projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Infrastructure management of the cred security blob
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
23970741 82#include <linux/mutex.h>
f06febc9 83#include <linux/posix-timers.h>
00234592 84#include <linux/syslog.h>
3486740a 85#include <linux/user_namespace.h>
44fc7ea0 86#include <linux/export.h>
40401530
AV		 87#include <linux/msg.h>
88#include <linux/shm.h>
ec27c356 89#include <linux/bpf.h>
e262e32d 90#include <uapi/linux/mount.h>
1da177e4
LT		 91
92#include "avc.h"
93#include "objsec.h"
94#include "netif.h"
224dfbd8 95#include "netnode.h"
3e112172 96#include "netport.h"
409dcf31 97#include "ibpkey.h"
d28d1e08 98#include "xfrm.h"
c60475bf 99#include "netlabel.h"
9d57a7f9 100#include "audit.h"
7b98a585 101#include "avc_ss.h"
1da177e4 102
aa8e712c
SS		 103struct selinux_state selinux_state;
104
d621d35e 105/* SECMARK reference count */
56a4ca99 106static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 107
1da177e4 108#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 109static int selinux_enforcing_boot;
1da177e4
LT		 110
111static int __init enforcing_setup(char *str)
112{
f5269710 113 unsigned long enforcing;
29707b20 114 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 115 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 116 return 1;
117}
118__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 119#else
120#define selinux_enforcing_boot 1
1da177e4
LT		 121#endif
122
be6ec88f 123int selinux_enabled __lsm_ro_after_init = 1;
1da177e4 124#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 125static int __init selinux_enabled_setup(char *str)
126{
f5269710 127 unsigned long enabled;
29707b20 128 if (!kstrtoul(str, 0, &enabled))
f5269710 129 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 130 return 1;
131}
132__setup("selinux=", selinux_enabled_setup);
133#endif
134
aa8e712c
SS		 135static unsigned int selinux_checkreqprot_boot =
136 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
137
138static int __init checkreqprot_setup(char *str)
139{
140 unsigned long checkreqprot;
141
142 if (!kstrtoul(str, 0, &checkreqprot))
143 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
144 return 1;
145}
146__setup("checkreqprot=", checkreqprot_setup);
147
e18b890b 148static struct kmem_cache *sel_inode_cache;
63205654 149static struct kmem_cache *file_security_cache;
7cae7e26 150
d621d35e
PM		 151/**
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153 *
154 * Description:
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 160 *
161 */
162static int selinux_secmark_enabled(void)
163{
aa8e712c
SS		 164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 166}
167
168/**
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170 *
171 * Description:
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
176 *
177 */
178static int selinux_peerlbl_enabled(void)
179{
aa8e712c
SS		 180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 182}
183
615e51fd
PM		 184static int selinux_netcache_avc_callback(u32 event)
185{
186 if (event == AVC_CALLBACK_RESET) {
187 sel_netif_flush();
188 sel_netnode_flush();
189 sel_netport_flush();
190 synchronize_net();
191 }
192 return 0;
193}
194
8f408ab6
DJ		 195static int selinux_lsm_notifier_avc_callback(u32 event)
196{
409dcf31
DJ		 197 if (event == AVC_CALLBACK_RESET) {
198 sel_ib_pkey_flush();
8f408ab6 199 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 200 }
8f408ab6
DJ		 201
202 return 0;
203}
204
d84f4f99
DH		 205/*
206 * initialise the security for the init task
207 */
208static void cred_init_security(void)
1da177e4 209{
3b11a1de 210 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 211 struct task_security_struct *tsec;
212
bbd3662a
CS		 213 lsm_early_cred(cred);
214 tsec = selinux_cred(cred);
d84f4f99 215 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 216}
217
88e67f3b
DH		 218/*
219 * get the security ID of a set of credentials
220 */
221static inline u32 cred_sid(const struct cred *cred)
222{
223 const struct task_security_struct *tsec;
224
0c6cfa62 225 tsec = selinux_cred(cred);
88e67f3b
DH		 226 return tsec->sid;
227}
228
275bb41e 229/*
3b11a1de 230 * get the objective security ID of a task
275bb41e
DH		 231 */
232static inline u32 task_sid(const struct task_struct *task)
233{
275bb41e
DH		 234 u32 sid;
235
236 rcu_read_lock();
88e67f3b 237 sid = cred_sid(__task_cred(task));
275bb41e
DH		 238 rcu_read_unlock();
239 return sid;
240}
241
88e67f3b
DH		 242/* Allocate and free functions for each kind of security blob. */
243
1da177e4
LT		 244static int inode_alloc_security(struct inode *inode)
245{
1da177e4 246 struct inode_security_struct *isec;
275bb41e 247 u32 sid = current_sid();
1da177e4 248
a02fe132 249 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 250 if (!isec)
251 return -ENOMEM;
252
9287aed2 253 spin_lock_init(&isec->lock);
1da177e4 254 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 255 isec->inode = inode;
256 isec->sid = SECINITSID_UNLABELED;
257 isec->sclass = SECCLASS_FILE;
275bb41e 258 isec->task_sid = sid;
42059112 259 isec->initialized = LABEL_INVALID;
1da177e4
LT		 260 inode->i_security = isec;
261
262 return 0;
263}
264
5d226df4
AG		 265static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
266
267/*
268 * Try reloading inode security labels that have been marked as invalid. The
269 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 270 * allowed; when set to false, returns -ECHILD when the label is
e9193288 271 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 272 */
273static int __inode_security_revalidate(struct inode *inode,
e9193288 274 struct dentry *dentry,
5d226df4
AG		 275 bool may_sleep)
276{
277 struct inode_security_struct *isec = inode->i_security;
278
279 might_sleep_if(may_sleep);
280
aa8e712c
SS		 281 if (selinux_state.initialized &&
282 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 283 if (!may_sleep)
284 return -ECHILD;
285
286 /*
287 * Try reloading the inode security label. This will fail if
288 * @opt_dentry is NULL and no dentry for this inode can be
289 * found; in that case, continue using the old label.
290 */
e9193288 291 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 292 }
293 return 0;
294}
295
5d226df4
AG		 296static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
297{
298 return inode->i_security;
299}
300
301static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
302{
303 int error;
304
305 error = __inode_security_revalidate(inode, NULL, !rcu);
306 if (error)
307 return ERR_PTR(error);
308 return inode->i_security;
309}
310
83da53c5
AG		 311/*
312 * Get the security label of an inode.
313 */
314static struct inode_security_struct *inode_security(struct inode *inode)
315{
5d226df4 316 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 317 return inode->i_security;
318}
319
2c97165b
PM		 320static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
321{
322 struct inode *inode = d_backing_inode(dentry);
323
324 return inode->i_security;
325}
326
83da53c5
AG		 327/*
328 * Get the security label of a dentry's backing inode.
329 */
330static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
331{
332 struct inode *inode = d_backing_inode(dentry);
333
5d226df4 334 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 335 return inode->i_security;
336}
337
3dc91d43
SR		 338static void inode_free_rcu(struct rcu_head *head)
339{
340 struct inode_security_struct *isec;
341
342 isec = container_of(head, struct inode_security_struct, rcu);
343 kmem_cache_free(sel_inode_cache, isec);
344}
345
1da177e4
LT		 346static void inode_free_security(struct inode *inode)
347{
348 struct inode_security_struct *isec = inode->i_security;
349 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
350
9629d04a
WL		 351 /*
352 * As not all inode security structures are in a list, we check for
353 * empty list outside of the lock to make sure that we won't waste
354 * time taking a lock doing nothing.
355 *
356 * The list_del_init() function can be safely called more than once.
357 * It should not be possible for this function to be called with
358 * concurrent list_add(), but for better safety against future changes
359 * in the code, we use list_empty_careful() here.
360 */
361 if (!list_empty_careful(&isec->list)) {
362 spin_lock(&sbsec->isec_lock);
1da177e4 363 list_del_init(&isec->list);
9629d04a
WL		 364 spin_unlock(&sbsec->isec_lock);
365 }
1da177e4 366
3dc91d43
SR		 367 /*
368 * The inode may still be referenced in a path walk and
369 * a call to selinux_inode_permission() can be made
370 * after inode_free_security() is called. Ideally, the VFS
371 * wouldn't do this, but fixing that is a much harder
372 * job. For now, simply free the i_security via RCU, and
373 * leave the current inode->i_security pointer intact.
374 * The inode will be freed after the RCU grace period too.
375 */
376 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 377}
378
379static int file_alloc_security(struct file *file)
380{
1da177e4 381 struct file_security_struct *fsec;
275bb41e 382 u32 sid = current_sid();
1da177e4 383
63205654 384 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 385 if (!fsec)
386 return -ENOMEM;
387
275bb41e
DH		 388 fsec->sid = sid;
389 fsec->fown_sid = sid;
1da177e4
LT		 390 file->f_security = fsec;
391
392 return 0;
393}
394
395static void file_free_security(struct file *file)
396{
397 struct file_security_struct *fsec = file->f_security;
1da177e4 398 file->f_security = NULL;
63205654 399 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 400}
401
402static int superblock_alloc_security(struct super_block *sb)
403{
404 struct superblock_security_struct *sbsec;
405
89d155ef 406 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 407 if (!sbsec)
408 return -ENOMEM;
409
bc7e982b 410 mutex_init(&sbsec->lock);
1da177e4
LT		 411 INIT_LIST_HEAD(&sbsec->isec_head);
412 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 413 sbsec->sb = sb;
414 sbsec->sid = SECINITSID_UNLABELED;
415 sbsec->def_sid = SECINITSID_FILE;
c312feb2 416 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 417 sb->s_security = sbsec;
418
419 return 0;
420}
421
422static void superblock_free_security(struct super_block *sb)
423{
424 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 425 sb->s_security = NULL;
426 kfree(sbsec);
427}
428
bd323655
AV		 429struct selinux_mnt_opts {
430 const char *fscontext, *context, *rootcontext, *defcontext;
431};
432
204cc0cc
AV		 433static void selinux_free_mnt_opts(void *mnt_opts)
434{
bd323655
AV		 435 struct selinux_mnt_opts *opts = mnt_opts;
436 kfree(opts->fscontext);
437 kfree(opts->context);
438 kfree(opts->rootcontext);
439 kfree(opts->defcontext);
204cc0cc
AV		 440 kfree(opts);
441}
442
1da177e4
LT		 443static inline int inode_doinit(struct inode *inode)
444{
445 return inode_doinit_with_dentry(inode, NULL);
446}
447
448enum {
31e87930 449 Opt_error = -1,
1da177e4
LT		 450 Opt_context = 1,
451 Opt_fscontext = 2,
c9180a57
EP		 452 Opt_defcontext = 3,
453 Opt_rootcontext = 4,
da3d76ab 454 Opt_seclabel = 5,
1da177e4
LT		 455};
456
da3d76ab 457#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 458static struct {
459 const char *name;
460 int len;
461 int opt;
462 bool has_arg;
463} tokens[] = {
da3d76ab
AV		 464 A(context, true),
465 A(fscontext, true),
466 A(defcontext, true),
467 A(rootcontext, true),
468 A(seclabel, false),
1da177e4 469};
169d68ef
AV		 470#undef A
471
472static int match_opt_prefix(char *s, int l, char **arg)
473{
474 int i;
475
476 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
477 size_t len = tokens[i].len;
478 if (len > l || memcmp(s, tokens[i].name, len))
479 continue;
480 if (tokens[i].has_arg) {
481 if (len == l || s[len] != '=')
482 continue;
483 *arg = s + len + 1;
484 } else if (len != l)
485 continue;
486 return tokens[i].opt;
487 }
488 return Opt_error;
489}
1da177e4
LT		 490
491#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
492
c312feb2
EP		 493static int may_context_mount_sb_relabel(u32 sid,
494 struct superblock_security_struct *sbsec,
275bb41e 495 const struct cred *cred)
c312feb2 496{
0c6cfa62 497 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 498 int rc;
499
6b6bc620
SS		 500 rc = avc_has_perm(&selinux_state,
501 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 502 FILESYSTEM__RELABELFROM, NULL);
503 if (rc)
504 return rc;
505
6b6bc620
SS		 506 rc = avc_has_perm(&selinux_state,
507 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 508 FILESYSTEM__RELABELTO, NULL);
509 return rc;
510}
511
0808925e
EP		 512static int may_context_mount_inode_relabel(u32 sid,
513 struct superblock_security_struct *sbsec,
275bb41e 514 const struct cred *cred)
0808925e 515{
0c6cfa62 516 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 517 int rc;
6b6bc620
SS		 518 rc = avc_has_perm(&selinux_state,
519 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 520 FILESYSTEM__RELABELFROM, NULL);
521 if (rc)
522 return rc;
523
6b6bc620
SS		 524 rc = avc_has_perm(&selinux_state,
525 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 526 FILESYSTEM__ASSOCIATE, NULL);
527 return rc;
528}
529
b43e725d
EP		 530static int selinux_is_sblabel_mnt(struct super_block *sb)
531{
532 struct superblock_security_struct *sbsec = sb->s_security;
533
d5f3a5f6
MS		 534 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
535 sbsec->behavior == SECURITY_FS_USE_TRANS ||
536 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 537 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 538 /* Special handling. Genfs but also in-core setxattr handler */
539 !strcmp(sb->s_type->name, "sysfs") ||
540 !strcmp(sb->s_type->name, "pstore") ||
541 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 542 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 543 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 544 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 545 (!strcmp(sb->s_type->name, "cgroup") ||
546 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 547}
548
c9180a57 549static int sb_finish_set_opts(struct super_block *sb)
1da177e4 550{
1da177e4 551 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 552 struct dentry *root = sb->s_root;
c6f493d6 553 struct inode *root_inode = d_backing_inode(root);
c9180a57 554 int rc = 0;
1da177e4 555
c9180a57
EP		 556 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
557 /* Make sure that the xattr handler exists and that no
558 error other than -ENODATA is returned by getxattr on
559 the root directory. -ENODATA is ok, as this may be
560 the first boot of the SELinux kernel before we have
561 assigned xattr values to the filesystem. */
5d6c3191 562 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 563 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 564 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 565 rc = -EOPNOTSUPP;
566 goto out;
567 }
5d6c3191
AG		 568
569 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 570 if (rc < 0 && rc != -ENODATA) {
571 if (rc == -EOPNOTSUPP)
c103a91e 572 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 573 "%s) has no security xattr handler\n",
574 sb->s_id, sb->s_type->name);
c9180a57 575 else
c103a91e 576 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 577 "%s) getxattr errno %d\n", sb->s_id,
578 sb->s_type->name, -rc);
c9180a57
EP		 579 goto out;
580 }
581 }
1da177e4 582
eadcabc6 583 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 584
585 /*
586 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
587 * leave the flag untouched because sb_clone_mnt_opts might be handing
588 * us a superblock that needs the flag to be cleared.
