MNT:
2843 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2844 goto out_bad_option;
2845 break;
2846 case CONTEXT_MNT:
2847 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2848 goto out_bad_option;
2849 break;
2850 case ROOTCONTEXT_MNT: {
2851 struct inode_security_struct *root_isec;
83da53c5 2852 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2853
2854 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2855 goto out_bad_option;
2856 break;
2857 }
2858 case DEFCONTEXT_MNT:
2859 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2860 goto out_bad_option;
2861 break;
2862 default:
c039bc3c 2863 return -EINVAL;
026eb167
EP		 2864 }
2865 }
c039bc3c 2866 return 0;
026eb167 2867
026eb167 2868out_bad_option:
c103a91e 2869 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2870 "during remount (dev %s, type=%s)\n", sb->s_id,
2871 sb->s_type->name);
c039bc3c 2872 return -EINVAL;
026eb167
EP		 2873}
2874
a10d7c22 2875static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2876{
88e67f3b 2877 const struct cred *cred = current_cred();
2bf49690 2878 struct common_audit_data ad;
74192246 2879
50c205f5 2880 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2881 ad.u.dentry = sb->s_root;
88e67f3b 2882 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2883}
2884
726c3342 2885static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2886{
88e67f3b 2887 const struct cred *cred = current_cred();
2bf49690 2888 struct common_audit_data ad;
1da177e4 2889
50c205f5 2890 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2891 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2892 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2893}
2894
808d4e3c 2895static int selinux_mount(const char *dev_name,
8a04c43b 2896 const struct path *path,
808d4e3c 2897 const char *type,
828dfe1d
EP		 2898 unsigned long flags,
2899 void *data)
1da177e4 2900{
88e67f3b 2901 const struct cred *cred = current_cred();
1da177e4
LT		 2902
2903 if (flags & MS_REMOUNT)
d8c9584e 2904 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2905 FILESYSTEM__REMOUNT, NULL);
1da177e4 2906 else
2875fa00 2907 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2908}
2909
2910static int selinux_umount(struct vfsmount *mnt, int flags)
2911{
88e67f3b 2912 const struct cred *cred = current_cred();
1da177e4 2913
88e67f3b 2914 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2915 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2916}
2917
2918/* inode security operations */
2919
2920static int selinux_inode_alloc_security(struct inode *inode)
2921{
2922 return inode_alloc_security(inode);
2923}
2924
2925static void selinux_inode_free_security(struct inode *inode)
2926{
2927 inode_free_security(inode);
2928}
2929
d47be3df 2930static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2931 const struct qstr *name, void **ctx,
d47be3df
DQ		 2932 u32 *ctxlen)
2933{
d47be3df
DQ		 2934 u32 newsid;
2935 int rc;
2936
c957f6df
VG		 2937 rc = selinux_determine_inode_label(current_security(),
2938 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2939 inode_mode_to_security_class(mode),
2940 &newsid);
2941 if (rc)
2942 return rc;
d47be3df 2943
aa8e712c
SS		 2944 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2945 ctxlen);
d47be3df
DQ		 2946}
2947
a518b0a5
VG		 2948static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2949 struct qstr *name,
2950 const struct cred *old,
2951 struct cred *new)
2952{
2953 u32 newsid;
2954 int rc;
2955 struct task_security_struct *tsec;
2956
2957 rc = selinux_determine_inode_label(old->security,
2958 d_inode(dentry->d_parent), name,
2959 inode_mode_to_security_class(mode),
2960 &newsid);
2961 if (rc)
2962 return rc;
2963
2964 tsec = new->security;
2965 tsec->create_sid = newsid;
2966 return 0;
2967}
2968
5e41ff9e 2969static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2970 const struct qstr *qstr,
2971 const char **name,
2a7dba39 2972 void **value, size_t *len)
5e41ff9e 2973{
5fb49870 2974 const struct task_security_struct *tsec = current_security();
5e41ff9e 2975 struct superblock_security_struct *sbsec;
