projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
new helper: security_sb_eat_lsm_opts()
[linux-2.6-block.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
877ce7c1 82#include <linux/selinux.h>
23970741 83#include <linux/mutex.h>
f06febc9 84#include <linux/posix-timers.h>
00234592 85#include <linux/syslog.h>
3486740a 86#include <linux/user_namespace.h>
44fc7ea0 87#include <linux/export.h>
40401530
AV		 88#include <linux/msg.h>
89#include <linux/shm.h>
ec27c356 90#include <linux/bpf.h>
e262e32d 91#include <uapi/linux/mount.h>
1da177e4
LT		 92
93#include "avc.h"
94#include "objsec.h"
95#include "netif.h"
224dfbd8 96#include "netnode.h"
3e112172 97#include "netport.h"
409dcf31 98#include "ibpkey.h"
d28d1e08 99#include "xfrm.h"
c60475bf 100#include "netlabel.h"
9d57a7f9 101#include "audit.h"
7b98a585 102#include "avc_ss.h"
1da177e4 103
aa8e712c
SS		 104struct selinux_state selinux_state;
105
d621d35e 106/* SECMARK reference count */
56a4ca99 107static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 108
1da177e4 109#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 110static int selinux_enforcing_boot;
1da177e4
LT		 111
112static int __init enforcing_setup(char *str)
113{
f5269710 114 unsigned long enforcing;
29707b20 115 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 116 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 117 return 1;
118}
119__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 120#else
121#define selinux_enforcing_boot 1
1da177e4
LT		 122#endif
123
124#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
125int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126
127static int __init selinux_enabled_setup(char *str)
128{
f5269710 129 unsigned long enabled;
29707b20 130 if (!kstrtoul(str, 0, &enabled))
f5269710 131 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 132 return 1;
133}
134__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 135#else
136int selinux_enabled = 1;
1da177e4
LT		 137#endif
138
aa8e712c
SS		 139static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot))
147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148 return 1;
149}
150__setup("checkreqprot=", checkreqprot_setup);
151
e18b890b 152static struct kmem_cache *sel_inode_cache;
63205654 153static struct kmem_cache *file_security_cache;
7cae7e26 154
d621d35e
PM		 155/**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 164 *
165 */
166static int selinux_secmark_enabled(void)
167{
aa8e712c
SS		 168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 170}
171
172/**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
182static int selinux_peerlbl_enabled(void)
183{
aa8e712c
SS		 184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 186}
187
615e51fd
PM		 188static int selinux_netcache_avc_callback(u32 event)
189{
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197}
198
8f408ab6
DJ		 199static int selinux_lsm_notifier_avc_callback(u32 event)
200{
409dcf31
DJ		 201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
8f408ab6 203 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 204 }
8f408ab6
DJ		 205
206 return 0;
207}
208
d84f4f99
DH		 209/*
210 * initialise the security for the init task
211 */
212static void cred_init_security(void)
1da177e4 213{
3b11a1de 214 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 215 struct task_security_struct *tsec;
216
89d155ef 217 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 218 if (!tsec)
d84f4f99 219 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 220
d84f4f99 221 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 222 cred->security = tsec;
1da177e4
LT		 223}
224
88e67f3b
DH		 225/*
226 * get the security ID of a set of credentials
227 */
228static inline u32 cred_sid(const struct cred *cred)
229{
230 const struct task_security_struct *tsec;
231
232 tsec = cred->security;
233 return tsec->sid;
234}
235
275bb41e 236/*
3b11a1de 237 * get the objective security ID of a task
275bb41e
DH		 238 */
239static inline u32 task_sid(const struct task_struct *task)
240{
275bb41e
DH		 241 u32 sid;
242
243 rcu_read_lock();
88e67f3b 244 sid = cred_sid(__task_cred(task));
275bb41e
DH		 245 rcu_read_unlock();
246 return sid;
247}
248
88e67f3b
DH		 249/* Allocate and free functions for each kind of security blob. */
250
1da177e4
LT		 251static int inode_alloc_security(struct inode *inode)
252{
1da177e4 253 struct inode_security_struct *isec;
275bb41e 254 u32 sid = current_sid();
1da177e4 255
a02fe132 256 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 257 if (!isec)
258 return -ENOMEM;
259
9287aed2 260 spin_lock_init(&isec->lock);
1da177e4 261 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 262 isec->inode = inode;
263 isec->sid = SECINITSID_UNLABELED;
264 isec->sclass = SECCLASS_FILE;
275bb41e 265 isec->task_sid = sid;
42059112 266 isec->initialized = LABEL_INVALID;
1da177e4
LT		 267 inode->i_security = isec;
268
269 return 0;
270}
271
5d226df4
AG		 272static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
273
274/*
275 * Try reloading inode security labels that have been marked as invalid. The
276 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 277 * allowed; when set to false, returns -ECHILD when the label is
e9193288 278 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 279 */
280static int __inode_security_revalidate(struct inode *inode,
e9193288 281 struct dentry *dentry,
5d226df4
AG		 282 bool may_sleep)
283{
284 struct inode_security_struct *isec = inode->i_security;
285
286 might_sleep_if(may_sleep);
287
aa8e712c
SS		 288 if (selinux_state.initialized &&
289 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 290 if (!may_sleep)
291 return -ECHILD;
292
293 /*
294 * Try reloading the inode security label. This will fail if
295 * @opt_dentry is NULL and no dentry for this inode can be
296 * found; in that case, continue using the old label.
297 */
e9193288 298 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 299 }
300 return 0;
301}
302
5d226df4
AG		 303static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304{
305 return inode->i_security;
306}
307
308static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
309{
310 int error;
311
312 error = __inode_security_revalidate(inode, NULL, !rcu);
313 if (error)
314 return ERR_PTR(error);
315 return inode->i_security;
316}
317
83da53c5
AG		 318/*
319 * Get the security label of an inode.
320 */
321static struct inode_security_struct *inode_security(struct inode *inode)
322{
5d226df4 323 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 324 return inode->i_security;
325}
326
2c97165b
PM		 327static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328{
329 struct inode *inode = d_backing_inode(dentry);
330
331 return inode->i_security;
332}
333
83da53c5
AG		 334/*
335 * Get the security label of a dentry's backing inode.
336 */
337static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338{
339 struct inode *inode = d_backing_inode(dentry);
340
5d226df4 341 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 342 return inode->i_security;
343}
344
3dc91d43
SR		 345static void inode_free_rcu(struct rcu_head *head)
346{
347 struct inode_security_struct *isec;
348
349 isec = container_of(head, struct inode_security_struct, rcu);
350 kmem_cache_free(sel_inode_cache, isec);
351}
352
1da177e4
LT		 353static void inode_free_security(struct inode *inode)
354{
355 struct inode_security_struct *isec = inode->i_security;
356 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
357
9629d04a
WL		 358 /*
359 * As not all inode security structures are in a list, we check for
360 * empty list outside of the lock to make sure that we won't waste
361 * time taking a lock doing nothing.
362 *
363 * The list_del_init() function can be safely called more than once.
364 * It should not be possible for this function to be called with
365 * concurrent list_add(), but for better safety against future changes
366 * in the code, we use list_empty_careful() here.
367 */
368 if (!list_empty_careful(&isec->list)) {
369 spin_lock(&sbsec->isec_lock);
1da177e4 370 list_del_init(&isec->list);
9629d04a
WL		 371 spin_unlock(&sbsec->isec_lock);
372 }
1da177e4 373
3dc91d43
SR		 374 /*
375 * The inode may still be referenced in a path walk and
376 * a call to selinux_inode_permission() can be made
377 * after inode_free_security() is called. Ideally, the VFS
378 * wouldn't do this, but fixing that is a much harder
379 * job. For now, simply free the i_security via RCU, and
380 * leave the current inode->i_security pointer intact.
381 * The inode will be freed after the RCU grace period too.
382 */
383 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 384}
385
386static int file_alloc_security(struct file *file)
387{
1da177e4 388 struct file_security_struct *fsec;
275bb41e 389 u32 sid = current_sid();
1da177e4 390
63205654 391 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 392 if (!fsec)
393 return -ENOMEM;
394
275bb41e
DH		 395 fsec->sid = sid;
396 fsec->fown_sid = sid;
1da177e4
LT		 397 file->f_security = fsec;
398
399 return 0;
400}
401
402static void file_free_security(struct file *file)
403{
404 struct file_security_struct *fsec = file->f_security;
1da177e4 405 file->f_security = NULL;
63205654 406 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 407}
408
409static int superblock_alloc_security(struct super_block *sb)
410{
411 struct superblock_security_struct *sbsec;
412
89d155ef 413 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 414 if (!sbsec)
415 return -ENOMEM;
416
bc7e982b 417 mutex_init(&sbsec->lock);
1da177e4
LT		 418 INIT_LIST_HEAD(&sbsec->isec_head);
419 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 420 sbsec->sb = sb;
421 sbsec->sid = SECINITSID_UNLABELED;
422 sbsec->def_sid = SECINITSID_FILE;
c312feb2 423 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 424 sb->s_security = sbsec;
425
426 return 0;
427}
428
429static void superblock_free_security(struct super_block *sb)
430{
431 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 432 sb->s_security = NULL;
433 kfree(sbsec);
434}
435
1da177e4
LT		 436static inline int inode_doinit(struct inode *inode)
437{
438 return inode_doinit_with_dentry(inode, NULL);
439}
440
441enum {
31e87930 442 Opt_error = -1,
1da177e4
LT		 443 Opt_context = 1,
444 Opt_fscontext = 2,
c9180a57
EP		 445 Opt_defcontext = 3,
446 Opt_rootcontext = 4,
11689d47 447 Opt_labelsupport = 5,
d355987f 448 Opt_nextmntopt = 6,
1da177e4
LT		 449};
450
d355987f
EP		 451#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
452
a447c093 453static const match_table_t tokens = {
832cbd9a
EP		 454 {Opt_context, CONTEXT_STR "%s"},
455 {Opt_fscontext, FSCONTEXT_STR "%s"},
456 {Opt_defcontext, DEFCONTEXT_STR "%s"},
457 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 458 {Opt_labelsupport, LABELSUPP_STR},
31e87930 459 {Opt_error, NULL},
1da177e4
LT		 460};
461
462#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
463
c312feb2
EP		 464static int may_context_mount_sb_relabel(u32 sid,
465 struct superblock_security_struct *sbsec,
275bb41e 466 const struct cred *cred)
c312feb2 467{
275bb41e 468 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 469 int rc;
470
6b6bc620
SS		 471 rc = avc_has_perm(&selinux_state,
472 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
6b6bc620
SS		 477 rc = avc_has_perm(&selinux_state,
478 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 479 FILESYSTEM__RELABELTO, NULL);
480 return rc;
481}
482
0808925e
EP		 483static int may_context_mount_inode_relabel(u32 sid,
484 struct superblock_security_struct *sbsec,
275bb41e 485 const struct cred *cred)
0808925e 486{
275bb41e 487 const struct task_security_struct *tsec = cred->security;
0808925e 488 int rc;
6b6bc620
SS		 489 rc = avc_has_perm(&selinux_state,
490 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 491 FILESYSTEM__RELABELFROM, NULL);
492 if (rc)
493 return rc;
494
6b6bc620
SS		 495 rc = avc_has_perm(&selinux_state,
496 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 497 FILESYSTEM__ASSOCIATE, NULL);
498 return rc;
499}
500
b43e725d
EP		 501static int selinux_is_sblabel_mnt(struct super_block *sb)
502{
503 struct superblock_security_struct *sbsec = sb->s_security;
504
d5f3a5f6
MS		 505 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
506 sbsec->behavior == SECURITY_FS_USE_TRANS ||
507 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 508 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 509 /* Special handling. Genfs but also in-core setxattr handler */
510 !strcmp(sb->s_type->name, "sysfs") ||
511 !strcmp(sb->s_type->name, "pstore") ||
512 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 513 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 514 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 515 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 516 (!strcmp(sb->s_type->name, "cgroup") ||
517 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 518}
519
c9180a57 520static int sb_finish_set_opts(struct super_block *sb)
1da177e4 521{
1da177e4 522 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 523 struct dentry *root = sb->s_root;
c6f493d6 524 struct inode *root_inode = d_backing_inode(root);
c9180a57 525 int rc = 0;
1da177e4 526
c9180a57
EP		 527 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
528 /* Make sure that the xattr handler exists and that no
529 error other than -ENODATA is returned by getxattr on
530 the root directory. -ENODATA is ok, as this may be
531 the first boot of the SELinux kernel before we have
532 assigned xattr values to the filesystem. */
5d6c3191 533 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 534 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 535 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 536 rc = -EOPNOTSUPP;
537 goto out;
538 }
5d6c3191
AG		 539
540 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 541 if (rc < 0 && rc != -ENODATA) {
542 if (rc == -EOPNOTSUPP)
c103a91e 543 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 544 "%s) has no security xattr handler\n",
545 sb->s_id, sb->s_type->name);
c9180a57 546 else
c103a91e 547 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 548 "%s) getxattr errno %d\n", sb->s_id,
549 sb->s_type->name, -rc);
c9180a57
EP		 550 goto out;
551 }
552 }
1da177e4 553
eadcabc6 554 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 555
556 /*
557 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
558 * leave the flag untouched because sb_clone_mnt_opts might be handing
559 * us a superblock that needs the flag to be cleared.
560 */
b43e725d 561 if (selinux_is_sblabel_mnt(sb))
12f348b9 562 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 563 else
564 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 565
c9180a57
EP		 566 /* Initialize the root inode. */
567 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 568
c9180a57
EP		 569 /* Initialize any other inodes associated with the superblock, e.g.
570 inodes created prior to initial policy load or inodes created
571 during get_sb by a pseudo filesystem that directly
572 populates itself. */
573 spin_lock(&sbsec->isec_lock);
574next_inode:
575 if (!list_empty(&sbsec->isec_head)) {
576 struct inode_security_struct *isec =
577 list_entry(sbsec->isec_head.next,
578 struct inode_security_struct, list);
579 struct inode *inode = isec->inode;
923190d3 580 list_del_init(&isec->list);
c9180a57
EP		 581 spin_unlock(&sbsec->isec_lock);
582 inode = igrab(inode);
583 if (inode) {
584 if (!IS_PRIVATE(inode))
585 inode_doinit(inode);
586 iput(inode);
587 }
588 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 589 goto next_inode;
590 }
591 spin_unlock(&sbsec->isec_lock);
592out:
593 return rc;
594}
1da177e4 595
c9180a57
EP		 596/*
597 * This function should allow an FS to ask what it's mount security
598 * options were so it can use those later for submounts, displaying
599 * mount options, or whatever.