589 */
b43e725d 590 if (selinux_is_sblabel_mnt(sb))
12f348b9 591 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 592 else
593 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 594
c9180a57
EP		 595 /* Initialize the root inode. */
596 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 597
c9180a57
EP		 598 /* Initialize any other inodes associated with the superblock, e.g.
599 inodes created prior to initial policy load or inodes created
600 during get_sb by a pseudo filesystem that directly
601 populates itself. */
602 spin_lock(&sbsec->isec_lock);
8d64124a 603 while (!list_empty(&sbsec->isec_head)) {
c9180a57 604 struct inode_security_struct *isec =
8d64124a 605 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 606 struct inode_security_struct, list);
607 struct inode *inode = isec->inode;
923190d3 608 list_del_init(&isec->list);
c9180a57
EP		 609 spin_unlock(&sbsec->isec_lock);
610 inode = igrab(inode);
611 if (inode) {
612 if (!IS_PRIVATE(inode))
613 inode_doinit(inode);
614 iput(inode);
615 }
616 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 617 }
618 spin_unlock(&sbsec->isec_lock);
619out:
620 return rc;
621}
1da177e4 622
c9180a57
EP		 623static int bad_option(struct superblock_security_struct *sbsec, char flag,
624 u32 old_sid, u32 new_sid)
625{
0d90a7ec
DQ		 626 char mnt_flags = sbsec->flags & SE_MNTMASK;
627
c9180a57 628 /* check if the old mount command had the same options */
0d90a7ec 629 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 630 if (!(sbsec->flags & flag) ||
631 (old_sid != new_sid))
632 return 1;
633
634 /* check if we were passed the same options twice,
635 * aka someone passed context=a,context=b
636 */
0d90a7ec
DQ		 637 if (!(sbsec->flags & SE_SBINITIALIZED))
638 if (mnt_flags & flag)
c9180a57
EP		 639 return 1;
640 return 0;
641}
e0007529 642
bd323655
AV		 643static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
644{
645 int rc = security_context_str_to_sid(&selinux_state, s,
646 sid, GFP_KERNEL);
647 if (rc)
648 pr_warn("SELinux: security_context_str_to_sid"
649 "(%s) failed for (dev %s, type %s) errno=%d\n",
650 s, sb->s_id, sb->s_type->name, rc);
651 return rc;
652}
653
c9180a57
EP		 654/*
655 * Allow filesystems with binary mount data to explicitly set mount point
656 * labeling information.
657 */
e0007529 658static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 659 void *mnt_opts,
649f6e77
DQ		 660 unsigned long kern_flags,
661 unsigned long *set_kern_flags)
c9180a57 662{
275bb41e 663 const struct cred *cred = current_cred();
c9180a57 664 struct superblock_security_struct *sbsec = sb->s_security;
83da53c5 665 struct dentry *root = sbsec->sb->s_root;
bd323655 666 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 667 struct inode_security_struct *root_isec;
c9180a57
EP		 668 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
669 u32 defcontext_sid = 0;
bd323655 670 int rc = 0;
c9180a57
EP		 671
672 mutex_lock(&sbsec->lock);
673
aa8e712c 674 if (!selinux_state.initialized) {
bd323655 675 if (!opts) {
c9180a57
EP		 676 /* Defer initialization until selinux_complete_init,
677 after the initial policy is loaded and the security
678 server is ready to handle calls. */
c9180a57
EP		 679 goto out;
680 }
681 rc = -EINVAL;
c103a91e 682 pr_warn("SELinux: Unable to set superblock options "
744ba35e 683 "before the security server is initialized\n");
1da177e4 684 goto out;
c9180a57 685 }
649f6e77
DQ		 686 if (kern_flags && !set_kern_flags) {
687 /* Specifying internal flags without providing a place to
688 * place the results is not allowed */
689 rc = -EINVAL;
690 goto out;
691 }
1da177e4 692
e0007529
EP		 693 /*
694 * Binary mount data FS will come through this function twice. Once
695 * from an explicit call and once from the generic calls from the vfs.
696 * Since the generic VFS calls will not contain any security mount data
697 * we need to skip the double mount verification.
698 *
699 * This does open a hole in which we will not notice if the first
700 * mount using this sb set explict options and a second mount using
701 * this sb does not set any security options. (The first options
702 * will be used for both mounts)
703 */
0d90a7ec 704 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 705 && !opts)
f5269710 706 goto out;
e0007529 707
2c97165b
PM		 708 root_isec = backing_inode_security_novalidate(root);
709
c9180a57
EP		 710 /*
711 * parse the mount options, check if they are valid sids.
712 * also check if someone is trying to mount the same sb more
713 * than once with different security options.
714 */
bd323655
AV		 715 if (opts) {
716 if (opts->fscontext) {
717 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
718 if (rc)
719 goto out;
c9180a57
EP		 720 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
721 fscontext_sid))
722 goto out_double_mount;
c9180a57 723 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 724 }
725 if (opts->context) {
726 rc = parse_sid(sb, opts->context, &context_sid);
727 if (rc)
728 goto out;
c9180a57
EP		 729 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
730 context_sid))
731 goto out_double_mount;
c9180a57 732 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 733 }
734 if (opts->rootcontext) {
735 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
736 if (rc)
737 goto out;
c9180a57
EP		 738 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
739 rootcontext_sid))
740 goto out_double_mount;
c9180a57 741 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 742 }
743 if (opts->defcontext) {
744 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
745 if (rc)
746 goto out;
c9180a57
EP		 747 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
748 defcontext_sid))
749 goto out_double_mount;
c9180a57 750 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 751 }
c9180a57
EP		 752 }
753
0d90a7ec 754 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 755 /* previously mounted with options, but not on this attempt? */
bd323655 756 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 757 goto out_double_mount;
758 rc = 0;
759 goto out;
760 }
761
089be43e 762 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 763 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
764
8e014720 765 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 766 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 767 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 768 !strcmp(sb->s_type->name, "pstore") ||
769 !strcmp(sb->s_type->name, "cgroup") ||
770 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 771 sbsec->flags |= SE_SBGENFS;
c9180a57 772
eb9ae686
DQ		 773 if (!sbsec->behavior) {
774 /*
775 * Determine the labeling behavior to use for this
776 * filesystem type.
777 */
aa8e712c 778 rc = security_fs_use(&selinux_state, sb);
eb9ae686 779 if (rc) {
c103a91e 780 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 781 __func__, sb->s_type->name, rc);
782 goto out;
783 }
c9180a57 784 }
aad82892
SF		 785
786 /*
01593d32
SS		 787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
aad82892 790 */
01593d32
SS		 791 if (sb->s_user_ns != &init_user_ns &&
792 strcmp(sb->s_type->name, "tmpfs") &&
793 strcmp(sb->s_type->name, "ramfs") &&
794 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 795 if (context_sid || fscontext_sid || rootcontext_sid ||
796 defcontext_sid) {
797 rc = -EACCES;
798 goto out;
799 }
800 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
801 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 802 rc = security_transition_sid(&selinux_state,
803 current_sid(),
804 current_sid(),
aad82892
SF		 805 SECCLASS_FILE, NULL,
806 &sbsec->mntpoint_sid);
807 if (rc)
808 goto out;
809 }
810 goto out_set_opts;
811 }
812
c9180a57
EP		 813 /* sets the context of the superblock for the fs being mounted. */
814 if (fscontext_sid) {
275bb41e 815 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 816 if (rc)
c9180a57 817 goto out;
1da177e4 818
c9180a57 819 sbsec->sid = fscontext_sid;
c312feb2
EP		 820 }
821
822 /*
823 * Switch to using mount point labeling behavior.
824 * sets the label used on all file below the mountpoint, and will set
825 * the superblock context if not already set.
826 */
eb9ae686
DQ		 827 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
828 sbsec->behavior = SECURITY_FS_USE_NATIVE;
829 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
830 }
831
c9180a57
EP		 832 if (context_sid) {
833 if (!fscontext_sid) {
275bb41e
DH		 834 rc = may_context_mount_sb_relabel(context_sid, sbsec,
835 cred);
b04ea3ce 836 if (rc)
c9180a57
EP		 837 goto out;
838 sbsec->sid = context_sid;
b04ea3ce 839 } else {
275bb41e
DH		 840 rc = may_context_mount_inode_relabel(context_sid, sbsec,
841 cred);
b04ea3ce 842 if (rc)
c9180a57 843 goto out;
b04ea3ce 844 }
c9180a57
EP		 845 if (!rootcontext_sid)
846 rootcontext_sid = context_sid;
1da177e4 847
c9180a57 848 sbsec->mntpoint_sid = context_sid;
c312feb2 849 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 850 }
851
c9180a57 852 if (rootcontext_sid) {
275bb41e
DH		 853 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
854 cred);
0808925e 855 if (rc)
c9180a57 856 goto out;
0808925e 857
c9180a57 858 root_isec->sid = rootcontext_sid;
6f3be9f5 859 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 860 }
861
c9180a57 862 if (defcontext_sid) {
eb9ae686
DQ		 863 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
864 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 865 rc = -EINVAL;
c103a91e 866 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 867 "invalid for this filesystem type\n");
868 goto out;
1da177e4
LT		 869 }
870
c9180a57
EP		 871 if (defcontext_sid != sbsec->def_sid) {
872 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 873 sbsec, cred);
c9180a57
EP		 874 if (rc)
875 goto out;
876 }
1da177e4 877
c9180a57 878 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 879 }
880
aad82892 881out_set_opts:
c9180a57 882 rc = sb_finish_set_opts(sb);
1da177e4 883out:
c9180a57 884 mutex_unlock(&sbsec->lock);
1da177e4 885 return rc;
c9180a57
EP		 886out_double_mount:
887 rc = -EINVAL;
c103a91e 888 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 889 "security settings for (dev %s, type %s)\n", sb->s_id,
890 sb->s_type->name);
c9180a57 891 goto out;
1da177e4
LT		 892}
893
094f7b69
JL		 894static int selinux_cmp_sb_context(const struct super_block *oldsb,
895 const struct super_block *newsb)
896{
897 struct superblock_security_struct *old = oldsb->s_security;
898 struct superblock_security_struct *new = newsb->s_security;
899 char oldflags = old->flags & SE_MNTMASK;
900 char newflags = new->flags & SE_MNTMASK;
901
902 if (oldflags != newflags)
903 goto mismatch;
904 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
905 goto mismatch;
906 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
907 goto mismatch;
908 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
909 goto mismatch;
910 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 911 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
912 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 913 if (oldroot->sid != newroot->sid)
914 goto mismatch;
915 }
916 return 0;
917mismatch:
c103a91e 918 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 919 "different security settings for (dev %s, "
920 "type %s)\n", newsb->s_id, newsb->s_type->name);
921 return -EBUSY;
922}
923
924static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 925 struct super_block *newsb,
926 unsigned long kern_flags,
927 unsigned long *set_kern_flags)
1da177e4 928{
0b4d3452 929 int rc = 0;
c9180a57
EP		 930 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
931 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 932
c9180a57
EP		 933 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
934 int set_context = (oldsbsec->flags & CONTEXT_MNT);
935 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 936
0f5e6420
EP		 937 /*
938 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 939 * mount options. thus we can safely deal with this superblock later
0f5e6420 940 */
aa8e712c 941 if (!selinux_state.initialized)
094f7b69 942 return 0;
c9180a57 943
0b4d3452
SM		 944 /*
945 * Specifying internal flags without providing a place to
946 * place the results is not allowed.
