]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
resource: Add test cases for new resource API
[mirror_ubuntu-hirsute-kernel.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4
LT		 2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7efbb60b 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
b89999d0 27#include <linux/kernel_read_file.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4 29#include <linux/errno.h>
3f07c014 30#include <linux/sched/signal.h>
29930025 31#include <linux/sched/task.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
442155c1
DH		 49#include <linux/fs_context.h>
50#include <linux/fs_parser.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
23970741 82#include <linux/mutex.h>
f06febc9 83#include <linux/posix-timers.h>
00234592 84#include <linux/syslog.h>
3486740a 85#include <linux/user_namespace.h>
44fc7ea0 86#include <linux/export.h>
40401530
AV		 87#include <linux/msg.h>
88#include <linux/shm.h>
ec27c356 89#include <linux/bpf.h>
ec882da5
OM		 90#include <linux/kernfs.h>
91#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 92#include <uapi/linux/mount.h>
ac5656d8
AG		 93#include <linux/fsnotify.h>
94#include <linux/fanotify.h>
1da177e4
LT		 95
96#include "avc.h"
97#include "objsec.h"
98#include "netif.h"
224dfbd8 99#include "netnode.h"
3e112172 100#include "netport.h"
409dcf31 101#include "ibpkey.h"
d28d1e08 102#include "xfrm.h"
c60475bf 103#include "netlabel.h"
9d57a7f9 104#include "audit.h"
7b98a585 105#include "avc_ss.h"
1da177e4 106
aa8e712c
SS		 107struct selinux_state selinux_state;
108
d621d35e 109/* SECMARK reference count */
56a4ca99 110static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 111
1da177e4 112#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
6c5a682e 113static int selinux_enforcing_boot __initdata;
1da177e4
LT		 114
115static int __init enforcing_setup(char *str)
116{
f5269710 117 unsigned long enforcing;
29707b20 118 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 119 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 120 return 1;
121}
122__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 123#else
124#define selinux_enforcing_boot 1
1da177e4
LT		 125#endif
126
6c5a682e 127int selinux_enabled_boot __initdata = 1;
1da177e4 128#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 129static int __init selinux_enabled_setup(char *str)
130{
f5269710 131 unsigned long enabled;
29707b20 132 if (!kstrtoul(str, 0, &enabled))
6c5a682e 133 selinux_enabled_boot = enabled ? 1 : 0;
1da177e4
LT		 134 return 1;
135}
136__setup("selinux=", selinux_enabled_setup);
137#endif
138
aa8e712c
SS		 139static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
e9c38f9f 146 if (!kstrtoul(str, 0, &checkreqprot)) {
aa8e712c 147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
e9c38f9f
SS		 148 if (checkreqprot)
149 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
150 }
aa8e712c
SS		 151 return 1;
152}
153__setup("checkreqprot=", checkreqprot_setup);
154
d621d35e
PM		 155/**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 164 *
165 */
166static int selinux_secmark_enabled(void)
167{
aa8e712c
SS		 168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 170}
171
172/**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
182static int selinux_peerlbl_enabled(void)
183{
aa8e712c
SS		 184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 186}
187
615e51fd
PM		 188static int selinux_netcache_avc_callback(u32 event)
189{
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197}
198
8f408ab6
DJ		 199static int selinux_lsm_notifier_avc_callback(u32 event)
200{
409dcf31
DJ		 201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
42df744c 203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 204 }
8f408ab6
DJ		 205
206 return 0;
207}
208
d84f4f99
DH		 209/*
210 * initialise the security for the init task
211 */
212static void cred_init_security(void)
1da177e4 213{
3b11a1de 214 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 215 struct task_security_struct *tsec;
216
bbd3662a 217 tsec = selinux_cred(cred);
d84f4f99 218 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 219}
220
88e67f3b
DH		 221/*
222 * get the security ID of a set of credentials
223 */
224static inline u32 cred_sid(const struct cred *cred)
225{
226 const struct task_security_struct *tsec;
227
0c6cfa62 228 tsec = selinux_cred(cred);
88e67f3b
DH		 229 return tsec->sid;
230}
231
275bb41e 232/*
3b11a1de 233 * get the objective security ID of a task
275bb41e
DH		 234 */
235static inline u32 task_sid(const struct task_struct *task)
236{
275bb41e
DH		 237 u32 sid;
238
239 rcu_read_lock();
88e67f3b 240 sid = cred_sid(__task_cred(task));
275bb41e
DH		 241 rcu_read_unlock();
242 return sid;
243}
244
5d226df4
AG		 245static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247/*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 250 * allowed; when set to false, returns -ECHILD when the label is
e9193288 251 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 252 */
253static int __inode_security_revalidate(struct inode *inode,
e9193288 254 struct dentry *dentry,
5d226df4
AG		 255 bool may_sleep)
256{
80788c22 257 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 258
259 might_sleep_if(may_sleep);
260
65cddd50 261 if (selinux_initialized(&selinux_state) &&
aa8e712c 262 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
e9193288 271 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 272 }
273 return 0;
274}
275
5d226df4
AG		 276static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277{
80788c22 278 return selinux_inode(inode);
5d226df4
AG		 279}
280
281static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282{
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
80788c22 288 return selinux_inode(inode);
5d226df4
AG		 289}
290
83da53c5
AG		 291/*
292 * Get the security label of an inode.
293 */
294static struct inode_security_struct *inode_security(struct inode *inode)
295{
5d226df4 296 __inode_security_revalidate(inode, NULL, true);
80788c22 297 return selinux_inode(inode);
83da53c5
AG		 298}
299
2c97165b
PM		 300static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301{
302 struct inode *inode = d_backing_inode(dentry);
303
80788c22 304 return selinux_inode(inode);
2c97165b
PM		 305}
306
83da53c5
AG		 307/*
308 * Get the security label of a dentry's backing inode.
309 */
310static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311{
312 struct inode *inode = d_backing_inode(dentry);
313
5d226df4 314 __inode_security_revalidate(inode, dentry, true);
80788c22 315 return selinux_inode(inode);
83da53c5
AG		 316}
317
1da177e4
LT		 318static void inode_free_security(struct inode *inode)
319{
80788c22 320 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 321 struct superblock_security_struct *sbsec;
1da177e4 322
afb1cbe3
CS		 323 if (!isec)
324 return;
325 sbsec = inode->i_sb->s_security;
9629d04a
WL		 326 /*
327 * As not all inode security structures are in a list, we check for
328 * empty list outside of the lock to make sure that we won't waste
329 * time taking a lock doing nothing.
330 *
331 * The list_del_init() function can be safely called more than once.
332 * It should not be possible for this function to be called with
333 * concurrent list_add(), but for better safety against future changes
334 * in the code, we use list_empty_careful() here.
335 */
336 if (!list_empty_careful(&isec->list)) {
337 spin_lock(&sbsec->isec_lock);
1da177e4 338 list_del_init(&isec->list);
9629d04a
WL		 339 spin_unlock(&sbsec->isec_lock);
340 }
1da177e4
LT		 341}
342
1da177e4
LT		 343static void superblock_free_security(struct super_block *sb)
344{
345 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 346 sb->s_security = NULL;
347 kfree(sbsec);
348}
349
bd323655
AV		 350struct selinux_mnt_opts {
351 const char *fscontext, *context, *rootcontext, *defcontext;
352};
353
204cc0cc
AV		 354static void selinux_free_mnt_opts(void *mnt_opts)
355{
bd323655
AV		 356 struct selinux_mnt_opts *opts = mnt_opts;
357 kfree(opts->fscontext);
358 kfree(opts->context);
359 kfree(opts->rootcontext);
360 kfree(opts->defcontext);
204cc0cc
AV		 361 kfree(opts);
362}
363
1da177e4 364enum {
31e87930 365 Opt_error = -1,
442155c1
DH		 366 Opt_context = 0,
367 Opt_defcontext = 1,
1da177e4 368 Opt_fscontext = 2,
442155c1
DH		 369 Opt_rootcontext = 3,
370 Opt_seclabel = 4,
1da177e4
LT		 371};
372
da3d76ab 373#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 374static struct {
375 const char *name;
376 int len;
377 int opt;
378 bool has_arg;
379} tokens[] = {
da3d76ab
AV		 380 A(context, true),
381 A(fscontext, true),
382 A(defcontext, true),
383 A(rootcontext, true),
384 A(seclabel, false),
1da177e4 385};
169d68ef
AV		 386#undef A
387
388static int match_opt_prefix(char *s, int l, char **arg)
389{
390 int i;
391
392 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
393 size_t len = tokens[i].len;
394 if (len > l || memcmp(s, tokens[i].name, len))
395 continue;
396 if (tokens[i].has_arg) {
397 if (len == l || s[len] != '=')
398 continue;
399 *arg = s + len + 1;
400 } else if (len != l)
401 continue;
402 return tokens[i].opt;
403 }
404 return Opt_error;
405}
1da177e4
LT		 406
407#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
408
c312feb2
EP		 409static int may_context_mount_sb_relabel(u32 sid,
410 struct superblock_security_struct *sbsec,
275bb41e 411 const struct cred *cred)
c312feb2 412{
0c6cfa62 413 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 414 int rc;
415
6b6bc620
SS		 416 rc = avc_has_perm(&selinux_state,
417 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 418 FILESYSTEM__RELABELFROM, NULL);
419 if (rc)
420 return rc;
421
6b6bc620
SS		 422 rc = avc_has_perm(&selinux_state,
423 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 424 FILESYSTEM__RELABELTO, NULL);
425 return rc;
426}
427
0808925e
EP		 428static int may_context_mount_inode_relabel(u32 sid,
429 struct superblock_security_struct *sbsec,
275bb41e 430 const struct cred *cred)
0808925e 431{
0c6cfa62 432 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 433 int rc;
6b6bc620
SS		 434 rc = avc_has_perm(&selinux_state,
435 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 436 FILESYSTEM__RELABELFROM, NULL);
437 if (rc)
438 return rc;
439
6b6bc620
SS		 440 rc = avc_has_perm(&selinux_state,
441 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 442 FILESYSTEM__ASSOCIATE, NULL);
443 return rc;
444}
445
a83d6dda 446static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 447{
a83d6dda
OM		 448 /* Special handling. Genfs but also in-core setxattr handler */
449 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 450 !strcmp(sb->s_type->name, "pstore") ||
451 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 452 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 453 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 454 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 455 (!strcmp(sb->s_type->name, "cgroup") ||
456 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 457}
458
a83d6dda
OM		 459static int selinux_is_sblabel_mnt(struct super_block *sb)
460{
461 struct superblock_security_struct *sbsec = sb->s_security;
462
463 /*
464 * IMPORTANT: Double-check logic in this function when adding a new
465 * SECURITY_FS_USE_* definition!
466 */
467 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
468
469 switch (sbsec->behavior) {
470 case SECURITY_FS_USE_XATTR:
471 case SECURITY_FS_USE_TRANS:
472 case SECURITY_FS_USE_TASK:
473 case SECURITY_FS_USE_NATIVE:
474 return 1;
475
476 case SECURITY_FS_USE_GENFS:
477 return selinux_is_genfs_special_handling(sb);
478
479 /* Never allow relabeling on context mounts */
480 case SECURITY_FS_USE_MNTPOINT:
481 case SECURITY_FS_USE_NONE:
482 default:
483 return 0;
484 }
485}
486
c9180a57 487static int sb_finish_set_opts(struct super_block *sb)
1da177e4 488{
1da177e4 489 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 490 struct dentry *root = sb->s_root;
c6f493d6 491 struct inode *root_inode = d_backing_inode(root);
c9180a57 492 int rc = 0;
1da177e4 493
c9180a57
EP		 494 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
495 /* Make sure that the xattr handler exists and that no
496 error other than -ENODATA is returned by getxattr on
497 the root directory. -ENODATA is ok, as this may be
498 the first boot of the SELinux kernel before we have
499 assigned xattr values to the filesystem. */
5d6c3191 500 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 501 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 502 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 503 rc = -EOPNOTSUPP;
504 goto out;
505 }
5d6c3191
AG		 506
507 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 508 if (rc < 0 && rc != -ENODATA) {
509 if (rc == -EOPNOTSUPP)
c103a91e 510 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 511 "%s) has no security xattr handler\n",
512 sb->s_id, sb->s_type->name);
c9180a57 513 else
c103a91e 514 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 515 "%s) getxattr errno %d\n", sb->s_id,
516 sb->s_type->name, -rc);
c9180a57
EP		 517 goto out;
518 }
519 }
1da177e4 520
eadcabc6 521 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 522
523 /*
524 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
525 * leave the flag untouched because sb_clone_mnt_opts might be handing
526 * us a superblock that needs the flag to be cleared.
527 */
b43e725d 528 if (selinux_is_sblabel_mnt(sb))
12f348b9 529 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 530 else
531 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 532
c9180a57
EP		 533 /* Initialize the root inode. */
534 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 535
c9180a57
EP		 536 /* Initialize any other inodes associated with the superblock, e.g.
537 inodes created prior to initial policy load or inodes created
538 during get_sb by a pseudo filesystem that directly
539 populates itself. */
540 spin_lock(&sbsec->isec_lock);
8d64124a 541 while (!list_empty(&sbsec->isec_head)) {
c9180a57 542 struct inode_security_struct *isec =
8d64124a 543 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 544 struct inode_security_struct, list);
545 struct inode *inode = isec->inode;
923190d3 546 list_del_init(&isec->list);
c9180a57
EP		 547 spin_unlock(&sbsec->isec_lock);
548 inode = igrab(inode);
549 if (inode) {
550 if (!IS_PRIVATE(inode))
cb89e246 551 inode_doinit_with_dentry(inode, NULL);
c9180a57
EP		 552 iput(inode);
553 }
554 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 555 }
556 spin_unlock(&sbsec->isec_lock);
557out:
558 return rc;
559}
1da177e4 560
c9180a57
EP		 561static int bad_option(struct superblock_security_struct *sbsec, char flag,
562 u32 old_sid, u32 new_sid)
563{
0d90a7ec
DQ		 564 char mnt_flags = sbsec->flags & SE_MNTMASK;
565
c9180a57 566 /* check if the old mount command had the same options */
0d90a7ec 567 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 568 if (!(sbsec->flags & flag) ||
569 (old_sid != new_sid))
570 return 1;
571
572 /* check if we were passed the same options twice,
573 * aka someone passed context=a,context=b
574 */
0d90a7ec
DQ		 575 if (!(sbsec->flags & SE_SBINITIALIZED))
576 if (mnt_flags & flag)
c9180a57
EP		 577 return 1;
578 return 0;
579}
e0007529 580
bd323655
AV		 581static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
582{
583 int rc = security_context_str_to_sid(&selinux_state, s,
584 sid, GFP_KERNEL);
585 if (rc)
586 pr_warn("SELinux: security_context_str_to_sid"
587 "(%s) failed for (dev %s, type %s) errno=%d\n",
588 s, sb->s_id, sb->s_type->name, rc);
589 return rc;
590}
591
c9180a57
EP		 592/*
593 * Allow filesystems with binary mount data to explicitly set mount point
594 * labeling information.
