projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: reduce the object class calculations at inode init time
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4 2/*
90aa4f5e 3 * Security-Enhanced Linux (SELinux) security module
1da177e4
LT		 4 *
5 * This file contains the SELinux hook function implementations.
6 *
0fe53224 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
b89999d0 27#include <linux/kernel_read_file.h>
1da177e4 28#include <linux/errno.h>
3f07c014 29#include <linux/sched/signal.h>
29930025 30#include <linux/sched/task.h>
3c4ed7bd 31#include <linux/lsm_hooks.h>
1da177e4
LT		 32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
0b24dcb7 39#include <linux/proc_fs.h>
1da177e4 40#include <linux/swap.h>
1da177e4
LT		 41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
2a7dba39 43#include <linux/dcache.h>
1da177e4 44#include <linux/file.h>
9f3acc31 45#include <linux/fdtable.h>
1da177e4
LT		 46#include <linux/namei.h>
47#include <linux/mount.h>
442155c1
DH		 48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
d452930f
RH		 69#include <linux/sctp.h>
70#include <net/sctp/structs.h>
1da177e4
LT		 71#include <linux/quota.h>
72#include <linux/un.h> /* for Unix socket types */
73#include <net/af_unix.h> /* for Unix socket types */
74#include <linux/parser.h>
75#include <linux/nfs_mount.h>
76#include <net/ipv6.h>
77#include <linux/hugetlb.h>
78#include <linux/personality.h>
1da177e4 79#include <linux/audit.h>
6931dfc9 80#include <linux/string.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
bc46ef3c 88#include <uapi/linux/shm.h>
ec27c356 89#include <linux/bpf.h>
ec882da5
OM		 90#include <linux/kernfs.h>
91#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 92#include <uapi/linux/mount.h>
ac5656d8
AG		 93#include <linux/fsnotify.h>
94#include <linux/fanotify.h>
b66509b8 95#include <linux/io_uring/cmd.h>
f3b8788c 96#include <uapi/linux/lsm.h>
1da177e4
LT		 97
98#include "avc.h"
99#include "objsec.h"
100#include "netif.h"
224dfbd8 101#include "netnode.h"
3e112172 102#include "netport.h"
409dcf31 103#include "ibpkey.h"
d28d1e08 104#include "xfrm.h"
c60475bf 105#include "netlabel.h"
9d57a7f9 106#include "audit.h"
7b98a585 107#include "avc_ss.h"
1da177e4 108
6bcdfd2c
RS		 109#define SELINUX_INODE_INIT_XATTRS 1
110
aa8e712c
SS		 111struct selinux_state selinux_state;
112
d621d35e 113/* SECMARK reference count */
56a4ca99 114static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 115
1da177e4 116#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
6c5a682e 117static int selinux_enforcing_boot __initdata;
1da177e4
LT		 118
119static int __init enforcing_setup(char *str)
120{
f5269710 121 unsigned long enforcing;
29707b20 122 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 123 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 124 return 1;
125}
126__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 127#else
128#define selinux_enforcing_boot 1
1da177e4
LT		 129#endif
130
6c5a682e 131int selinux_enabled_boot __initdata = 1;
1da177e4 132#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 133static int __init selinux_enabled_setup(char *str)
134{
f5269710 135 unsigned long enabled;
29707b20 136 if (!kstrtoul(str, 0, &enabled))
6c5a682e 137 selinux_enabled_boot = enabled ? 1 : 0;
1da177e4
LT		 138 return 1;
139}
140__setup("selinux=", selinux_enabled_setup);
141#endif
142
aa8e712c
SS		 143static int __init checkreqprot_setup(char *str)
144{
145 unsigned long checkreqprot;
146
e9c38f9f 147 if (!kstrtoul(str, 0, &checkreqprot)) {
e9c38f9f 148 if (checkreqprot)
a7e4676e 149 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
e9c38f9f 150 }
aa8e712c
SS		 151 return 1;
152}
153__setup("checkreqprot=", checkreqprot_setup);
154
d621d35e
PM		 155/**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 164 *
165 */
166static int selinux_secmark_enabled(void)
167{
aa8e712c
SS		 168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 170}
171
172/**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
182static int selinux_peerlbl_enabled(void)
183{
aa8e712c
SS		 184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 186}
187
615e51fd
PM		 188static int selinux_netcache_avc_callback(u32 event)
189{
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197}
198
8f408ab6
DJ		 199static int selinux_lsm_notifier_avc_callback(u32 event)
200{
409dcf31
DJ		 201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
42df744c 203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 204 }
8f408ab6
DJ		 205
206 return 0;
207}
208
d84f4f99
DH		 209/*
210 * initialise the security for the init task
211 */
212static void cred_init_security(void)
1da177e4
LT		 213{
214 struct task_security_struct *tsec;
215
cdeea454 216 tsec = selinux_cred(unrcu_pointer(current->real_cred));
d84f4f99 217 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 218}
219
88e67f3b
DH		 220/*
221 * get the security ID of a set of credentials
222 */
223static inline u32 cred_sid(const struct cred *cred)
224{
225 const struct task_security_struct *tsec;
226
0c6cfa62 227 tsec = selinux_cred(cred);
88e67f3b
DH		 228 return tsec->sid;
229}
230
dd51fcd4
PA		 231static void __ad_net_init(struct common_audit_data *ad,
232 struct lsm_network_audit *net,
233 int ifindex, struct sock *sk, u16 family)
234{
235 ad->type = LSM_AUDIT_DATA_NET;
236 ad->u.net = net;
237 net->netif = ifindex;
238 net->sk = sk;
239 net->family = family;
240}
241
242static void ad_net_init_from_sk(struct common_audit_data *ad,
243 struct lsm_network_audit *net,
244 struct sock *sk)
245{
246 __ad_net_init(ad, net, 0, sk, 0);
247}
248
249static void ad_net_init_from_iif(struct common_audit_data *ad,
250 struct lsm_network_audit *net,
251 int ifindex, u16 family)
252{
3876043a 253 __ad_net_init(ad, net, ifindex, NULL, family);
dd51fcd4
PA		 254}
255
275bb41e 256/*
3b11a1de 257 * get the objective security ID of a task
275bb41e 258 */
eb1231f7 259static inline u32 task_sid_obj(const struct task_struct *task)
275bb41e 260{
275bb41e
DH		 261 u32 sid;
262
263 rcu_read_lock();
88e67f3b 264 sid = cred_sid(__task_cred(task));
275bb41e
DH		 265 rcu_read_unlock();
266 return sid;
267}
268
5d226df4
AG		 269static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
270
271/*
272 * Try reloading inode security labels that have been marked as invalid. The
273 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 274 * allowed; when set to false, returns -ECHILD when the label is
e9193288 275 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 276 */
277static int __inode_security_revalidate(struct inode *inode,
e9193288 278 struct dentry *dentry,
5d226df4
AG		 279 bool may_sleep)
280{
80788c22 281 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 282
283 might_sleep_if(may_sleep);
284
e67b7985 285 if (selinux_initialized() &&
aa8e712c 286 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 287 if (!may_sleep)
288 return -ECHILD;
289
290 /*
291 * Try reloading the inode security label. This will fail if
292 * @opt_dentry is NULL and no dentry for this inode can be
293 * found; in that case, continue using the old label.
294 */
e9193288 295 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 296 }
297 return 0;
298}
299
5d226df4
AG		 300static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
301{
80788c22 302 return selinux_inode(inode);
5d226df4
AG		 303}
304
305static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
306{
307 int error;
308
309 error = __inode_security_revalidate(inode, NULL, !rcu);
310 if (error)
311 return ERR_PTR(error);
80788c22 312 return selinux_inode(inode);
5d226df4
AG		 313}
314
83da53c5
AG		 315/*
316 * Get the security label of an inode.
317 */
318static struct inode_security_struct *inode_security(struct inode *inode)
319{
5d226df4 320 __inode_security_revalidate(inode, NULL, true);
80788c22 321 return selinux_inode(inode);
83da53c5
AG		 322}
323
2c97165b
PM		 324static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
325{
326 struct inode *inode = d_backing_inode(dentry);
327
80788c22 328 return selinux_inode(inode);
2c97165b
PM		 329}
330
83da53c5
AG		 331/*
332 * Get the security label of a dentry's backing inode.
333 */
334static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
335{
336 struct inode *inode = d_backing_inode(dentry);
337
5d226df4 338 __inode_security_revalidate(inode, dentry, true);
80788c22 339 return selinux_inode(inode);
83da53c5
AG		 340}
341
1da177e4
LT		 342static void inode_free_security(struct inode *inode)
343{
80788c22 344 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 345 struct superblock_security_struct *sbsec;
1da177e4 346
afb1cbe3
CS		 347 if (!isec)
348 return;
1aea7808 349 sbsec = selinux_superblock(inode->i_sb);
9629d04a
WL		 350 /*
351 * As not all inode security structures are in a list, we check for
352 * empty list outside of the lock to make sure that we won't waste
353 * time taking a lock doing nothing.
354 *
355 * The list_del_init() function can be safely called more than once.
356 * It should not be possible for this function to be called with
357 * concurrent list_add(), but for better safety against future changes
358 * in the code, we use list_empty_careful() here.
359 */
360 if (!list_empty_careful(&isec->list)) {
361 spin_lock(&sbsec->isec_lock);
1da177e4 362 list_del_init(&isec->list);
9629d04a
WL		 363 spin_unlock(&sbsec->isec_lock);
364 }
1da177e4
LT		 365}
366
bd323655 367struct selinux_mnt_opts {
b8b87fd9
SM		 368 u32 fscontext_sid;
369 u32 context_sid;
370 u32 rootcontext_sid;
371 u32 defcontext_sid;
bd323655
AV		 372};
373
204cc0cc
AV		 374static void selinux_free_mnt_opts(void *mnt_opts)
375{
70f4169a 376 kfree(mnt_opts);
204cc0cc
AV		 377}
378
1da177e4 379enum {
31e87930 380 Opt_error = -1,
442155c1
DH		 381 Opt_context = 0,
382 Opt_defcontext = 1,
1da177e4 383 Opt_fscontext = 2,
442155c1
DH		 384 Opt_rootcontext = 3,
385 Opt_seclabel = 4,
1da177e4
LT		 386};
387
da3d76ab 388#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
4158cb60 389static const struct {
169d68ef
AV		 390 const char *name;
391 int len;
392 int opt;
393 bool has_arg;
394} tokens[] = {
da3d76ab
AV		 395 A(context, true),
396 A(fscontext, true),
397 A(defcontext, true),
398 A(rootcontext, true),
399 A(seclabel, false),
1da177e4 400};
169d68ef
AV		 401#undef A
402
403static int match_opt_prefix(char *s, int l, char **arg)
404{
405 int i;
406
407 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
408 size_t len = tokens[i].len;
409 if (len > l || memcmp(s, tokens[i].name, len))
410 continue;
411 if (tokens[i].has_arg) {
412 if (len == l || s[len] != '=')
413 continue;
414 *arg = s + len + 1;
415 } else if (len != l)
416 continue;
417 return tokens[i].opt;
418 }
419 return Opt_error;
420}
1da177e4
LT		 421
422#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
423
c312feb2
EP		 424static int may_context_mount_sb_relabel(u32 sid,
425 struct superblock_security_struct *sbsec,
275bb41e 426 const struct cred *cred)
c312feb2 427{
0c6cfa62 428 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 429 int rc;
430
e67b7985 431 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 432 FILESYSTEM__RELABELFROM, NULL);
433 if (rc)
434 return rc;
435
e67b7985 436 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 437 FILESYSTEM__RELABELTO, NULL);
438 return rc;
439}
440
0808925e
EP		 441static int may_context_mount_inode_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
275bb41e 443 const struct cred *cred)
0808925e 444{
0c6cfa62 445 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 446 int rc;
e67b7985 447 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 448 FILESYSTEM__RELABELFROM, NULL);
449 if (rc)
450 return rc;
451
e67b7985 452 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 453 FILESYSTEM__ASSOCIATE, NULL);
454 return rc;
455}
456
a83d6dda 457static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 458{
a83d6dda
OM		 459 /* Special handling. Genfs but also in-core setxattr handler */
460 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 461 !strcmp(sb->s_type->name, "pstore") ||
462 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 463 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 464 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 465 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 466 (!strcmp(sb->s_type->name, "cgroup") ||
467 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 468}
469
a83d6dda
OM		 470static int selinux_is_sblabel_mnt(struct super_block *sb)
471{
1aea7808 472 struct superblock_security_struct *sbsec = selinux_superblock(sb);
a83d6dda
OM		 473
474 /*
475 * IMPORTANT: Double-check logic in this function when adding a new
476 * SECURITY_FS_USE_* definition!
477 */
478 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
479
480 switch (sbsec->behavior) {
481 case SECURITY_FS_USE_XATTR:
482 case SECURITY_FS_USE_TRANS:
483 case SECURITY_FS_USE_TASK:
484 case SECURITY_FS_USE_NATIVE:
485 return 1;
486
487 case SECURITY_FS_USE_GENFS:
488 return selinux_is_genfs_special_handling(sb);
489
490 /* Never allow relabeling on context mounts */
491 case SECURITY_FS_USE_MNTPOINT:
492 case SECURITY_FS_USE_NONE:
493 default:
494 return 0;
495 }
496}
497
08abe46b
OM		 498static int sb_check_xattr_support(struct super_block *sb)
499{
0266c25e 500 struct superblock_security_struct *sbsec = selinux_superblock(sb);
08abe46b
OM		 501 struct dentry *root = sb->s_root;
502 struct inode *root_inode = d_backing_inode(root);
503 u32 sid;
504 int rc;
505
506 /*
507 * Make sure that the xattr handler exists and that no
508 * error other than -ENODATA is returned by getxattr on
509 * the root directory. -ENODATA is ok, as this may be
510 * the first boot of the SELinux kernel before we have
511 * assigned xattr values to the filesystem.
512 */
513 if (!(root_inode->i_opflags & IOP_XATTR)) {
514 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
515 sb->s_id, sb->s_type->name);
516 goto fallback;
517 }
518
519 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
520 if (rc < 0 && rc != -ENODATA) {
521 if (rc == -EOPNOTSUPP) {
522 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
523 sb->s_id, sb->s_type->name);
524 goto fallback;
525 } else {
526 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
527 sb->s_id, sb->s_type->name, -rc);
528 return rc;
529 }
530 }
531 return 0;
532
533fallback:
534 /* No xattr support - try to fallback to genfs if possible. */
e67b7985 535 rc = security_genfs_sid(sb->s_type->name, "/",
08abe46b
OM		 536 SECCLASS_DIR, &sid);
537 if (rc)
538 return -EOPNOTSUPP;
539
540 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
541 sb->s_id, sb->s_type->name);
542 sbsec->behavior = SECURITY_FS_USE_GENFS;
543 sbsec->sid = sid;
544 return 0;
545}
546
c9180a57 547static int sb_finish_set_opts(struct super_block *sb)
1da177e4 548{
1aea7808 549 struct superblock_security_struct *sbsec = selinux_superblock(sb);
c9180a57 550 struct dentry *root = sb->s_root;
c6f493d6 551 struct inode *root_inode = d_backing_inode(root);
c9180a57 552 int rc = 0;
1da177e4 553
c9180a57 554 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
08abe46b
OM		 555 rc = sb_check_xattr_support(sb);
556 if (rc)
557 return rc;
c9180a57 558 }
1da177e4 559
eadcabc6 560 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 561
562 /*
563 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
564 * leave the flag untouched because sb_clone_mnt_opts might be handing
565 * us a superblock that needs the flag to be cleared.
566 */
b43e725d 567 if (selinux_is_sblabel_mnt(sb))
12f348b9 568 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 569 else
570 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 571
c9180a57
EP		 572 /* Initialize the root inode. */
573 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 574
c9180a57
EP		 575 /* Initialize any other inodes associated with the superblock, e.g.