947 */
948 if (kern_flags && !set_kern_flags)
949 return -EINVAL;
950
c9180a57 951 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 952 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 953
094f7b69 954 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 955 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 956 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 957
c9180a57
EP		 958 mutex_lock(&newsbsec->lock);
959
960 newsbsec->flags = oldsbsec->flags;
961
962 newsbsec->sid = oldsbsec->sid;
963 newsbsec->def_sid = oldsbsec->def_sid;
964 newsbsec->behavior = oldsbsec->behavior;
965
0b4d3452
SM		 966 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
967 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 968 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 969 if (rc)
970 goto out;
971 }
972
973 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
974 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
975 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
976 }
977
c9180a57
EP		 978 if (set_context) {
979 u32 sid = oldsbsec->mntpoint_sid;
980
981 if (!set_fscontext)
982 newsbsec->sid = sid;
983 if (!set_rootcontext) {
83da53c5 984 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 985 newisec->sid = sid;
986 }
987 newsbsec->mntpoint_sid = sid;
1da177e4 988 }
c9180a57 989 if (set_rootcontext) {
83da53c5
AG		 990 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
991 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 992
c9180a57 993 newisec->sid = oldisec->sid;
1da177e4
LT		 994 }
995
c9180a57 996 sb_finish_set_opts(newsb);
0b4d3452 997out:
c9180a57 998 mutex_unlock(&newsbsec->lock);
0b4d3452 999 return rc;
c9180a57
EP		 1000}
1001
ba641862 1002static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 1003{
ba641862 1004 struct selinux_mnt_opts *opts = *mnt_opts;
1da177e4 1005
da3d76ab 1006 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef 1007 return 0;
e0007529 1008
ba641862
AV		 1009 if (!opts) {
1010 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1011 if (!opts)
1012 return -ENOMEM;
1013 *mnt_opts = opts;
c9180a57 1014 }
ba641862
AV		 1015 if (!s)
1016 return -ENOMEM;
1017 switch (token) {
1018 case Opt_context:
1019 if (opts->context || opts->defcontext)
1020 goto Einval;
1021 opts->context = s;
1022 break;
1023 case Opt_fscontext:
1024 if (opts->fscontext)
1025 goto Einval;
1026 opts->fscontext = s;
1027 break;
1028 case Opt_rootcontext:
1029 if (opts->rootcontext)
1030 goto Einval;
1031 opts->rootcontext = s;
1032 break;
1033 case Opt_defcontext:
1034 if (opts->context || opts->defcontext)
1035 goto Einval;
1036 opts->defcontext = s;
1037 break;
c9180a57 1038 }
e0007529 1039 return 0;
ba641862
AV		 1040Einval:
1041 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1042 return -EINVAL;
1da177e4 1043}
e0007529 1044
757cbe59
AV		 1045static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1046 void **mnt_opts)
c9180a57 1047{
757cbe59
AV		 1048 int token = Opt_error;
1049 int rc, i;
e0007529 1050
757cbe59
AV		 1051 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1052 if (strcmp(option, tokens[i].name) == 0) {
1053 token = tokens[i].opt;
1054 break;
169d68ef 1055 }
757cbe59 1056 }
e0007529 1057
757cbe59
AV		 1058 if (token == Opt_error)
1059 return -EINVAL;
e0007529 1060
757cbe59
AV		 1061 if (token != Opt_seclabel)
1062 val = kmemdup_nul(val, len, GFP_KERNEL);
1063 rc = selinux_add_opt(token, val, mnt_opts);
1064 if (unlikely(rc)) {
1065 kfree(val);
1066 if (*mnt_opts) {
169d68ef
AV		 1067 selinux_free_mnt_opts(*mnt_opts);
1068 *mnt_opts = NULL;
1da177e4 1069 }
1da177e4 1070 }
e0007529
EP		 1071 return rc;
1072}
1da177e4 1073
e3489f89 1074static int show_sid(struct seq_file *m, u32 sid)
2069f457 1075{
e3489f89
AV		 1076 char *context = NULL;
1077 u32 len;
1078 int rc;
11689d47 1079
e3489f89
AV		 1080 rc = security_sid_to_context(&selinux_state, sid,
1081 &context, &len);
1082 if (!rc) {
1083 bool has_comma = context && strchr(context, ',');
2069f457 1084
2069f457
EP		 1085 if (has_comma)
1086 seq_putc(m, '\"');
e3489f89 1087 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1088 if (has_comma)
1089 seq_putc(m, '\"');
1090 }
e3489f89
AV		 1091 kfree(context);
1092 return rc;
2069f457
EP		 1093}
1094
1095static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1096{
e3489f89 1097 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1098 int rc;
1099
e3489f89
AV		 1100 if (!(sbsec->flags & SE_SBINITIALIZED))
1101 return 0;
2069f457 1102
e3489f89
AV		 1103 if (!selinux_state.initialized)
1104 return 0;
2069f457 1105
e3489f89
AV		 1106 if (sbsec->flags & FSCONTEXT_MNT) {
1107 seq_putc(m, ',');
1108 seq_puts(m, FSCONTEXT_STR);
1109 rc = show_sid(m, sbsec->sid);
1110 if (rc)
1111 return rc;
1112 }
1113 if (sbsec->flags & CONTEXT_MNT) {
1114 seq_putc(m, ',');
1115 seq_puts(m, CONTEXT_STR);
1116 rc = show_sid(m, sbsec->mntpoint_sid);
1117 if (rc)
1118 return rc;
1119 }
1120 if (sbsec->flags & DEFCONTEXT_MNT) {
1121 seq_putc(m, ',');
1122 seq_puts(m, DEFCONTEXT_STR);
1123 rc = show_sid(m, sbsec->def_sid);
1124 if (rc)
1125 return rc;
1126 }
1127 if (sbsec->flags & ROOTCONTEXT_MNT) {
1128 struct dentry *root = sbsec->sb->s_root;
1129 struct inode_security_struct *isec = backing_inode_security(root);
1130 seq_putc(m, ',');
1131 seq_puts(m, ROOTCONTEXT_STR);
1132 rc = show_sid(m, isec->sid);
1133 if (rc)
1134 return rc;
1135 }
1136 if (sbsec->flags & SBLABEL_MNT) {
1137 seq_putc(m, ',');
1138 seq_puts(m, LABELSUPP_STR);
1139 }
1140 return 0;
2069f457
EP		 1141}
1142
1da177e4
LT		 1143static inline u16 inode_mode_to_security_class(umode_t mode)
1144{
1145 switch (mode & S_IFMT) {
1146 case S_IFSOCK:
1147 return SECCLASS_SOCK_FILE;
1148 case S_IFLNK:
1149 return SECCLASS_LNK_FILE;
1150 case S_IFREG:
1151 return SECCLASS_FILE;
1152 case S_IFBLK:
1153 return SECCLASS_BLK_FILE;
1154 case S_IFDIR:
1155 return SECCLASS_DIR;
1156 case S_IFCHR:
1157 return SECCLASS_CHR_FILE;
1158 case S_IFIFO:
1159 return SECCLASS_FIFO_FILE;
1160
1161 }
1162
1163 return SECCLASS_FILE;
1164}
1165
13402580
JM		 1166static inline int default_protocol_stream(int protocol)
1167{
1168 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1169}
1170
1171static inline int default_protocol_dgram(int protocol)
1172{
1173 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1174}
1175
1da177e4
LT		 1176static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1177{
aa8e712c 1178 int extsockclass = selinux_policycap_extsockclass();
da69a530 1179
1da177e4
LT		 1180 switch (family) {
1181 case PF_UNIX:
1182 switch (type) {
1183 case SOCK_STREAM:
1184 case SOCK_SEQPACKET:
1185 return SECCLASS_UNIX_STREAM_SOCKET;
1186 case SOCK_DGRAM:
2a764b52 1187 case SOCK_RAW:
1da177e4
LT		 1188 return SECCLASS_UNIX_DGRAM_SOCKET;
1189 }
1190 break;
1191 case PF_INET:
1192 case PF_INET6:
1193 switch (type) {
1194 case SOCK_STREAM:
da69a530 1195 case SOCK_SEQPACKET:
13402580
JM		 1196 if (default_protocol_stream(protocol))
1197 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1198 else if (extsockclass && protocol == IPPROTO_SCTP)
1199 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1200 else
1201 return SECCLASS_RAWIP_SOCKET;
1da177e4 1202 case SOCK_DGRAM:
13402580
JM		 1203 if (default_protocol_dgram(protocol))
1204 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1205 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1206 protocol == IPPROTO_ICMPV6))
da69a530 1207 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1208 else
1209 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1210 case SOCK_DCCP:
1211 return SECCLASS_DCCP_SOCKET;
13402580 1212 default:
1da177e4
LT		 1213 return SECCLASS_RAWIP_SOCKET;
1214 }
1215 break;
1216 case PF_NETLINK:
1217 switch (protocol) {
1218 case NETLINK_ROUTE:
1219 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1220 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1221 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1222 case NETLINK_NFLOG:
1223 return SECCLASS_NETLINK_NFLOG_SOCKET;
1224 case NETLINK_XFRM:
1225 return SECCLASS_NETLINK_XFRM_SOCKET;
1226 case NETLINK_SELINUX:
1227 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1228 case NETLINK_ISCSI:
1229 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1230 case NETLINK_AUDIT:
1231 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1232 case NETLINK_FIB_LOOKUP:
1233 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1234 case NETLINK_CONNECTOR:
1235 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1236 case NETLINK_NETFILTER:
1237 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1238 case NETLINK_DNRTMSG:
1239 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1240 case NETLINK_KOBJECT_UEVENT:
1241 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1242 case NETLINK_GENERIC:
1243 return SECCLASS_NETLINK_GENERIC_SOCKET;
1244 case NETLINK_SCSITRANSPORT:
1245 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1246 case NETLINK_RDMA:
1247 return SECCLASS_NETLINK_RDMA_SOCKET;
1248 case NETLINK_CRYPTO:
1249 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1250 default:
1251 return SECCLASS_NETLINK_SOCKET;
1252 }
1253 case PF_PACKET:
1254 return SECCLASS_PACKET_SOCKET;
1255 case PF_KEY:
1256 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1257 case PF_APPLETALK:
1258 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1259 }
1260
da69a530
SS		 1261 if (extsockclass) {
1262 switch (family) {
1263 case PF_AX25:
1264 return SECCLASS_AX25_SOCKET;
1265 case PF_IPX:
1266 return SECCLASS_IPX_SOCKET;
1267 case PF_NETROM:
1268 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1269 case PF_ATMPVC:
1270 return SECCLASS_ATMPVC_SOCKET;
1271 case PF_X25:
1272 return SECCLASS_X25_SOCKET;
1273 case PF_ROSE:
1274 return SECCLASS_ROSE_SOCKET;
1275 case PF_DECnet:
1276 return SECCLASS_DECNET_SOCKET;
1277 case PF_ATMSVC:
1278 return SECCLASS_ATMSVC_SOCKET;
1279 case PF_RDS:
1280 return SECCLASS_RDS_SOCKET;
1281 case PF_IRDA:
1282 return SECCLASS_IRDA_SOCKET;
1283 case PF_PPPOX:
1284 return SECCLASS_PPPOX_SOCKET;
1285 case PF_LLC:
1286 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1287 case PF_CAN:
1288 return SECCLASS_CAN_SOCKET;
1289 case PF_TIPC:
1290 return SECCLASS_TIPC_SOCKET;
1291 case PF_BLUETOOTH:
1292 return SECCLASS_BLUETOOTH_SOCKET;
1293 case PF_IUCV:
1294 return SECCLASS_IUCV_SOCKET;
1295 case PF_RXRPC:
1296 return SECCLASS_RXRPC_SOCKET;
1297 case PF_ISDN:
1298 return SECCLASS_ISDN_SOCKET;
1299 case PF_PHONET:
1300 return SECCLASS_PHONET_SOCKET;
1301 case PF_IEEE802154:
1302 return SECCLASS_IEEE802154_SOCKET;
1303 case PF_CAIF:
1304 return SECCLASS_CAIF_SOCKET;
1305 case PF_ALG:
1306 return SECCLASS_ALG_SOCKET;
1307 case PF_NFC:
1308 return SECCLASS_NFC_SOCKET;
1309 case PF_VSOCK:
1310 return SECCLASS_VSOCK_SOCKET;
1311 case PF_KCM:
1312 return SECCLASS_KCM_SOCKET;
1313 case PF_QIPCRTR:
1314 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1315 case PF_SMC:
1316 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1317 case PF_XDP:
1318 return SECCLASS_XDP_SOCKET;
1319#if PF_MAX > 45
da69a530
SS		 1320#error New address family defined, please update this function.
1321#endif
1322 }
1323 }
1324
1da177e4
LT		 1325 return SECCLASS_SOCKET;
1326}
1327
134509d5
SS		 1328static int selinux_genfs_get_sid(struct dentry *dentry,
1329 u16 tclass,
1330 u16 flags,
1331 u32 *sid)
1da177e4 1332{
8e6c9693 1333 int rc;
fc64005c 1334 struct super_block *sb = dentry->d_sb;
8e6c9693 1335 char *buffer, *path;
1da177e4 1336
828dfe1d 1337 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1338 if (!buffer)
1339 return -ENOMEM;
1340
8e6c9693
LAG		 1341 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1342 if (IS_ERR(path))
1343 rc = PTR_ERR(path);
1344 else {
134509d5
SS		 1345 if (flags & SE_SBPROC) {
1346 /* each process gets a /proc/PID/ entry. Strip off the
1347 * PID part to get a valid selinux labeling.
1348 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1349 while (path[1] >= '0' && path[1] <= '9') {
1350 path[1] = '/';
1351 path++;
1352 }
8e6c9693 1353 }
aa8e712c
SS		 1354 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1355 path, tclass, sid);
7bb185ed
SS		 1356 if (rc == -ENOENT) {
1357 /* No match in policy, mark as unlabeled. */
1358 *sid = SECINITSID_UNLABELED;
1359 rc = 0;
1360 }
1da177e4 1361 }
1da177e4
LT		 1362 free_page((unsigned long)buffer);
1363 return rc;
1364}
1da177e4
LT		 1365
1366/* The inode's security attributes must be initialized before first use. */
1367static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1368{
1369 struct superblock_security_struct *sbsec = NULL;
1370 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1371 u32 task_sid, sid = 0;
1372 u16 sclass;
1da177e4
LT		 1373 struct dentry *dentry;
1374#define INITCONTEXTLEN 255
1375 char *context = NULL;
1376 unsigned len = 0;
1377 int rc = 0;
1da177e4 1378
6f3be9f5 1379 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1380 return 0;
1da177e4 1381
9287aed2 1382 spin_lock(&isec->lock);
6f3be9f5 1383 if (isec->initialized == LABEL_INITIALIZED)
23970741 1384 goto out_unlock;
1da177e4 1385
13457d07
AG		 1386 if (isec->sclass == SECCLASS_FILE)
1387 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1388
1da177e4 1389 sbsec = inode->i_sb->s_security;
0d90a7ec 1390 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1391 /* Defer initialization until selinux_complete_init,
1392 after the initial policy is loaded and the security
1393 server is ready to handle calls. */
1394 spin_lock(&sbsec->isec_lock);
1395 if (list_empty(&isec->list))
1396 list_add(&isec->list, &sbsec->isec_head);
1397 spin_unlock(&sbsec->isec_lock);
23970741 1398 goto out_unlock;
1da177e4
LT		 1399 }
1400
9287aed2
AG		 1401 sclass = isec->sclass;
1402 task_sid = isec->task_sid;
1403 sid = isec->sid;
1404 isec->initialized = LABEL_PENDING;
1405 spin_unlock(&isec->lock);
1406
1da177e4 1407 switch (sbsec->behavior) {
eb9ae686
DQ		 1408 case SECURITY_FS_USE_NATIVE:
1409 break;
1da177e4 1410 case SECURITY_FS_USE_XATTR:
5d6c3191 1411 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1412 sid = sbsec->def_sid;
1da177e4
LT		 1413 break;
1414 }
1da177e4
LT		 1415 /* Need a dentry, since the xattr API requires one.
1416 Life would be simpler if we could just pass the inode. */
1417 if (opt_dentry) {
1418 /* Called from d_instantiate or d_splice_alias. */
1419 dentry = dget(opt_dentry);
1420 } else {
b127125d
AV		 1421 /*
1422 * Called from selinux_complete_init, try to find a dentry.
1423 * Some filesystems really want a connected one, so try
1424 * that first. We could split SECURITY_FS_USE_XATTR in
1425 * two, depending upon that...