600 */
601static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 602 struct security_mnt_opts *opts)
c9180a57
EP		 603{
604 int rc = 0, i;
605 struct superblock_security_struct *sbsec = sb->s_security;
606 char *context = NULL;
607 u32 len;
608 char tmp;
1da177e4 609
e0007529 610 security_init_mnt_opts(opts);
1da177e4 611
0d90a7ec 612 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 613 return -EINVAL;
1da177e4 614
aa8e712c 615 if (!selinux_state.initialized)
c9180a57 616 return -EINVAL;
1da177e4 617
af8e50cc
EP		 618 /* make sure we always check enough bits to cover the mask */
619 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
620
0d90a7ec 621 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 622 /* count the number of mount options for this sb */
af8e50cc 623 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 624 if (tmp & 0x01)
e0007529 625 opts->num_mnt_opts++;
c9180a57
EP		 626 tmp >>= 1;
627 }
11689d47 628 /* Check if the Label support flag is set */
0b4bdb35 629 if (sbsec->flags & SBLABEL_MNT)
11689d47 630 opts->num_mnt_opts++;
1da177e4 631
e0007529
EP		 632 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
633 if (!opts->mnt_opts) {
c9180a57
EP		 634 rc = -ENOMEM;
635 goto out_free;
636 }
1da177e4 637
e0007529
EP		 638 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
639 if (!opts->mnt_opts_flags) {
c9180a57
EP		 640 rc = -ENOMEM;
641 goto out_free;
642 }
1da177e4 643
c9180a57
EP		 644 i = 0;
645 if (sbsec->flags & FSCONTEXT_MNT) {
aa8e712c
SS		 646 rc = security_sid_to_context(&selinux_state, sbsec->sid,
647 &context, &len);
c9180a57
EP		 648 if (rc)
649 goto out_free;
e0007529
EP		 650 opts->mnt_opts[i] = context;
651 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 652 }
653 if (sbsec->flags & CONTEXT_MNT) {
aa8e712c
SS		 654 rc = security_sid_to_context(&selinux_state,
655 sbsec->mntpoint_sid,
656 &context, &len);
c9180a57
EP		 657 if (rc)
658 goto out_free;
e0007529
EP		 659 opts->mnt_opts[i] = context;
660 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 661 }
662 if (sbsec->flags & DEFCONTEXT_MNT) {
aa8e712c
SS		 663 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664 &context, &len);
c9180a57
EP		 665 if (rc)
666 goto out_free;
e0007529
EP		 667 opts->mnt_opts[i] = context;
668 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 669 }
670 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 671 struct dentry *root = sbsec->sb->s_root;
672 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 673
aa8e712c
SS		 674 rc = security_sid_to_context(&selinux_state, isec->sid,
675 &context, &len);
c9180a57
EP		 676 if (rc)
677 goto out_free;
e0007529
EP		 678 opts->mnt_opts[i] = context;
679 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 680 }
12f348b9 681 if (sbsec->flags & SBLABEL_MNT) {
11689d47 682 opts->mnt_opts[i] = NULL;
12f348b9 683 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 684 }
1da177e4 685
e0007529 686 BUG_ON(i != opts->num_mnt_opts);
1da177e4 687
c9180a57
EP		 688 return 0;
689
690out_free:
e0007529 691 security_free_mnt_opts(opts);
c9180a57
EP		 692 return rc;
693}
1da177e4 694
c9180a57
EP		 695static int bad_option(struct superblock_security_struct *sbsec, char flag,
696 u32 old_sid, u32 new_sid)
697{
0d90a7ec
DQ		 698 char mnt_flags = sbsec->flags & SE_MNTMASK;
699
c9180a57 700 /* check if the old mount command had the same options */
0d90a7ec 701 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 702 if (!(sbsec->flags & flag) ||
703 (old_sid != new_sid))
704 return 1;
705
706 /* check if we were passed the same options twice,
707 * aka someone passed context=a,context=b
708 */
0d90a7ec
DQ		 709 if (!(sbsec->flags & SE_SBINITIALIZED))
710 if (mnt_flags & flag)
c9180a57
EP		 711 return 1;
712 return 0;
713}
e0007529 714
c9180a57
EP		 715/*
716 * Allow filesystems with binary mount data to explicitly set mount point
717 * labeling information.
718 */
e0007529 719static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 720 struct security_mnt_opts *opts,
721 unsigned long kern_flags,
722 unsigned long *set_kern_flags)
c9180a57 723{
275bb41e 724 const struct cred *cred = current_cred();
c9180a57 725 int rc = 0, i;
c9180a57 726 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 727 const char *name = sb->s_type->name;
83da53c5 728 struct dentry *root = sbsec->sb->s_root;
2c97165b 729 struct inode_security_struct *root_isec;
c9180a57
EP		 730 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
731 u32 defcontext_sid = 0;
e0007529
EP		 732 char **mount_options = opts->mnt_opts;
733 int *flags = opts->mnt_opts_flags;
734 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 735
736 mutex_lock(&sbsec->lock);
737
aa8e712c 738 if (!selinux_state.initialized) {
c9180a57
EP		 739 if (!num_opts) {
740 /* Defer initialization until selinux_complete_init,
741 after the initial policy is loaded and the security
742 server is ready to handle calls. */
c9180a57
EP		 743 goto out;
744 }
745 rc = -EINVAL;
c103a91e 746 pr_warn("SELinux: Unable to set superblock options "
744ba35e 747 "before the security server is initialized\n");
1da177e4 748 goto out;
c9180a57 749 }
649f6e77
DQ		 750 if (kern_flags && !set_kern_flags) {
751 /* Specifying internal flags without providing a place to
752 * place the results is not allowed */
753 rc = -EINVAL;
754 goto out;
755 }
1da177e4 756
e0007529
EP		 757 /*
758 * Binary mount data FS will come through this function twice. Once
759 * from an explicit call and once from the generic calls from the vfs.
760 * Since the generic VFS calls will not contain any security mount data
761 * we need to skip the double mount verification.
762 *
763 * This does open a hole in which we will not notice if the first
764 * mount using this sb set explict options and a second mount using
765 * this sb does not set any security options. (The first options
766 * will be used for both mounts)
767 */
0d90a7ec 768 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 769 && (num_opts == 0))
f5269710 770 goto out;
e0007529 771
2c97165b
PM		 772 root_isec = backing_inode_security_novalidate(root);
773
c9180a57
EP		 774 /*
775 * parse the mount options, check if they are valid sids.
776 * also check if someone is trying to mount the same sb more
777 * than once with different security options.
778 */
779 for (i = 0; i < num_opts; i++) {
780 u32 sid;
11689d47 781
12f348b9 782 if (flags[i] == SBLABEL_MNT)
11689d47 783 continue;
aa8e712c
SS		 784 rc = security_context_str_to_sid(&selinux_state,
785 mount_options[i], &sid,
786 GFP_KERNEL);
1da177e4 787 if (rc) {
c103a91e 788 pr_warn("SELinux: security_context_str_to_sid"
29b1deb2
LT		 789 "(%s) failed for (dev %s, type %s) errno=%d\n",
790 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 791 goto out;
792 }
793 switch (flags[i]) {
794 case FSCONTEXT_MNT:
795 fscontext_sid = sid;
796
797 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
798 fscontext_sid))
799 goto out_double_mount;
800
801 sbsec->flags |= FSCONTEXT_MNT;
802 break;
803 case CONTEXT_MNT:
804 context_sid = sid;
805
806 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
807 context_sid))
808 goto out_double_mount;
809
810 sbsec->flags |= CONTEXT_MNT;
811 break;
812 case ROOTCONTEXT_MNT:
813 rootcontext_sid = sid;
814
815 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
816 rootcontext_sid))
817 goto out_double_mount;
818
819 sbsec->flags |= ROOTCONTEXT_MNT;
820
821 break;
822 case DEFCONTEXT_MNT:
823 defcontext_sid = sid;
824
825 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
826 defcontext_sid))
827 goto out_double_mount;
828
829 sbsec->flags |= DEFCONTEXT_MNT;
830
831 break;
832 default:
833 rc = -EINVAL;
834 goto out;
1da177e4 835 }
c9180a57
EP		 836 }
837
0d90a7ec 838 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 839 /* previously mounted with options, but not on this attempt? */
0d90a7ec 840 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 841 goto out_double_mount;
842 rc = 0;
843 goto out;
844 }
845
089be43e 846 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 847 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
848
8e014720 849 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 850 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 851 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 852 !strcmp(sb->s_type->name, "pstore") ||
853 !strcmp(sb->s_type->name, "cgroup") ||
854 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 855 sbsec->flags |= SE_SBGENFS;
c9180a57 856
eb9ae686
DQ		 857 if (!sbsec->behavior) {
858 /*
859 * Determine the labeling behavior to use for this
860 * filesystem type.
861 */
aa8e712c 862 rc = security_fs_use(&selinux_state, sb);
eb9ae686 863 if (rc) {
c103a91e 864 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 865 __func__, sb->s_type->name, rc);
866 goto out;
867 }
c9180a57 868 }
aad82892
SF		 869
870 /*
01593d32
SS		 871 * If this is a user namespace mount and the filesystem type is not
872 * explicitly whitelisted, then no contexts are allowed on the command
873 * line and security labels must be ignored.
aad82892 874 */
01593d32
SS		 875 if (sb->s_user_ns != &init_user_ns &&
876 strcmp(sb->s_type->name, "tmpfs") &&
877 strcmp(sb->s_type->name, "ramfs") &&
878 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 879 if (context_sid || fscontext_sid || rootcontext_sid ||
880 defcontext_sid) {
881 rc = -EACCES;
882 goto out;
883 }
884 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
885 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 886 rc = security_transition_sid(&selinux_state,
887 current_sid(),
888 current_sid(),
aad82892
SF		 889 SECCLASS_FILE, NULL,
890 &sbsec->mntpoint_sid);
891 if (rc)
892 goto out;
893 }
894 goto out_set_opts;
895 }
896
c9180a57
EP		 897 /* sets the context of the superblock for the fs being mounted. */
898 if (fscontext_sid) {
275bb41e 899 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 900 if (rc)
c9180a57 901 goto out;
1da177e4 902
c9180a57 903 sbsec->sid = fscontext_sid;
c312feb2
EP		 904 }
905
906 /*
907 * Switch to using mount point labeling behavior.
908 * sets the label used on all file below the mountpoint, and will set
909 * the superblock context if not already set.
910 */
eb9ae686
DQ		 911 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
912 sbsec->behavior = SECURITY_FS_USE_NATIVE;
913 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
914 }
915
c9180a57
EP		 916 if (context_sid) {
917 if (!fscontext_sid) {
275bb41e
DH		 918 rc = may_context_mount_sb_relabel(context_sid, sbsec,
919 cred);
b04ea3ce 920 if (rc)
c9180a57
EP		 921 goto out;
922 sbsec->sid = context_sid;
b04ea3ce 923 } else {
275bb41e
DH		 924 rc = may_context_mount_inode_relabel(context_sid, sbsec,
925 cred);
b04ea3ce 926 if (rc)
c9180a57 927 goto out;
b04ea3ce 928 }
c9180a57
EP		 929 if (!rootcontext_sid)
930 rootcontext_sid = context_sid;
1da177e4 931
c9180a57 932 sbsec->mntpoint_sid = context_sid;
c312feb2 933 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 934 }
935
c9180a57 936 if (rootcontext_sid) {
275bb41e
DH		 937 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
938 cred);
0808925e 939 if (rc)
c9180a57 940 goto out;
0808925e 941
c9180a57 942 root_isec->sid = rootcontext_sid;
6f3be9f5 943 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 944 }
945
c9180a57 946 if (defcontext_sid) {
eb9ae686
DQ		 947 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
948 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 949 rc = -EINVAL;
c103a91e 950 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 951 "invalid for this filesystem type\n");
952 goto out;
1da177e4
LT		 953 }
954
c9180a57
EP		 955 if (defcontext_sid != sbsec->def_sid) {
956 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 957 sbsec, cred);
c9180a57
EP		 958 if (rc)
959 goto out;
960 }
1da177e4 961
c9180a57 962 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 963 }
964
aad82892 965out_set_opts:
c9180a57 966 rc = sb_finish_set_opts(sb);
1da177e4 967out:
c9180a57 968 mutex_unlock(&sbsec->lock);
1da177e4 969 return rc;
c9180a57
EP		 970out_double_mount:
971 rc = -EINVAL;
c103a91e 972 pr_warn("SELinux: mount invalid. Same superblock, different "
29b1deb2 973 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 974 goto out;
1da177e4
LT		 975}
976
094f7b69
JL		 977static int selinux_cmp_sb_context(const struct super_block *oldsb,
978 const struct super_block *newsb)
979{
980 struct superblock_security_struct *old = oldsb->s_security;
981 struct superblock_security_struct *new = newsb->s_security;
982 char oldflags = old->flags & SE_MNTMASK;
983 char newflags = new->flags & SE_MNTMASK;
984
985 if (oldflags != newflags)
986 goto mismatch;
987 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
988 goto mismatch;
989 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
990 goto mismatch;
991 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
992 goto mismatch;
993 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 994 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
995 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 996 if (oldroot->sid != newroot->sid)
997 goto mismatch;
998 }
999 return 0;
1000mismatch:
c103a91e 1001 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 1002 "different security settings for (dev %s, "
1003 "type %s)\n", newsb->s_id, newsb->s_type->name);
1004 return -EBUSY;
1005}
1006
1007static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 1008 struct super_block *newsb,
1009 unsigned long kern_flags,
1010 unsigned long *set_kern_flags)
1da177e4 1011{
0b4d3452 1012 int rc = 0;
c9180a57
EP		 1013 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1014 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 1015
c9180a57
EP		 1016 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1017 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1018 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 1019
0f5e6420
EP		 1020 /*
1021 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 1022 * mount options. thus we can safely deal with this superblock later
0f5e6420 1023 */
aa8e712c 1024 if (!selinux_state.initialized)
094f7b69 1025 return 0;
c9180a57 1026
0b4d3452
SM		 1027 /*
1028 * Specifying internal flags without providing a place to
1029 * place the results is not allowed.