576 inodes created prior to initial policy load or inodes created
577 during get_sb by a pseudo filesystem that directly
578 populates itself. */
579 spin_lock(&sbsec->isec_lock);
8d64124a 580 while (!list_empty(&sbsec->isec_head)) {
c9180a57 581 struct inode_security_struct *isec =
8d64124a 582 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 583 struct inode_security_struct, list);
584 struct inode *inode = isec->inode;
923190d3 585 list_del_init(&isec->list);
c9180a57
EP		 586 spin_unlock(&sbsec->isec_lock);
587 inode = igrab(inode);
588 if (inode) {
589 if (!IS_PRIVATE(inode))
cb89e246 590 inode_doinit_with_dentry(inode, NULL);
c9180a57
EP		 591 iput(inode);
592 }
593 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 594 }
595 spin_unlock(&sbsec->isec_lock);
c9180a57
EP		 596 return rc;
597}
1da177e4 598
c9180a57
EP		 599static int bad_option(struct superblock_security_struct *sbsec, char flag,
600 u32 old_sid, u32 new_sid)
601{
0d90a7ec
DQ		 602 char mnt_flags = sbsec->flags & SE_MNTMASK;
603
c9180a57 604 /* check if the old mount command had the same options */
0d90a7ec 605 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 606 if (!(sbsec->flags & flag) ||
607 (old_sid != new_sid))
608 return 1;
609
610 /* check if we were passed the same options twice,
611 * aka someone passed context=a,context=b
612 */
0d90a7ec
DQ		 613 if (!(sbsec->flags & SE_SBINITIALIZED))
614 if (mnt_flags & flag)
c9180a57
EP		 615 return 1;
616 return 0;
617}
e0007529 618
c9180a57
EP		 619/*
620 * Allow filesystems with binary mount data to explicitly set mount point
621 * labeling information.
622 */
e0007529 623static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 624 void *mnt_opts,
649f6e77
DQ		 625 unsigned long kern_flags,
626 unsigned long *set_kern_flags)
c9180a57 627{
275bb41e 628 const struct cred *cred = current_cred();
1aea7808 629 struct superblock_security_struct *sbsec = selinux_superblock(sb);
b159e86b 630 struct dentry *root = sb->s_root;
bd323655 631 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 632 struct inode_security_struct *root_isec;
c9180a57
EP		 633 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
634 u32 defcontext_sid = 0;
bd323655 635 int rc = 0;
c9180a57 636
cec5fe70
OM		 637 /*
638 * Specifying internal flags without providing a place to
639 * place the results is not allowed
640 */
641 if (kern_flags && !set_kern_flags)
642 return -EINVAL;
643
c9180a57
EP		 644 mutex_lock(&sbsec->lock);
645
e67b7985 646 if (!selinux_initialized()) {
bd323655 647 if (!opts) {
c9180a57
EP		 648 /* Defer initialization until selinux_complete_init,
649 after the initial policy is loaded and the security
650 server is ready to handle calls. */
cec5fe70
OM		 651 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
652 sbsec->flags |= SE_SBNATIVE;
653 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
654 }
c9180a57
EP		 655 goto out;
656 }
657 rc = -EINVAL;
c103a91e 658 pr_warn("SELinux: Unable to set superblock options "
744ba35e 659 "before the security server is initialized\n");
1da177e4 660 goto out;
c9180a57 661 }
1da177e4 662
e0007529
EP		 663 /*
664 * Binary mount data FS will come through this function twice. Once
665 * from an explicit call and once from the generic calls from the vfs.
666 * Since the generic VFS calls will not contain any security mount data
667 * we need to skip the double mount verification.
668 *
669 * This does open a hole in which we will not notice if the first
9691e4f9 670 * mount using this sb set explicit options and a second mount using
e0007529
EP		 671 * this sb does not set any security options. (The first options
672 * will be used for both mounts)
673 */
0d90a7ec 674 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 675 && !opts)
f5269710 676 goto out;
e0007529 677
2c97165b
PM		 678 root_isec = backing_inode_security_novalidate(root);
679
c9180a57
EP		 680 /*
681 * parse the mount options, check if they are valid sids.
682 * also check if someone is trying to mount the same sb more
683 * than once with different security options.
684 */
bd323655 685 if (opts) {
70f4169a
OM		 686 if (opts->fscontext_sid) {
687 fscontext_sid = opts->fscontext_sid;
c9180a57
EP		 688 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
689 fscontext_sid))
690 goto out_double_mount;
c9180a57 691 sbsec->flags |= FSCONTEXT_MNT;
bd323655 692 }
70f4169a
OM		 693 if (opts->context_sid) {
694 context_sid = opts->context_sid;
c9180a57
EP		 695 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
696 context_sid))
697 goto out_double_mount;
c9180a57 698 sbsec->flags |= CONTEXT_MNT;
bd323655 699 }
70f4169a
OM		 700 if (opts->rootcontext_sid) {
701 rootcontext_sid = opts->rootcontext_sid;
c9180a57
EP		 702 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
703 rootcontext_sid))
704 goto out_double_mount;
c9180a57 705 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655 706 }
70f4169a
OM		 707 if (opts->defcontext_sid) {
708 defcontext_sid = opts->defcontext_sid;
c9180a57
EP		 709 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
710 defcontext_sid))
711 goto out_double_mount;
c9180a57 712 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 713 }
c9180a57
EP		 714 }
715
0d90a7ec 716 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 717 /* previously mounted with options, but not on this attempt? */
bd323655 718 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 719 goto out_double_mount;
720 rc = 0;
721 goto out;
722 }
723
089be43e 724 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 725 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
726
8e014720 727 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 728 !strcmp(sb->s_type->name, "tracefs") ||
a20456ae 729 !strcmp(sb->s_type->name, "binder") ||
4ca54d3d 730 !strcmp(sb->s_type->name, "bpf") ||
8a764ef1
CG		 731 !strcmp(sb->s_type->name, "pstore") ||
732 !strcmp(sb->s_type->name, "securityfs"))
b754026b
OM		 733 sbsec->flags |= SE_SBGENFS;
734
735 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 736 !strcmp(sb->s_type->name, "cgroup") ||
737 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 738 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 739
eb9ae686
DQ		 740 if (!sbsec->behavior) {
741 /*
742 * Determine the labeling behavior to use for this
743 * filesystem type.
744 */
e67b7985 745 rc = security_fs_use(sb);
eb9ae686 746 if (rc) {
c103a91e 747 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 748 __func__, sb->s_type->name, rc);
749 goto out;
750 }
c9180a57 751 }
aad82892
SF		 752
753 /*
01593d32
SS		 754 * If this is a user namespace mount and the filesystem type is not
755 * explicitly whitelisted, then no contexts are allowed on the command
756 * line and security labels must be ignored.
aad82892 757 */
01593d32
SS		 758 if (sb->s_user_ns != &init_user_ns &&
759 strcmp(sb->s_type->name, "tmpfs") &&
760 strcmp(sb->s_type->name, "ramfs") &&
7fa2e79a
VG		 761 strcmp(sb->s_type->name, "devpts") &&
762 strcmp(sb->s_type->name, "overlay")) {
aad82892
SF		 763 if (context_sid || fscontext_sid || rootcontext_sid ||
764 defcontext_sid) {
765 rc = -EACCES;
766 goto out;
767 }
768 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
769 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
e67b7985 770 rc = security_transition_sid(current_sid(),
aa8e712c 771 current_sid(),
aad82892
SF		 772 SECCLASS_FILE, NULL,
773 &sbsec->mntpoint_sid);
774 if (rc)
775 goto out;
776 }
777 goto out_set_opts;
778 }
779
c9180a57
EP		 780 /* sets the context of the superblock for the fs being mounted. */
781 if (fscontext_sid) {
275bb41e 782 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 783 if (rc)
c9180a57 784 goto out;
1da177e4 785
c9180a57 786 sbsec->sid = fscontext_sid;
c312feb2
EP		 787 }
788
789 /*
790 * Switch to using mount point labeling behavior.
791 * sets the label used on all file below the mountpoint, and will set
792 * the superblock context if not already set.
793 */
cec5fe70
OM		 794 if (sbsec->flags & SE_SBNATIVE) {
795 /*
796 * This means we are initializing a superblock that has been
797 * mounted before the SELinux was initialized and the
798 * filesystem requested native labeling. We had already
799 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
800 * in the original mount attempt, so now we just need to set
801 * the SECURITY_FS_USE_NATIVE behavior.
802 */
803 sbsec->behavior = SECURITY_FS_USE_NATIVE;
804 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
eb9ae686
DQ		 805 sbsec->behavior = SECURITY_FS_USE_NATIVE;
806 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
807 }
808
c9180a57
EP		 809 if (context_sid) {
810 if (!fscontext_sid) {
275bb41e
DH		 811 rc = may_context_mount_sb_relabel(context_sid, sbsec,
812 cred);
b04ea3ce 813 if (rc)
c9180a57
EP		 814 goto out;
815 sbsec->sid = context_sid;
b04ea3ce 816 } else {
275bb41e
DH		 817 rc = may_context_mount_inode_relabel(context_sid, sbsec,
818 cred);
b04ea3ce 819 if (rc)
c9180a57 820 goto out;
b04ea3ce 821 }
c9180a57
EP		 822 if (!rootcontext_sid)
823 rootcontext_sid = context_sid;
1da177e4 824
c9180a57 825 sbsec->mntpoint_sid = context_sid;
c312feb2 826 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 827 }
828
c9180a57 829 if (rootcontext_sid) {
275bb41e
DH		 830 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
831 cred);
0808925e 832 if (rc)
c9180a57 833 goto out;
0808925e 834
c9180a57 835 root_isec->sid = rootcontext_sid;
6f3be9f5 836 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 837 }
838
c9180a57 839 if (defcontext_sid) {
eb9ae686
DQ		 840 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
841 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 842 rc = -EINVAL;
c103a91e 843 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 844 "invalid for this filesystem type\n");
845 goto out;
1da177e4
LT		 846 }
847
c9180a57
EP		 848 if (defcontext_sid != sbsec->def_sid) {
849 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 850 sbsec, cred);
c9180a57
EP		 851 if (rc)
852 goto out;
853 }
1da177e4 854
c9180a57 855 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 856 }
857
aad82892 858out_set_opts:
c9180a57 859 rc = sb_finish_set_opts(sb);
1da177e4 860out:
c9180a57 861 mutex_unlock(&sbsec->lock);
1da177e4 862 return rc;
c9180a57
EP		 863out_double_mount:
864 rc = -EINVAL;
c103a91e 865 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 866 "security settings for (dev %s, type %s)\n", sb->s_id,
867 sb->s_type->name);
c9180a57 868 goto out;
1da177e4
LT		 869}
870
094f7b69
JL		 871static int selinux_cmp_sb_context(const struct super_block *oldsb,
872 const struct super_block *newsb)
873{
1aea7808
CS		 874 struct superblock_security_struct *old = selinux_superblock(oldsb);
875 struct superblock_security_struct *new = selinux_superblock(newsb);
094f7b69
JL		 876 char oldflags = old->flags & SE_MNTMASK;
877 char newflags = new->flags & SE_MNTMASK;
878
879 if (oldflags != newflags)
880 goto mismatch;
881 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
882 goto mismatch;
883 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
884 goto mismatch;
885 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
886 goto mismatch;
887 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 888 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
889 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 890 if (oldroot->sid != newroot->sid)
891 goto mismatch;
892 }
893 return 0;
894mismatch:
c103a91e 895 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 896 "different security settings for (dev %s, "
897 "type %s)\n", newsb->s_id, newsb->s_type->name);
898 return -EBUSY;
899}
900
901static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 902 struct super_block *newsb,
903 unsigned long kern_flags,
904 unsigned long *set_kern_flags)
1da177e4 905{
0b4d3452 906 int rc = 0;
1aea7808
CS		 907 const struct superblock_security_struct *oldsbsec =
908 selinux_superblock(oldsb);
909 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
1da177e4 910
c9180a57
EP		 911 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
912 int set_context = (oldsbsec->flags & CONTEXT_MNT);
913 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 914
0b4d3452
SM		 915 /*
916 * Specifying internal flags without providing a place to
917 * place the results is not allowed.
918 */
919 if (kern_flags && !set_kern_flags)
920 return -EINVAL;
921
cec5fe70
OM		 922 mutex_lock(&newsbsec->lock);
923
924 /*
925 * if the parent was able to be mounted it clearly had no special lsm
926 * mount options. thus we can safely deal with this superblock later
927 */
928 if (!selinux_initialized()) {
929 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
930 newsbsec->flags |= SE_SBNATIVE;
931 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
932 }
933 goto out;
934 }
935
c9180a57 936 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 937 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 938
094f7b69 939 /* if fs is reusing a sb, make sure that the contexts match */
3815a245 940 if (newsbsec->flags & SE_SBINITIALIZED) {
cec5fe70 941 mutex_unlock(&newsbsec->lock);
3815a245
BF		 942 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
943 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 944 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 945 }
5a552617 946
c9180a57
EP		 947 newsbsec->flags = oldsbsec->flags;
948
949 newsbsec->sid = oldsbsec->sid;
950 newsbsec->def_sid = oldsbsec->def_sid;
951 newsbsec->behavior = oldsbsec->behavior;
952
0b4d3452
SM		 953 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
954 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
e67b7985 955 rc = security_fs_use(newsb);
0b4d3452
SM		 956 if (rc)
957 goto out;
958 }
959
960 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
961 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
962 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
963 }
964
c9180a57
EP		 965 if (set_context) {
966 u32 sid = oldsbsec->mntpoint_sid;
967
968 if (!set_fscontext)
969 newsbsec->sid = sid;
970 if (!set_rootcontext) {
83da53c5 971 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 972 newisec->sid = sid;
973 }
974 newsbsec->mntpoint_sid = sid;
1da177e4 975 }
c9180a57 976 if (set_rootcontext) {
83da53c5
AG		 977 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
978 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 979
c9180a57 980 newisec->sid = oldisec->sid;
1da177e4
LT		 981 }
982
c9180a57 983 sb_finish_set_opts(newsb);
0b4d3452 984out:
c9180a57 985 mutex_unlock(&newsbsec->lock);
0b4d3452 986 return rc;
c9180a57
EP		 987}
988
ef54ccb6 989/*
3d9047a0 990 * NOTE: the caller is responsible for freeing the memory even if on error.
