]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: use kernel linux/socket.h for genheaders and mdp
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
1da177e4
LT		 70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
1da177e4 78#include <linux/audit.h>
6931dfc9 79#include <linux/string.h>
877ce7c1 80#include <linux/selinux.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
ec27c356 88#include <linux/bpf.h>
1da177e4
LT		 89
90#include "avc.h"
91#include "objsec.h"
92#include "netif.h"
224dfbd8 93#include "netnode.h"
3e112172 94#include "netport.h"
409dcf31 95#include "ibpkey.h"
d28d1e08 96#include "xfrm.h"
c60475bf 97#include "netlabel.h"
9d57a7f9 98#include "audit.h"
7b98a585 99#include "avc_ss.h"
1da177e4 100
d621d35e 101/* SECMARK reference count */
56a4ca99 102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 103
1da177e4 104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 105int selinux_enforcing;
1da177e4
LT		 106
107static int __init enforcing_setup(char *str)
108{
f5269710 109 unsigned long enforcing;
29707b20 110 if (!kstrtoul(str, 0, &enforcing))
f5269710 111 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 112 return 1;
113}
114__setup("enforcing=", enforcing_setup);
115#endif
116
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120static int __init selinux_enabled_setup(char *str)
121{
f5269710 122 unsigned long enabled;
29707b20 123 if (!kstrtoul(str, 0, &enabled))
f5269710 124 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 125 return 1;
126}
127__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 128#else
129int selinux_enabled = 1;
1da177e4
LT		 130#endif
131
d621d35e
PM		 132/**
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 *
135 * Description:
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 141 *
142 */
143static int selinux_secmark_enabled(void)
144{
2be4d74f
CP		 145 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
146}
147
148/**
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
150 *
151 * Description:
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
156 *
157 */
158static int selinux_peerlbl_enabled(void)
159{
160 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 161}
162
615e51fd
PM		 163static int selinux_netcache_avc_callback(u32 event)
164{
165 if (event == AVC_CALLBACK_RESET) {
166 sel_netif_flush();
167 sel_netnode_flush();
168 sel_netport_flush();
169 synchronize_net();
170 }
171 return 0;
172}
173
8f408ab6
DJ		 174static int selinux_lsm_notifier_avc_callback(u32 event)
175{
409dcf31
DJ		 176 if (event == AVC_CALLBACK_RESET) {
177 sel_ib_pkey_flush();
8f408ab6 178 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 179 }
8f408ab6
DJ		 180
181 return 0;
182}
183
d84f4f99
DH		 184/*
185 * initialise the security for the init task
186 */
187static void cred_init_security(void)
1da177e4 188{
3b11a1de 189 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 190 struct task_security_struct *tsec;
191
f1efc8c4
CS		 192 lsm_early_cred(cred);
193 tsec = selinux_cred(cred);
d84f4f99 194 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 195}
196
88e67f3b
DH		 197/*
198 * get the security ID of a set of credentials
199 */
200static inline u32 cred_sid(const struct cred *cred)
201{
202 const struct task_security_struct *tsec;
203
f1efc8c4 204 tsec = selinux_cred(cred);
88e67f3b
DH		 205 return tsec->sid;
206}
207
275bb41e 208/*
3b11a1de 209 * get the objective security ID of a task
275bb41e
DH		 210 */
211static inline u32 task_sid(const struct task_struct *task)
212{
275bb41e
DH		 213 u32 sid;
214
215 rcu_read_lock();
88e67f3b 216 sid = cred_sid(__task_cred(task));
275bb41e
DH		 217 rcu_read_unlock();
218 return sid;
219}
220
88e67f3b
DH		 221/* Allocate and free functions for each kind of security blob. */
222
1da177e4
LT		 223static int inode_alloc_security(struct inode *inode)
224{
7a90fc39 225 struct inode_security_struct *isec = selinux_inode(inode);
275bb41e 226 u32 sid = current_sid();
1da177e4 227
9287aed2 228 spin_lock_init(&isec->lock);
1da177e4 229 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 230 isec->inode = inode;
231 isec->sid = SECINITSID_UNLABELED;
232 isec->sclass = SECCLASS_FILE;
275bb41e 233 isec->task_sid = sid;
42059112 234 isec->initialized = LABEL_INVALID;
1da177e4
LT		 235
236 return 0;
237}
238
5d226df4
AG		 239static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
240
241/*
242 * Try reloading inode security labels that have been marked as invalid. The
243 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 244 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 245 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
246 * when no dentry is available, set it to NULL instead.
247 */
248static int __inode_security_revalidate(struct inode *inode,
249 struct dentry *opt_dentry,
250 bool may_sleep)
251{
7a90fc39 252 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 253
254 might_sleep_if(may_sleep);
255
1ac42476 256 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 257 if (!may_sleep)
258 return -ECHILD;
259
260 /*
261 * Try reloading the inode security label. This will fail if
262 * @opt_dentry is NULL and no dentry for this inode can be
263 * found; in that case, continue using the old label.
264 */
265 inode_doinit_with_dentry(inode, opt_dentry);
266 }
267 return 0;
268}
269
5d226df4
AG		 270static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
271{
7a90fc39 272 return selinux_inode(inode);
5d226df4
AG		 273}
274
275static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
276{
277 int error;
278
279 error = __inode_security_revalidate(inode, NULL, !rcu);
280 if (error)
281 return ERR_PTR(error);
7a90fc39 282 return selinux_inode(inode);
5d226df4
AG		 283}
284
83da53c5
AG		 285/*
286 * Get the security label of an inode.
287 */
288static struct inode_security_struct *inode_security(struct inode *inode)
289{
5d226df4 290 __inode_security_revalidate(inode, NULL, true);
7a90fc39 291 return selinux_inode(inode);
83da53c5
AG		 292}
293
2c97165b
PM		 294static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
295{
296 struct inode *inode = d_backing_inode(dentry);
297
7a90fc39 298 return selinux_inode(inode);
2c97165b
PM		 299}
300
83da53c5
AG		 301/*
302 * Get the security label of a dentry's backing inode.
303 */
304static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
305{
306 struct inode *inode = d_backing_inode(dentry);
307
5d226df4 308 __inode_security_revalidate(inode, dentry, true);
7a90fc39 309 return selinux_inode(inode);
3dc91d43
SR		 310}
311
1da177e4
LT		 312static void inode_free_security(struct inode *inode)
313{
7a90fc39
CS		 314 struct inode_security_struct *isec = selinux_inode(inode);
315 struct superblock_security_struct *sbsec =
316 selinux_superblock(inode->i_sb);
1da177e4 317
9629d04a
WL		 318 /*
319 * As not all inode security structures are in a list, we check for
320 * empty list outside of the lock to make sure that we won't waste
321 * time taking a lock doing nothing.
322 *
323 * The list_del_init() function can be safely called more than once.
324 * It should not be possible for this function to be called with
325 * concurrent list_add(), but for better safety against future changes
326 * in the code, we use list_empty_careful() here.