1030 */
1031 if (kern_flags && !set_kern_flags)
1032 return -EINVAL;
1033
c9180a57 1034 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 1035 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 1036
094f7b69 1037 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 1038 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 1039 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 1040
c9180a57
EP		 1041 mutex_lock(&newsbsec->lock);
1042
1043 newsbsec->flags = oldsbsec->flags;
1044
1045 newsbsec->sid = oldsbsec->sid;
1046 newsbsec->def_sid = oldsbsec->def_sid;
1047 newsbsec->behavior = oldsbsec->behavior;
1048
0b4d3452
SM		 1049 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1050 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 1051 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 1052 if (rc)
1053 goto out;
1054 }
1055
1056 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1057 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1058 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1059 }
1060
c9180a57
EP		 1061 if (set_context) {
1062 u32 sid = oldsbsec->mntpoint_sid;
1063
1064 if (!set_fscontext)
1065 newsbsec->sid = sid;
1066 if (!set_rootcontext) {
83da53c5 1067 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1068 newisec->sid = sid;
1069 }
1070 newsbsec->mntpoint_sid = sid;
1da177e4 1071 }
c9180a57 1072 if (set_rootcontext) {
83da53c5
AG		 1073 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1074 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1075
c9180a57 1076 newisec->sid = oldisec->sid;
1da177e4
LT		 1077 }
1078
c9180a57 1079 sb_finish_set_opts(newsb);
0b4d3452 1080out:
c9180a57 1081 mutex_unlock(&newsbsec->lock);
0b4d3452 1082 return rc;
c9180a57
EP		 1083}
1084
2e1479d9
AB		 1085static int selinux_parse_opts_str(char *options,
1086 struct security_mnt_opts *opts)
c9180a57 1087{
e0007529 1088 char *p;
c9180a57
EP		 1089 char *context = NULL, *defcontext = NULL;
1090 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1091 int rc, num_mnt_opts = 0;
1da177e4 1092
e0007529 1093 opts->num_mnt_opts = 0;
1da177e4 1094
c9180a57
EP		 1095 /* Standard string-based options. */
1096 while ((p = strsep(&options, "|")) != NULL) {
1097 int token;
1098 substring_t args[MAX_OPT_ARGS];
1da177e4 1099
c9180a57
EP		 1100 if (!*p)
1101 continue;
1da177e4 1102
c9180a57 1103 token = match_token(p, tokens, args);
1da177e4 1104
c9180a57
EP		 1105 switch (token) {
1106 case Opt_context:
1107 if (context || defcontext) {
1108 rc = -EINVAL;
c103a91e 1109 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1110 goto out_err;
1111 }
1112 context = match_strdup(&args[0]);
1113 if (!context) {
1114 rc = -ENOMEM;
1115 goto out_err;
1116 }
1117 break;
1118
1119 case Opt_fscontext:
1120 if (fscontext) {
1121 rc = -EINVAL;
c103a91e 1122 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1123 goto out_err;
1124 }
1125 fscontext = match_strdup(&args[0]);
1126 if (!fscontext) {
1127 rc = -ENOMEM;
1128 goto out_err;
1129 }
1130 break;
1131
1132 case Opt_rootcontext:
1133 if (rootcontext) {
1134 rc = -EINVAL;
c103a91e 1135 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1136 goto out_err;
1137 }
1138 rootcontext = match_strdup(&args[0]);
1139 if (!rootcontext) {
1140 rc = -ENOMEM;
1141 goto out_err;
1142 }
1143 break;
1144
1145 case Opt_defcontext:
1146 if (context || defcontext) {
1147 rc = -EINVAL;
c103a91e 1148 pr_warn(SEL_MOUNT_FAIL_MSG);
c9180a57
EP		 1149 goto out_err;
1150 }
1151 defcontext = match_strdup(&args[0]);
1152 if (!defcontext) {
1153 rc = -ENOMEM;
1154 goto out_err;
1155 }
1156 break;
11689d47
DQ		 1157 case Opt_labelsupport:
1158 break;
c9180a57
EP		 1159 default:
1160 rc = -EINVAL;
c103a91e 1161 pr_warn("SELinux: unknown mount option\n");
c9180a57 1162 goto out_err;
1da177e4 1163
1da177e4 1164 }
1da177e4 1165 }
c9180a57 1166
e0007529 1167 rc = -ENOMEM;
8931c3bd 1168 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1169 if (!opts->mnt_opts)
1170 goto out_err;
1171
8931c3bd
TH		 1172 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1173 GFP_KERNEL);
023f108d 1174 if (!opts->mnt_opts_flags)
e0007529 1175 goto out_err;
e0007529 1176
c9180a57 1177 if (fscontext) {
e0007529
EP		 1178 opts->mnt_opts[num_mnt_opts] = fscontext;
1179 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1180 }
1181 if (context) {
e0007529
EP		 1182 opts->mnt_opts[num_mnt_opts] = context;
1183 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1184 }
1185 if (rootcontext) {
e0007529
EP		 1186 opts->mnt_opts[num_mnt_opts] = rootcontext;
1187 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1188 }
1189 if (defcontext) {
e0007529
EP		 1190 opts->mnt_opts[num_mnt_opts] = defcontext;
1191 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1192 }
1193
e0007529
EP		 1194 opts->num_mnt_opts = num_mnt_opts;
1195 return 0;
1196
c9180a57 1197out_err:
023f108d 1198 security_free_mnt_opts(opts);
c9180a57
EP		 1199 kfree(context);
1200 kfree(defcontext);
1201 kfree(fscontext);
1202 kfree(rootcontext);
1da177e4
LT		 1203 return rc;
1204}
1205
3583a711
AB		 1206static void selinux_write_opts(struct seq_file *m,
1207 struct security_mnt_opts *opts)
2069f457
EP		 1208{
1209 int i;
1210 char *prefix;
1211
1212 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1213 char *has_comma;
1214
1215 if (opts->mnt_opts[i])
1216 has_comma = strchr(opts->mnt_opts[i], ',');
1217 else
1218 has_comma = NULL;
2069f457
EP		 1219
1220 switch (opts->mnt_opts_flags[i]) {
1221 case CONTEXT_MNT:
1222 prefix = CONTEXT_STR;
1223 break;
1224 case FSCONTEXT_MNT:
1225 prefix = FSCONTEXT_STR;
1226 break;
1227 case ROOTCONTEXT_MNT:
1228 prefix = ROOTCONTEXT_STR;
1229 break;
1230 case DEFCONTEXT_MNT:
1231 prefix = DEFCONTEXT_STR;
1232 break;
12f348b9 1233 case SBLABEL_MNT:
11689d47
DQ		 1234 seq_putc(m, ',');
1235 seq_puts(m, LABELSUPP_STR);
1236 continue;
2069f457
EP		 1237 default:
1238 BUG();
a35c6c83 1239 return;
2069f457
EP		 1240 };
1241 /* we need a comma before each option */
1242 seq_putc(m, ',');
1243 seq_puts(m, prefix);
1244 if (has_comma)
1245 seq_putc(m, '\"');
a068acf2 1246 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1247 if (has_comma)
1248 seq_putc(m, '\"');
1249 }
1250}
1251
1252static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1253{
1254 struct security_mnt_opts opts;
1255 int rc;
1256
1257 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1258 if (rc) {
1259 /* before policy load we may get EINVAL, don't show anything */
1260 if (rc == -EINVAL)
1261 rc = 0;
2069f457 1262 return rc;
383795c2 1263 }
2069f457
EP		 1264
1265 selinux_write_opts(m, &opts);
1266
1267 security_free_mnt_opts(&opts);
1268
1269 return rc;
1270}
1271
1da177e4
LT		 1272static inline u16 inode_mode_to_security_class(umode_t mode)
1273{
1274 switch (mode & S_IFMT) {
1275 case S_IFSOCK:
1276 return SECCLASS_SOCK_FILE;
1277 case S_IFLNK:
1278 return SECCLASS_LNK_FILE;
1279 case S_IFREG:
1280 return SECCLASS_FILE;
1281 case S_IFBLK:
1282 return SECCLASS_BLK_FILE;
1283 case S_IFDIR:
1284 return SECCLASS_DIR;
1285 case S_IFCHR:
1286 return SECCLASS_CHR_FILE;
1287 case S_IFIFO:
1288 return SECCLASS_FIFO_FILE;
1289
1290 }
1291
1292 return SECCLASS_FILE;
1293}
1294
13402580
JM		 1295static inline int default_protocol_stream(int protocol)
1296{
1297 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1298}
1299
1300static inline int default_protocol_dgram(int protocol)
1301{
1302 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1303}
1304
1da177e4
LT		 1305static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1306{
aa8e712c 1307 int extsockclass = selinux_policycap_extsockclass();
da69a530 1308
1da177e4
LT		 1309 switch (family) {
1310 case PF_UNIX:
1311 switch (type) {
1312 case SOCK_STREAM:
1313 case SOCK_SEQPACKET:
1314 return SECCLASS_UNIX_STREAM_SOCKET;
1315 case SOCK_DGRAM:
2a764b52 1316 case SOCK_RAW:
1da177e4
LT		 1317 return SECCLASS_UNIX_DGRAM_SOCKET;
1318 }
1319 break;
1320 case PF_INET:
1321 case PF_INET6:
1322 switch (type) {
1323 case SOCK_STREAM:
da69a530 1324 case SOCK_SEQPACKET:
13402580
JM		 1325 if (default_protocol_stream(protocol))
1326 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1327 else if (extsockclass && protocol == IPPROTO_SCTP)
1328 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1329 else
1330 return SECCLASS_RAWIP_SOCKET;
1da177e4 1331 case SOCK_DGRAM:
13402580
JM		 1332 if (default_protocol_dgram(protocol))
1333 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1334 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1335 protocol == IPPROTO_ICMPV6))
da69a530 1336 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1337 else
1338 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1339 case SOCK_DCCP:
1340 return SECCLASS_DCCP_SOCKET;
13402580 1341 default:
1da177e4
LT		 1342 return SECCLASS_RAWIP_SOCKET;
1343 }
1344 break;
1345 case PF_NETLINK:
1346 switch (protocol) {
1347 case NETLINK_ROUTE:
1348 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1349 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1350 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1351 case NETLINK_NFLOG:
1352 return SECCLASS_NETLINK_NFLOG_SOCKET;
1353 case NETLINK_XFRM:
1354 return SECCLASS_NETLINK_XFRM_SOCKET;
1355 case NETLINK_SELINUX:
1356 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1357 case NETLINK_ISCSI:
1358 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1359 case NETLINK_AUDIT:
1360 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1361 case NETLINK_FIB_LOOKUP:
1362 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1363 case NETLINK_CONNECTOR:
1364 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1365 case NETLINK_NETFILTER:
1366 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1367 case NETLINK_DNRTMSG:
1368 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1369 case NETLINK_KOBJECT_UEVENT:
1370 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1371 case NETLINK_GENERIC:
1372 return SECCLASS_NETLINK_GENERIC_SOCKET;
1373 case NETLINK_SCSITRANSPORT:
1374 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1375 case NETLINK_RDMA:
1376 return SECCLASS_NETLINK_RDMA_SOCKET;
1377 case NETLINK_CRYPTO:
1378 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1379 default:
1380 return SECCLASS_NETLINK_SOCKET;
1381 }
1382 case PF_PACKET:
1383 return SECCLASS_PACKET_SOCKET;
1384 case PF_KEY:
1385 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1386 case PF_APPLETALK:
1387 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1388 }
1389
da69a530
SS		 1390 if (extsockclass) {
1391 switch (family) {
1392 case PF_AX25:
1393 return SECCLASS_AX25_SOCKET;
1394 case PF_IPX:
1395 return SECCLASS_IPX_SOCKET;
1396 case PF_NETROM:
1397 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1398 case PF_ATMPVC:
1399 return SECCLASS_ATMPVC_SOCKET;
1400 case PF_X25:
1401 return SECCLASS_X25_SOCKET;
1402 case PF_ROSE:
1403 return SECCLASS_ROSE_SOCKET;
1404 case PF_DECnet:
1405 return SECCLASS_DECNET_SOCKET;
1406 case PF_ATMSVC:
1407 return SECCLASS_ATMSVC_SOCKET;
1408 case PF_RDS:
1409 return SECCLASS_RDS_SOCKET;
1410 case PF_IRDA:
1411 return SECCLASS_IRDA_SOCKET;
1412 case PF_PPPOX:
1413 return SECCLASS_PPPOX_SOCKET;
1414 case PF_LLC:
1415 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1416 case PF_CAN:
1417 return SECCLASS_CAN_SOCKET;
1418 case PF_TIPC:
1419 return SECCLASS_TIPC_SOCKET;
1420 case PF_BLUETOOTH:
1421 return SECCLASS_BLUETOOTH_SOCKET;
1422 case PF_IUCV:
1423 return SECCLASS_IUCV_SOCKET;
1424 case PF_RXRPC:
1425 return SECCLASS_RXRPC_SOCKET;
1426 case PF_ISDN:
1427 return SECCLASS_ISDN_SOCKET;
1428 case PF_PHONET:
1429 return SECCLASS_PHONET_SOCKET;
1430 case PF_IEEE802154:
1431 return SECCLASS_IEEE802154_SOCKET;
1432 case PF_CAIF:
1433 return SECCLASS_CAIF_SOCKET;
1434 case PF_ALG:
1435 return SECCLASS_ALG_SOCKET;
1436 case PF_NFC:
1437 return SECCLASS_NFC_SOCKET;
1438 case PF_VSOCK:
1439 return SECCLASS_VSOCK_SOCKET;
1440 case PF_KCM:
1441 return SECCLASS_KCM_SOCKET;
1442 case PF_QIPCRTR:
1443 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1444 case PF_SMC:
1445 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1446 case PF_XDP:
1447 return SECCLASS_XDP_SOCKET;
1448#if PF_MAX > 45
da69a530
SS		 1449#error New address family defined, please update this function.
1450#endif
1451 }
1452 }
1453
1da177e4
LT		 1454 return SECCLASS_SOCKET;
1455}
1456
134509d5
SS		 1457static int selinux_genfs_get_sid(struct dentry *dentry,
1458 u16 tclass,
1459 u16 flags,
1460 u32 *sid)
1da177e4 1461{
8e6c9693 1462 int rc;
fc64005c 1463 struct super_block *sb = dentry->d_sb;
8e6c9693 1464 char *buffer, *path;
1da177e4 1465
828dfe1d 1466 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1467 if (!buffer)
1468 return -ENOMEM;
1469
8e6c9693
LAG		 1470 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1471 if (IS_ERR(path))
1472 rc = PTR_ERR(path);
1473 else {
134509d5
SS		 1474 if (flags & SE_SBPROC) {
1475 /* each process gets a /proc/PID/ entry. Strip off the
1476 * PID part to get a valid selinux labeling.
1477 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1478 while (path[1] >= '0' && path[1] <= '9') {
1479 path[1] = '/';
1480 path++;
1481 }
8e6c9693 1482 }
aa8e712c
SS		 1483 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1484 path, tclass, sid);
7bb185ed
SS		 1485 if (rc == -ENOENT) {
1486 /* No match in policy, mark as unlabeled. */
1487 *sid = SECINITSID_UNLABELED;
1488 rc = 0;
1489 }
1da177e4 1490 }
1da177e4
LT		 1491 free_page((unsigned long)buffer);
1492 return rc;
1493}
1da177e4
LT		 1494
1495/* The inode's security attributes must be initialized before first use. */
1496static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1497{
1498 struct superblock_security_struct *sbsec = NULL;
1499 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1500 u32 task_sid, sid = 0;
1501 u16 sclass;
1da177e4
LT		 1502 struct dentry *dentry;
1503#define INITCONTEXTLEN 255
1504 char *context = NULL;
1505 unsigned len = 0;
1506 int rc = 0;
1da177e4 1507
6f3be9f5 1508 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1509 return 0;
1da177e4 1510
9287aed2 1511 spin_lock(&isec->lock);
6f3be9f5 1512 if (isec->initialized == LABEL_INITIALIZED)
23970741 1513 goto out_unlock;
1da177e4 1514
13457d07
AG		 1515 if (isec->sclass == SECCLASS_FILE)
1516 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1517
1da177e4 1518 sbsec = inode->i_sb->s_security;
0d90a7ec 1519 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1520 /* Defer initialization until selinux_complete_init,
1521 after the initial policy is loaded and the security
1522 server is ready to handle calls. */
1523 spin_lock(&sbsec->isec_lock);
1524 if (list_empty(&isec->list))
1525 list_add(&isec->list, &sbsec->isec_head);
1526 spin_unlock(&sbsec->isec_lock);
23970741 1527 goto out_unlock;
1da177e4
LT		 1528 }
1529
9287aed2
AG		 1530 sclass = isec->sclass;
1531 task_sid = isec->task_sid;
1532 sid = isec->sid;
1533 isec->initialized = LABEL_PENDING;
1534 spin_unlock(&isec->lock);
1535
1da177e4 1536 switch (sbsec->behavior) {
eb9ae686
DQ		 1537 case SECURITY_FS_USE_NATIVE:
1538 break;
1da177e4 1539 case SECURITY_FS_USE_XATTR:
5d6c3191 1540 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1541 sid = sbsec->def_sid;
1da177e4
LT		 1542 break;
1543 }
1da177e4
LT		 1544 /* Need a dentry, since the xattr API requires one.