ef54ccb6 991 */
ba641862 992static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 993{
ba641862 994 struct selinux_mnt_opts *opts = *mnt_opts;
70f4169a
OM		 995 u32 *dst_sid;
996 int rc;
1da177e4 997
6cd9d4b9
PM		 998 if (token == Opt_seclabel)
999 /* eaten and completely ignored */
169d68ef 1000 return 0;
2e08df3c 1001 if (!s)
ef54ccb6 1002 return -EINVAL;
e0007529 1003
e67b7985 1004 if (!selinux_initialized()) {
70f4169a
OM		 1005 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1006 return -EINVAL;
1007 }
1008
ba641862 1009 if (!opts) {
6cd9d4b9 1010 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
ba641862
AV		 1011 if (!opts)
1012 return -ENOMEM;
1013 *mnt_opts = opts;
c9180a57 1014 }
2e08df3c 1015
ba641862
AV		 1016 switch (token) {
1017 case Opt_context:
70f4169a 1018 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 1019 goto err;
70f4169a 1020 dst_sid = &opts->context_sid;
ba641862
AV		 1021 break;
1022 case Opt_fscontext:
70f4169a 1023 if (opts->fscontext_sid)
6cd9d4b9 1024 goto err;
70f4169a 1025 dst_sid = &opts->fscontext_sid;
ba641862
AV		 1026 break;
1027 case Opt_rootcontext:
70f4169a 1028 if (opts->rootcontext_sid)
6cd9d4b9 1029 goto err;
70f4169a 1030 dst_sid = &opts->rootcontext_sid;
ba641862
AV		 1031 break;
1032 case Opt_defcontext:
70f4169a 1033 if (opts->context_sid || opts->defcontext_sid)
6cd9d4b9 1034 goto err;
70f4169a 1035 dst_sid = &opts->defcontext_sid;
ba641862 1036 break;
70f4169a
OM		 1037 default:
1038 WARN_ON(1);
1039 return -EINVAL;
c9180a57 1040 }
e67b7985 1041 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
70f4169a
OM		 1042 if (rc)
1043 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1044 s, rc);
1045 return rc;
e2e0e097 1046
6cd9d4b9 1047err:
ba641862 1048 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1049 return -EINVAL;
e0007529 1050}
1da177e4 1051
e3489f89 1052static int show_sid(struct seq_file *m, u32 sid)
2069f457 1053{
e3489f89
AV		 1054 char *context = NULL;
1055 u32 len;
1056 int rc;
11689d47 1057
e67b7985 1058 rc = security_sid_to_context(sid, &context, &len);
e3489f89 1059 if (!rc) {
4d3d0ed6 1060 bool has_comma = strchr(context, ',');
2069f457 1061
442155c1 1062 seq_putc(m, '=');
2069f457
EP		 1063 if (has_comma)
1064 seq_putc(m, '\"');
e3489f89 1065 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1066 if (has_comma)
1067 seq_putc(m, '\"');
1068 }
e3489f89
AV		 1069 kfree(context);
1070 return rc;
2069f457
EP		 1071}
1072
1073static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1074{
1aea7808 1075 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2069f457
EP		 1076 int rc;
1077
e3489f89
AV		 1078 if (!(sbsec->flags & SE_SBINITIALIZED))
1079 return 0;
2069f457 1080
e67b7985 1081 if (!selinux_initialized())
e3489f89 1082 return 0;
2069f457 1083
e3489f89
AV		 1084 if (sbsec->flags & FSCONTEXT_MNT) {
1085 seq_putc(m, ',');
1086 seq_puts(m, FSCONTEXT_STR);
1087 rc = show_sid(m, sbsec->sid);
1088 if (rc)
1089 return rc;
1090 }
1091 if (sbsec->flags & CONTEXT_MNT) {
1092 seq_putc(m, ',');
1093 seq_puts(m, CONTEXT_STR);
1094 rc = show_sid(m, sbsec->mntpoint_sid);
1095 if (rc)
1096 return rc;
1097 }
1098 if (sbsec->flags & DEFCONTEXT_MNT) {
1099 seq_putc(m, ',');
1100 seq_puts(m, DEFCONTEXT_STR);
1101 rc = show_sid(m, sbsec->def_sid);
1102 if (rc)
1103 return rc;
1104 }
1105 if (sbsec->flags & ROOTCONTEXT_MNT) {
b159e86b 1106 struct dentry *root = sb->s_root;
e3489f89
AV		 1107 struct inode_security_struct *isec = backing_inode_security(root);
1108 seq_putc(m, ',');
1109 seq_puts(m, ROOTCONTEXT_STR);
1110 rc = show_sid(m, isec->sid);
1111 if (rc)
1112 return rc;
1113 }
1114 if (sbsec->flags & SBLABEL_MNT) {
1115 seq_putc(m, ',');
442155c1 1116 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1117 }
1118 return 0;
2069f457
EP		 1119}
1120
1da177e4
LT		 1121static inline u16 inode_mode_to_security_class(umode_t mode)
1122{
1123 switch (mode & S_IFMT) {
1124 case S_IFSOCK:
1125 return SECCLASS_SOCK_FILE;
1126 case S_IFLNK:
1127 return SECCLASS_LNK_FILE;
1128 case S_IFREG:
1129 return SECCLASS_FILE;
1130 case S_IFBLK:
1131 return SECCLASS_BLK_FILE;
1132 case S_IFDIR:
1133 return SECCLASS_DIR;
1134 case S_IFCHR:
1135 return SECCLASS_CHR_FILE;
1136 case S_IFIFO:
1137 return SECCLASS_FIFO_FILE;
1138
1139 }
1140
1141 return SECCLASS_FILE;
1142}
1143
13402580
JM		 1144static inline int default_protocol_stream(int protocol)
1145{
95ca9072
PA		 1146 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1147 protocol == IPPROTO_MPTCP);
13402580
JM		 1148}
1149
1150static inline int default_protocol_dgram(int protocol)
1151{
1152 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1153}
1154
1da177e4
LT		 1155static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1156{
a13479bb 1157 bool extsockclass = selinux_policycap_extsockclass();
da69a530 1158
1da177e4
LT		 1159 switch (family) {
1160 case PF_UNIX:
1161 switch (type) {
1162 case SOCK_STREAM:
1163 case SOCK_SEQPACKET:
1164 return SECCLASS_UNIX_STREAM_SOCKET;
1165 case SOCK_DGRAM:
2a764b52 1166 case SOCK_RAW:
1da177e4
LT		 1167 return SECCLASS_UNIX_DGRAM_SOCKET;
1168 }
1169 break;
1170 case PF_INET:
1171 case PF_INET6:
1172 switch (type) {
1173 case SOCK_STREAM:
da69a530 1174 case SOCK_SEQPACKET:
13402580
JM		 1175 if (default_protocol_stream(protocol))
1176 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1177 else if (extsockclass && protocol == IPPROTO_SCTP)
1178 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1179 else
1180 return SECCLASS_RAWIP_SOCKET;
1da177e4 1181 case SOCK_DGRAM:
13402580
JM		 1182 if (default_protocol_dgram(protocol))
1183 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1184 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1185 protocol == IPPROTO_ICMPV6))
da69a530 1186 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1187 else
1188 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1189 case SOCK_DCCP:
1190 return SECCLASS_DCCP_SOCKET;
13402580 1191 default:
1da177e4
LT		 1192 return SECCLASS_RAWIP_SOCKET;
1193 }
1194 break;
1195 case PF_NETLINK:
1196 switch (protocol) {
1197 case NETLINK_ROUTE:
1198 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1199 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1200 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1201 case NETLINK_NFLOG:
1202 return SECCLASS_NETLINK_NFLOG_SOCKET;
1203 case NETLINK_XFRM:
1204 return SECCLASS_NETLINK_XFRM_SOCKET;
1205 case NETLINK_SELINUX:
1206 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1207 case NETLINK_ISCSI:
1208 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1209 case NETLINK_AUDIT:
1210 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1211 case NETLINK_FIB_LOOKUP:
1212 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1213 case NETLINK_CONNECTOR:
1214 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1215 case NETLINK_NETFILTER:
1216 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1217 case NETLINK_DNRTMSG:
1218 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1219 case NETLINK_KOBJECT_UEVENT:
1220 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1221 case NETLINK_GENERIC:
1222 return SECCLASS_NETLINK_GENERIC_SOCKET;
1223 case NETLINK_SCSITRANSPORT:
1224 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1225 case NETLINK_RDMA:
1226 return SECCLASS_NETLINK_RDMA_SOCKET;
1227 case NETLINK_CRYPTO:
1228 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1229 default:
1230 return SECCLASS_NETLINK_SOCKET;
1231 }
1232 case PF_PACKET:
1233 return SECCLASS_PACKET_SOCKET;
1234 case PF_KEY:
1235 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1236 case PF_APPLETALK:
1237 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1238 }
1239
da69a530
SS		 1240 if (extsockclass) {
1241 switch (family) {
1242 case PF_AX25:
1243 return SECCLASS_AX25_SOCKET;
1244 case PF_IPX:
1245 return SECCLASS_IPX_SOCKET;
1246 case PF_NETROM:
1247 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1248 case PF_ATMPVC:
1249 return SECCLASS_ATMPVC_SOCKET;
1250 case PF_X25:
1251 return SECCLASS_X25_SOCKET;
1252 case PF_ROSE:
1253 return SECCLASS_ROSE_SOCKET;
1254 case PF_DECnet:
1255 return SECCLASS_DECNET_SOCKET;
1256 case PF_ATMSVC:
1257 return SECCLASS_ATMSVC_SOCKET;
1258 case PF_RDS:
1259 return SECCLASS_RDS_SOCKET;
1260 case PF_IRDA:
1261 return SECCLASS_IRDA_SOCKET;
1262 case PF_PPPOX:
1263 return SECCLASS_PPPOX_SOCKET;
1264 case PF_LLC:
1265 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1266 case PF_CAN:
1267 return SECCLASS_CAN_SOCKET;
1268 case PF_TIPC:
1269 return SECCLASS_TIPC_SOCKET;
1270 case PF_BLUETOOTH:
1271 return SECCLASS_BLUETOOTH_SOCKET;
1272 case PF_IUCV:
1273 return SECCLASS_IUCV_SOCKET;
1274 case PF_RXRPC:
1275 return SECCLASS_RXRPC_SOCKET;
1276 case PF_ISDN:
1277 return SECCLASS_ISDN_SOCKET;
1278 case PF_PHONET:
1279 return SECCLASS_PHONET_SOCKET;
1280 case PF_IEEE802154:
1281 return SECCLASS_IEEE802154_SOCKET;
1282 case PF_CAIF:
1283 return SECCLASS_CAIF_SOCKET;
1284 case PF_ALG:
1285 return SECCLASS_ALG_SOCKET;
1286 case PF_NFC:
1287 return SECCLASS_NFC_SOCKET;
1288 case PF_VSOCK:
1289 return SECCLASS_VSOCK_SOCKET;
1290 case PF_KCM:
1291 return SECCLASS_KCM_SOCKET;
1292 case PF_QIPCRTR:
1293 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1294 case PF_SMC:
1295 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1296 case PF_XDP:
1297 return SECCLASS_XDP_SOCKET;
bc49d816
JK		 1298 case PF_MCTP:
1299 return SECCLASS_MCTP_SOCKET;
1300#if PF_MAX > 46
da69a530
SS		 1301#error New address family defined, please update this function.
1302#endif
1303 }
1304 }
1305
1da177e4
LT		 1306 return SECCLASS_SOCKET;
1307}
1308
134509d5
SS		 1309static int selinux_genfs_get_sid(struct dentry *dentry,
1310 u16 tclass,
1311 u16 flags,
1312 u32 *sid)
1da177e4 1313{
8e6c9693 1314 int rc;
fc64005c 1315 struct super_block *sb = dentry->d_sb;
8e6c9693 1316 char *buffer, *path;
1da177e4 1317
828dfe1d 1318 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1319 if (!buffer)
1320 return -ENOMEM;
1321
8e6c9693
LAG		 1322 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1323 if (IS_ERR(path))
1324 rc = PTR_ERR(path);
1325 else {
134509d5
SS		 1326 if (flags & SE_SBPROC) {
1327 /* each process gets a /proc/PID/ entry. Strip off the
1328 * PID part to get a valid selinux labeling.
1329 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1330 while (path[1] >= '0' && path[1] <= '9') {
1331 path[1] = '/';
1332 path++;
1333 }
8e6c9693 1334 }
e67b7985 1335 rc = security_genfs_sid(sb->s_type->name,
aa8e712c 1336 path, tclass, sid);
7bb185ed
SS		 1337 if (rc == -ENOENT) {
1338 /* No match in policy, mark as unlabeled. */
1339 *sid = SECINITSID_UNLABELED;
1340 rc = 0;
1341 }
1da177e4 1342 }
1da177e4
LT		 1343 free_page((unsigned long)buffer);
1344 return rc;
1345}
1da177e4 1346
b754026b
OM		 1347static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1348 u32 def_sid, u32 *sid)
1349{
1350#define INITCONTEXTLEN 255
1351 char *context;
1352 unsigned int len;
1353 int rc;
1354
1355 len = INITCONTEXTLEN;
1356 context = kmalloc(len + 1, GFP_NOFS);
1357 if (!context)
1358 return -ENOMEM;
1359
1360 context[len] = '\0';
1361 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1362 if (rc == -ERANGE) {
1363 kfree(context);
1364
1365 /* Need a larger buffer. Query for the right size. */
1366 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1367 if (rc < 0)
1368 return rc;
1369
1370 len = rc;
1371 context = kmalloc(len + 1, GFP_NOFS);
1372 if (!context)
1373 return -ENOMEM;
1374
1375 context[len] = '\0';
1376 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1377 context, len);
1378 }
1379 if (rc < 0) {
1380 kfree(context);
1381 if (rc != -ENODATA) {
1382 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1383 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1384 return rc;
1385 }
1386 *sid = def_sid;
1387 return 0;
1388 }
1389
e67b7985 1390 rc = security_context_to_sid_default(context, rc, sid,
b754026b
OM		 1391 def_sid, GFP_NOFS);
1392 if (rc) {
1393 char *dev = inode->i_sb->s_id;
1394 unsigned long ino = inode->i_ino;
1395
1396 if (rc == -EINVAL) {
1397 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1398 ino, dev, context);
1399 } else {
1400 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1401 __func__, context, -rc, dev, ino);
1402 }
1403 }
1404 kfree(context);
1405 return 0;
1406}
1407
1da177e4
LT		 1408/* The inode's security attributes must be initialized before first use. */
1409static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1410{
1411 struct superblock_security_struct *sbsec = NULL;
80788c22 1412 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1413 u32 task_sid, sid = 0;
1414 u16 sclass;
1da177e4 1415 struct dentry *dentry;
1da177e4 1416 int rc = 0;
1da177e4 1417
6f3be9f5 1418 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1419 return 0;
1da177e4 1420
9287aed2 1421 spin_lock(&isec->lock);
6f3be9f5 1422 if (isec->initialized == LABEL_INITIALIZED)
23970741 1423 goto out_unlock;
1da177e4 1424
13457d07
AG		 1425 if (isec->sclass == SECCLASS_FILE)
1426 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1427
1aea7808 1428 sbsec = selinux_superblock(inode->i_sb);
0d90a7ec 1429 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1430 /* Defer initialization until selinux_complete_init,
1431 after the initial policy is loaded and the security
1432 server is ready to handle calls. */
1433 spin_lock(&sbsec->isec_lock);
1434 if (list_empty(&isec->list))
1435 list_add(&isec->list, &sbsec->isec_head);
1436 spin_unlock(&sbsec->isec_lock);
23970741 1437 goto out_unlock;
1da177e4
LT		 1438 }
1439
9287aed2
AG		 1440 sclass = isec->sclass;
1441 task_sid = isec->task_sid;
1442 sid = isec->sid;
1443 isec->initialized = LABEL_PENDING;
1444 spin_unlock(&isec->lock);
1445
1da177e4 1446 switch (sbsec->behavior) {
cec5fe70
OM		 1447 /*
1448 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1449 * via xattr when called from delayed_superblock_init().
1450 */
eb9ae686 1451 case SECURITY_FS_USE_NATIVE:
1da177e4 1452 case SECURITY_FS_USE_XATTR:
5d6c3191 1453 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1454 sid = sbsec->def_sid;
1da177e4
LT		 1455 break;
1456 }
1da177e4
LT		 1457 /* Need a dentry, since the xattr API requires one.
1458 Life would be simpler if we could just pass the inode. */
1459 if (opt_dentry) {
1460 /* Called from d_instantiate or d_splice_alias. */
1461 dentry = dget(opt_dentry);
1462 } else {
b127125d
AV		 1463 /*
1464 * Called from selinux_complete_init, try to find a dentry.
1465 * Some filesystems really want a connected one, so try
1466 * that first. We could split SECURITY_FS_USE_XATTR in
1467 * two, depending upon that...
1468 */
1da177e4 1469 dentry = d_find_alias(inode);
b127125d
AV		 1470 if (!dentry)
1471 dentry = d_find_any_alias(inode);
1da177e4
LT		 1472 }
1473 if (!dentry) {
df7f54c0
EP		 1474 /*
1475 * this is can be hit on boot when a file is accessed
1476 * before the policy is loaded. When we load policy we
1477 * may find inodes that have no dentry on the
1478 * sbsec->isec_head list. No reason to complain as these
1479 * will get fixed up the next time we go through
1480 * inode_doinit with a dentry, before these inodes could
1481 * be used again by userspace.
1482 */
200ea5a2 1483 goto out_invalid;
1da177e4
LT		 1484 }
1485
b754026b
OM		 1486 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1487 &sid);
1da177e4 1488 dput(dentry);
b754026b
OM		 1489 if (rc)
1490 goto out;
1da177e4
LT		 1491 break;
1492 case SECURITY_FS_USE_TASK:
9287aed2 1493 sid = task_sid;
1da177e4
LT		 1494 break;
1495 case SECURITY_FS_USE_TRANS:
1496 /* Default to the fs SID. */
9287aed2 1497 sid = sbsec->sid;
1da177e4
LT		 1498
1499 /* Try to obtain a transition SID. */
e67b7985 1500 rc = security_transition_sid(task_sid, sid,
aa8e712c 1501 sclass, NULL, &sid);
1da177e4 1502 if (rc)
9287aed2 1503 goto out;
1da177e4 1504 break;
c312feb2 1505 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1506 sid = sbsec->mntpoint_sid;
c312feb2 1507 break;
1da177e4 1508 default:
c312feb2 1509 /* Default to the fs superblock SID. */
9287aed2 1510 sid = sbsec->sid;
1da177e4 1511
7470d0d1
CG		 1512 if ((sbsec->flags & SE_SBGENFS) &&
1513 (!S_ISLNK(inode->i_mode) ||
1514 selinux_policycap_genfs_seclabel_symlinks())) {
f64410ec
PM		 1515 /* We must have a dentry to determine the label on
1516 * procfs inodes */
b127125d 1517 if (opt_dentry) {
f64410ec
PM		 1518 /* Called from d_instantiate or
1519 * d_splice_alias. */
1520 dentry = dget(opt_dentry);
b127125d 1521 } else {
f64410ec 1522 /* Called from selinux_complete_init, try to
b127125d
AV		 1523 * find a dentry. Some filesystems really want
1524 * a connected one, so try that first.