327 */
328 if (!list_empty_careful(&isec->list)) {
329 spin_lock(&sbsec->isec_lock);
1da177e4 330 list_del_init(&isec->list);
9629d04a
WL		 331 spin_unlock(&sbsec->isec_lock);
332 }
1da177e4
LT		 333}
334
335static int file_alloc_security(struct file *file)
336{
ab9b110b 337 struct file_security_struct *fsec = selinux_file(file);
275bb41e 338 u32 sid = current_sid();
1da177e4 339
275bb41e
DH		 340 fsec->sid = sid;
341 fsec->fown_sid = sid;
1da177e4
LT		 342
343 return 0;
344}
345
1da177e4
LT		 346static int superblock_alloc_security(struct super_block *sb)
347{
7a90fc39 348 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1da177e4 349
bc7e982b 350 mutex_init(&sbsec->lock);
1da177e4
LT		 351 INIT_LIST_HEAD(&sbsec->isec_head);
352 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 353 sbsec->sb = sb;
354 sbsec->sid = SECINITSID_UNLABELED;
355 sbsec->def_sid = SECINITSID_FILE;
c312feb2 356 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 357
358 return 0;
359}
360
1da177e4
LT		 361static inline int inode_doinit(struct inode *inode)
362{
363 return inode_doinit_with_dentry(inode, NULL);
364}
365
366enum {
31e87930 367 Opt_error = -1,
1da177e4
LT		 368 Opt_context = 1,
369 Opt_fscontext = 2,
c9180a57
EP		 370 Opt_defcontext = 3,
371 Opt_rootcontext = 4,
11689d47 372 Opt_labelsupport = 5,
d355987f 373 Opt_nextmntopt = 6,
1da177e4
LT		 374};
375
d355987f
EP		 376#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
377
a447c093 378static const match_table_t tokens = {
832cbd9a
EP		 379 {Opt_context, CONTEXT_STR "%s"},
380 {Opt_fscontext, FSCONTEXT_STR "%s"},
381 {Opt_defcontext, DEFCONTEXT_STR "%s"},
382 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 383 {Opt_labelsupport, LABELSUPP_STR},
31e87930 384 {Opt_error, NULL},
1da177e4
LT		 385};
386
387#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
388
c312feb2
EP		 389static int may_context_mount_sb_relabel(u32 sid,
390 struct superblock_security_struct *sbsec,
275bb41e 391 const struct cred *cred)
c312feb2 392{
f1efc8c4 393 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 394 int rc;
395
396 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__RELABELFROM, NULL);
398 if (rc)
399 return rc;
400
401 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
402 FILESYSTEM__RELABELTO, NULL);
403 return rc;
404}
405
0808925e
EP		 406static int may_context_mount_inode_relabel(u32 sid,
407 struct superblock_security_struct *sbsec,
275bb41e 408 const struct cred *cred)
0808925e 409{
f1efc8c4 410 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e
EP		 411 int rc;
412 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
413 FILESYSTEM__RELABELFROM, NULL);
414 if (rc)
415 return rc;
416
417 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
418 FILESYSTEM__ASSOCIATE, NULL);
419 return rc;
420}
421
b43e725d
EP		 422static int selinux_is_sblabel_mnt(struct super_block *sb)
423{
7a90fc39 424 struct superblock_security_struct *sbsec = selinux_superblock(sb);
b43e725d 425
d5f3a5f6
MS		 426 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
427 sbsec->behavior == SECURITY_FS_USE_TRANS ||
428 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 429 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 430 /* Special handling. Genfs but also in-core setxattr handler */
431 !strcmp(sb->s_type->name, "sysfs") ||
432 !strcmp(sb->s_type->name, "pstore") ||
433 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 434 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 435 !strcmp(sb->s_type->name, "rootfs") ||
436 (selinux_policycap_cgroupseclabel &&
437 (!strcmp(sb->s_type->name, "cgroup") ||
438 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 439}
440
c9180a57 441static int sb_finish_set_opts(struct super_block *sb)
1da177e4 442{
7a90fc39 443 struct superblock_security_struct *sbsec = selinux_superblock(sb);
c9180a57 444 struct dentry *root = sb->s_root;
c6f493d6 445 struct inode *root_inode = d_backing_inode(root);
c9180a57 446 int rc = 0;
1da177e4 447
c9180a57
EP		 448 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
449 /* Make sure that the xattr handler exists and that no
450 error other than -ENODATA is returned by getxattr on
451 the root directory. -ENODATA is ok, as this may be
452 the first boot of the SELinux kernel before we have
453 assigned xattr values to the filesystem. */
5d6c3191 454 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 455 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
456 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 457 rc = -EOPNOTSUPP;
458 goto out;
459 }
5d6c3191
AG		 460
461 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 462 if (rc < 0 && rc != -ENODATA) {
463 if (rc == -EOPNOTSUPP)
464 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 465 "%s) has no security xattr handler\n",
466 sb->s_id, sb->s_type->name);
c9180a57
EP		 467 else
468 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 469 "%s) getxattr errno %d\n", sb->s_id,
470 sb->s_type->name, -rc);
c9180a57
EP		 471 goto out;
472 }
473 }
1da177e4 474
eadcabc6 475 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 476
477 /*
478 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
479 * leave the flag untouched because sb_clone_mnt_opts might be handing
480 * us a superblock that needs the flag to be cleared.
481 */
b43e725d 482 if (selinux_is_sblabel_mnt(sb))
12f348b9 483 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 484 else
485 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 486
c9180a57
EP		 487 /* Initialize the root inode. */
488 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 489
c9180a57
EP		 490 /* Initialize any other inodes associated with the superblock, e.g.
491 inodes created prior to initial policy load or inodes created
492 during get_sb by a pseudo filesystem that directly
493 populates itself. */
494 spin_lock(&sbsec->isec_lock);
495next_inode:
496 if (!list_empty(&sbsec->isec_head)) {
497 struct inode_security_struct *isec =
498 list_entry(sbsec->isec_head.next,
499 struct inode_security_struct, list);
500 struct inode *inode = isec->inode;
923190d3 501 list_del_init(&isec->list);
c9180a57
EP		 502 spin_unlock(&sbsec->isec_lock);
503 inode = igrab(inode);
504 if (inode) {
505 if (!IS_PRIVATE(inode))
506 inode_doinit(inode);
507 iput(inode);
508 }
509 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 510 goto next_inode;
511 }
512 spin_unlock(&sbsec->isec_lock);
513out:
514 return rc;
515}
1da177e4 516
c9180a57
EP		 517/*
518 * This function should allow an FS to ask what it's mount security
519 * options were so it can use those later for submounts, displaying
520 * mount options, or whatever.
521 */
522static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 523 struct security_mnt_opts *opts)
c9180a57
EP		 524{
525 int rc = 0, i;
7a90fc39 526 struct superblock_security_struct *sbsec = selinux_superblock(sb);
c9180a57
EP		 527 char *context = NULL;
528 u32 len;
529 char tmp;
1da177e4 530
e0007529 531 security_init_mnt_opts(opts);
1da177e4 532
0d90a7ec 533 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 534 return -EINVAL;
1da177e4 535
c9180a57
EP		 536 if (!ss_initialized)
537 return -EINVAL;
1da177e4 538
af8e50cc
EP		 539 /* make sure we always check enough bits to cover the mask */
540 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
541
0d90a7ec 542 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 543 /* count the number of mount options for this sb */
af8e50cc 544 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 545 if (tmp & 0x01)
e0007529 546 opts->num_mnt_opts++;
c9180a57
EP		 547 tmp >>= 1;
548 }
11689d47 549 /* Check if the Label support flag is set */
0b4bdb35 550 if (sbsec->flags & SBLABEL_MNT)
11689d47 551 opts->num_mnt_opts++;
1da177e4 552
e0007529
EP		 553 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
554 if (!opts->mnt_opts) {
c9180a57
EP		 555 rc = -ENOMEM;
556 goto out_free;
557 }
1da177e4 558
e0007529
EP		 559 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
560 if (!opts->mnt_opts_flags) {
c9180a57
EP		 561 rc = -ENOMEM;
562 goto out_free;
563 }
1da177e4 564
c9180a57
EP		 565 i = 0;
566 if (sbsec->flags & FSCONTEXT_MNT) {
567 rc = security_sid_to_context(sbsec->sid, &context, &len);
568 if (rc)
569 goto out_free;
e0007529
EP		 570 opts->mnt_opts[i] = context;
571 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 572 }
573 if (sbsec->flags & CONTEXT_MNT) {
574 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
575 if (rc)
576 goto out_free;
e0007529
EP		 577 opts->mnt_opts[i] = context;
578 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 579 }
580 if (sbsec->flags & DEFCONTEXT_MNT) {
581 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
582 if (rc)
583 goto out_free;
e0007529
EP		 584 opts->mnt_opts[i] = context;
585 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 586 }
587 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5 588 struct dentry *root = sbsec->sb->s_root;
7a90fc39
CS		 589 struct inode_security_struct *isec =
590 backing_inode_security(root);
0808925e 591
c9180a57
EP		 592 rc = security_sid_to_context(isec->sid, &context, &len);
593 if (rc)
594 goto out_free;
e0007529
EP		 595 opts->mnt_opts[i] = context;
596 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 597 }
12f348b9 598 if (sbsec->flags & SBLABEL_MNT) {
11689d47 599 opts->mnt_opts[i] = NULL;
12f348b9 600 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 601 }
1da177e4 602
e0007529 603 BUG_ON(i != opts->num_mnt_opts);
1da177e4 604
c9180a57
EP		 605 return 0;
606
607out_free:
e0007529 608 security_free_mnt_opts(opts);
c9180a57
EP		 609 return rc;
610}
1da177e4 611
c9180a57
EP		 612static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 u32 old_sid, u32 new_sid)
614{
0d90a7ec
DQ		 615 char mnt_flags = sbsec->flags & SE_MNTMASK;
616
c9180a57 617 /* check if the old mount command had the same options */
0d90a7ec 618 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 619 if (!(sbsec->flags & flag) ||
620 (old_sid != new_sid))
621 return 1;
622
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
625 */
0d90a7ec
DQ		 626 if (!(sbsec->flags & SE_SBINITIALIZED))
627 if (mnt_flags & flag)
c9180a57
EP		 628 return 1;
629 return 0;
630}
e0007529 631
c9180a57
EP		 632/*
633 * Allow filesystems with binary mount data to explicitly set mount point
634 * labeling information.