1426 */
1da177e4 1427 dentry = d_find_alias(inode);
b127125d
AV		 1428 if (!dentry)
1429 dentry = d_find_any_alias(inode);
1da177e4
LT		 1430 }
1431 if (!dentry) {
df7f54c0
EP		 1432 /*
1433 * this is can be hit on boot when a file is accessed
1434 * before the policy is loaded. When we load policy we
1435 * may find inodes that have no dentry on the
1436 * sbsec->isec_head list. No reason to complain as these
1437 * will get fixed up the next time we go through
1438 * inode_doinit with a dentry, before these inodes could
1439 * be used again by userspace.
1440 */
9287aed2 1441 goto out;
1da177e4
LT		 1442 }
1443
1444 len = INITCONTEXTLEN;
4cb912f1 1445 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1446 if (!context) {
1447 rc = -ENOMEM;
1448 dput(dentry);
9287aed2 1449 goto out;
1da177e4 1450 }
4cb912f1 1451 context[len] = '\0';
5d6c3191 1452 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1453 if (rc == -ERANGE) {
314dabb8
JM		 1454 kfree(context);
1455
1da177e4 1456 /* Need a larger buffer. Query for the right size. */
5d6c3191 1457 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1458 if (rc < 0) {
1459 dput(dentry);
9287aed2 1460 goto out;
1da177e4 1461 }
1da177e4 1462 len = rc;
4cb912f1 1463 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1464 if (!context) {
1465 rc = -ENOMEM;
1466 dput(dentry);
9287aed2 1467 goto out;
1da177e4 1468 }
4cb912f1 1469 context[len] = '\0';
5d6c3191 1470 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1471 }
1472 dput(dentry);
1473 if (rc < 0) {
1474 if (rc != -ENODATA) {
c103a91e 1475 pr_warn("SELinux: %s: getxattr returned "
dd6f953a 1476 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1477 -rc, inode->i_sb->s_id, inode->i_ino);
1478 kfree(context);
9287aed2 1479 goto out;
1da177e4
LT		 1480 }
1481 /* Map ENODATA to the default file SID */
1482 sid = sbsec->def_sid;
1483 rc = 0;
1484 } else {
aa8e712c
SS		 1485 rc = security_context_to_sid_default(&selinux_state,
1486 context, rc, &sid,
869ab514
SS		 1487 sbsec->def_sid,
1488 GFP_NOFS);
1da177e4 1489 if (rc) {
4ba0a8ad
EP		 1490 char *dev = inode->i_sb->s_id;
1491 unsigned long ino = inode->i_ino;
1492
1493 if (rc == -EINVAL) {
1494 if (printk_ratelimit())
c103a91e 1495 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
4ba0a8ad
EP		 1496 "context=%s. This indicates you may need to relabel the inode or the "
1497 "filesystem in question.\n", ino, dev, context);
1498 } else {
c103a91e 1499 pr_warn("SELinux: %s: context_to_sid(%s) "
4ba0a8ad
EP		 1500 "returned %d for dev=%s ino=%ld\n",
1501 __func__, context, -rc, dev, ino);
1502 }
1da177e4
LT		 1503 kfree(context);
1504 /* Leave with the unlabeled SID */
1505 rc = 0;
1506 break;
1507 }
1508 }
1509 kfree(context);
1da177e4
LT		 1510 break;
1511 case SECURITY_FS_USE_TASK:
9287aed2 1512 sid = task_sid;
1da177e4
LT		 1513 break;
1514 case SECURITY_FS_USE_TRANS:
1515 /* Default to the fs SID. */
9287aed2 1516 sid = sbsec->sid;
1da177e4
LT		 1517
1518 /* Try to obtain a transition SID. */
aa8e712c
SS		 1519 rc = security_transition_sid(&selinux_state, task_sid, sid,
1520 sclass, NULL, &sid);
1da177e4 1521 if (rc)
9287aed2 1522 goto out;
1da177e4 1523 break;
c312feb2 1524 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1525 sid = sbsec->mntpoint_sid;
c312feb2 1526 break;
1da177e4 1527 default:
c312feb2 1528 /* Default to the fs superblock SID. */
9287aed2 1529 sid = sbsec->sid;
1da177e4 1530
134509d5 1531 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1532 /* We must have a dentry to determine the label on
1533 * procfs inodes */
b127125d 1534 if (opt_dentry) {
f64410ec
PM		 1535 /* Called from d_instantiate or
1536 * d_splice_alias. */
1537 dentry = dget(opt_dentry);
b127125d 1538 } else {
f64410ec 1539 /* Called from selinux_complete_init, try to
b127125d
AV		 1540 * find a dentry. Some filesystems really want
1541 * a connected one, so try that first.
1542 */
f64410ec 1543 dentry = d_find_alias(inode);
b127125d
AV		 1544 if (!dentry)
1545 dentry = d_find_any_alias(inode);
1546 }
f64410ec
PM		 1547 /*
1548 * This can be hit on boot when a file is accessed
1549 * before the policy is loaded. When we load policy we
1550 * may find inodes that have no dentry on the
1551 * sbsec->isec_head list. No reason to complain as
1552 * these will get fixed up the next time we go through
1553 * inode_doinit() with a dentry, before these inodes
1554 * could be used again by userspace.
1555 */
1556 if (!dentry)
9287aed2
AG		 1557 goto out;
1558 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1559 sbsec->flags, &sid);
f64410ec
PM		 1560 dput(dentry);
1561 if (rc)
9287aed2 1562 goto out;
1da177e4
LT		 1563 }
1564 break;
1565 }
1566
9287aed2
AG		 1567out:
1568 spin_lock(&isec->lock);
1569 if (isec->initialized == LABEL_PENDING) {
1570 if (!sid || rc) {
1571 isec->initialized = LABEL_INVALID;
1572 goto out_unlock;
1573 }
1574
1575 isec->initialized = LABEL_INITIALIZED;
1576 isec->sid = sid;
1577 }
1da177e4 1578
23970741 1579out_unlock:
9287aed2 1580 spin_unlock(&isec->lock);
1da177e4
LT		 1581 return rc;
1582}
1583
1584/* Convert a Linux signal to an access vector. */
1585static inline u32 signal_to_av(int sig)
1586{
1587 u32 perm = 0;
1588
1589 switch (sig) {
1590 case SIGCHLD:
1591 /* Commonly granted from child to parent. */
1592 perm = PROCESS__SIGCHLD;
1593 break;
1594 case SIGKILL:
1595 /* Cannot be caught or ignored */
1596 perm = PROCESS__SIGKILL;
1597 break;
1598 case SIGSTOP:
1599 /* Cannot be caught or ignored */
1600 perm = PROCESS__SIGSTOP;
1601 break;
1602 default:
1603 /* All other signals. */
1604 perm = PROCESS__SIGNAL;
1605 break;
1606 }
1607
1608 return perm;
1609}
1610
b68e418c
SS		 1611#if CAP_LAST_CAP > 63
1612#error Fix SELinux to handle capabilities > 63.
1613#endif
1614
1da177e4 1615/* Check whether a task is allowed to use a capability. */
6a9de491 1616static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1617 int cap, int audit, bool initns)
1da177e4 1618{
2bf49690 1619 struct common_audit_data ad;
06112163 1620 struct av_decision avd;
b68e418c 1621 u16 sclass;
3699c53c 1622 u32 sid = cred_sid(cred);
b68e418c 1623 u32 av = CAP_TO_MASK(cap);
06112163 1624 int rc;
1da177e4 1625
50c205f5 1626 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1627 ad.u.cap = cap;
1628
b68e418c
SS		 1629 switch (CAP_TO_INDEX(cap)) {
1630 case 0:
8e4ff6f2 1631 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1632 break;
1633 case 1:
8e4ff6f2 1634 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1635 break;
1636 default:
c103a91e 1637 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1638 BUG();
a35c6c83 1639 return -EINVAL;
b68e418c 1640 }
06112163 1641
6b6bc620
SS		 1642 rc = avc_has_perm_noaudit(&selinux_state,
1643 sid, sid, sclass, av, 0, &avd);
9ade0cf4 1644 if (audit == SECURITY_CAP_AUDIT) {
6b6bc620
SS		 1645 int rc2 = avc_audit(&selinux_state,
1646 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1647 if (rc2)
1648 return rc2;
1649 }
06112163 1650 return rc;
1da177e4
LT		 1651}
1652
1da177e4
LT		 1653/* Check whether a task has a particular permission to an inode.
1654 The 'adp' parameter is optional and allows other audit
1655 data to be passed (e.g. the dentry). */
88e67f3b 1656static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1657 struct inode *inode,
1658 u32 perms,
19e49834 1659 struct common_audit_data *adp)
1da177e4 1660{
1da177e4 1661 struct inode_security_struct *isec;
275bb41e 1662 u32 sid;
1da177e4 1663
e0e81739
DH		 1664 validate_creds(cred);
1665
828dfe1d 1666 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1667 return 0;
1668
88e67f3b 1669 sid = cred_sid(cred);
1da177e4
LT		 1670 isec = inode->i_security;
1671
6b6bc620
SS		 1672 return avc_has_perm(&selinux_state,
1673 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1674}
1675
1676/* Same as inode_has_perm, but pass explicit audit data containing
1677 the dentry to help the auditing code to more easily generate the
1678 pathname if needed. */
88e67f3b 1679static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1680 struct dentry *dentry,
1681 u32 av)
1682{
c6f493d6 1683 struct inode *inode = d_backing_inode(dentry);
2bf49690 1684 struct common_audit_data ad;
88e67f3b 1685
50c205f5 1686 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1687 ad.u.dentry = dentry;
5d226df4 1688 __inode_security_revalidate(inode, dentry, true);
19e49834 1689 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1690}
1691
1692/* Same as inode_has_perm, but pass explicit audit data containing
1693 the path to help the auditing code to more easily generate the
1694 pathname if needed. */
1695static inline int path_has_perm(const struct cred *cred,
3f7036a0 1696 const struct path *path,
2875fa00
EP		 1697 u32 av)
1698{
c6f493d6 1699 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1700 struct common_audit_data ad;
1701
50c205f5 1702 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1703 ad.u.path = *path;
5d226df4 1704 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1705 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1706}
1707
13f8e981
DH		 1708/* Same as path_has_perm, but uses the inode from the file struct. */
1709static inline int file_path_has_perm(const struct cred *cred,
1710 struct file *file,
1711 u32 av)
1712{
1713 struct common_audit_data ad;
1714
43af5de7
VG		 1715 ad.type = LSM_AUDIT_DATA_FILE;
1716 ad.u.file = file;
19e49834 1717 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1718}
1719
f66e448c
CF		 1720#ifdef CONFIG_BPF_SYSCALL
1721static int bpf_fd_pass(struct file *file, u32 sid);
1722#endif
1723
1da177e4
LT		 1724/* Check whether a task can use an open file descriptor to
1725 access an inode in a given way. Check access to the
1726 descriptor itself, and then use dentry_has_perm to
1727 check a particular permission to the file.
1728 Access to the descriptor is implicitly granted if it
1729 has the same SID as the process. If av is zero, then
1730 access to the file is not checked, e.g. for cases
1731 where only the descriptor is affected like seek. */
88e67f3b
DH		 1732static int file_has_perm(const struct cred *cred,
1733 struct file *file,
1734 u32 av)
1da177e4 1735{
1da177e4 1736 struct file_security_struct *fsec = file->f_security;
496ad9aa 1737 struct inode *inode = file_inode(file);
2bf49690 1738 struct common_audit_data ad;
88e67f3b 1739 u32 sid = cred_sid(cred);
1da177e4
LT		 1740 int rc;
1741
43af5de7
VG		 1742 ad.type = LSM_AUDIT_DATA_FILE;
1743 ad.u.file = file;
1da177e4 1744
275bb41e 1745 if (sid != fsec->sid) {
6b6bc620
SS		 1746 rc = avc_has_perm(&selinux_state,
1747 sid, fsec->sid,
1da177e4
LT		 1748 SECCLASS_FD,
1749 FD__USE,
1750 &ad);
1751 if (rc)
88e67f3b 1752 goto out;
1da177e4
LT		 1753 }
1754
f66e448c
CF		 1755#ifdef CONFIG_BPF_SYSCALL
1756 rc = bpf_fd_pass(file, cred_sid(cred));
1757 if (rc)
1758 return rc;
1759#endif
1760
1da177e4 1761 /* av is zero if only checking access to the descriptor. */
88e67f3b 1762 rc = 0;
1da177e4 1763 if (av)
19e49834 1764 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1765
88e67f3b
DH		 1766out:
1767 return rc;
1da177e4
LT		 1768}
1769
c3c188b2
DH		 1770/*
1771 * Determine the label for an inode that might be unioned.
