]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'pwm/for-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry...
[mirror_ubuntu-hirsute-kernel.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4
LT		 2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7efbb60b 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
0d094efe 27#include <linux/tracehook.h>
1da177e4 28#include <linux/errno.h>
3f07c014 29#include <linux/sched/signal.h>
29930025 30#include <linux/sched/task.h>
3c4ed7bd 31#include <linux/lsm_hooks.h>
1da177e4
LT		 32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
0b24dcb7 39#include <linux/proc_fs.h>
1da177e4 40#include <linux/swap.h>
1da177e4
LT		 41#include <linux/spinlock.h>
42#include <linux/syscalls.h>
2a7dba39 43#include <linux/dcache.h>
1da177e4 44#include <linux/file.h>
9f3acc31 45#include <linux/fdtable.h>
1da177e4
LT		 46#include <linux/namei.h>
47#include <linux/mount.h>
442155c1
DH		 48#include <linux/fs_context.h>
49#include <linux/fs_parser.h>
1da177e4
LT		 50#include <linux/netfilter_ipv4.h>
51#include <linux/netfilter_ipv6.h>
52#include <linux/tty.h>
53#include <net/icmp.h>
227b60f5 54#include <net/ip.h> /* for local_port_range[] */
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 56#include <net/inet_connection_sock.h>
220deb96 57#include <net/net_namespace.h>
d621d35e 58#include <net/netlabel.h>
f5269710 59#include <linux/uaccess.h>
1da177e4 60#include <asm/ioctls.h>
60063497 61#include <linux/atomic.h>
1da177e4
LT		 62#include <linux/bitops.h>
63#include <linux/interrupt.h>
64#include <linux/netdevice.h> /* for network interface checks */
77954983 65#include <net/netlink.h>
1da177e4
LT		 66#include <linux/tcp.h>
67#include <linux/udp.h>
2ee92d46 68#include <linux/dccp.h>
d452930f
RH		 69#include <linux/sctp.h>
70#include <net/sctp/structs.h>
1da177e4
LT		 71#include <linux/quota.h>
72#include <linux/un.h> /* for Unix socket types */
73#include <net/af_unix.h> /* for Unix socket types */
74#include <linux/parser.h>
75#include <linux/nfs_mount.h>
76#include <net/ipv6.h>
77#include <linux/hugetlb.h>
78#include <linux/personality.h>
1da177e4 79#include <linux/audit.h>
6931dfc9 80#include <linux/string.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
ec27c356 88#include <linux/bpf.h>
ec882da5
OM		 89#include <linux/kernfs.h>
90#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 91#include <uapi/linux/mount.h>
ac5656d8
AG		 92#include <linux/fsnotify.h>
93#include <linux/fanotify.h>
1da177e4
LT		 94
95#include "avc.h"
96#include "objsec.h"
97#include "netif.h"
224dfbd8 98#include "netnode.h"
3e112172 99#include "netport.h"
409dcf31 100#include "ibpkey.h"
d28d1e08 101#include "xfrm.h"
c60475bf 102#include "netlabel.h"
9d57a7f9 103#include "audit.h"
7b98a585 104#include "avc_ss.h"
1da177e4 105
aa8e712c
SS		 106struct selinux_state selinux_state;
107
d621d35e 108/* SECMARK reference count */
56a4ca99 109static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 110
1da177e4 111#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
aa8e712c 112static int selinux_enforcing_boot;
1da177e4
LT		 113
114static int __init enforcing_setup(char *str)
115{
f5269710 116 unsigned long enforcing;
29707b20 117 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 118 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 119 return 1;
120}
121__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 122#else
123#define selinux_enforcing_boot 1
1da177e4
LT		 124#endif
125
be6ec88f 126int selinux_enabled __lsm_ro_after_init = 1;
1da177e4 127#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 128static int __init selinux_enabled_setup(char *str)
129{
f5269710 130 unsigned long enabled;
29707b20 131 if (!kstrtoul(str, 0, &enabled))
f5269710 132 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 133 return 1;
134}
135__setup("selinux=", selinux_enabled_setup);
136#endif
137
aa8e712c
SS		 138static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141static int __init checkreqprot_setup(char *str)
142{
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148}
149__setup("checkreqprot=", checkreqprot_setup);
150
d621d35e
PM		 151/**
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153 *
154 * Description:
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 160 *
161 */
162static int selinux_secmark_enabled(void)
163{
aa8e712c
SS		 164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 166}
167
168/**
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170 *
171 * Description:
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
176 *
177 */
178static int selinux_peerlbl_enabled(void)
179{
aa8e712c
SS		 180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 182}
183
615e51fd
PM		 184static int selinux_netcache_avc_callback(u32 event)
185{
186 if (event == AVC_CALLBACK_RESET) {
187 sel_netif_flush();
188 sel_netnode_flush();
189 sel_netport_flush();
190 synchronize_net();
191 }
192 return 0;
193}
194
8f408ab6
DJ		 195static int selinux_lsm_notifier_avc_callback(u32 event)
196{
409dcf31
DJ		 197 if (event == AVC_CALLBACK_RESET) {
198 sel_ib_pkey_flush();
42df744c 199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 200 }
8f408ab6
DJ		 201
202 return 0;
203}
204
d84f4f99
DH		 205/*
206 * initialise the security for the init task
207 */
208static void cred_init_security(void)
1da177e4 209{
3b11a1de 210 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 211 struct task_security_struct *tsec;
212
bbd3662a 213 tsec = selinux_cred(cred);
d84f4f99 214 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 215}
216
88e67f3b
DH		 217/*
218 * get the security ID of a set of credentials
219 */
220static inline u32 cred_sid(const struct cred *cred)
221{
222 const struct task_security_struct *tsec;
223
0c6cfa62 224 tsec = selinux_cred(cred);
88e67f3b
DH		 225 return tsec->sid;
226}
227
275bb41e 228/*
3b11a1de 229 * get the objective security ID of a task
275bb41e
DH		 230 */
231static inline u32 task_sid(const struct task_struct *task)
232{
275bb41e
DH		 233 u32 sid;
234
235 rcu_read_lock();
88e67f3b 236 sid = cred_sid(__task_cred(task));
275bb41e
DH		 237 rcu_read_unlock();
238 return sid;
239}
240
88e67f3b
DH		 241/* Allocate and free functions for each kind of security blob. */
242
1da177e4
LT		 243static int inode_alloc_security(struct inode *inode)
244{
afb1cbe3 245 struct inode_security_struct *isec = selinux_inode(inode);
275bb41e 246 u32 sid = current_sid();
1da177e4 247
9287aed2 248 spin_lock_init(&isec->lock);
1da177e4 249 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 250 isec->inode = inode;
251 isec->sid = SECINITSID_UNLABELED;
252 isec->sclass = SECCLASS_FILE;
275bb41e 253 isec->task_sid = sid;
42059112 254 isec->initialized = LABEL_INVALID;
1da177e4
LT		 255
256 return 0;
257}
258
5d226df4
AG		 259static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
260
261/*
262 * Try reloading inode security labels that have been marked as invalid. The
263 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 264 * allowed; when set to false, returns -ECHILD when the label is
e9193288 265 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 266 */
267static int __inode_security_revalidate(struct inode *inode,
e9193288 268 struct dentry *dentry,
5d226df4
AG		 269 bool may_sleep)
270{
80788c22 271 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 272
273 might_sleep_if(may_sleep);
274
aa8e712c
SS		 275 if (selinux_state.initialized &&
276 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 277 if (!may_sleep)
278 return -ECHILD;
279
280 /*
281 * Try reloading the inode security label. This will fail if
282 * @opt_dentry is NULL and no dentry for this inode can be
283 * found; in that case, continue using the old label.
284 */
e9193288 285 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 286 }
287 return 0;
288}
289
5d226df4
AG		 290static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
291{
80788c22 292 return selinux_inode(inode);
5d226df4
AG		 293}
294
295static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
296{
297 int error;
298
299 error = __inode_security_revalidate(inode, NULL, !rcu);
300 if (error)
301 return ERR_PTR(error);
80788c22 302 return selinux_inode(inode);
5d226df4
AG		 303}
304
83da53c5
AG		 305/*
306 * Get the security label of an inode.
307 */
308static struct inode_security_struct *inode_security(struct inode *inode)
309{
5d226df4 310 __inode_security_revalidate(inode, NULL, true);
80788c22 311 return selinux_inode(inode);
83da53c5
AG		 312}
313
2c97165b
PM		 314static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
315{
316 struct inode *inode = d_backing_inode(dentry);
317
80788c22 318 return selinux_inode(inode);
2c97165b
PM		 319}
320
83da53c5
AG		 321/*
322 * Get the security label of a dentry's backing inode.
323 */
324static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
325{
326 struct inode *inode = d_backing_inode(dentry);
327
5d226df4 328 __inode_security_revalidate(inode, dentry, true);
80788c22 329 return selinux_inode(inode);
83da53c5
AG		 330}
331
1da177e4
LT		 332static void inode_free_security(struct inode *inode)
333{
80788c22 334 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 335 struct superblock_security_struct *sbsec;
1da177e4 336
afb1cbe3
CS		 337 if (!isec)
338 return;
339 sbsec = inode->i_sb->s_security;
9629d04a
WL		 340 /*
341 * As not all inode security structures are in a list, we check for
342 * empty list outside of the lock to make sure that we won't waste
343 * time taking a lock doing nothing.
344 *
345 * The list_del_init() function can be safely called more than once.
346 * It should not be possible for this function to be called with
347 * concurrent list_add(), but for better safety against future changes
348 * in the code, we use list_empty_careful() here.
349 */
350 if (!list_empty_careful(&isec->list)) {
351 spin_lock(&sbsec->isec_lock);
1da177e4 352 list_del_init(&isec->list);
9629d04a
WL		 353 spin_unlock(&sbsec->isec_lock);
354 }
1da177e4
LT		 355}
356
357static int file_alloc_security(struct file *file)
358{
33bf60ca 359 struct file_security_struct *fsec = selinux_file(file);
275bb41e 360 u32 sid = current_sid();
1da177e4 361
275bb41e
DH		 362 fsec->sid = sid;
363 fsec->fown_sid = sid;
1da177e4
LT		 364
365 return 0;
366}
367
1da177e4
LT		 368static int superblock_alloc_security(struct super_block *sb)
369{
370 struct superblock_security_struct *sbsec;
371
89d155ef 372 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 373 if (!sbsec)
374 return -ENOMEM;
375
bc7e982b 376 mutex_init(&sbsec->lock);
1da177e4
LT		 377 INIT_LIST_HEAD(&sbsec->isec_head);
378 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 379 sbsec->sb = sb;
380 sbsec->sid = SECINITSID_UNLABELED;
381 sbsec->def_sid = SECINITSID_FILE;
c312feb2 382 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 383 sb->s_security = sbsec;
384
385 return 0;
386}
387
388static void superblock_free_security(struct super_block *sb)
389{
390 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 391 sb->s_security = NULL;
392 kfree(sbsec);
393}
394
bd323655
AV		 395struct selinux_mnt_opts {
396 const char *fscontext, *context, *rootcontext, *defcontext;
397};
398
204cc0cc
AV		 399static void selinux_free_mnt_opts(void *mnt_opts)
400{
bd323655
AV		 401 struct selinux_mnt_opts *opts = mnt_opts;
402 kfree(opts->fscontext);
403 kfree(opts->context);
404 kfree(opts->rootcontext);
405 kfree(opts->defcontext);
204cc0cc
AV		 406 kfree(opts);
407}
408
1da177e4
LT		 409static inline int inode_doinit(struct inode *inode)
410{
411 return inode_doinit_with_dentry(inode, NULL);
412}
413
414enum {
31e87930 415 Opt_error = -1,
442155c1
DH		 416 Opt_context = 0,
417 Opt_defcontext = 1,
1da177e4 418 Opt_fscontext = 2,
442155c1
DH		 419 Opt_rootcontext = 3,
420 Opt_seclabel = 4,
1da177e4
LT		 421};
422
da3d76ab 423#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 424static struct {
425 const char *name;
426 int len;
427 int opt;
428 bool has_arg;
429} tokens[] = {
da3d76ab
AV		 430 A(context, true),
431 A(fscontext, true),
432 A(defcontext, true),
433 A(rootcontext, true),
434 A(seclabel, false),
1da177e4 435};
169d68ef
AV		 436#undef A
437
438static int match_opt_prefix(char *s, int l, char **arg)
439{
440 int i;
441
442 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
443 size_t len = tokens[i].len;
444 if (len > l || memcmp(s, tokens[i].name, len))
445 continue;
446 if (tokens[i].has_arg) {
447 if (len == l || s[len] != '=')
448 continue;
449 *arg = s + len + 1;
450 } else if (len != l)
451 continue;
452 return tokens[i].opt;
453 }
454 return Opt_error;
455}
1da177e4
LT		 456
457#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
458
c312feb2
EP		 459static int may_context_mount_sb_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
275bb41e 461 const struct cred *cred)
c312feb2 462{
0c6cfa62 463 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 464 int rc;
465
6b6bc620
SS		 466 rc = avc_has_perm(&selinux_state,
467 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 468 FILESYSTEM__RELABELFROM, NULL);
469 if (rc)
470 return rc;
471
6b6bc620
SS		 472 rc = avc_has_perm(&selinux_state,
473 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 474 FILESYSTEM__RELABELTO, NULL);
475 return rc;
476}
477
0808925e
EP		 478static int may_context_mount_inode_relabel(u32 sid,
479 struct superblock_security_struct *sbsec,
275bb41e 480 const struct cred *cred)
0808925e 481{
0c6cfa62 482 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 483 int rc;
6b6bc620
SS		 484 rc = avc_has_perm(&selinux_state,
485 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 486 FILESYSTEM__RELABELFROM, NULL);
487 if (rc)
488 return rc;
489
6b6bc620
SS		 490 rc = avc_has_perm(&selinux_state,
491 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 492 FILESYSTEM__ASSOCIATE, NULL);
493 return rc;
494}
495
a83d6dda 496static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 497{
a83d6dda
OM		 498 /* Special handling. Genfs but also in-core setxattr handler */
499 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 500 !strcmp(sb->s_type->name, "pstore") ||
501 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 502 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 503 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 504 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 505 (!strcmp(sb->s_type->name, "cgroup") ||
506 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 507}
508
a83d6dda
OM		 509static int selinux_is_sblabel_mnt(struct super_block *sb)
510{
511 struct superblock_security_struct *sbsec = sb->s_security;
512
513 /*
514 * IMPORTANT: Double-check logic in this function when adding a new
515 * SECURITY_FS_USE_* definition!