635 */
e0007529 636static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 637 struct security_mnt_opts *opts,
638 unsigned long kern_flags,
639 unsigned long *set_kern_flags)
c9180a57 640{
275bb41e 641 const struct cred *cred = current_cred();
c9180a57 642 int rc = 0, i;
7a90fc39 643 struct superblock_security_struct *sbsec = selinux_superblock(sb);
29b1deb2 644 const char *name = sb->s_type->name;
83da53c5 645 struct dentry *root = sbsec->sb->s_root;
2c97165b 646 struct inode_security_struct *root_isec;
c9180a57
EP		 647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
648 u32 defcontext_sid = 0;
e0007529
EP		 649 char **mount_options = opts->mnt_opts;
650 int *flags = opts->mnt_opts_flags;
651 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 652
653 mutex_lock(&sbsec->lock);
654
655 if (!ss_initialized) {
656 if (!num_opts) {
657 /* Defer initialization until selinux_complete_init,
658 after the initial policy is loaded and the security
659 server is ready to handle calls. */
c9180a57
EP		 660 goto out;
661 }
662 rc = -EINVAL;
744ba35e
EP		 663 printk(KERN_WARNING "SELinux: Unable to set superblock options "
664 "before the security server is initialized\n");
1da177e4 665 goto out;
c9180a57 666 }
649f6e77
DQ		 667 if (kern_flags && !set_kern_flags) {
668 /* Specifying internal flags without providing a place to
669 * place the results is not allowed */
670 rc = -EINVAL;
671 goto out;
672 }
1da177e4 673
e0007529
EP		 674 /*
675 * Binary mount data FS will come through this function twice. Once
676 * from an explicit call and once from the generic calls from the vfs.
677 * Since the generic VFS calls will not contain any security mount data
678 * we need to skip the double mount verification.
679 *
680 * This does open a hole in which we will not notice if the first
681 * mount using this sb set explict options and a second mount using
682 * this sb does not set any security options. (The first options
683 * will be used for both mounts)
684 */
0d90a7ec 685 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 686 && (num_opts == 0))
f5269710 687 goto out;
e0007529 688
2c97165b
PM		 689 root_isec = backing_inode_security_novalidate(root);
690
c9180a57
EP		 691 /*
692 * parse the mount options, check if they are valid sids.
693 * also check if someone is trying to mount the same sb more
694 * than once with different security options.
695 */
696 for (i = 0; i < num_opts; i++) {
697 u32 sid;
11689d47 698
12f348b9 699 if (flags[i] == SBLABEL_MNT)
11689d47 700 continue;
44be2f65 701 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 702 if (rc) {
44be2f65 703 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 704 "(%s) failed for (dev %s, type %s) errno=%d\n",
705 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 706 goto out;
707 }
708 switch (flags[i]) {
709 case FSCONTEXT_MNT:
710 fscontext_sid = sid;
711
712 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
713 fscontext_sid))
714 goto out_double_mount;
715
716 sbsec->flags |= FSCONTEXT_MNT;
717 break;
718 case CONTEXT_MNT:
719 context_sid = sid;
720
721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
722 context_sid))
723 goto out_double_mount;
724
725 sbsec->flags |= CONTEXT_MNT;
726 break;
727 case ROOTCONTEXT_MNT:
728 rootcontext_sid = sid;
729
730 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
731 rootcontext_sid))
732 goto out_double_mount;
733
734 sbsec->flags |= ROOTCONTEXT_MNT;
735
736 break;
737 case DEFCONTEXT_MNT:
738 defcontext_sid = sid;
739
740 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
741 defcontext_sid))
742 goto out_double_mount;
743
744 sbsec->flags |= DEFCONTEXT_MNT;
745
746 break;
747 default:
748 rc = -EINVAL;
749 goto out;
1da177e4 750 }
c9180a57
EP		 751 }
752
0d90a7ec 753 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 754 /* previously mounted with options, but not on this attempt? */
0d90a7ec 755 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 756 goto out_double_mount;
757 rc = 0;
758 goto out;
759 }
760
089be43e 761 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 762 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
763
8e014720 764 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 765 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 766 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 767 !strcmp(sb->s_type->name, "pstore") ||
768 !strcmp(sb->s_type->name, "cgroup") ||
769 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 770 sbsec->flags |= SE_SBGENFS;
c9180a57 771
eb9ae686
DQ		 772 if (!sbsec->behavior) {
773 /*
774 * Determine the labeling behavior to use for this
775 * filesystem type.
776 */
98f700f3 777 rc = security_fs_use(sb);
eb9ae686
DQ		 778 if (rc) {
779 printk(KERN_WARNING
780 "%s: security_fs_use(%s) returned %d\n",
781 __func__, sb->s_type->name, rc);
782 goto out;
783 }
c9180a57 784 }
aad82892
SF		 785
786 /*
01593d32
SS		 787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
aad82892 790 */
01593d32
SS		 791 if (sb->s_user_ns != &init_user_ns &&
792 strcmp(sb->s_type->name, "tmpfs") &&
793 strcmp(sb->s_type->name, "ramfs") &&
794 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 795 if (context_sid || fscontext_sid || rootcontext_sid ||
796 defcontext_sid) {
797 rc = -EACCES;
798 goto out;
799 }
800 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
801 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
802 rc = security_transition_sid(current_sid(), current_sid(),
803 SECCLASS_FILE, NULL,
804 &sbsec->mntpoint_sid);
805 if (rc)
806 goto out;
807 }
808 goto out_set_opts;
809 }
810
c9180a57
EP		 811 /* sets the context of the superblock for the fs being mounted. */
812 if (fscontext_sid) {
275bb41e 813 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 814 if (rc)
c9180a57 815 goto out;
1da177e4 816
c9180a57 817 sbsec->sid = fscontext_sid;
c312feb2
EP		 818 }
819
820 /*
821 * Switch to using mount point labeling behavior.
822 * sets the label used on all file below the mountpoint, and will set
823 * the superblock context if not already set.