595 */
e0007529 596static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 597 void *mnt_opts,
649f6e77
DQ		 598 unsigned long kern_flags,
599 unsigned long *set_kern_flags)
c9180a57 600{
275bb41e 601 const struct cred *cred = current_cred();
c9180a57 602 struct superblock_security_struct *sbsec = sb->s_security;
83da53c5 603 struct dentry *root = sbsec->sb->s_root;
bd323655 604 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 605 struct inode_security_struct *root_isec;
c9180a57
EP		 606 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
607 u32 defcontext_sid = 0;
bd323655 608 int rc = 0;
c9180a57
EP		 609
610 mutex_lock(&sbsec->lock);
611
65cddd50 612 if (!selinux_initialized(&selinux_state)) {
bd323655 613 if (!opts) {
c9180a57
EP		 614 /* Defer initialization until selinux_complete_init,
615 after the initial policy is loaded and the security
616 server is ready to handle calls. */
c9180a57
EP		 617 goto out;
618 }
619 rc = -EINVAL;
c103a91e 620 pr_warn("SELinux: Unable to set superblock options "
744ba35e 621 "before the security server is initialized\n");
1da177e4 622 goto out;
c9180a57 623 }
649f6e77
DQ		 624 if (kern_flags && !set_kern_flags) {
625 /* Specifying internal flags without providing a place to
626 * place the results is not allowed */
627 rc = -EINVAL;
628 goto out;
629 }
1da177e4 630
e0007529
EP		 631 /*
632 * Binary mount data FS will come through this function twice. Once
633 * from an explicit call and once from the generic calls from the vfs.
634 * Since the generic VFS calls will not contain any security mount data
635 * we need to skip the double mount verification.
636 *
637 * This does open a hole in which we will not notice if the first
638 * mount using this sb set explict options and a second mount using
639 * this sb does not set any security options. (The first options
640 * will be used for both mounts)
641 */
0d90a7ec 642 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 643 && !opts)
f5269710 644 goto out;
e0007529 645
2c97165b
PM		 646 root_isec = backing_inode_security_novalidate(root);
647
c9180a57
EP		 648 /*
649 * parse the mount options, check if they are valid sids.
650 * also check if someone is trying to mount the same sb more
651 * than once with different security options.
652 */
bd323655
AV		 653 if (opts) {
654 if (opts->fscontext) {
655 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
656 if (rc)
657 goto out;
c9180a57
EP		 658 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
659 fscontext_sid))
660 goto out_double_mount;
c9180a57 661 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 662 }
663 if (opts->context) {
664 rc = parse_sid(sb, opts->context, &context_sid);
665 if (rc)
666 goto out;
c9180a57
EP		 667 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
668 context_sid))
669 goto out_double_mount;
c9180a57 670 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 671 }
672 if (opts->rootcontext) {
673 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
674 if (rc)
675 goto out;
c9180a57
EP		 676 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
677 rootcontext_sid))
678 goto out_double_mount;
c9180a57 679 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 680 }
681 if (opts->defcontext) {
682 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
683 if (rc)
684 goto out;
c9180a57
EP		 685 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
686 defcontext_sid))
687 goto out_double_mount;
c9180a57 688 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 689 }
c9180a57
EP		 690 }
691
0d90a7ec 692 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 693 /* previously mounted with options, but not on this attempt? */
bd323655 694 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 695 goto out_double_mount;
696 rc = 0;
697 goto out;
698 }
699
089be43e 700 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 701 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
702
8e014720 703 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 704 !strcmp(sb->s_type->name, "tracefs") ||
a20456ae 705 !strcmp(sb->s_type->name, "binder") ||
4ca54d3d 706 !strcmp(sb->s_type->name, "bpf") ||
b754026b
OM		 707 !strcmp(sb->s_type->name, "pstore"))
708 sbsec->flags |= SE_SBGENFS;
709
710 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 711 !strcmp(sb->s_type->name, "cgroup") ||
712 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 713 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 714
eb9ae686
DQ		 715 if (!sbsec->behavior) {
716 /*
717 * Determine the labeling behavior to use for this
718 * filesystem type.
719 */
aa8e712c 720 rc = security_fs_use(&selinux_state, sb);
eb9ae686 721 if (rc) {
c103a91e 722 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 723 __func__, sb->s_type->name, rc);
724 goto out;
725 }
c9180a57 726 }
aad82892
SF		 727
728 /*
01593d32
SS		 729 * If this is a user namespace mount and the filesystem type is not
730 * explicitly whitelisted, then no contexts are allowed on the command
731 * line and security labels must be ignored.
aad82892 732 */
01593d32
SS		 733 if (sb->s_user_ns != &init_user_ns &&
734 strcmp(sb->s_type->name, "tmpfs") &&
735 strcmp(sb->s_type->name, "ramfs") &&
736 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 737 if (context_sid || fscontext_sid || rootcontext_sid ||
738 defcontext_sid) {
739 rc = -EACCES;
740 goto out;
741 }
742 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 744 rc = security_transition_sid(&selinux_state,
745 current_sid(),
746 current_sid(),
aad82892
SF		 747 SECCLASS_FILE, NULL,
748 &sbsec->mntpoint_sid);
749 if (rc)
750 goto out;
751 }
752 goto out_set_opts;
753 }
754
c9180a57
EP		 755 /* sets the context of the superblock for the fs being mounted. */
756 if (fscontext_sid) {
275bb41e 757 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 758 if (rc)
c9180a57 759 goto out;
1da177e4 760
c9180a57 761 sbsec->sid = fscontext_sid;
c312feb2
EP		 762 }
763
764 /*
765 * Switch to using mount point labeling behavior.
766 * sets the label used on all file below the mountpoint, and will set
767 * the superblock context if not already set.
768 */
eb9ae686
DQ		 769 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
770 sbsec->behavior = SECURITY_FS_USE_NATIVE;
771 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
772 }
773
c9180a57
EP		 774 if (context_sid) {
775 if (!fscontext_sid) {
275bb41e
DH		 776 rc = may_context_mount_sb_relabel(context_sid, sbsec,
777 cred);
b04ea3ce 778 if (rc)
c9180a57
EP		 779 goto out;
780 sbsec->sid = context_sid;
b04ea3ce 781 } else {
275bb41e
DH		 782 rc = may_context_mount_inode_relabel(context_sid, sbsec,
783 cred);
b04ea3ce 784 if (rc)
c9180a57 785 goto out;
b04ea3ce 786 }
c9180a57
EP		 787 if (!rootcontext_sid)
788 rootcontext_sid = context_sid;
1da177e4 789
c9180a57 790 sbsec->mntpoint_sid = context_sid;
c312feb2 791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 792 }
793
c9180a57 794 if (rootcontext_sid) {
275bb41e
DH		 795 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
796 cred);
0808925e 797 if (rc)
c9180a57 798 goto out;
0808925e 799
c9180a57 800 root_isec->sid = rootcontext_sid;
6f3be9f5 801 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 802 }
803
c9180a57 804 if (defcontext_sid) {
eb9ae686
DQ		 805 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
806 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 807 rc = -EINVAL;
c103a91e 808 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 809 "invalid for this filesystem type\n");
810 goto out;
1da177e4
LT		 811 }
812
c9180a57
EP		 813 if (defcontext_sid != sbsec->def_sid) {
814 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 815 sbsec, cred);
c9180a57
EP		 816 if (rc)
817 goto out;
818 }
1da177e4 819
c9180a57 820 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 821 }
822
aad82892 823out_set_opts:
c9180a57 824 rc = sb_finish_set_opts(sb);
1da177e4 825out:
c9180a57 826 mutex_unlock(&sbsec->lock);
1da177e4 827 return rc;
c9180a57
EP		 828out_double_mount:
829 rc = -EINVAL;
c103a91e 830 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 831 "security settings for (dev %s, type %s)\n", sb->s_id,
832 sb->s_type->name);
c9180a57 833 goto out;
1da177e4
LT		 834}
835
094f7b69
JL		 836static int selinux_cmp_sb_context(const struct super_block *oldsb,
837 const struct super_block *newsb)
838{
839 struct superblock_security_struct *old = oldsb->s_security;
840 struct superblock_security_struct *new = newsb->s_security;
841 char oldflags = old->flags & SE_MNTMASK;
842 char newflags = new->flags & SE_MNTMASK;
843
844 if (oldflags != newflags)
845 goto mismatch;
846 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
847 goto mismatch;
848 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
849 goto mismatch;
850 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
851 goto mismatch;
852 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 853 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
854 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 855 if (oldroot->sid != newroot->sid)
856 goto mismatch;
857 }
858 return 0;
859mismatch:
c103a91e 860 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 861 "different security settings for (dev %s, "
862 "type %s)\n", newsb->s_id, newsb->s_type->name);
863 return -EBUSY;
864}
865
866static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 867 struct super_block *newsb,
868 unsigned long kern_flags,
869 unsigned long *set_kern_flags)
1da177e4 870{
0b4d3452 871 int rc = 0;
c9180a57
EP		 872 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
873 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 874
c9180a57
EP		 875 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
876 int set_context = (oldsbsec->flags & CONTEXT_MNT);
877 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 878
0f5e6420
EP		 879 /*
880 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 881 * mount options. thus we can safely deal with this superblock later
0f5e6420 882 */
65cddd50 883 if (!selinux_initialized(&selinux_state))
094f7b69 884 return 0;
c9180a57 885
0b4d3452
SM		 886 /*
887 * Specifying internal flags without providing a place to
888 * place the results is not allowed.
889 */
890 if (kern_flags && !set_kern_flags)
891 return -EINVAL;
892
c9180a57 893 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 894 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 895
094f7b69 896 /* if fs is reusing a sb, make sure that the contexts match */
3815a245
BF		 897 if (newsbsec->flags & SE_SBINITIALIZED) {
898 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
899 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 900 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 901 }
5a552617 902
c9180a57
EP		 903 mutex_lock(&newsbsec->lock);
904
905 newsbsec->flags = oldsbsec->flags;
906
907 newsbsec->sid = oldsbsec->sid;
908 newsbsec->def_sid = oldsbsec->def_sid;
909 newsbsec->behavior = oldsbsec->behavior;
910
0b4d3452
SM		 911 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
912 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 913 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 914 if (rc)
915 goto out;
916 }
917
918 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
919 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
920 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
921 }
922
c9180a57
EP		 923 if (set_context) {
924 u32 sid = oldsbsec->mntpoint_sid;
925
926 if (!set_fscontext)
927 newsbsec->sid = sid;
928 if (!set_rootcontext) {
83da53c5 929 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 930 newisec->sid = sid;
931 }
932 newsbsec->mntpoint_sid = sid;
1da177e4 933 }
c9180a57 934 if (set_rootcontext) {
83da53c5
AG		 935 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
936 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 937
c9180a57 938 newisec->sid = oldisec->sid;
1da177e4
LT		 939 }
940
c9180a57 941 sb_finish_set_opts(newsb);
0b4d3452 942out:
c9180a57 943 mutex_unlock(&newsbsec->lock);
0b4d3452 944 return rc;
c9180a57
EP		 945}
946
ba641862 947static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 948{
ba641862 949 struct selinux_mnt_opts *opts = *mnt_opts;
1da177e4 950
da3d76ab 951 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef 952 return 0;
e0007529 953
ba641862
AV		 954 if (!opts) {
955 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
956 if (!opts)
957 return -ENOMEM;
958 *mnt_opts = opts;
c9180a57 959 }
ba641862
AV		 960 if (!s)
961 return -ENOMEM;
962 switch (token) {
963 case Opt_context:
964 if (opts->context || opts->defcontext)
965 goto Einval;
966 opts->context = s;
967 break;
968 case Opt_fscontext:
969 if (opts->fscontext)
970 goto Einval;
971 opts->fscontext = s;
972 break;
973 case Opt_rootcontext:
974 if (opts->rootcontext)
975 goto Einval;
976 opts->rootcontext = s;
977 break;
978 case Opt_defcontext:
979 if (opts->context || opts->defcontext)
980 goto Einval;
981 opts->defcontext = s;
982 break;
c9180a57 983 }
e0007529 984 return 0;
ba641862
AV		 985Einval:
986 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 987 return -EINVAL;
1da177e4 988}
e0007529 989
757cbe59
AV		 990static int selinux_add_mnt_opt(const char *option, const char *val, int len,
991 void **mnt_opts)
c9180a57 992{
757cbe59
AV		 993 int token = Opt_error;
994 int rc, i;
e0007529 995
757cbe59
AV		 996 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
997 if (strcmp(option, tokens[i].name) == 0) {
998 token = tokens[i].opt;
999 break;
169d68ef 1000 }
757cbe59 1001 }
e0007529 1002
757cbe59
AV		 1003 if (token == Opt_error)
1004 return -EINVAL;
e0007529 1005
e2e0e097 1006 if (token != Opt_seclabel) {
757cbe59 1007 val = kmemdup_nul(val, len, GFP_KERNEL);
e2e0e097
GZ		 1008 if (!val) {
1009 rc = -ENOMEM;
1010 goto free_opt;
1011 }
1012 }
757cbe59
AV		 1013 rc = selinux_add_opt(token, val, mnt_opts);
1014 if (unlikely(rc)) {
1015 kfree(val);
e2e0e097
GZ		 1016 goto free_opt;
1017 }
1018 return rc;
1019
1020free_opt:
1021 if (*mnt_opts) {
1022 selinux_free_mnt_opts(*mnt_opts);
1023 *mnt_opts = NULL;
1da177e4 1024 }
e0007529
EP		 1025 return rc;
1026}
1da177e4 1027
e3489f89 1028static int show_sid(struct seq_file *m, u32 sid)
2069f457 1029{
e3489f89
AV		 1030 char *context = NULL;
1031 u32 len;
1032 int rc;
11689d47 1033
e3489f89
AV		 1034 rc = security_sid_to_context(&selinux_state, sid,