516 */
517 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
518
519 switch (sbsec->behavior) {
520 case SECURITY_FS_USE_XATTR:
521 case SECURITY_FS_USE_TRANS:
522 case SECURITY_FS_USE_TASK:
523 case SECURITY_FS_USE_NATIVE:
524 return 1;
525
526 case SECURITY_FS_USE_GENFS:
527 return selinux_is_genfs_special_handling(sb);
528
529 /* Never allow relabeling on context mounts */
530 case SECURITY_FS_USE_MNTPOINT:
531 case SECURITY_FS_USE_NONE:
532 default:
533 return 0;
534 }
535}
536
c9180a57 537static int sb_finish_set_opts(struct super_block *sb)
1da177e4 538{
1da177e4 539 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 540 struct dentry *root = sb->s_root;
c6f493d6 541 struct inode *root_inode = d_backing_inode(root);
c9180a57 542 int rc = 0;
1da177e4 543
c9180a57
EP		 544 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
545 /* Make sure that the xattr handler exists and that no
546 error other than -ENODATA is returned by getxattr on
547 the root directory. -ENODATA is ok, as this may be
548 the first boot of the SELinux kernel before we have
549 assigned xattr values to the filesystem. */
5d6c3191 550 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 551 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 552 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 553 rc = -EOPNOTSUPP;
554 goto out;
555 }
5d6c3191
AG		 556
557 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 558 if (rc < 0 && rc != -ENODATA) {
559 if (rc == -EOPNOTSUPP)
c103a91e 560 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 561 "%s) has no security xattr handler\n",
562 sb->s_id, sb->s_type->name);
c9180a57 563 else
c103a91e 564 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 565 "%s) getxattr errno %d\n", sb->s_id,
566 sb->s_type->name, -rc);
c9180a57
EP		 567 goto out;
568 }
569 }
1da177e4 570
eadcabc6 571 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 572
573 /*
574 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
575 * leave the flag untouched because sb_clone_mnt_opts might be handing
576 * us a superblock that needs the flag to be cleared.
577 */
b43e725d 578 if (selinux_is_sblabel_mnt(sb))
12f348b9 579 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 580 else
581 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 582
c9180a57
EP		 583 /* Initialize the root inode. */
584 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 585
c9180a57
EP		 586 /* Initialize any other inodes associated with the superblock, e.g.
587 inodes created prior to initial policy load or inodes created
588 during get_sb by a pseudo filesystem that directly
589 populates itself. */
590 spin_lock(&sbsec->isec_lock);
8d64124a 591 while (!list_empty(&sbsec->isec_head)) {
c9180a57 592 struct inode_security_struct *isec =
8d64124a 593 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 594 struct inode_security_struct, list);
595 struct inode *inode = isec->inode;
923190d3 596 list_del_init(&isec->list);
c9180a57
EP		 597 spin_unlock(&sbsec->isec_lock);
598 inode = igrab(inode);
599 if (inode) {
600 if (!IS_PRIVATE(inode))
601 inode_doinit(inode);
602 iput(inode);
603 }
604 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 605 }
606 spin_unlock(&sbsec->isec_lock);
607out:
608 return rc;
609}
1da177e4 610
c9180a57
EP		 611static int bad_option(struct superblock_security_struct *sbsec, char flag,
612 u32 old_sid, u32 new_sid)
613{
0d90a7ec
DQ		 614 char mnt_flags = sbsec->flags & SE_MNTMASK;
615
c9180a57 616 /* check if the old mount command had the same options */
0d90a7ec 617 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 618 if (!(sbsec->flags & flag) ||
619 (old_sid != new_sid))
620 return 1;
621
622 /* check if we were passed the same options twice,
623 * aka someone passed context=a,context=b
624 */
0d90a7ec
DQ		 625 if (!(sbsec->flags & SE_SBINITIALIZED))
626 if (mnt_flags & flag)
c9180a57
EP		 627 return 1;
628 return 0;
629}
e0007529 630
bd323655
AV		 631static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
632{
633 int rc = security_context_str_to_sid(&selinux_state, s,
634 sid, GFP_KERNEL);
635 if (rc)
636 pr_warn("SELinux: security_context_str_to_sid"
637 "(%s) failed for (dev %s, type %s) errno=%d\n",
638 s, sb->s_id, sb->s_type->name, rc);
639 return rc;
640}
641
c9180a57
EP		 642/*
643 * Allow filesystems with binary mount data to explicitly set mount point
644 * labeling information.
645 */
e0007529 646static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 647 void *mnt_opts,
649f6e77
DQ		 648 unsigned long kern_flags,
649 unsigned long *set_kern_flags)
c9180a57 650{
275bb41e 651 const struct cred *cred = current_cred();
c9180a57 652 struct superblock_security_struct *sbsec = sb->s_security;
83da53c5 653 struct dentry *root = sbsec->sb->s_root;
bd323655 654 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 655 struct inode_security_struct *root_isec;
c9180a57
EP		 656 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
657 u32 defcontext_sid = 0;
bd323655 658 int rc = 0;
c9180a57
EP		 659
660 mutex_lock(&sbsec->lock);
661
aa8e712c 662 if (!selinux_state.initialized) {
bd323655 663 if (!opts) {
c9180a57
EP		 664 /* Defer initialization until selinux_complete_init,
665 after the initial policy is loaded and the security
666 server is ready to handle calls. */
c9180a57
EP		 667 goto out;
668 }
669 rc = -EINVAL;
c103a91e 670 pr_warn("SELinux: Unable to set superblock options "
744ba35e 671 "before the security server is initialized\n");
1da177e4 672 goto out;
c9180a57 673 }
649f6e77
DQ		 674 if (kern_flags && !set_kern_flags) {
675 /* Specifying internal flags without providing a place to
676 * place the results is not allowed */
677 rc = -EINVAL;
678 goto out;
679 }
1da177e4 680
e0007529
EP		 681 /*
682 * Binary mount data FS will come through this function twice. Once
683 * from an explicit call and once from the generic calls from the vfs.
684 * Since the generic VFS calls will not contain any security mount data
685 * we need to skip the double mount verification.
686 *
687 * This does open a hole in which we will not notice if the first
688 * mount using this sb set explict options and a second mount using
689 * this sb does not set any security options. (The first options
690 * will be used for both mounts)
691 */
0d90a7ec 692 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 693 && !opts)
f5269710 694 goto out;
e0007529 695
2c97165b
PM		 696 root_isec = backing_inode_security_novalidate(root);
697
c9180a57
EP		 698 /*
699 * parse the mount options, check if they are valid sids.
700 * also check if someone is trying to mount the same sb more
701 * than once with different security options.
702 */
bd323655
AV		 703 if (opts) {
704 if (opts->fscontext) {
705 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
706 if (rc)
707 goto out;
c9180a57
EP		 708 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
709 fscontext_sid))
710 goto out_double_mount;
c9180a57 711 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 712 }
713 if (opts->context) {
714 rc = parse_sid(sb, opts->context, &context_sid);
715 if (rc)
716 goto out;
c9180a57
EP		 717 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
718 context_sid))
719 goto out_double_mount;
c9180a57 720 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 721 }
722 if (opts->rootcontext) {
723 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
724 if (rc)
725 goto out;
c9180a57
EP		 726 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
727 rootcontext_sid))
728 goto out_double_mount;
c9180a57 729 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 730 }
731 if (opts->defcontext) {
732 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
733 if (rc)
734 goto out;
c9180a57
EP		 735 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
736 defcontext_sid))
737 goto out_double_mount;
c9180a57 738 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 739 }
c9180a57
EP		 740 }
741
0d90a7ec 742 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 743 /* previously mounted with options, but not on this attempt? */
bd323655 744 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 745 goto out_double_mount;
746 rc = 0;
747 goto out;
748 }
749
089be43e 750 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 751 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
752
8e014720 753 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 754 !strcmp(sb->s_type->name, "tracefs") ||
b754026b
OM		 755 !strcmp(sb->s_type->name, "pstore"))
756 sbsec->flags |= SE_SBGENFS;
757
758 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 759 !strcmp(sb->s_type->name, "cgroup") ||
760 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 761 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 762
eb9ae686
DQ		 763 if (!sbsec->behavior) {
764 /*
765 * Determine the labeling behavior to use for this
766 * filesystem type.
767 */
aa8e712c 768 rc = security_fs_use(&selinux_state, sb);
eb9ae686 769 if (rc) {
c103a91e 770 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 771 __func__, sb->s_type->name, rc);
772 goto out;
773 }
c9180a57 774 }
aad82892
SF		 775
776 /*
01593d32
SS		 777 * If this is a user namespace mount and the filesystem type is not
778 * explicitly whitelisted, then no contexts are allowed on the command
779 * line and security labels must be ignored.
aad82892 780 */
01593d32
SS		 781 if (sb->s_user_ns != &init_user_ns &&
782 strcmp(sb->s_type->name, "tmpfs") &&
783 strcmp(sb->s_type->name, "ramfs") &&
784 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 785 if (context_sid || fscontext_sid || rootcontext_sid ||
786 defcontext_sid) {
787 rc = -EACCES;
788 goto out;
789 }
790 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 792 rc = security_transition_sid(&selinux_state,
793 current_sid(),
794 current_sid(),
aad82892
SF		 795 SECCLASS_FILE, NULL,
796 &sbsec->mntpoint_sid);
797 if (rc)
798 goto out;
799 }
800 goto out_set_opts;
801 }
802
c9180a57
EP		 803 /* sets the context of the superblock for the fs being mounted. */
804 if (fscontext_sid) {
275bb41e 805 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 806 if (rc)
c9180a57 807 goto out;
1da177e4 808
c9180a57 809 sbsec->sid = fscontext_sid;
c312feb2
EP		 810 }
811
812 /*
813 * Switch to using mount point labeling behavior.
814 * sets the label used on all file below the mountpoint, and will set
815 * the superblock context if not already set.
816 */
eb9ae686
DQ		 817 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
818 sbsec->behavior = SECURITY_FS_USE_NATIVE;
819 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
820 }
821
c9180a57
EP		 822 if (context_sid) {
823 if (!fscontext_sid) {
275bb41e
DH		 824 rc = may_context_mount_sb_relabel(context_sid, sbsec,
825 cred);
b04ea3ce 826 if (rc)
c9180a57
EP		 827 goto out;
828 sbsec->sid = context_sid;
b04ea3ce 829 } else {
275bb41e
DH		 830 rc = may_context_mount_inode_relabel(context_sid, sbsec,
831 cred);
b04ea3ce 832 if (rc)
c9180a57 833 goto out;
b04ea3ce 834 }
c9180a57
EP		 835 if (!rootcontext_sid)
836 rootcontext_sid = context_sid;
1da177e4 837
c9180a57 838 sbsec->mntpoint_sid = context_sid;
c312feb2 839 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 840 }
841
c9180a57 842 if (rootcontext_sid) {
275bb41e
DH		 843 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
844 cred);
0808925e 845 if (rc)
c9180a57 846 goto out;
0808925e 847
c9180a57 848 root_isec->sid = rootcontext_sid;
6f3be9f5 849 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 850 }
851
c9180a57 852 if (defcontext_sid) {
eb9ae686
DQ		 853 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
854 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 855 rc = -EINVAL;
c103a91e 856 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 857 "invalid for this filesystem type\n");
858 goto out;
1da177e4
LT		 859 }
860
c9180a57
EP		 861 if (defcontext_sid != sbsec->def_sid) {
862 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 863 sbsec, cred);
c9180a57
EP		 864 if (rc)
865 goto out;
866 }
1da177e4 867
c9180a57 868 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 869 }
870
aad82892 871out_set_opts:
c9180a57 872 rc = sb_finish_set_opts(sb);
1da177e4 873out:
c9180a57 874 mutex_unlock(&sbsec->lock);
1da177e4 875 return rc;
c9180a57
EP		 876out_double_mount:
877 rc = -EINVAL;
c103a91e 878 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 879 "security settings for (dev %s, type %s)\n", sb->s_id,
880 sb->s_type->name);
c9180a57 881 goto out;
1da177e4
LT		 882}
883
094f7b69
JL		 884static int selinux_cmp_sb_context(const struct super_block *oldsb,
885 const struct super_block *newsb)
886{
887 struct superblock_security_struct *old = oldsb->s_security;
888 struct superblock_security_struct *new = newsb->s_security;
889 char oldflags = old->flags & SE_MNTMASK;
890 char newflags = new->flags & SE_MNTMASK;
891
892 if (oldflags != newflags)
893 goto mismatch;
894 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
895 goto mismatch;
896 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
897 goto mismatch;
898 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
899 goto mismatch;
900 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 901 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
902 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 903 if (oldroot->sid != newroot->sid)
904 goto mismatch;
905 }
906 return 0;
907mismatch:
c103a91e 908 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 909 "different security settings for (dev %s, "
910 "type %s)\n", newsb->s_id, newsb->s_type->name);
911 return -EBUSY;
912}
913
914static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 915 struct super_block *newsb,
916 unsigned long kern_flags,
917 unsigned long *set_kern_flags)
1da177e4 918{
0b4d3452 919 int rc = 0;
c9180a57
EP		 920 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
921 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 922
c9180a57
EP		 923 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
924 int set_context = (oldsbsec->flags & CONTEXT_MNT);
925 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 926
0f5e6420
EP		 927 /*
928 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 929 * mount options. thus we can safely deal with this superblock later
0f5e6420 930 */
aa8e712c 931 if (!selinux_state.initialized)
094f7b69 932 return 0;
c9180a57 933
0b4d3452
SM		 934 /*
935 * Specifying internal flags without providing a place to
936 * place the results is not allowed.