1545 Life would be simpler if we could just pass the inode. */
1546 if (opt_dentry) {
1547 /* Called from d_instantiate or d_splice_alias. */
1548 dentry = dget(opt_dentry);
1549 } else {
b127125d
AV		 1550 /*
1551 * Called from selinux_complete_init, try to find a dentry.
1552 * Some filesystems really want a connected one, so try
1553 * that first. We could split SECURITY_FS_USE_XATTR in
1554 * two, depending upon that...
1555 */
1da177e4 1556 dentry = d_find_alias(inode);
b127125d
AV		 1557 if (!dentry)
1558 dentry = d_find_any_alias(inode);
1da177e4
LT		 1559 }
1560 if (!dentry) {
df7f54c0
EP		 1561 /*
1562 * this is can be hit on boot when a file is accessed
1563 * before the policy is loaded. When we load policy we
1564 * may find inodes that have no dentry on the
1565 * sbsec->isec_head list. No reason to complain as these
1566 * will get fixed up the next time we go through
1567 * inode_doinit with a dentry, before these inodes could
1568 * be used again by userspace.
1569 */
9287aed2 1570 goto out;
1da177e4
LT		 1571 }
1572
1573 len = INITCONTEXTLEN;
4cb912f1 1574 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1575 if (!context) {
1576 rc = -ENOMEM;
1577 dput(dentry);
9287aed2 1578 goto out;
1da177e4 1579 }
4cb912f1 1580 context[len] = '\0';
5d6c3191 1581 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1582 if (rc == -ERANGE) {
314dabb8
JM		 1583 kfree(context);
1584
1da177e4 1585 /* Need a larger buffer. Query for the right size. */
5d6c3191 1586 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1587 if (rc < 0) {
1588 dput(dentry);
9287aed2 1589 goto out;
1da177e4 1590 }
1da177e4 1591 len = rc;
4cb912f1 1592 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1593 if (!context) {
1594 rc = -ENOMEM;
1595 dput(dentry);
9287aed2 1596 goto out;
1da177e4 1597 }
4cb912f1 1598 context[len] = '\0';
5d6c3191 1599 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1600 }
1601 dput(dentry);
1602 if (rc < 0) {
1603 if (rc != -ENODATA) {
c103a91e 1604 pr_warn("SELinux: %s: getxattr returned "
dd6f953a 1605 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1606 -rc, inode->i_sb->s_id, inode->i_ino);
1607 kfree(context);
9287aed2 1608 goto out;
1da177e4
LT		 1609 }
1610 /* Map ENODATA to the default file SID */
1611 sid = sbsec->def_sid;
1612 rc = 0;
1613 } else {
aa8e712c
SS		 1614 rc = security_context_to_sid_default(&selinux_state,
1615 context, rc, &sid,
869ab514
SS		 1616 sbsec->def_sid,
1617 GFP_NOFS);
1da177e4 1618 if (rc) {
4ba0a8ad
EP		 1619 char *dev = inode->i_sb->s_id;
1620 unsigned long ino = inode->i_ino;
1621
1622 if (rc == -EINVAL) {
1623 if (printk_ratelimit())
c103a91e 1624 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
4ba0a8ad
EP		 1625 "context=%s. This indicates you may need to relabel the inode or the "
1626 "filesystem in question.\n", ino, dev, context);
1627 } else {
c103a91e 1628 pr_warn("SELinux: %s: context_to_sid(%s) "
4ba0a8ad
EP		 1629 "returned %d for dev=%s ino=%ld\n",
1630 __func__, context, -rc, dev, ino);
1631 }
1da177e4
LT		 1632 kfree(context);
1633 /* Leave with the unlabeled SID */
1634 rc = 0;
1635 break;
1636 }
1637 }
1638 kfree(context);
1da177e4
LT		 1639 break;
1640 case SECURITY_FS_USE_TASK:
9287aed2 1641 sid = task_sid;
1da177e4
LT		 1642 break;
1643 case SECURITY_FS_USE_TRANS:
1644 /* Default to the fs SID. */
9287aed2 1645 sid = sbsec->sid;
1da177e4
LT		 1646
1647 /* Try to obtain a transition SID. */
aa8e712c
SS		 1648 rc = security_transition_sid(&selinux_state, task_sid, sid,
1649 sclass, NULL, &sid);
1da177e4 1650 if (rc)
9287aed2 1651 goto out;
1da177e4 1652 break;
c312feb2 1653 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1654 sid = sbsec->mntpoint_sid;
c312feb2 1655 break;
1da177e4 1656 default:
c312feb2 1657 /* Default to the fs superblock SID. */
9287aed2 1658 sid = sbsec->sid;
1da177e4 1659
134509d5 1660 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1661 /* We must have a dentry to determine the label on
1662 * procfs inodes */
b127125d 1663 if (opt_dentry) {
f64410ec
PM		 1664 /* Called from d_instantiate or
1665 * d_splice_alias. */
1666 dentry = dget(opt_dentry);
b127125d 1667 } else {
f64410ec 1668 /* Called from selinux_complete_init, try to
b127125d
AV		 1669 * find a dentry. Some filesystems really want
1670 * a connected one, so try that first.
1671 */
f64410ec 1672 dentry = d_find_alias(inode);
b127125d
AV		 1673 if (!dentry)
1674 dentry = d_find_any_alias(inode);
1675 }
f64410ec
PM		 1676 /*
1677 * This can be hit on boot when a file is accessed
1678 * before the policy is loaded. When we load policy we
1679 * may find inodes that have no dentry on the
1680 * sbsec->isec_head list. No reason to complain as
1681 * these will get fixed up the next time we go through
1682 * inode_doinit() with a dentry, before these inodes
1683 * could be used again by userspace.
1684 */
1685 if (!dentry)
9287aed2
AG		 1686 goto out;
1687 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1688 sbsec->flags, &sid);
f64410ec
PM		 1689 dput(dentry);
1690 if (rc)
9287aed2 1691 goto out;
1da177e4
LT		 1692 }
1693 break;
1694 }
1695
9287aed2
AG		 1696out:
1697 spin_lock(&isec->lock);
1698 if (isec->initialized == LABEL_PENDING) {
1699 if (!sid || rc) {
1700 isec->initialized = LABEL_INVALID;
1701 goto out_unlock;
1702 }
1703
1704 isec->initialized = LABEL_INITIALIZED;
1705 isec->sid = sid;
1706 }
1da177e4 1707
23970741 1708out_unlock:
9287aed2 1709 spin_unlock(&isec->lock);
1da177e4
LT		 1710 return rc;
1711}
1712
1713/* Convert a Linux signal to an access vector. */
1714static inline u32 signal_to_av(int sig)
1715{
1716 u32 perm = 0;
1717
1718 switch (sig) {
1719 case SIGCHLD:
1720 /* Commonly granted from child to parent. */
1721 perm = PROCESS__SIGCHLD;
1722 break;
1723 case SIGKILL:
1724 /* Cannot be caught or ignored */
1725 perm = PROCESS__SIGKILL;
1726 break;
1727 case SIGSTOP:
1728 /* Cannot be caught or ignored */
1729 perm = PROCESS__SIGSTOP;
1730 break;
1731 default:
1732 /* All other signals. */
1733 perm = PROCESS__SIGNAL;
1734 break;
1735 }
1736
1737 return perm;
1738}
1739
b68e418c
SS		 1740#if CAP_LAST_CAP > 63
1741#error Fix SELinux to handle capabilities > 63.
1742#endif
1743
1da177e4 1744/* Check whether a task is allowed to use a capability. */
6a9de491 1745static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1746 int cap, int audit, bool initns)
1da177e4 1747{
2bf49690 1748 struct common_audit_data ad;
06112163 1749 struct av_decision avd;
b68e418c 1750 u16 sclass;
3699c53c 1751 u32 sid = cred_sid(cred);
b68e418c 1752 u32 av = CAP_TO_MASK(cap);
06112163 1753 int rc;
1da177e4 1754
50c205f5 1755 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1756 ad.u.cap = cap;
1757
b68e418c
SS		 1758 switch (CAP_TO_INDEX(cap)) {
1759 case 0:
8e4ff6f2 1760 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1761 break;
1762 case 1:
8e4ff6f2 1763 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1764 break;
1765 default:
c103a91e 1766 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1767 BUG();
a35c6c83 1768 return -EINVAL;
b68e418c 1769 }
06112163 1770
6b6bc620
SS		 1771 rc = avc_has_perm_noaudit(&selinux_state,
1772 sid, sid, sclass, av, 0, &avd);
9ade0cf4 1773 if (audit == SECURITY_CAP_AUDIT) {
6b6bc620
SS		 1774 int rc2 = avc_audit(&selinux_state,
1775 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1776 if (rc2)
1777 return rc2;
1778 }
06112163 1779 return rc;
1da177e4
LT		 1780}
1781
1da177e4
LT		 1782/* Check whether a task has a particular permission to an inode.
1783 The 'adp' parameter is optional and allows other audit
1784 data to be passed (e.g. the dentry). */
88e67f3b 1785static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1786 struct inode *inode,
1787 u32 perms,
19e49834 1788 struct common_audit_data *adp)
1da177e4 1789{
1da177e4 1790 struct inode_security_struct *isec;
275bb41e 1791 u32 sid;
1da177e4 1792
e0e81739
DH		 1793 validate_creds(cred);
1794
828dfe1d 1795 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1796 return 0;
1797
88e67f3b 1798 sid = cred_sid(cred);
1da177e4
LT		 1799 isec = inode->i_security;
1800
6b6bc620
SS		 1801 return avc_has_perm(&selinux_state,
1802 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1803}
1804
1805/* Same as inode_has_perm, but pass explicit audit data containing
1806 the dentry to help the auditing code to more easily generate the
1807 pathname if needed. */
88e67f3b 1808static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1809 struct dentry *dentry,
1810 u32 av)
1811{
c6f493d6 1812 struct inode *inode = d_backing_inode(dentry);
2bf49690 1813 struct common_audit_data ad;
88e67f3b 1814
50c205f5 1815 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1816 ad.u.dentry = dentry;
5d226df4 1817 __inode_security_revalidate(inode, dentry, true);
19e49834 1818 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1819}
1820
1821/* Same as inode_has_perm, but pass explicit audit data containing
1822 the path to help the auditing code to more easily generate the
1823 pathname if needed. */
1824static inline int path_has_perm(const struct cred *cred,
3f7036a0 1825 const struct path *path,
2875fa00
EP		 1826 u32 av)
1827{
c6f493d6 1828 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1829 struct common_audit_data ad;
1830
50c205f5 1831 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1832 ad.u.path = *path;
5d226df4 1833 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1834 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1835}
1836
13f8e981
DH		 1837/* Same as path_has_perm, but uses the inode from the file struct. */
1838static inline int file_path_has_perm(const struct cred *cred,
1839 struct file *file,
1840 u32 av)
1841{
1842 struct common_audit_data ad;
1843
43af5de7
VG		 1844 ad.type = LSM_AUDIT_DATA_FILE;
1845 ad.u.file = file;
19e49834 1846 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1847}
1848
f66e448c
CF		 1849#ifdef CONFIG_BPF_SYSCALL
1850static int bpf_fd_pass(struct file *file, u32 sid);
1851#endif
1852
1da177e4
LT		 1853/* Check whether a task can use an open file descriptor to
1854 access an inode in a given way. Check access to the
1855 descriptor itself, and then use dentry_has_perm to
1856 check a particular permission to the file.
1857 Access to the descriptor is implicitly granted if it
1858 has the same SID as the process. If av is zero, then
1859 access to the file is not checked, e.g. for cases
1860 where only the descriptor is affected like seek. */
88e67f3b
DH		 1861static int file_has_perm(const struct cred *cred,
1862 struct file *file,
1863 u32 av)
1da177e4 1864{
1da177e4 1865 struct file_security_struct *fsec = file->f_security;
496ad9aa 1866 struct inode *inode = file_inode(file);
2bf49690 1867 struct common_audit_data ad;
88e67f3b 1868 u32 sid = cred_sid(cred);
1da177e4
LT		 1869 int rc;
1870
43af5de7
VG		 1871 ad.type = LSM_AUDIT_DATA_FILE;
1872 ad.u.file = file;
1da177e4 1873
275bb41e 1874 if (sid != fsec->sid) {
6b6bc620
SS		 1875 rc = avc_has_perm(&selinux_state,
1876 sid, fsec->sid,
1da177e4
LT		 1877 SECCLASS_FD,
1878 FD__USE,
1879 &ad);
1880 if (rc)
88e67f3b 1881 goto out;
1da177e4
LT		 1882 }
1883
f66e448c
CF		 1884#ifdef CONFIG_BPF_SYSCALL
1885 rc = bpf_fd_pass(file, cred_sid(cred));
1886 if (rc)
1887 return rc;
1888#endif
1889
1da177e4 1890 /* av is zero if only checking access to the descriptor. */
88e67f3b 1891 rc = 0;
1da177e4 1892 if (av)
19e49834 1893 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1894
88e67f3b
DH		 1895out:
1896 return rc;
1da177e4
LT		 1897}
1898
c3c188b2
DH		 1899/*
1900 * Determine the label for an inode that might be unioned.