1035 &context, &len);
1036 if (!rc) {
1037 bool has_comma = context && strchr(context, ',');
2069f457 1038
442155c1 1039 seq_putc(m, '=');
2069f457
EP		 1040 if (has_comma)
1041 seq_putc(m, '\"');
e3489f89 1042 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1043 if (has_comma)
1044 seq_putc(m, '\"');
1045 }
e3489f89
AV		 1046 kfree(context);
1047 return rc;
2069f457
EP		 1048}
1049
1050static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1051{
e3489f89 1052 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1053 int rc;
1054
e3489f89
AV		 1055 if (!(sbsec->flags & SE_SBINITIALIZED))
1056 return 0;
2069f457 1057
65cddd50 1058 if (!selinux_initialized(&selinux_state))
e3489f89 1059 return 0;
2069f457 1060
e3489f89
AV		 1061 if (sbsec->flags & FSCONTEXT_MNT) {
1062 seq_putc(m, ',');
1063 seq_puts(m, FSCONTEXT_STR);
1064 rc = show_sid(m, sbsec->sid);
1065 if (rc)
1066 return rc;
1067 }
1068 if (sbsec->flags & CONTEXT_MNT) {
1069 seq_putc(m, ',');
1070 seq_puts(m, CONTEXT_STR);
1071 rc = show_sid(m, sbsec->mntpoint_sid);
1072 if (rc)
1073 return rc;
1074 }
1075 if (sbsec->flags & DEFCONTEXT_MNT) {
1076 seq_putc(m, ',');
1077 seq_puts(m, DEFCONTEXT_STR);
1078 rc = show_sid(m, sbsec->def_sid);
1079 if (rc)
1080 return rc;
1081 }
1082 if (sbsec->flags & ROOTCONTEXT_MNT) {
1083 struct dentry *root = sbsec->sb->s_root;
1084 struct inode_security_struct *isec = backing_inode_security(root);
1085 seq_putc(m, ',');
1086 seq_puts(m, ROOTCONTEXT_STR);
1087 rc = show_sid(m, isec->sid);
1088 if (rc)
1089 return rc;
1090 }
1091 if (sbsec->flags & SBLABEL_MNT) {
1092 seq_putc(m, ',');
442155c1 1093 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1094 }
1095 return 0;
2069f457
EP		 1096}
1097
1da177e4
LT		 1098static inline u16 inode_mode_to_security_class(umode_t mode)
1099{
1100 switch (mode & S_IFMT) {
1101 case S_IFSOCK:
1102 return SECCLASS_SOCK_FILE;
1103 case S_IFLNK:
1104 return SECCLASS_LNK_FILE;
1105 case S_IFREG:
1106 return SECCLASS_FILE;
1107 case S_IFBLK:
1108 return SECCLASS_BLK_FILE;
1109 case S_IFDIR:
1110 return SECCLASS_DIR;
1111 case S_IFCHR:
1112 return SECCLASS_CHR_FILE;
1113 case S_IFIFO:
1114 return SECCLASS_FIFO_FILE;
1115
1116 }
1117
1118 return SECCLASS_FILE;
1119}
1120
13402580
JM		 1121static inline int default_protocol_stream(int protocol)
1122{
1123 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1124}
1125
1126static inline int default_protocol_dgram(int protocol)
1127{
1128 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1129}
1130
1da177e4
LT		 1131static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1132{
aa8e712c 1133 int extsockclass = selinux_policycap_extsockclass();
da69a530 1134
1da177e4
LT		 1135 switch (family) {
1136 case PF_UNIX:
1137 switch (type) {
1138 case SOCK_STREAM:
1139 case SOCK_SEQPACKET:
1140 return SECCLASS_UNIX_STREAM_SOCKET;
1141 case SOCK_DGRAM:
2a764b52 1142 case SOCK_RAW:
1da177e4
LT		 1143 return SECCLASS_UNIX_DGRAM_SOCKET;
1144 }
1145 break;
1146 case PF_INET:
1147 case PF_INET6:
1148 switch (type) {
1149 case SOCK_STREAM:
da69a530 1150 case SOCK_SEQPACKET:
13402580
JM		 1151 if (default_protocol_stream(protocol))
1152 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1153 else if (extsockclass && protocol == IPPROTO_SCTP)
1154 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1155 else
1156 return SECCLASS_RAWIP_SOCKET;
1da177e4 1157 case SOCK_DGRAM:
13402580
JM		 1158 if (default_protocol_dgram(protocol))
1159 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1160 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1161 protocol == IPPROTO_ICMPV6))
da69a530 1162 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1163 else
1164 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1165 case SOCK_DCCP:
1166 return SECCLASS_DCCP_SOCKET;
13402580 1167 default:
1da177e4
LT		 1168 return SECCLASS_RAWIP_SOCKET;
1169 }
1170 break;
1171 case PF_NETLINK:
1172 switch (protocol) {
1173 case NETLINK_ROUTE:
1174 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1175 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1176 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1177 case NETLINK_NFLOG:
1178 return SECCLASS_NETLINK_NFLOG_SOCKET;
1179 case NETLINK_XFRM:
1180 return SECCLASS_NETLINK_XFRM_SOCKET;
1181 case NETLINK_SELINUX:
1182 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1183 case NETLINK_ISCSI:
1184 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1185 case NETLINK_AUDIT:
1186 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1187 case NETLINK_FIB_LOOKUP:
1188 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1189 case NETLINK_CONNECTOR:
1190 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1191 case NETLINK_NETFILTER:
1192 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1193 case NETLINK_DNRTMSG:
1194 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1195 case NETLINK_KOBJECT_UEVENT:
1196 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1197 case NETLINK_GENERIC:
1198 return SECCLASS_NETLINK_GENERIC_SOCKET;
1199 case NETLINK_SCSITRANSPORT:
1200 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1201 case NETLINK_RDMA:
1202 return SECCLASS_NETLINK_RDMA_SOCKET;
1203 case NETLINK_CRYPTO:
1204 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1205 default:
1206 return SECCLASS_NETLINK_SOCKET;
1207 }
1208 case PF_PACKET:
1209 return SECCLASS_PACKET_SOCKET;
1210 case PF_KEY:
1211 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1212 case PF_APPLETALK:
1213 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1214 }
1215
da69a530
SS		 1216 if (extsockclass) {
1217 switch (family) {
1218 case PF_AX25:
1219 return SECCLASS_AX25_SOCKET;
1220 case PF_IPX:
1221 return SECCLASS_IPX_SOCKET;
1222 case PF_NETROM:
1223 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1224 case PF_ATMPVC:
1225 return SECCLASS_ATMPVC_SOCKET;
1226 case PF_X25:
1227 return SECCLASS_X25_SOCKET;
1228 case PF_ROSE:
1229 return SECCLASS_ROSE_SOCKET;
1230 case PF_DECnet:
1231 return SECCLASS_DECNET_SOCKET;
1232 case PF_ATMSVC:
1233 return SECCLASS_ATMSVC_SOCKET;
1234 case PF_RDS:
1235 return SECCLASS_RDS_SOCKET;
1236 case PF_IRDA:
1237 return SECCLASS_IRDA_SOCKET;
1238 case PF_PPPOX:
1239 return SECCLASS_PPPOX_SOCKET;
1240 case PF_LLC:
1241 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1242 case PF_CAN:
1243 return SECCLASS_CAN_SOCKET;
1244 case PF_TIPC:
1245 return SECCLASS_TIPC_SOCKET;
1246 case PF_BLUETOOTH:
1247 return SECCLASS_BLUETOOTH_SOCKET;
1248 case PF_IUCV:
1249 return SECCLASS_IUCV_SOCKET;
1250 case PF_RXRPC:
1251 return SECCLASS_RXRPC_SOCKET;
1252 case PF_ISDN:
1253 return SECCLASS_ISDN_SOCKET;
1254 case PF_PHONET:
1255 return SECCLASS_PHONET_SOCKET;
1256 case PF_IEEE802154:
1257 return SECCLASS_IEEE802154_SOCKET;
1258 case PF_CAIF:
1259 return SECCLASS_CAIF_SOCKET;
1260 case PF_ALG:
1261 return SECCLASS_ALG_SOCKET;
1262 case PF_NFC:
1263 return SECCLASS_NFC_SOCKET;
1264 case PF_VSOCK:
1265 return SECCLASS_VSOCK_SOCKET;
1266 case PF_KCM:
1267 return SECCLASS_KCM_SOCKET;
1268 case PF_QIPCRTR:
1269 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1270 case PF_SMC:
1271 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1272 case PF_XDP:
1273 return SECCLASS_XDP_SOCKET;
1274#if PF_MAX > 45
da69a530
SS		 1275#error New address family defined, please update this function.
1276#endif
1277 }
1278 }
1279
1da177e4
LT		 1280 return SECCLASS_SOCKET;
1281}
1282
134509d5
SS		 1283static int selinux_genfs_get_sid(struct dentry *dentry,
1284 u16 tclass,
1285 u16 flags,
1286 u32 *sid)
1da177e4 1287{
8e6c9693 1288 int rc;
fc64005c 1289 struct super_block *sb = dentry->d_sb;
8e6c9693 1290 char *buffer, *path;
1da177e4 1291
828dfe1d 1292 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1293 if (!buffer)
1294 return -ENOMEM;
1295
8e6c9693
LAG		 1296 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1297 if (IS_ERR(path))
1298 rc = PTR_ERR(path);
1299 else {
134509d5
SS		 1300 if (flags & SE_SBPROC) {
1301 /* each process gets a /proc/PID/ entry. Strip off the
1302 * PID part to get a valid selinux labeling.
1303 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1304 while (path[1] >= '0' && path[1] <= '9') {
1305 path[1] = '/';
1306 path++;
1307 }
8e6c9693 1308 }
aa8e712c
SS		 1309 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1310 path, tclass, sid);
7bb185ed
SS		 1311 if (rc == -ENOENT) {
1312 /* No match in policy, mark as unlabeled. */
1313 *sid = SECINITSID_UNLABELED;
1314 rc = 0;
1315 }
1da177e4 1316 }
1da177e4
LT		 1317 free_page((unsigned long)buffer);
1318 return rc;
1319}
1da177e4 1320
b754026b
OM		 1321static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1322 u32 def_sid, u32 *sid)
1323{
1324#define INITCONTEXTLEN 255
1325 char *context;
1326 unsigned int len;
1327 int rc;
1328
1329 len = INITCONTEXTLEN;
1330 context = kmalloc(len + 1, GFP_NOFS);
1331 if (!context)
1332 return -ENOMEM;
1333
1334 context[len] = '\0';
1335 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1336 if (rc == -ERANGE) {
1337 kfree(context);
1338
1339 /* Need a larger buffer. Query for the right size. */
1340 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1341 if (rc < 0)
1342 return rc;
1343
1344 len = rc;
1345 context = kmalloc(len + 1, GFP_NOFS);
1346 if (!context)
1347 return -ENOMEM;
1348
1349 context[len] = '\0';
1350 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1351 context, len);
1352 }
1353 if (rc < 0) {
1354 kfree(context);
1355 if (rc != -ENODATA) {
1356 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1357 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1358 return rc;
1359 }
1360 *sid = def_sid;
1361 return 0;
1362 }
1363
1364 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1365 def_sid, GFP_NOFS);
1366 if (rc) {
1367 char *dev = inode->i_sb->s_id;
1368 unsigned long ino = inode->i_ino;
1369
1370 if (rc == -EINVAL) {
1371 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1372 ino, dev, context);
1373 } else {
1374 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1375 __func__, context, -rc, dev, ino);
1376 }
1377 }
1378 kfree(context);
1379 return 0;
1380}
1381
1da177e4
LT		 1382/* The inode's security attributes must be initialized before first use. */
1383static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1384{
1385 struct superblock_security_struct *sbsec = NULL;
80788c22 1386 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1387 u32 task_sid, sid = 0;
1388 u16 sclass;
1da177e4 1389 struct dentry *dentry;
1da177e4 1390 int rc = 0;
1da177e4 1391
6f3be9f5 1392 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1393 return 0;
1da177e4 1394
9287aed2 1395 spin_lock(&isec->lock);
6f3be9f5 1396 if (isec->initialized == LABEL_INITIALIZED)
23970741 1397 goto out_unlock;
1da177e4 1398
13457d07
AG		 1399 if (isec->sclass == SECCLASS_FILE)
1400 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1401
1da177e4 1402 sbsec = inode->i_sb->s_security;
0d90a7ec 1403 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1404 /* Defer initialization until selinux_complete_init,
1405 after the initial policy is loaded and the security
1406 server is ready to handle calls. */
1407 spin_lock(&sbsec->isec_lock);
1408 if (list_empty(&isec->list))
1409 list_add(&isec->list, &sbsec->isec_head);
1410 spin_unlock(&sbsec->isec_lock);
23970741 1411 goto out_unlock;
1da177e4
LT		 1412 }
1413
9287aed2
AG		 1414 sclass = isec->sclass;
1415 task_sid = isec->task_sid;
1416 sid = isec->sid;
1417 isec->initialized = LABEL_PENDING;
1418 spin_unlock(&isec->lock);
1419
1da177e4 1420 switch (sbsec->behavior) {
eb9ae686
DQ		 1421 case SECURITY_FS_USE_NATIVE:
1422 break;
1da177e4 1423 case SECURITY_FS_USE_XATTR:
5d6c3191 1424 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1425 sid = sbsec->def_sid;
1da177e4
LT		 1426 break;
1427 }
1da177e4
LT		 1428 /* Need a dentry, since the xattr API requires one.
1429 Life would be simpler if we could just pass the inode. */
1430 if (opt_dentry) {
1431 /* Called from d_instantiate or d_splice_alias. */
1432 dentry = dget(opt_dentry);
1433 } else {
b127125d
AV		 1434 /*
1435 * Called from selinux_complete_init, try to find a dentry.
1436 * Some filesystems really want a connected one, so try
1437 * that first. We could split SECURITY_FS_USE_XATTR in
1438 * two, depending upon that...
1439 */
1da177e4 1440 dentry = d_find_alias(inode);
b127125d
AV		 1441 if (!dentry)
1442 dentry = d_find_any_alias(inode);
1da177e4
LT		 1443 }
1444 if (!dentry) {
df7f54c0
EP		 1445 /*
1446 * this is can be hit on boot when a file is accessed
1447 * before the policy is loaded. When we load policy we
1448 * may find inodes that have no dentry on the
1449 * sbsec->isec_head list. No reason to complain as these
1450 * will get fixed up the next time we go through
1451 * inode_doinit with a dentry, before these inodes could
1452 * be used again by userspace.
1453 */
9287aed2 1454 goto out;
1da177e4
LT		 1455 }
1456
b754026b
OM		 1457 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1458 &sid);
1da177e4 1459 dput(dentry);
b754026b
OM		 1460 if (rc)
1461 goto out;
1da177e4
LT		 1462 break;
1463 case SECURITY_FS_USE_TASK:
9287aed2 1464 sid = task_sid;
1da177e4
LT		 1465 break;
1466 case SECURITY_FS_USE_TRANS:
1467 /* Default to the fs SID. */
9287aed2 1468 sid = sbsec->sid;
1da177e4
LT		 1469
1470 /* Try to obtain a transition SID. */
aa8e712c
SS		 1471 rc = security_transition_sid(&selinux_state, task_sid, sid,
1472 sclass, NULL, &sid);
1da177e4 1473 if (rc)
9287aed2 1474 goto out;
1da177e4 1475 break;
c312feb2 1476 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1477 sid = sbsec->mntpoint_sid;
c312feb2 1478 break;
1da177e4 1479 default:
c312feb2 1480 /* Default to the fs superblock SID. */
9287aed2 1481 sid = sbsec->sid;
1da177e4 1482
7470d0d1
CG		 1483 if ((sbsec->flags & SE_SBGENFS) &&
1484 (!S_ISLNK(inode->i_mode) ||
1485 selinux_policycap_genfs_seclabel_symlinks())) {
f64410ec
PM		 1486 /* We must have a dentry to determine the label on
1487 * procfs inodes */
b127125d 1488 if (opt_dentry) {
f64410ec
PM		 1489 /* Called from d_instantiate or
1490 * d_splice_alias. */
1491 dentry = dget(opt_dentry);
b127125d 1492 } else {
f64410ec 1493 /* Called from selinux_complete_init, try to
b127125d
AV		 1494 * find a dentry. Some filesystems really want
1495 * a connected one, so try that first.