1525 */
f64410ec 1526 dentry = d_find_alias(inode);
b127125d
AV		 1527 if (!dentry)
1528 dentry = d_find_any_alias(inode);
1529 }
f64410ec
PM		 1530 /*
1531 * This can be hit on boot when a file is accessed
1532 * before the policy is loaded. When we load policy we
1533 * may find inodes that have no dentry on the
1534 * sbsec->isec_head list. No reason to complain as
1535 * these will get fixed up the next time we go through
1536 * inode_doinit() with a dentry, before these inodes
1537 * could be used again by userspace.
1538 */
1539 if (!dentry)
200ea5a2 1540 goto out_invalid;
9287aed2 1541 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1542 sbsec->flags, &sid);
b754026b
OM		 1543 if (rc) {
1544 dput(dentry);
9287aed2 1545 goto out;
b754026b
OM		 1546 }
1547
1548 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1549 (inode->i_opflags & IOP_XATTR)) {
1550 rc = inode_doinit_use_xattr(inode, dentry,
1551 sid, &sid);
1552 if (rc) {
1553 dput(dentry);
1554 goto out;
1555 }
1556 }
1557 dput(dentry);
1da177e4
LT		 1558 }
1559 break;
1560 }
1561
9287aed2
AG		 1562out:
1563 spin_lock(&isec->lock);
1564 if (isec->initialized == LABEL_PENDING) {
200ea5a2 1565 if (rc) {
9287aed2
AG		 1566 isec->initialized = LABEL_INVALID;
1567 goto out_unlock;
1568 }
9287aed2
AG		 1569 isec->initialized = LABEL_INITIALIZED;
1570 isec->sid = sid;
1571 }
1da177e4 1572
23970741 1573out_unlock:
9287aed2 1574 spin_unlock(&isec->lock);
1da177e4 1575 return rc;
200ea5a2
PM		 1576
1577out_invalid:
1578 spin_lock(&isec->lock);
1579 if (isec->initialized == LABEL_PENDING) {
1580 isec->initialized = LABEL_INVALID;
1581 isec->sid = sid;
1582 }
1583 spin_unlock(&isec->lock);
1584 return 0;
1da177e4
LT		 1585}
1586
1587/* Convert a Linux signal to an access vector. */
1588static inline u32 signal_to_av(int sig)
1589{
1590 u32 perm = 0;
1591
1592 switch (sig) {
1593 case SIGCHLD:
1594 /* Commonly granted from child to parent. */
1595 perm = PROCESS__SIGCHLD;
1596 break;
1597 case SIGKILL:
1598 /* Cannot be caught or ignored */
1599 perm = PROCESS__SIGKILL;
1600 break;
1601 case SIGSTOP:
1602 /* Cannot be caught or ignored */
1603 perm = PROCESS__SIGSTOP;
1604 break;
1605 default:
1606 /* All other signals. */
1607 perm = PROCESS__SIGNAL;
1608 break;
1609 }
1610
1611 return perm;
1612}
1613
b68e418c
SS		 1614#if CAP_LAST_CAP > 63
1615#error Fix SELinux to handle capabilities > 63.
1616#endif
1617
1da177e4 1618/* Check whether a task is allowed to use a capability. */
6a9de491 1619static int cred_has_capability(const struct cred *cred,
c1a85a00 1620 int cap, unsigned int opts, bool initns)
1da177e4 1621{
2bf49690 1622 struct common_audit_data ad;
06112163 1623 struct av_decision avd;
b68e418c 1624 u16 sclass;
3699c53c 1625 u32 sid = cred_sid(cred);
b68e418c 1626 u32 av = CAP_TO_MASK(cap);
06112163 1627 int rc;
1da177e4 1628
50c205f5 1629 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1630 ad.u.cap = cap;
1631
b68e418c
SS		 1632 switch (CAP_TO_INDEX(cap)) {
1633 case 0:
8e4ff6f2 1634 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1635 break;
1636 case 1:
8e4ff6f2 1637 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1638 break;
1639 default:
c103a91e 1640 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1641 BUG();
a35c6c83 1642 return -EINVAL;
b68e418c 1643 }
06112163 1644
e67b7985 1645 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
c1a85a00 1646 if (!(opts & CAP_OPT_NOAUDIT)) {
e67b7985 1647 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1648 if (rc2)
1649 return rc2;
1650 }
06112163 1651 return rc;
1da177e4
LT		 1652}
1653
1da177e4
LT		 1654/* Check whether a task has a particular permission to an inode.
1655 The 'adp' parameter is optional and allows other audit
1656 data to be passed (e.g. the dentry). */
88e67f3b 1657static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1658 struct inode *inode,
1659 u32 perms,
19e49834 1660 struct common_audit_data *adp)
1da177e4 1661{
1da177e4 1662 struct inode_security_struct *isec;
275bb41e 1663 u32 sid;
1da177e4 1664
828dfe1d 1665 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1666 return 0;
1667
88e67f3b 1668 sid = cred_sid(cred);
80788c22 1669 isec = selinux_inode(inode);
1da177e4 1670
e67b7985 1671 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1672}
1673
1674/* Same as inode_has_perm, but pass explicit audit data containing
1675 the dentry to help the auditing code to more easily generate the
1676 pathname if needed. */
88e67f3b 1677static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1678 struct dentry *dentry,
1679 u32 av)
1680{
c6f493d6 1681 struct inode *inode = d_backing_inode(dentry);
2bf49690 1682 struct common_audit_data ad;
88e67f3b 1683
50c205f5 1684 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1685 ad.u.dentry = dentry;
5d226df4 1686 __inode_security_revalidate(inode, dentry, true);
19e49834 1687 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1688}
1689
1690/* Same as inode_has_perm, but pass explicit audit data containing
1691 the path to help the auditing code to more easily generate the
1692 pathname if needed. */
1693static inline int path_has_perm(const struct cred *cred,
3f7036a0 1694 const struct path *path,
2875fa00
EP		 1695 u32 av)
1696{
c6f493d6 1697 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1698 struct common_audit_data ad;
1699
50c205f5 1700 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1701 ad.u.path = *path;
5d226df4 1702 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1703 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1704}
1705
13f8e981
DH		 1706/* Same as path_has_perm, but uses the inode from the file struct. */
1707static inline int file_path_has_perm(const struct cred *cred,
1708 struct file *file,
1709 u32 av)
1710{
1711 struct common_audit_data ad;
1712
43af5de7
VG		 1713 ad.type = LSM_AUDIT_DATA_FILE;
1714 ad.u.file = file;
19e49834 1715 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1716}
1717
f66e448c 1718#ifdef CONFIG_BPF_SYSCALL
8e4672d6 1719static int bpf_fd_pass(const struct file *file, u32 sid);
f66e448c
CF		 1720#endif
1721
1da177e4
LT		 1722/* Check whether a task can use an open file descriptor to
1723 access an inode in a given way. Check access to the
1724 descriptor itself, and then use dentry_has_perm to
1725 check a particular permission to the file.
1726 Access to the descriptor is implicitly granted if it
1727 has the same SID as the process. If av is zero, then
1728 access to the file is not checked, e.g. for cases
1729 where only the descriptor is affected like seek. */
88e67f3b
DH		 1730static int file_has_perm(const struct cred *cred,
1731 struct file *file,
1732 u32 av)
1da177e4 1733{
bb6c6b02 1734 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1735 struct inode *inode = file_inode(file);
2bf49690 1736 struct common_audit_data ad;
88e67f3b 1737 u32 sid = cred_sid(cred);
1da177e4
LT		 1738 int rc;
1739
43af5de7
VG		 1740 ad.type = LSM_AUDIT_DATA_FILE;
1741 ad.u.file = file;
1da177e4 1742
275bb41e 1743 if (sid != fsec->sid) {
e67b7985 1744 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1745 SECCLASS_FD,
1746 FD__USE,
1747 &ad);
1748 if (rc)
88e67f3b 1749 goto out;
1da177e4
LT		 1750 }
1751
f66e448c
CF		 1752#ifdef CONFIG_BPF_SYSCALL
1753 rc = bpf_fd_pass(file, cred_sid(cred));
1754 if (rc)
1755 return rc;
1756#endif
1757
1da177e4 1758 /* av is zero if only checking access to the descriptor. */
88e67f3b 1759 rc = 0;
1da177e4 1760 if (av)
19e49834 1761 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1762
88e67f3b
DH		 1763out:
1764 return rc;
1da177e4
LT		 1765}
1766
c3c188b2
DH		 1767/*
1768 * Determine the label for an inode that might be unioned.
1769 */
c957f6df
VG		 1770static int
1771selinux_determine_inode_label(const struct task_security_struct *tsec,
1772 struct inode *dir,
1773 const struct qstr *name, u16 tclass,
1774 u32 *_new_isid)
c3c188b2 1775{
1aea7808
CS		 1776 const struct superblock_security_struct *sbsec =
1777 selinux_superblock(dir->i_sb);
c3c188b2
DH		 1778
1779 if ((sbsec->flags & SE_SBINITIALIZED) &&
1780 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1781 *_new_isid = sbsec->mntpoint_sid;
1782 } else if ((sbsec->flags & SBLABEL_MNT) &&
1783 tsec->create_sid) {
1784 *_new_isid = tsec->create_sid;
1785 } else {
20cdef8d 1786 const struct inode_security_struct *dsec = inode_security(dir);
e67b7985 1787 return security_transition_sid(tsec->sid,
aa8e712c 1788 dsec->sid, tclass,
c3c188b2
DH		 1789 name, _new_isid);
1790 }
1791
1792 return 0;
1793}
1794
1da177e4
LT		 1795/* Check whether a task can create a file. */
1796static int may_create(struct inode *dir,
1797 struct dentry *dentry,
1798 u16 tclass)
1799{
0c6cfa62 1800 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1801 struct inode_security_struct *dsec;
1802 struct superblock_security_struct *sbsec;
275bb41e 1803 u32 sid, newsid;
2bf49690 1804 struct common_audit_data ad;
1da177e4
LT		 1805 int rc;
1806
83da53c5 1807 dsec = inode_security(dir);
1aea7808 1808 sbsec = selinux_superblock(dir->i_sb);
1da177e4 1809
275bb41e 1810 sid = tsec->sid;
275bb41e 1811
50c205f5 1812 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1813 ad.u.dentry = dentry;
1da177e4 1814
e67b7985 1815 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1816 DIR__ADD_NAME | DIR__SEARCH,
1817 &ad);
1818 if (rc)
1819 return rc;
1820
210a2928
YG		 1821 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1822 &newsid);
c3c188b2
DH		 1823 if (rc)
1824 return rc;
1da177e4 1825
e67b7985 1826 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1827 if (rc)
1828 return rc;
1829
e67b7985 1830 return avc_has_perm(newsid, sbsec->sid,
1da177e4
LT		 1831 SECCLASS_FILESYSTEM,
1832 FILESYSTEM__ASSOCIATE, &ad);
1833}
1834
828dfe1d
EP		 1835#define MAY_LINK 0
1836#define MAY_UNLINK 1
1837#define MAY_RMDIR 2
1da177e4
LT		 1838
1839/* Check whether a task can link, unlink, or rmdir a file/directory. */
1840static int may_link(struct inode *dir,
1841 struct dentry *dentry,
1842 int kind)
1843
1844{
1da177e4 1845 struct inode_security_struct *dsec, *isec;
2bf49690 1846 struct common_audit_data ad;
275bb41e 1847 u32 sid = current_sid();
1da177e4
LT		 1848 u32 av;
1849 int rc;
1850
83da53c5
AG		 1851 dsec = inode_security(dir);
1852 isec = backing_inode_security(dentry);
1da177e4 1853
50c205f5 1854 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1855 ad.u.dentry = dentry;
1da177e4
LT		 1856
1857 av = DIR__SEARCH;
1858 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
e67b7985 1859 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1860 if (rc)
1861 return rc;
1862
1863 switch (kind) {
1864 case MAY_LINK:
1865 av = FILE__LINK;
1866 break;
1867 case MAY_UNLINK:
1868 av = FILE__UNLINK;
1869 break;
1870 case MAY_RMDIR:
1871 av = DIR__RMDIR;
1872 break;
1873 default:
c103a91e 1874 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1875 __func__, kind);
1da177e4
LT		 1876 return 0;
1877 }
1878
e67b7985 1879 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1880 return rc;
1881}
1882
1883static inline int may_rename(struct inode *old_dir,
1884 struct dentry *old_dentry,
1885 struct inode *new_dir,
1886 struct dentry *new_dentry)
1887{
1da177e4 1888 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1889 struct common_audit_data ad;
275bb41e 1890 u32 sid = current_sid();
1da177e4
LT		 1891 u32 av;
1892 int old_is_dir, new_is_dir;
1893 int rc;
1894
83da53c5
AG		 1895 old_dsec = inode_security(old_dir);
1896 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1897 old_is_dir = d_is_dir(old_dentry);
83da53c5 1898 new_dsec = inode_security(new_dir);
1da177e4 1899
50c205f5 1900 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1901
a269434d 1902 ad.u.dentry = old_dentry;
e67b7985 1903 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1904 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1905 if (rc)
1906 return rc;
e67b7985 1907 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1908 old_isec->sclass, FILE__RENAME, &ad);
1909 if (rc)
1910 return rc;
1911 if (old_is_dir && new_dir != old_dir) {
e67b7985 1912 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1913 old_isec->sclass, DIR__REPARENT, &ad);
1914 if (rc)
1915 return rc;
1916 }
1917
a269434d 1918 ad.u.dentry = new_dentry;
1da177e4 1919 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1920 if (d_is_positive(new_dentry))
1da177e4 1921 av |= DIR__REMOVE_NAME;
e67b7985 1922 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1923 if (rc)
1924 return rc;
2c616d4d 1925 if (d_is_positive(new_dentry)) {
83da53c5 1926 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1927 new_is_dir = d_is_dir(new_dentry);
e67b7985 1928 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1929 new_isec->sclass,
1930 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1931 if (rc)
1932 return rc;
1933 }
1934
1935 return 0;
1936}
1937
1938/* Check whether a task can perform a filesystem operation. */
88e67f3b 1939static int superblock_has_perm(const struct cred *cred,
25cc71d1 1940 const struct super_block *sb,
1da177e4 1941 u32 perms,
2bf49690 1942 struct common_audit_data *ad)
1da177e4 1943{
1da177e4 1944 struct superblock_security_struct *sbsec;
88e67f3b 1945 u32 sid = cred_sid(cred);
1da177e4 1946
1aea7808 1947 sbsec = selinux_superblock(sb);
e67b7985 1948 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1949}
1950
1951/* Convert a Linux mode and permission mask to an access vector. */
1952static inline u32 file_mask_to_av(int mode, int mask)
1953{
1954 u32 av = 0;
1955
dba19c60 1956 if (!S_ISDIR(mode)) {
1da177e4
LT		 1957 if (mask & MAY_EXEC)
1958 av |= FILE__EXECUTE;
1959 if (mask & MAY_READ)
1960 av |= FILE__READ;
1961
1962 if (mask & MAY_APPEND)
1963 av |= FILE__APPEND;
1964 else if (mask & MAY_WRITE)
1965 av |= FILE__WRITE;
1966
1967 } else {
1968 if (mask & MAY_EXEC)
1969 av |= DIR__SEARCH;
1970 if (mask & MAY_WRITE)
1971 av |= DIR__WRITE;
1972 if (mask & MAY_READ)
1973 av |= DIR__READ;
1974 }
1975
1976 return av;
1977}
1978
8b6a5a37 1979/* Convert a Linux file to an access vector. */
8e4672d6 1980static inline u32 file_to_av(const struct file *file)
8b6a5a37
EP		 1981{
1982 u32 av = 0;
1983
1984 if (file->f_mode & FMODE_READ)
1985 av |= FILE__READ;
1986 if (file->f_mode & FMODE_WRITE) {
1987 if (file->f_flags & O_APPEND)
1988 av |= FILE__APPEND;
1989 else
1990 av |= FILE__WRITE;
1991 }
1992 if (!av) {
1993 /*
1994 * Special file opened with flags 3 for ioctl-only use.