824 */
eb9ae686
DQ		 825 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
826 sbsec->behavior = SECURITY_FS_USE_NATIVE;
827 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
828 }
829
c9180a57
EP		 830 if (context_sid) {
831 if (!fscontext_sid) {
275bb41e
DH		 832 rc = may_context_mount_sb_relabel(context_sid, sbsec,
833 cred);
b04ea3ce 834 if (rc)
c9180a57
EP		 835 goto out;
836 sbsec->sid = context_sid;
b04ea3ce 837 } else {
275bb41e
DH		 838 rc = may_context_mount_inode_relabel(context_sid, sbsec,
839 cred);
b04ea3ce 840 if (rc)
c9180a57 841 goto out;
b04ea3ce 842 }
c9180a57
EP		 843 if (!rootcontext_sid)
844 rootcontext_sid = context_sid;
1da177e4 845
c9180a57 846 sbsec->mntpoint_sid = context_sid;
c312feb2 847 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 848 }
849
c9180a57 850 if (rootcontext_sid) {
275bb41e
DH		 851 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
852 cred);
0808925e 853 if (rc)
c9180a57 854 goto out;
0808925e 855
c9180a57 856 root_isec->sid = rootcontext_sid;
6f3be9f5 857 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 858 }
859
c9180a57 860 if (defcontext_sid) {
eb9ae686
DQ		 861 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
862 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 863 rc = -EINVAL;
864 printk(KERN_WARNING "SELinux: defcontext option is "
865 "invalid for this filesystem type\n");
866 goto out;
1da177e4
LT		 867 }
868
c9180a57
EP		 869 if (defcontext_sid != sbsec->def_sid) {
870 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 871 sbsec, cred);
c9180a57
EP		 872 if (rc)
873 goto out;
874 }
1da177e4 875
c9180a57 876 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 877 }
878
aad82892 879out_set_opts:
c9180a57 880 rc = sb_finish_set_opts(sb);
1da177e4 881out:
c9180a57 882 mutex_unlock(&sbsec->lock);
1da177e4 883 return rc;
c9180a57
EP		 884out_double_mount:
885 rc = -EINVAL;
886 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 887 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 888 goto out;
1da177e4
LT		 889}
890
094f7b69
JL		 891static int selinux_cmp_sb_context(const struct super_block *oldsb,
892 const struct super_block *newsb)
893{
7a90fc39
CS		 894 struct superblock_security_struct *old = selinux_superblock(oldsb);
895 struct superblock_security_struct *new = selinux_superblock(newsb);
094f7b69
JL		 896 char oldflags = old->flags & SE_MNTMASK;
897 char newflags = new->flags & SE_MNTMASK;
898
899 if (oldflags != newflags)
900 goto mismatch;
901 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
902 goto mismatch;
903 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
904 goto mismatch;
905 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
906 goto mismatch;
907 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 908 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
909 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 910 if (oldroot->sid != newroot->sid)
911 goto mismatch;
912 }
913 return 0;
914mismatch:
915 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
916 "different security settings for (dev %s, "
917 "type %s)\n", newsb->s_id, newsb->s_type->name);
918 return -EBUSY;
919}
920
921static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 922 struct super_block *newsb,
923 unsigned long kern_flags,
924 unsigned long *set_kern_flags)
1da177e4 925{
0b4d3452 926 int rc = 0;
7a90fc39
CS		 927 const struct superblock_security_struct *oldsbsec =
928 selinux_superblock(oldsb);
929 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
1da177e4 930
c9180a57
EP		 931 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
932 int set_context = (oldsbsec->flags & CONTEXT_MNT);
933 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 934
0f5e6420
EP		 935 /*
936 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 937 * mount options. thus we can safely deal with this superblock later
0f5e6420 938 */
e8c26255 939 if (!ss_initialized)
094f7b69 940 return 0;
c9180a57 941
0b4d3452
SM		 942 /*
943 * Specifying internal flags without providing a place to
944 * place the results is not allowed.
945 */
946 if (kern_flags && !set_kern_flags)
947 return -EINVAL;
948
c9180a57 949 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 951
094f7b69 952 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 953 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 954 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 955
c9180a57
EP		 956 mutex_lock(&newsbsec->lock);
957
958 newsbsec->flags = oldsbsec->flags;
959
960 newsbsec->sid = oldsbsec->sid;
961 newsbsec->def_sid = oldsbsec->def_sid;
962 newsbsec->behavior = oldsbsec->behavior;
963
0b4d3452
SM		 964 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
965 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
966 rc = security_fs_use(newsb);
967 if (rc)
968 goto out;
969 }
970
971 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
972 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
973 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
974 }
975
c9180a57
EP		 976 if (set_context) {
977 u32 sid = oldsbsec->mntpoint_sid;
978
979 if (!set_fscontext)
980 newsbsec->sid = sid;
981 if (!set_rootcontext) {
7a90fc39
CS		 982 struct inode_security_struct *newisec =
983 backing_inode_security(newsb->s_root);
c9180a57
EP		 984 newisec->sid = sid;
985 }
986 newsbsec->mntpoint_sid = sid;
1da177e4 987 }
c9180a57 988 if (set_rootcontext) {
7a90fc39
CS		 989 const struct inode_security_struct *oldisec =
990 backing_inode_security(oldsb->s_root);
991 struct inode_security_struct *newisec =
992 backing_inode_security(newsb->s_root);
1da177e4 993
c9180a57 994 newisec->sid = oldisec->sid;
1da177e4
LT		 995 }
996
c9180a57 997 sb_finish_set_opts(newsb);
0b4d3452 998out:
c9180a57 999 mutex_unlock(&newsbsec->lock);
0b4d3452 1000 return rc;
c9180a57
EP		 1001}
1002
2e1479d9
AB		 1003static int selinux_parse_opts_str(char *options,
1004 struct security_mnt_opts *opts)
c9180a57 1005{
e0007529 1006 char *p;
c9180a57
EP		 1007 char *context = NULL, *defcontext = NULL;
1008 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1009 int rc, num_mnt_opts = 0;
1da177e4 1010
e0007529 1011 opts->num_mnt_opts = 0;
1da177e4 1012
c9180a57
EP		 1013 /* Standard string-based options. */
1014 while ((p = strsep(&options, "|")) != NULL) {
1015 int token;
1016 substring_t args[MAX_OPT_ARGS];
1da177e4 1017
c9180a57
EP		 1018 if (!*p)
1019 continue;
1da177e4 1020
c9180a57 1021 token = match_token(p, tokens, args);
1da177e4 1022
c9180a57
EP		 1023 switch (token) {
1024 case Opt_context:
1025 if (context || defcontext) {
1026 rc = -EINVAL;
1027 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1028 goto out_err;
1029 }
1030 context = match_strdup(&args[0]);
1031 if (!context) {
1032 rc = -ENOMEM;
1033 goto out_err;
1034 }
1035 break;
1036
1037 case Opt_fscontext:
1038 if (fscontext) {
1039 rc = -EINVAL;
1040 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1041 goto out_err;
1042 }
1043 fscontext = match_strdup(&args[0]);
1044 if (!fscontext) {
1045 rc = -ENOMEM;
1046 goto out_err;
1047 }
1048 break;
1049
1050 case Opt_rootcontext:
1051 if (rootcontext) {
1052 rc = -EINVAL;
1053 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1054 goto out_err;
1055 }
1056 rootcontext = match_strdup(&args[0]);
1057 if (!rootcontext) {
1058 rc = -ENOMEM;
1059 goto out_err;
1060 }
1061 break;
1062
1063 case Opt_defcontext:
1064 if (context || defcontext) {
1065 rc = -EINVAL;
1066 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1067 goto out_err;
1068 }
1069 defcontext = match_strdup(&args[0]);
1070 if (!defcontext) {
1071 rc = -ENOMEM;
1072 goto out_err;
1073 }
1074 break;
11689d47
DQ		 1075 case Opt_labelsupport:
1076 break;
c9180a57
EP		 1077 default:
1078 rc = -EINVAL;
1079 printk(KERN_WARNING "SELinux: unknown mount option\n");
1080 goto out_err;
1da177e4 1081
1da177e4 1082 }
1da177e4 1083 }
c9180a57 1084
e0007529 1085 rc = -ENOMEM;
8931c3bd 1086 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1087 if (!opts->mnt_opts)
1088 goto out_err;
1089
8931c3bd
TH		 1090 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1091 GFP_KERNEL);
023f108d 1092 if (!opts->mnt_opts_flags)
e0007529 1093 goto out_err;
e0007529 1094
c9180a57 1095 if (fscontext) {
e0007529
EP		 1096 opts->mnt_opts[num_mnt_opts] = fscontext;
1097 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1098 }
1099 if (context) {
e0007529
EP		 1100 opts->mnt_opts[num_mnt_opts] = context;