1901 */
c957f6df
VG		 1902static int
1903selinux_determine_inode_label(const struct task_security_struct *tsec,
1904 struct inode *dir,
1905 const struct qstr *name, u16 tclass,
1906 u32 *_new_isid)
c3c188b2
DH		 1907{
1908 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1909
1910 if ((sbsec->flags & SE_SBINITIALIZED) &&
1911 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1912 *_new_isid = sbsec->mntpoint_sid;
1913 } else if ((sbsec->flags & SBLABEL_MNT) &&
1914 tsec->create_sid) {
1915 *_new_isid = tsec->create_sid;
1916 } else {
20cdef8d 1917 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1918 return security_transition_sid(&selinux_state, tsec->sid,
1919 dsec->sid, tclass,
c3c188b2
DH		 1920 name, _new_isid);
1921 }
1922
1923 return 0;
1924}
1925
1da177e4
LT		 1926/* Check whether a task can create a file. */
1927static int may_create(struct inode *dir,
1928 struct dentry *dentry,
1929 u16 tclass)
1930{
5fb49870 1931 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1932 struct inode_security_struct *dsec;
1933 struct superblock_security_struct *sbsec;
275bb41e 1934 u32 sid, newsid;
2bf49690 1935 struct common_audit_data ad;
1da177e4
LT		 1936 int rc;
1937
83da53c5 1938 dsec = inode_security(dir);
1da177e4
LT		 1939 sbsec = dir->i_sb->s_security;
1940
275bb41e 1941 sid = tsec->sid;
275bb41e 1942
50c205f5 1943 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1944 ad.u.dentry = dentry;
1da177e4 1945
6b6bc620
SS		 1946 rc = avc_has_perm(&selinux_state,
1947 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1948 DIR__ADD_NAME | DIR__SEARCH,
1949 &ad);
1950 if (rc)
1951 return rc;
1952
c957f6df
VG		 1953 rc = selinux_determine_inode_label(current_security(), dir,
1954 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1955 if (rc)
1956 return rc;
1da177e4 1957
6b6bc620
SS		 1958 rc = avc_has_perm(&selinux_state,
1959 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1960 if (rc)
1961 return rc;
1962
6b6bc620
SS		 1963 return avc_has_perm(&selinux_state,
1964 newsid, sbsec->sid,
1da177e4
LT		 1965 SECCLASS_FILESYSTEM,
1966 FILESYSTEM__ASSOCIATE, &ad);
1967}
1968
828dfe1d
EP		 1969#define MAY_LINK 0
1970#define MAY_UNLINK 1
1971#define MAY_RMDIR 2
1da177e4
LT		 1972
1973/* Check whether a task can link, unlink, or rmdir a file/directory. */
1974static int may_link(struct inode *dir,
1975 struct dentry *dentry,
1976 int kind)
1977
1978{
1da177e4 1979 struct inode_security_struct *dsec, *isec;
2bf49690 1980 struct common_audit_data ad;
275bb41e 1981 u32 sid = current_sid();
1da177e4
LT		 1982 u32 av;
1983 int rc;
1984
83da53c5
AG		 1985 dsec = inode_security(dir);
1986 isec = backing_inode_security(dentry);
1da177e4 1987
50c205f5 1988 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1989 ad.u.dentry = dentry;
1da177e4
LT		 1990
1991 av = DIR__SEARCH;
1992 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1993 rc = avc_has_perm(&selinux_state,
1994 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1995 if (rc)
1996 return rc;
1997
1998 switch (kind) {
1999 case MAY_LINK:
2000 av = FILE__LINK;
2001 break;
2002 case MAY_UNLINK:
2003 av = FILE__UNLINK;
2004 break;
2005 case MAY_RMDIR:
2006 av = DIR__RMDIR;
2007 break;
2008 default:
c103a91e 2009 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 2010 __func__, kind);
1da177e4
LT		 2011 return 0;
2012 }
2013
6b6bc620
SS		 2014 rc = avc_has_perm(&selinux_state,
2015 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 2016 return rc;
2017}
2018
2019static inline int may_rename(struct inode *old_dir,
2020 struct dentry *old_dentry,
2021 struct inode *new_dir,
2022 struct dentry *new_dentry)
2023{
1da177e4 2024 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 2025 struct common_audit_data ad;
275bb41e 2026 u32 sid = current_sid();
1da177e4
LT		 2027 u32 av;
2028 int old_is_dir, new_is_dir;
2029 int rc;
2030
83da53c5
AG		 2031 old_dsec = inode_security(old_dir);
2032 old_isec = backing_inode_security(old_dentry);
e36cb0b8 2033 old_is_dir = d_is_dir(old_dentry);
83da53c5 2034 new_dsec = inode_security(new_dir);
1da177e4 2035
50c205f5 2036 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 2037
a269434d 2038 ad.u.dentry = old_dentry;
6b6bc620
SS		 2039 rc = avc_has_perm(&selinux_state,
2040 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 2041 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2042 if (rc)
2043 return rc;
6b6bc620
SS		 2044 rc = avc_has_perm(&selinux_state,
2045 sid, old_isec->sid,
1da177e4
LT		 2046 old_isec->sclass, FILE__RENAME, &ad);
2047 if (rc)
2048 return rc;
2049 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 2050 rc = avc_has_perm(&selinux_state,
2051 sid, old_isec->sid,
1da177e4
LT		 2052 old_isec->sclass, DIR__REPARENT, &ad);
2053 if (rc)
2054 return rc;
2055 }
2056
a269434d 2057 ad.u.dentry = new_dentry;
1da177e4 2058 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2059 if (d_is_positive(new_dentry))
1da177e4 2060 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 2061 rc = avc_has_perm(&selinux_state,
2062 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2063 if (rc)
2064 return rc;
2c616d4d 2065 if (d_is_positive(new_dentry)) {
83da53c5 2066 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2067 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 2068 rc = avc_has_perm(&selinux_state,
2069 sid, new_isec->sid,
1da177e4
LT		 2070 new_isec->sclass,
2071 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2072 if (rc)
2073 return rc;
2074 }
2075
2076 return 0;
2077}
2078
2079/* Check whether a task can perform a filesystem operation. */
88e67f3b 2080static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2081 struct super_block *sb,
2082 u32 perms,
2bf49690 2083 struct common_audit_data *ad)
1da177e4 2084{
1da177e4 2085 struct superblock_security_struct *sbsec;
88e67f3b 2086 u32 sid = cred_sid(cred);
1da177e4 2087
1da177e4 2088 sbsec = sb->s_security;
6b6bc620
SS		 2089 return avc_has_perm(&selinux_state,
2090 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2091}
2092
2093/* Convert a Linux mode and permission mask to an access vector. */
2094static inline u32 file_mask_to_av(int mode, int mask)
2095{
2096 u32 av = 0;
2097
dba19c60 2098 if (!S_ISDIR(mode)) {
1da177e4
LT		 2099 if (mask & MAY_EXEC)
2100 av |= FILE__EXECUTE;
2101 if (mask & MAY_READ)
2102 av |= FILE__READ;
2103
2104 if (mask & MAY_APPEND)
2105 av |= FILE__APPEND;
2106 else if (mask & MAY_WRITE)
2107 av |= FILE__WRITE;
2108
2109 } else {
2110 if (mask & MAY_EXEC)
2111 av |= DIR__SEARCH;
2112 if (mask & MAY_WRITE)
2113 av |= DIR__WRITE;
2114 if (mask & MAY_READ)
2115 av |= DIR__READ;
2116 }
2117
2118 return av;
2119}
2120
8b6a5a37
EP		 2121/* Convert a Linux file to an access vector. */
2122static inline u32 file_to_av(struct file *file)
2123{
2124 u32 av = 0;
2125
2126 if (file->f_mode & FMODE_READ)
2127 av |= FILE__READ;
2128 if (file->f_mode & FMODE_WRITE) {
2129 if (file->f_flags & O_APPEND)
2130 av |= FILE__APPEND;
2131 else
2132 av |= FILE__WRITE;
2133 }
2134 if (!av) {
2135 /*
2136 * Special file opened with flags 3 for ioctl-only use.
2137 */
2138 av = FILE__IOCTL;
2139 }
2140
2141 return av;
2142}
2143
b0c636b9 2144/*
8b6a5a37 2145 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2146 * open permission.
2147 */
8b6a5a37 2148static inline u32 open_file_to_av(struct file *file)
b0c636b9 2149{
8b6a5a37 2150 u32 av = file_to_av(file);
ccb54478 2151 struct inode *inode = file_inode(file);
b0c636b9 2152
aa8e712c
SS		 2153 if (selinux_policycap_openperm() &&
2154 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2155 av |= FILE__OPEN;
2156
b0c636b9
EP		 2157 return av;
2158}
2159
1da177e4
LT		 2160/* Hook functions begin here. */
2161
79af7307
SS		 2162static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2163{
2164 u32 mysid = current_sid();
2165 u32 mgrsid = task_sid(mgr);
2166
6b6bc620
SS		 2167 return avc_has_perm(&selinux_state,
2168 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2169 BINDER__SET_CONTEXT_MGR, NULL);
2170}
2171
2172static int selinux_binder_transaction(struct task_struct *from,
2173 struct task_struct *to)
2174{
2175 u32 mysid = current_sid();
2176 u32 fromsid = task_sid(from);
2177 u32 tosid = task_sid(to);
2178 int rc;
2179
2180 if (mysid != fromsid) {
6b6bc620
SS		 2181 rc = avc_has_perm(&selinux_state,
2182 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2183 BINDER__IMPERSONATE, NULL);
2184 if (rc)
2185 return rc;
2186 }
2187
6b6bc620
SS		 2188 return avc_has_perm(&selinux_state,
2189 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2190 NULL);
2191}
2192
2193static int selinux_binder_transfer_binder(struct task_struct *from,
2194 struct task_struct *to)
2195{
2196 u32 fromsid = task_sid(from);
2197 u32 tosid = task_sid(to);
2198
6b6bc620
SS		 2199 return avc_has_perm(&selinux_state,
2200 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2201 NULL);
2202}
2203
2204static int selinux_binder_transfer_file(struct task_struct *from,
2205 struct task_struct *to,
2206 struct file *file)
2207{
2208 u32 sid = task_sid(to);
2209 struct file_security_struct *fsec = file->f_security;
83da53c5 2210 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2211 struct inode_security_struct *isec;
79af7307
SS		 2212 struct common_audit_data ad;
2213 int rc;
2214
2215 ad.type = LSM_AUDIT_DATA_PATH;
2216 ad.u.path = file->f_path;
2217
2218 if (sid != fsec->sid) {
6b6bc620
SS		 2219 rc = avc_has_perm(&selinux_state,
2220 sid, fsec->sid,
79af7307
SS		 2221 SECCLASS_FD,
2222 FD__USE,
2223 &ad);
2224 if (rc)
2225 return rc;
2226 }
2227
f66e448c
CF		 2228#ifdef CONFIG_BPF_SYSCALL
2229 rc = bpf_fd_pass(file, sid);
2230 if (rc)
2231 return rc;
2232#endif
2233
83da53c5 2234 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2235 return 0;
2236
20cdef8d 2237 isec = backing_inode_security(dentry);
6b6bc620
SS		 2238 return avc_has_perm(&selinux_state,
2239 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2240 &ad);
2241}
2242
9e48858f 2243static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2244 unsigned int mode)
1da177e4 2245{
be0554c9
SS		 2246 u32 sid = current_sid();
2247 u32 csid = task_sid(child);
2248
2249 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2250 return avc_has_perm(&selinux_state,
2251 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2252
6b6bc620
SS		 2253 return avc_has_perm(&selinux_state,
2254 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2255}
2256
2257static int selinux_ptrace_traceme(struct task_struct *parent)
2258{
6b6bc620
SS		 2259 return avc_has_perm(&selinux_state,
2260 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2261 PROCESS__PTRACE, NULL);
1da177e4
LT		 2262}
2263
2264static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2265 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2266{
6b6bc620
SS		 2267 return avc_has_perm(&selinux_state,
2268 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2269 PROCESS__GETCAP, NULL);
1da177e4
LT		 2270}
2271
d84f4f99
DH		 2272static int selinux_capset(struct cred *new, const struct cred *old,
2273 const kernel_cap_t *effective,
2274 const kernel_cap_t *inheritable,
2275 const kernel_cap_t *permitted)
1da177e4 2276{
6b6bc620
SS		 2277 return avc_has_perm(&selinux_state,
2278 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2279 PROCESS__SETCAP, NULL);
1da177e4
LT		 2280}
2281
5626d3e8
JM		 2282/*
2283 * (This comment used to live with the selinux_task_setuid hook,
2284 * which was removed).
2285 *
2286 * Since setuid only affects the current process, and since the SELinux
2287 * controls are not based on the Linux identity attributes, SELinux does not
2288 * need to control this operation. However, SELinux does control the use of
2289 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2290 */
2291
6a9de491
EP		 2292static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2293 int cap, int audit)
1da177e4 2294{
8e4ff6f2 2295 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2296}
2297
1da177e4
LT		 2298static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2299{
88e67f3b 2300 const struct cred *cred = current_cred();
1da177e4
LT		 2301 int rc = 0;
2302
2303 if (!sb)
2304 return 0;
2305
2306 switch (cmds) {
828dfe1d
EP		 2307 case Q_SYNC:
2308 case Q_QUOTAON:
2309 case Q_QUOTAOFF:
2310 case Q_SETINFO:
2311 case Q_SETQUOTA:
88e67f3b 2312 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2313 break;
2314 case Q_GETFMT:
2315 case Q_GETINFO:
2316 case Q_GETQUOTA:
88e67f3b 2317 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2318 break;
2319 default:
2320 rc = 0; /* let the kernel handle invalid cmds */
2321 break;
1da177e4
LT		 2322 }
2323 return rc;
2324}
2325
2326static int selinux_quota_on(struct dentry *dentry)
2327{
88e67f3b
DH		 2328 const struct cred *cred = current_cred();
2329
2875fa00 2330 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2331}
2332
12b3052c 2333static int selinux_syslog(int type)
1da177e4 2334{
1da177e4 2335 switch (type) {
d78ca3cd
KC		 2336 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2337 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2338 return avc_has_perm(&selinux_state,
2339 current_sid(), SECINITSID_KERNEL,
be0554c9 2340 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2341 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2342 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2343 /* Set level of messages printed to console */
2344 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2345 return avc_has_perm(&selinux_state,
2346 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2347 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2348 NULL);
1da177e4 2349 }
be0554c9 2350 /* All other syslog types */
6b6bc620
SS		 2351 return avc_has_perm(&selinux_state,
2352 current_sid(), SECINITSID_KERNEL,
be0554c9 2353 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2354}
2355
2356/*
2357 * Check that a process has enough memory to allocate a new virtual
2358 * mapping. 0 means there is enough memory for the allocation to
2359 * succeed and -ENOMEM implies there is not.
2360 *
1da177e4
LT		 2361 * Do not audit the selinux permission check, as this is applied to all
2362 * processes that allocate mappings.