1496 */
f64410ec 1497 dentry = d_find_alias(inode);
b127125d
AV		 1498 if (!dentry)
1499 dentry = d_find_any_alias(inode);
1500 }
f64410ec
PM		 1501 /*
1502 * This can be hit on boot when a file is accessed
1503 * before the policy is loaded. When we load policy we
1504 * may find inodes that have no dentry on the
1505 * sbsec->isec_head list. No reason to complain as
1506 * these will get fixed up the next time we go through
1507 * inode_doinit() with a dentry, before these inodes
1508 * could be used again by userspace.
1509 */
1510 if (!dentry)
9287aed2
AG		 1511 goto out;
1512 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1513 sbsec->flags, &sid);
b754026b
OM		 1514 if (rc) {
1515 dput(dentry);
9287aed2 1516 goto out;
b754026b
OM		 1517 }
1518
1519 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1520 (inode->i_opflags & IOP_XATTR)) {
1521 rc = inode_doinit_use_xattr(inode, dentry,
1522 sid, &sid);
1523 if (rc) {
1524 dput(dentry);
1525 goto out;
1526 }
1527 }
1528 dput(dentry);
1da177e4
LT		 1529 }
1530 break;
1531 }
1532
9287aed2
AG		 1533out:
1534 spin_lock(&isec->lock);
1535 if (isec->initialized == LABEL_PENDING) {
1536 if (!sid || rc) {
1537 isec->initialized = LABEL_INVALID;
1538 goto out_unlock;
1539 }
1540
1541 isec->initialized = LABEL_INITIALIZED;
1542 isec->sid = sid;
1543 }
1da177e4 1544
23970741 1545out_unlock:
9287aed2 1546 spin_unlock(&isec->lock);
1da177e4
LT		 1547 return rc;
1548}
1549
1550/* Convert a Linux signal to an access vector. */
1551static inline u32 signal_to_av(int sig)
1552{
1553 u32 perm = 0;
1554
1555 switch (sig) {
1556 case SIGCHLD:
1557 /* Commonly granted from child to parent. */
1558 perm = PROCESS__SIGCHLD;
1559 break;
1560 case SIGKILL:
1561 /* Cannot be caught or ignored */
1562 perm = PROCESS__SIGKILL;
1563 break;
1564 case SIGSTOP:
1565 /* Cannot be caught or ignored */
1566 perm = PROCESS__SIGSTOP;
1567 break;
1568 default:
1569 /* All other signals. */
1570 perm = PROCESS__SIGNAL;
1571 break;
1572 }
1573
1574 return perm;
1575}
1576
b68e418c
SS		 1577#if CAP_LAST_CAP > 63
1578#error Fix SELinux to handle capabilities > 63.
1579#endif
1580
1da177e4 1581/* Check whether a task is allowed to use a capability. */
6a9de491 1582static int cred_has_capability(const struct cred *cred,
c1a85a00 1583 int cap, unsigned int opts, bool initns)
1da177e4 1584{
2bf49690 1585 struct common_audit_data ad;
06112163 1586 struct av_decision avd;
b68e418c 1587 u16 sclass;
3699c53c 1588 u32 sid = cred_sid(cred);
b68e418c 1589 u32 av = CAP_TO_MASK(cap);
06112163 1590 int rc;
1da177e4 1591
50c205f5 1592 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1593 ad.u.cap = cap;
1594
b68e418c
SS		 1595 switch (CAP_TO_INDEX(cap)) {
1596 case 0:
8e4ff6f2 1597 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1598 break;
1599 case 1:
8e4ff6f2 1600 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1601 break;
1602 default:
c103a91e 1603 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1604 BUG();
a35c6c83 1605 return -EINVAL;
b68e418c 1606 }
06112163 1607
6b6bc620
SS		 1608 rc = avc_has_perm_noaudit(&selinux_state,
1609 sid, sid, sclass, av, 0, &avd);
c1a85a00 1610 if (!(opts & CAP_OPT_NOAUDIT)) {
6b6bc620
SS		 1611 int rc2 = avc_audit(&selinux_state,
1612 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1613 if (rc2)
1614 return rc2;
1615 }
06112163 1616 return rc;
1da177e4
LT		 1617}
1618
1da177e4
LT		 1619/* Check whether a task has a particular permission to an inode.
1620 The 'adp' parameter is optional and allows other audit
1621 data to be passed (e.g. the dentry). */
88e67f3b 1622static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1623 struct inode *inode,
1624 u32 perms,
19e49834 1625 struct common_audit_data *adp)
1da177e4 1626{
1da177e4 1627 struct inode_security_struct *isec;
275bb41e 1628 u32 sid;
1da177e4 1629
e0e81739
DH		 1630 validate_creds(cred);
1631
828dfe1d 1632 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1633 return 0;
1634
88e67f3b 1635 sid = cred_sid(cred);
80788c22 1636 isec = selinux_inode(inode);
1da177e4 1637
6b6bc620
SS		 1638 return avc_has_perm(&selinux_state,
1639 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1640}
1641
1642/* Same as inode_has_perm, but pass explicit audit data containing
1643 the dentry to help the auditing code to more easily generate the
1644 pathname if needed. */
88e67f3b 1645static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1646 struct dentry *dentry,
1647 u32 av)
1648{
c6f493d6 1649 struct inode *inode = d_backing_inode(dentry);
2bf49690 1650 struct common_audit_data ad;
88e67f3b 1651
50c205f5 1652 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1653 ad.u.dentry = dentry;
5d226df4 1654 __inode_security_revalidate(inode, dentry, true);
19e49834 1655 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1656}
1657
1658/* Same as inode_has_perm, but pass explicit audit data containing
1659 the path to help the auditing code to more easily generate the
1660 pathname if needed. */
1661static inline int path_has_perm(const struct cred *cred,
3f7036a0 1662 const struct path *path,
2875fa00
EP		 1663 u32 av)
1664{
c6f493d6 1665 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1666 struct common_audit_data ad;
1667
50c205f5 1668 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1669 ad.u.path = *path;
5d226df4 1670 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1671 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1672}
1673
13f8e981
DH		 1674/* Same as path_has_perm, but uses the inode from the file struct. */
1675static inline int file_path_has_perm(const struct cred *cred,
1676 struct file *file,
1677 u32 av)
1678{
1679 struct common_audit_data ad;
1680
43af5de7
VG		 1681 ad.type = LSM_AUDIT_DATA_FILE;
1682 ad.u.file = file;
19e49834 1683 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1684}
1685
f66e448c
CF		 1686#ifdef CONFIG_BPF_SYSCALL
1687static int bpf_fd_pass(struct file *file, u32 sid);
1688#endif
1689
1da177e4
LT		 1690/* Check whether a task can use an open file descriptor to
1691 access an inode in a given way. Check access to the
1692 descriptor itself, and then use dentry_has_perm to
1693 check a particular permission to the file.
1694 Access to the descriptor is implicitly granted if it
1695 has the same SID as the process. If av is zero, then
1696 access to the file is not checked, e.g. for cases
1697 where only the descriptor is affected like seek. */
88e67f3b
DH		 1698static int file_has_perm(const struct cred *cred,
1699 struct file *file,
1700 u32 av)
1da177e4 1701{
bb6c6b02 1702 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1703 struct inode *inode = file_inode(file);
2bf49690 1704 struct common_audit_data ad;
88e67f3b 1705 u32 sid = cred_sid(cred);
1da177e4
LT		 1706 int rc;
1707
43af5de7
VG		 1708 ad.type = LSM_AUDIT_DATA_FILE;
1709 ad.u.file = file;
1da177e4 1710
275bb41e 1711 if (sid != fsec->sid) {
6b6bc620
SS		 1712 rc = avc_has_perm(&selinux_state,
1713 sid, fsec->sid,
1da177e4
LT		 1714 SECCLASS_FD,
1715 FD__USE,
1716 &ad);
1717 if (rc)
88e67f3b 1718 goto out;
1da177e4
LT		 1719 }
1720
f66e448c
CF		 1721#ifdef CONFIG_BPF_SYSCALL
1722 rc = bpf_fd_pass(file, cred_sid(cred));
1723 if (rc)
1724 return rc;
1725#endif
1726
1da177e4 1727 /* av is zero if only checking access to the descriptor. */
88e67f3b 1728 rc = 0;
1da177e4 1729 if (av)
19e49834 1730 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1731
88e67f3b
DH		 1732out:
1733 return rc;
1da177e4
LT		 1734}
1735
c3c188b2
DH		 1736/*
1737 * Determine the label for an inode that might be unioned.
1738 */
c957f6df
VG		 1739static int
1740selinux_determine_inode_label(const struct task_security_struct *tsec,
1741 struct inode *dir,
1742 const struct qstr *name, u16 tclass,
1743 u32 *_new_isid)
c3c188b2
DH		 1744{
1745 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1746
1747 if ((sbsec->flags & SE_SBINITIALIZED) &&
1748 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1749 *_new_isid = sbsec->mntpoint_sid;
1750 } else if ((sbsec->flags & SBLABEL_MNT) &&
1751 tsec->create_sid) {
1752 *_new_isid = tsec->create_sid;
1753 } else {
20cdef8d 1754 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1755 return security_transition_sid(&selinux_state, tsec->sid,
1756 dsec->sid, tclass,
c3c188b2
DH		 1757 name, _new_isid);
1758 }
1759
1760 return 0;
1761}
1762
1da177e4
LT		 1763/* Check whether a task can create a file. */
1764static int may_create(struct inode *dir,
1765 struct dentry *dentry,
1766 u16 tclass)
1767{
0c6cfa62 1768 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1769 struct inode_security_struct *dsec;
1770 struct superblock_security_struct *sbsec;
275bb41e 1771 u32 sid, newsid;
2bf49690 1772 struct common_audit_data ad;
1da177e4
LT		 1773 int rc;
1774
83da53c5 1775 dsec = inode_security(dir);
1da177e4
LT		 1776 sbsec = dir->i_sb->s_security;
1777
275bb41e 1778 sid = tsec->sid;
275bb41e 1779
50c205f5 1780 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1781 ad.u.dentry = dentry;
1da177e4 1782
6b6bc620
SS		 1783 rc = avc_has_perm(&selinux_state,
1784 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1785 DIR__ADD_NAME | DIR__SEARCH,
1786 &ad);
1787 if (rc)
1788 return rc;
1789
210a2928
YG		 1790 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1791 &newsid);
c3c188b2
DH		 1792 if (rc)
1793 return rc;
1da177e4 1794
6b6bc620
SS		 1795 rc = avc_has_perm(&selinux_state,
1796 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1797 if (rc)
1798 return rc;
1799
6b6bc620
SS		 1800 return avc_has_perm(&selinux_state,
1801 newsid, sbsec->sid,
1da177e4
LT		 1802 SECCLASS_FILESYSTEM,
1803 FILESYSTEM__ASSOCIATE, &ad);
1804}
1805
828dfe1d
EP		 1806#define MAY_LINK 0
1807#define MAY_UNLINK 1
1808#define MAY_RMDIR 2
1da177e4
LT		 1809
1810/* Check whether a task can link, unlink, or rmdir a file/directory. */
1811static int may_link(struct inode *dir,
1812 struct dentry *dentry,
1813 int kind)
1814
1815{
1da177e4 1816 struct inode_security_struct *dsec, *isec;
2bf49690 1817 struct common_audit_data ad;
275bb41e 1818 u32 sid = current_sid();
1da177e4
LT		 1819 u32 av;
1820 int rc;
1821
83da53c5
AG		 1822 dsec = inode_security(dir);
1823 isec = backing_inode_security(dentry);
1da177e4 1824
50c205f5 1825 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1826 ad.u.dentry = dentry;
1da177e4
LT		 1827
1828 av = DIR__SEARCH;
1829 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1830 rc = avc_has_perm(&selinux_state,
1831 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1832 if (rc)
1833 return rc;
1834
1835 switch (kind) {
1836 case MAY_LINK:
1837 av = FILE__LINK;
1838 break;
1839 case MAY_UNLINK:
1840 av = FILE__UNLINK;
1841 break;
1842 case MAY_RMDIR:
1843 av = DIR__RMDIR;
1844 break;
1845 default:
c103a91e 1846 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1847 __func__, kind);
1da177e4
LT		 1848 return 0;
1849 }
1850
6b6bc620
SS		 1851 rc = avc_has_perm(&selinux_state,
1852 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1853 return rc;
1854}
1855
1856static inline int may_rename(struct inode *old_dir,
1857 struct dentry *old_dentry,
1858 struct inode *new_dir,
1859 struct dentry *new_dentry)
1860{
1da177e4 1861 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1862 struct common_audit_data ad;
275bb41e 1863 u32 sid = current_sid();
1da177e4
LT		 1864 u32 av;
1865 int old_is_dir, new_is_dir;
1866 int rc;
1867
83da53c5
AG		 1868 old_dsec = inode_security(old_dir);
1869 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1870 old_is_dir = d_is_dir(old_dentry);
83da53c5 1871 new_dsec = inode_security(new_dir);
1da177e4 1872
50c205f5 1873 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1874
a269434d 1875 ad.u.dentry = old_dentry;
6b6bc620
SS		 1876 rc = avc_has_perm(&selinux_state,
1877 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1878 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1879 if (rc)
1880 return rc;
6b6bc620
SS		 1881 rc = avc_has_perm(&selinux_state,
1882 sid, old_isec->sid,
1da177e4
LT		 1883 old_isec->sclass, FILE__RENAME, &ad);
1884 if (rc)
1885 return rc;
1886 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1887 rc = avc_has_perm(&selinux_state,
1888 sid, old_isec->sid,
1da177e4
LT		 1889 old_isec->sclass, DIR__REPARENT, &ad);
1890 if (rc)
1891 return rc;
1892 }
1893
a269434d 1894 ad.u.dentry = new_dentry;
1da177e4 1895 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1896 if (d_is_positive(new_dentry))
1da177e4 1897 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1898 rc = avc_has_perm(&selinux_state,
1899 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1900 if (rc)
1901 return rc;
2c616d4d 1902 if (d_is_positive(new_dentry)) {
83da53c5 1903 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1904 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1905 rc = avc_has_perm(&selinux_state,
1906 sid, new_isec->sid,
1da177e4
LT		 1907 new_isec->sclass,
1908 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1909 if (rc)
1910 return rc;
1911 }
1912
1913 return 0;
1914}
1915
1916/* Check whether a task can perform a filesystem operation. */
88e67f3b 1917static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1918 struct super_block *sb,
1919 u32 perms,
2bf49690 1920 struct common_audit_data *ad)
1da177e4 1921{
1da177e4 1922 struct superblock_security_struct *sbsec;
88e67f3b 1923 u32 sid = cred_sid(cred);
1da177e4 1924
1da177e4 1925 sbsec = sb->s_security;
6b6bc620
SS		 1926 return avc_has_perm(&selinux_state,
1927 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1928}
1929
1930/* Convert a Linux mode and permission mask to an access vector. */
1931static inline u32 file_mask_to_av(int mode, int mask)
1932{
1933 u32 av = 0;
1934
dba19c60 1935 if (!S_ISDIR(mode)) {
1da177e4
LT		 1936 if (mask & MAY_EXEC)
1937 av |= FILE__EXECUTE;
1938 if (mask & MAY_READ)
1939 av |= FILE__READ;
1940
1941 if (mask & MAY_APPEND)
1942 av |= FILE__APPEND;
1943 else if (mask & MAY_WRITE)
1944 av |= FILE__WRITE;
1945
1946 } else {
1947 if (mask & MAY_EXEC)
1948 av |= DIR__SEARCH;
1949 if (mask & MAY_WRITE)
1950 av |= DIR__WRITE;
1951 if (mask & MAY_READ)
1952 av |= DIR__READ;
1953 }
1954
1955 return av;
1956}
1957
8b6a5a37
EP		 1958/* Convert a Linux file to an access vector. */
1959static inline u32 file_to_av(struct file *file)
1960{
1961 u32 av = 0;
1962
1963 if (file->f_mode & FMODE_READ)
1964 av |= FILE__READ;
1965 if (file->f_mode & FMODE_WRITE) {
1966 if (file->f_flags & O_APPEND)
1967 av |= FILE__APPEND;
1968 else
1969 av |= FILE__WRITE;
1970 }
1971 if (!av) {
1972 /*
1973 * Special file opened with flags 3 for ioctl-only use.