1772 */
c957f6df
VG		 1773static int
1774selinux_determine_inode_label(const struct task_security_struct *tsec,
1775 struct inode *dir,
1776 const struct qstr *name, u16 tclass,
1777 u32 *_new_isid)
c3c188b2
DH		 1778{
1779 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1780
1781 if ((sbsec->flags & SE_SBINITIALIZED) &&
1782 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1783 *_new_isid = sbsec->mntpoint_sid;
1784 } else if ((sbsec->flags & SBLABEL_MNT) &&
1785 tsec->create_sid) {
1786 *_new_isid = tsec->create_sid;
1787 } else {
20cdef8d 1788 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1789 return security_transition_sid(&selinux_state, tsec->sid,
1790 dsec->sid, tclass,
c3c188b2
DH		 1791 name, _new_isid);
1792 }
1793
1794 return 0;
1795}
1796
1da177e4
LT		 1797/* Check whether a task can create a file. */
1798static int may_create(struct inode *dir,
1799 struct dentry *dentry,
1800 u16 tclass)
1801{
0c6cfa62 1802 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1803 struct inode_security_struct *dsec;
1804 struct superblock_security_struct *sbsec;
275bb41e 1805 u32 sid, newsid;
2bf49690 1806 struct common_audit_data ad;
1da177e4
LT		 1807 int rc;
1808
83da53c5 1809 dsec = inode_security(dir);
1da177e4
LT		 1810 sbsec = dir->i_sb->s_security;
1811
275bb41e 1812 sid = tsec->sid;
275bb41e 1813
50c205f5 1814 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1815 ad.u.dentry = dentry;
1da177e4 1816
6b6bc620
SS		 1817 rc = avc_has_perm(&selinux_state,
1818 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1819 DIR__ADD_NAME | DIR__SEARCH,
1820 &ad);
1821 if (rc)
1822 return rc;
1823
0c6cfa62 1824 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
c957f6df 1825 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1826 if (rc)
1827 return rc;
1da177e4 1828
6b6bc620
SS		 1829 rc = avc_has_perm(&selinux_state,
1830 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1831 if (rc)
1832 return rc;
1833
6b6bc620
SS		 1834 return avc_has_perm(&selinux_state,
1835 newsid, sbsec->sid,
1da177e4
LT		 1836 SECCLASS_FILESYSTEM,
1837 FILESYSTEM__ASSOCIATE, &ad);
1838}
1839
828dfe1d
EP		 1840#define MAY_LINK 0
1841#define MAY_UNLINK 1
1842#define MAY_RMDIR 2
1da177e4
LT		 1843
1844/* Check whether a task can link, unlink, or rmdir a file/directory. */
1845static int may_link(struct inode *dir,
1846 struct dentry *dentry,
1847 int kind)
1848
1849{
1da177e4 1850 struct inode_security_struct *dsec, *isec;
2bf49690 1851 struct common_audit_data ad;
275bb41e 1852 u32 sid = current_sid();
1da177e4
LT		 1853 u32 av;
1854 int rc;
1855
83da53c5
AG		 1856 dsec = inode_security(dir);
1857 isec = backing_inode_security(dentry);
1da177e4 1858
50c205f5 1859 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1860 ad.u.dentry = dentry;
1da177e4
LT		 1861
1862 av = DIR__SEARCH;
1863 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1864 rc = avc_has_perm(&selinux_state,
1865 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1866 if (rc)
1867 return rc;
1868
1869 switch (kind) {
1870 case MAY_LINK:
1871 av = FILE__LINK;
1872 break;
1873 case MAY_UNLINK:
1874 av = FILE__UNLINK;
1875 break;
1876 case MAY_RMDIR:
1877 av = DIR__RMDIR;
1878 break;
1879 default:
c103a91e 1880 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1881 __func__, kind);
1da177e4
LT		 1882 return 0;
1883 }
1884
6b6bc620
SS		 1885 rc = avc_has_perm(&selinux_state,
1886 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1887 return rc;
1888}
1889
1890static inline int may_rename(struct inode *old_dir,
1891 struct dentry *old_dentry,
1892 struct inode *new_dir,
1893 struct dentry *new_dentry)
1894{
1da177e4 1895 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1896 struct common_audit_data ad;
275bb41e 1897 u32 sid = current_sid();
1da177e4
LT		 1898 u32 av;
1899 int old_is_dir, new_is_dir;
1900 int rc;
1901
83da53c5
AG		 1902 old_dsec = inode_security(old_dir);
1903 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1904 old_is_dir = d_is_dir(old_dentry);
83da53c5 1905 new_dsec = inode_security(new_dir);
1da177e4 1906
50c205f5 1907 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1908
a269434d 1909 ad.u.dentry = old_dentry;
6b6bc620
SS		 1910 rc = avc_has_perm(&selinux_state,
1911 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1912 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1913 if (rc)
1914 return rc;
6b6bc620
SS		 1915 rc = avc_has_perm(&selinux_state,
1916 sid, old_isec->sid,
1da177e4
LT		 1917 old_isec->sclass, FILE__RENAME, &ad);
1918 if (rc)
1919 return rc;
1920 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1921 rc = avc_has_perm(&selinux_state,
1922 sid, old_isec->sid,
1da177e4
LT		 1923 old_isec->sclass, DIR__REPARENT, &ad);
1924 if (rc)
1925 return rc;
1926 }
1927
a269434d 1928 ad.u.dentry = new_dentry;
1da177e4 1929 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1930 if (d_is_positive(new_dentry))
1da177e4 1931 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1932 rc = avc_has_perm(&selinux_state,
1933 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1934 if (rc)
1935 return rc;
2c616d4d 1936 if (d_is_positive(new_dentry)) {
83da53c5 1937 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1938 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1939 rc = avc_has_perm(&selinux_state,
1940 sid, new_isec->sid,
1da177e4
LT		 1941 new_isec->sclass,
1942 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1943 if (rc)
1944 return rc;
1945 }
1946
1947 return 0;
1948}
1949
1950/* Check whether a task can perform a filesystem operation. */
88e67f3b 1951static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1952 struct super_block *sb,
1953 u32 perms,
2bf49690 1954 struct common_audit_data *ad)
1da177e4 1955{
1da177e4 1956 struct superblock_security_struct *sbsec;
88e67f3b 1957 u32 sid = cred_sid(cred);
1da177e4 1958
1da177e4 1959 sbsec = sb->s_security;
6b6bc620
SS		 1960 return avc_has_perm(&selinux_state,
1961 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1962}
1963
1964/* Convert a Linux mode and permission mask to an access vector. */
1965static inline u32 file_mask_to_av(int mode, int mask)
1966{
1967 u32 av = 0;
1968
dba19c60 1969 if (!S_ISDIR(mode)) {
1da177e4
LT		 1970 if (mask & MAY_EXEC)
1971 av |= FILE__EXECUTE;
1972 if (mask & MAY_READ)
1973 av |= FILE__READ;
1974
1975 if (mask & MAY_APPEND)
1976 av |= FILE__APPEND;
1977 else if (mask & MAY_WRITE)
1978 av |= FILE__WRITE;
1979
1980 } else {
1981 if (mask & MAY_EXEC)
1982 av |= DIR__SEARCH;
1983 if (mask & MAY_WRITE)
1984 av |= DIR__WRITE;
1985 if (mask & MAY_READ)
1986 av |= DIR__READ;
1987 }
1988
1989 return av;
1990}
1991
8b6a5a37
EP		 1992/* Convert a Linux file to an access vector. */
1993static inline u32 file_to_av(struct file *file)
1994{
1995 u32 av = 0;
1996
1997 if (file->f_mode & FMODE_READ)
1998 av |= FILE__READ;
1999 if (file->f_mode & FMODE_WRITE) {
2000 if (file->f_flags & O_APPEND)
2001 av |= FILE__APPEND;
2002 else
2003 av |= FILE__WRITE;
2004 }
2005 if (!av) {
2006 /*
2007 * Special file opened with flags 3 for ioctl-only use.
2008 */
2009 av = FILE__IOCTL;
2010 }
2011
2012 return av;
2013}
2014
b0c636b9 2015/*
8b6a5a37 2016 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2017 * open permission.
2018 */
8b6a5a37 2019static inline u32 open_file_to_av(struct file *file)
b0c636b9 2020{
8b6a5a37 2021 u32 av = file_to_av(file);
ccb54478 2022 struct inode *inode = file_inode(file);
b0c636b9 2023
aa8e712c
SS		 2024 if (selinux_policycap_openperm() &&
2025 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2026 av |= FILE__OPEN;
2027
b0c636b9
EP		 2028 return av;
2029}
2030
1da177e4
LT		 2031/* Hook functions begin here. */
2032
79af7307
SS		 2033static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2034{
2035 u32 mysid = current_sid();
2036 u32 mgrsid = task_sid(mgr);
2037
6b6bc620
SS		 2038 return avc_has_perm(&selinux_state,
2039 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2040 BINDER__SET_CONTEXT_MGR, NULL);
2041}
2042
2043static int selinux_binder_transaction(struct task_struct *from,
2044 struct task_struct *to)
2045{
2046 u32 mysid = current_sid();
2047 u32 fromsid = task_sid(from);
2048 u32 tosid = task_sid(to);
2049 int rc;
2050
2051 if (mysid != fromsid) {
6b6bc620
SS		 2052 rc = avc_has_perm(&selinux_state,
2053 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2054 BINDER__IMPERSONATE, NULL);
2055 if (rc)
2056 return rc;
2057 }
2058
6b6bc620
SS		 2059 return avc_has_perm(&selinux_state,
2060 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2061 NULL);
2062}
2063
2064static int selinux_binder_transfer_binder(struct task_struct *from,
2065 struct task_struct *to)
2066{
2067 u32 fromsid = task_sid(from);
2068 u32 tosid = task_sid(to);
2069
6b6bc620
SS		 2070 return avc_has_perm(&selinux_state,
2071 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2072 NULL);
2073}
2074
2075static int selinux_binder_transfer_file(struct task_struct *from,
2076 struct task_struct *to,
2077 struct file *file)
2078{
2079 u32 sid = task_sid(to);
2080 struct file_security_struct *fsec = file->f_security;
83da53c5 2081 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2082 struct inode_security_struct *isec;
79af7307
SS		 2083 struct common_audit_data ad;
2084 int rc;
2085
2086 ad.type = LSM_AUDIT_DATA_PATH;
2087 ad.u.path = file->f_path;
2088
2089 if (sid != fsec->sid) {
6b6bc620
SS		 2090 rc = avc_has_perm(&selinux_state,
2091 sid, fsec->sid,
79af7307
SS		 2092 SECCLASS_FD,
2093 FD__USE,
2094 &ad);
2095 if (rc)
2096 return rc;
2097 }
2098
f66e448c
CF		 2099#ifdef CONFIG_BPF_SYSCALL
2100 rc = bpf_fd_pass(file, sid);
2101 if (rc)
2102 return rc;
2103#endif
2104
83da53c5 2105 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2106 return 0;
2107
20cdef8d 2108 isec = backing_inode_security(dentry);
6b6bc620
SS		 2109 return avc_has_perm(&selinux_state,
2110 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2111 &ad);
2112}
2113
9e48858f 2114static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2115 unsigned int mode)
1da177e4 2116{
be0554c9
SS		 2117 u32 sid = current_sid();
2118 u32 csid = task_sid(child);
2119
2120 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2121 return avc_has_perm(&selinux_state,
2122 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2123
6b6bc620
SS		 2124 return avc_has_perm(&selinux_state,
2125 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2126}
2127
2128static int selinux_ptrace_traceme(struct task_struct *parent)
2129{
6b6bc620
SS		 2130 return avc_has_perm(&selinux_state,
2131 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2132 PROCESS__PTRACE, NULL);
1da177e4
LT		 2133}
2134
2135static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2136 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2137{
6b6bc620
SS		 2138 return avc_has_perm(&selinux_state,
2139 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2140 PROCESS__GETCAP, NULL);
1da177e4
LT		 2141}
2142
d84f4f99
DH		 2143static int selinux_capset(struct cred *new, const struct cred *old,
2144 const kernel_cap_t *effective,
2145 const kernel_cap_t *inheritable,
2146 const kernel_cap_t *permitted)
1da177e4 2147{
6b6bc620
SS		 2148 return avc_has_perm(&selinux_state,
2149 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2150 PROCESS__SETCAP, NULL);
1da177e4
LT		 2151}
2152
5626d3e8
JM		 2153/*
2154 * (This comment used to live with the selinux_task_setuid hook,
2155 * which was removed).
2156 *
2157 * Since setuid only affects the current process, and since the SELinux
2158 * controls are not based on the Linux identity attributes, SELinux does not
2159 * need to control this operation. However, SELinux does control the use of
2160 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2161 */
2162
6a9de491
EP		 2163static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2164 int cap, int audit)
1da177e4 2165{
8e4ff6f2 2166 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2167}
2168
1da177e4
LT		 2169static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2170{
88e67f3b 2171 const struct cred *cred = current_cred();
1da177e4
LT		 2172 int rc = 0;
2173
2174 if (!sb)
2175 return 0;
2176
2177 switch (cmds) {
828dfe1d
EP		 2178 case Q_SYNC:
2179 case Q_QUOTAON:
2180 case Q_QUOTAOFF:
2181 case Q_SETINFO:
2182 case Q_SETQUOTA:
88e67f3b 2183 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2184 break;
2185 case Q_GETFMT:
2186 case Q_GETINFO:
2187 case Q_GETQUOTA:
88e67f3b 2188 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2189 break;
2190 default:
2191 rc = 0; /* let the kernel handle invalid cmds */
2192 break;
1da177e4
LT		 2193 }
2194 return rc;
2195}
2196
2197static int selinux_quota_on(struct dentry *dentry)
2198{
88e67f3b
DH		 2199 const struct cred *cred = current_cred();
2200
2875fa00 2201 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2202}
2203
12b3052c 2204static int selinux_syslog(int type)
1da177e4 2205{
1da177e4 2206 switch (type) {
d78ca3cd
KC		 2207 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2208 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2209 return avc_has_perm(&selinux_state,
2210 current_sid(), SECINITSID_KERNEL,
be0554c9 2211 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2212 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2213 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2214 /* Set level of messages printed to console */
2215 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2216 return avc_has_perm(&selinux_state,
2217 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2218 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2219 NULL);
1da177e4 2220 }
be0554c9 2221 /* All other syslog types */
6b6bc620
SS		 2222 return avc_has_perm(&selinux_state,
2223 current_sid(), SECINITSID_KERNEL,
be0554c9 2224 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2225}
2226
2227/*
2228 * Check that a process has enough memory to allocate a new virtual
2229 * mapping. 0 means there is enough memory for the allocation to
2230 * succeed and -ENOMEM implies there is not.
2231 *
1da177e4
LT		 2232 * Do not audit the selinux permission check, as this is applied to all
2233 * processes that allocate mappings.
2234 */
34b4e4aa 2235static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2236{
2237 int rc, cap_sys_admin = 0;
1da177e4 2238
b1d9e6b0 2239 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2240 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2241 if (rc == 0)
2242 cap_sys_admin = 1;
2243
b1d9e6b0 2244 return cap_sys_admin;
1da177e4
LT		 2245}
2246
2247/* binprm security operations */
2248
be0554c9 2249static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2250{
2251 u32 sid = 0;
2252 struct task_struct *tracer;
2253
2254 rcu_read_lock();
be0554c9 2255 tracer = ptrace_parent(current);
0c6181cb
PM		 2256 if (tracer)
2257 sid = task_sid(tracer);
2258 rcu_read_unlock();
2259
2260 return sid;
2261}
2262
7b0d0b40
SS		 2263static int check_nnp_nosuid(const struct linux_binprm *bprm,
2264 const struct task_security_struct *old_tsec,
2265 const struct task_security_struct *new_tsec)
2266{
2267 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2268 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2269 int rc;
af63f419 2270 u32 av;
7b0d0b40
SS		 2271
2272 if (!nnp && !nosuid)
2273 return 0; /* neither NNP nor nosuid */
2274
2275 if (new_tsec->sid == old_tsec->sid)
2276 return 0; /* No change in credentials */
2277
2278 /*
af63f419
SS		 2279 * If the policy enables the nnp_nosuid_transition policy capability,
2280 * then we permit transitions under NNP or nosuid if the
2281 * policy allows the corresponding permission between
2282 * the old and new contexts.