c0d4f464 2976 u32 newsid, clen;
5e41ff9e 2977 int rc;
9548906b 2978 char *context;
5e41ff9e 2979
5e41ff9e 2980 sbsec = dir->i_sb->s_security;
5e41ff9e 2981
275bb41e
DH		 2982 newsid = tsec->create_sid;
2983
c957f6df 2984 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2985 dir, qstr,
2986 inode_mode_to_security_class(inode->i_mode),
2987 &newsid);
2988 if (rc)
2989 return rc;
5e41ff9e 2990
296fddf7 2991 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2992 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2993 struct inode_security_struct *isec = inode->i_security;
2994 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2995 isec->sid = newsid;
6f3be9f5 2996 isec->initialized = LABEL_INITIALIZED;
296fddf7 2997 }
5e41ff9e 2998
aa8e712c 2999 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 3000 return -EOPNOTSUPP;
3001
9548906b
TH		 3002 if (name)
3003 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 3004
570bc1c2 3005 if (value && len) {
aa8e712c
SS		 3006 rc = security_sid_to_context_force(&selinux_state, newsid,
3007 &context, &clen);
9548906b 3008 if (rc)
570bc1c2 3009 return rc;
570bc1c2
SS		 3010 *value = context;
3011 *len = clen;
5e41ff9e 3012 }
5e41ff9e 3013
5e41ff9e
SS		 3014 return 0;
3015}
3016
4acdaf27 3017static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3018{
3019 return may_create(dir, dentry, SECCLASS_FILE);
3020}
3021
1da177e4
LT		 3022static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3023{
1da177e4
LT		 3024 return may_link(dir, old_dentry, MAY_LINK);
3025}
3026
1da177e4
LT		 3027static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3028{
1da177e4
LT		 3029 return may_link(dir, dentry, MAY_UNLINK);
3030}
3031
3032static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3033{
3034 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3035}
3036
18bb1db3 3037static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3038{
3039 return may_create(dir, dentry, SECCLASS_DIR);
3040}
3041
1da177e4
LT		 3042static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3043{
3044 return may_link(dir, dentry, MAY_RMDIR);
3045}
3046
1a67aafb 3047static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3048{
1da177e4
LT		 3049 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3050}
3051
1da177e4 3052static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3053 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3054{
3055 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3056}
3057
1da177e4
LT		 3058static int selinux_inode_readlink(struct dentry *dentry)
3059{
88e67f3b
DH		 3060 const struct cred *cred = current_cred();
3061
2875fa00 3062 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3063}
3064
bda0be7a
N		 3065static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3066 bool rcu)
1da177e4 3067{
88e67f3b 3068 const struct cred *cred = current_cred();
bda0be7a
N		 3069 struct common_audit_data ad;
3070 struct inode_security_struct *isec;
3071 u32 sid;
1da177e4 3072
bda0be7a
N		 3073 validate_creds(cred);
3074
3075 ad.type = LSM_AUDIT_DATA_DENTRY;
3076 ad.u.dentry = dentry;
3077 sid = cred_sid(cred);
5d226df4
AG		 3078 isec = inode_security_rcu(inode, rcu);
3079 if (IS_ERR(isec))
3080 return PTR_ERR(isec);
bda0be7a 3081
6b6bc620
SS		 3082 return avc_has_perm_flags(&selinux_state,
3083 sid, isec->sid, isec->sclass, FILE__READ, &ad,
bda0be7a 3084 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3085}
3086
d4cf970d
EP		 3087static noinline int audit_inode_permission(struct inode *inode,
3088 u32 perms, u32 audited, u32 denied,
626b9740 3089 int result,
d4cf970d 3090 unsigned flags)
1da177e4 3091{
b782e0a6 3092 struct common_audit_data ad;
d4cf970d
EP		 3093 struct inode_security_struct *isec = inode->i_security;
3094 int rc;
3095
50c205f5 3096 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3097 ad.u.inode = inode;
3098
6b6bc620
SS		 3099 rc = slow_avc_audit(&selinux_state,
3100 current_sid(), isec->sid, isec->sclass, perms,
626b9740 3101 audited, denied, result, &ad, flags);
d4cf970d
EP		 3102 if (rc)