1974 */
1975 av = FILE__IOCTL;
1976 }
1977
1978 return av;
1979}
1980
b0c636b9 1981/*
c76a2f9e 1982 * Convert a file to an access vector and include the correct
b0c636b9
EP		 1983 * open permission.
1984 */
8b6a5a37 1985static inline u32 open_file_to_av(struct file *file)
b0c636b9 1986{
8b6a5a37 1987 u32 av = file_to_av(file);
ccb54478 1988 struct inode *inode = file_inode(file);
b0c636b9 1989
aa8e712c
SS		 1990 if (selinux_policycap_openperm() &&
1991 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 1992 av |= FILE__OPEN;
1993
b0c636b9
EP		 1994 return av;
1995}
1996
1da177e4
LT		 1997/* Hook functions begin here. */
1998
79af7307
SS		 1999static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2000{
2001 u32 mysid = current_sid();
2002 u32 mgrsid = task_sid(mgr);
2003
6b6bc620
SS		 2004 return avc_has_perm(&selinux_state,
2005 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2006 BINDER__SET_CONTEXT_MGR, NULL);
2007}
2008
2009static int selinux_binder_transaction(struct task_struct *from,
2010 struct task_struct *to)
2011{
2012 u32 mysid = current_sid();
2013 u32 fromsid = task_sid(from);
2014 u32 tosid = task_sid(to);
2015 int rc;
2016
2017 if (mysid != fromsid) {
6b6bc620
SS		 2018 rc = avc_has_perm(&selinux_state,
2019 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2020 BINDER__IMPERSONATE, NULL);
2021 if (rc)
2022 return rc;
2023 }
2024
6b6bc620
SS		 2025 return avc_has_perm(&selinux_state,
2026 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2027 NULL);
2028}
2029
2030static int selinux_binder_transfer_binder(struct task_struct *from,
2031 struct task_struct *to)
2032{
2033 u32 fromsid = task_sid(from);
2034 u32 tosid = task_sid(to);
2035
6b6bc620
SS		 2036 return avc_has_perm(&selinux_state,
2037 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2038 NULL);
2039}
2040
2041static int selinux_binder_transfer_file(struct task_struct *from,
2042 struct task_struct *to,
2043 struct file *file)
2044{
2045 u32 sid = task_sid(to);
bb6c6b02 2046 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2047 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2048 struct inode_security_struct *isec;
79af7307
SS		 2049 struct common_audit_data ad;
2050 int rc;
2051
2052 ad.type = LSM_AUDIT_DATA_PATH;
2053 ad.u.path = file->f_path;
2054
2055 if (sid != fsec->sid) {
6b6bc620
SS		 2056 rc = avc_has_perm(&selinux_state,
2057 sid, fsec->sid,
79af7307
SS		 2058 SECCLASS_FD,
2059 FD__USE,
2060 &ad);
2061 if (rc)
2062 return rc;
2063 }
2064
f66e448c
CF		 2065#ifdef CONFIG_BPF_SYSCALL
2066 rc = bpf_fd_pass(file, sid);
2067 if (rc)
2068 return rc;
2069#endif
2070
83da53c5 2071 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2072 return 0;
2073
20cdef8d 2074 isec = backing_inode_security(dentry);
6b6bc620
SS		 2075 return avc_has_perm(&selinux_state,
2076 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2077 &ad);
2078}
2079
9e48858f 2080static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2081 unsigned int mode)
1da177e4 2082{
be0554c9
SS		 2083 u32 sid = current_sid();
2084 u32 csid = task_sid(child);
2085
2086 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2087 return avc_has_perm(&selinux_state,
2088 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2089
6b6bc620
SS		 2090 return avc_has_perm(&selinux_state,
2091 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2092}
2093
2094static int selinux_ptrace_traceme(struct task_struct *parent)
2095{
6b6bc620
SS		 2096 return avc_has_perm(&selinux_state,
2097 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2098 PROCESS__PTRACE, NULL);
1da177e4
LT		 2099}
2100
2101static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2102 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2103{
6b6bc620
SS		 2104 return avc_has_perm(&selinux_state,
2105 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2106 PROCESS__GETCAP, NULL);
1da177e4
LT		 2107}
2108
d84f4f99
DH		 2109static int selinux_capset(struct cred *new, const struct cred *old,
2110 const kernel_cap_t *effective,
2111 const kernel_cap_t *inheritable,
2112 const kernel_cap_t *permitted)
1da177e4 2113{
6b6bc620
SS		 2114 return avc_has_perm(&selinux_state,
2115 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2116 PROCESS__SETCAP, NULL);
1da177e4
LT		 2117}
2118
5626d3e8
JM		 2119/*
2120 * (This comment used to live with the selinux_task_setuid hook,
2121 * which was removed).
2122 *
2123 * Since setuid only affects the current process, and since the SELinux
2124 * controls are not based on the Linux identity attributes, SELinux does not
2125 * need to control this operation. However, SELinux does control the use of
2126 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2127 */
2128
6a9de491 2129static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2130 int cap, unsigned int opts)
1da177e4 2131{
c1a85a00 2132 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2133}
2134
1da177e4
LT		 2135static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2136{
88e67f3b 2137 const struct cred *cred = current_cred();
1da177e4
LT		 2138 int rc = 0;
2139
2140 if (!sb)
2141 return 0;
2142
2143 switch (cmds) {
828dfe1d
EP		 2144 case Q_SYNC:
2145 case Q_QUOTAON:
2146 case Q_QUOTAOFF:
2147 case Q_SETINFO:
2148 case Q_SETQUOTA:
e4cfa05e
RH		 2149 case Q_XQUOTAOFF:
2150 case Q_XQUOTAON:
2151 case Q_XSETQLIM:
88e67f3b 2152 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2153 break;
2154 case Q_GETFMT:
2155 case Q_GETINFO:
2156 case Q_GETQUOTA:
e4cfa05e
RH		 2157 case Q_XGETQUOTA:
2158 case Q_XGETQSTAT:
2159 case Q_XGETQSTATV:
2160 case Q_XGETNEXTQUOTA:
88e67f3b 2161 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2162 break;
2163 default:
2164 rc = 0; /* let the kernel handle invalid cmds */
2165 break;
1da177e4
LT		 2166 }
2167 return rc;
2168}
2169
2170static int selinux_quota_on(struct dentry *dentry)
2171{
88e67f3b
DH		 2172 const struct cred *cred = current_cred();
2173
2875fa00 2174 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2175}
2176
12b3052c 2177static int selinux_syslog(int type)
1da177e4 2178{
1da177e4 2179 switch (type) {
d78ca3cd
KC		 2180 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2181 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2182 return avc_has_perm(&selinux_state,
2183 current_sid(), SECINITSID_KERNEL,
be0554c9 2184 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2185 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2186 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2187 /* Set level of messages printed to console */
2188 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2189 return avc_has_perm(&selinux_state,
2190 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2191 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2192 NULL);
1da177e4 2193 }
be0554c9 2194 /* All other syslog types */
6b6bc620
SS		 2195 return avc_has_perm(&selinux_state,
2196 current_sid(), SECINITSID_KERNEL,
be0554c9 2197 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2198}
2199
2200/*
2201 * Check that a process has enough memory to allocate a new virtual
2202 * mapping. 0 means there is enough memory for the allocation to
2203 * succeed and -ENOMEM implies there is not.
2204 *
1da177e4
LT		 2205 * Do not audit the selinux permission check, as this is applied to all
2206 * processes that allocate mappings.
2207 */
34b4e4aa 2208static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2209{
2210 int rc, cap_sys_admin = 0;
1da177e4 2211
b1d9e6b0 2212 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2213 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2214 if (rc == 0)
2215 cap_sys_admin = 1;
2216
b1d9e6b0 2217 return cap_sys_admin;
1da177e4
LT		 2218}
2219
2220/* binprm security operations */
2221
be0554c9 2222static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2223{
2224 u32 sid = 0;
2225 struct task_struct *tracer;
2226
2227 rcu_read_lock();
be0554c9 2228 tracer = ptrace_parent(current);
0c6181cb
PM		 2229 if (tracer)
2230 sid = task_sid(tracer);
2231 rcu_read_unlock();
2232
2233 return sid;
2234}
2235
7b0d0b40
SS		 2236static int check_nnp_nosuid(const struct linux_binprm *bprm,
2237 const struct task_security_struct *old_tsec,
2238 const struct task_security_struct *new_tsec)
2239{
2240 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2241 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2242 int rc;
af63f419 2243 u32 av;
7b0d0b40
SS		 2244
2245 if (!nnp && !nosuid)
2246 return 0; /* neither NNP nor nosuid */
2247
2248 if (new_tsec->sid == old_tsec->sid)
2249 return 0; /* No change in credentials */
2250
2251 /*
af63f419
SS		 2252 * If the policy enables the nnp_nosuid_transition policy capability,
2253 * then we permit transitions under NNP or nosuid if the
2254 * policy allows the corresponding permission between
2255 * the old and new contexts.
7b0d0b40 2256 */
aa8e712c 2257 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2258 av = 0;
7b0d0b40 2259 if (nnp)
af63f419
SS		 2260 av |= PROCESS2__NNP_TRANSITION;
2261 if (nosuid)
2262 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2263 rc = avc_has_perm(&selinux_state,
2264 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2265 SECCLASS_PROCESS2, av, NULL);
2266 if (!rc)
2267 return 0;
7b0d0b40 2268 }
af63f419
SS		 2269
2270 /*
2271 * We also permit NNP or nosuid transitions to bounded SIDs,
2272 * i.e. SIDs that are guaranteed to only be allowed a subset
2273 * of the permissions of the current SID.
2274 */
aa8e712c
SS		 2275 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2276 new_tsec->sid);
af63f419
SS		 2277 if (!rc)
2278 return 0;
2279
2280 /*
2281 * On failure, preserve the errno values for NNP vs nosuid.
2282 * NNP: Operation not permitted for caller.
2283 * nosuid: Permission denied to file.
2284 */
2285 if (nnp)
2286 return -EPERM;
2287 return -EACCES;
7b0d0b40
SS		 2288}
2289
b8bff599 2290static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
1da177e4 2291{
a6f76f23
DH		 2292 const struct task_security_struct *old_tsec;
2293 struct task_security_struct *new_tsec;
1da177e4 2294 struct inode_security_struct *isec;
2bf49690 2295 struct common_audit_data ad;
496ad9aa 2296 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2297 int rc;
2298
a6f76f23
DH		 2299 /* SELinux context only depends on initial program or script and not
2300 * the script interpreter */
1da177e4 2301
0c6cfa62
CS		 2302 old_tsec = selinux_cred(current_cred());
2303 new_tsec = selinux_cred(bprm->cred);
83da53c5 2304 isec = inode_security(inode);
1da177e4
LT		 2305
2306 /* Default to the current task SID. */
a6f76f23
DH		 2307 new_tsec->sid = old_tsec->sid;
2308 new_tsec->osid = old_tsec->sid;
1da177e4 2309
28eba5bf 2310 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2311 new_tsec->create_sid = 0;
2312 new_tsec->keycreate_sid = 0;
2313 new_tsec->sockcreate_sid = 0;
1da177e4 2314
a6f76f23
DH		 2315 if (old_tsec->exec_sid) {
2316 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2317 /* Reset exec SID on execve. */
a6f76f23 2318 new_tsec->exec_sid = 0;
259e5e6c 2319
7b0d0b40
SS		 2320 /* Fail on NNP or nosuid if not an allowed transition. */
2321 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2322 if (rc)
2323 return rc;
1da177e4
LT		 2324 } else {
2325 /* Check for a default transition on this program. */
aa8e712c
SS		 2326 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2327 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2328 &new_tsec->sid);
1da177e4
LT		 2329 if (rc)
2330 return rc;
7b0d0b40
SS		 2331
2332 /*
2333 * Fallback to old SID on NNP or nosuid if not an allowed
2334 * transition.
2335 */
2336 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2337 if (rc)
2338 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2339 }
2340
43af5de7
VG		 2341 ad.type = LSM_AUDIT_DATA_FILE;
2342 ad.u.file = bprm->file;
1da177e4 2343
a6f76f23 2344 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2345 rc = avc_has_perm(&selinux_state,
2346 old_tsec->sid, isec->sid,
1da177e4
LT		 2347 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2348 if (rc)
2349 return rc;
2350 } else {
2351 /* Check permissions for the transition. */
6b6bc620
SS		 2352 rc = avc_has_perm(&selinux_state,
2353 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2354 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2355 if (rc)
2356 return rc;
2357
6b6bc620
SS		 2358 rc = avc_has_perm(&selinux_state,
2359 new_tsec->sid, isec->sid,
1da177e4
LT		 2360 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2361 if (rc)
2362 return rc;
2363
a6f76f23
DH		 2364 /* Check for shared state */
2365 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2366 rc = avc_has_perm(&selinux_state,
2367 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2368 SECCLASS_PROCESS, PROCESS__SHARE,
2369 NULL);
2370 if (rc)
2371 return -EPERM;
2372 }
2373
2374 /* Make sure that anyone attempting to ptrace over a task that
2375 * changes its SID has the appropriate permit */
9227dd2a 2376 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2377 u32 ptsid = ptrace_parent_sid();
a6f76f23 2378 if (ptsid != 0) {
6b6bc620
SS		 2379 rc = avc_has_perm(&selinux_state,
2380 ptsid, new_tsec->sid,
a6f76f23
DH		 2381 SECCLASS_PROCESS,
2382 PROCESS__PTRACE, NULL);
2383 if (rc)
2384 return -EPERM;
2385 }
2386 }
1da177e4 2387
a6f76f23
DH		 2388 /* Clear any possibly unsafe personality bits on exec: */
2389 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2390
1da177e4
LT		 2391 /* Enable secure mode for SIDs transitions unless
2392 the noatsecure permission is granted between
2393 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2394 rc = avc_has_perm(&selinux_state,
2395 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2396 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2397 NULL);
2398 bprm->secureexec |= !!rc;
1da177e4
LT		 2399 }
2400
62874c3a 2401 return 0;
1da177e4
LT		 2402}
2403
c3c073f8
AV		 2404static int match_file(const void *p, struct file *file, unsigned fd)
2405{
2406 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2407}
2408
1da177e4 2409/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2410static inline void flush_unauthorized_files(const struct cred *cred,
2411 struct files_struct *files)
1da177e4 2412{
1da177e4 2413 struct file *file, *devnull = NULL;
b20c8122 2414 struct tty_struct *tty;
24ec839c 2415 int drop_tty = 0;
c3c073f8 2416 unsigned n;
1da177e4 2417
24ec839c 2418 tty = get_current_tty();
1da177e4 2419 if (tty) {
4a510969 2420 spin_lock(&tty->files_lock);
37dd0bd0 2421 if (!list_empty(&tty->tty_files)) {
d996b62a 2422 struct tty_file_private *file_priv;
37dd0bd0 2423
1da177e4 2424 /* Revalidate access to controlling tty.