2363 */
34b4e4aa 2364static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2365{
2366 int rc, cap_sys_admin = 0;
1da177e4 2367
b1d9e6b0 2368 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2369 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2370 if (rc == 0)
2371 cap_sys_admin = 1;
2372
b1d9e6b0 2373 return cap_sys_admin;
1da177e4
LT		 2374}
2375
2376/* binprm security operations */
2377
be0554c9 2378static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2379{
2380 u32 sid = 0;
2381 struct task_struct *tracer;
2382
2383 rcu_read_lock();
be0554c9 2384 tracer = ptrace_parent(current);
0c6181cb
PM		 2385 if (tracer)
2386 sid = task_sid(tracer);
2387 rcu_read_unlock();
2388
2389 return sid;
2390}
2391
7b0d0b40
SS		 2392static int check_nnp_nosuid(const struct linux_binprm *bprm,
2393 const struct task_security_struct *old_tsec,
2394 const struct task_security_struct *new_tsec)
2395{
2396 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2397 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2398 int rc;
af63f419 2399 u32 av;
7b0d0b40
SS		 2400
2401 if (!nnp && !nosuid)
2402 return 0; /* neither NNP nor nosuid */
2403
2404 if (new_tsec->sid == old_tsec->sid)
2405 return 0; /* No change in credentials */
2406
2407 /*
af63f419
SS		 2408 * If the policy enables the nnp_nosuid_transition policy capability,
2409 * then we permit transitions under NNP or nosuid if the
2410 * policy allows the corresponding permission between
2411 * the old and new contexts.
7b0d0b40 2412 */
aa8e712c 2413 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2414 av = 0;
7b0d0b40 2415 if (nnp)
af63f419
SS		 2416 av |= PROCESS2__NNP_TRANSITION;
2417 if (nosuid)
2418 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2419 rc = avc_has_perm(&selinux_state,
2420 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2421 SECCLASS_PROCESS2, av, NULL);
2422 if (!rc)
2423 return 0;
7b0d0b40 2424 }
af63f419
SS		 2425
2426 /*
2427 * We also permit NNP or nosuid transitions to bounded SIDs,
2428 * i.e. SIDs that are guaranteed to only be allowed a subset
2429 * of the permissions of the current SID.
2430 */
aa8e712c
SS		 2431 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2432 new_tsec->sid);
af63f419
SS		 2433 if (!rc)
2434 return 0;
2435
2436 /*
2437 * On failure, preserve the errno values for NNP vs nosuid.
2438 * NNP: Operation not permitted for caller.
2439 * nosuid: Permission denied to file.
2440 */
2441 if (nnp)
2442 return -EPERM;
2443 return -EACCES;
7b0d0b40
SS		 2444}
2445
a6f76f23 2446static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2447{
a6f76f23
DH		 2448 const struct task_security_struct *old_tsec;
2449 struct task_security_struct *new_tsec;
1da177e4 2450 struct inode_security_struct *isec;
2bf49690 2451 struct common_audit_data ad;
496ad9aa 2452 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2453 int rc;
2454
a6f76f23
DH		 2455 /* SELinux context only depends on initial program or script and not
2456 * the script interpreter */
ddb4a144 2457 if (bprm->called_set_creds)
1da177e4
LT		 2458 return 0;
2459
a6f76f23
DH		 2460 old_tsec = current_security();
2461 new_tsec = bprm->cred->security;
83da53c5 2462 isec = inode_security(inode);
1da177e4
LT		 2463
2464 /* Default to the current task SID. */
a6f76f23
DH		 2465 new_tsec->sid = old_tsec->sid;
2466 new_tsec->osid = old_tsec->sid;
1da177e4 2467
28eba5bf 2468 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2469 new_tsec->create_sid = 0;
2470 new_tsec->keycreate_sid = 0;
2471 new_tsec->sockcreate_sid = 0;
1da177e4 2472
a6f76f23
DH		 2473 if (old_tsec->exec_sid) {
2474 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2475 /* Reset exec SID on execve. */
a6f76f23 2476 new_tsec->exec_sid = 0;
259e5e6c 2477
7b0d0b40
SS		 2478 /* Fail on NNP or nosuid if not an allowed transition. */
2479 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2480 if (rc)
2481 return rc;
1da177e4
LT		 2482 } else {
2483 /* Check for a default transition on this program. */
aa8e712c
SS		 2484 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2485 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2486 &new_tsec->sid);
1da177e4
LT		 2487 if (rc)
2488 return rc;
7b0d0b40
SS		 2489
2490 /*
2491 * Fallback to old SID on NNP or nosuid if not an allowed
2492 * transition.
2493 */
2494 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2495 if (rc)
2496 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2497 }
2498
43af5de7
VG		 2499 ad.type = LSM_AUDIT_DATA_FILE;
2500 ad.u.file = bprm->file;
1da177e4 2501
a6f76f23 2502 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2503 rc = avc_has_perm(&selinux_state,
2504 old_tsec->sid, isec->sid,
1da177e4
LT		 2505 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2506 if (rc)
2507 return rc;
2508 } else {
2509 /* Check permissions for the transition. */
6b6bc620
SS		 2510 rc = avc_has_perm(&selinux_state,
2511 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2512 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2513 if (rc)
2514 return rc;
2515
6b6bc620
SS		 2516 rc = avc_has_perm(&selinux_state,
2517 new_tsec->sid, isec->sid,
1da177e4
LT		 2518 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2519 if (rc)
2520 return rc;
2521
a6f76f23
DH		 2522 /* Check for shared state */
2523 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2524 rc = avc_has_perm(&selinux_state,
2525 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2526 SECCLASS_PROCESS, PROCESS__SHARE,
2527 NULL);
2528 if (rc)
2529 return -EPERM;
2530 }
2531
2532 /* Make sure that anyone attempting to ptrace over a task that
2533 * changes its SID has the appropriate permit */
9227dd2a 2534 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2535 u32 ptsid = ptrace_parent_sid();
a6f76f23 2536 if (ptsid != 0) {
6b6bc620
SS		 2537 rc = avc_has_perm(&selinux_state,
2538 ptsid, new_tsec->sid,
a6f76f23
DH		 2539 SECCLASS_PROCESS,
2540 PROCESS__PTRACE, NULL);
2541 if (rc)
2542 return -EPERM;
2543 }
2544 }
1da177e4 2545
a6f76f23
DH		 2546 /* Clear any possibly unsafe personality bits on exec: */
2547 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2548
1da177e4
LT		 2549 /* Enable secure mode for SIDs transitions unless
2550 the noatsecure permission is granted between
2551 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2552 rc = avc_has_perm(&selinux_state,
2553 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2554 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2555 NULL);
2556 bprm->secureexec |= !!rc;
1da177e4
LT		 2557 }
2558
62874c3a 2559 return 0;
1da177e4
LT		 2560}
2561
c3c073f8
AV		 2562static int match_file(const void *p, struct file *file, unsigned fd)
2563{
2564 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2565}
2566
1da177e4 2567/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2568static inline void flush_unauthorized_files(const struct cred *cred,
2569 struct files_struct *files)
1da177e4 2570{
1da177e4 2571 struct file *file, *devnull = NULL;
b20c8122 2572 struct tty_struct *tty;
24ec839c 2573 int drop_tty = 0;
c3c073f8 2574 unsigned n;
1da177e4 2575
24ec839c 2576 tty = get_current_tty();
1da177e4 2577 if (tty) {
4a510969 2578 spin_lock(&tty->files_lock);
37dd0bd0 2579 if (!list_empty(&tty->tty_files)) {
d996b62a 2580 struct tty_file_private *file_priv;
37dd0bd0 2581
1da177e4 2582 /* Revalidate access to controlling tty.
13f8e981
DH		 2583 Use file_path_has_perm on the tty path directly
2584 rather than using file_has_perm, as this particular
2585 open file may belong to another process and we are
2586 only interested in the inode-based check here. */
d996b62a
NP		 2587 file_priv = list_first_entry(&tty->tty_files,
2588 struct tty_file_private, list);
2589 file = file_priv->file;
13f8e981 2590 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2591 drop_tty = 1;
1da177e4 2592 }
4a510969 2593 spin_unlock(&tty->files_lock);
452a00d2 2594 tty_kref_put(tty);
1da177e4 2595 }
98a27ba4
EB		 2596 /* Reset controlling tty. */
2597 if (drop_tty)
2598 no_tty();
1da177e4
LT		 2599
2600 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2601 n = iterate_fd(files, 0, match_file, cred);
2602 if (!n) /* none found? */
2603 return;
1da177e4 2604
c3c073f8 2605 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2606 if (IS_ERR(devnull))
2607 devnull = NULL;
2608 /* replace all the matching ones with this */
2609 do {
2610 replace_fd(n - 1, devnull, 0);
2611 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2612 if (devnull)
c3c073f8 2613 fput(devnull);
1da177e4
LT		 2614}
2615
a6f76f23
DH		 2616/*
2617 * Prepare a process for imminent new credential changes due to exec
2618 */
2619static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2620{
a6f76f23
DH		 2621 struct task_security_struct *new_tsec;
2622 struct rlimit *rlim, *initrlim;
2623 int rc, i;
d84f4f99 2624
a6f76f23
DH		 2625 new_tsec = bprm->cred->security;
2626 if (new_tsec->sid == new_tsec->osid)
2627 return;
1da177e4 2628
a6f76f23
DH		 2629 /* Close files for which the new task SID is not authorized. */
2630 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2631
a6f76f23
DH		 2632 /* Always clear parent death signal on SID transitions. */
2633 current->pdeath_signal = 0;
0356357c 2634
a6f76f23
DH		 2635 /* Check whether the new SID can inherit resource limits from the old
2636 * SID. If not, reset all soft limits to the lower of the current
2637 * task's hard limit and the init task's soft limit.
2638 *
2639 * Note that the setting of hard limits (even to lower them) can be
2640 * controlled by the setrlimit check. The inclusion of the init task's
2641 * soft limit into the computation is to avoid resetting soft limits
2642 * higher than the default soft limit for cases where the default is
2643 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2644 */
6b6bc620
SS		 2645 rc = avc_has_perm(&selinux_state,
2646 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2647 PROCESS__RLIMITINH, NULL);
2648 if (rc) {
eb2d55a3
ON		 2649 /* protect against do_prlimit() */
2650 task_lock(current);
a6f76f23
DH		 2651 for (i = 0; i < RLIM_NLIMITS; i++) {
2652 rlim = current->signal->rlim + i;
2653 initrlim = init_task.signal->rlim + i;
2654 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2655 }
eb2d55a3 2656 task_unlock(current);
baa73d9e
NP		 2657 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2658 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2659 }
2660}
2661
2662/*
a6f76f23
DH		 2663 * Clean up the process immediately after the installation of new credentials
2664 * due to exec
1da177e4 2665 */
a6f76f23 2666static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2667{
a6f76f23 2668 const struct task_security_struct *tsec = current_security();
1da177e4 2669 struct itimerval itimer;
a6f76f23 2670 u32 osid, sid;
1da177e4
LT		 2671 int rc, i;
2672
a6f76f23
DH		 2673 osid = tsec->osid;
2674 sid = tsec->sid;
2675
2676 if (sid == osid)
1da177e4
LT		 2677 return;
2678
a6f76f23
DH		 2679 /* Check whether the new SID can inherit signal state from the old SID.
2680 * If not, clear itimers to avoid subsequent signal generation and
2681 * flush and unblock signals.
2682 *
2683 * This must occur _after_ the task SID has been updated so that any
2684 * kill done after the flush will be checked against the new SID.