937 */
938 if (kern_flags && !set_kern_flags)
939 return -EINVAL;
940
c9180a57 941 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 942 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 943
094f7b69 944 /* if fs is reusing a sb, make sure that the contexts match */
3815a245
BF		 945 if (newsbsec->flags & SE_SBINITIALIZED) {
946 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 948 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 949 }
5a552617 950
c9180a57
EP		 951 mutex_lock(&newsbsec->lock);
952
953 newsbsec->flags = oldsbsec->flags;
954
955 newsbsec->sid = oldsbsec->sid;
956 newsbsec->def_sid = oldsbsec->def_sid;
957 newsbsec->behavior = oldsbsec->behavior;
958
0b4d3452
SM		 959 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
960 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 961 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 962 if (rc)
963 goto out;
964 }
965
966 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
967 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
968 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
969 }
970
c9180a57
EP		 971 if (set_context) {
972 u32 sid = oldsbsec->mntpoint_sid;
973
974 if (!set_fscontext)
975 newsbsec->sid = sid;
976 if (!set_rootcontext) {
83da53c5 977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 978 newisec->sid = sid;
979 }
980 newsbsec->mntpoint_sid = sid;
1da177e4 981 }
c9180a57 982 if (set_rootcontext) {
83da53c5
AG		 983 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
984 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 985
c9180a57 986 newisec->sid = oldisec->sid;
1da177e4
LT		 987 }
988
c9180a57 989 sb_finish_set_opts(newsb);
0b4d3452 990out:
c9180a57 991 mutex_unlock(&newsbsec->lock);
0b4d3452 992 return rc;
c9180a57
EP		 993}
994
ba641862 995static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 996{
ba641862 997 struct selinux_mnt_opts *opts = *mnt_opts;
1da177e4 998
da3d76ab 999 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef 1000 return 0;
e0007529 1001
ba641862
AV		 1002 if (!opts) {
1003 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1004 if (!opts)
1005 return -ENOMEM;
1006 *mnt_opts = opts;
c9180a57 1007 }
ba641862
AV		 1008 if (!s)
1009 return -ENOMEM;
1010 switch (token) {
1011 case Opt_context:
1012 if (opts->context || opts->defcontext)
1013 goto Einval;
1014 opts->context = s;
1015 break;
1016 case Opt_fscontext:
1017 if (opts->fscontext)
1018 goto Einval;
1019 opts->fscontext = s;
1020 break;
1021 case Opt_rootcontext:
1022 if (opts->rootcontext)
1023 goto Einval;
1024 opts->rootcontext = s;
1025 break;
1026 case Opt_defcontext:
1027 if (opts->context || opts->defcontext)
1028 goto Einval;
1029 opts->defcontext = s;
1030 break;
c9180a57 1031 }
e0007529 1032 return 0;
ba641862
AV		 1033Einval:
1034 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 1035 return -EINVAL;
1da177e4 1036}
e0007529 1037
757cbe59
AV		 1038static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1039 void **mnt_opts)
c9180a57 1040{
757cbe59
AV		 1041 int token = Opt_error;
1042 int rc, i;
e0007529 1043
757cbe59
AV		 1044 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1045 if (strcmp(option, tokens[i].name) == 0) {
1046 token = tokens[i].opt;
1047 break;
169d68ef 1048 }
757cbe59 1049 }
e0007529 1050
757cbe59
AV		 1051 if (token == Opt_error)
1052 return -EINVAL;
e0007529 1053
e2e0e097 1054 if (token != Opt_seclabel) {
757cbe59 1055 val = kmemdup_nul(val, len, GFP_KERNEL);
e2e0e097
GZ		 1056 if (!val) {
1057 rc = -ENOMEM;
1058 goto free_opt;
1059 }
1060 }
757cbe59
AV		 1061 rc = selinux_add_opt(token, val, mnt_opts);
1062 if (unlikely(rc)) {
1063 kfree(val);
e2e0e097
GZ		 1064 goto free_opt;
1065 }
1066 return rc;
1067
1068free_opt:
1069 if (*mnt_opts) {
1070 selinux_free_mnt_opts(*mnt_opts);
1071 *mnt_opts = NULL;
1da177e4 1072 }
e0007529
EP		 1073 return rc;
1074}
1da177e4 1075
e3489f89 1076static int show_sid(struct seq_file *m, u32 sid)
2069f457 1077{
e3489f89
AV		 1078 char *context = NULL;
1079 u32 len;
1080 int rc;
11689d47 1081
e3489f89
AV		 1082 rc = security_sid_to_context(&selinux_state, sid,
1083 &context, &len);
1084 if (!rc) {
1085 bool has_comma = context && strchr(context, ',');
2069f457 1086
442155c1 1087 seq_putc(m, '=');
2069f457
EP		 1088 if (has_comma)
1089 seq_putc(m, '\"');
e3489f89 1090 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1091 if (has_comma)
1092 seq_putc(m, '\"');
1093 }
e3489f89
AV		 1094 kfree(context);
1095 return rc;
2069f457
EP		 1096}
1097
1098static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1099{
e3489f89 1100 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1101 int rc;
1102
e3489f89
AV		 1103 if (!(sbsec->flags & SE_SBINITIALIZED))
1104 return 0;
2069f457 1105
e3489f89
AV		 1106 if (!selinux_state.initialized)
1107 return 0;
2069f457 1108
e3489f89
AV		 1109 if (sbsec->flags & FSCONTEXT_MNT) {
1110 seq_putc(m, ',');
1111 seq_puts(m, FSCONTEXT_STR);
1112 rc = show_sid(m, sbsec->sid);
1113 if (rc)
1114 return rc;
1115 }
1116 if (sbsec->flags & CONTEXT_MNT) {
1117 seq_putc(m, ',');
1118 seq_puts(m, CONTEXT_STR);
1119 rc = show_sid(m, sbsec->mntpoint_sid);
1120 if (rc)
1121 return rc;
1122 }
1123 if (sbsec->flags & DEFCONTEXT_MNT) {
1124 seq_putc(m, ',');
1125 seq_puts(m, DEFCONTEXT_STR);
1126 rc = show_sid(m, sbsec->def_sid);
1127 if (rc)
1128 return rc;
1129 }
1130 if (sbsec->flags & ROOTCONTEXT_MNT) {
1131 struct dentry *root = sbsec->sb->s_root;
1132 struct inode_security_struct *isec = backing_inode_security(root);
1133 seq_putc(m, ',');
1134 seq_puts(m, ROOTCONTEXT_STR);
1135 rc = show_sid(m, isec->sid);
1136 if (rc)
1137 return rc;
1138 }
1139 if (sbsec->flags & SBLABEL_MNT) {
1140 seq_putc(m, ',');
442155c1 1141 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1142 }
1143 return 0;
2069f457
EP		 1144}
1145
1da177e4
LT		 1146static inline u16 inode_mode_to_security_class(umode_t mode)
1147{
1148 switch (mode & S_IFMT) {
1149 case S_IFSOCK:
1150 return SECCLASS_SOCK_FILE;
1151 case S_IFLNK:
1152 return SECCLASS_LNK_FILE;
1153 case S_IFREG:
1154 return SECCLASS_FILE;
1155 case S_IFBLK:
1156 return SECCLASS_BLK_FILE;
1157 case S_IFDIR:
1158 return SECCLASS_DIR;
1159 case S_IFCHR:
1160 return SECCLASS_CHR_FILE;
1161 case S_IFIFO:
1162 return SECCLASS_FIFO_FILE;
1163
1164 }
1165
1166 return SECCLASS_FILE;
1167}
1168
13402580
JM		 1169static inline int default_protocol_stream(int protocol)
1170{
1171 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1172}
1173
1174static inline int default_protocol_dgram(int protocol)
1175{
1176 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1177}
1178
1da177e4
LT		 1179static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1180{
aa8e712c 1181 int extsockclass = selinux_policycap_extsockclass();
da69a530 1182
1da177e4
LT		 1183 switch (family) {
1184 case PF_UNIX:
1185 switch (type) {
1186 case SOCK_STREAM:
1187 case SOCK_SEQPACKET:
1188 return SECCLASS_UNIX_STREAM_SOCKET;
1189 case SOCK_DGRAM:
2a764b52 1190 case SOCK_RAW:
1da177e4
LT		 1191 return SECCLASS_UNIX_DGRAM_SOCKET;
1192 }
1193 break;
1194 case PF_INET:
1195 case PF_INET6:
1196 switch (type) {
1197 case SOCK_STREAM:
da69a530 1198 case SOCK_SEQPACKET:
13402580
JM		 1199 if (default_protocol_stream(protocol))
1200 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1201 else if (extsockclass && protocol == IPPROTO_SCTP)
1202 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1203 else
1204 return SECCLASS_RAWIP_SOCKET;
1da177e4 1205 case SOCK_DGRAM:
13402580
JM		 1206 if (default_protocol_dgram(protocol))
1207 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1208 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1209 protocol == IPPROTO_ICMPV6))
da69a530 1210 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1211 else
1212 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1213 case SOCK_DCCP:
1214 return SECCLASS_DCCP_SOCKET;
13402580 1215 default:
1da177e4
LT		 1216 return SECCLASS_RAWIP_SOCKET;
1217 }
1218 break;
1219 case PF_NETLINK:
1220 switch (protocol) {
1221 case NETLINK_ROUTE:
1222 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1223 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1224 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1225 case NETLINK_NFLOG:
1226 return SECCLASS_NETLINK_NFLOG_SOCKET;
1227 case NETLINK_XFRM:
1228 return SECCLASS_NETLINK_XFRM_SOCKET;
1229 case NETLINK_SELINUX:
1230 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1231 case NETLINK_ISCSI:
1232 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1233 case NETLINK_AUDIT:
1234 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1235 case NETLINK_FIB_LOOKUP:
1236 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1237 case NETLINK_CONNECTOR:
1238 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1239 case NETLINK_NETFILTER:
1240 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1241 case NETLINK_DNRTMSG:
1242 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1243 case NETLINK_KOBJECT_UEVENT:
1244 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1245 case NETLINK_GENERIC:
1246 return SECCLASS_NETLINK_GENERIC_SOCKET;
1247 case NETLINK_SCSITRANSPORT:
1248 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1249 case NETLINK_RDMA:
1250 return SECCLASS_NETLINK_RDMA_SOCKET;
1251 case NETLINK_CRYPTO:
1252 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1253 default:
1254 return SECCLASS_NETLINK_SOCKET;
1255 }
1256 case PF_PACKET:
1257 return SECCLASS_PACKET_SOCKET;
1258 case PF_KEY:
1259 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1260 case PF_APPLETALK:
1261 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1262 }
1263
da69a530
SS		 1264 if (extsockclass) {
1265 switch (family) {
1266 case PF_AX25:
1267 return SECCLASS_AX25_SOCKET;
1268 case PF_IPX:
1269 return SECCLASS_IPX_SOCKET;
1270 case PF_NETROM:
1271 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1272 case PF_ATMPVC:
1273 return SECCLASS_ATMPVC_SOCKET;
1274 case PF_X25:
1275 return SECCLASS_X25_SOCKET;
1276 case PF_ROSE:
1277 return SECCLASS_ROSE_SOCKET;
1278 case PF_DECnet:
1279 return SECCLASS_DECNET_SOCKET;
1280 case PF_ATMSVC:
1281 return SECCLASS_ATMSVC_SOCKET;
1282 case PF_RDS:
1283 return SECCLASS_RDS_SOCKET;
1284 case PF_IRDA:
1285 return SECCLASS_IRDA_SOCKET;
1286 case PF_PPPOX:
1287 return SECCLASS_PPPOX_SOCKET;
1288 case PF_LLC:
1289 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1290 case PF_CAN:
1291 return SECCLASS_CAN_SOCKET;
1292 case PF_TIPC:
1293 return SECCLASS_TIPC_SOCKET;
1294 case PF_BLUETOOTH:
1295 return SECCLASS_BLUETOOTH_SOCKET;
1296 case PF_IUCV:
1297 return SECCLASS_IUCV_SOCKET;
1298 case PF_RXRPC:
1299 return SECCLASS_RXRPC_SOCKET;
1300 case PF_ISDN:
1301 return SECCLASS_ISDN_SOCKET;
1302 case PF_PHONET:
1303 return SECCLASS_PHONET_SOCKET;
1304 case PF_IEEE802154:
1305 return SECCLASS_IEEE802154_SOCKET;
1306 case PF_CAIF:
1307 return SECCLASS_CAIF_SOCKET;
1308 case PF_ALG:
1309 return SECCLASS_ALG_SOCKET;
1310 case PF_NFC:
1311 return SECCLASS_NFC_SOCKET;
1312 case PF_VSOCK:
1313 return SECCLASS_VSOCK_SOCKET;
1314 case PF_KCM:
1315 return SECCLASS_KCM_SOCKET;
1316 case PF_QIPCRTR:
1317 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1318 case PF_SMC:
1319 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1320 case PF_XDP:
1321 return SECCLASS_XDP_SOCKET;
1322#if PF_MAX > 45
da69a530
SS		 1323#error New address family defined, please update this function.
1324#endif
1325 }
1326 }
1327
1da177e4
LT		 1328 return SECCLASS_SOCKET;
1329}
1330
134509d5
SS		 1331static int selinux_genfs_get_sid(struct dentry *dentry,
1332 u16 tclass,
1333 u16 flags,
1334 u32 *sid)
1da177e4 1335{
8e6c9693 1336 int rc;
fc64005c 1337 struct super_block *sb = dentry->d_sb;
8e6c9693 1338 char *buffer, *path;
1da177e4 1339
828dfe1d 1340 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1341 if (!buffer)
1342 return -ENOMEM;
1343
8e6c9693
LAG		 1344 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1345 if (IS_ERR(path))
1346 rc = PTR_ERR(path);
1347 else {
134509d5
SS		 1348 if (flags & SE_SBPROC) {
1349 /* each process gets a /proc/PID/ entry. Strip off the
1350 * PID part to get a valid selinux labeling.
1351 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1352 while (path[1] >= '0' && path[1] <= '9') {
1353 path[1] = '/';
1354 path++;
1355 }
8e6c9693 1356 }
aa8e712c
SS		 1357 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1358 path, tclass, sid);
7bb185ed
SS		 1359 if (rc == -ENOENT) {
1360 /* No match in policy, mark as unlabeled. */
1361 *sid = SECINITSID_UNLABELED;
1362 rc = 0;
1363 }
1da177e4 1364 }
1da177e4
LT		 1365 free_page((unsigned long)buffer);
1366 return rc;
1367}
1da177e4 1368
b754026b
OM		 1369static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1370 u32 def_sid, u32 *sid)
1371{
1372#define INITCONTEXTLEN 255
1373 char *context;
1374 unsigned int len;
1375 int rc;
1376
1377 len = INITCONTEXTLEN;
1378 context = kmalloc(len + 1, GFP_NOFS);
1379 if (!context)
1380 return -ENOMEM;
1381
1382 context[len] = '\0';
1383 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1384 if (rc == -ERANGE) {
1385 kfree(context);
1386
1387 /* Need a larger buffer. Query for the right size. */
1388 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1389 if (rc < 0)
1390 return rc;
1391
1392 len = rc;
1393 context = kmalloc(len + 1, GFP_NOFS);
1394 if (!context)
1395 return -ENOMEM;
1396
1397 context[len] = '\0';
1398 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1399 context, len);
1400 }
1401 if (rc < 0) {
1402 kfree(context);
1403 if (rc != -ENODATA) {
1404 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1405 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1406 return rc;
1407 }
1408 *sid = def_sid;
1409 return 0;
1410 }
1411
1412 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1413 def_sid, GFP_NOFS);
1414 if (rc) {
1415 char *dev = inode->i_sb->s_id;
1416 unsigned long ino = inode->i_ino;
1417
1418 if (rc == -EINVAL) {
1419 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1420 ino, dev, context);
1421 } else {
1422 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1423 __func__, context, -rc, dev, ino);
1424 }
1425 }
1426 kfree(context);
1427 return 0;
1428}
1429
1da177e4
LT		 1430/* The inode's security attributes must be initialized before first use. */
1431static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1432{
1433 struct superblock_security_struct *sbsec = NULL;
80788c22 1434 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1435 u32 task_sid, sid = 0;
1436 u16 sclass;
1da177e4 1437 struct dentry *dentry;
1da177e4 1438 int rc = 0;
1da177e4 1439
6f3be9f5 1440 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1441 return 0;
1da177e4 1442
9287aed2 1443 spin_lock(&isec->lock);
6f3be9f5 1444 if (isec->initialized == LABEL_INITIALIZED)
23970741 1445 goto out_unlock;
1da177e4 1446
13457d07
AG		 1447 if (isec->sclass == SECCLASS_FILE)
1448 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1449
1da177e4 1450 sbsec = inode->i_sb->s_security;
0d90a7ec 1451 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1452 /* Defer initialization until selinux_complete_init,
1453 after the initial policy is loaded and the security
1454 server is ready to handle calls. */
1455 spin_lock(&sbsec->isec_lock);
1456 if (list_empty(&isec->list))
1457 list_add(&isec->list, &sbsec->isec_head);
1458 spin_unlock(&sbsec->isec_lock);
23970741 1459 goto out_unlock;
1da177e4
LT		 1460 }
1461
9287aed2
AG		 1462 sclass = isec->sclass;
1463 task_sid = isec->task_sid;
1464 sid = isec->sid;
1465 isec->initialized = LABEL_PENDING;
1466 spin_unlock(&isec->lock);
1467
1da177e4 1468 switch (sbsec->behavior) {
eb9ae686
DQ		 1469 case SECURITY_FS_USE_NATIVE:
1470 break;
1da177e4 1471 case SECURITY_FS_USE_XATTR:
5d6c3191 1472 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1473 sid = sbsec->def_sid;
1da177e4
LT		 1474 break;
1475 }
1da177e4
LT		 1476 /* Need a dentry, since the xattr API requires one.