7b0d0b40 2283 */
aa8e712c 2284 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2285 av = 0;
7b0d0b40 2286 if (nnp)
af63f419
SS		 2287 av |= PROCESS2__NNP_TRANSITION;
2288 if (nosuid)
2289 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2290 rc = avc_has_perm(&selinux_state,
2291 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2292 SECCLASS_PROCESS2, av, NULL);
2293 if (!rc)
2294 return 0;
7b0d0b40 2295 }
af63f419
SS		 2296
2297 /*
2298 * We also permit NNP or nosuid transitions to bounded SIDs,
2299 * i.e. SIDs that are guaranteed to only be allowed a subset
2300 * of the permissions of the current SID.
2301 */
aa8e712c
SS		 2302 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2303 new_tsec->sid);
af63f419
SS		 2304 if (!rc)
2305 return 0;
2306
2307 /*
2308 * On failure, preserve the errno values for NNP vs nosuid.
2309 * NNP: Operation not permitted for caller.
2310 * nosuid: Permission denied to file.
2311 */
2312 if (nnp)
2313 return -EPERM;
2314 return -EACCES;
7b0d0b40
SS		 2315}
2316
a6f76f23 2317static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2318{
a6f76f23
DH		 2319 const struct task_security_struct *old_tsec;
2320 struct task_security_struct *new_tsec;
1da177e4 2321 struct inode_security_struct *isec;
2bf49690 2322 struct common_audit_data ad;
496ad9aa 2323 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2324 int rc;
2325
a6f76f23
DH		 2326 /* SELinux context only depends on initial program or script and not
2327 * the script interpreter */
ddb4a144 2328 if (bprm->called_set_creds)
1da177e4
LT		 2329 return 0;
2330
0c6cfa62
CS		 2331 old_tsec = selinux_cred(current_cred());
2332 new_tsec = selinux_cred(bprm->cred);
83da53c5 2333 isec = inode_security(inode);
1da177e4
LT		 2334
2335 /* Default to the current task SID. */
a6f76f23
DH		 2336 new_tsec->sid = old_tsec->sid;
2337 new_tsec->osid = old_tsec->sid;
1da177e4 2338
28eba5bf 2339 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2340 new_tsec->create_sid = 0;
2341 new_tsec->keycreate_sid = 0;
2342 new_tsec->sockcreate_sid = 0;
1da177e4 2343
a6f76f23
DH		 2344 if (old_tsec->exec_sid) {
2345 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2346 /* Reset exec SID on execve. */
a6f76f23 2347 new_tsec->exec_sid = 0;
259e5e6c 2348
7b0d0b40
SS		 2349 /* Fail on NNP or nosuid if not an allowed transition. */
2350 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2351 if (rc)
2352 return rc;
1da177e4
LT		 2353 } else {
2354 /* Check for a default transition on this program. */
aa8e712c
SS		 2355 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2356 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2357 &new_tsec->sid);
1da177e4
LT		 2358 if (rc)
2359 return rc;
7b0d0b40
SS		 2360
2361 /*
2362 * Fallback to old SID on NNP or nosuid if not an allowed
2363 * transition.
2364 */
2365 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2366 if (rc)
2367 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2368 }
2369
43af5de7
VG		 2370 ad.type = LSM_AUDIT_DATA_FILE;
2371 ad.u.file = bprm->file;
1da177e4 2372
a6f76f23 2373 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2374 rc = avc_has_perm(&selinux_state,
2375 old_tsec->sid, isec->sid,
1da177e4
LT		 2376 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2377 if (rc)
2378 return rc;
2379 } else {
2380 /* Check permissions for the transition. */
6b6bc620
SS		 2381 rc = avc_has_perm(&selinux_state,
2382 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2383 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2384 if (rc)
2385 return rc;
2386
6b6bc620
SS		 2387 rc = avc_has_perm(&selinux_state,
2388 new_tsec->sid, isec->sid,
1da177e4
LT		 2389 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2390 if (rc)
2391 return rc;
2392
a6f76f23
DH		 2393 /* Check for shared state */
2394 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2395 rc = avc_has_perm(&selinux_state,
2396 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2397 SECCLASS_PROCESS, PROCESS__SHARE,
2398 NULL);
2399 if (rc)
2400 return -EPERM;
2401 }
2402
2403 /* Make sure that anyone attempting to ptrace over a task that
2404 * changes its SID has the appropriate permit */
9227dd2a 2405 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2406 u32 ptsid = ptrace_parent_sid();
a6f76f23 2407 if (ptsid != 0) {
6b6bc620
SS		 2408 rc = avc_has_perm(&selinux_state,
2409 ptsid, new_tsec->sid,
a6f76f23
DH		 2410 SECCLASS_PROCESS,
2411 PROCESS__PTRACE, NULL);
2412 if (rc)
2413 return -EPERM;
2414 }
2415 }
1da177e4 2416
a6f76f23
DH		 2417 /* Clear any possibly unsafe personality bits on exec: */
2418 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2419
1da177e4
LT		 2420 /* Enable secure mode for SIDs transitions unless
2421 the noatsecure permission is granted between
2422 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2423 rc = avc_has_perm(&selinux_state,
2424 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2425 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2426 NULL);
2427 bprm->secureexec |= !!rc;
1da177e4
LT		 2428 }
2429
62874c3a 2430 return 0;
1da177e4
LT		 2431}
2432
c3c073f8
AV		 2433static int match_file(const void *p, struct file *file, unsigned fd)
2434{
2435 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2436}
2437
1da177e4 2438/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2439static inline void flush_unauthorized_files(const struct cred *cred,
2440 struct files_struct *files)
1da177e4 2441{
1da177e4 2442 struct file *file, *devnull = NULL;
b20c8122 2443 struct tty_struct *tty;
24ec839c 2444 int drop_tty = 0;
c3c073f8 2445 unsigned n;
1da177e4 2446
24ec839c 2447 tty = get_current_tty();
1da177e4 2448 if (tty) {
4a510969 2449 spin_lock(&tty->files_lock);
37dd0bd0 2450 if (!list_empty(&tty->tty_files)) {
d996b62a 2451 struct tty_file_private *file_priv;
37dd0bd0 2452
1da177e4 2453 /* Revalidate access to controlling tty.
13f8e981
DH		 2454 Use file_path_has_perm on the tty path directly
2455 rather than using file_has_perm, as this particular
2456 open file may belong to another process and we are
2457 only interested in the inode-based check here. */
d996b62a
NP		 2458 file_priv = list_first_entry(&tty->tty_files,
2459 struct tty_file_private, list);
2460 file = file_priv->file;
13f8e981 2461 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2462 drop_tty = 1;
1da177e4 2463 }
4a510969 2464 spin_unlock(&tty->files_lock);
452a00d2 2465 tty_kref_put(tty);
1da177e4 2466 }
98a27ba4
EB		 2467 /* Reset controlling tty. */
2468 if (drop_tty)
2469 no_tty();
1da177e4
LT		 2470
2471 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2472 n = iterate_fd(files, 0, match_file, cred);
2473 if (!n) /* none found? */
2474 return;
1da177e4 2475
c3c073f8 2476 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2477 if (IS_ERR(devnull))
2478 devnull = NULL;
2479 /* replace all the matching ones with this */
2480 do {
2481 replace_fd(n - 1, devnull, 0);
2482 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2483 if (devnull)
c3c073f8 2484 fput(devnull);
1da177e4
LT		 2485}
2486
a6f76f23
DH		 2487/*
2488 * Prepare a process for imminent new credential changes due to exec
2489 */
2490static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2491{
a6f76f23
DH		 2492 struct task_security_struct *new_tsec;
2493 struct rlimit *rlim, *initrlim;
2494 int rc, i;
d84f4f99 2495
0c6cfa62 2496 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2497 if (new_tsec->sid == new_tsec->osid)
2498 return;
1da177e4 2499
a6f76f23
DH		 2500 /* Close files for which the new task SID is not authorized. */
2501 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2502
a6f76f23
DH		 2503 /* Always clear parent death signal on SID transitions. */
2504 current->pdeath_signal = 0;
0356357c 2505
a6f76f23
DH		 2506 /* Check whether the new SID can inherit resource limits from the old
2507 * SID. If not, reset all soft limits to the lower of the current
2508 * task's hard limit and the init task's soft limit.
2509 *
2510 * Note that the setting of hard limits (even to lower them) can be
2511 * controlled by the setrlimit check. The inclusion of the init task's
2512 * soft limit into the computation is to avoid resetting soft limits
2513 * higher than the default soft limit for cases where the default is
2514 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2515 */
6b6bc620
SS		 2516 rc = avc_has_perm(&selinux_state,
2517 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2518 PROCESS__RLIMITINH, NULL);
2519 if (rc) {
eb2d55a3
ON		 2520 /* protect against do_prlimit() */
2521 task_lock(current);
a6f76f23
DH		 2522 for (i = 0; i < RLIM_NLIMITS; i++) {
2523 rlim = current->signal->rlim + i;
2524 initrlim = init_task.signal->rlim + i;
2525 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2526 }
eb2d55a3 2527 task_unlock(current);
baa73d9e
NP		 2528 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2529 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2530 }
2531}
2532
2533/*
a6f76f23
DH		 2534 * Clean up the process immediately after the installation of new credentials
2535 * due to exec
1da177e4 2536 */
a6f76f23 2537static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2538{
0c6cfa62 2539 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4 2540 struct itimerval itimer;
a6f76f23 2541 u32 osid, sid;
1da177e4
LT		 2542 int rc, i;
2543
a6f76f23
DH		 2544 osid = tsec->osid;
2545 sid = tsec->sid;
2546
2547 if (sid == osid)
1da177e4
LT		 2548 return;
2549
a6f76f23
DH		 2550 /* Check whether the new SID can inherit signal state from the old SID.
2551 * If not, clear itimers to avoid subsequent signal generation and
2552 * flush and unblock signals.
2553 *
2554 * This must occur _after_ the task SID has been updated so that any
2555 * kill done after the flush will be checked against the new SID.