1995 */
1996 av = FILE__IOCTL;
1997 }
1998
1999 return av;
2000}
2001
b0c636b9 2002/*
c76a2f9e 2003 * Convert a file to an access vector and include the correct
b0c636b9
EP		 2004 * open permission.
2005 */
8b6a5a37 2006static inline u32 open_file_to_av(struct file *file)
b0c636b9 2007{
8b6a5a37 2008 u32 av = file_to_av(file);
ccb54478 2009 struct inode *inode = file_inode(file);
b0c636b9 2010
aa8e712c
SS		 2011 if (selinux_policycap_openperm() &&
2012 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2013 av |= FILE__OPEN;
2014
b0c636b9
EP		 2015 return av;
2016}
2017
1da177e4
LT		 2018/* Hook functions begin here. */
2019
52f88693 2020static int selinux_binder_set_context_mgr(const struct cred *mgr)
79af7307 2021{
e67b7985 2022 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
79af7307
SS		 2023 BINDER__SET_CONTEXT_MGR, NULL);
2024}
2025
52f88693
TK		 2026static int selinux_binder_transaction(const struct cred *from,
2027 const struct cred *to)
79af7307
SS		 2028{
2029 u32 mysid = current_sid();
52f88693
TK		 2030 u32 fromsid = cred_sid(from);
2031 u32 tosid = cred_sid(to);
79af7307
SS		 2032 int rc;
2033
2034 if (mysid != fromsid) {
e67b7985 2035 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2036 BINDER__IMPERSONATE, NULL);
2037 if (rc)
2038 return rc;
2039 }
2040
e67b7985 2041 return avc_has_perm(fromsid, tosid,
eb1231f7 2042 SECCLASS_BINDER, BINDER__CALL, NULL);
79af7307
SS		 2043}
2044
52f88693
TK		 2045static int selinux_binder_transfer_binder(const struct cred *from,
2046 const struct cred *to)
79af7307 2047{
e67b7985 2048 return avc_has_perm(cred_sid(from), cred_sid(to),
eb1231f7 2049 SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2050 NULL);
2051}
2052
52f88693
TK		 2053static int selinux_binder_transfer_file(const struct cred *from,
2054 const struct cred *to,
8e4672d6 2055 const struct file *file)
79af7307 2056{
52f88693 2057 u32 sid = cred_sid(to);
bb6c6b02 2058 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2059 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2060 struct inode_security_struct *isec;
79af7307
SS		 2061 struct common_audit_data ad;
2062 int rc;
2063
2064 ad.type = LSM_AUDIT_DATA_PATH;
2065 ad.u.path = file->f_path;
2066
2067 if (sid != fsec->sid) {
e67b7985 2068 rc = avc_has_perm(sid, fsec->sid,
79af7307
SS		 2069 SECCLASS_FD,
2070 FD__USE,
2071 &ad);
2072 if (rc)
2073 return rc;
2074 }
2075
f66e448c
CF		 2076#ifdef CONFIG_BPF_SYSCALL
2077 rc = bpf_fd_pass(file, sid);
2078 if (rc)
2079 return rc;
2080#endif
2081
83da53c5 2082 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2083 return 0;
2084
20cdef8d 2085 isec = backing_inode_security(dentry);
e67b7985 2086 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2087 &ad);
2088}
2089
9e48858f 2090static int selinux_ptrace_access_check(struct task_struct *child,
eb1231f7 2091 unsigned int mode)
1da177e4 2092{
be0554c9 2093 u32 sid = current_sid();
eb1231f7 2094 u32 csid = task_sid_obj(child);
be0554c9
SS		 2095
2096 if (mode & PTRACE_MODE_READ)
e67b7985
SS		 2097 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2098 NULL);
006ebb40 2099
e67b7985
SS		 2100 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2101 NULL);
5cd9c58f
DH		 2102}
2103
2104static int selinux_ptrace_traceme(struct task_struct *parent)
2105{
e67b7985 2106 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
eb1231f7 2107 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
1da177e4
LT		 2108}
2109
6672efbb 2110static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2111 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2112{
e67b7985
SS		 2113 return avc_has_perm(current_sid(), task_sid_obj(target),
2114 SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
1da177e4
LT		 2115}
2116
d84f4f99
DH		 2117static int selinux_capset(struct cred *new, const struct cred *old,
2118 const kernel_cap_t *effective,
2119 const kernel_cap_t *inheritable,
2120 const kernel_cap_t *permitted)
1da177e4 2121{
e67b7985 2122 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2123 PROCESS__SETCAP, NULL);
1da177e4
LT		 2124}
2125
5626d3e8
JM		 2126/*
2127 * (This comment used to live with the selinux_task_setuid hook,
2128 * which was removed).
2129 *
2130 * Since setuid only affects the current process, and since the SELinux
2131 * controls are not based on the Linux identity attributes, SELinux does not
2132 * need to control this operation. However, SELinux does control the use of
2133 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2134 */
2135
6a9de491 2136static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2137 int cap, unsigned int opts)
1da177e4 2138{
c1a85a00 2139 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2140}
2141
25cc71d1 2142static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
1da177e4 2143{
88e67f3b 2144 const struct cred *cred = current_cred();
1da177e4
LT		 2145 int rc = 0;
2146
2147 if (!sb)
2148 return 0;
2149
2150 switch (cmds) {
828dfe1d
EP		 2151 case Q_SYNC:
2152 case Q_QUOTAON:
2153 case Q_QUOTAOFF:
2154 case Q_SETINFO:
2155 case Q_SETQUOTA:
e4cfa05e
RH		 2156 case Q_XQUOTAOFF:
2157 case Q_XQUOTAON:
2158 case Q_XSETQLIM:
88e67f3b 2159 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2160 break;
2161 case Q_GETFMT:
2162 case Q_GETINFO:
2163 case Q_GETQUOTA:
e4cfa05e
RH		 2164 case Q_XGETQUOTA:
2165 case Q_XGETQSTAT:
2166 case Q_XGETQSTATV:
2167 case Q_XGETNEXTQUOTA:
88e67f3b 2168 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2169 break;
2170 default:
2171 rc = 0; /* let the kernel handle invalid cmds */
2172 break;
1da177e4
LT		 2173 }
2174 return rc;
2175}
2176
2177static int selinux_quota_on(struct dentry *dentry)
2178{
88e67f3b
DH		 2179 const struct cred *cred = current_cred();
2180
2875fa00 2181 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2182}
2183
12b3052c 2184static int selinux_syslog(int type)
1da177e4 2185{
1da177e4 2186 switch (type) {
d78ca3cd
KC		 2187 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2188 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
e67b7985 2189 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9 2190 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2191 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2192 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2193 /* Set level of messages printed to console */
2194 case SYSLOG_ACTION_CONSOLE_LEVEL:
e67b7985 2195 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2196 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2197 NULL);
1da177e4 2198 }
be0554c9 2199 /* All other syslog types */
e67b7985 2200 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
be0554c9 2201 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2202}
2203
2204/*
2205 * Check that a process has enough memory to allocate a new virtual
2206 * mapping. 0 means there is enough memory for the allocation to
2207 * succeed and -ENOMEM implies there is not.
2208 *
1da177e4
LT		 2209 * Do not audit the selinux permission check, as this is applied to all
2210 * processes that allocate mappings.
2211 */
34b4e4aa 2212static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2213{
2214 int rc, cap_sys_admin = 0;
1da177e4 2215
b1d9e6b0 2216 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2217 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2218 if (rc == 0)
2219 cap_sys_admin = 1;
2220
b1d9e6b0 2221 return cap_sys_admin;
1da177e4
LT		 2222}
2223
2224/* binprm security operations */
2225
be0554c9 2226static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2227{
2228 u32 sid = 0;
2229 struct task_struct *tracer;
2230
2231 rcu_read_lock();
be0554c9 2232 tracer = ptrace_parent(current);
0c6181cb 2233 if (tracer)
eb1231f7 2234 sid = task_sid_obj(tracer);
0c6181cb
PM		 2235 rcu_read_unlock();
2236
2237 return sid;
2238}
2239
7b0d0b40
SS		 2240static int check_nnp_nosuid(const struct linux_binprm *bprm,
2241 const struct task_security_struct *old_tsec,
2242 const struct task_security_struct *new_tsec)
2243{
2244 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2245 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2246 int rc;
af63f419 2247 u32 av;
7b0d0b40
SS		 2248
2249 if (!nnp && !nosuid)
2250 return 0; /* neither NNP nor nosuid */
2251
2252 if (new_tsec->sid == old_tsec->sid)
2253 return 0; /* No change in credentials */
2254
2255 /*
af63f419
SS		 2256 * If the policy enables the nnp_nosuid_transition policy capability,
2257 * then we permit transitions under NNP or nosuid if the
2258 * policy allows the corresponding permission between
2259 * the old and new contexts.
7b0d0b40 2260 */
aa8e712c 2261 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2262 av = 0;
7b0d0b40 2263 if (nnp)
af63f419
SS		 2264 av |= PROCESS2__NNP_TRANSITION;
2265 if (nosuid)
2266 av |= PROCESS2__NOSUID_TRANSITION;
e67b7985 2267 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
af63f419
SS		 2268 SECCLASS_PROCESS2, av, NULL);
2269 if (!rc)
2270 return 0;
7b0d0b40 2271 }
af63f419
SS		 2272
2273 /*
2274 * We also permit NNP or nosuid transitions to bounded SIDs,
2275 * i.e. SIDs that are guaranteed to only be allowed a subset
2276 * of the permissions of the current SID.
2277 */
e67b7985 2278 rc = security_bounded_transition(old_tsec->sid,
aa8e712c 2279 new_tsec->sid);
af63f419
SS		 2280 if (!rc)
2281 return 0;
2282
2283 /*
2284 * On failure, preserve the errno values for NNP vs nosuid.
2285 * NNP: Operation not permitted for caller.
2286 * nosuid: Permission denied to file.
2287 */
2288 if (nnp)
2289 return -EPERM;
2290 return -EACCES;
7b0d0b40
SS		 2291}
2292
b8bff599 2293static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
1da177e4 2294{
a6f76f23
DH		 2295 const struct task_security_struct *old_tsec;
2296 struct task_security_struct *new_tsec;
1da177e4 2297 struct inode_security_struct *isec;
2bf49690 2298 struct common_audit_data ad;
496ad9aa 2299 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2300 int rc;
2301
a6f76f23
DH		 2302 /* SELinux context only depends on initial program or script and not
2303 * the script interpreter */
1da177e4 2304
0c6cfa62
CS		 2305 old_tsec = selinux_cred(current_cred());
2306 new_tsec = selinux_cred(bprm->cred);
83da53c5 2307 isec = inode_security(inode);
1da177e4
LT		 2308
2309 /* Default to the current task SID. */
a6f76f23
DH		 2310 new_tsec->sid = old_tsec->sid;
2311 new_tsec->osid = old_tsec->sid;
1da177e4 2312
28eba5bf 2313 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2314 new_tsec->create_sid = 0;
2315 new_tsec->keycreate_sid = 0;
2316 new_tsec->sockcreate_sid = 0;
1da177e4 2317
ae254858
OM		 2318 /*
2319 * Before policy is loaded, label any task outside kernel space
2320 * as SECINITSID_INIT, so that any userspace tasks surviving from
2321 * early boot end up with a label different from SECINITSID_KERNEL
2322 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2323 */
2324 if (!selinux_initialized()) {
2325 new_tsec->sid = SECINITSID_INIT;
2326 /* also clear the exec_sid just in case */
2327 new_tsec->exec_sid = 0;
2328 return 0;
2329 }
2330
a6f76f23
DH		 2331 if (old_tsec->exec_sid) {
2332 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2333 /* Reset exec SID on execve. */
a6f76f23 2334 new_tsec->exec_sid = 0;
259e5e6c 2335
7b0d0b40
SS		 2336 /* Fail on NNP or nosuid if not an allowed transition. */
2337 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2338 if (rc)
2339 return rc;
1da177e4
LT		 2340 } else {
2341 /* Check for a default transition on this program. */
e67b7985 2342 rc = security_transition_sid(old_tsec->sid,
aa8e712c 2343 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2344 &new_tsec->sid);
1da177e4
LT		 2345 if (rc)
2346 return rc;
7b0d0b40
SS		 2347
2348 /*
2349 * Fallback to old SID on NNP or nosuid if not an allowed
2350 * transition.
2351 */
2352 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2353 if (rc)
2354 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2355 }
2356
43af5de7
VG		 2357 ad.type = LSM_AUDIT_DATA_FILE;
2358 ad.u.file = bprm->file;
1da177e4 2359
a6f76f23 2360 if (new_tsec->sid == old_tsec->sid) {
e67b7985 2361 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2362 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2363 if (rc)
2364 return rc;
2365 } else {
2366 /* Check permissions for the transition. */
e67b7985 2367 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2368 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2369 if (rc)
2370 return rc;
2371
e67b7985 2372 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2373 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2374 if (rc)
2375 return rc;
2376
a6f76f23
DH		 2377 /* Check for shared state */
2378 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
e67b7985 2379 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2380 SECCLASS_PROCESS, PROCESS__SHARE,
2381 NULL);
2382 if (rc)
2383 return -EPERM;
2384 }
2385
2386 /* Make sure that anyone attempting to ptrace over a task that
2387 * changes its SID has the appropriate permit */
9227dd2a 2388 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2389 u32 ptsid = ptrace_parent_sid();
a6f76f23 2390 if (ptsid != 0) {
e67b7985 2391 rc = avc_has_perm(ptsid, new_tsec->sid,
a6f76f23
DH		 2392 SECCLASS_PROCESS,
2393 PROCESS__PTRACE, NULL);
2394 if (rc)
2395 return -EPERM;
2396 }
2397 }
1da177e4 2398
a6f76f23
DH		 2399 /* Clear any possibly unsafe personality bits on exec: */
2400 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2401
1da177e4
LT		 2402 /* Enable secure mode for SIDs transitions unless
2403 the noatsecure permission is granted between
2404 the two SIDs, i.e. ahp returns 0. */
e67b7985 2405 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2406 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2407 NULL);
2408 bprm->secureexec |= !!rc;
1da177e4
LT		 2409 }
2410
62874c3a 2411 return 0;
1da177e4
LT		 2412}
2413
c3c073f8
AV		 2414static int match_file(const void *p, struct file *file, unsigned fd)
2415{
2416 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2417}
2418
1da177e4 2419/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2420static inline void flush_unauthorized_files(const struct cred *cred,
2421 struct files_struct *files)
1da177e4 2422{
1da177e4 2423 struct file *file, *devnull = NULL;
b20c8122 2424 struct tty_struct *tty;
24ec839c 2425 int drop_tty = 0;
c3c073f8 2426 unsigned n;
1da177e4 2427
24ec839c 2428 tty = get_current_tty();
1da177e4 2429 if (tty) {
4a510969 2430 spin_lock(&tty->files_lock);
37dd0bd0 2431 if (!list_empty(&tty->tty_files)) {
d996b62a 2432 struct tty_file_private *file_priv;
37dd0bd0 2433
1da177e4 2434 /* Revalidate access to controlling tty.