1477 Life would be simpler if we could just pass the inode. */
1478 if (opt_dentry) {
1479 /* Called from d_instantiate or d_splice_alias. */
1480 dentry = dget(opt_dentry);
1481 } else {
b127125d
AV		 1482 /*
1483 * Called from selinux_complete_init, try to find a dentry.
1484 * Some filesystems really want a connected one, so try
1485 * that first. We could split SECURITY_FS_USE_XATTR in
1486 * two, depending upon that...
1487 */
1da177e4 1488 dentry = d_find_alias(inode);
b127125d
AV		 1489 if (!dentry)
1490 dentry = d_find_any_alias(inode);
1da177e4
LT		 1491 }
1492 if (!dentry) {
df7f54c0
EP		 1493 /*
1494 * this is can be hit on boot when a file is accessed
1495 * before the policy is loaded. When we load policy we
1496 * may find inodes that have no dentry on the
1497 * sbsec->isec_head list. No reason to complain as these
1498 * will get fixed up the next time we go through
1499 * inode_doinit with a dentry, before these inodes could
1500 * be used again by userspace.
1501 */
9287aed2 1502 goto out;
1da177e4
LT		 1503 }
1504
b754026b
OM		 1505 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1506 &sid);
1da177e4 1507 dput(dentry);
b754026b
OM		 1508 if (rc)
1509 goto out;
1da177e4
LT		 1510 break;
1511 case SECURITY_FS_USE_TASK:
9287aed2 1512 sid = task_sid;
1da177e4
LT		 1513 break;
1514 case SECURITY_FS_USE_TRANS:
1515 /* Default to the fs SID. */
9287aed2 1516 sid = sbsec->sid;
1da177e4
LT		 1517
1518 /* Try to obtain a transition SID. */
aa8e712c
SS		 1519 rc = security_transition_sid(&selinux_state, task_sid, sid,
1520 sclass, NULL, &sid);
1da177e4 1521 if (rc)
9287aed2 1522 goto out;
1da177e4 1523 break;
c312feb2 1524 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1525 sid = sbsec->mntpoint_sid;
c312feb2 1526 break;
1da177e4 1527 default:
c312feb2 1528 /* Default to the fs superblock SID. */
9287aed2 1529 sid = sbsec->sid;
1da177e4 1530
134509d5 1531 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1532 /* We must have a dentry to determine the label on
1533 * procfs inodes */
b127125d 1534 if (opt_dentry) {
f64410ec
PM		 1535 /* Called from d_instantiate or
1536 * d_splice_alias. */
1537 dentry = dget(opt_dentry);
b127125d 1538 } else {
f64410ec 1539 /* Called from selinux_complete_init, try to
b127125d
AV		 1540 * find a dentry. Some filesystems really want
1541 * a connected one, so try that first.
1542 */
f64410ec 1543 dentry = d_find_alias(inode);
b127125d
AV		 1544 if (!dentry)
1545 dentry = d_find_any_alias(inode);
1546 }
f64410ec
PM		 1547 /*
1548 * This can be hit on boot when a file is accessed
1549 * before the policy is loaded. When we load policy we
1550 * may find inodes that have no dentry on the
1551 * sbsec->isec_head list. No reason to complain as
1552 * these will get fixed up the next time we go through
1553 * inode_doinit() with a dentry, before these inodes
1554 * could be used again by userspace.
1555 */
1556 if (!dentry)
9287aed2
AG		 1557 goto out;
1558 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1559 sbsec->flags, &sid);
b754026b
OM		 1560 if (rc) {
1561 dput(dentry);
9287aed2 1562 goto out;
b754026b
OM		 1563 }
1564
1565 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1566 (inode->i_opflags & IOP_XATTR)) {
1567 rc = inode_doinit_use_xattr(inode, dentry,
1568 sid, &sid);
1569 if (rc) {
1570 dput(dentry);
1571 goto out;
1572 }
1573 }
1574 dput(dentry);
1da177e4
LT		 1575 }
1576 break;
1577 }
1578
9287aed2
AG		 1579out:
1580 spin_lock(&isec->lock);
1581 if (isec->initialized == LABEL_PENDING) {
1582 if (!sid || rc) {
1583 isec->initialized = LABEL_INVALID;
1584 goto out_unlock;
1585 }
1586
1587 isec->initialized = LABEL_INITIALIZED;
1588 isec->sid = sid;
1589 }
1da177e4 1590
23970741 1591out_unlock:
9287aed2 1592 spin_unlock(&isec->lock);
1da177e4
LT		 1593 return rc;
1594}
1595
1596/* Convert a Linux signal to an access vector. */
1597static inline u32 signal_to_av(int sig)
1598{
1599 u32 perm = 0;
1600
1601 switch (sig) {
1602 case SIGCHLD:
1603 /* Commonly granted from child to parent. */
1604 perm = PROCESS__SIGCHLD;
1605 break;
1606 case SIGKILL:
1607 /* Cannot be caught or ignored */
1608 perm = PROCESS__SIGKILL;
1609 break;
1610 case SIGSTOP:
1611 /* Cannot be caught or ignored */
1612 perm = PROCESS__SIGSTOP;
1613 break;
1614 default:
1615 /* All other signals. */
1616 perm = PROCESS__SIGNAL;
1617 break;
1618 }
1619
1620 return perm;
1621}
1622
b68e418c
SS		 1623#if CAP_LAST_CAP > 63
1624#error Fix SELinux to handle capabilities > 63.
1625#endif
1626
1da177e4 1627/* Check whether a task is allowed to use a capability. */
6a9de491 1628static int cred_has_capability(const struct cred *cred,
c1a85a00 1629 int cap, unsigned int opts, bool initns)
1da177e4 1630{
2bf49690 1631 struct common_audit_data ad;
06112163 1632 struct av_decision avd;
b68e418c 1633 u16 sclass;
3699c53c 1634 u32 sid = cred_sid(cred);
b68e418c 1635 u32 av = CAP_TO_MASK(cap);
06112163 1636 int rc;
1da177e4 1637
50c205f5 1638 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1639 ad.u.cap = cap;
1640
b68e418c
SS		 1641 switch (CAP_TO_INDEX(cap)) {
1642 case 0:
8e4ff6f2 1643 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1644 break;
1645 case 1:
8e4ff6f2 1646 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1647 break;
1648 default:
c103a91e 1649 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1650 BUG();
a35c6c83 1651 return -EINVAL;
b68e418c 1652 }
06112163 1653
6b6bc620
SS		 1654 rc = avc_has_perm_noaudit(&selinux_state,
1655 sid, sid, sclass, av, 0, &avd);
c1a85a00 1656 if (!(opts & CAP_OPT_NOAUDIT)) {
6b6bc620
SS		 1657 int rc2 = avc_audit(&selinux_state,
1658 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1659 if (rc2)
1660 return rc2;
1661 }
06112163 1662 return rc;
1da177e4
LT		 1663}
1664
1da177e4
LT		 1665/* Check whether a task has a particular permission to an inode.
1666 The 'adp' parameter is optional and allows other audit
1667 data to be passed (e.g. the dentry). */
88e67f3b 1668static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1669 struct inode *inode,
1670 u32 perms,
19e49834 1671 struct common_audit_data *adp)
1da177e4 1672{
1da177e4 1673 struct inode_security_struct *isec;
275bb41e 1674 u32 sid;
1da177e4 1675
e0e81739
DH		 1676 validate_creds(cred);
1677
828dfe1d 1678 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1679 return 0;
1680
88e67f3b 1681 sid = cred_sid(cred);
80788c22 1682 isec = selinux_inode(inode);
1da177e4 1683
6b6bc620
SS		 1684 return avc_has_perm(&selinux_state,
1685 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1686}
1687
1688/* Same as inode_has_perm, but pass explicit audit data containing
1689 the dentry to help the auditing code to more easily generate the
1690 pathname if needed. */
88e67f3b 1691static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1692 struct dentry *dentry,
1693 u32 av)
1694{
c6f493d6 1695 struct inode *inode = d_backing_inode(dentry);
2bf49690 1696 struct common_audit_data ad;
88e67f3b 1697
50c205f5 1698 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1699 ad.u.dentry = dentry;
5d226df4 1700 __inode_security_revalidate(inode, dentry, true);
19e49834 1701 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1702}
1703
1704/* Same as inode_has_perm, but pass explicit audit data containing
1705 the path to help the auditing code to more easily generate the
1706 pathname if needed. */
1707static inline int path_has_perm(const struct cred *cred,
3f7036a0 1708 const struct path *path,
2875fa00
EP		 1709 u32 av)
1710{
c6f493d6 1711 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1712 struct common_audit_data ad;
1713
50c205f5 1714 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1715 ad.u.path = *path;
5d226df4 1716 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1717 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1718}
1719
13f8e981
DH		 1720/* Same as path_has_perm, but uses the inode from the file struct. */
1721static inline int file_path_has_perm(const struct cred *cred,
1722 struct file *file,
1723 u32 av)
1724{
1725 struct common_audit_data ad;
1726
43af5de7
VG		 1727 ad.type = LSM_AUDIT_DATA_FILE;
1728 ad.u.file = file;
19e49834 1729 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1730}
1731
f66e448c
CF		 1732#ifdef CONFIG_BPF_SYSCALL
1733static int bpf_fd_pass(struct file *file, u32 sid);
1734#endif
1735
1da177e4
LT		 1736/* Check whether a task can use an open file descriptor to
1737 access an inode in a given way. Check access to the
1738 descriptor itself, and then use dentry_has_perm to
1739 check a particular permission to the file.
1740 Access to the descriptor is implicitly granted if it
1741 has the same SID as the process. If av is zero, then
1742 access to the file is not checked, e.g. for cases
1743 where only the descriptor is affected like seek. */
88e67f3b
DH		 1744static int file_has_perm(const struct cred *cred,
1745 struct file *file,
1746 u32 av)
1da177e4 1747{
bb6c6b02 1748 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1749 struct inode *inode = file_inode(file);
2bf49690 1750 struct common_audit_data ad;
88e67f3b 1751 u32 sid = cred_sid(cred);
1da177e4
LT		 1752 int rc;
1753
43af5de7
VG		 1754 ad.type = LSM_AUDIT_DATA_FILE;
1755 ad.u.file = file;
1da177e4 1756
275bb41e 1757 if (sid != fsec->sid) {
6b6bc620
SS		 1758 rc = avc_has_perm(&selinux_state,
1759 sid, fsec->sid,
1da177e4
LT		 1760 SECCLASS_FD,
1761 FD__USE,
1762 &ad);
1763 if (rc)
88e67f3b 1764 goto out;
1da177e4
LT		 1765 }
1766
f66e448c
CF		 1767#ifdef CONFIG_BPF_SYSCALL
1768 rc = bpf_fd_pass(file, cred_sid(cred));
1769 if (rc)
1770 return rc;
1771#endif
1772
1da177e4 1773 /* av is zero if only checking access to the descriptor. */
88e67f3b 1774 rc = 0;
1da177e4 1775 if (av)
19e49834 1776 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1777
88e67f3b
DH		 1778out:
1779 return rc;
1da177e4
LT		 1780}
1781
c3c188b2
DH		 1782/*
1783 * Determine the label for an inode that might be unioned.