1101 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1102 }
1103 if (rootcontext) {
e0007529
EP		 1104 opts->mnt_opts[num_mnt_opts] = rootcontext;
1105 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1106 }
1107 if (defcontext) {
e0007529
EP		 1108 opts->mnt_opts[num_mnt_opts] = defcontext;
1109 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1110 }
1111
e0007529
EP		 1112 opts->num_mnt_opts = num_mnt_opts;
1113 return 0;
1114
c9180a57 1115out_err:
023f108d 1116 security_free_mnt_opts(opts);
c9180a57
EP		 1117 kfree(context);
1118 kfree(defcontext);
1119 kfree(fscontext);
1120 kfree(rootcontext);
1da177e4
LT		 1121 return rc;
1122}
e0007529
EP		 1123/*
1124 * string mount options parsing and call set the sbsec
1125 */
1126static int superblock_doinit(struct super_block *sb, void *data)
1127{
1128 int rc = 0;
1129 char *options = data;
1130 struct security_mnt_opts opts;
1131
1132 security_init_mnt_opts(&opts);
1133
1134 if (!data)
1135 goto out;
1136
1137 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1138
1139 rc = selinux_parse_opts_str(options, &opts);
1140 if (rc)
1141 goto out_err;
1142
1143out:
649f6e77 1144 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1145
1146out_err:
1147 security_free_mnt_opts(&opts);
1148 return rc;
1149}
1da177e4 1150
3583a711
AB		 1151static void selinux_write_opts(struct seq_file *m,
1152 struct security_mnt_opts *opts)
2069f457
EP		 1153{
1154 int i;
1155 char *prefix;
1156
1157 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1158 char *has_comma;
1159
1160 if (opts->mnt_opts[i])
1161 has_comma = strchr(opts->mnt_opts[i], ',');
1162 else
1163 has_comma = NULL;
2069f457
EP		 1164
1165 switch (opts->mnt_opts_flags[i]) {
1166 case CONTEXT_MNT:
1167 prefix = CONTEXT_STR;
1168 break;
1169 case FSCONTEXT_MNT:
1170 prefix = FSCONTEXT_STR;
1171 break;
1172 case ROOTCONTEXT_MNT:
1173 prefix = ROOTCONTEXT_STR;
1174 break;
1175 case DEFCONTEXT_MNT:
1176 prefix = DEFCONTEXT_STR;
1177 break;
12f348b9 1178 case SBLABEL_MNT:
11689d47
DQ		 1179 seq_putc(m, ',');
1180 seq_puts(m, LABELSUPP_STR);
1181 continue;
2069f457
EP		 1182 default:
1183 BUG();
a35c6c83 1184 return;
2069f457
EP		 1185 };
1186 /* we need a comma before each option */
1187 seq_putc(m, ',');
1188 seq_puts(m, prefix);
1189 if (has_comma)
1190 seq_putc(m, '\"');
a068acf2 1191 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1192 if (has_comma)
1193 seq_putc(m, '\"');
1194 }
1195}
1196
1197static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1198{
1199 struct security_mnt_opts opts;
1200 int rc;
1201
1202 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1203 if (rc) {
1204 /* before policy load we may get EINVAL, don't show anything */
1205 if (rc == -EINVAL)
1206 rc = 0;
2069f457 1207 return rc;
383795c2 1208 }
2069f457
EP		 1209
1210 selinux_write_opts(m, &opts);
1211
1212 security_free_mnt_opts(&opts);
1213
1214 return rc;
1215}
1216
1da177e4
LT		 1217static inline u16 inode_mode_to_security_class(umode_t mode)
1218{
1219 switch (mode & S_IFMT) {
1220 case S_IFSOCK:
1221 return SECCLASS_SOCK_FILE;
1222 case S_IFLNK:
1223 return SECCLASS_LNK_FILE;
1224 case S_IFREG:
1225 return SECCLASS_FILE;
1226 case S_IFBLK:
1227 return SECCLASS_BLK_FILE;
1228 case S_IFDIR:
1229 return SECCLASS_DIR;
1230 case S_IFCHR:
1231 return SECCLASS_CHR_FILE;
1232 case S_IFIFO:
1233 return SECCLASS_FIFO_FILE;
1234
1235 }
1236
1237 return SECCLASS_FILE;
1238}
1239
13402580
JM		 1240static inline int default_protocol_stream(int protocol)
1241{
1242 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1243}
1244
1245static inline int default_protocol_dgram(int protocol)
1246{
1247 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1248}
1249
1da177e4
LT		 1250static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1251{
da69a530
SS		 1252 int extsockclass = selinux_policycap_extsockclass;
1253
1da177e4
LT		 1254 switch (family) {
1255 case PF_UNIX:
1256 switch (type) {
1257 case SOCK_STREAM:
1258 case SOCK_SEQPACKET:
1259 return SECCLASS_UNIX_STREAM_SOCKET;
1260 case SOCK_DGRAM:
2a764b52 1261 case SOCK_RAW:
1da177e4
LT		 1262 return SECCLASS_UNIX_DGRAM_SOCKET;
1263 }
1264 break;
1265 case PF_INET:
1266 case PF_INET6:
1267 switch (type) {
1268 case SOCK_STREAM:
da69a530 1269 case SOCK_SEQPACKET:
13402580
JM		 1270 if (default_protocol_stream(protocol))
1271 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1272 else if (extsockclass && protocol == IPPROTO_SCTP)
1273 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1274 else
1275 return SECCLASS_RAWIP_SOCKET;
1da177e4 1276 case SOCK_DGRAM:
13402580
JM		 1277 if (default_protocol_dgram(protocol))
1278 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1279 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1280 protocol == IPPROTO_ICMPV6))
da69a530 1281 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1282 else
1283 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1284 case SOCK_DCCP:
1285 return SECCLASS_DCCP_SOCKET;
13402580 1286 default:
1da177e4
LT		 1287 return SECCLASS_RAWIP_SOCKET;
1288 }
1289 break;
1290 case PF_NETLINK:
1291 switch (protocol) {
1292 case NETLINK_ROUTE:
1293 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1294 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1295 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1296 case NETLINK_NFLOG:
1297 return SECCLASS_NETLINK_NFLOG_SOCKET;
1298 case NETLINK_XFRM:
1299 return SECCLASS_NETLINK_XFRM_SOCKET;
1300 case NETLINK_SELINUX:
1301 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1302 case NETLINK_ISCSI:
1303 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1304 case NETLINK_AUDIT:
1305 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1306 case NETLINK_FIB_LOOKUP:
1307 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1308 case NETLINK_CONNECTOR:
1309 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1310 case NETLINK_NETFILTER:
1311 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1312 case NETLINK_DNRTMSG:
1313 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1314 case NETLINK_KOBJECT_UEVENT:
1315 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1316 case NETLINK_GENERIC:
1317 return SECCLASS_NETLINK_GENERIC_SOCKET;
1318 case NETLINK_SCSITRANSPORT:
1319 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1320 case NETLINK_RDMA:
1321 return SECCLASS_NETLINK_RDMA_SOCKET;
1322 case NETLINK_CRYPTO:
1323 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1324 default:
1325 return SECCLASS_NETLINK_SOCKET;
1326 }
1327 case PF_PACKET:
1328 return SECCLASS_PACKET_SOCKET;
1329 case PF_KEY:
1330 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1331 case PF_APPLETALK:
1332 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1333 }
1334
da69a530
SS		 1335 if (extsockclass) {
1336 switch (family) {
1337 case PF_AX25:
1338 return SECCLASS_AX25_SOCKET;
1339 case PF_IPX:
1340 return SECCLASS_IPX_SOCKET;
1341 case PF_NETROM:
1342 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1343 case PF_ATMPVC:
1344 return SECCLASS_ATMPVC_SOCKET;
1345 case PF_X25:
1346 return SECCLASS_X25_SOCKET;
1347 case PF_ROSE:
1348 return SECCLASS_ROSE_SOCKET;
1349 case PF_DECnet:
1350 return SECCLASS_DECNET_SOCKET;
1351 case PF_ATMSVC:
1352 return SECCLASS_ATMSVC_SOCKET;
1353 case PF_RDS:
1354 return SECCLASS_RDS_SOCKET;
1355 case PF_IRDA:
1356 return SECCLASS_IRDA_SOCKET;
1357 case PF_PPPOX:
1358 return SECCLASS_PPPOX_SOCKET;
1359 case PF_LLC:
1360 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1361 case PF_CAN:
1362 return SECCLASS_CAN_SOCKET;
1363 case PF_TIPC:
1364 return SECCLASS_TIPC_SOCKET;
1365 case PF_BLUETOOTH:
1366 return SECCLASS_BLUETOOTH_SOCKET;
1367 case PF_IUCV:
1368 return SECCLASS_IUCV_SOCKET;
1369 case PF_RXRPC:
1370 return SECCLASS_RXRPC_SOCKET;
1371 case PF_ISDN:
1372 return SECCLASS_ISDN_SOCKET;
1373 case PF_PHONET:
1374 return SECCLASS_PHONET_SOCKET;
1375 case PF_IEEE802154:
1376 return SECCLASS_IEEE802154_SOCKET;
1377 case PF_CAIF:
1378 return SECCLASS_CAIF_SOCKET;
1379 case PF_ALG:
1380 return SECCLASS_ALG_SOCKET;
1381 case PF_NFC:
1382 return SECCLASS_NFC_SOCKET;
1383 case PF_VSOCK:
1384 return SECCLASS_VSOCK_SOCKET;
1385 case PF_KCM:
1386 return SECCLASS_KCM_SOCKET;
1387 case PF_QIPCRTR:
1388 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1389 case PF_SMC:
1390 return SECCLASS_SMC_SOCKET;
1391#if PF_MAX > 44
da69a530
SS		 1392#error New address family defined, please update this function.