2556 */
6b6bc620
SS		 2557 rc = avc_has_perm(&selinux_state,
2558 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2559 if (rc) {
baa73d9e
NP		 2560 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2561 memset(&itimer, 0, sizeof itimer);
2562 for (i = 0; i < 3; i++)
2563 do_setitimer(i, &itimer, NULL);
2564 }
1da177e4 2565 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2566 if (!fatal_signal_pending(current)) {
2567 flush_sigqueue(&current->pending);
2568 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2569 flush_signal_handlers(current, 1);
2570 sigemptyset(&current->blocked);
9e7c8f8c 2571 recalc_sigpending();
3bcac026 2572 }
1da177e4
LT		 2573 spin_unlock_irq(&current->sighand->siglock);
2574 }
2575
a6f76f23
DH		 2576 /* Wake up the parent if it is waiting so that it can recheck
2577 * wait permission to the new task SID. */
ecd6de3c 2578 read_lock(&tasklist_lock);
0b7570e7 2579 __wake_up_parent(current, current->real_parent);
ecd6de3c 2580 read_unlock(&tasklist_lock);
1da177e4
LT		 2581}
2582
2583/* superblock security operations */
2584
2585static int selinux_sb_alloc_security(struct super_block *sb)
2586{
2587 return superblock_alloc_security(sb);
2588}
2589
2590static void selinux_sb_free_security(struct super_block *sb)
2591{
2592 superblock_free_security(sb);
2593}
2594
99dbbb59 2595static inline int opt_len(const char *s)
1da177e4 2596{
99dbbb59
AV		 2597 bool open_quote = false;
2598 int len;
2599 char c;
1da177e4 2600
99dbbb59
AV		 2601 for (len = 0; (c = s[len]) != '\0'; len++) {
2602 if (c == '"')
2603 open_quote = !open_quote;
2604 if (c == ',' && !open_quote)
2605 break;
3528a953 2606 }
99dbbb59 2607 return len;
3528a953
CO		 2608}
2609
99dbbb59 2610static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2611{
99dbbb59
AV		 2612 char *from = options;
2613 char *to = options;
2614 bool first = true;
1da177e4 2615
99dbbb59
AV		 2616 while (1) {
2617 int len = opt_len(from);
2618 int token, rc;
2619 char *arg = NULL;
1da177e4 2620
99dbbb59 2621 token = match_opt_prefix(from, len, &arg);
1da177e4 2622
99dbbb59
AV		 2623 if (token != Opt_error) {
2624 char *p, *q;
1da177e4 2625
99dbbb59
AV		 2626 /* strip quotes */
2627 if (arg) {
2628 for (p = q = arg; p < from + len; p++) {
2629 char c = *p;
2630 if (c != '"')
2631 *q++ = c;
2632 }
2633 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2634 }
2635 rc = selinux_add_opt(token, arg, mnt_opts);
2636 if (unlikely(rc)) {
2637 kfree(arg);
2638 if (*mnt_opts) {
2639 selinux_free_mnt_opts(*mnt_opts);
2640 *mnt_opts = NULL;
2641 }
2642 return rc;
2643 }
2644 } else {
2645 if (!first) { // copy with preceding comma
2646 from--;
2647 len++;
2648 }
2649 if (to != from)
2650 memmove(to, from, len);
2651 to += len;
2652 first = false;
1da177e4 2653 }
99dbbb59
AV		 2654 if (!from[len])
2655 break;
2656 from += len + 1;
2657 }
2658 *to = '\0';
2659 return 0;
1da177e4
LT		 2660}
2661
204cc0cc 2662static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2663{
bd323655 2664 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2665 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2666 u32 sid;
2667 int rc;
026eb167
EP		 2668
2669 if (!(sbsec->flags & SE_SBINITIALIZED))
2670 return 0;
2671
204cc0cc 2672 if (!opts)
026eb167
EP		 2673 return 0;
2674
bd323655
AV		 2675 if (opts->fscontext) {
2676 rc = parse_sid(sb, opts->fscontext, &sid);
2677 if (rc)
c039bc3c 2678 return rc;
bd323655
AV		 2679 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2680 goto out_bad_option;
026eb167 2681 }
bd323655
AV		 2682 if (opts->context) {
2683 rc = parse_sid(sb, opts->context, &sid);
2684 if (rc)
2685 return rc;
2686 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2687 goto out_bad_option;
2688 }
2689 if (opts->rootcontext) {
2690 struct inode_security_struct *root_isec;
2691 root_isec = backing_inode_security(sb->s_root);
2692 rc = parse_sid(sb, opts->rootcontext, &sid);
2693 if (rc)
2694 return rc;
2695 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2696 goto out_bad_option;
2697 }
2698 if (opts->defcontext) {
2699 rc = parse_sid(sb, opts->defcontext, &sid);
2700 if (rc)
2701 return rc;
2702 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2703 goto out_bad_option;
026eb167 2704 }
c039bc3c 2705 return 0;
026eb167 2706
026eb167 2707out_bad_option:
c103a91e 2708 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2709 "during remount (dev %s, type=%s)\n", sb->s_id,
2710 sb->s_type->name);
c039bc3c 2711 return -EINVAL;
026eb167
EP		 2712}
2713
a10d7c22 2714static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2715{
88e67f3b 2716 const struct cred *cred = current_cred();
2bf49690 2717 struct common_audit_data ad;
74192246 2718
50c205f5 2719 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2720 ad.u.dentry = sb->s_root;
88e67f3b 2721 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2722}
2723
726c3342 2724static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2725{
88e67f3b 2726 const struct cred *cred = current_cred();
2bf49690 2727 struct common_audit_data ad;
1da177e4 2728
50c205f5 2729 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2730 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2731 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2732}
2733
808d4e3c 2734static int selinux_mount(const char *dev_name,
8a04c43b 2735 const struct path *path,
808d4e3c 2736 const char *type,
828dfe1d
EP		 2737 unsigned long flags,
2738 void *data)
1da177e4 2739{
88e67f3b 2740 const struct cred *cred = current_cred();
1da177e4
LT		 2741
2742 if (flags & MS_REMOUNT)
d8c9584e 2743 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2744 FILESYSTEM__REMOUNT, NULL);
1da177e4 2745 else
2875fa00 2746 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2747}
2748
2749static int selinux_umount(struct vfsmount *mnt, int flags)
2750{
88e67f3b 2751 const struct cred *cred = current_cred();
1da177e4 2752
88e67f3b 2753 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2754 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2755}
2756
2757/* inode security operations */
2758
2759static int selinux_inode_alloc_security(struct inode *inode)
2760{
2761 return inode_alloc_security(inode);
2762}
2763
2764static void selinux_inode_free_security(struct inode *inode)
2765{
2766 inode_free_security(inode);
2767}
2768
d47be3df 2769static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2770 const struct qstr *name, void **ctx,
d47be3df
DQ		 2771 u32 *ctxlen)
2772{
d47be3df
DQ		 2773 u32 newsid;
2774 int rc;
2775
0c6cfa62 2776 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2777 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2778 inode_mode_to_security_class(mode),
2779 &newsid);
2780 if (rc)
2781 return rc;
d47be3df 2782
aa8e712c
SS		 2783 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2784 ctxlen);
d47be3df
DQ		 2785}
2786
a518b0a5
VG		 2787static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2788 struct qstr *name,
2789 const struct cred *old,
2790 struct cred *new)
2791{
2792 u32 newsid;
2793 int rc;
2794 struct task_security_struct *tsec;
2795
0c6cfa62 2796 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2797 d_inode(dentry->d_parent), name,
2798 inode_mode_to_security_class(mode),
2799 &newsid);
2800 if (rc)
2801 return rc;
2802
0c6cfa62 2803 tsec = selinux_cred(new);
a518b0a5
VG		 2804 tsec->create_sid = newsid;
2805 return 0;
2806}
2807
5e41ff9e 2808static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2809 const struct qstr *qstr,
2810 const char **name,
2a7dba39 2811 void **value, size_t *len)
5e41ff9e 2812{
0c6cfa62 2813 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2814 struct superblock_security_struct *sbsec;
c0d4f464 2815 u32 newsid, clen;
5e41ff9e 2816 int rc;
9548906b 2817 char *context;
5e41ff9e 2818
5e41ff9e 2819 sbsec = dir->i_sb->s_security;
5e41ff9e 2820
275bb41e
DH		 2821 newsid = tsec->create_sid;
2822
0c6cfa62 2823 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c3c188b2
DH		 2824 dir, qstr,
2825 inode_mode_to_security_class(inode->i_mode),
2826 &newsid);
2827 if (rc)
2828 return rc;
5e41ff9e 2829
296fddf7 2830 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2831 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2832 struct inode_security_struct *isec = inode->i_security;
2833 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2834 isec->sid = newsid;
6f3be9f5 2835 isec->initialized = LABEL_INITIALIZED;
296fddf7 2836 }
5e41ff9e 2837
aa8e712c 2838 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2839 return -EOPNOTSUPP;
2840
9548906b
TH		 2841 if (name)
2842 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2843
570bc1c2 2844 if (value && len) {
aa8e712c
SS		 2845 rc = security_sid_to_context_force(&selinux_state, newsid,
2846 &context, &clen);
9548906b 2847 if (rc)
570bc1c2 2848 return rc;
570bc1c2
SS		 2849 *value = context;
2850 *len = clen;
5e41ff9e 2851 }
5e41ff9e 2852
5e41ff9e
SS		 2853 return 0;
2854}
2855
4acdaf27 2856static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2857{
2858 return may_create(dir, dentry, SECCLASS_FILE);
2859}
2860
1da177e4
LT		 2861static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2862{
1da177e4
LT		 2863 return may_link(dir, old_dentry, MAY_LINK);
2864}
2865
1da177e4
LT		 2866static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2867{
1da177e4
LT		 2868 return may_link(dir, dentry, MAY_UNLINK);
2869}
2870
2871static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2872{
2873 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2874}
2875
18bb1db3 2876static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2877{
2878 return may_create(dir, dentry, SECCLASS_DIR);
2879}
2880
1da177e4
LT		 2881static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2882{
2883 return may_link(dir, dentry, MAY_RMDIR);
2884}
2885
1a67aafb 2886static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2887{
1da177e4
LT		 2888 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2889}
2890
1da177e4 2891static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2892 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2893{
2894 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2895}
2896
1da177e4
LT		 2897static int selinux_inode_readlink(struct dentry *dentry)
2898{
88e67f3b
DH		 2899 const struct cred *cred = current_cred();
2900
2875fa00 2901 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2902}
2903
bda0be7a
N		 2904static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2905 bool rcu)
1da177e4 2906{
88e67f3b 2907 const struct cred *cred = current_cred();
bda0be7a
N		 2908 struct common_audit_data ad;
2909 struct inode_security_struct *isec;
2910 u32 sid;
1da177e4 2911
bda0be7a
N		 2912 validate_creds(cred);
2913
2914 ad.type = LSM_AUDIT_DATA_DENTRY;
2915 ad.u.dentry = dentry;
2916 sid = cred_sid(cred);
5d226df4
AG		 2917 isec = inode_security_rcu(inode, rcu);
2918 if (IS_ERR(isec))
2919 return PTR_ERR(isec);
bda0be7a 2920
6b6bc620
SS		 2921 return avc_has_perm_flags(&selinux_state,
2922 sid, isec->sid, isec->sclass, FILE__READ, &ad,
bda0be7a 2923 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2924}
2925
d4cf970d
EP		 2926static noinline int audit_inode_permission(struct inode *inode,
2927 u32 perms, u32 audited, u32 denied,
626b9740 2928 int result,
d4cf970d 2929 unsigned flags)
1da177e4 2930{
b782e0a6 2931 struct common_audit_data ad;
d4cf970d
EP		 2932 struct inode_security_struct *isec = inode->i_security;
2933 int rc;
2934
50c205f5 2935 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2936 ad.u.inode = inode;
2937
6b6bc620
SS		 2938 rc = slow_avc_audit(&selinux_state,
2939 current_sid(), isec->sid, isec->sclass, perms,
626b9740 2940 audited, denied, result, &ad, flags);
d4cf970d
EP		 2941 if (rc)
2942 return rc;
2943 return 0;
2944}
2945
e74f71eb 2946static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2947{
88e67f3b 2948 const struct cred *cred = current_cred();
b782e0a6
EP		 2949 u32 perms;
2950 bool from_access;
cf1dd1da 2951 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2952 struct inode_security_struct *isec;
2953 u32 sid;
2954 struct av_decision avd;
2955 int rc, rc2;
2956 u32 audited, denied;
1da177e4 2957
b782e0a6 2958 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2959 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2960
b782e0a6
EP		 2961 /* No permission to check. Existence test. */
2962 if (!mask)
1da177e4 2963 return 0;
1da177e4 2964
2e334057 2965 validate_creds(cred);
b782e0a6 2966
2e334057
EP		 2967 if (unlikely(IS_PRIVATE(inode)))
2968 return 0;
b782e0a6
EP		 2969
2970 perms = file_mask_to_av(inode->i_mode, mask);
2971
2e334057 2972 sid = cred_sid(cred);
5d226df4
AG		 2973 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2974 if (IS_ERR(isec))
2975 return PTR_ERR(isec);
2e334057 2976
6b6bc620
SS		 2977 rc = avc_has_perm_noaudit(&selinux_state,
2978 sid, isec->sid, isec->sclass, perms, 0, &avd);
2e334057
EP		 2979 audited = avc_audit_required(perms, &avd, rc,
2980 from_access ? FILE__AUDIT_ACCESS : 0,
2981 &denied);
2982 if (likely(!audited))
2983 return rc;
2984
626b9740 2985 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2986 if (rc2)
2987 return rc2;
2988 return rc;
1da177e4
LT		 2989}
2990
2991static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2992{
88e67f3b 2993 const struct cred *cred = current_cred();
ccb54478 2994 struct inode *inode = d_backing_inode(dentry);
bc6a6008 2995 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2996 __u32 av = FILE__WRITE;
1da177e4 2997
bc6a6008
AW		 2998 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2999 if (ia_valid & ATTR_FORCE) {
3000 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3001 ATTR_FORCE);
3002 if (!ia_valid)
3003 return 0;
3004 }
1da177e4 3005
bc6a6008
AW		 3006 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3007 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3008 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3009
aa8e712c 3010 if (selinux_policycap_openperm() &&
ccb54478
SS		 3011 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3012 (ia_valid & ATTR_SIZE) &&
3013 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3014 av |= FILE__OPEN;
3015
3016 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3017}
3018
3f7036a0 3019static int selinux_inode_getattr(const struct path *path)
1da177e4 3020{
3f7036a0 3021 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3022}
3023
db59000a
SS		 3024static bool has_cap_mac_admin(bool audit)
3025{
3026 const struct cred *cred = current_cred();
3027 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3028
3029 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3030 return false;
3031 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3032 return false;
3033 return true;
3034}
3035
8f0cfa52
DH		 3036static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3037 const void *value, size_t size, int flags)
1da177e4 3038{
c6f493d6 3039 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3040 struct inode_security_struct *isec;
1da177e4 3041 struct superblock_security_struct *sbsec;
2bf49690 3042 struct common_audit_data ad;
275bb41e 3043 u32 newsid, sid = current_sid();
1da177e4
LT		 3044 int rc = 0;
3045
6b240306
EB		 3046 if (strcmp(name, XATTR_NAME_SELINUX)) {
3047 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3048 if (rc)
3049 return rc;
3050
3051 /* Not an attribute we recognize, so just check the
3052 ordinary setattr permission. */
3053 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3054 }
1da177e4
LT		 3055
3056 sbsec = inode->i_sb->s_security;
12f348b9 3057 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3058 return -EOPNOTSUPP;
3059
2e149670 3060 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3061 return -EPERM;
3062
50c205f5 3063 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3064 ad.u.dentry = dentry;
1da177e4 3065
20cdef8d 3066 isec = backing_inode_security(dentry);
6b6bc620
SS		 3067 rc = avc_has_perm(&selinux_state,
3068 sid, isec->sid, isec->sclass,
1da177e4
LT		 3069 FILE__RELABELFROM, &ad);
3070 if (rc)
3071 return rc;
3072
aa8e712c
SS		 3073 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3074 GFP_KERNEL);
12b29f34 3075 if (rc == -EINVAL) {
db59000a 3076 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3077 struct audit_buffer *ab;
3078 size_t audit_size;
d6ea83ec
EP		 3079
3080 /* We strip a nul only if it is at the end, otherwise the
3081 * context contains a nul and we should audit that */
e3fea3f7 3082 if (value) {
add24372
CIK		 3083 const char *str = value;
3084
e3fea3f7
AV		 3085 if (str[size - 1] == '\0')
3086 audit_size = size - 1;
3087 else
3088 audit_size = size;
3089 } else {
e3fea3f7
AV		 3090 audit_size = 0;
3091 }
cdfb6b34
RGB		 3092 ab = audit_log_start(audit_context(),
3093 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3094 audit_log_format(ab, "op=setxattr invalid_context=");
3095 audit_log_n_untrustedstring(ab, value, audit_size);
3096 audit_log_end(ab);
3097
12b29f34 3098 return rc;
d6ea83ec 3099 }
aa8e712c
SS		 3100 rc = security_context_to_sid_force(&selinux_state, value,
3101 size, &newsid);
12b29f34 3102 }
1da177e4
LT		 3103 if (rc)
3104 return rc;
3105
6b6bc620
SS		 3106 rc = avc_has_perm(&selinux_state,
3107 sid, newsid, isec->sclass,
1da177e4
LT		 3108 FILE__RELABELTO, &ad);
3109 if (rc)
3110 return rc;
3111
aa8e712c
SS		 3112 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3113 sid, isec->sclass);
1da177e4
LT		 3114 if (rc)
3115 return rc;
3116
6b6bc620
SS		 3117 return avc_has_perm(&selinux_state,
3118 newsid,
1da177e4
LT		 3119 sbsec->sid,
3120 SECCLASS_FILESYSTEM,
3121 FILESYSTEM__ASSOCIATE,
3122 &ad);
3123}
3124
8f0cfa52 3125static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3126 const void *value, size_t size,
8f0cfa52 3127 int flags)
1da177e4 3128{
c6f493d6 3129 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3130 struct inode_security_struct *isec;
1da177e4
LT		 3131 u32 newsid;
3132 int rc;
3133
3134 if (strcmp(name, XATTR_NAME_SELINUX)) {
3135 /* Not an attribute we recognize, so nothing to do. */
3136 return;
3137 }
3138
aa8e712c
SS		 3139 rc = security_context_to_sid_force(&selinux_state, value, size,
3140 &newsid);
1da177e4 3141 if (rc) {
c103a91e 3142 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3143 "for (%s, %lu), rc=%d\n",
3144 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3145 return;
3146 }
3147
20cdef8d 3148 isec = backing_inode_security(dentry);
9287aed2 3149 spin_lock(&isec->lock);
aa9c2669 3150 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3151 isec->sid = newsid;
6f3be9f5 3152 isec->initialized = LABEL_INITIALIZED;
9287aed2 3153 spin_unlock(&isec->lock);
aa9c2669 3154
1da177e4
LT		 3155 return;
3156}
3157
8f0cfa52 3158static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3159{
88e67f3b
DH		 3160 const struct cred *cred = current_cred();
3161
2875fa00 3162 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3163}
3164
828dfe1d 3165static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3166{
88e67f3b
DH		 3167 const struct cred *cred = current_cred();
3168
2875fa00 3169 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3170}
3171
8f0cfa52 3172static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3173{
6b240306
EB		 3174 if (strcmp(name, XATTR_NAME_SELINUX)) {
3175 int rc = cap_inode_removexattr(dentry, name);
3176 if (rc)
3177 return rc;
3178
3179 /* Not an attribute we recognize, so just check the
3180 ordinary setattr permission. */
3181 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3182 }
1da177e4
LT		 3183
3184 /* No one is allowed to remove a SELinux security label.