1784 */
c957f6df
VG		 1785static int
1786selinux_determine_inode_label(const struct task_security_struct *tsec,
1787 struct inode *dir,
1788 const struct qstr *name, u16 tclass,
1789 u32 *_new_isid)
c3c188b2
DH		 1790{
1791 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1792
1793 if ((sbsec->flags & SE_SBINITIALIZED) &&
1794 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1795 *_new_isid = sbsec->mntpoint_sid;
1796 } else if ((sbsec->flags & SBLABEL_MNT) &&
1797 tsec->create_sid) {
1798 *_new_isid = tsec->create_sid;
1799 } else {
20cdef8d 1800 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1801 return security_transition_sid(&selinux_state, tsec->sid,
1802 dsec->sid, tclass,
c3c188b2
DH		 1803 name, _new_isid);
1804 }
1805
1806 return 0;
1807}
1808
1da177e4
LT		 1809/* Check whether a task can create a file. */
1810static int may_create(struct inode *dir,
1811 struct dentry *dentry,
1812 u16 tclass)
1813{
0c6cfa62 1814 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1815 struct inode_security_struct *dsec;
1816 struct superblock_security_struct *sbsec;
275bb41e 1817 u32 sid, newsid;
2bf49690 1818 struct common_audit_data ad;
1da177e4
LT		 1819 int rc;
1820
83da53c5 1821 dsec = inode_security(dir);
1da177e4
LT		 1822 sbsec = dir->i_sb->s_security;
1823
275bb41e 1824 sid = tsec->sid;
275bb41e 1825
50c205f5 1826 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1827 ad.u.dentry = dentry;
1da177e4 1828
6b6bc620
SS		 1829 rc = avc_has_perm(&selinux_state,
1830 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1831 DIR__ADD_NAME | DIR__SEARCH,
1832 &ad);
1833 if (rc)
1834 return rc;
1835
0c6cfa62 1836 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
c957f6df 1837 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1838 if (rc)
1839 return rc;
1da177e4 1840
6b6bc620
SS		 1841 rc = avc_has_perm(&selinux_state,
1842 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1843 if (rc)
1844 return rc;
1845
6b6bc620
SS		 1846 return avc_has_perm(&selinux_state,
1847 newsid, sbsec->sid,
1da177e4
LT		 1848 SECCLASS_FILESYSTEM,
1849 FILESYSTEM__ASSOCIATE, &ad);
1850}
1851
828dfe1d
EP		 1852#define MAY_LINK 0
1853#define MAY_UNLINK 1
1854#define MAY_RMDIR 2
1da177e4
LT		 1855
1856/* Check whether a task can link, unlink, or rmdir a file/directory. */
1857static int may_link(struct inode *dir,
1858 struct dentry *dentry,
1859 int kind)
1860
1861{
1da177e4 1862 struct inode_security_struct *dsec, *isec;
2bf49690 1863 struct common_audit_data ad;
275bb41e 1864 u32 sid = current_sid();
1da177e4
LT		 1865 u32 av;
1866 int rc;
1867
83da53c5
AG		 1868 dsec = inode_security(dir);
1869 isec = backing_inode_security(dentry);
1da177e4 1870
50c205f5 1871 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1872 ad.u.dentry = dentry;
1da177e4
LT		 1873
1874 av = DIR__SEARCH;
1875 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1876 rc = avc_has_perm(&selinux_state,
1877 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1878 if (rc)
1879 return rc;
1880
1881 switch (kind) {
1882 case MAY_LINK:
1883 av = FILE__LINK;
1884 break;
1885 case MAY_UNLINK:
1886 av = FILE__UNLINK;
1887 break;
1888 case MAY_RMDIR:
1889 av = DIR__RMDIR;
1890 break;
1891 default:
c103a91e 1892 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1893 __func__, kind);
1da177e4
LT		 1894 return 0;
1895 }
1896
6b6bc620
SS		 1897 rc = avc_has_perm(&selinux_state,
1898 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1899 return rc;
1900}
1901
1902static inline int may_rename(struct inode *old_dir,
1903 struct dentry *old_dentry,
1904 struct inode *new_dir,
1905 struct dentry *new_dentry)
1906{
1da177e4 1907 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1908 struct common_audit_data ad;
275bb41e 1909 u32 sid = current_sid();
1da177e4
LT		 1910 u32 av;
1911 int old_is_dir, new_is_dir;
1912 int rc;
1913
83da53c5
AG		 1914 old_dsec = inode_security(old_dir);
1915 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1916 old_is_dir = d_is_dir(old_dentry);
83da53c5 1917 new_dsec = inode_security(new_dir);
1da177e4 1918
50c205f5 1919 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1920
a269434d 1921 ad.u.dentry = old_dentry;
6b6bc620
SS		 1922 rc = avc_has_perm(&selinux_state,
1923 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1924 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1925 if (rc)
1926 return rc;
6b6bc620
SS		 1927 rc = avc_has_perm(&selinux_state,
1928 sid, old_isec->sid,
1da177e4
LT		 1929 old_isec->sclass, FILE__RENAME, &ad);
1930 if (rc)
1931 return rc;
1932 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1933 rc = avc_has_perm(&selinux_state,
1934 sid, old_isec->sid,
1da177e4
LT		 1935 old_isec->sclass, DIR__REPARENT, &ad);
1936 if (rc)
1937 return rc;
1938 }
1939
a269434d 1940 ad.u.dentry = new_dentry;
1da177e4 1941 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1942 if (d_is_positive(new_dentry))
1da177e4 1943 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1944 rc = avc_has_perm(&selinux_state,
1945 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1946 if (rc)
1947 return rc;
2c616d4d 1948 if (d_is_positive(new_dentry)) {
83da53c5 1949 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1950 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1951 rc = avc_has_perm(&selinux_state,
1952 sid, new_isec->sid,
1da177e4
LT		 1953 new_isec->sclass,
1954 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1955 if (rc)
1956 return rc;
1957 }
1958
1959 return 0;
1960}
1961
1962/* Check whether a task can perform a filesystem operation. */
88e67f3b 1963static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1964 struct super_block *sb,
1965 u32 perms,
2bf49690 1966 struct common_audit_data *ad)
1da177e4 1967{
1da177e4 1968 struct superblock_security_struct *sbsec;
88e67f3b 1969 u32 sid = cred_sid(cred);
1da177e4 1970
1da177e4 1971 sbsec = sb->s_security;
6b6bc620
SS		 1972 return avc_has_perm(&selinux_state,
1973 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1974}
1975
1976/* Convert a Linux mode and permission mask to an access vector. */
1977static inline u32 file_mask_to_av(int mode, int mask)
1978{
1979 u32 av = 0;
1980
dba19c60 1981 if (!S_ISDIR(mode)) {
1da177e4
LT		 1982 if (mask & MAY_EXEC)
1983 av |= FILE__EXECUTE;
1984 if (mask & MAY_READ)
1985 av |= FILE__READ;
1986
1987 if (mask & MAY_APPEND)
1988 av |= FILE__APPEND;
1989 else if (mask & MAY_WRITE)
1990 av |= FILE__WRITE;
1991
1992 } else {
1993 if (mask & MAY_EXEC)
1994 av |= DIR__SEARCH;
1995 if (mask & MAY_WRITE)
1996 av |= DIR__WRITE;
1997 if (mask & MAY_READ)
1998 av |= DIR__READ;
1999 }
2000
2001 return av;
2002}
2003
8b6a5a37
EP		 2004/* Convert a Linux file to an access vector. */
2005static inline u32 file_to_av(struct file *file)
2006{
2007 u32 av = 0;
2008
2009 if (file->f_mode & FMODE_READ)
2010 av |= FILE__READ;
2011 if (file->f_mode & FMODE_WRITE) {
2012 if (file->f_flags & O_APPEND)
2013 av |= FILE__APPEND;
2014 else
2015 av |= FILE__WRITE;
2016 }
2017 if (!av) {
2018 /*
2019 * Special file opened with flags 3 for ioctl-only use.
2020 */
2021 av = FILE__IOCTL;
2022 }
2023
2024 return av;
2025}
2026
b0c636b9 2027/*
8b6a5a37 2028 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2029 * open permission.
2030 */
8b6a5a37 2031static inline u32 open_file_to_av(struct file *file)
b0c636b9 2032{
8b6a5a37 2033 u32 av = file_to_av(file);
ccb54478 2034 struct inode *inode = file_inode(file);
b0c636b9 2035
aa8e712c
SS		 2036 if (selinux_policycap_openperm() &&
2037 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2038 av |= FILE__OPEN;
2039
b0c636b9
EP		 2040 return av;
2041}
2042
1da177e4
LT		 2043/* Hook functions begin here. */
2044
79af7307
SS		 2045static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2046{
2047 u32 mysid = current_sid();
2048 u32 mgrsid = task_sid(mgr);
2049
6b6bc620
SS		 2050 return avc_has_perm(&selinux_state,
2051 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2052 BINDER__SET_CONTEXT_MGR, NULL);
2053}
2054
2055static int selinux_binder_transaction(struct task_struct *from,
2056 struct task_struct *to)
2057{
2058 u32 mysid = current_sid();
2059 u32 fromsid = task_sid(from);
2060 u32 tosid = task_sid(to);
2061 int rc;
2062
2063 if (mysid != fromsid) {
6b6bc620
SS		 2064 rc = avc_has_perm(&selinux_state,
2065 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2066 BINDER__IMPERSONATE, NULL);
2067 if (rc)
2068 return rc;
2069 }
2070
6b6bc620
SS		 2071 return avc_has_perm(&selinux_state,
2072 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2073 NULL);
2074}
2075
2076static int selinux_binder_transfer_binder(struct task_struct *from,
2077 struct task_struct *to)
2078{
2079 u32 fromsid = task_sid(from);
2080 u32 tosid = task_sid(to);
2081
6b6bc620
SS		 2082 return avc_has_perm(&selinux_state,
2083 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2084 NULL);
2085}
2086
2087static int selinux_binder_transfer_file(struct task_struct *from,
2088 struct task_struct *to,
2089 struct file *file)
2090{
2091 u32 sid = task_sid(to);
bb6c6b02 2092 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2093 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2094 struct inode_security_struct *isec;
79af7307
SS		 2095 struct common_audit_data ad;
2096 int rc;
2097
2098 ad.type = LSM_AUDIT_DATA_PATH;
2099 ad.u.path = file->f_path;
2100
2101 if (sid != fsec->sid) {
6b6bc620
SS		 2102 rc = avc_has_perm(&selinux_state,
2103 sid, fsec->sid,
79af7307
SS		 2104 SECCLASS_FD,
2105 FD__USE,
2106 &ad);
2107 if (rc)
2108 return rc;
2109 }
2110
f66e448c
CF		 2111#ifdef CONFIG_BPF_SYSCALL
2112 rc = bpf_fd_pass(file, sid);
2113 if (rc)
2114 return rc;
2115#endif
2116
83da53c5 2117 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2118 return 0;
2119
20cdef8d 2120 isec = backing_inode_security(dentry);
6b6bc620
SS		 2121 return avc_has_perm(&selinux_state,
2122 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2123 &ad);
2124}
2125
9e48858f 2126static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2127 unsigned int mode)
1da177e4 2128{
be0554c9
SS		 2129 u32 sid = current_sid();
2130 u32 csid = task_sid(child);
2131
2132 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2133 return avc_has_perm(&selinux_state,
2134 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2135
6b6bc620
SS		 2136 return avc_has_perm(&selinux_state,
2137 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2138}
2139
2140static int selinux_ptrace_traceme(struct task_struct *parent)
2141{
6b6bc620
SS		 2142 return avc_has_perm(&selinux_state,
2143 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2144 PROCESS__PTRACE, NULL);
1da177e4
LT		 2145}
2146
2147static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2148 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2149{
6b6bc620
SS		 2150 return avc_has_perm(&selinux_state,
2151 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2152 PROCESS__GETCAP, NULL);
1da177e4
LT		 2153}
2154
d84f4f99
DH		 2155static int selinux_capset(struct cred *new, const struct cred *old,
2156 const kernel_cap_t *effective,
2157 const kernel_cap_t *inheritable,
2158 const kernel_cap_t *permitted)
1da177e4 2159{
6b6bc620
SS		 2160 return avc_has_perm(&selinux_state,
2161 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2162 PROCESS__SETCAP, NULL);
1da177e4
LT		 2163}
2164
5626d3e8
JM		 2165/*
2166 * (This comment used to live with the selinux_task_setuid hook,
2167 * which was removed).
2168 *
2169 * Since setuid only affects the current process, and since the SELinux
2170 * controls are not based on the Linux identity attributes, SELinux does not
2171 * need to control this operation. However, SELinux does control the use of
2172 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2173 */
2174
6a9de491 2175static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2176 int cap, unsigned int opts)
1da177e4 2177{
c1a85a00 2178 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2179}
2180
1da177e4
LT		 2181static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2182{
88e67f3b 2183 const struct cred *cred = current_cred();
1da177e4
LT		 2184 int rc = 0;
2185
2186 if (!sb)
2187 return 0;
2188
2189 switch (cmds) {
828dfe1d
EP		 2190 case Q_SYNC:
2191 case Q_QUOTAON:
2192 case Q_QUOTAOFF:
2193 case Q_SETINFO:
2194 case Q_SETQUOTA:
88e67f3b 2195 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2196 break;
2197 case Q_GETFMT:
2198 case Q_GETINFO:
2199 case Q_GETQUOTA:
88e67f3b 2200 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2201 break;
2202 default:
2203 rc = 0; /* let the kernel handle invalid cmds */
2204 break;
1da177e4
LT		 2205 }
2206 return rc;
2207}
2208
2209static int selinux_quota_on(struct dentry *dentry)
2210{
88e67f3b
DH		 2211 const struct cred *cred = current_cred();
2212
2875fa00 2213 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2214}
2215
12b3052c 2216static int selinux_syslog(int type)
1da177e4 2217{
1da177e4 2218 switch (type) {
d78ca3cd
KC		 2219 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2220 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2221 return avc_has_perm(&selinux_state,
2222 current_sid(), SECINITSID_KERNEL,
be0554c9 2223 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2224 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2225 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2226 /* Set level of messages printed to console */
2227 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2228 return avc_has_perm(&selinux_state,
2229 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2230 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2231 NULL);
1da177e4 2232 }
be0554c9 2233 /* All other syslog types */
6b6bc620
SS		 2234 return avc_has_perm(&selinux_state,
2235 current_sid(), SECINITSID_KERNEL,
be0554c9 2236 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2237}
2238
2239/*
2240 * Check that a process has enough memory to allocate a new virtual
2241 * mapping. 0 means there is enough memory for the allocation to
2242 * succeed and -ENOMEM implies there is not.
2243 *
1da177e4
LT		 2244 * Do not audit the selinux permission check, as this is applied to all
2245 * processes that allocate mappings.
2246 */
34b4e4aa 2247static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2248{
2249 int rc, cap_sys_admin = 0;
1da177e4 2250
b1d9e6b0 2251 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2252 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2253 if (rc == 0)
2254 cap_sys_admin = 1;
2255
b1d9e6b0 2256 return cap_sys_admin;
1da177e4
LT		 2257}
2258
2259/* binprm security operations */
2260
be0554c9 2261static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2262{
2263 u32 sid = 0;
2264 struct task_struct *tracer;
2265
2266 rcu_read_lock();
be0554c9 2267 tracer = ptrace_parent(current);
0c6181cb
PM		 2268 if (tracer)
2269 sid = task_sid(tracer);
2270 rcu_read_unlock();
2271
2272 return sid;
2273}
2274
7b0d0b40
SS		 2275static int check_nnp_nosuid(const struct linux_binprm *bprm,
2276 const struct task_security_struct *old_tsec,
2277 const struct task_security_struct *new_tsec)
2278{
2279 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2280 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2281 int rc;
af63f419 2282 u32 av;
7b0d0b40
SS		 2283
2284 if (!nnp && !nosuid)
2285 return 0; /* neither NNP nor nosuid */
2286
2287 if (new_tsec->sid == old_tsec->sid)
2288 return 0; /* No change in credentials */
2289
2290 /*
af63f419
SS		 2291 * If the policy enables the nnp_nosuid_transition policy capability,
2292 * then we permit transitions under NNP or nosuid if the
2293 * policy allows the corresponding permission between
2294 * the old and new contexts.
7b0d0b40 2295 */
aa8e712c 2296 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2297 av = 0;
7b0d0b40 2298 if (nnp)
af63f419
SS		 2299 av |= PROCESS2__NNP_TRANSITION;
2300 if (nosuid)
2301 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2302 rc = avc_has_perm(&selinux_state,
2303 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2304 SECCLASS_PROCESS2, av, NULL);
2305 if (!rc)
2306 return 0;
7b0d0b40 2307 }
af63f419
SS		 2308
2309 /*
2310 * We also permit NNP or nosuid transitions to bounded SIDs,
2311 * i.e. SIDs that are guaranteed to only be allowed a subset
2312 * of the permissions of the current SID.
2313 */
aa8e712c
SS		 2314 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2315 new_tsec->sid);
af63f419
SS		 2316 if (!rc)
2317 return 0;
2318
2319 /*
2320 * On failure, preserve the errno values for NNP vs nosuid.
2321 * NNP: Operation not permitted for caller.
2322 * nosuid: Permission denied to file.
2323 */
2324 if (nnp)
2325 return -EPERM;
2326 return -EACCES;
7b0d0b40
SS		 2327}
2328
a6f76f23 2329static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2330{
a6f76f23
DH		 2331 const struct task_security_struct *old_tsec;
2332 struct task_security_struct *new_tsec;
1da177e4 2333 struct inode_security_struct *isec;
2bf49690 2334 struct common_audit_data ad;
496ad9aa 2335 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2336 int rc;
2337
a6f76f23
DH		 2338 /* SELinux context only depends on initial program or script and not
2339 * the script interpreter */
ddb4a144 2340 if (bprm->called_set_creds)
1da177e4
LT		 2341 return 0;
2342
0c6cfa62
CS		 2343 old_tsec = selinux_cred(current_cred());
2344 new_tsec = selinux_cred(bprm->cred);
83da53c5 2345 isec = inode_security(inode);
1da177e4
LT		 2346
2347 /* Default to the current task SID. */
a6f76f23
DH		 2348 new_tsec->sid = old_tsec->sid;
2349 new_tsec->osid = old_tsec->sid;
1da177e4 2350
28eba5bf 2351 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2352 new_tsec->create_sid = 0;
2353 new_tsec->keycreate_sid = 0;
2354 new_tsec->sockcreate_sid = 0;
1da177e4 2355
a6f76f23
DH		 2356 if (old_tsec->exec_sid) {
2357 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2358 /* Reset exec SID on execve. */
a6f76f23 2359 new_tsec->exec_sid = 0;
259e5e6c 2360
7b0d0b40
SS		 2361 /* Fail on NNP or nosuid if not an allowed transition. */
2362 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2363 if (rc)
2364 return rc;
1da177e4
LT		 2365 } else {
2366 /* Check for a default transition on this program. */
aa8e712c
SS		 2367 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2368 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2369 &new_tsec->sid);
1da177e4
LT		 2370 if (rc)
2371 return rc;
7b0d0b40
SS		 2372
2373 /*
2374 * Fallback to old SID on NNP or nosuid if not an allowed
2375 * transition.