2685 */
6b6bc620
SS		 2686 rc = avc_has_perm(&selinux_state,
2687 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2688 if (rc) {
baa73d9e
NP		 2689 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2690 memset(&itimer, 0, sizeof itimer);
2691 for (i = 0; i < 3; i++)
2692 do_setitimer(i, &itimer, NULL);
2693 }
1da177e4 2694 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2695 if (!fatal_signal_pending(current)) {
2696 flush_sigqueue(&current->pending);
2697 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2698 flush_signal_handlers(current, 1);
2699 sigemptyset(&current->blocked);
9e7c8f8c 2700 recalc_sigpending();
3bcac026 2701 }
1da177e4
LT		 2702 spin_unlock_irq(&current->sighand->siglock);
2703 }
2704
a6f76f23
DH		 2705 /* Wake up the parent if it is waiting so that it can recheck
2706 * wait permission to the new task SID. */
ecd6de3c 2707 read_lock(&tasklist_lock);
0b7570e7 2708 __wake_up_parent(current, current->real_parent);
ecd6de3c 2709 read_unlock(&tasklist_lock);
1da177e4
LT		 2710}
2711
2712/* superblock security operations */
2713
2714static int selinux_sb_alloc_security(struct super_block *sb)
2715{
2716 return superblock_alloc_security(sb);
2717}
2718
2719static void selinux_sb_free_security(struct super_block *sb)
2720{
2721 superblock_free_security(sb);
2722}
2723
2724static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2725{
2726 if (plen > olen)
2727 return 0;
2728
2729 return !memcmp(prefix, option, plen);
2730}
2731
2732static inline int selinux_option(char *option, int len)
2733{
832cbd9a
EP		 2734 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2735 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2736 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2737 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2738 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2739}
2740
2741static inline void take_option(char **to, char *from, int *first, int len)
2742{
2743 if (!*first) {
2744 **to = ',';
2745 *to += 1;
3528a953 2746 } else
1da177e4
LT		 2747 *first = 0;
2748 memcpy(*to, from, len);
2749 *to += len;
2750}
2751
828dfe1d
EP		 2752static inline void take_selinux_option(char **to, char *from, int *first,
2753 int len)
3528a953
CO		 2754{
2755 int current_size = 0;
2756
2757 if (!*first) {
2758 **to = '|';
2759 *to += 1;
828dfe1d 2760 } else
3528a953
CO		 2761 *first = 0;
2762
2763 while (current_size < len) {
2764 if (*from != '"') {
2765 **to = *from;
2766 *to += 1;
2767 }
2768 from += 1;
2769 current_size += 1;
2770 }
2771}
2772
e0007529 2773static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2774{
2775 int fnosec, fsec, rc = 0;
2776 char *in_save, *in_curr, *in_end;
2777 char *sec_curr, *nosec_save, *nosec;
3528a953 2778 int open_quote = 0;
1da177e4
LT		 2779
2780 in_curr = orig;
2781 sec_curr = copy;
2782
1da177e4
LT		 2783 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2784 if (!nosec) {
2785 rc = -ENOMEM;
2786 goto out;
2787 }
2788
2789 nosec_save = nosec;
2790 fnosec = fsec = 1;
2791 in_save = in_end = orig;
2792
2793 do {
3528a953
CO		 2794 if (*in_end == '"')
2795 open_quote = !open_quote;
2796 if ((*in_end == ',' && open_quote == 0) ||
2797 *in_end == '\0') {
1da177e4
LT		 2798 int len = in_end - in_curr;
2799
2800 if (selinux_option(in_curr, len))
3528a953 2801 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2802 else
2803 take_option(&nosec, in_curr, &fnosec, len);
2804
2805 in_curr = in_end + 1;
2806 }
2807 } while (*in_end++);
2808
6931dfc9 2809 strcpy(in_save, nosec_save);
da3caa20 2810 free_page((unsigned long)nosec_save);
1da177e4
LT		 2811out:
2812 return rc;
2813}
2814
c039bc3c
AV		 2815static int selinux_sb_remount(struct super_block *sb,
2816 struct security_mnt_opts *opts)
026eb167 2817{
c039bc3c
AV		 2818 int i, *flags;
2819 char **mount_options;
026eb167
EP		 2820 struct superblock_security_struct *sbsec = sb->s_security;
2821
2822 if (!(sbsec->flags & SE_SBINITIALIZED))
2823 return 0;
2824
c039bc3c
AV		 2825 mount_options = opts->mnt_opts;
2826 flags = opts->mnt_opts_flags;
026eb167 2827
c039bc3c 2828 for (i = 0; i < opts->num_mnt_opts; i++) {
026eb167 2829 u32 sid;
c039bc3c 2830 int rc;
026eb167 2831
12f348b9 2832 if (flags[i] == SBLABEL_MNT)
026eb167 2833 continue;
aa8e712c
SS		 2834 rc = security_context_str_to_sid(&selinux_state,
2835 mount_options[i], &sid,
2836 GFP_KERNEL);
026eb167 2837 if (rc) {
c103a91e 2838 pr_warn("SELinux: security_context_str_to_sid"
29b1deb2
LT		 2839 "(%s) failed for (dev %s, type %s) errno=%d\n",
2840 mount_options[i], sb->s_id, sb->s_type->name, rc);
c039bc3c 2841 return rc;
026eb167 2842 }
026eb167
EP		 2843 switch (flags[i]) {
2844 case FSCONTEXT_MNT:
2845 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2846 goto out_bad_option;
2847 break;
2848 case CONTEXT_MNT:
2849 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2850 goto out_bad_option;
2851 break;
2852 case ROOTCONTEXT_MNT: {
2853 struct inode_security_struct *root_isec;
83da53c5 2854 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2855
2856 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2857 goto out_bad_option;
2858 break;
2859 }
2860 case DEFCONTEXT_MNT:
2861 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2862 goto out_bad_option;
2863 break;
2864 default:
c039bc3c 2865 return -EINVAL;
026eb167
EP		 2866 }
2867 }
c039bc3c 2868 return 0;
026eb167 2869
026eb167 2870out_bad_option:
c103a91e 2871 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2872 "during remount (dev %s, type=%s)\n", sb->s_id,
2873 sb->s_type->name);
c039bc3c 2874 return -EINVAL;
026eb167
EP		 2875}
2876
6be8750b
AV		 2877static int selinux_sb_kern_mount(struct super_block *sb, int flags,
2878 struct security_mnt_opts *opts)
1da177e4 2879{
88e67f3b 2880 const struct cred *cred = current_cred();
2bf49690 2881 struct common_audit_data ad;
6be8750b 2882 int rc = selinux_set_mnt_opts(sb, opts, 0, NULL);
1da177e4
LT		 2883 if (rc)
2884 return rc;
2885
74192246
JM		 2886 /* Allow all mounts performed by the kernel */
2887 if (flags & MS_KERNMOUNT)
2888 return 0;
2889
50c205f5 2890 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2891 ad.u.dentry = sb->s_root;
88e67f3b 2892 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2893}
2894
726c3342 2895static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2896{
88e67f3b 2897 const struct cred *cred = current_cred();
2bf49690 2898 struct common_audit_data ad;
1da177e4 2899
50c205f5 2900 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2901 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2902 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2903}
2904
808d4e3c 2905static int selinux_mount(const char *dev_name,
8a04c43b 2906 const struct path *path,
808d4e3c 2907 const char *type,
828dfe1d
EP		 2908 unsigned long flags,
2909 void *data)
1da177e4 2910{
88e67f3b 2911 const struct cred *cred = current_cred();
1da177e4
LT		 2912
2913 if (flags & MS_REMOUNT)
d8c9584e 2914 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2915 FILESYSTEM__REMOUNT, NULL);
1da177e4 2916 else
2875fa00 2917 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2918}
2919
2920static int selinux_umount(struct vfsmount *mnt, int flags)
2921{
88e67f3b 2922 const struct cred *cred = current_cred();
1da177e4 2923
88e67f3b 2924 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2925 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2926}
2927
2928/* inode security operations */
2929
2930static int selinux_inode_alloc_security(struct inode *inode)
2931{
2932 return inode_alloc_security(inode);
2933}
2934
2935static void selinux_inode_free_security(struct inode *inode)
2936{
2937 inode_free_security(inode);
2938}
2939
d47be3df 2940static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2941 const struct qstr *name, void **ctx,
d47be3df
DQ		 2942 u32 *ctxlen)
2943{
d47be3df
DQ		 2944 u32 newsid;
2945 int rc;
2946
c957f6df
VG		 2947 rc = selinux_determine_inode_label(current_security(),
2948 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2949 inode_mode_to_security_class(mode),
2950 &newsid);
2951 if (rc)
2952 return rc;
d47be3df 2953
aa8e712c
SS		 2954 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2955 ctxlen);
d47be3df
DQ		 2956}
2957
a518b0a5
VG		 2958static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2959 struct qstr *name,
2960 const struct cred *old,
2961 struct cred *new)
2962{
2963 u32 newsid;
2964 int rc;
2965 struct task_security_struct *tsec;
2966
2967 rc = selinux_determine_inode_label(old->security,
2968 d_inode(dentry->d_parent), name,
2969 inode_mode_to_security_class(mode),
2970 &newsid);
2971 if (rc)
2972 return rc;
2973
2974 tsec = new->security;
2975 tsec->create_sid = newsid;
2976 return 0;
2977}
2978
5e41ff9e 2979static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2980 const struct qstr *qstr,
2981 const char **name,
2a7dba39 2982 void **value, size_t *len)
5e41ff9e 2983{
5fb49870 2984 const struct task_security_struct *tsec = current_security();
5e41ff9e 2985 struct superblock_security_struct *sbsec;
c0d4f464 2986 u32 newsid, clen;
5e41ff9e 2987 int rc;
9548906b 2988 char *context;
5e41ff9e 2989
5e41ff9e 2990 sbsec = dir->i_sb->s_security;
5e41ff9e 2991
275bb41e
DH		 2992 newsid = tsec->create_sid;
2993
c957f6df 2994 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2995 dir, qstr,
2996 inode_mode_to_security_class(inode->i_mode),
2997 &newsid);
2998 if (rc)
2999 return rc;
5e41ff9e 3000
296fddf7 3001 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 3002 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 3003 struct inode_security_struct *isec = inode->i_security;
3004 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3005 isec->sid = newsid;
6f3be9f5 3006 isec->initialized = LABEL_INITIALIZED;
296fddf7 3007 }
5e41ff9e 3008
aa8e712c 3009 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 3010 return -EOPNOTSUPP;
3011
9548906b
TH		 3012 if (name)
3013 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 3014
570bc1c2 3015 if (value && len) {
aa8e712c
SS		 3016 rc = security_sid_to_context_force(&selinux_state, newsid,
3017 &context, &clen);
9548906b 3018 if (rc)
570bc1c2 3019 return rc;
570bc1c2
SS		 3020 *value = context;
3021 *len = clen;
5e41ff9e 3022 }
5e41ff9e 3023
5e41ff9e
SS		 3024 return 0;
3025}
3026
4acdaf27 3027static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3028{
3029 return may_create(dir, dentry, SECCLASS_FILE);
3030}
3031
1da177e4
LT		 3032static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3033{
1da177e4
LT		 3034 return may_link(dir, old_dentry, MAY_LINK);
3035}
3036
1da177e4
LT		 3037static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3038{
1da177e4
LT		 3039 return may_link(dir, dentry, MAY_UNLINK);
3040}
3041
3042static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3043{
3044 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3045}
3046
18bb1db3 3047static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3048{
3049 return may_create(dir, dentry, SECCLASS_DIR);
3050}
3051
1da177e4
LT		 3052static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3053{
3054 return may_link(dir, dentry, MAY_RMDIR);
3055}
3056
1a67aafb 3057static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3058{
1da177e4
LT		 3059 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3060}
3061
1da177e4 3062static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3063 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3064{
3065 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3066}
3067
1da177e4
LT		 3068static int selinux_inode_readlink(struct dentry *dentry)
3069{
88e67f3b
DH		 3070 const struct cred *cred = current_cred();
3071
2875fa00 3072 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3073}
3074
bda0be7a
N		 3075static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3076 bool rcu)
1da177e4 3077{
88e67f3b 3078 const struct cred *cred = current_cred();
bda0be7a
N		 3079 struct common_audit_data ad;
3080 struct inode_security_struct *isec;
3081 u32 sid;
1da177e4 3082
bda0be7a
N		 3083 validate_creds(cred);
3084
3085 ad.type = LSM_AUDIT_DATA_DENTRY;
3086 ad.u.dentry = dentry;
3087 sid = cred_sid(cred);
5d226df4
AG		 3088 isec = inode_security_rcu(inode, rcu);
3089 if (IS_ERR(isec))
3090 return PTR_ERR(isec);
bda0be7a 3091
6b6bc620
SS		 3092 return avc_has_perm_flags(&selinux_state,
3093 sid, isec->sid, isec->sclass, FILE__READ, &ad,
bda0be7a 3094 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3095}
3096
d4cf970d
EP		 3097static noinline int audit_inode_permission(struct inode *inode,
3098 u32 perms, u32 audited, u32 denied,
626b9740 3099 int result,
d4cf970d 3100 unsigned flags)
1da177e4 3101{
b782e0a6 3102 struct common_audit_data ad;
d4cf970d
EP		 3103 struct inode_security_struct *isec = inode->i_security;
3104 int rc;
3105
50c205f5 3106 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3107 ad.u.inode = inode;
3108
6b6bc620
SS		 3109 rc = slow_avc_audit(&selinux_state,
3110 current_sid(), isec->sid, isec->sclass, perms,
626b9740 3111 audited, denied, result, &ad, flags);
d4cf970d
EP		 3112 if (rc)
3113 return rc;
3114 return 0;
3115}
3116
e74f71eb 3117static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3118{
88e67f3b 3119 const struct cred *cred = current_cred();
b782e0a6
EP		 3120 u32 perms;
3121 bool from_access;
cf1dd1da 3122 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3123 struct inode_security_struct *isec;
3124 u32 sid;
3125 struct av_decision avd;
3126 int rc, rc2;
3127 u32 audited, denied;
1da177e4 3128
b782e0a6 3129 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3130 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3131
b782e0a6
EP		 3132 /* No permission to check. Existence test. */
3133 if (!mask)
1da177e4 3134 return 0;
1da177e4 3135
2e334057 3136 validate_creds(cred);
b782e0a6 3137
2e334057
EP		 3138 if (unlikely(IS_PRIVATE(inode)))
3139 return 0;
b782e0a6
EP		 3140
3141 perms = file_mask_to_av(inode->i_mode, mask);
3142
2e334057 3143 sid = cred_sid(cred);
5d226df4
AG		 3144 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3145 if (IS_ERR(isec))
3146 return PTR_ERR(isec);
2e334057 3147
6b6bc620
SS		 3148 rc = avc_has_perm_noaudit(&selinux_state,
3149 sid, isec->sid, isec->sclass, perms, 0, &avd);
2e334057
EP		 3150 audited = avc_audit_required(perms, &avd, rc,
3151 from_access ? FILE__AUDIT_ACCESS : 0,
3152 &denied);
3153 if (likely(!audited))
3154 return rc;
3155
626b9740 3156 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3157 if (rc2)
3158 return rc2;
3159 return rc;
1da177e4
LT		 3160}
3161
3162static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3163{
88e67f3b 3164 const struct cred *cred = current_cred();
ccb54478 3165 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3166 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3167 __u32 av = FILE__WRITE;
1da177e4 3168
bc6a6008
AW		 3169 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3170 if (ia_valid & ATTR_FORCE) {
3171 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3172 ATTR_FORCE);
3173 if (!ia_valid)
3174 return 0;
3175 }
1da177e4 3176
bc6a6008
AW		 3177 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3178 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3179 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3180
aa8e712c 3181 if (selinux_policycap_openperm() &&
ccb54478
SS		 3182 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3183 (ia_valid & ATTR_SIZE) &&
3184 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3185 av |= FILE__OPEN;
3186
3187 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3188}
3189
3f7036a0 3190static int selinux_inode_getattr(const struct path *path)
1da177e4 3191{
3f7036a0 3192 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3193}
3194
db59000a
SS		 3195static bool has_cap_mac_admin(bool audit)
3196{
3197 const struct cred *cred = current_cred();
3198 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3199
3200 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3201 return false;
3202 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3203 return false;
3204 return true;
3205}
3206
8f0cfa52
DH		 3207static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3208 const void *value, size_t size, int flags)
1da177e4 3209{
c6f493d6 3210 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3211 struct inode_security_struct *isec;
1da177e4 3212 struct superblock_security_struct *sbsec;
2bf49690 3213 struct common_audit_data ad;
275bb41e 3214 u32 newsid, sid = current_sid();
1da177e4
LT		 3215 int rc = 0;
3216
6b240306
EB		 3217 if (strcmp(name, XATTR_NAME_SELINUX)) {
3218 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3219 if (rc)
3220 return rc;
3221
3222 /* Not an attribute we recognize, so just check the
3223 ordinary setattr permission. */
3224 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3225 }
1da177e4
LT		 3226
3227 sbsec = inode->i_sb->s_security;
12f348b9 3228 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3229 return -EOPNOTSUPP;
3230
2e149670 3231 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3232 return -EPERM;
3233
50c205f5 3234 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3235 ad.u.dentry = dentry;
1da177e4 3236
20cdef8d 3237 isec = backing_inode_security(dentry);
6b6bc620
SS		 3238 rc = avc_has_perm(&selinux_state,
3239 sid, isec->sid, isec->sclass,
1da177e4
LT		 3240 FILE__RELABELFROM, &ad);
3241 if (rc)
3242 return rc;
3243
aa8e712c
SS		 3244 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3245 GFP_KERNEL);
12b29f34 3246 if (rc == -EINVAL) {
db59000a 3247 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3248 struct audit_buffer *ab;
3249 size_t audit_size;
d6ea83ec
EP		 3250
3251 /* We strip a nul only if it is at the end, otherwise the
3252 * context contains a nul and we should audit that */
e3fea3f7 3253 if (value) {
add24372
CIK		 3254 const char *str = value;
3255
e3fea3f7
AV		 3256 if (str[size - 1] == '\0')
3257 audit_size = size - 1;
3258 else
3259 audit_size = size;
3260 } else {
e3fea3f7
AV		 3261 audit_size = 0;
3262 }
cdfb6b34
RGB		 3263 ab = audit_log_start(audit_context(),
3264 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3265 audit_log_format(ab, "op=setxattr invalid_context=");
3266 audit_log_n_untrustedstring(ab, value, audit_size);
3267 audit_log_end(ab);
3268
12b29f34 3269 return rc;
d6ea83ec 3270 }
aa8e712c
SS		 3271 rc = security_context_to_sid_force(&selinux_state, value,
3272 size, &newsid);
12b29f34 3273 }
1da177e4
LT		 3274 if (rc)
3275 return rc;
3276
6b6bc620
SS		 3277 rc = avc_has_perm(&selinux_state,
3278 sid, newsid, isec->sclass,
1da177e4
LT		 3279 FILE__RELABELTO, &ad);
3280 if (rc)
3281 return rc;
3282
aa8e712c
SS		 3283 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3284 sid, isec->sclass);
1da177e4
LT		 3285 if (rc)
3286 return rc;
3287
6b6bc620
SS		 3288 return avc_has_perm(&selinux_state,
3289 newsid,
1da177e4
LT		 3290 sbsec->sid,
3291 SECCLASS_FILESYSTEM,
3292 FILESYSTEM__ASSOCIATE,
3293 &ad);
3294}
3295
8f0cfa52 3296static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3297 const void *value, size_t size,
8f0cfa52 3298 int flags)
1da177e4 3299{
c6f493d6 3300 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3301 struct inode_security_struct *isec;
1da177e4
LT		 3302 u32 newsid;
3303 int rc;
3304
3305 if (strcmp(name, XATTR_NAME_SELINUX)) {
3306 /* Not an attribute we recognize, so nothing to do. */
3307 return;
3308 }
3309
aa8e712c
SS		 3310 rc = security_context_to_sid_force(&selinux_state, value, size,
3311 &newsid);
1da177e4 3312 if (rc) {
c103a91e 3313 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3314 "for (%s, %lu), rc=%d\n",
3315 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3316 return;
3317 }
3318
20cdef8d 3319 isec = backing_inode_security(dentry);
9287aed2 3320 spin_lock(&isec->lock);
aa9c2669 3321 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3322 isec->sid = newsid;
6f3be9f5 3323 isec->initialized = LABEL_INITIALIZED;
9287aed2 3324 spin_unlock(&isec->lock);
aa9c2669 3325
1da177e4
LT		 3326 return;
3327}
3328
8f0cfa52 3329static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3330{
88e67f3b
DH		 3331 const struct cred *cred = current_cred();
3332
2875fa00 3333 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3334}
3335
828dfe1d 3336static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3337{
88e67f3b
DH		 3338 const struct cred *cred = current_cred();
3339
2875fa00 3340 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3341}
3342
8f0cfa52 3343static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3344{
6b240306
EB		 3345 if (strcmp(name, XATTR_NAME_SELINUX)) {
3346 int rc = cap_inode_removexattr(dentry, name);
3347 if (rc)
3348 return rc;
3349
3350 /* Not an attribute we recognize, so just check the
3351 ordinary setattr permission. */
3352 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3353 }
1da177e4
LT		 3354
3355 /* No one is allowed to remove a SELinux security label.