1393#endif
1394 }
1395 }
1396
1da177e4
LT		 1397 return SECCLASS_SOCKET;
1398}
1399
134509d5
SS		 1400static int selinux_genfs_get_sid(struct dentry *dentry,
1401 u16 tclass,
1402 u16 flags,
1403 u32 *sid)
1da177e4 1404{
8e6c9693 1405 int rc;
fc64005c 1406 struct super_block *sb = dentry->d_sb;
8e6c9693 1407 char *buffer, *path;
1da177e4 1408
828dfe1d 1409 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1410 if (!buffer)
1411 return -ENOMEM;
1412
8e6c9693
LAG		 1413 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1414 if (IS_ERR(path))
1415 rc = PTR_ERR(path);
1416 else {
134509d5
SS		 1417 if (flags & SE_SBPROC) {
1418 /* each process gets a /proc/PID/ entry. Strip off the
1419 * PID part to get a valid selinux labeling.
1420 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1421 while (path[1] >= '0' && path[1] <= '9') {
1422 path[1] = '/';
1423 path++;
1424 }
8e6c9693 1425 }
134509d5 1426 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1427 }
1da177e4
LT		 1428 free_page((unsigned long)buffer);
1429 return rc;
1430}
1da177e4
LT		 1431
1432/* The inode's security attributes must be initialized before first use. */
1433static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1434{
1435 struct superblock_security_struct *sbsec = NULL;
7a90fc39 1436 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1437 u32 task_sid, sid = 0;
1438 u16 sclass;
1da177e4
LT		 1439 struct dentry *dentry;
1440#define INITCONTEXTLEN 255
1441 char *context = NULL;
1442 unsigned len = 0;
1443 int rc = 0;
1da177e4 1444
6f3be9f5 1445 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1446 return 0;
1da177e4 1447
9287aed2 1448 spin_lock(&isec->lock);
6f3be9f5 1449 if (isec->initialized == LABEL_INITIALIZED)
23970741 1450 goto out_unlock;
1da177e4 1451
13457d07
AG		 1452 if (isec->sclass == SECCLASS_FILE)
1453 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1454
7a90fc39 1455 sbsec = selinux_superblock(inode->i_sb);
0d90a7ec 1456 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1457 /* Defer initialization until selinux_complete_init,
1458 after the initial policy is loaded and the security
1459 server is ready to handle calls. */
1460 spin_lock(&sbsec->isec_lock);
1461 if (list_empty(&isec->list))
1462 list_add(&isec->list, &sbsec->isec_head);
1463 spin_unlock(&sbsec->isec_lock);
23970741 1464 goto out_unlock;
1da177e4
LT		 1465 }
1466
9287aed2
AG		 1467 sclass = isec->sclass;
1468 task_sid = isec->task_sid;
1469 sid = isec->sid;
1470 isec->initialized = LABEL_PENDING;
1471 spin_unlock(&isec->lock);
1472
1da177e4 1473 switch (sbsec->behavior) {
eb9ae686
DQ		 1474 case SECURITY_FS_USE_NATIVE:
1475 break;
1da177e4 1476 case SECURITY_FS_USE_XATTR:
5d6c3191 1477 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1478 sid = sbsec->def_sid;
1da177e4
LT		 1479 break;
1480 }
1da177e4
LT		 1481 /* Need a dentry, since the xattr API requires one.
1482 Life would be simpler if we could just pass the inode. */
1483 if (opt_dentry) {
1484 /* Called from d_instantiate or d_splice_alias. */
1485 dentry = dget(opt_dentry);
1486 } else {
26b45d71
AV		 1487 /*
1488 * Called from selinux_complete_init, try to find a dentry.
1489 * Some filesystems really want a connected one, so try
1490 * that first. We could split SECURITY_FS_USE_XATTR in
1491 * two, depending upon that...
1492 */
1da177e4 1493 dentry = d_find_alias(inode);
26b45d71
AV		 1494 if (!dentry)
1495 dentry = d_find_any_alias(inode);
1da177e4
LT		 1496 }
1497 if (!dentry) {
df7f54c0
EP		 1498 /*
1499 * this is can be hit on boot when a file is accessed
1500 * before the policy is loaded. When we load policy we
1501 * may find inodes that have no dentry on the
1502 * sbsec->isec_head list. No reason to complain as these
1503 * will get fixed up the next time we go through
1504 * inode_doinit with a dentry, before these inodes could
1505 * be used again by userspace.
1506 */
9287aed2 1507 goto out;
1da177e4
LT		 1508 }
1509
1510 len = INITCONTEXTLEN;
4cb912f1 1511 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1512 if (!context) {
1513 rc = -ENOMEM;
1514 dput(dentry);
9287aed2 1515 goto out;
1da177e4 1516 }
4cb912f1 1517 context[len] = '\0';
5d6c3191 1518 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1519 if (rc == -ERANGE) {
314dabb8
JM		 1520 kfree(context);
1521
1da177e4 1522 /* Need a larger buffer. Query for the right size. */
5d6c3191 1523 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1524 if (rc < 0) {
1525 dput(dentry);
9287aed2 1526 goto out;
1da177e4 1527 }
1da177e4 1528 len = rc;
4cb912f1 1529 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1530 if (!context) {
1531 rc = -ENOMEM;
1532 dput(dentry);
9287aed2 1533 goto out;
1da177e4 1534 }
4cb912f1 1535 context[len] = '\0';
5d6c3191 1536 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1537 }
1538 dput(dentry);
1539 if (rc < 0) {
1540 if (rc != -ENODATA) {
744ba35e 1541 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1542 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1543 -rc, inode->i_sb->s_id, inode->i_ino);
1544 kfree(context);
9287aed2 1545 goto out;
1da177e4
LT		 1546 }
1547 /* Map ENODATA to the default file SID */
1548 sid = sbsec->def_sid;
1549 rc = 0;
1550 } else {
f5c1d5b2 1551 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1552 sbsec->def_sid,
1553 GFP_NOFS);
1da177e4 1554 if (rc) {
4ba0a8ad
EP		 1555 char *dev = inode->i_sb->s_id;
1556 unsigned long ino = inode->i_ino;
1557
1558 if (rc == -EINVAL) {
1559 if (printk_ratelimit())
1560 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1561 "context=%s. This indicates you may need to relabel the inode or the "
1562 "filesystem in question.\n", ino, dev, context);
1563 } else {
1564 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1565 "returned %d for dev=%s ino=%ld\n",
1566 __func__, context, -rc, dev, ino);
1567 }
1da177e4
LT		 1568 kfree(context);
1569 /* Leave with the unlabeled SID */
1570 rc = 0;
1571 break;
1572 }
1573 }
1574 kfree(context);
1da177e4
LT		 1575 break;
1576 case SECURITY_FS_USE_TASK:
9287aed2 1577 sid = task_sid;
1da177e4
LT		 1578 break;
1579 case SECURITY_FS_USE_TRANS:
1580 /* Default to the fs SID. */
9287aed2 1581 sid = sbsec->sid;
1da177e4
LT		 1582
1583 /* Try to obtain a transition SID. */
9287aed2 1584 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1585 if (rc)
9287aed2 1586 goto out;
1da177e4 1587 break;
c312feb2 1588 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1589 sid = sbsec->mntpoint_sid;
c312feb2 1590 break;
1da177e4 1591 default:
c312feb2 1592 /* Default to the fs superblock SID. */
9287aed2 1593 sid = sbsec->sid;
1da177e4 1594
134509d5 1595 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1596 /* We must have a dentry to determine the label on
1597 * procfs inodes */
26b45d71 1598 if (opt_dentry) {
f64410ec
PM		 1599 /* Called from d_instantiate or
1600 * d_splice_alias. */
1601 dentry = dget(opt_dentry);
26b45d71 1602 } else {
f64410ec 1603 /* Called from selinux_complete_init, try to
26b45d71
AV		 1604 * find a dentry. Some filesystems really want
1605 * a connected one, so try that first.