13f8e981
DH		 2425 Use file_path_has_perm on the tty path directly
2426 rather than using file_has_perm, as this particular
2427 open file may belong to another process and we are
2428 only interested in the inode-based check here. */
d996b62a
NP		 2429 file_priv = list_first_entry(&tty->tty_files,
2430 struct tty_file_private, list);
2431 file = file_priv->file;
13f8e981 2432 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2433 drop_tty = 1;
1da177e4 2434 }
4a510969 2435 spin_unlock(&tty->files_lock);
452a00d2 2436 tty_kref_put(tty);
1da177e4 2437 }
98a27ba4
EB		 2438 /* Reset controlling tty. */
2439 if (drop_tty)
2440 no_tty();
1da177e4
LT		 2441
2442 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2443 n = iterate_fd(files, 0, match_file, cred);
2444 if (!n) /* none found? */
2445 return;
1da177e4 2446
c3c073f8 2447 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2448 if (IS_ERR(devnull))
2449 devnull = NULL;
2450 /* replace all the matching ones with this */
2451 do {
2452 replace_fd(n - 1, devnull, 0);
2453 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2454 if (devnull)
c3c073f8 2455 fput(devnull);
1da177e4
LT		 2456}
2457
a6f76f23
DH		 2458/*
2459 * Prepare a process for imminent new credential changes due to exec
2460 */
2461static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2462{
a6f76f23
DH		 2463 struct task_security_struct *new_tsec;
2464 struct rlimit *rlim, *initrlim;
2465 int rc, i;
d84f4f99 2466
0c6cfa62 2467 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2468 if (new_tsec->sid == new_tsec->osid)
2469 return;
1da177e4 2470
a6f76f23
DH		 2471 /* Close files for which the new task SID is not authorized. */
2472 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2473
a6f76f23
DH		 2474 /* Always clear parent death signal on SID transitions. */
2475 current->pdeath_signal = 0;
0356357c 2476
a6f76f23
DH		 2477 /* Check whether the new SID can inherit resource limits from the old
2478 * SID. If not, reset all soft limits to the lower of the current
2479 * task's hard limit and the init task's soft limit.
2480 *
2481 * Note that the setting of hard limits (even to lower them) can be
2482 * controlled by the setrlimit check. The inclusion of the init task's
2483 * soft limit into the computation is to avoid resetting soft limits
2484 * higher than the default soft limit for cases where the default is
2485 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2486 */
6b6bc620
SS		 2487 rc = avc_has_perm(&selinux_state,
2488 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2489 PROCESS__RLIMITINH, NULL);
2490 if (rc) {
eb2d55a3
ON		 2491 /* protect against do_prlimit() */
2492 task_lock(current);
a6f76f23
DH		 2493 for (i = 0; i < RLIM_NLIMITS; i++) {
2494 rlim = current->signal->rlim + i;
2495 initrlim = init_task.signal->rlim + i;
2496 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2497 }
eb2d55a3 2498 task_unlock(current);
baa73d9e
NP		 2499 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2500 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2501 }
2502}
2503
2504/*
a6f76f23
DH		 2505 * Clean up the process immediately after the installation of new credentials
2506 * due to exec
1da177e4 2507 */
a6f76f23 2508static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2509{
0c6cfa62 2510 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2511 u32 osid, sid;
ddbc7d06 2512 int rc;
1da177e4 2513
a6f76f23
DH		 2514 osid = tsec->osid;
2515 sid = tsec->sid;
2516
2517 if (sid == osid)
1da177e4
LT		 2518 return;
2519
a6f76f23
DH		 2520 /* Check whether the new SID can inherit signal state from the old SID.
2521 * If not, clear itimers to avoid subsequent signal generation and
2522 * flush and unblock signals.
2523 *
2524 * This must occur _after_ the task SID has been updated so that any
2525 * kill done after the flush will be checked against the new SID.
2526 */
6b6bc620
SS		 2527 rc = avc_has_perm(&selinux_state,
2528 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2529 if (rc) {
ddbc7d06
AB		 2530 clear_itimer();
2531
1da177e4 2532 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2533 if (!fatal_signal_pending(current)) {
2534 flush_sigqueue(&current->pending);
2535 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2536 flush_signal_handlers(current, 1);
2537 sigemptyset(&current->blocked);
9e7c8f8c 2538 recalc_sigpending();
3bcac026 2539 }
1da177e4
LT		 2540 spin_unlock_irq(&current->sighand->siglock);
2541 }
2542
a6f76f23
DH		 2543 /* Wake up the parent if it is waiting so that it can recheck
2544 * wait permission to the new task SID. */
ecd6de3c 2545 read_lock(&tasklist_lock);
0b7570e7 2546 __wake_up_parent(current, current->real_parent);
ecd6de3c 2547 read_unlock(&tasklist_lock);
1da177e4
LT		 2548}
2549
2550/* superblock security operations */
2551
2552static int selinux_sb_alloc_security(struct super_block *sb)
2553{
cb89e246
PM		 2554 struct superblock_security_struct *sbsec;
2555
2556 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
2557 if (!sbsec)
2558 return -ENOMEM;
2559
2560 mutex_init(&sbsec->lock);
2561 INIT_LIST_HEAD(&sbsec->isec_head);
2562 spin_lock_init(&sbsec->isec_lock);
2563 sbsec->sb = sb;
2564 sbsec->sid = SECINITSID_UNLABELED;
2565 sbsec->def_sid = SECINITSID_FILE;
2566 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2567 sb->s_security = sbsec;
2568
2569 return 0;
1da177e4
LT		 2570}
2571
2572static void selinux_sb_free_security(struct super_block *sb)
2573{
2574 superblock_free_security(sb);
2575}
2576
99dbbb59 2577static inline int opt_len(const char *s)
1da177e4 2578{
99dbbb59
AV		 2579 bool open_quote = false;
2580 int len;
2581 char c;
1da177e4 2582
99dbbb59
AV		 2583 for (len = 0; (c = s[len]) != '\0'; len++) {
2584 if (c == '"')
2585 open_quote = !open_quote;
2586 if (c == ',' && !open_quote)
2587 break;
3528a953 2588 }
99dbbb59 2589 return len;
3528a953
CO		 2590}
2591
99dbbb59 2592static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2593{
99dbbb59
AV		 2594 char *from = options;
2595 char *to = options;
2596 bool first = true;
fec63753 2597 int rc;
1da177e4 2598
99dbbb59
AV		 2599 while (1) {
2600 int len = opt_len(from);
fec63753 2601 int token;
99dbbb59 2602 char *arg = NULL;
1da177e4 2603
99dbbb59 2604 token = match_opt_prefix(from, len, &arg);
1da177e4 2605
99dbbb59
AV		 2606 if (token != Opt_error) {
2607 char *p, *q;
1da177e4 2608
99dbbb59
AV		 2609 /* strip quotes */
2610 if (arg) {
2611 for (p = q = arg; p < from + len; p++) {
2612 char c = *p;
2613 if (c != '"')
2614 *q++ = c;
2615 }
2616 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2617 if (!arg) {
2618 rc = -ENOMEM;
2619 goto free_opt;
2620 }
99dbbb59
AV		 2621 }
2622 rc = selinux_add_opt(token, arg, mnt_opts);
2623 if (unlikely(rc)) {
2624 kfree(arg);
fec63753 2625 goto free_opt;
99dbbb59
AV		 2626 }
2627 } else {
2628 if (!first) { // copy with preceding comma
2629 from--;
2630 len++;
2631 }
2632 if (to != from)
2633 memmove(to, from, len);
2634 to += len;
2635 first = false;
1da177e4 2636 }
99dbbb59
AV		 2637 if (!from[len])
2638 break;
2639 from += len + 1;
2640 }
2641 *to = '\0';
2642 return 0;
fec63753
GZ		 2643
2644free_opt:
2645 if (*mnt_opts) {
2646 selinux_free_mnt_opts(*mnt_opts);
2647 *mnt_opts = NULL;
2648 }
2649 return rc;
1da177e4
LT		 2650}
2651
204cc0cc 2652static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2653{
bd323655 2654 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2655 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2656 u32 sid;
2657 int rc;
026eb167
EP		 2658
2659 if (!(sbsec->flags & SE_SBINITIALIZED))
2660 return 0;
2661
204cc0cc 2662 if (!opts)
026eb167
EP		 2663 return 0;
2664
bd323655
AV		 2665 if (opts->fscontext) {
2666 rc = parse_sid(sb, opts->fscontext, &sid);
2667 if (rc)
c039bc3c 2668 return rc;
bd323655
AV		 2669 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2670 goto out_bad_option;
026eb167 2671 }
bd323655
AV		 2672 if (opts->context) {
2673 rc = parse_sid(sb, opts->context, &sid);
2674 if (rc)
2675 return rc;
2676 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2677 goto out_bad_option;
2678 }
2679 if (opts->rootcontext) {
2680 struct inode_security_struct *root_isec;
2681 root_isec = backing_inode_security(sb->s_root);
2682 rc = parse_sid(sb, opts->rootcontext, &sid);
2683 if (rc)
2684 return rc;
2685 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2686 goto out_bad_option;
2687 }
2688 if (opts->defcontext) {
2689 rc = parse_sid(sb, opts->defcontext, &sid);
2690 if (rc)
2691 return rc;
2692 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2693 goto out_bad_option;
026eb167 2694 }
c039bc3c 2695 return 0;
026eb167 2696
026eb167 2697out_bad_option:
c103a91e 2698 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2699 "during remount (dev %s, type=%s)\n", sb->s_id,
2700 sb->s_type->name);
c039bc3c 2701 return -EINVAL;
026eb167
EP		 2702}
2703
a10d7c22 2704static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2705{
88e67f3b 2706 const struct cred *cred = current_cred();
2bf49690 2707 struct common_audit_data ad;
74192246 2708
50c205f5 2709 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2710 ad.u.dentry = sb->s_root;
88e67f3b 2711 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2712}
2713
726c3342 2714static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2715{
88e67f3b 2716 const struct cred *cred = current_cred();
2bf49690 2717 struct common_audit_data ad;
1da177e4 2718
50c205f5 2719 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2720 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2721 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2722}
2723
808d4e3c 2724static int selinux_mount(const char *dev_name,
8a04c43b 2725 const struct path *path,
808d4e3c 2726 const char *type,
828dfe1d
EP		 2727 unsigned long flags,
2728 void *data)
1da177e4 2729{
88e67f3b 2730 const struct cred *cred = current_cred();
1da177e4
LT		 2731
2732 if (flags & MS_REMOUNT)
d8c9584e 2733 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2734 FILESYSTEM__REMOUNT, NULL);
1da177e4 2735 else
2875fa00 2736 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2737}
2738
98aa0034
SS		 2739static int selinux_move_mount(const struct path *from_path,
2740 const struct path *to_path)
2741{
2742 const struct cred *cred = current_cred();
2743
2744 return path_has_perm(cred, to_path, FILE__MOUNTON);
2745}
2746
1da177e4
LT		 2747static int selinux_umount(struct vfsmount *mnt, int flags)
2748{
88e67f3b 2749 const struct cred *cred = current_cred();
1da177e4 2750
88e67f3b 2751 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2752 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2753}
2754
0b52075e
AV		 2755static int selinux_fs_context_dup(struct fs_context *fc,
2756 struct fs_context *src_fc)
2757{
2758 const struct selinux_mnt_opts *src = src_fc->security;
2759 struct selinux_mnt_opts *opts;
2760
2761 if (!src)
2762 return 0;
2763
2764 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2765 if (!fc->security)
2766 return -ENOMEM;
2767
2768 opts = fc->security;
2769
2770 if (src->fscontext) {
2771 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2772 if (!opts->fscontext)
2773 return -ENOMEM;
2774 }
2775 if (src->context) {
2776 opts->context = kstrdup(src->context, GFP_KERNEL);
2777 if (!opts->context)
2778 return -ENOMEM;
2779 }
2780 if (src->rootcontext) {
2781 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2782 if (!opts->rootcontext)
2783 return -ENOMEM;
2784 }
2785 if (src->defcontext) {
2786 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2787 if (!opts->defcontext)
2788 return -ENOMEM;
2789 }
2790 return 0;
2791}
2792
d7167b14 2793static const struct fs_parameter_spec selinux_fs_parameters[] = {
442155c1
DH		 2794 fsparam_string(CONTEXT_STR, Opt_context),
2795 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2796 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2797 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2798 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2799 {}
2800};
2801
442155c1
DH		 2802static int selinux_fs_context_parse_param(struct fs_context *fc,
2803 struct fs_parameter *param)
2804{
2805 struct fs_parse_result result;
2806 int opt, rc;
2807
d7167b14 2808 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
442155c1
DH		 2809 if (opt < 0)
2810 return opt;
2811
2812 rc = selinux_add_opt(opt, param->string, &fc->security);
2813 if (!rc) {
2814 param->string = NULL;
2815 rc = 1;
2816 }
2817 return rc;
2818}
2819
1da177e4
LT		 2820/* inode security operations */
2821
2822static int selinux_inode_alloc_security(struct inode *inode)
2823{
cb89e246
PM		 2824 struct inode_security_struct *isec = selinux_inode(inode);
2825 u32 sid = current_sid();
2826
2827 spin_lock_init(&isec->lock);
2828 INIT_LIST_HEAD(&isec->list);
2829 isec->inode = inode;
2830 isec->sid = SECINITSID_UNLABELED;
2831 isec->sclass = SECCLASS_FILE;
2832 isec->task_sid = sid;
2833 isec->initialized = LABEL_INVALID;
2834
2835 return 0;
1da177e4
LT		 2836}
2837
2838static void selinux_inode_free_security(struct inode *inode)
2839{
2840 inode_free_security(inode);
2841}
2842
d47be3df 2843static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2844 const struct qstr *name, void **ctx,
d47be3df
DQ		 2845 u32 *ctxlen)
2846{
d47be3df
DQ		 2847 u32 newsid;
2848 int rc;
2849
0c6cfa62 2850 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2851 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2852 inode_mode_to_security_class(mode),
2853 &newsid);
2854 if (rc)
2855 return rc;
d47be3df 2856
aa8e712c
SS		 2857 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2858 ctxlen);
d47be3df
DQ		 2859}
2860
a518b0a5
VG		 2861static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2862 struct qstr *name,
2863 const struct cred *old,
2864 struct cred *new)
2865{
2866 u32 newsid;
2867 int rc;