3185 You can change the label, but all data must be labeled. */
3186 return -EACCES;
3187}
3188
d381d8a9 3189/*
abc69bb6 3190 * Copy the inode security context value to the user.
d381d8a9
JM		 3191 *
3192 * Permission check is handled by selinux_inode_getxattr hook.
3193 */
ea861dfd 3194static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3195{
42492594
DQ		 3196 u32 size;
3197 int error;
3198 char *context = NULL;
20cdef8d 3199 struct inode_security_struct *isec;
d381d8a9 3200
8c8570fb
DK		 3201 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3202 return -EOPNOTSUPP;
d381d8a9 3203
abc69bb6
SS		 3204 /*
3205 * If the caller has CAP_MAC_ADMIN, then get the raw context
3206 * value even if it is not defined by current policy; otherwise,
3207 * use the in-core value under current policy.
3208 * Use the non-auditing forms of the permission checks since
3209 * getxattr may be called by unprivileged processes commonly
3210 * and lack of permission just means that we fall back to the
3211 * in-core context value, not a denial.
3212 */
20cdef8d 3213 isec = inode_security(inode);
db59000a 3214 if (has_cap_mac_admin(false))
aa8e712c
SS		 3215 error = security_sid_to_context_force(&selinux_state,
3216 isec->sid, &context,
abc69bb6
SS		 3217 &size);
3218 else
aa8e712c
SS		 3219 error = security_sid_to_context(&selinux_state, isec->sid,
3220 &context, &size);
42492594
DQ		 3221 if (error)
3222 return error;
3223 error = size;
3224 if (alloc) {
3225 *buffer = context;
3226 goto out_nofree;
3227 }
3228 kfree(context);
3229out_nofree:
3230 return error;
1da177e4
LT		 3231}
3232
3233static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3234 const void *value, size_t size, int flags)
1da177e4 3235{
2c97165b 3236 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3237 u32 newsid;
3238 int rc;
3239
3240 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3241 return -EOPNOTSUPP;
3242
3243 if (!value || !size)
3244 return -EACCES;
3245
aa8e712c
SS		 3246 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3247 GFP_KERNEL);
1da177e4
LT		 3248 if (rc)
3249 return rc;
3250
9287aed2 3251 spin_lock(&isec->lock);
aa9c2669 3252 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3253 isec->sid = newsid;
6f3be9f5 3254 isec->initialized = LABEL_INITIALIZED;
9287aed2 3255 spin_unlock(&isec->lock);
1da177e4
LT		 3256 return 0;
3257}
3258
3259static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3260{
3261 const int len = sizeof(XATTR_NAME_SELINUX);
3262 if (buffer && len <= buffer_size)
3263 memcpy(buffer, XATTR_NAME_SELINUX, len);
3264 return len;
3265}
3266
d6335d77 3267static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3268{
e817c2f3 3269 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3270 *secid = isec->sid;
3271}
3272
56909eb3
VG		 3273static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3274{
3275 u32 sid;
3276 struct task_security_struct *tsec;
3277 struct cred *new_creds = *new;
3278
3279 if (new_creds == NULL) {
3280 new_creds = prepare_creds();
3281 if (!new_creds)
3282 return -ENOMEM;
3283 }
3284
0c6cfa62 3285 tsec = selinux_cred(new_creds);
56909eb3
VG		 3286 /* Get label from overlay inode and set it in create_sid */
3287 selinux_inode_getsecid(d_inode(src), &sid);
3288 tsec->create_sid = sid;
3289 *new = new_creds;
3290 return 0;
3291}
3292
19472b69
VG		 3293static int selinux_inode_copy_up_xattr(const char *name)
3294{
3295 /* The copy_up hook above sets the initial context on an inode, but we
3296 * don't then want to overwrite it by blindly copying all the lower
3297 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3298 */
3299 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3300 return 1; /* Discard */
3301 /*
3302 * Any other attribute apart from SELINUX is not claimed, supported
3303 * by selinux.
3304 */
3305 return -EOPNOTSUPP;
3306}
3307
1da177e4
LT		 3308/* file security operations */
3309
788e7dd4 3310static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3311{
88e67f3b 3312 const struct cred *cred = current_cred();
496ad9aa 3313 struct inode *inode = file_inode(file);
1da177e4 3314
1da177e4
LT		 3315 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3316 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3317 mask |= MAY_APPEND;
3318
389fb800
PM		 3319 return file_has_perm(cred, file,
3320 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3321}
3322
788e7dd4
YN		 3323static int selinux_file_permission(struct file *file, int mask)
3324{
496ad9aa 3325 struct inode *inode = file_inode(file);
20dda18b 3326 struct file_security_struct *fsec = file->f_security;
b197367e 3327 struct inode_security_struct *isec;
20dda18b
SS		 3328 u32 sid = current_sid();
3329
389fb800 3330 if (!mask)
788e7dd4
YN		 3331 /* No permission to check. Existence test. */
3332 return 0;
788e7dd4 3333
b197367e 3334 isec = inode_security(inode);
20dda18b 3335 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3336 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3337 /* No change since file_open check. */
20dda18b
SS		 3338 return 0;
3339
788e7dd4
YN		 3340 return selinux_revalidate_file_permission(file, mask);
3341}
3342
1da177e4
LT		 3343static int selinux_file_alloc_security(struct file *file)
3344{
3345 return file_alloc_security(file);
3346}
3347
3348static void selinux_file_free_security(struct file *file)
3349{
3350 file_free_security(file);
3351}
3352
fa1aa143
JVS		 3353/*
3354 * Check whether a task has the ioctl permission and cmd
3355 * operation to an inode.
3356 */
1d2a168a 3357static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3358 u32 requested, u16 cmd)
3359{
3360 struct common_audit_data ad;
3361 struct file_security_struct *fsec = file->f_security;
3362 struct inode *inode = file_inode(file);
20cdef8d 3363 struct inode_security_struct *isec;
fa1aa143
JVS		 3364 struct lsm_ioctlop_audit ioctl;
3365 u32 ssid = cred_sid(cred);
3366 int rc;
3367 u8 driver = cmd >> 8;
3368 u8 xperm = cmd & 0xff;
3369
3370 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3371 ad.u.op = &ioctl;
3372 ad.u.op->cmd = cmd;
3373 ad.u.op->path = file->f_path;
3374
3375 if (ssid != fsec->sid) {
6b6bc620
SS		 3376 rc = avc_has_perm(&selinux_state,
3377 ssid, fsec->sid,
fa1aa143
JVS		 3378 SECCLASS_FD,
3379 FD__USE,
3380 &ad);
3381 if (rc)
3382 goto out;
3383 }
3384
3385 if (unlikely(IS_PRIVATE(inode)))
3386 return 0;
3387
20cdef8d 3388 isec = inode_security(inode);
6b6bc620
SS		 3389 rc = avc_has_extended_perms(&selinux_state,
3390 ssid, isec->sid, isec->sclass,
3391 requested, driver, xperm, &ad);
fa1aa143
JVS		 3392out:
3393 return rc;
3394}
3395
1da177e4
LT		 3396static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3397 unsigned long arg)
3398{
88e67f3b 3399 const struct cred *cred = current_cred();
0b24dcb7 3400 int error = 0;
1da177e4 3401
0b24dcb7
EP		 3402 switch (cmd) {
3403 case FIONREAD:
3404 /* fall through */
3405 case FIBMAP:
3406 /* fall through */
3407 case FIGETBSZ:
3408 /* fall through */
2f99c369 3409 case FS_IOC_GETFLAGS:
0b24dcb7 3410 /* fall through */
2f99c369 3411 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3412 error = file_has_perm(cred, file, FILE__GETATTR);
3413 break;
1da177e4 3414
2f99c369 3415 case FS_IOC_SETFLAGS:
0b24dcb7 3416 /* fall through */
2f99c369 3417 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3418 error = file_has_perm(cred, file, FILE__SETATTR);
3419 break;
3420
3421 /* sys_ioctl() checks */
3422 case FIONBIO:
3423 /* fall through */
3424 case FIOASYNC:
3425 error = file_has_perm(cred, file, 0);
3426 break;
1da177e4 3427
0b24dcb7
EP		 3428 case KDSKBENT:
3429 case KDSKBSENT:
6a9de491 3430 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3431 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3432 break;
3433
3434 /* default case assumes that the command will go
3435 * to the file's ioctl() function.
3436 */
3437 default:
fa1aa143 3438 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3439 }
3440 return error;
1da177e4
LT		 3441}
3442
fcaaade1
SS		 3443static int default_noexec;
3444
1da177e4
LT		 3445static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3446{
88e67f3b 3447 const struct cred *cred = current_cred();
be0554c9 3448 u32 sid = cred_sid(cred);
d84f4f99 3449 int rc = 0;
88e67f3b 3450
fcaaade1 3451 if (default_noexec &&
892e8cac
SS		 3452 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3453 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3454 /*
3455 * We are making executable an anonymous mapping or a
3456 * private file mapping that will also be writable.
3457 * This has an additional check.
3458 */
6b6bc620
SS		 3459 rc = avc_has_perm(&selinux_state,
3460 sid, sid, SECCLASS_PROCESS,
be0554c9 3461 PROCESS__EXECMEM, NULL);
1da177e4 3462 if (rc)
d84f4f99 3463 goto error;
1da177e4 3464 }
1da177e4
LT		 3465
3466 if (file) {
3467 /* read access is always possible with a mapping */
3468 u32 av = FILE__READ;
3469
3470 /* write access only matters if the mapping is shared */
3471 if (shared && (prot & PROT_WRITE))
3472 av |= FILE__WRITE;
3473
3474 if (prot & PROT_EXEC)
3475 av |= FILE__EXECUTE;
3476
88e67f3b 3477 return file_has_perm(cred, file, av);
1da177e4 3478 }
d84f4f99
DH		 3479
3480error:
3481 return rc;
1da177e4
LT		 3482}
3483
e5467859 3484static int selinux_mmap_addr(unsigned long addr)
1da177e4 3485{
b1d9e6b0 3486 int rc = 0;
1da177e4 3487
a2551df7 3488 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3489 u32 sid = current_sid();
6b6bc620
SS		 3490 rc = avc_has_perm(&selinux_state,
3491 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3492 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3493 }
3494
98883bfd 3495 return rc;
e5467859 3496}
1da177e4 3497
e5467859
AV		 3498static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3499 unsigned long prot, unsigned long flags)
3500{
3ba4bf5f
SS		 3501 struct common_audit_data ad;
3502 int rc;
3503
3504 if (file) {
3505 ad.type = LSM_AUDIT_DATA_FILE;
3506 ad.u.file = file;
3507 rc = inode_has_perm(current_cred(), file_inode(file),
3508 FILE__MAP, &ad);
3509 if (rc)
3510 return rc;
3511 }
3512
aa8e712c 3513 if (selinux_state.checkreqprot)
1da177e4
LT		 3514 prot = reqprot;
3515
3516 return file_map_prot_check(file, prot,
3517 (flags & MAP_TYPE) == MAP_SHARED);
3518}
3519
3520static int selinux_file_mprotect(struct vm_area_struct *vma,
3521 unsigned long reqprot,
3522 unsigned long prot)
3523{
88e67f3b 3524 const struct cred *cred = current_cred();
be0554c9 3525 u32 sid = cred_sid(cred);
1da177e4 3526
aa8e712c 3527 if (selinux_state.checkreqprot)
1da177e4
LT		 3528 prot = reqprot;
3529
fcaaade1
SS		 3530 if (default_noexec &&
3531 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3532 int rc = 0;
db4c9641
SS		 3533 if (vma->vm_start >= vma->vm_mm->start_brk &&
3534 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3535 rc = avc_has_perm(&selinux_state,
3536 sid, sid, SECCLASS_PROCESS,
be0554c9 3537 PROCESS__EXECHEAP, NULL);
db4c9641 3538 } else if (!vma->vm_file &&
c2316dbf
SS		 3539 ((vma->vm_start <= vma->vm_mm->start_stack &&
3540 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3541 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3542 rc = avc_has_perm(&selinux_state,
3543 sid, sid, SECCLASS_PROCESS,
be0554c9 3544 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3545 } else if (vma->vm_file && vma->anon_vma) {
3546 /*
3547 * We are making executable a file mapping that has
3548 * had some COW done. Since pages might have been
3549 * written, check ability to execute the possibly
3550 * modified content. This typically should only
3551 * occur for text relocations.
3552 */
d84f4f99 3553 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3554 }