13f8e981
DH		 2435 Use file_path_has_perm on the tty path directly
2436 rather than using file_has_perm, as this particular
2437 open file may belong to another process and we are
2438 only interested in the inode-based check here. */
d996b62a
NP		 2439 file_priv = list_first_entry(&tty->tty_files,
2440 struct tty_file_private, list);
2441 file = file_priv->file;
13f8e981 2442 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2443 drop_tty = 1;
1da177e4 2444 }
4a510969 2445 spin_unlock(&tty->files_lock);
452a00d2 2446 tty_kref_put(tty);
1da177e4 2447 }
98a27ba4
EB		 2448 /* Reset controlling tty. */
2449 if (drop_tty)
2450 no_tty();
1da177e4
LT		 2451
2452 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2453 n = iterate_fd(files, 0, match_file, cred);
2454 if (!n) /* none found? */
2455 return;
1da177e4 2456
c3c073f8 2457 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2458 if (IS_ERR(devnull))
2459 devnull = NULL;
2460 /* replace all the matching ones with this */
2461 do {
2462 replace_fd(n - 1, devnull, 0);
2463 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2464 if (devnull)
c3c073f8 2465 fput(devnull);
1da177e4
LT		 2466}
2467
a6f76f23
DH		 2468/*
2469 * Prepare a process for imminent new credential changes due to exec
2470 */
64fc9526 2471static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
1da177e4 2472{
a6f76f23
DH		 2473 struct task_security_struct *new_tsec;
2474 struct rlimit *rlim, *initrlim;
2475 int rc, i;
d84f4f99 2476
0c6cfa62 2477 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2478 if (new_tsec->sid == new_tsec->osid)
2479 return;
1da177e4 2480
a6f76f23
DH		 2481 /* Close files for which the new task SID is not authorized. */
2482 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2483
a6f76f23
DH		 2484 /* Always clear parent death signal on SID transitions. */
2485 current->pdeath_signal = 0;
0356357c 2486
a6f76f23
DH		 2487 /* Check whether the new SID can inherit resource limits from the old
2488 * SID. If not, reset all soft limits to the lower of the current
2489 * task's hard limit and the init task's soft limit.
2490 *
2491 * Note that the setting of hard limits (even to lower them) can be
2492 * controlled by the setrlimit check. The inclusion of the init task's
2493 * soft limit into the computation is to avoid resetting soft limits
2494 * higher than the default soft limit for cases where the default is
2495 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2496 */
e67b7985 2497 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2498 PROCESS__RLIMITINH, NULL);
2499 if (rc) {
eb2d55a3
ON		 2500 /* protect against do_prlimit() */
2501 task_lock(current);
a6f76f23
DH		 2502 for (i = 0; i < RLIM_NLIMITS; i++) {
2503 rlim = current->signal->rlim + i;
2504 initrlim = init_task.signal->rlim + i;
2505 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2506 }
eb2d55a3 2507 task_unlock(current);
baa73d9e
NP		 2508 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2509 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2510 }
2511}
2512
2513/*
a6f76f23
DH		 2514 * Clean up the process immediately after the installation of new credentials
2515 * due to exec
1da177e4 2516 */
a721f7b8 2517static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
1da177e4 2518{
0c6cfa62 2519 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2520 u32 osid, sid;
ddbc7d06 2521 int rc;
1da177e4 2522
a6f76f23
DH		 2523 osid = tsec->osid;
2524 sid = tsec->sid;
2525
2526 if (sid == osid)
1da177e4
LT		 2527 return;
2528
a6f76f23
DH		 2529 /* Check whether the new SID can inherit signal state from the old SID.
2530 * If not, clear itimers to avoid subsequent signal generation and
2531 * flush and unblock signals.
2532 *
2533 * This must occur _after_ the task SID has been updated so that any
2534 * kill done after the flush will be checked against the new SID.
2535 */
e67b7985 2536 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2537 if (rc) {
ddbc7d06
AB		 2538 clear_itimer();
2539
0e326df0 2540 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
9e7c8f8c
ON		 2541 if (!fatal_signal_pending(current)) {
2542 flush_sigqueue(&current->pending);
2543 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2544 flush_signal_handlers(current, 1);
2545 sigemptyset(&current->blocked);
9e7c8f8c 2546 recalc_sigpending();
3bcac026 2547 }
0e326df0 2548 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
1da177e4
LT		 2549 }
2550
a6f76f23
DH		 2551 /* Wake up the parent if it is waiting so that it can recheck
2552 * wait permission to the new task SID. */
ecd6de3c 2553 read_lock(&tasklist_lock);
0e326df0 2554 __wake_up_parent(current, unrcu_pointer(current->real_parent));
ecd6de3c 2555 read_unlock(&tasklist_lock);
1da177e4
LT		 2556}
2557
2558/* superblock security operations */
2559
2560static int selinux_sb_alloc_security(struct super_block *sb)
2561{
1aea7808 2562 struct superblock_security_struct *sbsec = selinux_superblock(sb);
cb89e246
PM		 2563
2564 mutex_init(&sbsec->lock);
2565 INIT_LIST_HEAD(&sbsec->isec_head);
2566 spin_lock_init(&sbsec->isec_lock);
cb89e246
PM		 2567 sbsec->sid = SECINITSID_UNLABELED;
2568 sbsec->def_sid = SECINITSID_FILE;
2569 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
cb89e246
PM		 2570
2571 return 0;
1da177e4
LT		 2572}
2573
99dbbb59 2574static inline int opt_len(const char *s)
1da177e4 2575{
99dbbb59
AV		 2576 bool open_quote = false;
2577 int len;
2578 char c;
1da177e4 2579
99dbbb59
AV		 2580 for (len = 0; (c = s[len]) != '\0'; len++) {
2581 if (c == '"')
2582 open_quote = !open_quote;
2583 if (c == ',' && !open_quote)
2584 break;
3528a953 2585 }
99dbbb59 2586 return len;
3528a953
CO		 2587}
2588
99dbbb59 2589static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2590{
99dbbb59
AV		 2591 char *from = options;
2592 char *to = options;
2593 bool first = true;
fec63753 2594 int rc;
1da177e4 2595
99dbbb59
AV		 2596 while (1) {
2597 int len = opt_len(from);
fec63753 2598 int token;
99dbbb59 2599 char *arg = NULL;
1da177e4 2600
99dbbb59 2601 token = match_opt_prefix(from, len, &arg);
1da177e4 2602
99dbbb59
AV		 2603 if (token != Opt_error) {
2604 char *p, *q;
1da177e4 2605
99dbbb59
AV		 2606 /* strip quotes */
2607 if (arg) {
2608 for (p = q = arg; p < from + len; p++) {
2609 char c = *p;
2610 if (c != '"')
2611 *q++ = c;
2612 }
2613 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2614 if (!arg) {
2615 rc = -ENOMEM;
2616 goto free_opt;
2617 }
99dbbb59
AV		 2618 }
2619 rc = selinux_add_opt(token, arg, mnt_opts);
cad140d0
CG		 2620 kfree(arg);
2621 arg = NULL;
99dbbb59 2622 if (unlikely(rc)) {
fec63753 2623 goto free_opt;
99dbbb59
AV		 2624 }
2625 } else {
2626 if (!first) { // copy with preceding comma
2627 from--;
2628 len++;
2629 }
2630 if (to != from)
2631 memmove(to, from, len);
2632 to += len;
2633 first = false;
1da177e4 2634 }
99dbbb59
AV		 2635 if (!from[len])
2636 break;
2637 from += len + 1;
2638 }
2639 *to = '\0';
2640 return 0;
fec63753
GZ		 2641
2642free_opt:
2643 if (*mnt_opts) {
2644 selinux_free_mnt_opts(*mnt_opts);
2645 *mnt_opts = NULL;
2646 }
2647 return rc;
1da177e4
LT		 2648}
2649
69c4a42d
OK		 2650static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2651{
2652 struct selinux_mnt_opts *opts = mnt_opts;
0266c25e 2653 struct superblock_security_struct *sbsec = selinux_superblock(sb);
69c4a42d
OK		 2654
2655 /*
2656 * Superblock not initialized (i.e. no options) - reject if any
2657 * options specified, otherwise accept.
2658 */
2659 if (!(sbsec->flags & SE_SBINITIALIZED))
2660 return opts ? 1 : 0;
2661
2662 /*
2663 * Superblock initialized and no options specified - reject if
2664 * superblock has any options set, otherwise accept.
2665 */
2666 if (!opts)
2667 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2668
70f4169a
OM		 2669 if (opts->fscontext_sid) {
2670 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2671 opts->fscontext_sid))
69c4a42d
OK		 2672 return 1;
2673 }
70f4169a
OM		 2674 if (opts->context_sid) {
2675 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2676 opts->context_sid))
69c4a42d
OK		 2677 return 1;
2678 }
70f4169a
OM		 2679 if (opts->rootcontext_sid) {
2680 struct inode_security_struct *root_isec;
b8b87fd9 2681
70f4169a
OM		 2682 root_isec = backing_inode_security(sb->s_root);
2683 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2684 opts->rootcontext_sid))
69c4a42d 2685 return 1;
70f4169a
OM		 2686 }
2687 if (opts->defcontext_sid) {
2688 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2689 opts->defcontext_sid))
69c4a42d
OK		 2690 return 1;
2691 }
2692 return 0;
2693}
2694
204cc0cc 2695static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2696{
bd323655 2697 struct selinux_mnt_opts *opts = mnt_opts;
1aea7808 2698 struct superblock_security_struct *sbsec = selinux_superblock(sb);
026eb167
EP		 2699
2700 if (!(sbsec->flags & SE_SBINITIALIZED))
2701 return 0;
2702
204cc0cc 2703 if (!opts)
026eb167
EP		 2704 return 0;
2705
70f4169a 2706 if (opts->fscontext_sid) {
6bc1968c
SM		 2707 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2708 opts->fscontext_sid))
bd323655 2709 goto out_bad_option;
026eb167 2710 }
70f4169a 2711 if (opts->context_sid) {
6bc1968c
SM		 2712 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2713 opts->context_sid))
bd323655
AV		 2714 goto out_bad_option;
2715 }
70f4169a 2716 if (opts->rootcontext_sid) {
bd323655
AV		 2717 struct inode_security_struct *root_isec;
2718 root_isec = backing_inode_security(sb->s_root);
6bc1968c
SM		 2719 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2720 opts->rootcontext_sid))
bd323655
AV		 2721 goto out_bad_option;
2722 }
70f4169a 2723 if (opts->defcontext_sid) {
6bc1968c
SM		 2724 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2725 opts->defcontext_sid))
bd323655 2726 goto out_bad_option;
026eb167 2727 }
c039bc3c 2728 return 0;
026eb167 2729
026eb167 2730out_bad_option:
c103a91e 2731 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2732 "during remount (dev %s, type=%s)\n", sb->s_id,
2733 sb->s_type->name);
c039bc3c 2734 return -EINVAL;
026eb167
EP		 2735}
2736
20a2aa47 2737static int selinux_sb_kern_mount(const struct super_block *sb)
1da177e4 2738{
88e67f3b 2739 const struct cred *cred = current_cred();
2bf49690 2740 struct common_audit_data ad;
74192246 2741
50c205f5 2742 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2743 ad.u.dentry = sb->s_root;
88e67f3b 2744 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2745}
2746
726c3342 2747static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2748{
88e67f3b 2749 const struct cred *cred = current_cred();
2bf49690 2750 struct common_audit_data ad;
1da177e4 2751
50c205f5 2752 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2753 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2754 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2755}
2756
808d4e3c 2757static int selinux_mount(const char *dev_name,
8a04c43b 2758 const struct path *path,
808d4e3c 2759 const char *type,
828dfe1d
EP		 2760 unsigned long flags,
2761 void *data)
1da177e4 2762{
88e67f3b 2763 const struct cred *cred = current_cred();
1da177e4
LT		 2764
2765 if (flags & MS_REMOUNT)
d8c9584e 2766 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2767 FILESYSTEM__REMOUNT, NULL);
1da177e4 2768 else
2875fa00 2769 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2770}
2771
98aa0034
SS		 2772static int selinux_move_mount(const struct path *from_path,
2773 const struct path *to_path)
2774{
2775 const struct cred *cred = current_cred();
2776
2777 return path_has_perm(cred, to_path, FILE__MOUNTON);
2778}
2779
1da177e4
LT		 2780static int selinux_umount(struct vfsmount *mnt, int flags)
2781{
88e67f3b 2782 const struct cred *cred = current_cred();
1da177e4 2783
88e67f3b 2784 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2785 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2786}
2787
d80a8f1b
DH		 2788static int selinux_fs_context_submount(struct fs_context *fc,
2789 struct super_block *reference)
2790{
ccf1dab9 2791 const struct superblock_security_struct *sbsec = selinux_superblock(reference);
d80a8f1b
DH		 2792 struct selinux_mnt_opts *opts;
2793
ccf1dab9
OM		 2794 /*
2795 * Ensure that fc->security remains NULL when no options are set
2796 * as expected by selinux_set_mnt_opts().
2797 */
2798 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2799 return 0;
2800
d80a8f1b
DH		 2801 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2802 if (!opts)
2803 return -ENOMEM;
2804
d80a8f1b
DH		 2805 if (sbsec->flags & FSCONTEXT_MNT)
2806 opts->fscontext_sid = sbsec->sid;
2807 if (sbsec->flags & CONTEXT_MNT)
2808 opts->context_sid = sbsec->mntpoint_sid;
2809 if (sbsec->flags & DEFCONTEXT_MNT)
2810 opts->defcontext_sid = sbsec->def_sid;
2811 fc->security = opts;
2812 return 0;
2813}
2814
0b52075e
AV		 2815static int selinux_fs_context_dup(struct fs_context *fc,
2816 struct fs_context *src_fc)
2817{
2818 const struct selinux_mnt_opts *src = src_fc->security;
0b52075e
AV		 2819
2820 if (!src)
2821 return 0;
2822
70f4169a
OM		 2823 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2824 return fc->security ? 0 : -ENOMEM;
0b52075e
AV		 2825}
2826
d7167b14 2827static const struct fs_parameter_spec selinux_fs_parameters[] = {
442155c1
DH		 2828 fsparam_string(CONTEXT_STR, Opt_context),
2829 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2830 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2831 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2832 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2833 {}
2834};
2835
442155c1
DH		 2836static int selinux_fs_context_parse_param(struct fs_context *fc,
2837 struct fs_parameter *param)
2838{
2839 struct fs_parse_result result;
cad140d0 2840 int opt;
442155c1 2841
d7167b14 2842 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
442155c1
DH		 2843 if (opt < 0)
2844 return opt;
2845
cad140d0 2846 return selinux_add_opt(opt, param->string, &fc->security);
442155c1
DH		 2847}
2848
1da177e4
LT		 2849/* inode security operations */
2850
2851static int selinux_inode_alloc_security(struct inode *inode)
2852{
cb89e246
PM		 2853 struct inode_security_struct *isec = selinux_inode(inode);
2854 u32 sid = current_sid();
2855
2856 spin_lock_init(&isec->lock);
2857 INIT_LIST_HEAD(&isec->list);
2858 isec->inode = inode;
2859 isec->sid = SECINITSID_UNLABELED;
2860 isec->sclass = SECCLASS_FILE;
2861 isec->task_sid = sid;
2862 isec->initialized = LABEL_INVALID;
2863
2864 return 0;
1da177e4
LT		 2865}
2866
2867static void selinux_inode_free_security(struct inode *inode)
2868{
2869 inode_free_security(inode);
2870}
2871
d47be3df 2872static int selinux_dentry_init_security(struct dentry *dentry, int mode,
15bf3239
VG		 2873 const struct qstr *name,
2874 const char **xattr_name, void **ctx,
d47be3df
DQ		 2875 u32 *ctxlen)
2876{
d47be3df
DQ		 2877 u32 newsid;
2878 int rc;
2879
0c6cfa62 2880 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2881 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2882 inode_mode_to_security_class(mode),
2883 &newsid);
2884 if (rc)
2885 return rc;
d47be3df 2886
15bf3239
VG		 2887 if (xattr_name)
2888 *xattr_name = XATTR_NAME_SELINUX;
2889
e67b7985 2890 return security_sid_to_context(newsid, (char **)ctx,
aa8e712c 2891 ctxlen);
d47be3df
DQ		 2892}
2893
a518b0a5
VG		 2894static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2895 struct qstr *name,
2896 const struct cred *old,
2897 struct cred *new)
2898{
2899 u32 newsid;
2900 int rc;
2901 struct task_security_struct *tsec;
2902
0c6cfa62 2903 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2904 d_inode(dentry->d_parent), name,
2905 inode_mode_to_security_class(mode),
2906 &newsid);
2907 if (rc)
2908 return rc;
2909
0c6cfa62 2910 tsec = selinux_cred(new);
a518b0a5
VG		 2911 tsec->create_sid = newsid;
2912 return 0;
2913}
2914
5e41ff9e 2915static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b 2916 const struct qstr *qstr,
6bcdfd2c 2917 struct xattr *xattrs, int *xattr_count)
5e41ff9e 2918{
0c6cfa62 2919 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2920 struct superblock_security_struct *sbsec;
6bcdfd2c 2921 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
c0d4f464 2922 u32 newsid, clen;
90593caf 2923 u16 newsclass;
5e41ff9e 2924 int rc;
9548906b 2925 char *context;
5e41ff9e 2926
1aea7808 2927 sbsec = selinux_superblock(dir->i_sb);
5e41ff9e 2928
275bb41e 2929 newsid = tsec->create_sid;
90593caf
PM		 2930 newsclass = inode_mode_to_security_class(inode->i_mode);
2931 rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);
c3c188b2
DH		 2932 if (rc)
2933 return rc;
5e41ff9e 2934
296fddf7 2935 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2936 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2937 struct inode_security_struct *isec = selinux_inode(inode);
90593caf 2938 isec->sclass = newsclass;
296fddf7 2939 isec->sid = newsid;
6f3be9f5 2940 isec->initialized = LABEL_INITIALIZED;
296fddf7 2941 }
5e41ff9e 2942
e67b7985 2943 if (!selinux_initialized() ||
65cddd50 2944 !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2945 return -EOPNOTSUPP;
2946
6bcdfd2c 2947 if (xattr) {
e67b7985 2948 rc = security_sid_to_context_force(newsid,
aa8e712c 2949 &context, &clen);
9548906b 2950 if (rc)
570bc1c2 2951 return rc;
6bcdfd2c
RS		 2952 xattr->value = context;
2953 xattr->value_len = clen;
2954 xattr->name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2955 }
5e41ff9e 2956
5e41ff9e
SS		 2957 return 0;
2958}
2959
29cd6591
DC		 2960static int selinux_inode_init_security_anon(struct inode *inode,
2961 const struct qstr *name,
2962 const struct inode *context_inode)
2963{
2964 const struct task_security_struct *tsec = selinux_cred(current_cred());
2965 struct common_audit_data ad;
2966 struct inode_security_struct *isec;
2967 int rc;
2968
e67b7985 2969 if (unlikely(!selinux_initialized()))
29cd6591
DC		 2970 return 0;
2971
2972 isec = selinux_inode(inode);
2973
2974 /*
2975 * We only get here once per ephemeral inode. The inode has
2976 * been initialized via inode_alloc_security but is otherwise
2977 * untouched.