3103 return rc;
3104 return 0;
3105}
3106
e74f71eb 3107static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3108{
88e67f3b 3109 const struct cred *cred = current_cred();
b782e0a6
EP		 3110 u32 perms;
3111 bool from_access;
cf1dd1da 3112 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3113 struct inode_security_struct *isec;
3114 u32 sid;
3115 struct av_decision avd;
3116 int rc, rc2;
3117 u32 audited, denied;
1da177e4 3118
b782e0a6 3119 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3120 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3121
b782e0a6
EP		 3122 /* No permission to check. Existence test. */
3123 if (!mask)
1da177e4 3124 return 0;
1da177e4 3125
2e334057 3126 validate_creds(cred);
b782e0a6 3127
2e334057
EP		 3128 if (unlikely(IS_PRIVATE(inode)))
3129 return 0;
b782e0a6
EP		 3130
3131 perms = file_mask_to_av(inode->i_mode, mask);
3132
2e334057 3133 sid = cred_sid(cred);
5d226df4
AG		 3134 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3135 if (IS_ERR(isec))
3136 return PTR_ERR(isec);
2e334057 3137
6b6bc620
SS		 3138 rc = avc_has_perm_noaudit(&selinux_state,
3139 sid, isec->sid, isec->sclass, perms, 0, &avd);
2e334057
EP		 3140 audited = avc_audit_required(perms, &avd, rc,
3141 from_access ? FILE__AUDIT_ACCESS : 0,
3142 &denied);
3143 if (likely(!audited))
3144 return rc;
3145
626b9740 3146 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3147 if (rc2)
3148 return rc2;
3149 return rc;
1da177e4
LT		 3150}
3151
3152static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3153{
88e67f3b 3154 const struct cred *cred = current_cred();
ccb54478 3155 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3156 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3157 __u32 av = FILE__WRITE;
1da177e4 3158
bc6a6008
AW		 3159 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3160 if (ia_valid & ATTR_FORCE) {
3161 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3162 ATTR_FORCE);
3163 if (!ia_valid)
3164 return 0;
3165 }
1da177e4 3166
bc6a6008
AW		 3167 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3168 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3169 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3170
aa8e712c 3171 if (selinux_policycap_openperm() &&
ccb54478
SS		 3172 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3173 (ia_valid & ATTR_SIZE) &&
3174 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3175 av |= FILE__OPEN;
3176
3177 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3178}
3179
3f7036a0 3180static int selinux_inode_getattr(const struct path *path)
1da177e4 3181{
3f7036a0 3182 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3183}
3184
db59000a
SS		 3185static bool has_cap_mac_admin(bool audit)
3186{
3187 const struct cred *cred = current_cred();
3188 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3189
3190 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3191 return false;
3192 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3193 return false;
3194 return true;
3195}
3196
8f0cfa52
DH		 3197static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3198 const void *value, size_t size, int flags)
1da177e4 3199{
c6f493d6 3200 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3201 struct inode_security_struct *isec;
1da177e4 3202 struct superblock_security_struct *sbsec;
2bf49690 3203 struct common_audit_data ad;
275bb41e 3204 u32 newsid, sid = current_sid();
1da177e4
LT		 3205 int rc = 0;
3206
6b240306
EB		 3207 if (strcmp(name, XATTR_NAME_SELINUX)) {
3208 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3209 if (rc)
3210 return rc;
3211
3212 /* Not an attribute we recognize, so just check the
3213 ordinary setattr permission. */
3214 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3215 }
1da177e4
LT		 3216
3217 sbsec = inode->i_sb->s_security;
12f348b9 3218 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3219 return -EOPNOTSUPP;
3220
2e149670 3221 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3222 return -EPERM;
3223
50c205f5 3224 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3225 ad.u.dentry = dentry;