2376 */
2377 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2378 if (rc)
2379 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2380 }
2381
43af5de7
VG		 2382 ad.type = LSM_AUDIT_DATA_FILE;
2383 ad.u.file = bprm->file;
1da177e4 2384
a6f76f23 2385 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2386 rc = avc_has_perm(&selinux_state,
2387 old_tsec->sid, isec->sid,
1da177e4
LT		 2388 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2389 if (rc)
2390 return rc;
2391 } else {
2392 /* Check permissions for the transition. */
6b6bc620
SS		 2393 rc = avc_has_perm(&selinux_state,
2394 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2395 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2396 if (rc)
2397 return rc;
2398
6b6bc620
SS		 2399 rc = avc_has_perm(&selinux_state,
2400 new_tsec->sid, isec->sid,
1da177e4
LT		 2401 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2402 if (rc)
2403 return rc;
2404
a6f76f23
DH		 2405 /* Check for shared state */
2406 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2407 rc = avc_has_perm(&selinux_state,
2408 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2409 SECCLASS_PROCESS, PROCESS__SHARE,
2410 NULL);
2411 if (rc)
2412 return -EPERM;
2413 }
2414
2415 /* Make sure that anyone attempting to ptrace over a task that
2416 * changes its SID has the appropriate permit */
9227dd2a 2417 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2418 u32 ptsid = ptrace_parent_sid();
a6f76f23 2419 if (ptsid != 0) {
6b6bc620
SS		 2420 rc = avc_has_perm(&selinux_state,
2421 ptsid, new_tsec->sid,
a6f76f23
DH		 2422 SECCLASS_PROCESS,
2423 PROCESS__PTRACE, NULL);
2424 if (rc)
2425 return -EPERM;
2426 }
2427 }
1da177e4 2428
a6f76f23
DH		 2429 /* Clear any possibly unsafe personality bits on exec: */
2430 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2431
1da177e4
LT		 2432 /* Enable secure mode for SIDs transitions unless
2433 the noatsecure permission is granted between
2434 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2435 rc = avc_has_perm(&selinux_state,
2436 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2437 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2438 NULL);
2439 bprm->secureexec |= !!rc;
1da177e4
LT		 2440 }
2441
62874c3a 2442 return 0;
1da177e4
LT		 2443}
2444
c3c073f8
AV		 2445static int match_file(const void *p, struct file *file, unsigned fd)
2446{
2447 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2448}
2449
1da177e4 2450/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2451static inline void flush_unauthorized_files(const struct cred *cred,
2452 struct files_struct *files)
1da177e4 2453{
1da177e4 2454 struct file *file, *devnull = NULL;
b20c8122 2455 struct tty_struct *tty;
24ec839c 2456 int drop_tty = 0;
c3c073f8 2457 unsigned n;
1da177e4 2458
24ec839c 2459 tty = get_current_tty();
1da177e4 2460 if (tty) {
4a510969 2461 spin_lock(&tty->files_lock);
37dd0bd0 2462 if (!list_empty(&tty->tty_files)) {
d996b62a 2463 struct tty_file_private *file_priv;
37dd0bd0 2464
1da177e4 2465 /* Revalidate access to controlling tty.
13f8e981
DH		 2466 Use file_path_has_perm on the tty path directly
2467 rather than using file_has_perm, as this particular
2468 open file may belong to another process and we are
2469 only interested in the inode-based check here. */
d996b62a
NP		 2470 file_priv = list_first_entry(&tty->tty_files,
2471 struct tty_file_private, list);
2472 file = file_priv->file;
13f8e981 2473 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2474 drop_tty = 1;
1da177e4 2475 }
4a510969 2476 spin_unlock(&tty->files_lock);
452a00d2 2477 tty_kref_put(tty);
1da177e4 2478 }
98a27ba4
EB		 2479 /* Reset controlling tty. */
2480 if (drop_tty)
2481 no_tty();
1da177e4
LT		 2482
2483 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2484 n = iterate_fd(files, 0, match_file, cred);
2485 if (!n) /* none found? */
2486 return;
1da177e4 2487
c3c073f8 2488 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2489 if (IS_ERR(devnull))
2490 devnull = NULL;
2491 /* replace all the matching ones with this */
2492 do {
2493 replace_fd(n - 1, devnull, 0);
2494 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2495 if (devnull)
c3c073f8 2496 fput(devnull);
1da177e4
LT		 2497}
2498
a6f76f23
DH		 2499/*
2500 * Prepare a process for imminent new credential changes due to exec
2501 */
2502static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2503{
a6f76f23
DH		 2504 struct task_security_struct *new_tsec;
2505 struct rlimit *rlim, *initrlim;
2506 int rc, i;
d84f4f99 2507
0c6cfa62 2508 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2509 if (new_tsec->sid == new_tsec->osid)
2510 return;
1da177e4 2511
a6f76f23
DH		 2512 /* Close files for which the new task SID is not authorized. */
2513 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2514
a6f76f23
DH		 2515 /* Always clear parent death signal on SID transitions. */
2516 current->pdeath_signal = 0;
0356357c 2517
a6f76f23
DH		 2518 /* Check whether the new SID can inherit resource limits from the old
2519 * SID. If not, reset all soft limits to the lower of the current
2520 * task's hard limit and the init task's soft limit.
2521 *
2522 * Note that the setting of hard limits (even to lower them) can be
2523 * controlled by the setrlimit check. The inclusion of the init task's
2524 * soft limit into the computation is to avoid resetting soft limits
2525 * higher than the default soft limit for cases where the default is
2526 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2527 */
6b6bc620
SS		 2528 rc = avc_has_perm(&selinux_state,
2529 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2530 PROCESS__RLIMITINH, NULL);
2531 if (rc) {
eb2d55a3
ON		 2532 /* protect against do_prlimit() */
2533 task_lock(current);
a6f76f23
DH		 2534 for (i = 0; i < RLIM_NLIMITS; i++) {
2535 rlim = current->signal->rlim + i;
2536 initrlim = init_task.signal->rlim + i;
2537 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2538 }
eb2d55a3 2539 task_unlock(current);
baa73d9e
NP		 2540 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2541 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2542 }
2543}
2544
2545/*
a6f76f23
DH		 2546 * Clean up the process immediately after the installation of new credentials
2547 * due to exec
1da177e4 2548 */
a6f76f23 2549static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2550{
0c6cfa62 2551 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2552 u32 osid, sid;
ddbc7d06 2553 int rc;
1da177e4 2554
a6f76f23
DH		 2555 osid = tsec->osid;
2556 sid = tsec->sid;
2557
2558 if (sid == osid)
1da177e4
LT		 2559 return;
2560
a6f76f23
DH		 2561 /* Check whether the new SID can inherit signal state from the old SID.
2562 * If not, clear itimers to avoid subsequent signal generation and
2563 * flush and unblock signals.
2564 *
2565 * This must occur _after_ the task SID has been updated so that any
2566 * kill done after the flush will be checked against the new SID.
2567 */
6b6bc620
SS		 2568 rc = avc_has_perm(&selinux_state,
2569 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2570 if (rc) {
ddbc7d06
AB		 2571 clear_itimer();
2572
1da177e4 2573 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2574 if (!fatal_signal_pending(current)) {
2575 flush_sigqueue(&current->pending);
2576 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2577 flush_signal_handlers(current, 1);
2578 sigemptyset(&current->blocked);
9e7c8f8c 2579 recalc_sigpending();
3bcac026 2580 }
1da177e4
LT		 2581 spin_unlock_irq(&current->sighand->siglock);
2582 }
2583
a6f76f23
DH		 2584 /* Wake up the parent if it is waiting so that it can recheck
2585 * wait permission to the new task SID. */
ecd6de3c 2586 read_lock(&tasklist_lock);
0b7570e7 2587 __wake_up_parent(current, current->real_parent);
ecd6de3c 2588 read_unlock(&tasklist_lock);
1da177e4
LT		 2589}
2590
2591/* superblock security operations */
2592
2593static int selinux_sb_alloc_security(struct super_block *sb)
2594{
2595 return superblock_alloc_security(sb);
2596}
2597
2598static void selinux_sb_free_security(struct super_block *sb)
2599{
2600 superblock_free_security(sb);
2601}
2602
99dbbb59 2603static inline int opt_len(const char *s)
1da177e4 2604{
99dbbb59
AV		 2605 bool open_quote = false;
2606 int len;
2607 char c;
1da177e4 2608
99dbbb59
AV		 2609 for (len = 0; (c = s[len]) != '\0'; len++) {
2610 if (c == '"')
2611 open_quote = !open_quote;
2612 if (c == ',' && !open_quote)
2613 break;
3528a953 2614 }
99dbbb59 2615 return len;
3528a953
CO		 2616}
2617
99dbbb59 2618static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2619{
99dbbb59
AV		 2620 char *from = options;
2621 char *to = options;
2622 bool first = true;
fec63753 2623 int rc;
1da177e4 2624
99dbbb59
AV		 2625 while (1) {
2626 int len = opt_len(from);
fec63753 2627 int token;
99dbbb59 2628 char *arg = NULL;
1da177e4 2629
99dbbb59 2630 token = match_opt_prefix(from, len, &arg);
1da177e4 2631
99dbbb59
AV		 2632 if (token != Opt_error) {
2633 char *p, *q;
1da177e4 2634
99dbbb59
AV		 2635 /* strip quotes */
2636 if (arg) {
2637 for (p = q = arg; p < from + len; p++) {
2638 char c = *p;
2639 if (c != '"')
2640 *q++ = c;
2641 }
2642 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2643 if (!arg) {
2644 rc = -ENOMEM;
2645 goto free_opt;
2646 }
99dbbb59
AV		 2647 }
2648 rc = selinux_add_opt(token, arg, mnt_opts);
2649 if (unlikely(rc)) {
2650 kfree(arg);
fec63753 2651 goto free_opt;
99dbbb59
AV		 2652 }
2653 } else {
2654 if (!first) { // copy with preceding comma
2655 from--;
2656 len++;
2657 }
2658 if (to != from)
2659 memmove(to, from, len);
2660 to += len;
2661 first = false;
1da177e4 2662 }
99dbbb59
AV		 2663 if (!from[len])
2664 break;
2665 from += len + 1;
2666 }
2667 *to = '\0';
2668 return 0;
fec63753
GZ		 2669
2670free_opt:
2671 if (*mnt_opts) {
2672 selinux_free_mnt_opts(*mnt_opts);
2673 *mnt_opts = NULL;
2674 }
2675 return rc;
1da177e4
LT		 2676}
2677
204cc0cc 2678static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2679{
bd323655 2680 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2681 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2682 u32 sid;
2683 int rc;
026eb167
EP		 2684
2685 if (!(sbsec->flags & SE_SBINITIALIZED))
2686 return 0;
2687
204cc0cc 2688 if (!opts)
026eb167
EP		 2689 return 0;
2690
bd323655
AV		 2691 if (opts->fscontext) {
2692 rc = parse_sid(sb, opts->fscontext, &sid);
2693 if (rc)
c039bc3c 2694 return rc;
bd323655
AV		 2695 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2696 goto out_bad_option;
026eb167 2697 }
bd323655
AV		 2698 if (opts->context) {
2699 rc = parse_sid(sb, opts->context, &sid);
2700 if (rc)
2701 return rc;
2702 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2703 goto out_bad_option;
2704 }
2705 if (opts->rootcontext) {
2706 struct inode_security_struct *root_isec;
2707 root_isec = backing_inode_security(sb->s_root);
2708 rc = parse_sid(sb, opts->rootcontext, &sid);
2709 if (rc)
2710 return rc;
2711 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2712 goto out_bad_option;
2713 }
2714 if (opts->defcontext) {
2715 rc = parse_sid(sb, opts->defcontext, &sid);
2716 if (rc)
2717 return rc;
2718 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2719 goto out_bad_option;
026eb167 2720 }
c039bc3c 2721 return 0;
026eb167 2722
026eb167 2723out_bad_option:
c103a91e 2724 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2725 "during remount (dev %s, type=%s)\n", sb->s_id,
2726 sb->s_type->name);
c039bc3c 2727 return -EINVAL;
026eb167
EP		 2728}
2729
a10d7c22 2730static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2731{
88e67f3b 2732 const struct cred *cred = current_cred();
2bf49690 2733 struct common_audit_data ad;
74192246 2734
50c205f5 2735 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2736 ad.u.dentry = sb->s_root;
88e67f3b 2737 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2738}
2739
726c3342 2740static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2741{
88e67f3b 2742 const struct cred *cred = current_cred();
2bf49690 2743 struct common_audit_data ad;
1da177e4 2744
50c205f5 2745 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2746 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2747 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2748}
2749
808d4e3c 2750static int selinux_mount(const char *dev_name,
8a04c43b 2751 const struct path *path,
808d4e3c 2752 const char *type,
828dfe1d
EP		 2753 unsigned long flags,
2754 void *data)
1da177e4 2755{
88e67f3b 2756 const struct cred *cred = current_cred();
1da177e4
LT		 2757
2758 if (flags & MS_REMOUNT)
d8c9584e 2759 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2760 FILESYSTEM__REMOUNT, NULL);
1da177e4 2761 else
2875fa00 2762 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2763}
2764
2765static int selinux_umount(struct vfsmount *mnt, int flags)
2766{
88e67f3b 2767 const struct cred *cred = current_cred();
1da177e4 2768
88e67f3b 2769 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2770 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2771}
2772
0b52075e
AV		 2773static int selinux_fs_context_dup(struct fs_context *fc,
2774 struct fs_context *src_fc)
2775{
2776 const struct selinux_mnt_opts *src = src_fc->security;
2777 struct selinux_mnt_opts *opts;
2778
2779 if (!src)
2780 return 0;
2781
2782 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2783 if (!fc->security)
2784 return -ENOMEM;
2785
2786 opts = fc->security;
2787
2788 if (src->fscontext) {
2789 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2790 if (!opts->fscontext)
2791 return -ENOMEM;
2792 }
2793 if (src->context) {
2794 opts->context = kstrdup(src->context, GFP_KERNEL);
2795 if (!opts->context)
2796 return -ENOMEM;
2797 }
2798 if (src->rootcontext) {
2799 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2800 if (!opts->rootcontext)
2801 return -ENOMEM;
2802 }
2803 if (src->defcontext) {
2804 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2805 if (!opts->defcontext)
2806 return -ENOMEM;
2807 }
2808 return 0;
2809}
2810
442155c1
DH		 2811static const struct fs_parameter_spec selinux_param_specs[] = {
2812 fsparam_string(CONTEXT_STR, Opt_context),
2813 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2814 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2815 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2816 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2817 {}
2818};
2819
2820static const struct fs_parameter_description selinux_fs_parameters = {
2821 .name = "SELinux",
2822 .specs = selinux_param_specs,
2823};
2824
2825static int selinux_fs_context_parse_param(struct fs_context *fc,
2826 struct fs_parameter *param)
2827{
2828 struct fs_parse_result result;
2829 int opt, rc;
2830