2868 struct task_security_struct *tsec;
2869
0c6cfa62 2870 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2871 d_inode(dentry->d_parent), name,
2872 inode_mode_to_security_class(mode),
2873 &newsid);
2874 if (rc)
2875 return rc;
2876
0c6cfa62 2877 tsec = selinux_cred(new);
a518b0a5
VG		 2878 tsec->create_sid = newsid;
2879 return 0;
2880}
2881
5e41ff9e 2882static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2883 const struct qstr *qstr,
2884 const char **name,
2a7dba39 2885 void **value, size_t *len)
5e41ff9e 2886{
0c6cfa62 2887 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2888 struct superblock_security_struct *sbsec;
c0d4f464 2889 u32 newsid, clen;
5e41ff9e 2890 int rc;
9548906b 2891 char *context;
5e41ff9e 2892
5e41ff9e 2893 sbsec = dir->i_sb->s_security;
5e41ff9e 2894
275bb41e
DH		 2895 newsid = tsec->create_sid;
2896
210a2928 2897 rc = selinux_determine_inode_label(tsec, dir, qstr,
c3c188b2
DH		 2898 inode_mode_to_security_class(inode->i_mode),
2899 &newsid);
2900 if (rc)
2901 return rc;
5e41ff9e 2902
296fddf7 2903 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2904 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2905 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2906 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2907 isec->sid = newsid;
6f3be9f5 2908 isec->initialized = LABEL_INITIALIZED;
296fddf7 2909 }
5e41ff9e 2910
65cddd50
OM		 2911 if (!selinux_initialized(&selinux_state) ||
2912 !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2913 return -EOPNOTSUPP;
2914
9548906b
TH		 2915 if (name)
2916 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2917
570bc1c2 2918 if (value && len) {
aa8e712c
SS		 2919 rc = security_sid_to_context_force(&selinux_state, newsid,
2920 &context, &clen);
9548906b 2921 if (rc)
570bc1c2 2922 return rc;
570bc1c2
SS		 2923 *value = context;
2924 *len = clen;
5e41ff9e 2925 }
5e41ff9e 2926
5e41ff9e
SS		 2927 return 0;
2928}
2929
4acdaf27 2930static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2931{
2932 return may_create(dir, dentry, SECCLASS_FILE);
2933}
2934
1da177e4
LT		 2935static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2936{
1da177e4
LT		 2937 return may_link(dir, old_dentry, MAY_LINK);
2938}
2939
1da177e4
LT		 2940static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2941{
1da177e4
LT		 2942 return may_link(dir, dentry, MAY_UNLINK);
2943}
2944
2945static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2946{
2947 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2948}
2949
18bb1db3 2950static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2951{
2952 return may_create(dir, dentry, SECCLASS_DIR);
2953}
2954
1da177e4
LT		 2955static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2956{
2957 return may_link(dir, dentry, MAY_RMDIR);
2958}
2959
1a67aafb 2960static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2961{
1da177e4
LT		 2962 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2963}
2964
1da177e4 2965static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2966 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2967{
2968 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2969}
2970
1da177e4
LT		 2971static int selinux_inode_readlink(struct dentry *dentry)
2972{
88e67f3b
DH		 2973 const struct cred *cred = current_cred();
2974
2875fa00 2975 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2976}
2977
bda0be7a
N		 2978static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2979 bool rcu)
1da177e4 2980{
88e67f3b 2981 const struct cred *cred = current_cred();
bda0be7a
N		 2982 struct common_audit_data ad;
2983 struct inode_security_struct *isec;
2984 u32 sid;
1da177e4 2985
bda0be7a
N		 2986 validate_creds(cred);
2987
2988 ad.type = LSM_AUDIT_DATA_DENTRY;
2989 ad.u.dentry = dentry;
2990 sid = cred_sid(cred);
5d226df4
AG		 2991 isec = inode_security_rcu(inode, rcu);
2992 if (IS_ERR(isec))
2993 return PTR_ERR(isec);
bda0be7a 2994
1a37079c
SS		 2995 return avc_has_perm_flags(&selinux_state,
2996 sid, isec->sid, isec->sclass, FILE__READ, &ad,
2997 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2998}
2999
d4cf970d
EP		 3000static noinline int audit_inode_permission(struct inode *inode,
3001 u32 perms, u32 audited, u32 denied,
0188d5c0 3002 int result)
1da177e4 3003{
b782e0a6 3004 struct common_audit_data ad;
80788c22 3005 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d
EP		 3006 int rc;
3007
50c205f5 3008 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3009 ad.u.inode = inode;
3010
6b6bc620
SS		 3011 rc = slow_avc_audit(&selinux_state,
3012 current_sid(), isec->sid, isec->sclass, perms,
0188d5c0 3013 audited, denied, result, &ad);
d4cf970d
EP		 3014 if (rc)
3015 return rc;
3016 return 0;
3017}
3018
e74f71eb 3019static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3020{
88e67f3b 3021 const struct cred *cred = current_cred();
b782e0a6
EP		 3022 u32 perms;
3023 bool from_access;
5298d0b9 3024 bool no_block = mask & MAY_NOT_BLOCK;
2e334057
EP		 3025 struct inode_security_struct *isec;
3026 u32 sid;
3027 struct av_decision avd;
3028 int rc, rc2;
3029 u32 audited, denied;
1da177e4 3030
b782e0a6 3031 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3032 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3033
b782e0a6
EP		 3034 /* No permission to check. Existence test. */
3035 if (!mask)
1da177e4 3036 return 0;
1da177e4 3037
2e334057 3038 validate_creds(cred);
b782e0a6 3039
2e334057
EP		 3040 if (unlikely(IS_PRIVATE(inode)))
3041 return 0;
b782e0a6
EP		 3042
3043 perms = file_mask_to_av(inode->i_mode, mask);
3044
2e334057 3045 sid = cred_sid(cred);
5298d0b9 3046 isec = inode_security_rcu(inode, no_block);
5d226df4
AG		 3047 if (IS_ERR(isec))
3048 return PTR_ERR(isec);
2e334057 3049
6b6bc620 3050 rc = avc_has_perm_noaudit(&selinux_state,
3a28cff3 3051 sid, isec->sid, isec->sclass, perms,
5298d0b9 3052 no_block ? AVC_NONBLOCKING : 0,
3a28cff3 3053 &avd);
2e334057
EP		 3054 audited = avc_audit_required(perms, &avd, rc,
3055 from_access ? FILE__AUDIT_ACCESS : 0,
3056 &denied);
3057 if (likely(!audited))
3058 return rc;
3059
0188d5c0 3060 /* fall back to ref-walk if we have to generate audit */
5298d0b9 3061 if (no_block)
0188d5c0
SS		 3062 return -ECHILD;
3063
3064 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
2e334057
EP		 3065 if (rc2)
3066 return rc2;
3067 return rc;
1da177e4
LT		 3068}
3069
3070static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3071{
88e67f3b 3072 const struct cred *cred = current_cred();
ccb54478 3073 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3074 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3075 __u32 av = FILE__WRITE;
1da177e4 3076
bc6a6008
AW		 3077 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3078 if (ia_valid & ATTR_FORCE) {
3079 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3080 ATTR_FORCE);
3081 if (!ia_valid)
3082 return 0;
3083 }
1da177e4 3084
bc6a6008
AW		 3085 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3086 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3087 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3088
aa8e712c 3089 if (selinux_policycap_openperm() &&
ccb54478
SS		 3090 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3091 (ia_valid & ATTR_SIZE) &&
3092 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3093 av |= FILE__OPEN;
3094
3095 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3096}
3097
3f7036a0 3098static int selinux_inode_getattr(const struct path *path)
1da177e4 3099{
3f7036a0 3100 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3101}
3102
db59000a
SS		 3103static bool has_cap_mac_admin(bool audit)
3104{
3105 const struct cred *cred = current_cred();
c1a85a00 3106 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3107
c1a85a00 3108 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3109 return false;
c1a85a00 3110 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3111 return false;
3112 return true;
3113}
3114
8f0cfa52
DH		 3115static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3116 const void *value, size_t size, int flags)
1da177e4 3117{
c6f493d6 3118 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3119 struct inode_security_struct *isec;
1da177e4 3120 struct superblock_security_struct *sbsec;
2bf49690 3121 struct common_audit_data ad;
275bb41e 3122 u32 newsid, sid = current_sid();
1da177e4
LT		 3123 int rc = 0;
3124
6b240306
EB		 3125 if (strcmp(name, XATTR_NAME_SELINUX)) {
3126 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3127 if (rc)
3128 return rc;
3129
3130 /* Not an attribute we recognize, so just check the
3131 ordinary setattr permission. */
3132 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3133 }
1da177e4 3134
65cddd50 3135 if (!selinux_initialized(&selinux_state))
3e3e24b4
JL		 3136 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3137
1da177e4 3138 sbsec = inode->i_sb->s_security;
12f348b9 3139 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3140 return -EOPNOTSUPP;
3141
2e149670 3142 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3143 return -EPERM;
3144
50c205f5 3145 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3146 ad.u.dentry = dentry;
1da177e4 3147
20cdef8d 3148 isec = backing_inode_security(dentry);
6b6bc620
SS		 3149 rc = avc_has_perm(&selinux_state,
3150 sid, isec->sid, isec->sclass,
1da177e4
LT		 3151 FILE__RELABELFROM, &ad);
3152 if (rc)
3153 return rc;
3154
aa8e712c
SS		 3155 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3156 GFP_KERNEL);
12b29f34 3157 if (rc == -EINVAL) {
db59000a 3158 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3159 struct audit_buffer *ab;
3160 size_t audit_size;
d6ea83ec
EP		 3161
3162 /* We strip a nul only if it is at the end, otherwise the
3163 * context contains a nul and we should audit that */
e3fea3f7 3164 if (value) {
add24372
CIK		 3165 const char *str = value;
3166
e3fea3f7
AV		 3167 if (str[size - 1] == '\0')
3168 audit_size = size - 1;
3169 else
3170 audit_size = size;
3171 } else {
e3fea3f7
AV		 3172 audit_size = 0;
3173 }
cdfb6b34
RGB		 3174 ab = audit_log_start(audit_context(),
3175 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3176 audit_log_format(ab, "op=setxattr invalid_context=");
3177 audit_log_n_untrustedstring(ab, value, audit_size);
3178 audit_log_end(ab);
3179
12b29f34 3180 return rc;
d6ea83ec 3181 }
aa8e712c
SS		 3182 rc = security_context_to_sid_force(&selinux_state, value,
3183 size, &newsid);
12b29f34 3184 }
1da177e4
LT		 3185 if (rc)
3186 return rc;
3187
6b6bc620
SS		 3188 rc = avc_has_perm(&selinux_state,
3189 sid, newsid, isec->sclass,
1da177e4
LT		 3190 FILE__RELABELTO, &ad);
3191 if (rc)
3192 return rc;
3193
aa8e712c
SS		 3194 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3195 sid, isec->sclass);
1da177e4
LT		 3196 if (rc)
3197 return rc;
3198
6b6bc620
SS		 3199 return avc_has_perm(&selinux_state,
3200 newsid,
1da177e4
LT		 3201 sbsec->sid,
3202 SECCLASS_FILESYSTEM,
3203 FILESYSTEM__ASSOCIATE,
3204 &ad);
3205}
3206
8f0cfa52 3207static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3208 const void *value, size_t size,
8f0cfa52 3209 int flags)
1da177e4 3210{
c6f493d6 3211 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3212 struct inode_security_struct *isec;
1da177e4
LT		 3213 u32 newsid;
3214 int rc;
3215
3216 if (strcmp(name, XATTR_NAME_SELINUX)) {
3217 /* Not an attribute we recognize, so nothing to do. */
3218 return;
3219 }
3220
65cddd50 3221 if (!selinux_initialized(&selinux_state)) {
3e3e24b4
JL		 3222 /* If we haven't even been initialized, then we can't validate
3223 * against a policy, so leave the label as invalid. It may
3224 * resolve to a valid label on the next revalidation try if
3225 * we've since initialized.
3226 */
3227 return;
3228 }
3229
aa8e712c
SS		 3230 rc = security_context_to_sid_force(&selinux_state, value, size,
3231 &newsid);
1da177e4 3232 if (rc) {
c103a91e 3233 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3234 "for (%s, %lu), rc=%d\n",
3235 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3236 return;
3237 }
3238
20cdef8d 3239 isec = backing_inode_security(dentry);
9287aed2 3240 spin_lock(&isec->lock);
aa9c2669 3241 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3242 isec->sid = newsid;
6f3be9f5 3243 isec->initialized = LABEL_INITIALIZED;
9287aed2 3244 spin_unlock(&isec->lock);
aa9c2669 3245
1da177e4
LT		 3246 return;
3247}
3248
8f0cfa52 3249static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3250{
88e67f3b
DH		 3251 const struct cred *cred = current_cred();
3252
2875fa00 3253 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3254}
3255
828dfe1d 3256static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3257{
88e67f3b
DH		 3258 const struct cred *cred = current_cred();
3259
2875fa00 3260 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3261}
3262
8f0cfa52 3263static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3264{
6b240306
EB		 3265 if (strcmp(name, XATTR_NAME_SELINUX)) {
3266 int rc = cap_inode_removexattr(dentry, name);
3267 if (rc)
3268 return rc;
3269
3270 /* Not an attribute we recognize, so just check the
3271 ordinary setattr permission. */
3272 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3273 }
1da177e4 3274
9530a3e0
SS		 3275 if (!selinux_initialized(&selinux_state))
3276 return 0;
3277
1da177e4
LT		 3278 /* No one is allowed to remove a SELinux security label.
3279 You can change the label, but all data must be labeled. */
3280 return -EACCES;
3281}
3282
ac5656d8
AG		 3283static int selinux_path_notify(const struct path *path, u64 mask,
3284 unsigned int obj_type)
3285{
3286 int ret;
3287 u32 perm;
3288
3289 struct common_audit_data ad;
3290
3291 ad.type = LSM_AUDIT_DATA_PATH;
3292 ad.u.path = *path;
3293
3294 /*
3295 * Set permission needed based on the type of mark being set.
3296 * Performs an additional check for sb watches.