1da177e4 3226
20cdef8d 3227 isec = backing_inode_security(dentry);
6b6bc620
SS		 3228 rc = avc_has_perm(&selinux_state,
3229 sid, isec->sid, isec->sclass,
1da177e4
LT		 3230 FILE__RELABELFROM, &ad);
3231 if (rc)
3232 return rc;
3233
aa8e712c
SS		 3234 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3235 GFP_KERNEL);
12b29f34 3236 if (rc == -EINVAL) {
db59000a 3237 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3238 struct audit_buffer *ab;
3239 size_t audit_size;
d6ea83ec
EP		 3240
3241 /* We strip a nul only if it is at the end, otherwise the
3242 * context contains a nul and we should audit that */
e3fea3f7 3243 if (value) {
add24372
CIK		 3244 const char *str = value;
3245
e3fea3f7
AV		 3246 if (str[size - 1] == '\0')
3247 audit_size = size - 1;
3248 else
3249 audit_size = size;
3250 } else {
e3fea3f7
AV		 3251 audit_size = 0;
3252 }
cdfb6b34
RGB		 3253 ab = audit_log_start(audit_context(),
3254 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3255 audit_log_format(ab, "op=setxattr invalid_context=");
3256 audit_log_n_untrustedstring(ab, value, audit_size);
3257 audit_log_end(ab);
3258
12b29f34 3259 return rc;
d6ea83ec 3260 }
aa8e712c
SS		 3261 rc = security_context_to_sid_force(&selinux_state, value,
3262 size, &newsid);
12b29f34 3263 }
1da177e4
LT		 3264 if (rc)
3265 return rc;
3266
6b6bc620
SS		 3267 rc = avc_has_perm(&selinux_state,
3268 sid, newsid, isec->sclass,
1da177e4
LT		 3269 FILE__RELABELTO, &ad);
3270 if (rc)
3271 return rc;
3272
aa8e712c
SS		 3273 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3274 sid, isec->sclass);
1da177e4
LT		 3275 if (rc)
3276 return rc;
3277
6b6bc620
SS		 3278 return avc_has_perm(&selinux_state,
3279 newsid,
1da177e4
LT		 3280 sbsec->sid,
3281 SECCLASS_FILESYSTEM,
3282 FILESYSTEM__ASSOCIATE,
3283 &ad);
3284}
3285
8f0cfa52 3286static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3287 const void *value, size_t size,
8f0cfa52 3288 int flags)
1da177e4 3289{
c6f493d6 3290 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3291 struct inode_security_struct *isec;
1da177e4
LT		 3292 u32 newsid;
3293 int rc;
3294
3295 if (strcmp(name, XATTR_NAME_SELINUX)) {
3296 /* Not an attribute we recognize, so nothing to do. */
3297 return;
3298 }
3299
aa8e712c
SS		 3300 rc = security_context_to_sid_force(&selinux_state, value, size,
3301 &newsid);
1da177e4 3302 if (rc) {
c103a91e 3303 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3304 "for (%s, %lu), rc=%d\n",
3305 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3306 return;
3307 }
3308
20cdef8d 3309 isec = backing_inode_security(dentry);
9287aed2 3310 spin_lock(&isec->lock);
aa9c2669 3311 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3312 isec->sid = newsid;
6f3be9f5 3313 isec->initialized = LABEL_INITIALIZED;
9287aed2 3314 spin_unlock(&isec->lock);
aa9c2669 3315
1da177e4
LT		 3316 return;
3317}
3318
8f0cfa52 3319static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3320{
88e67f3b
DH		 3321 const struct cred *cred = current_cred();
3322
2875fa00 3323 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3324}
3325
828dfe1d 3326static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3327{
88e67f3b
DH		 3328 const struct cred *cred = current_cred();
3329
2875fa00 3330 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3331}
3332
8f0cfa52 3333static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3334{
6b240306
EB		 3335 if (strcmp(name, XATTR_NAME_SELINUX)) {
3336 int rc = cap_inode_removexattr(dentry, name);
3337 if (rc)
3338 return rc;
3339
3340 /* Not an attribute we recognize, so just check the
3341 ordinary setattr permission. */
3342 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3343 }
1da177e4
LT		 3344
3345 /* No one is allowed to remove a SELinux security label.
3346 You can change the label, but all data must be labeled. */
3347 return -EACCES;
3348}
3349
d381d8a9 3350/*
abc69bb6 3351 * Copy the inode security context value to the user.
d381d8a9
JM		 3352 *
3353 * Permission check is handled by selinux_inode_getxattr hook.