2831 opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2832 if (opt < 0)
2833 return opt;
2834
2835 rc = selinux_add_opt(opt, param->string, &fc->security);
2836 if (!rc) {
2837 param->string = NULL;
2838 rc = 1;
2839 }
2840 return rc;
2841}
2842
1da177e4
LT		 2843/* inode security operations */
2844
2845static int selinux_inode_alloc_security(struct inode *inode)
2846{
2847 return inode_alloc_security(inode);
2848}
2849
2850static void selinux_inode_free_security(struct inode *inode)
2851{
2852 inode_free_security(inode);
2853}
2854
d47be3df 2855static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2856 const struct qstr *name, void **ctx,
d47be3df
DQ		 2857 u32 *ctxlen)
2858{
d47be3df
DQ		 2859 u32 newsid;
2860 int rc;
2861
0c6cfa62 2862 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2863 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2864 inode_mode_to_security_class(mode),
2865 &newsid);
2866 if (rc)
2867 return rc;
d47be3df 2868
aa8e712c
SS		 2869 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2870 ctxlen);
d47be3df
DQ		 2871}
2872
a518b0a5
VG		 2873static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2874 struct qstr *name,
2875 const struct cred *old,
2876 struct cred *new)
2877{
2878 u32 newsid;
2879 int rc;
2880 struct task_security_struct *tsec;
2881
0c6cfa62 2882 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2883 d_inode(dentry->d_parent), name,
2884 inode_mode_to_security_class(mode),
2885 &newsid);
2886 if (rc)
2887 return rc;
2888
0c6cfa62 2889 tsec = selinux_cred(new);
a518b0a5
VG		 2890 tsec->create_sid = newsid;
2891 return 0;
2892}
2893
5e41ff9e 2894static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2895 const struct qstr *qstr,
2896 const char **name,
2a7dba39 2897 void **value, size_t *len)
5e41ff9e 2898{
0c6cfa62 2899 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2900 struct superblock_security_struct *sbsec;
c0d4f464 2901 u32 newsid, clen;
5e41ff9e 2902 int rc;
9548906b 2903 char *context;
5e41ff9e 2904
5e41ff9e 2905 sbsec = dir->i_sb->s_security;
5e41ff9e 2906
275bb41e
DH		 2907 newsid = tsec->create_sid;
2908
0c6cfa62 2909 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c3c188b2
DH		 2910 dir, qstr,
2911 inode_mode_to_security_class(inode->i_mode),
2912 &newsid);
2913 if (rc)
2914 return rc;
5e41ff9e 2915
296fddf7 2916 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2917 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2918 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2919 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2920 isec->sid = newsid;
6f3be9f5 2921 isec->initialized = LABEL_INITIALIZED;
296fddf7 2922 }
5e41ff9e 2923
aa8e712c 2924 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2925 return -EOPNOTSUPP;
2926
9548906b
TH		 2927 if (name)
2928 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2929
570bc1c2 2930 if (value && len) {
aa8e712c
SS		 2931 rc = security_sid_to_context_force(&selinux_state, newsid,
2932 &context, &clen);
9548906b 2933 if (rc)
570bc1c2 2934 return rc;
570bc1c2
SS		 2935 *value = context;
2936 *len = clen;
5e41ff9e 2937 }
5e41ff9e 2938
5e41ff9e
SS		 2939 return 0;
2940}
2941
4acdaf27 2942static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2943{
2944 return may_create(dir, dentry, SECCLASS_FILE);
2945}
2946
1da177e4
LT		 2947static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2948{
1da177e4
LT		 2949 return may_link(dir, old_dentry, MAY_LINK);
2950}
2951
1da177e4
LT		 2952static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2953{
1da177e4
LT		 2954 return may_link(dir, dentry, MAY_UNLINK);
2955}
2956
2957static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2958{
2959 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2960}
2961
18bb1db3 2962static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2963{
2964 return may_create(dir, dentry, SECCLASS_DIR);
2965}
2966
1da177e4
LT		 2967static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2968{
2969 return may_link(dir, dentry, MAY_RMDIR);
2970}
2971
1a67aafb 2972static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2973{
1da177e4
LT		 2974 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2975}
2976
1da177e4 2977static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2978 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2979{
2980 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2981}
2982
1da177e4
LT		 2983static int selinux_inode_readlink(struct dentry *dentry)
2984{
88e67f3b
DH		 2985 const struct cred *cred = current_cred();
2986
2875fa00 2987 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2988}
2989
bda0be7a
N		 2990static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2991 bool rcu)
1da177e4 2992{
88e67f3b 2993 const struct cred *cred = current_cred();
bda0be7a
N		 2994 struct common_audit_data ad;
2995 struct inode_security_struct *isec;
2996 u32 sid;
1da177e4 2997
bda0be7a
N		 2998 validate_creds(cred);
2999
3000 ad.type = LSM_AUDIT_DATA_DENTRY;
3001 ad.u.dentry = dentry;
3002 sid = cred_sid(cred);
5d226df4
AG		 3003 isec = inode_security_rcu(inode, rcu);
3004 if (IS_ERR(isec))
3005 return PTR_ERR(isec);
bda0be7a 3006
e46e01ee
SS		 3007 return avc_has_perm(&selinux_state,
3008 sid, isec->sid, isec->sclass, FILE__READ, &ad);
1da177e4
LT		 3009}
3010
d4cf970d
EP		 3011static noinline int audit_inode_permission(struct inode *inode,
3012 u32 perms, u32 audited, u32 denied,
626b9740 3013 int result,
d4cf970d 3014 unsigned flags)
1da177e4 3015{
b782e0a6 3016 struct common_audit_data ad;
80788c22 3017 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d
EP		 3018 int rc;
3019
50c205f5 3020 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3021 ad.u.inode = inode;
3022
6b6bc620
SS		 3023 rc = slow_avc_audit(&selinux_state,
3024 current_sid(), isec->sid, isec->sclass, perms,
626b9740 3025 audited, denied, result, &ad, flags);
d4cf970d
EP		 3026 if (rc)
3027 return rc;
3028 return 0;
3029}
3030
e74f71eb 3031static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3032{
88e67f3b 3033 const struct cred *cred = current_cred();
b782e0a6
EP		 3034 u32 perms;
3035 bool from_access;
cf1dd1da 3036 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3037 struct inode_security_struct *isec;
3038 u32 sid;
3039 struct av_decision avd;
3040 int rc, rc2;
3041 u32 audited, denied;
1da177e4 3042
b782e0a6 3043 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3044 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3045
b782e0a6
EP		 3046 /* No permission to check. Existence test. */
3047 if (!mask)
1da177e4 3048 return 0;
1da177e4 3049
2e334057 3050 validate_creds(cred);
b782e0a6 3051
2e334057
EP		 3052 if (unlikely(IS_PRIVATE(inode)))
3053 return 0;
b782e0a6
EP		 3054
3055 perms = file_mask_to_av(inode->i_mode, mask);
3056
2e334057 3057 sid = cred_sid(cred);
5d226df4
AG		 3058 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3059 if (IS_ERR(isec))
3060 return PTR_ERR(isec);
2e334057 3061
6b6bc620 3062 rc = avc_has_perm_noaudit(&selinux_state,
3a28cff3
SS		 3063 sid, isec->sid, isec->sclass, perms,
3064 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3065 &avd);
2e334057
EP		 3066 audited = avc_audit_required(perms, &avd, rc,
3067 from_access ? FILE__AUDIT_ACCESS : 0,
3068 &denied);
3069 if (likely(!audited))
3070 return rc;
3071
626b9740 3072 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3073 if (rc2)
3074 return rc2;
3075 return rc;
1da177e4
LT		 3076}
3077
3078static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3079{
88e67f3b 3080 const struct cred *cred = current_cred();
ccb54478 3081 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3082 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3083 __u32 av = FILE__WRITE;
1da177e4 3084
bc6a6008
AW		 3085 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3086 if (ia_valid & ATTR_FORCE) {
3087 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3088 ATTR_FORCE);
3089 if (!ia_valid)
3090 return 0;
3091 }
1da177e4 3092
bc6a6008
AW		 3093 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3094 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3095 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3096
aa8e712c 3097 if (selinux_policycap_openperm() &&
ccb54478
SS		 3098 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3099 (ia_valid & ATTR_SIZE) &&
3100 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3101 av |= FILE__OPEN;
3102
3103 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3104}
3105
3f7036a0 3106static int selinux_inode_getattr(const struct path *path)
1da177e4 3107{
3f7036a0 3108 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3109}
3110
db59000a
SS		 3111static bool has_cap_mac_admin(bool audit)
3112{
3113 const struct cred *cred = current_cred();
c1a85a00 3114 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3115
c1a85a00 3116 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3117 return false;
c1a85a00 3118 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3119 return false;
3120 return true;
3121}
3122
8f0cfa52
DH		 3123static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3124 const void *value, size_t size, int flags)
1da177e4 3125{
c6f493d6 3126 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3127 struct inode_security_struct *isec;
1da177e4 3128 struct superblock_security_struct *sbsec;
2bf49690 3129 struct common_audit_data ad;
275bb41e 3130 u32 newsid, sid = current_sid();
1da177e4
LT		 3131 int rc = 0;
3132
6b240306
EB		 3133 if (strcmp(name, XATTR_NAME_SELINUX)) {
3134 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3135 if (rc)
3136 return rc;
3137
3138 /* Not an attribute we recognize, so just check the
3139 ordinary setattr permission. */
3140 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3141 }
1da177e4 3142
3e3e24b4
JL		 3143 if (!selinux_state.initialized)
3144 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3145
1da177e4 3146 sbsec = inode->i_sb->s_security;
12f348b9 3147 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3148 return -EOPNOTSUPP;
3149
2e149670 3150 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3151 return -EPERM;
3152
50c205f5 3153 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3154 ad.u.dentry = dentry;
1da177e4 3155
20cdef8d 3156 isec = backing_inode_security(dentry);
6b6bc620
SS		 3157 rc = avc_has_perm(&selinux_state,
3158 sid, isec->sid, isec->sclass,
1da177e4
LT		 3159 FILE__RELABELFROM, &ad);
3160 if (rc)
3161 return rc;
3162
aa8e712c
SS		 3163 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3164 GFP_KERNEL);
12b29f34 3165 if (rc == -EINVAL) {
db59000a 3166 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3167 struct audit_buffer *ab;
3168 size_t audit_size;
d6ea83ec
EP		 3169
3170 /* We strip a nul only if it is at the end, otherwise the
3171 * context contains a nul and we should audit that */
e3fea3f7 3172 if (value) {
add24372
CIK		 3173 const char *str = value;
3174
e3fea3f7
AV		 3175 if (str[size - 1] == '\0')
3176 audit_size = size - 1;
3177 else
3178 audit_size = size;
3179 } else {
e3fea3f7
AV		 3180 audit_size = 0;
3181 }
cdfb6b34
RGB		 3182 ab = audit_log_start(audit_context(),
3183 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3184 audit_log_format(ab, "op=setxattr invalid_context=");
3185 audit_log_n_untrustedstring(ab, value, audit_size);
3186 audit_log_end(ab);
3187
12b29f34 3188 return rc;
d6ea83ec 3189 }
aa8e712c
SS		 3190 rc = security_context_to_sid_force(&selinux_state, value,
3191 size, &newsid);
12b29f34 3192 }
1da177e4
LT		 3193 if (rc)
3194 return rc;
3195
6b6bc620
SS		 3196 rc = avc_has_perm(&selinux_state,
3197 sid, newsid, isec->sclass,
1da177e4
LT		 3198 FILE__RELABELTO, &ad);
3199 if (rc)
3200 return rc;
3201
aa8e712c
SS		 3202 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3203 sid, isec->sclass);
1da177e4
LT		 3204 if (rc)
3205 return rc;
3206
6b6bc620
SS		 3207 return avc_has_perm(&selinux_state,
3208 newsid,
1da177e4
LT		 3209 sbsec->sid,
3210 SECCLASS_FILESYSTEM,
3211 FILESYSTEM__ASSOCIATE,
3212 &ad);
3213}
3214
8f0cfa52 3215static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3216 const void *value, size_t size,
8f0cfa52 3217 int flags)
1da177e4 3218{
c6f493d6 3219 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3220 struct inode_security_struct *isec;
1da177e4
LT		 3221 u32 newsid;
3222 int rc;
3223
3224 if (strcmp(name, XATTR_NAME_SELINUX)) {
3225 /* Not an attribute we recognize, so nothing to do. */
3226 return;
3227 }
3228
3e3e24b4
JL		 3229 if (!selinux_state.initialized) {
3230 /* If we haven't even been initialized, then we can't validate
3231 * against a policy, so leave the label as invalid. It may
3232 * resolve to a valid label on the next revalidation try if
3233 * we've since initialized.
3234 */
3235 return;
3236 }
3237
aa8e712c
SS		 3238 rc = security_context_to_sid_force(&selinux_state, value, size,
3239 &newsid);
1da177e4 3240 if (rc) {
c103a91e 3241 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3242 "for (%s, %lu), rc=%d\n",
3243 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3244 return;
3245 }
3246
20cdef8d 3247 isec = backing_inode_security(dentry);
9287aed2 3248 spin_lock(&isec->lock);
aa9c2669 3249 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3250 isec->sid = newsid;
6f3be9f5 3251 isec->initialized = LABEL_INITIALIZED;
9287aed2 3252 spin_unlock(&isec->lock);
aa9c2669 3253
1da177e4
LT		 3254 return;
3255}
3256
8f0cfa52 3257static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3258{
88e67f3b
DH		 3259 const struct cred *cred = current_cred();
3260
2875fa00 3261 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3262}
3263
828dfe1d 3264static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3265{
88e67f3b
DH		 3266 const struct cred *cred = current_cred();
3267
2875fa00 3268 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3269}
3270
8f0cfa52 3271static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3272{
6b240306
EB		 3273 if (strcmp(name, XATTR_NAME_SELINUX)) {
3274 int rc = cap_inode_removexattr(dentry, name);
3275 if (rc)
3276 return rc;
3277
3278 /* Not an attribute we recognize, so just check the
3279 ordinary setattr permission. */
3280 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3281 }
1da177e4
LT		 3282
3283 /* No one is allowed to remove a SELinux security label.
3284 You can change the label, but all data must be labeled. */
3285 return -EACCES;
3286}
3287
ac5656d8
AG		 3288static int selinux_path_notify(const struct path *path, u64 mask,
3289 unsigned int obj_type)
3290{
3291 int ret;
3292 u32 perm;
3293
3294 struct common_audit_data ad;
3295
3296 ad.type = LSM_AUDIT_DATA_PATH;
3297 ad.u.path = *path;
3298
3299 /*
3300 * Set permission needed based on the type of mark being set.