1606 */
f64410ec 1607 dentry = d_find_alias(inode);
26b45d71
AV		 1608 if (!dentry)
1609 dentry = d_find_any_alias(inode);
1610 }
f64410ec
PM		 1611 /*
1612 * This can be hit on boot when a file is accessed
1613 * before the policy is loaded. When we load policy we
1614 * may find inodes that have no dentry on the
1615 * sbsec->isec_head list. No reason to complain as
1616 * these will get fixed up the next time we go through
1617 * inode_doinit() with a dentry, before these inodes
1618 * could be used again by userspace.
1619 */
1620 if (!dentry)
9287aed2
AG		 1621 goto out;
1622 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1623 sbsec->flags, &sid);
f64410ec
PM		 1624 dput(dentry);
1625 if (rc)
9287aed2 1626 goto out;
1da177e4
LT		 1627 }
1628 break;
1629 }
1630
9287aed2
AG		 1631out:
1632 spin_lock(&isec->lock);
1633 if (isec->initialized == LABEL_PENDING) {
1634 if (!sid || rc) {
1635 isec->initialized = LABEL_INVALID;
1636 goto out_unlock;
1637 }
1638
1639 isec->initialized = LABEL_INITIALIZED;
1640 isec->sid = sid;
1641 }
1da177e4 1642
23970741 1643out_unlock:
9287aed2 1644 spin_unlock(&isec->lock);
1da177e4
LT		 1645 return rc;
1646}
1647
1648/* Convert a Linux signal to an access vector. */
1649static inline u32 signal_to_av(int sig)
1650{
1651 u32 perm = 0;
1652
1653 switch (sig) {
1654 case SIGCHLD:
1655 /* Commonly granted from child to parent. */
1656 perm = PROCESS__SIGCHLD;
1657 break;
1658 case SIGKILL:
1659 /* Cannot be caught or ignored */
1660 perm = PROCESS__SIGKILL;
1661 break;
1662 case SIGSTOP:
1663 /* Cannot be caught or ignored */
1664 perm = PROCESS__SIGSTOP;
1665 break;
1666 default:
1667 /* All other signals. */
1668 perm = PROCESS__SIGNAL;
1669 break;
1670 }
1671
1672 return perm;
1673}
1674
b68e418c
SS		 1675#if CAP_LAST_CAP > 63
1676#error Fix SELinux to handle capabilities > 63.
1677#endif
1678
1da177e4 1679/* Check whether a task is allowed to use a capability. */
6a9de491 1680static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1681 int cap, int audit, bool initns)
1da177e4 1682{
2bf49690 1683 struct common_audit_data ad;
06112163 1684 struct av_decision avd;
b68e418c 1685 u16 sclass;
3699c53c 1686 u32 sid = cred_sid(cred);
b68e418c 1687 u32 av = CAP_TO_MASK(cap);
06112163 1688 int rc;
1da177e4 1689
50c205f5 1690 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1691 ad.u.cap = cap;
1692
b68e418c
SS		 1693 switch (CAP_TO_INDEX(cap)) {
1694 case 0:
8e4ff6f2 1695 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1696 break;
1697 case 1:
8e4ff6f2 1698 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1699 break;
1700 default:
1701 printk(KERN_ERR
1702 "SELinux: out of range capability %d\n", cap);
1703 BUG();
a35c6c83 1704 return -EINVAL;
b68e418c 1705 }
06112163 1706
275bb41e 1707 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1708 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1709 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1710 if (rc2)
1711 return rc2;
1712 }
06112163 1713 return rc;
1da177e4
LT		 1714}
1715
1da177e4
LT		 1716/* Check whether a task has a particular permission to an inode.
1717 The 'adp' parameter is optional and allows other audit
1718 data to be passed (e.g. the dentry). */
88e67f3b 1719static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1720 struct inode *inode,
1721 u32 perms,
19e49834 1722 struct common_audit_data *adp)
1da177e4 1723{
1da177e4 1724 struct inode_security_struct *isec;
275bb41e 1725 u32 sid;
1da177e4 1726
e0e81739
DH		 1727 validate_creds(cred);
1728
828dfe1d 1729 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1730 return 0;
1731
88e67f3b 1732 sid = cred_sid(cred);
7a90fc39 1733 isec = selinux_inode(inode);
1da177e4 1734
19e49834 1735 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1736}
1737
1738/* Same as inode_has_perm, but pass explicit audit data containing
1739 the dentry to help the auditing code to more easily generate the
1740 pathname if needed. */
88e67f3b 1741static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1742 struct dentry *dentry,
1743 u32 av)
1744{
c6f493d6 1745 struct inode *inode = d_backing_inode(dentry);
2bf49690 1746 struct common_audit_data ad;
88e67f3b 1747
50c205f5 1748 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1749 ad.u.dentry = dentry;
5d226df4 1750 __inode_security_revalidate(inode, dentry, true);
19e49834 1751 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1752}
1753
1754/* Same as inode_has_perm, but pass explicit audit data containing
1755 the path to help the auditing code to more easily generate the
1756 pathname if needed. */
1757static inline int path_has_perm(const struct cred *cred,
3f7036a0 1758 const struct path *path,
2875fa00
EP		 1759 u32 av)
1760{
c6f493d6 1761 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1762 struct common_audit_data ad;
1763
50c205f5 1764 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1765 ad.u.path = *path;
5d226df4 1766 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1767 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1768}
1769
13f8e981
DH		 1770/* Same as path_has_perm, but uses the inode from the file struct. */
1771static inline int file_path_has_perm(const struct cred *cred,
1772 struct file *file,
1773 u32 av)
1774{
1775 struct common_audit_data ad;
1776
43af5de7
VG		 1777 ad.type = LSM_AUDIT_DATA_FILE;
1778 ad.u.file = file;
19e49834 1779 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1780}
1781
f66e448c
CF		 1782#ifdef CONFIG_BPF_SYSCALL
1783static int bpf_fd_pass(struct file *file, u32 sid);
1784#endif
1785
1da177e4
LT		 1786/* Check whether a task can use an open file descriptor to
1787 access an inode in a given way. Check access to the
1788 descriptor itself, and then use dentry_has_perm to
1789 check a particular permission to the file.
1790 Access to the descriptor is implicitly granted if it
1791 has the same SID as the process. If av is zero, then
1792 access to the file is not checked, e.g. for cases
1793 where only the descriptor is affected like seek. */
88e67f3b
DH		 1794static int file_has_perm(const struct cred *cred,
1795 struct file *file,
1796 u32 av)
1da177e4 1797{
ab9b110b 1798 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1799 struct inode *inode = file_inode(file);
2bf49690 1800 struct common_audit_data ad;
88e67f3b 1801 u32 sid = cred_sid(cred);
1da177e4
LT		 1802 int rc;
1803
43af5de7
VG		 1804 ad.type = LSM_AUDIT_DATA_FILE;
1805 ad.u.file = file;
1da177e4 1806
275bb41e
DH		 1807 if (sid != fsec->sid) {
1808 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1809 SECCLASS_FD,
1810 FD__USE,
1811 &ad);
1812 if (rc)
88e67f3b 1813 goto out;
1da177e4
LT		 1814 }
1815
f66e448c
CF		 1816#ifdef CONFIG_BPF_SYSCALL
1817 rc = bpf_fd_pass(file, cred_sid(cred));
1818 if (rc)
1819 return rc;
1820#endif
1821
1da177e4 1822 /* av is zero if only checking access to the descriptor. */
88e67f3b 1823 rc = 0;
1da177e4 1824 if (av)
19e49834 1825 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1826
88e67f3b
DH		 1827out:
1828 return rc;
1da177e4
LT		 1829}
1830
c3c188b2
DH		 1831/*
1832 * Determine the label for an inode that might be unioned.