3354 */
ea861dfd 3355static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3356{
42492594
DQ		 3357 u32 size;
3358 int error;
3359 char *context = NULL;
20cdef8d 3360 struct inode_security_struct *isec;
d381d8a9 3361
8c8570fb
DK		 3362 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3363 return -EOPNOTSUPP;
d381d8a9 3364
abc69bb6
SS		 3365 /*
3366 * If the caller has CAP_MAC_ADMIN, then get the raw context
3367 * value even if it is not defined by current policy; otherwise,
3368 * use the in-core value under current policy.
3369 * Use the non-auditing forms of the permission checks since
3370 * getxattr may be called by unprivileged processes commonly
3371 * and lack of permission just means that we fall back to the
3372 * in-core context value, not a denial.
3373 */
20cdef8d 3374 isec = inode_security(inode);
db59000a 3375 if (has_cap_mac_admin(false))
aa8e712c
SS		 3376 error = security_sid_to_context_force(&selinux_state,
3377 isec->sid, &context,
abc69bb6
SS		 3378 &size);
3379 else
aa8e712c
SS		 3380 error = security_sid_to_context(&selinux_state, isec->sid,
3381 &context, &size);
42492594
DQ		 3382 if (error)
3383 return error;
3384 error = size;
3385 if (alloc) {
3386 *buffer = context;
3387 goto out_nofree;
3388 }
3389 kfree(context);
3390out_nofree:
3391 return error;
1da177e4
LT		 3392}
3393
3394static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3395 const void *value, size_t size, int flags)
1da177e4 3396{
2c97165b 3397 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3398 u32 newsid;
3399 int rc;
3400
3401 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3402 return -EOPNOTSUPP;
3403
3404 if (!value || !size)
3405 return -EACCES;
3406
aa8e712c
SS		 3407 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3408 GFP_KERNEL);
1da177e4
LT		 3409 if (rc)
3410 return rc;
3411
9287aed2 3412 spin_lock(&isec->lock);
aa9c2669 3413 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3414 isec->sid = newsid;
6f3be9f5 3415 isec->initialized = LABEL_INITIALIZED;
9287aed2 3416 spin_unlock(&isec->lock);
1da177e4
LT		 3417 return 0;
3418}
3419
3420static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3421{
3422 const int len = sizeof(XATTR_NAME_SELINUX);
3423 if (buffer && len <= buffer_size)
3424 memcpy(buffer, XATTR_NAME_SELINUX, len);
3425 return len;
3426}
3427
d6335d77 3428static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3429{
e817c2f3 3430 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3431 *secid = isec->sid;
3432}
3433
56909eb3
VG		 3434static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3435{
3436 u32 sid;
3437 struct task_security_struct *tsec;
3438 struct cred *new_creds = *new;
3439
3440 if (new_creds == NULL) {
3441 new_creds = prepare_creds();
3442 if (!new_creds)
3443 return -ENOMEM;
3444 }
3445
3446 tsec = new_creds->security;
3447 /* Get label from overlay inode and set it in create_sid */
3448 selinux_inode_getsecid(d_inode(src), &sid);
3449 tsec->create_sid = sid;
3450 *new = new_creds;
3451 return 0;
3452}
3453
19472b69
VG		 3454static int selinux_inode_copy_up_xattr(const char *name)
3455{
3456 /* The copy_up hook above sets the initial context on an inode, but we
3457 * don't then want to overwrite it by blindly copying all the lower
3458 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3459 */
3460 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3461 return 1; /* Discard */
3462 /*
3463 * Any other attribute apart from SELINUX is not claimed, supported
3464 * by selinux.