2978 */
2979
2980 if (context_inode) {
2981 struct inode_security_struct *context_isec =
2982 selinux_inode(context_inode);
2983 if (context_isec->initialized != LABEL_INITIALIZED) {
e5faa839 2984 pr_err("SELinux: context_inode is not initialized\n");
29cd6591
DC		 2985 return -EACCES;
2986 }
2987
2988 isec->sclass = context_isec->sclass;
2989 isec->sid = context_isec->sid;
2990 } else {
2991 isec->sclass = SECCLASS_ANON_INODE;
2992 rc = security_transition_sid(
e67b7985 2993 tsec->sid, tsec->sid,
29cd6591
DC		 2994 isec->sclass, name, &isec->sid);
2995 if (rc)
2996 return rc;
2997 }
2998
2999 isec->initialized = LABEL_INITIALIZED;
3000 /*
3001 * Now that we've initialized security, check whether we're
3002 * allowed to actually create this type of anonymous inode.
3003 */
3004
c29722fa
CG		 3005 ad.type = LSM_AUDIT_DATA_ANONINODE;
3006 ad.u.anonclass = name ? (const char *)name->name : "?";
29cd6591 3007
e67b7985 3008 return avc_has_perm(tsec->sid,
29cd6591
DC		 3009 isec->sid,
3010 isec->sclass,
3011 FILE__CREATE,
3012 &ad);
3013}
3014
4acdaf27 3015static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3016{
3017 return may_create(dir, dentry, SECCLASS_FILE);
3018}
3019
1da177e4
LT		 3020static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3021{
1da177e4
LT		 3022 return may_link(dir, old_dentry, MAY_LINK);
3023}
3024
1da177e4
LT		 3025static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3026{
1da177e4
LT		 3027 return may_link(dir, dentry, MAY_UNLINK);
3028}
3029
3030static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3031{
3032 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3033}
3034
18bb1db3 3035static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3036{
3037 return may_create(dir, dentry, SECCLASS_DIR);
3038}
3039
1da177e4
LT		 3040static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3041{
3042 return may_link(dir, dentry, MAY_RMDIR);
3043}
3044
1a67aafb 3045static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3046{
1da177e4
LT		 3047 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3048}
3049
1da177e4 3050static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3051 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3052{
3053 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3054}
3055
1da177e4
LT		 3056static int selinux_inode_readlink(struct dentry *dentry)
3057{
88e67f3b
DH		 3058 const struct cred *cred = current_cred();
3059
2875fa00 3060 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3061}
3062
bda0be7a
N		 3063static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3064 bool rcu)
1da177e4 3065{
88e67f3b 3066 const struct cred *cred = current_cred();
bda0be7a
N		 3067 struct common_audit_data ad;
3068 struct inode_security_struct *isec;
3069 u32 sid;
1da177e4 3070
bda0be7a
N		 3071 ad.type = LSM_AUDIT_DATA_DENTRY;
3072 ad.u.dentry = dentry;
3073 sid = cred_sid(cred);
5d226df4
AG		 3074 isec = inode_security_rcu(inode, rcu);
3075 if (IS_ERR(isec))
3076 return PTR_ERR(isec);
bda0be7a 3077
e67b7985 3078 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
1da177e4
LT		 3079}
3080
d4cf970d
EP		 3081static noinline int audit_inode_permission(struct inode *inode,
3082 u32 perms, u32 audited, u32 denied,
0188d5c0 3083 int result)
1da177e4 3084{
b782e0a6 3085 struct common_audit_data ad;
80788c22 3086 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d 3087
50c205f5 3088 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3089 ad.u.inode = inode;
3090
e67b7985 3091 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
0188d5c0 3092 audited, denied, result, &ad);
d4cf970d
EP		 3093}
3094
e74f71eb 3095static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3096{
88e67f3b 3097 const struct cred *cred = current_cred();
b782e0a6
EP		 3098 u32 perms;
3099 bool from_access;
5298d0b9 3100 bool no_block = mask & MAY_NOT_BLOCK;
2e334057
EP		 3101 struct inode_security_struct *isec;
3102 u32 sid;
3103 struct av_decision avd;
3104 int rc, rc2;
3105 u32 audited, denied;
1da177e4 3106
b782e0a6 3107 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3108 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3109
b782e0a6
EP		 3110 /* No permission to check. Existence test. */
3111 if (!mask)
1da177e4 3112 return 0;
1da177e4 3113
2e334057
EP		 3114 if (unlikely(IS_PRIVATE(inode)))
3115 return 0;
b782e0a6
EP		 3116
3117 perms = file_mask_to_av(inode->i_mode, mask);
3118
2e334057 3119 sid = cred_sid(cred);
5298d0b9 3120 isec = inode_security_rcu(inode, no_block);
5d226df4
AG		 3121 if (IS_ERR(isec))
3122 return PTR_ERR(isec);
2e334057 3123
e67b7985 3124 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3a28cff3 3125 &avd);
2e334057
EP		 3126 audited = avc_audit_required(perms, &avd, rc,
3127 from_access ? FILE__AUDIT_ACCESS : 0,
3128 &denied);
3129 if (likely(!audited))
3130 return rc;
3131
0188d5c0 3132 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
2e334057
EP		 3133 if (rc2)
3134 return rc2;
3135 return rc;
1da177e4
LT		 3136}
3137
3138static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3139{
88e67f3b 3140 const struct cred *cred = current_cred();
ccb54478 3141 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3142 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3143 __u32 av = FILE__WRITE;
1da177e4 3144
bc6a6008
AW		 3145 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3146 if (ia_valid & ATTR_FORCE) {
3147 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3148 ATTR_FORCE);
3149 if (!ia_valid)
3150 return 0;
3151 }
1da177e4 3152
bc6a6008
AW		 3153 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3154 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3155 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3156
aa8e712c 3157 if (selinux_policycap_openperm() &&
ccb54478
SS		 3158 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3159 (ia_valid & ATTR_SIZE) &&
3160 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3161 av |= FILE__OPEN;
3162
3163 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3164}
3165
3f7036a0 3166static int selinux_inode_getattr(const struct path *path)
1da177e4 3167{
3f7036a0 3168 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3169}
3170
db59000a
SS		 3171static bool has_cap_mac_admin(bool audit)
3172{
3173 const struct cred *cred = current_cred();
c1a85a00 3174 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3175
c1a85a00 3176 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3177 return false;
c1a85a00 3178 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3179 return false;
3180 return true;
3181}
3182
39f60c1c 3183static int selinux_inode_setxattr(struct mnt_idmap *idmap,
71bc356f 3184 struct dentry *dentry, const char *name,
8f0cfa52 3185 const void *value, size_t size, int flags)
1da177e4 3186{
c6f493d6 3187 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3188 struct inode_security_struct *isec;
1da177e4 3189 struct superblock_security_struct *sbsec;
2bf49690 3190 struct common_audit_data ad;
275bb41e 3191 u32 newsid, sid = current_sid();
1da177e4
LT		 3192 int rc = 0;
3193
6b240306
EB		 3194 if (strcmp(name, XATTR_NAME_SELINUX)) {
3195 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3196 if (rc)
3197 return rc;
3198
3199 /* Not an attribute we recognize, so just check the
3200 ordinary setattr permission. */
3201 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3202 }
1da177e4 3203
e67b7985 3204 if (!selinux_initialized())
01beba79 3205 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3e3e24b4 3206
1aea7808 3207 sbsec = selinux_superblock(inode->i_sb);
12f348b9 3208 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3209 return -EOPNOTSUPP;
3210
01beba79 3211 if (!inode_owner_or_capable(idmap, inode))
1da177e4
LT		 3212 return -EPERM;
3213
50c205f5 3214 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3215 ad.u.dentry = dentry;
1da177e4 3216
20cdef8d 3217 isec = backing_inode_security(dentry);
e67b7985 3218 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3219 FILE__RELABELFROM, &ad);
3220 if (rc)
3221 return rc;
3222
e67b7985 3223 rc = security_context_to_sid(value, size, &newsid,
aa8e712c 3224 GFP_KERNEL);
12b29f34 3225 if (rc == -EINVAL) {
db59000a 3226 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3227 struct audit_buffer *ab;
3228 size_t audit_size;
d6ea83ec
EP		 3229
3230 /* We strip a nul only if it is at the end, otherwise the
3231 * context contains a nul and we should audit that */
e3fea3f7 3232 if (value) {
add24372
CIK		 3233 const char *str = value;
3234
e3fea3f7
AV		 3235 if (str[size - 1] == '\0')
3236 audit_size = size - 1;
3237 else
3238 audit_size = size;
3239 } else {
e3fea3f7
AV		 3240 audit_size = 0;
3241 }
cdfb6b34
RGB		 3242 ab = audit_log_start(audit_context(),
3243 GFP_ATOMIC, AUDIT_SELINUX_ERR);
893c47d1
AK		 3244 if (!ab)
3245 return rc;
d6ea83ec
EP		 3246 audit_log_format(ab, "op=setxattr invalid_context=");
3247 audit_log_n_untrustedstring(ab, value, audit_size);
3248 audit_log_end(ab);
3249
12b29f34 3250 return rc;
d6ea83ec 3251 }
e67b7985 3252 rc = security_context_to_sid_force(value,
aa8e712c 3253 size, &newsid);
12b29f34 3254 }
1da177e4
LT		 3255 if (rc)
3256 return rc;
3257
e67b7985 3258 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3259 FILE__RELABELTO, &ad);
3260 if (rc)
3261 return rc;
3262
e67b7985 3263 rc = security_validate_transition(isec->sid, newsid,
aa8e712c 3264 sid, isec->sclass);
1da177e4
LT		 3265 if (rc)
3266 return rc;
3267
e67b7985 3268 return avc_has_perm(newsid,
1da177e4
LT		 3269 sbsec->sid,
3270 SECCLASS_FILESYSTEM,
3271 FILESYSTEM__ASSOCIATE,
3272 &ad);
3273}
3274
700b7940 3275static int selinux_inode_set_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3276 struct dentry *dentry, const char *acl_name,
3277 struct posix_acl *kacl)
3278{
3279 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3280}
3281
700b7940 3282static int selinux_inode_get_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3283 struct dentry *dentry, const char *acl_name)
3284{
3285 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3286}
3287
700b7940 3288static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
1bdeb218
CB		 3289 struct dentry *dentry, const char *acl_name)
3290{
3291 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3292}
3293
8f0cfa52 3294static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3295 const void *value, size_t size,
8f0cfa52 3296 int flags)
1da177e4 3297{
c6f493d6 3298 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3299 struct inode_security_struct *isec;
1da177e4
LT		 3300 u32 newsid;
3301 int rc;
3302
3303 if (strcmp(name, XATTR_NAME_SELINUX)) {
3304 /* Not an attribute we recognize, so nothing to do. */
3305 return;
3306 }
3307
e67b7985 3308 if (!selinux_initialized()) {
3e3e24b4
JL		 3309 /* If we haven't even been initialized, then we can't validate
3310 * against a policy, so leave the label as invalid. It may
3311 * resolve to a valid label on the next revalidation try if
3312 * we've since initialized.
3313 */
3314 return;
3315 }
3316
e67b7985 3317 rc = security_context_to_sid_force(value, size,
aa8e712c 3318 &newsid);
1da177e4 3319 if (rc) {
c103a91e 3320 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3321 "for (%s, %lu), rc=%d\n",
3322 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3323 return;
3324 }
3325
20cdef8d 3326 isec = backing_inode_security(dentry);
9287aed2 3327 spin_lock(&isec->lock);
aa9c2669 3328 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3329 isec->sid = newsid;
6f3be9f5 3330 isec->initialized = LABEL_INITIALIZED;
9287aed2 3331 spin_unlock(&isec->lock);
1da177e4
LT		 3332}
3333
8f0cfa52 3334static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3335{
88e67f3b
DH		 3336 const struct cred *cred = current_cred();
3337
2875fa00 3338 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3339}
3340
828dfe1d 3341static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3342{
88e67f3b
DH		 3343 const struct cred *cred = current_cred();
3344
2875fa00 3345 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3346}
3347
39f60c1c 3348static int selinux_inode_removexattr(struct mnt_idmap *idmap,
71bc356f 3349 struct dentry *dentry, const char *name)
1da177e4 3350{
6b240306 3351 if (strcmp(name, XATTR_NAME_SELINUX)) {
39f60c1c 3352 int rc = cap_inode_removexattr(idmap, dentry, name);
6b240306
EB		 3353 if (rc)
3354 return rc;
3355
3356 /* Not an attribute we recognize, so just check the
3357 ordinary setattr permission. */
3358 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3359 }
1da177e4 3360
e67b7985 3361 if (!selinux_initialized())
9530a3e0
SS		 3362 return 0;
3363
1da177e4
LT		 3364 /* No one is allowed to remove a SELinux security label.
3365 You can change the label, but all data must be labeled. */
3366 return -EACCES;
3367}
3368
ac5656d8
AG		 3369static int selinux_path_notify(const struct path *path, u64 mask,
3370 unsigned int obj_type)
3371{
3372 int ret;
3373 u32 perm;
3374
3375 struct common_audit_data ad;
3376
3377 ad.type = LSM_AUDIT_DATA_PATH;
3378 ad.u.path = *path;
3379
3380 /*
3381 * Set permission needed based on the type of mark being set.
3382 * Performs an additional check for sb watches.