3356 You can change the label, but all data must be labeled. */
3357 return -EACCES;
3358}
3359
d381d8a9 3360/*
abc69bb6 3361 * Copy the inode security context value to the user.
d381d8a9
JM		 3362 *
3363 * Permission check is handled by selinux_inode_getxattr hook.
3364 */
ea861dfd 3365static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3366{
42492594
DQ		 3367 u32 size;
3368 int error;
3369 char *context = NULL;
20cdef8d 3370 struct inode_security_struct *isec;
d381d8a9 3371
8c8570fb
DK		 3372 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3373 return -EOPNOTSUPP;
d381d8a9 3374
abc69bb6
SS		 3375 /*
3376 * If the caller has CAP_MAC_ADMIN, then get the raw context
3377 * value even if it is not defined by current policy; otherwise,
3378 * use the in-core value under current policy.
3379 * Use the non-auditing forms of the permission checks since
3380 * getxattr may be called by unprivileged processes commonly
3381 * and lack of permission just means that we fall back to the
3382 * in-core context value, not a denial.
3383 */
20cdef8d 3384 isec = inode_security(inode);
db59000a 3385 if (has_cap_mac_admin(false))
aa8e712c
SS		 3386 error = security_sid_to_context_force(&selinux_state,
3387 isec->sid, &context,
abc69bb6
SS		 3388 &size);
3389 else
aa8e712c
SS		 3390 error = security_sid_to_context(&selinux_state, isec->sid,
3391 &context, &size);
42492594
DQ		 3392 if (error)
3393 return error;
3394 error = size;
3395 if (alloc) {
3396 *buffer = context;
3397 goto out_nofree;
3398 }
3399 kfree(context);
3400out_nofree:
3401 return error;
1da177e4
LT		 3402}
3403
3404static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3405 const void *value, size_t size, int flags)
1da177e4 3406{
2c97165b 3407 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3408 u32 newsid;
3409 int rc;
3410
3411 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3412 return -EOPNOTSUPP;
3413
3414 if (!value || !size)
3415 return -EACCES;
3416
aa8e712c
SS		 3417 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3418 GFP_KERNEL);
1da177e4
LT		 3419 if (rc)
3420 return rc;
3421
9287aed2 3422 spin_lock(&isec->lock);
aa9c2669 3423 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3424 isec->sid = newsid;
6f3be9f5 3425 isec->initialized = LABEL_INITIALIZED;
9287aed2 3426 spin_unlock(&isec->lock);
1da177e4
LT		 3427 return 0;
3428}
3429
3430static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3431{
3432 const int len = sizeof(XATTR_NAME_SELINUX);
3433 if (buffer && len <= buffer_size)
3434 memcpy(buffer, XATTR_NAME_SELINUX, len);
3435 return len;
3436}
3437
d6335d77 3438static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3439{
e817c2f3 3440 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3441 *secid = isec->sid;
3442}
3443
56909eb3
VG		 3444static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3445{
3446 u32 sid;
3447 struct task_security_struct *tsec;
3448 struct cred *new_creds = *new;
3449
3450 if (new_creds == NULL) {
3451 new_creds = prepare_creds();
3452 if (!new_creds)
3453 return -ENOMEM;
3454 }
3455
3456 tsec = new_creds->security;
3457 /* Get label from overlay inode and set it in create_sid */
3458 selinux_inode_getsecid(d_inode(src), &sid);
3459 tsec->create_sid = sid;
3460 *new = new_creds;
3461 return 0;
3462}
3463
19472b69
VG		 3464static int selinux_inode_copy_up_xattr(const char *name)
3465{
3466 /* The copy_up hook above sets the initial context on an inode, but we
3467 * don't then want to overwrite it by blindly copying all the lower
3468 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3469 */
3470 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3471 return 1; /* Discard */
3472 /*
3473 * Any other attribute apart from SELINUX is not claimed, supported
3474 * by selinux.
3475 */
3476 return -EOPNOTSUPP;
3477}
3478
1da177e4
LT		 3479/* file security operations */
3480
788e7dd4 3481static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3482{
88e67f3b 3483 const struct cred *cred = current_cred();
496ad9aa 3484 struct inode *inode = file_inode(file);
1da177e4 3485
1da177e4
LT		 3486 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3487 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3488 mask |= MAY_APPEND;
3489
389fb800
PM		 3490 return file_has_perm(cred, file,
3491 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3492}
3493
788e7dd4
YN		 3494static int selinux_file_permission(struct file *file, int mask)
3495{
496ad9aa 3496 struct inode *inode = file_inode(file);
20dda18b 3497 struct file_security_struct *fsec = file->f_security;
b197367e 3498 struct inode_security_struct *isec;
20dda18b
SS		 3499 u32 sid = current_sid();
3500
389fb800 3501 if (!mask)
788e7dd4
YN		 3502 /* No permission to check. Existence test. */
3503 return 0;
788e7dd4 3504
b197367e 3505 isec = inode_security(inode);
20dda18b 3506 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3507 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3508 /* No change since file_open check. */
20dda18b
SS		 3509 return 0;
3510
788e7dd4
YN		 3511 return selinux_revalidate_file_permission(file, mask);
3512}
3513
1da177e4
LT		 3514static int selinux_file_alloc_security(struct file *file)
3515{
3516 return file_alloc_security(file);
3517}
3518
3519static void selinux_file_free_security(struct file *file)
3520{
3521 file_free_security(file);
3522}
3523
fa1aa143
JVS		 3524/*
3525 * Check whether a task has the ioctl permission and cmd
3526 * operation to an inode.
3527 */
1d2a168a 3528static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3529 u32 requested, u16 cmd)
3530{
3531 struct common_audit_data ad;
3532 struct file_security_struct *fsec = file->f_security;
3533 struct inode *inode = file_inode(file);
20cdef8d 3534 struct inode_security_struct *isec;
fa1aa143
JVS		 3535 struct lsm_ioctlop_audit ioctl;
3536 u32 ssid = cred_sid(cred);
3537 int rc;
3538 u8 driver = cmd >> 8;
3539 u8 xperm = cmd & 0xff;
3540
3541 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3542 ad.u.op = &ioctl;
3543 ad.u.op->cmd = cmd;
3544 ad.u.op->path = file->f_path;
3545
3546 if (ssid != fsec->sid) {
6b6bc620
SS		 3547 rc = avc_has_perm(&selinux_state,
3548 ssid, fsec->sid,
fa1aa143
JVS		 3549 SECCLASS_FD,
3550 FD__USE,
3551 &ad);
3552 if (rc)
3553 goto out;
3554 }
3555
3556 if (unlikely(IS_PRIVATE(inode)))
3557 return 0;
3558
20cdef8d 3559 isec = inode_security(inode);
6b6bc620
SS		 3560 rc = avc_has_extended_perms(&selinux_state,
3561 ssid, isec->sid, isec->sclass,
3562 requested, driver, xperm, &ad);
fa1aa143
JVS		 3563out:
3564 return rc;
3565}
3566
1da177e4
LT		 3567static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3568 unsigned long arg)
3569{
88e67f3b 3570 const struct cred *cred = current_cred();
0b24dcb7 3571 int error = 0;
1da177e4 3572
0b24dcb7
EP		 3573 switch (cmd) {
3574 case FIONREAD:
3575 /* fall through */
3576 case FIBMAP:
3577 /* fall through */
3578 case FIGETBSZ:
3579 /* fall through */
2f99c369 3580 case FS_IOC_GETFLAGS:
0b24dcb7 3581 /* fall through */
2f99c369 3582 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3583 error = file_has_perm(cred, file, FILE__GETATTR);
3584 break;
1da177e4 3585
2f99c369 3586 case FS_IOC_SETFLAGS:
0b24dcb7 3587 /* fall through */
2f99c369 3588 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3589 error = file_has_perm(cred, file, FILE__SETATTR);
3590 break;
3591
3592 /* sys_ioctl() checks */
3593 case FIONBIO:
3594 /* fall through */
3595 case FIOASYNC:
3596 error = file_has_perm(cred, file, 0);
3597 break;
1da177e4 3598
0b24dcb7
EP		 3599 case KDSKBENT:
3600 case KDSKBSENT:
6a9de491 3601 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3602 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3603 break;
3604
3605 /* default case assumes that the command will go
3606 * to the file's ioctl() function.
3607 */
3608 default:
fa1aa143 3609 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3610 }
3611 return error;
1da177e4
LT		 3612}
3613
fcaaade1
SS		 3614static int default_noexec;
3615
1da177e4
LT		 3616static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3617{
88e67f3b 3618 const struct cred *cred = current_cred();
be0554c9 3619 u32 sid = cred_sid(cred);
d84f4f99 3620 int rc = 0;
88e67f3b 3621
fcaaade1 3622 if (default_noexec &&
892e8cac
SS		 3623 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3624 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3625 /*
3626 * We are making executable an anonymous mapping or a
3627 * private file mapping that will also be writable.
3628 * This has an additional check.
3629 */
6b6bc620
SS		 3630 rc = avc_has_perm(&selinux_state,
3631 sid, sid, SECCLASS_PROCESS,
be0554c9 3632 PROCESS__EXECMEM, NULL);
1da177e4 3633 if (rc)
d84f4f99 3634 goto error;
1da177e4 3635 }
1da177e4
LT		 3636
3637 if (file) {
3638 /* read access is always possible with a mapping */
3639 u32 av = FILE__READ;
3640
3641 /* write access only matters if the mapping is shared */
3642 if (shared && (prot & PROT_WRITE))
3643 av |= FILE__WRITE;
3644
3645 if (prot & PROT_EXEC)
3646 av |= FILE__EXECUTE;
3647
88e67f3b 3648 return file_has_perm(cred, file, av);
1da177e4 3649 }
d84f4f99
DH		 3650
3651error:
3652 return rc;
1da177e4
LT		 3653}
3654
e5467859 3655static int selinux_mmap_addr(unsigned long addr)
1da177e4 3656{
b1d9e6b0 3657 int rc = 0;
1da177e4 3658
a2551df7 3659 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3660 u32 sid = current_sid();
6b6bc620
SS		 3661 rc = avc_has_perm(&selinux_state,
3662 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3663 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3664 }
3665
98883bfd 3666 return rc;
e5467859 3667}
1da177e4 3668
e5467859
AV		 3669static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3670 unsigned long prot, unsigned long flags)
3671{
3ba4bf5f
SS		 3672 struct common_audit_data ad;
3673 int rc;
3674
3675 if (file) {
3676 ad.type = LSM_AUDIT_DATA_FILE;
3677 ad.u.file = file;
3678 rc = inode_has_perm(current_cred(), file_inode(file),
3679 FILE__MAP, &ad);
3680 if (rc)
3681 return rc;
3682 }
3683
aa8e712c 3684 if (selinux_state.checkreqprot)
1da177e4
LT		 3685 prot = reqprot;
3686
3687 return file_map_prot_check(file, prot,
3688 (flags & MAP_TYPE) == MAP_SHARED);
3689}
3690
3691static int selinux_file_mprotect(struct vm_area_struct *vma,
3692 unsigned long reqprot,
3693 unsigned long prot)
3694{
88e67f3b 3695 const struct cred *cred = current_cred();
be0554c9 3696 u32 sid = cred_sid(cred);
1da177e4 3697
aa8e712c 3698 if (selinux_state.checkreqprot)
1da177e4
LT		 3699 prot = reqprot;
3700
fcaaade1
SS		 3701 if (default_noexec &&
3702 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3703 int rc = 0;
db4c9641
SS		 3704 if (vma->vm_start >= vma->vm_mm->start_brk &&
3705 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3706 rc = avc_has_perm(&selinux_state,
3707 sid, sid, SECCLASS_PROCESS,
be0554c9 3708 PROCESS__EXECHEAP, NULL);
db4c9641 3709 } else if (!vma->vm_file &&
c2316dbf
SS		 3710 ((vma->vm_start <= vma->vm_mm->start_stack &&
3711 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3712 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3713 rc = avc_has_perm(&selinux_state,
3714 sid, sid, SECCLASS_PROCESS,
be0554c9 3715 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3716 } else if (vma->vm_file && vma->anon_vma) {
3717 /*
3718 * We are making executable a file mapping that has
3719 * had some COW done. Since pages might have been
3720 * written, check ability to execute the possibly
3721 * modified content. This typically should only
3722 * occur for text relocations.
3723 */
d84f4f99 3724 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3725 }