3465 */
3466 return -EOPNOTSUPP;
3467}
3468
1da177e4
LT		 3469/* file security operations */
3470
788e7dd4 3471static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3472{
88e67f3b 3473 const struct cred *cred = current_cred();
496ad9aa 3474 struct inode *inode = file_inode(file);
1da177e4 3475
1da177e4
LT		 3476 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3477 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3478 mask |= MAY_APPEND;
3479
389fb800
PM		 3480 return file_has_perm(cred, file,
3481 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3482}
3483
788e7dd4
YN		 3484static int selinux_file_permission(struct file *file, int mask)
3485{
496ad9aa 3486 struct inode *inode = file_inode(file);
20dda18b 3487 struct file_security_struct *fsec = file->f_security;
b197367e 3488 struct inode_security_struct *isec;
20dda18b
SS		 3489 u32 sid = current_sid();
3490
389fb800 3491 if (!mask)
788e7dd4
YN		 3492 /* No permission to check. Existence test. */
3493 return 0;
788e7dd4 3494
b197367e 3495 isec = inode_security(inode);
20dda18b 3496 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3497 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3498 /* No change since file_open check. */
20dda18b
SS		 3499 return 0;
3500
788e7dd4
YN		 3501 return selinux_revalidate_file_permission(file, mask);
3502}
3503
1da177e4
LT		 3504static int selinux_file_alloc_security(struct file *file)
3505{
3506 return file_alloc_security(file);
3507}
3508
3509static void selinux_file_free_security(struct file *file)
3510{
3511 file_free_security(file);
3512}
3513
fa1aa143
JVS		 3514/*
3515 * Check whether a task has the ioctl permission and cmd
3516 * operation to an inode.
3517 */
1d2a168a 3518static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3519 u32 requested, u16 cmd)
3520{
3521 struct common_audit_data ad;
3522 struct file_security_struct *fsec = file->f_security;
3523 struct inode *inode = file_inode(file);
20cdef8d 3524 struct inode_security_struct *isec;
fa1aa143
JVS		 3525 struct lsm_ioctlop_audit ioctl;
3526 u32 ssid = cred_sid(cred);
3527 int rc;
3528 u8 driver = cmd >> 8;
3529 u8 xperm = cmd & 0xff;
3530
3531 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3532 ad.u.op = &ioctl;
3533 ad.u.op->cmd = cmd;
3534 ad.u.op->path = file->f_path;
3535
3536 if (ssid != fsec->sid) {
6b6bc620
SS		 3537 rc = avc_has_perm(&selinux_state,
3538 ssid, fsec->sid,
fa1aa143
JVS		 3539 SECCLASS_FD,
3540 FD__USE,
3541 &ad);
3542 if (rc)
3543 goto out;
3544 }
3545
3546 if (unlikely(IS_PRIVATE(inode)))
3547 return 0;
3548
20cdef8d 3549 isec = inode_security(inode);
6b6bc620
SS		 3550 rc = avc_has_extended_perms(&selinux_state,
3551 ssid, isec->sid, isec->sclass,
3552 requested, driver, xperm, &ad);
fa1aa143
JVS		 3553out:
3554 return rc;
3555}
3556
1da177e4
LT		 3557static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3558 unsigned long arg)
3559{
88e67f3b 3560 const struct cred *cred = current_cred();
0b24dcb7 3561 int error = 0;
1da177e4 3562
0b24dcb7
EP		 3563 switch (cmd) {
3564 case FIONREAD:
3565 /* fall through */
3566 case FIBMAP:
3567 /* fall through */
3568 case FIGETBSZ:
3569 /* fall through */
2f99c369 3570 case FS_IOC_GETFLAGS:
0b24dcb7 3571 /* fall through */
2f99c369 3572 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3573 error = file_has_perm(cred, file, FILE__GETATTR);
3574 break;
1da177e4 3575
2f99c369 3576 case FS_IOC_SETFLAGS:
0b24dcb7 3577 /* fall through */
2f99c369 3578 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3579 error = file_has_perm(cred, file, FILE__SETATTR);
3580 break;
3581
3582 /* sys_ioctl() checks */
3583 case FIONBIO:
3584 /* fall through */
3585 case FIOASYNC:
3586 error = file_has_perm(cred, file, 0);
3587 break;
1da177e4 3588
0b24dcb7
EP		 3589 case KDSKBENT:
3590 case KDSKBSENT:
6a9de491 3591 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3592 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3593 break;
3594
3595 /* default case assumes that the command will go
3596 * to the file's ioctl() function.