3383 */
3384 switch (obj_type) {
3385 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3386 perm = FILE__WATCH_MOUNT;
3387 break;
3388 case FSNOTIFY_OBJ_TYPE_SB:
3389 perm = FILE__WATCH_SB;
3390 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3391 FILESYSTEM__WATCH, &ad);
3392 if (ret)
3393 return ret;
3394 break;
3395 case FSNOTIFY_OBJ_TYPE_INODE:
3396 perm = FILE__WATCH;
3397 break;
3398 default:
3399 return -EINVAL;
3400 }
3401
3402 /* blocking watches require the file:watch_with_perm permission */
3403 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3404 perm |= FILE__WATCH_WITH_PERM;
3405
3406 /* watches on read-like events need the file:watch_reads permission */
3407 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3408 perm |= FILE__WATCH_READS;
3409
3410 return path_has_perm(current_cred(), path, perm);
3411}
3412
d381d8a9 3413/*
abc69bb6 3414 * Copy the inode security context value to the user.
d381d8a9
JM		 3415 *
3416 * Permission check is handled by selinux_inode_getxattr hook.
3417 */
4609e1f1 3418static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
71bc356f
CB		 3419 struct inode *inode, const char *name,
3420 void **buffer, bool alloc)
1da177e4 3421{
42492594
DQ		 3422 u32 size;
3423 int error;
3424 char *context = NULL;
20cdef8d 3425 struct inode_security_struct *isec;
d381d8a9 3426
c8e22261
JL		 3427 /*
3428 * If we're not initialized yet, then we can't validate contexts, so
3429 * just let vfs_getxattr fall back to using the on-disk xattr.
3430 */
e67b7985 3431 if (!selinux_initialized() ||
c8e22261 3432 strcmp(name, XATTR_SELINUX_SUFFIX))
8c8570fb 3433 return -EOPNOTSUPP;
d381d8a9 3434
abc69bb6
SS		 3435 /*
3436 * If the caller has CAP_MAC_ADMIN, then get the raw context
3437 * value even if it is not defined by current policy; otherwise,
3438 * use the in-core value under current policy.
3439 * Use the non-auditing forms of the permission checks since
3440 * getxattr may be called by unprivileged processes commonly
3441 * and lack of permission just means that we fall back to the
3442 * in-core context value, not a denial.
3443 */
20cdef8d 3444 isec = inode_security(inode);
db59000a 3445 if (has_cap_mac_admin(false))
e67b7985 3446 error = security_sid_to_context_force(isec->sid, &context,
abc69bb6
SS		 3447 &size);
3448 else
e67b7985 3449 error = security_sid_to_context(isec->sid,
aa8e712c 3450 &context, &size);
42492594
DQ		 3451 if (error)
3452 return error;
3453 error = size;
3454 if (alloc) {
3455 *buffer = context;
3456 goto out_nofree;
3457 }
3458 kfree(context);
3459out_nofree:
3460 return error;
1da177e4
LT		 3461}
3462
3463static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3464 const void *value, size_t size, int flags)
1da177e4 3465{
2c97165b 3466 struct inode_security_struct *isec = inode_security_novalidate(inode);
1aea7808 3467 struct superblock_security_struct *sbsec;
1da177e4
LT		 3468 u32 newsid;
3469 int rc;
3470
3471 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3472 return -EOPNOTSUPP;
3473
1aea7808 3474 sbsec = selinux_superblock(inode->i_sb);
53e0c2aa
OM		 3475 if (!(sbsec->flags & SBLABEL_MNT))
3476 return -EOPNOTSUPP;
3477
1da177e4
LT		 3478 if (!value || !size)
3479 return -EACCES;
3480
e67b7985 3481 rc = security_context_to_sid(value, size, &newsid,
aa8e712c 3482 GFP_KERNEL);
1da177e4
LT		 3483 if (rc)
3484 return rc;
3485
9287aed2 3486 spin_lock(&isec->lock);
aa9c2669 3487 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3488 isec->sid = newsid;
6f3be9f5 3489 isec->initialized = LABEL_INITIALIZED;
9287aed2 3490 spin_unlock(&isec->lock);
1da177e4
LT		 3491 return 0;
3492}
3493
3494static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3495{
3496 const int len = sizeof(XATTR_NAME_SELINUX);
a9ffe682 3497
e67b7985 3498 if (!selinux_initialized())
a9ffe682
AG		 3499 return 0;
3500
1da177e4
LT		 3501 if (buffer && len <= buffer_size)
3502 memcpy(buffer, XATTR_NAME_SELINUX, len);
3503 return len;
3504}
3505
d6335d77 3506static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3507{
e817c2f3 3508 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3509 *secid = isec->sid;
3510}
3511
56909eb3
VG		 3512static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3513{
3514 u32 sid;
3515 struct task_security_struct *tsec;
3516 struct cred *new_creds = *new;
3517
3518 if (new_creds == NULL) {
3519 new_creds = prepare_creds();
3520 if (!new_creds)
3521 return -ENOMEM;
3522 }
3523
0c6cfa62 3524 tsec = selinux_cred(new_creds);
56909eb3
VG		 3525 /* Get label from overlay inode and set it in create_sid */
3526 selinux_inode_getsecid(d_inode(src), &sid);
3527 tsec->create_sid = sid;
3528 *new = new_creds;
3529 return 0;
3530}
3531
19472b69
VG		 3532static int selinux_inode_copy_up_xattr(const char *name)
3533{
3534 /* The copy_up hook above sets the initial context on an inode, but we
3535 * don't then want to overwrite it by blindly copying all the lower
3536 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3537 */
3538 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3539 return 1; /* Discard */
3540 /*
3541 * Any other attribute apart from SELINUX is not claimed, supported
3542 * by selinux.
3543 */
3544 return -EOPNOTSUPP;
3545}
3546
ec882da5
OM		 3547/* kernfs node operations */
3548
c72c4cde
Y		 3549static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3550 struct kernfs_node *kn)
ec882da5 3551{
169ce0c0 3552 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3553 u32 parent_sid, newsid, clen;
3554 int rc;
3555 char *context;
3556
1537ad15 3557 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3558 if (rc == -ENODATA)
3559 return 0;
3560 else if (rc < 0)
3561 return rc;
3562
3563 clen = (u32)rc;
3564 context = kmalloc(clen, GFP_KERNEL);
3565 if (!context)
3566 return -ENOMEM;
3567
1537ad15 3568 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3569 if (rc < 0) {
3570 kfree(context);
3571 return rc;
3572 }
3573
e67b7985 3574 rc = security_context_to_sid(context, clen, &parent_sid,
ec882da5
OM		 3575 GFP_KERNEL);
3576 kfree(context);
3577 if (rc)
3578 return rc;
3579
3580 if (tsec->create_sid) {
3581 newsid = tsec->create_sid;
3582 } else {
3583 u16 secclass = inode_mode_to_security_class(kn->mode);
3584 struct qstr q;
3585
3586 q.name = kn->name;
3587 q.hash_len = hashlen_string(kn_dir, kn->name);
3588
e67b7985 3589 rc = security_transition_sid(tsec->sid,
ec882da5
OM		 3590 parent_sid, secclass, &q,
3591 &newsid);
3592 if (rc)
3593 return rc;
3594 }
3595
e67b7985 3596 rc = security_sid_to_context_force(newsid,
ec882da5
OM		 3597 &context, &clen);
3598 if (rc)
3599 return rc;
3600
1537ad15
OM		 3601 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3602 XATTR_CREATE);
ec882da5
OM		 3603 kfree(context);
3604 return rc;
3605}
3606
3607
1da177e4
LT		 3608/* file security operations */
3609
788e7dd4 3610static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3611{
88e67f3b 3612 const struct cred *cred = current_cred();
496ad9aa 3613 struct inode *inode = file_inode(file);
1da177e4 3614
1da177e4
LT		 3615 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3616 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3617 mask |= MAY_APPEND;
3618
389fb800
PM		 3619 return file_has_perm(cred, file,
3620 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3621}
3622
788e7dd4
YN		 3623static int selinux_file_permission(struct file *file, int mask)
3624{
496ad9aa 3625 struct inode *inode = file_inode(file);
bb6c6b02 3626 struct file_security_struct *fsec = selinux_file(file);
b197367e 3627 struct inode_security_struct *isec;
20dda18b
SS		 3628 u32 sid = current_sid();
3629
389fb800 3630 if (!mask)
788e7dd4
YN		 3631 /* No permission to check. Existence test. */
3632 return 0;
788e7dd4 3633
b197367e 3634 isec = inode_security(inode);
20dda18b 3635 if (sid == fsec->sid && fsec->isid == isec->sid &&
e67b7985 3636 fsec->pseqno == avc_policy_seqno())
83d49856 3637 /* No change since file_open check. */
20dda18b
SS		 3638 return 0;
3639
788e7dd4
YN		 3640 return selinux_revalidate_file_permission(file, mask);
3641}
3642
1da177e4
LT		 3643static int selinux_file_alloc_security(struct file *file)
3644{
cb89e246
PM		 3645 struct file_security_struct *fsec = selinux_file(file);
3646 u32 sid = current_sid();
3647
3648 fsec->sid = sid;
3649 fsec->fown_sid = sid;
3650
3651 return 0;
1da177e4
LT		 3652}
3653
fa1aa143
JVS		 3654/*
3655 * Check whether a task has the ioctl permission and cmd
3656 * operation to an inode.
3657 */
1d2a168a 3658static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3659 u32 requested, u16 cmd)
3660{
3661 struct common_audit_data ad;
bb6c6b02 3662 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3663 struct inode *inode = file_inode(file);
20cdef8d 3664 struct inode_security_struct *isec;
fa1aa143
JVS		 3665 struct lsm_ioctlop_audit ioctl;
3666 u32 ssid = cred_sid(cred);
3667 int rc;
3668 u8 driver = cmd >> 8;
3669 u8 xperm = cmd & 0xff;
3670
3671 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3672 ad.u.op = &ioctl;
3673 ad.u.op->cmd = cmd;
3674 ad.u.op->path = file->f_path;
3675
3676 if (ssid != fsec->sid) {
e67b7985 3677 rc = avc_has_perm(ssid, fsec->sid,
fa1aa143
JVS		 3678 SECCLASS_FD,
3679 FD__USE,
3680 &ad);
3681 if (rc)
3682 goto out;
3683 }
3684
3685 if (unlikely(IS_PRIVATE(inode)))
3686 return 0;
3687
20cdef8d 3688 isec = inode_security(inode);
e67b7985 3689 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
6b6bc620 3690 requested, driver, xperm, &ad);
fa1aa143
JVS		 3691out:
3692 return rc;
3693}
3694
1da177e4
LT		 3695static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3696 unsigned long arg)
3697{
88e67f3b 3698 const struct cred *cred = current_cred();
0b24dcb7 3699 int error = 0;
1da177e4 3700
0b24dcb7
EP		 3701 switch (cmd) {
3702 case FIONREAD:
0b24dcb7 3703 case FIBMAP:
0b24dcb7 3704 case FIGETBSZ:
2f99c369 3705 case FS_IOC_GETFLAGS:
2f99c369 3706 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3707 error = file_has_perm(cred, file, FILE__GETATTR);
3708 break;
1da177e4 3709
2f99c369 3710 case FS_IOC_SETFLAGS:
2f99c369 3711 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3712 error = file_has_perm(cred, file, FILE__SETATTR);
3713 break;
3714
3715 /* sys_ioctl() checks */
3716 case FIONBIO:
0b24dcb7
EP		 3717 case FIOASYNC:
3718 error = file_has_perm(cred, file, 0);
3719 break;
1da177e4 3720
0b24dcb7
EP		 3721 case KDSKBENT:
3722 case KDSKBSENT:
6a9de491 3723 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3724 CAP_OPT_NONE, true);
0b24dcb7
EP		 3725 break;
3726
65881e1d
RH		 3727 case FIOCLEX:
3728 case FIONCLEX:
3729 if (!selinux_policycap_ioctl_skip_cloexec())
3730 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3731 break;
3732
0b24dcb7
EP		 3733 /* default case assumes that the command will go
3734 * to the file's ioctl() function.
3735 */
3736 default:
fa1aa143 3737 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3738 }
3739 return error;
1da177e4
LT		 3740}
3741
f1bb47a3
AP		 3742static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3743 unsigned long arg)
3744{
3745 /*
3746 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3747 * make sure we don't compare 32-bit flags to 64-bit flags.
3748 */
3749 switch (cmd) {
3750 case FS_IOC32_GETFLAGS:
3751 cmd = FS_IOC_GETFLAGS;
3752 break;
3753 case FS_IOC32_SETFLAGS:
3754 cmd = FS_IOC_SETFLAGS;
3755 break;
3756 case FS_IOC32_GETVERSION:
3757 cmd = FS_IOC_GETVERSION;
3758 break;
3759 case FS_IOC32_SETVERSION:
3760 cmd = FS_IOC_SETVERSION;
3761 break;
3762 default:
3763 break;
3764 }
3765
3766 return selinux_file_ioctl(file, cmd, arg);
3767}
3768
b78b7d59 3769static int default_noexec __ro_after_init;
fcaaade1 3770
1da177e4
LT		 3771static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3772{
88e67f3b 3773 const struct cred *cred = current_cred();
be0554c9 3774 u32 sid = cred_sid(cred);
d84f4f99 3775 int rc = 0;
88e67f3b 3776
fcaaade1 3777 if (default_noexec &&
892e8cac
SS		 3778 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3779 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3780 /*
3781 * We are making executable an anonymous mapping or a
3782 * private file mapping that will also be writable.
3783 * This has an additional check.
3784 */
e67b7985 3785 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3786 PROCESS__EXECMEM, NULL);
1da177e4 3787 if (rc)
d84f4f99 3788 goto error;
1da177e4 3789 }
1da177e4
LT		 3790
3791 if (file) {
3792 /* read access is always possible with a mapping */
3793 u32 av = FILE__READ;
3794
3795 /* write access only matters if the mapping is shared */
3796 if (shared && (prot & PROT_WRITE))
3797 av |= FILE__WRITE;
3798
3799 if (prot & PROT_EXEC)
3800 av |= FILE__EXECUTE;
3801
88e67f3b 3802 return file_has_perm(cred, file, av);
1da177e4 3803 }
d84f4f99
DH		 3804
3805error:
3806 return rc;
1da177e4
LT		 3807}
3808
e5467859 3809static int selinux_mmap_addr(unsigned long addr)
1da177e4 3810{
b1d9e6b0 3811 int rc = 0;
1da177e4 3812
a2551df7 3813 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3814 u32 sid = current_sid();
e67b7985 3815 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
ed032189 3816 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3817 }
3818
98883bfd 3819 return rc;
e5467859 3820}
1da177e4 3821
a7e4676e
PM		 3822static int selinux_mmap_file(struct file *file,
3823 unsigned long reqprot __always_unused,
e5467859
AV		 3824 unsigned long prot, unsigned long flags)
3825{
3ba4bf5f
SS		 3826 struct common_audit_data ad;
3827 int rc;
3828
3829 if (file) {
3830 ad.type = LSM_AUDIT_DATA_FILE;
3831 ad.u.file = file;
3832 rc = inode_has_perm(current_cred(), file_inode(file),
3833 FILE__MAP, &ad);
3834 if (rc)
3835 return rc;
3836 }
3837
1da177e4
LT		 3838 return file_map_prot_check(file, prot,
3839 (flags & MAP_TYPE) == MAP_SHARED);
3840}
3841
3842static int selinux_file_mprotect(struct vm_area_struct *vma,
a7e4676e 3843 unsigned long reqprot __always_unused,
1da177e4
LT		 3844 unsigned long prot)
3845{
88e67f3b 3846 const struct cred *cred = current_cred();
be0554c9 3847 u32 sid = cred_sid(cred);
1da177e4 3848
fcaaade1
SS		 3849 if (default_noexec &&
3850 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3851 int rc = 0;
68df1baf 3852 if (vma_is_initial_heap(vma)) {
e67b7985 3853 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3854 PROCESS__EXECHEAP, NULL);
68df1baf 3855 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
d17af505 3856 vma_is_stack_for_current(vma))) {
e67b7985 3857 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
be0554c9 3858 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3859 } else if (vma->vm_file && vma->anon_vma) {
3860 /*
3861 * We are making executable a file mapping that has
3862 * had some COW done. Since pages might have been
3863 * written, check ability to execute the possibly
3864 * modified content. This typically should only
3865 * occur for text relocations.
3866 */
d84f4f99 3867 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3868 }