3297 */
3298 switch (obj_type) {
3299 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3300 perm = FILE__WATCH_MOUNT;
3301 break;
3302 case FSNOTIFY_OBJ_TYPE_SB:
3303 perm = FILE__WATCH_SB;
3304 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3305 FILESYSTEM__WATCH, &ad);
3306 if (ret)
3307 return ret;
3308 break;
3309 case FSNOTIFY_OBJ_TYPE_INODE:
3310 perm = FILE__WATCH;
3311 break;
3312 default:
3313 return -EINVAL;
3314 }
3315
3316 /* blocking watches require the file:watch_with_perm permission */
3317 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3318 perm |= FILE__WATCH_WITH_PERM;
3319
3320 /* watches on read-like events need the file:watch_reads permission */
3321 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3322 perm |= FILE__WATCH_READS;
3323
3324 return path_has_perm(current_cred(), path, perm);
3325}
3326
d381d8a9 3327/*
abc69bb6 3328 * Copy the inode security context value to the user.
d381d8a9
JM		 3329 *
3330 * Permission check is handled by selinux_inode_getxattr hook.
3331 */
ea861dfd 3332static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3333{
42492594
DQ		 3334 u32 size;
3335 int error;
3336 char *context = NULL;
20cdef8d 3337 struct inode_security_struct *isec;
d381d8a9 3338
c8e22261
JL		 3339 /*
3340 * If we're not initialized yet, then we can't validate contexts, so
3341 * just let vfs_getxattr fall back to using the on-disk xattr.
3342 */
3343 if (!selinux_initialized(&selinux_state) ||
3344 strcmp(name, XATTR_SELINUX_SUFFIX))
8c8570fb 3345 return -EOPNOTSUPP;
d381d8a9 3346
abc69bb6
SS		 3347 /*
3348 * If the caller has CAP_MAC_ADMIN, then get the raw context
3349 * value even if it is not defined by current policy; otherwise,
3350 * use the in-core value under current policy.
3351 * Use the non-auditing forms of the permission checks since
3352 * getxattr may be called by unprivileged processes commonly
3353 * and lack of permission just means that we fall back to the
3354 * in-core context value, not a denial.
3355 */
20cdef8d 3356 isec = inode_security(inode);
db59000a 3357 if (has_cap_mac_admin(false))
aa8e712c
SS		 3358 error = security_sid_to_context_force(&selinux_state,
3359 isec->sid, &context,
abc69bb6
SS		 3360 &size);
3361 else
aa8e712c
SS		 3362 error = security_sid_to_context(&selinux_state, isec->sid,
3363 &context, &size);
42492594
DQ		 3364 if (error)
3365 return error;
3366 error = size;
3367 if (alloc) {
3368 *buffer = context;
3369 goto out_nofree;
3370 }
3371 kfree(context);
3372out_nofree:
3373 return error;
1da177e4
LT		 3374}
3375
3376static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3377 const void *value, size_t size, int flags)
1da177e4 3378{
2c97165b 3379 struct inode_security_struct *isec = inode_security_novalidate(inode);
53e0c2aa 3380 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1da177e4
LT		 3381 u32 newsid;
3382 int rc;
3383
3384 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3385 return -EOPNOTSUPP;
3386
53e0c2aa
OM		 3387 if (!(sbsec->flags & SBLABEL_MNT))
3388 return -EOPNOTSUPP;
3389
1da177e4
LT		 3390 if (!value || !size)
3391 return -EACCES;
3392
aa8e712c
SS		 3393 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3394 GFP_KERNEL);
1da177e4
LT		 3395 if (rc)
3396 return rc;
3397
9287aed2 3398 spin_lock(&isec->lock);
aa9c2669 3399 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3400 isec->sid = newsid;
6f3be9f5 3401 isec->initialized = LABEL_INITIALIZED;
9287aed2 3402 spin_unlock(&isec->lock);
1da177e4
LT		 3403 return 0;
3404}
3405
3406static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3407{
3408 const int len = sizeof(XATTR_NAME_SELINUX);
3409 if (buffer && len <= buffer_size)
3410 memcpy(buffer, XATTR_NAME_SELINUX, len);
3411 return len;
3412}
3413
d6335d77 3414static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3415{
e817c2f3 3416 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3417 *secid = isec->sid;
3418}
3419
56909eb3
VG		 3420static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3421{
3422 u32 sid;
3423 struct task_security_struct *tsec;
3424 struct cred *new_creds = *new;
3425
3426 if (new_creds == NULL) {
3427 new_creds = prepare_creds();
3428 if (!new_creds)
3429 return -ENOMEM;
3430 }
3431
0c6cfa62 3432 tsec = selinux_cred(new_creds);
56909eb3
VG		 3433 /* Get label from overlay inode and set it in create_sid */
3434 selinux_inode_getsecid(d_inode(src), &sid);
3435 tsec->create_sid = sid;
3436 *new = new_creds;
3437 return 0;
3438}
3439
19472b69
VG		 3440static int selinux_inode_copy_up_xattr(const char *name)
3441{
3442 /* The copy_up hook above sets the initial context on an inode, but we
3443 * don't then want to overwrite it by blindly copying all the lower
3444 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3445 */
3446 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3447 return 1; /* Discard */
3448 /*
3449 * Any other attribute apart from SELINUX is not claimed, supported
3450 * by selinux.
3451 */
3452 return -EOPNOTSUPP;
3453}
3454
ec882da5
OM		 3455/* kernfs node operations */
3456
c72c4cde
Y		 3457static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3458 struct kernfs_node *kn)
ec882da5 3459{
169ce0c0 3460 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3461 u32 parent_sid, newsid, clen;
3462 int rc;
3463 char *context;
3464
1537ad15 3465 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3466 if (rc == -ENODATA)
3467 return 0;
3468 else if (rc < 0)
3469 return rc;
3470
3471 clen = (u32)rc;
3472 context = kmalloc(clen, GFP_KERNEL);
3473 if (!context)
3474 return -ENOMEM;
3475
1537ad15 3476 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3477 if (rc < 0) {
3478 kfree(context);
3479 return rc;
3480 }
3481
3482 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3483 GFP_KERNEL);
3484 kfree(context);
3485 if (rc)
3486 return rc;
3487
3488 if (tsec->create_sid) {
3489 newsid = tsec->create_sid;
3490 } else {
3491 u16 secclass = inode_mode_to_security_class(kn->mode);
3492 struct qstr q;
3493
3494 q.name = kn->name;
3495 q.hash_len = hashlen_string(kn_dir, kn->name);
3496
3497 rc = security_transition_sid(&selinux_state, tsec->sid,
3498 parent_sid, secclass, &q,
3499 &newsid);
3500 if (rc)
3501 return rc;
3502 }
3503
3504 rc = security_sid_to_context_force(&selinux_state, newsid,
3505 &context, &clen);
3506 if (rc)
3507 return rc;
3508
1537ad15
OM		 3509 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3510 XATTR_CREATE);
ec882da5
OM		 3511 kfree(context);
3512 return rc;
3513}
3514
3515
1da177e4
LT		 3516/* file security operations */
3517
788e7dd4 3518static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3519{
88e67f3b 3520 const struct cred *cred = current_cred();
496ad9aa 3521 struct inode *inode = file_inode(file);
1da177e4 3522
1da177e4
LT		 3523 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3524 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3525 mask |= MAY_APPEND;
3526
389fb800
PM		 3527 return file_has_perm(cred, file,
3528 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3529}
3530
788e7dd4
YN		 3531static int selinux_file_permission(struct file *file, int mask)
3532{
496ad9aa 3533 struct inode *inode = file_inode(file);
bb6c6b02 3534 struct file_security_struct *fsec = selinux_file(file);
b197367e 3535 struct inode_security_struct *isec;
20dda18b
SS		 3536 u32 sid = current_sid();
3537
389fb800 3538 if (!mask)
788e7dd4
YN		 3539 /* No permission to check. Existence test. */
3540 return 0;
788e7dd4 3541
b197367e 3542 isec = inode_security(inode);
20dda18b 3543 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3544 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3545 /* No change since file_open check. */
20dda18b
SS		 3546 return 0;
3547
788e7dd4
YN		 3548 return selinux_revalidate_file_permission(file, mask);
3549}
3550
1da177e4
LT		 3551static int selinux_file_alloc_security(struct file *file)
3552{
cb89e246
PM		 3553 struct file_security_struct *fsec = selinux_file(file);
3554 u32 sid = current_sid();
3555
3556 fsec->sid = sid;
3557 fsec->fown_sid = sid;
3558
3559 return 0;
1da177e4
LT		 3560}
3561
fa1aa143
JVS		 3562/*
3563 * Check whether a task has the ioctl permission and cmd
3564 * operation to an inode.
3565 */
1d2a168a 3566static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3567 u32 requested, u16 cmd)
3568{
3569 struct common_audit_data ad;
bb6c6b02 3570 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3571 struct inode *inode = file_inode(file);
20cdef8d 3572 struct inode_security_struct *isec;
fa1aa143
JVS		 3573 struct lsm_ioctlop_audit ioctl;
3574 u32 ssid = cred_sid(cred);
3575 int rc;
3576 u8 driver = cmd >> 8;
3577 u8 xperm = cmd & 0xff;
3578
3579 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3580 ad.u.op = &ioctl;
3581 ad.u.op->cmd = cmd;
3582 ad.u.op->path = file->f_path;
3583
3584 if (ssid != fsec->sid) {
6b6bc620
SS		 3585 rc = avc_has_perm(&selinux_state,
3586 ssid, fsec->sid,
fa1aa143
JVS		 3587 SECCLASS_FD,
3588 FD__USE,
3589 &ad);
3590 if (rc)
3591 goto out;
3592 }
3593
3594 if (unlikely(IS_PRIVATE(inode)))
3595 return 0;
3596
20cdef8d 3597 isec = inode_security(inode);
6b6bc620
SS		 3598 rc = avc_has_extended_perms(&selinux_state,
3599 ssid, isec->sid, isec->sclass,
3600 requested, driver, xperm, &ad);
fa1aa143
JVS		 3601out:
3602 return rc;
3603}
3604
1da177e4
LT		 3605static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3606 unsigned long arg)
3607{
88e67f3b 3608 const struct cred *cred = current_cred();
0b24dcb7 3609 int error = 0;
1da177e4 3610
0b24dcb7
EP		 3611 switch (cmd) {
3612 case FIONREAD:
0b24dcb7 3613 case FIBMAP:
0b24dcb7 3614 case FIGETBSZ:
2f99c369 3615 case FS_IOC_GETFLAGS:
2f99c369 3616 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3617 error = file_has_perm(cred, file, FILE__GETATTR);
3618 break;
1da177e4 3619
2f99c369 3620 case FS_IOC_SETFLAGS:
2f99c369 3621 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3622 error = file_has_perm(cred, file, FILE__SETATTR);
3623 break;
3624
3625 /* sys_ioctl() checks */
3626 case FIONBIO:
0b24dcb7
EP		 3627 case FIOASYNC:
3628 error = file_has_perm(cred, file, 0);
3629 break;
1da177e4 3630
0b24dcb7
EP		 3631 case KDSKBENT:
3632 case KDSKBSENT:
6a9de491 3633 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3634 CAP_OPT_NONE, true);
0b24dcb7
EP		 3635 break;
3636
3637 /* default case assumes that the command will go
3638 * to the file's ioctl() function.
3639 */
3640 default:
fa1aa143 3641 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3642 }
3643 return error;
1da177e4
LT		 3644}
3645
b78b7d59 3646static int default_noexec __ro_after_init;
fcaaade1 3647
1da177e4
LT		 3648static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3649{
88e67f3b 3650 const struct cred *cred = current_cred();
be0554c9 3651 u32 sid = cred_sid(cred);
d84f4f99 3652 int rc = 0;
88e67f3b 3653
fcaaade1 3654 if (default_noexec &&
892e8cac
SS		 3655 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3656 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3657 /*
3658 * We are making executable an anonymous mapping or a
3659 * private file mapping that will also be writable.
3660 * This has an additional check.
3661 */
6b6bc620
SS		 3662 rc = avc_has_perm(&selinux_state,
3663 sid, sid, SECCLASS_PROCESS,
be0554c9 3664 PROCESS__EXECMEM, NULL);
1da177e4 3665 if (rc)
d84f4f99 3666 goto error;
1da177e4 3667 }
1da177e4
LT		 3668
3669 if (file) {
3670 /* read access is always possible with a mapping */
3671 u32 av = FILE__READ;
3672
3673 /* write access only matters if the mapping is shared */
3674 if (shared && (prot & PROT_WRITE))
3675 av |= FILE__WRITE;
3676
3677 if (prot & PROT_EXEC)
3678 av |= FILE__EXECUTE;
3679
88e67f3b 3680 return file_has_perm(cred, file, av);
1da177e4 3681 }
d84f4f99
DH		 3682
3683error:
3684 return rc;
1da177e4
LT		 3685}
3686
e5467859 3687static int selinux_mmap_addr(unsigned long addr)
1da177e4 3688{
b1d9e6b0 3689 int rc = 0;
1da177e4 3690
a2551df7 3691 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3692 u32 sid = current_sid();
6b6bc620
SS		 3693 rc = avc_has_perm(&selinux_state,
3694 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3695 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3696 }
3697
98883bfd 3698 return rc;
e5467859 3699}
1da177e4 3700
e5467859
AV		 3701static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3702 unsigned long prot, unsigned long flags)
3703{
3ba4bf5f
SS		 3704 struct common_audit_data ad;
3705 int rc;
3706
3707 if (file) {
3708 ad.type = LSM_AUDIT_DATA_FILE;
3709 ad.u.file = file;
3710 rc = inode_has_perm(current_cred(), file_inode(file),
3711 FILE__MAP, &ad);
3712 if (rc)
3713 return rc;
3714 }
3715
8861d0af 3716 if (checkreqprot_get(&selinux_state))
1da177e4
LT		 3717 prot = reqprot;
3718
3719 return file_map_prot_check(file, prot,
3720 (flags & MAP_TYPE) == MAP_SHARED);
3721}
3722
3723static int selinux_file_mprotect(struct vm_area_struct *vma,
3724 unsigned long reqprot,
3725 unsigned long prot)
3726{
88e67f3b 3727 const struct cred *cred = current_cred();
be0554c9 3728 u32 sid = cred_sid(cred);
1da177e4 3729
8861d0af 3730 if (checkreqprot_get(&selinux_state))
1da177e4
LT		 3731 prot = reqprot;
3732
fcaaade1
SS		 3733 if (default_noexec &&
3734 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3735 int rc = 0;
db4c9641
SS		 3736 if (vma->vm_start >= vma->vm_mm->start_brk &&
3737 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3738 rc = avc_has_perm(&selinux_state,
3739 sid, sid, SECCLASS_PROCESS,
be0554c9 3740 PROCESS__EXECHEAP, NULL);
db4c9641 3741 } else if (!vma->vm_file &&
c2316dbf
SS		 3742 ((vma->vm_start <= vma->vm_mm->start_stack &&
3743 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3744 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3745 rc = avc_has_perm(&selinux_state,
3746 sid, sid, SECCLASS_PROCESS,
be0554c9 3747 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3748 } else if (vma->vm_file && vma->anon_vma) {
3749 /*
3750 * We are making executable a file mapping that has
3751 * had some COW done. Since pages might have been
3752 * written, check ability to execute the possibly
3753 * modified content. This typically should only
3754 * occur for text relocations.
3755 */
d84f4f99 3756 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3757 }