3301 * Performs an additional check for sb watches.
3302 */
3303 switch (obj_type) {
3304 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3305 perm = FILE__WATCH_MOUNT;
3306 break;
3307 case FSNOTIFY_OBJ_TYPE_SB:
3308 perm = FILE__WATCH_SB;
3309 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3310 FILESYSTEM__WATCH, &ad);
3311 if (ret)
3312 return ret;
3313 break;
3314 case FSNOTIFY_OBJ_TYPE_INODE:
3315 perm = FILE__WATCH;
3316 break;
3317 default:
3318 return -EINVAL;
3319 }
3320
3321 /* blocking watches require the file:watch_with_perm permission */
3322 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3323 perm |= FILE__WATCH_WITH_PERM;
3324
3325 /* watches on read-like events need the file:watch_reads permission */
3326 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3327 perm |= FILE__WATCH_READS;
3328
3329 return path_has_perm(current_cred(), path, perm);
3330}
3331
d381d8a9 3332/*
abc69bb6 3333 * Copy the inode security context value to the user.
d381d8a9
JM		 3334 *
3335 * Permission check is handled by selinux_inode_getxattr hook.
3336 */
ea861dfd 3337static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3338{
42492594
DQ		 3339 u32 size;
3340 int error;
3341 char *context = NULL;
20cdef8d 3342 struct inode_security_struct *isec;
d381d8a9 3343
8c8570fb
DK		 3344 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3345 return -EOPNOTSUPP;
d381d8a9 3346
abc69bb6
SS		 3347 /*
3348 * If the caller has CAP_MAC_ADMIN, then get the raw context
3349 * value even if it is not defined by current policy; otherwise,
3350 * use the in-core value under current policy.
3351 * Use the non-auditing forms of the permission checks since
3352 * getxattr may be called by unprivileged processes commonly
3353 * and lack of permission just means that we fall back to the
3354 * in-core context value, not a denial.
3355 */
20cdef8d 3356 isec = inode_security(inode);
db59000a 3357 if (has_cap_mac_admin(false))
aa8e712c
SS		 3358 error = security_sid_to_context_force(&selinux_state,
3359 isec->sid, &context,
abc69bb6
SS		 3360 &size);
3361 else
aa8e712c
SS		 3362 error = security_sid_to_context(&selinux_state, isec->sid,
3363 &context, &size);
42492594
DQ		 3364 if (error)
3365 return error;
3366 error = size;
3367 if (alloc) {
3368 *buffer = context;
3369 goto out_nofree;
3370 }
3371 kfree(context);
3372out_nofree:
3373 return error;
1da177e4
LT		 3374}
3375
3376static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3377 const void *value, size_t size, int flags)
1da177e4 3378{
2c97165b 3379 struct inode_security_struct *isec = inode_security_novalidate(inode);
53e0c2aa 3380 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1da177e4
LT		 3381 u32 newsid;
3382 int rc;
3383
3384 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3385 return -EOPNOTSUPP;
3386
53e0c2aa
OM		 3387 if (!(sbsec->flags & SBLABEL_MNT))
3388 return -EOPNOTSUPP;
3389
1da177e4
LT		 3390 if (!value || !size)
3391 return -EACCES;
3392
aa8e712c
SS		 3393 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3394 GFP_KERNEL);
1da177e4
LT		 3395 if (rc)
3396 return rc;
3397
9287aed2 3398 spin_lock(&isec->lock);
aa9c2669 3399 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3400 isec->sid = newsid;
6f3be9f5 3401 isec->initialized = LABEL_INITIALIZED;
9287aed2 3402 spin_unlock(&isec->lock);
1da177e4
LT		 3403 return 0;
3404}
3405
3406static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3407{
3408 const int len = sizeof(XATTR_NAME_SELINUX);
3409 if (buffer && len <= buffer_size)
3410 memcpy(buffer, XATTR_NAME_SELINUX, len);
3411 return len;
3412}
3413
d6335d77 3414static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3415{
e817c2f3 3416 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3417 *secid = isec->sid;
3418}
3419
56909eb3
VG		 3420static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3421{
3422 u32 sid;
3423 struct task_security_struct *tsec;
3424 struct cred *new_creds = *new;
3425
3426 if (new_creds == NULL) {
3427 new_creds = prepare_creds();
3428 if (!new_creds)
3429 return -ENOMEM;
3430 }
3431
0c6cfa62 3432 tsec = selinux_cred(new_creds);
56909eb3
VG		 3433 /* Get label from overlay inode and set it in create_sid */
3434 selinux_inode_getsecid(d_inode(src), &sid);
3435 tsec->create_sid = sid;
3436 *new = new_creds;
3437 return 0;
3438}
3439
19472b69
VG		 3440static int selinux_inode_copy_up_xattr(const char *name)
3441{
3442 /* The copy_up hook above sets the initial context on an inode, but we
3443 * don't then want to overwrite it by blindly copying all the lower
3444 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3445 */
3446 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3447 return 1; /* Discard */
3448 /*
3449 * Any other attribute apart from SELINUX is not claimed, supported
3450 * by selinux.
3451 */
3452 return -EOPNOTSUPP;
3453}
3454
ec882da5
OM		 3455/* kernfs node operations */
3456
c72c4cde
Y		 3457static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3458 struct kernfs_node *kn)
ec882da5 3459{
169ce0c0 3460 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3461 u32 parent_sid, newsid, clen;
3462 int rc;
3463 char *context;
3464
1537ad15 3465 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3466 if (rc == -ENODATA)
3467 return 0;
3468 else if (rc < 0)
3469 return rc;
3470
3471 clen = (u32)rc;
3472 context = kmalloc(clen, GFP_KERNEL);
3473 if (!context)
3474 return -ENOMEM;
3475
1537ad15 3476 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3477 if (rc < 0) {
3478 kfree(context);
3479 return rc;
3480 }
3481
3482 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3483 GFP_KERNEL);
3484 kfree(context);
3485 if (rc)
3486 return rc;
3487
3488 if (tsec->create_sid) {
3489 newsid = tsec->create_sid;
3490 } else {
3491 u16 secclass = inode_mode_to_security_class(kn->mode);
3492 struct qstr q;
3493
3494 q.name = kn->name;
3495 q.hash_len = hashlen_string(kn_dir, kn->name);
3496
3497 rc = security_transition_sid(&selinux_state, tsec->sid,
3498 parent_sid, secclass, &q,
3499 &newsid);
3500 if (rc)
3501 return rc;
3502 }
3503
3504 rc = security_sid_to_context_force(&selinux_state, newsid,
3505 &context, &clen);
3506 if (rc)
3507 return rc;
3508
1537ad15
OM		 3509 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3510 XATTR_CREATE);
ec882da5
OM		 3511 kfree(context);
3512 return rc;
3513}
3514
3515
1da177e4
LT		 3516/* file security operations */
3517
788e7dd4 3518static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3519{
88e67f3b 3520 const struct cred *cred = current_cred();
496ad9aa 3521 struct inode *inode = file_inode(file);
1da177e4 3522
1da177e4
LT		 3523 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3524 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3525 mask |= MAY_APPEND;
3526
389fb800
PM		 3527 return file_has_perm(cred, file,
3528 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3529}
3530
788e7dd4
YN		 3531static int selinux_file_permission(struct file *file, int mask)
3532{
496ad9aa 3533 struct inode *inode = file_inode(file);
bb6c6b02 3534 struct file_security_struct *fsec = selinux_file(file);
b197367e 3535 struct inode_security_struct *isec;
20dda18b
SS		 3536 u32 sid = current_sid();
3537
389fb800 3538 if (!mask)
788e7dd4
YN		 3539 /* No permission to check. Existence test. */
3540 return 0;
788e7dd4 3541
b197367e 3542 isec = inode_security(inode);
20dda18b 3543 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3544 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3545 /* No change since file_open check. */
20dda18b
SS		 3546 return 0;
3547
788e7dd4
YN		 3548 return selinux_revalidate_file_permission(file, mask);
3549}
3550
1da177e4
LT		 3551static int selinux_file_alloc_security(struct file *file)
3552{
3553 return file_alloc_security(file);
3554}
3555
fa1aa143
JVS		 3556/*
3557 * Check whether a task has the ioctl permission and cmd
3558 * operation to an inode.
3559 */
1d2a168a 3560static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3561 u32 requested, u16 cmd)
3562{
3563 struct common_audit_data ad;
bb6c6b02 3564 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3565 struct inode *inode = file_inode(file);
20cdef8d 3566 struct inode_security_struct *isec;
fa1aa143
JVS		 3567 struct lsm_ioctlop_audit ioctl;
3568 u32 ssid = cred_sid(cred);
3569 int rc;
3570 u8 driver = cmd >> 8;
3571 u8 xperm = cmd & 0xff;
3572
3573 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3574 ad.u.op = &ioctl;
3575 ad.u.op->cmd = cmd;
3576 ad.u.op->path = file->f_path;
3577
3578 if (ssid != fsec->sid) {
6b6bc620
SS		 3579 rc = avc_has_perm(&selinux_state,
3580 ssid, fsec->sid,
fa1aa143
JVS		 3581 SECCLASS_FD,
3582 FD__USE,
3583 &ad);
3584 if (rc)
3585 goto out;
3586 }
3587
3588 if (unlikely(IS_PRIVATE(inode)))
3589 return 0;
3590
20cdef8d 3591 isec = inode_security(inode);
6b6bc620
SS		 3592 rc = avc_has_extended_perms(&selinux_state,
3593 ssid, isec->sid, isec->sclass,
3594 requested, driver, xperm, &ad);
fa1aa143
JVS		 3595out:
3596 return rc;
3597}
3598
1da177e4
LT		 3599static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3600 unsigned long arg)
3601{
88e67f3b 3602 const struct cred *cred = current_cred();
0b24dcb7 3603 int error = 0;
1da177e4 3604
0b24dcb7
EP		 3605 switch (cmd) {
3606 case FIONREAD:
3607 /* fall through */
3608 case FIBMAP:
3609 /* fall through */
3610 case FIGETBSZ:
3611 /* fall through */
2f99c369 3612 case FS_IOC_GETFLAGS:
0b24dcb7 3613 /* fall through */
2f99c369 3614 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3615 error = file_has_perm(cred, file, FILE__GETATTR);
3616 break;
1da177e4 3617
2f99c369 3618 case FS_IOC_SETFLAGS:
0b24dcb7 3619 /* fall through */
2f99c369 3620 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3621 error = file_has_perm(cred, file, FILE__SETATTR);
3622 break;
3623
3624 /* sys_ioctl() checks */
3625 case FIONBIO:
3626 /* fall through */
3627 case FIOASYNC:
3628 error = file_has_perm(cred, file, 0);
3629 break;
1da177e4 3630
0b24dcb7
EP		 3631 case KDSKBENT:
3632 case KDSKBSENT:
6a9de491 3633 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3634 CAP_OPT_NONE, true);
0b24dcb7
EP		 3635 break;
3636
3637 /* default case assumes that the command will go
3638 * to the file's ioctl() function.
3639 */
3640 default:
fa1aa143 3641 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3642 }
3643 return error;
1da177e4
LT		 3644}
3645
fcaaade1
SS		 3646static int default_noexec;
3647
1da177e4
LT		 3648static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3649{
88e67f3b 3650 const struct cred *cred = current_cred();
be0554c9 3651 u32 sid = cred_sid(cred);
d84f4f99 3652 int rc = 0;
88e67f3b 3653
fcaaade1 3654 if (default_noexec &&
892e8cac
SS		 3655 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3656 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3657 /*
3658 * We are making executable an anonymous mapping or a
3659 * private file mapping that will also be writable.
3660 * This has an additional check.
3661 */
6b6bc620
SS		 3662 rc = avc_has_perm(&selinux_state,
3663 sid, sid, SECCLASS_PROCESS,
be0554c9 3664 PROCESS__EXECMEM, NULL);
1da177e4 3665 if (rc)
d84f4f99 3666 goto error;
1da177e4 3667 }
1da177e4
LT		 3668
3669 if (file) {
3670 /* read access is always possible with a mapping */
3671 u32 av = FILE__READ;
3672
3673 /* write access only matters if the mapping is shared */
3674 if (shared && (prot & PROT_WRITE))
3675 av |= FILE__WRITE;
3676
3677 if (prot & PROT_EXEC)
3678 av |= FILE__EXECUTE;
3679
88e67f3b 3680 return file_has_perm(cred, file, av);
1da177e4 3681 }
d84f4f99
DH		 3682
3683error:
3684 return rc;
1da177e4
LT		 3685}
3686
e5467859 3687static int selinux_mmap_addr(unsigned long addr)
1da177e4 3688{
b1d9e6b0 3689 int rc = 0;
1da177e4 3690
a2551df7 3691 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3692 u32 sid = current_sid();
6b6bc620
SS		 3693 rc = avc_has_perm(&selinux_state,
3694 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3695 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3696 }
3697
98883bfd 3698 return rc;
e5467859 3699}
1da177e4 3700
e5467859
AV		 3701static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3702 unsigned long prot, unsigned long flags)
3703{
3ba4bf5f
SS		 3704 struct common_audit_data ad;
3705 int rc;
3706
3707 if (file) {
3708 ad.type = LSM_AUDIT_DATA_FILE;
3709 ad.u.file = file;
3710 rc = inode_has_perm(current_cred(), file_inode(file),
3711 FILE__MAP, &ad);
3712 if (rc)
3713 return rc;
3714 }
3715
aa8e712c 3716 if (selinux_state.checkreqprot)
1da177e4
LT		 3717 prot = reqprot;
3718
3719 return file_map_prot_check(file, prot,
3720 (flags & MAP_TYPE) == MAP_SHARED);
3721}
3722
3723static int selinux_file_mprotect(struct vm_area_struct *vma,
3724 unsigned long reqprot,
3725 unsigned long prot)
3726{
88e67f3b 3727 const struct cred *cred = current_cred();
be0554c9 3728 u32 sid = cred_sid(cred);
1da177e4 3729
aa8e712c 3730 if (selinux_state.checkreqprot)
1da177e4
LT		 3731 prot = reqprot;
3732
fcaaade1
SS		 3733 if (default_noexec &&
3734 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3735 int rc = 0;
db4c9641
SS		 3736 if (vma->vm_start >= vma->vm_mm->start_brk &&
3737 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3738 rc = avc_has_perm(&selinux_state,
3739 sid, sid, SECCLASS_PROCESS,
be0554c9 3740 PROCESS__EXECHEAP, NULL);
db4c9641 3741 } else if (!vma->vm_file &&
c2316dbf
SS		 3742 ((vma->vm_start <= vma->vm_mm->start_stack &&
3743 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3744 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3745 rc = avc_has_perm(&selinux_state,
3746 sid, sid, SECCLASS_PROCESS,
be0554c9 3747 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3748 } else if (vma->vm_file && vma->anon_vma) {
3749 /*
3750 * We are making executable a file mapping that has
3751 * had some COW done. Since pages might have been
3752 * written, check ability to execute the possibly
3753 * modified content. This typically should only
3754 * occur for text relocations.
3755 */
d84f4f99 3756 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3757 }