3597 */
3598 default:
fa1aa143 3599 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3600 }
3601 return error;
1da177e4
LT		 3602}
3603
fcaaade1
SS		 3604static int default_noexec;
3605
1da177e4
LT		 3606static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3607{
88e67f3b 3608 const struct cred *cred = current_cred();
be0554c9 3609 u32 sid = cred_sid(cred);
d84f4f99 3610 int rc = 0;
88e67f3b 3611
fcaaade1 3612 if (default_noexec &&
892e8cac
SS		 3613 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3614 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3615 /*
3616 * We are making executable an anonymous mapping or a
3617 * private file mapping that will also be writable.
3618 * This has an additional check.
3619 */
6b6bc620
SS		 3620 rc = avc_has_perm(&selinux_state,
3621 sid, sid, SECCLASS_PROCESS,
be0554c9 3622 PROCESS__EXECMEM, NULL);
1da177e4 3623 if (rc)
d84f4f99 3624 goto error;
1da177e4 3625 }
1da177e4
LT		 3626
3627 if (file) {
3628 /* read access is always possible with a mapping */
3629 u32 av = FILE__READ;
3630
3631 /* write access only matters if the mapping is shared */
3632 if (shared && (prot & PROT_WRITE))
3633 av |= FILE__WRITE;
3634
3635 if (prot & PROT_EXEC)
3636 av |= FILE__EXECUTE;
3637
88e67f3b 3638 return file_has_perm(cred, file, av);
1da177e4 3639 }
d84f4f99
DH		 3640
3641error:
3642 return rc;
1da177e4
LT		 3643}
3644
e5467859 3645static int selinux_mmap_addr(unsigned long addr)
1da177e4 3646{
b1d9e6b0 3647 int rc = 0;
1da177e4 3648
a2551df7 3649 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3650 u32 sid = current_sid();
6b6bc620
SS		 3651 rc = avc_has_perm(&selinux_state,
3652 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3653 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3654 }
3655
98883bfd 3656 return rc;
e5467859 3657}
1da177e4 3658
e5467859
AV		 3659static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3660 unsigned long prot, unsigned long flags)
3661{
3ba4bf5f
SS		 3662 struct common_audit_data ad;
3663 int rc;
3664
3665 if (file) {
3666 ad.type = LSM_AUDIT_DATA_FILE;
3667 ad.u.file = file;
3668 rc = inode_has_perm(current_cred(), file_inode(file),
3669 FILE__MAP, &ad);
3670 if (rc)
3671 return rc;
3672 }
3673
aa8e712c 3674 if (selinux_state.checkreqprot)
1da177e4
LT		 3675 prot = reqprot;
3676
3677 return file_map_prot_check(file, prot,
3678 (flags & MAP_TYPE) == MAP_SHARED);
3679}
3680
3681static int selinux_file_mprotect(struct vm_area_struct *vma,
3682 unsigned long reqprot,
3683 unsigned long prot)
3684{
88e67f3b 3685 const struct cred *cred = current_cred();
be0554c9 3686 u32 sid = cred_sid(cred);
1da177e4 3687
aa8e712c 3688 if (selinux_state.checkreqprot)
1da177e4
LT		 3689 prot = reqprot;
3690
fcaaade1
SS		 3691 if (default_noexec &&
3692 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3693 int rc = 0;
db4c9641
SS		 3694 if (vma->vm_start >= vma->vm_mm->start_brk &&
3695 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3696 rc = avc_has_perm(&selinux_state,
3697 sid, sid, SECCLASS_PROCESS,
be0554c9 3698 PROCESS__EXECHEAP, NULL);
db4c9641 3699 } else if (!vma->vm_file &&
c2316dbf
SS		 3700 ((vma->vm_start <= vma->vm_mm->start_stack &&
3701 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3702 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3703 rc = avc_has_perm(&selinux_state,
3704 sid, sid, SECCLASS_PROCESS,
be0554c9 3705 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3706 } else if (vma->vm_file && vma->anon_vma) {
3707 /*
3708 * We are making executable a file mapping that has
3709 * had some COW done. Since pages might have been
3710 * written, check ability to execute the possibly
3711 * modified content. This typically should only
3712 * occur for text relocations.
3713 */
d84f4f99 3714 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3715 }