1833 */
c957f6df
VG		 1834static int
1835selinux_determine_inode_label(const struct task_security_struct *tsec,
1836 struct inode *dir,
1837 const struct qstr *name, u16 tclass,
1838 u32 *_new_isid)
c3c188b2 1839{
7a90fc39
CS		 1840 const struct superblock_security_struct *sbsec =
1841 selinux_superblock(dir->i_sb);
c3c188b2
DH		 1842
1843 if ((sbsec->flags & SE_SBINITIALIZED) &&
1844 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1845 *_new_isid = sbsec->mntpoint_sid;
1846 } else if ((sbsec->flags & SBLABEL_MNT) &&
1847 tsec->create_sid) {
1848 *_new_isid = tsec->create_sid;
1849 } else {
20cdef8d 1850 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1851 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1852 name, _new_isid);
1853 }
1854
1855 return 0;
1856}
1857
1da177e4
LT		 1858/* Check whether a task can create a file. */
1859static int may_create(struct inode *dir,
1860 struct dentry *dentry,
1861 u16 tclass)
1862{
f1efc8c4 1863 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1864 struct inode_security_struct *dsec;
1865 struct superblock_security_struct *sbsec;
275bb41e 1866 u32 sid, newsid;
2bf49690 1867 struct common_audit_data ad;
1da177e4
LT		 1868 int rc;
1869
83da53c5 1870 dsec = inode_security(dir);
7a90fc39 1871 sbsec = selinux_superblock(dir->i_sb);
1da177e4 1872
275bb41e 1873 sid = tsec->sid;
275bb41e 1874
50c205f5 1875 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1876 ad.u.dentry = dentry;
1da177e4 1877
275bb41e 1878 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1879 DIR__ADD_NAME | DIR__SEARCH,
1880 &ad);
1881 if (rc)
1882 return rc;
1883
f1efc8c4 1884 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
c957f6df 1885 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1886 if (rc)
1887 return rc;
1da177e4 1888
275bb41e 1889 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1890 if (rc)
1891 return rc;
1892
1893 return avc_has_perm(newsid, sbsec->sid,
1894 SECCLASS_FILESYSTEM,
1895 FILESYSTEM__ASSOCIATE, &ad);
1896}
1897
828dfe1d
EP		 1898#define MAY_LINK 0
1899#define MAY_UNLINK 1
1900#define MAY_RMDIR 2
1da177e4
LT		 1901
1902/* Check whether a task can link, unlink, or rmdir a file/directory. */
1903static int may_link(struct inode *dir,
1904 struct dentry *dentry,
1905 int kind)
1906
1907{
1da177e4 1908 struct inode_security_struct *dsec, *isec;
2bf49690 1909 struct common_audit_data ad;
275bb41e 1910 u32 sid = current_sid();
1da177e4
LT		 1911 u32 av;
1912 int rc;
1913
83da53c5
AG		 1914 dsec = inode_security(dir);
1915 isec = backing_inode_security(dentry);
1da177e4 1916
50c205f5 1917 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1918 ad.u.dentry = dentry;
1da177e4
LT		 1919
1920 av = DIR__SEARCH;
1921 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1922 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1923 if (rc)
1924 return rc;
1925
1926 switch (kind) {
1927 case MAY_LINK:
1928 av = FILE__LINK;
1929 break;
1930 case MAY_UNLINK:
1931 av = FILE__UNLINK;
1932 break;
1933 case MAY_RMDIR:
1934 av = DIR__RMDIR;
1935 break;
1936 default:
744ba35e
EP		 1937 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1938 __func__, kind);
1da177e4
LT		 1939 return 0;
1940 }
1941
275bb41e 1942 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1943 return rc;
1944}
1945
1946static inline int may_rename(struct inode *old_dir,
1947 struct dentry *old_dentry,
1948 struct inode *new_dir,
1949 struct dentry *new_dentry)
1950{
1da177e4 1951 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1952 struct common_audit_data ad;
275bb41e 1953 u32 sid = current_sid();
1da177e4
LT		 1954 u32 av;
1955 int old_is_dir, new_is_dir;
1956 int rc;
1957
83da53c5
AG		 1958 old_dsec = inode_security(old_dir);
1959 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1960 old_is_dir = d_is_dir(old_dentry);
83da53c5 1961 new_dsec = inode_security(new_dir);
1da177e4 1962
50c205f5 1963 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1964
a269434d 1965 ad.u.dentry = old_dentry;
275bb41e 1966 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1967 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1968 if (rc)
1969 return rc;
275bb41e 1970 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1971 old_isec->sclass, FILE__RENAME, &ad);
1972 if (rc)
1973 return rc;
1974 if (old_is_dir && new_dir != old_dir) {
275bb41e 1975 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1976 old_isec->sclass, DIR__REPARENT, &ad);
1977 if (rc)
1978 return rc;
1979 }
1980
a269434d 1981 ad.u.dentry = new_dentry;
1da177e4 1982 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1983 if (d_is_positive(new_dentry))
1da177e4 1984 av |= DIR__REMOVE_NAME;
275bb41e 1985 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1986 if (rc)
1987 return rc;
2c616d4d 1988 if (d_is_positive(new_dentry)) {
83da53c5 1989 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1990 new_is_dir = d_is_dir(new_dentry);
275bb41e 1991 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1992 new_isec->sclass,
1993 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1994 if (rc)
1995 return rc;
1996 }
1997
1998 return 0;
1999}
2000
2001/* Check whether a task can perform a filesystem operation. */
88e67f3b 2002static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2003 struct super_block *sb,
2004 u32 perms,
2bf49690 2005 struct common_audit_data *ad)
1da177e4 2006{
1da177e4 2007 struct superblock_security_struct *sbsec;
88e67f3b 2008 u32 sid = cred_sid(cred);
1da177e4 2009
7a90fc39 2010 sbsec = selinux_superblock(sb);
275bb41e 2011 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2012}
2013
2014/* Convert a Linux mode and permission mask to an access vector. */
2015static inline u32 file_mask_to_av(int mode, int mask)
2016{
2017 u32 av = 0;
2018
dba19c60 2019 if (!S_ISDIR(mode)) {
1da177e4
LT		 2020 if (mask & MAY_EXEC)
2021 av |= FILE__EXECUTE;
2022 if (mask & MAY_READ)
2023 av |= FILE__READ;
2024
2025 if (mask & MAY_APPEND)
2026 av |= FILE__APPEND;
2027 else if (mask & MAY_WRITE)
2028 av |= FILE__WRITE;
2029
2030 } else {
2031 if (mask & MAY_EXEC)
2032 av |= DIR__SEARCH;
2033 if (mask & MAY_WRITE)
2034 av |= DIR__WRITE;
2035 if (mask & MAY_READ)
2036 av |= DIR__READ;
2037 }
2038
2039 return av;
2040}
2041
8b6a5a37
EP		 2042/* Convert a Linux file to an access vector. */
2043static inline u32 file_to_av(struct file *file)
2044{
2045 u32 av = 0;
2046
2047 if (file->f_mode & FMODE_READ)
2048 av |= FILE__READ;
2049 if (file->f_mode & FMODE_WRITE) {
2050 if (file->f_flags & O_APPEND)
2051 av |= FILE__APPEND;
2052 else
2053 av |= FILE__WRITE;
2054 }
2055 if (!av) {
2056 /*
2057 * Special file opened with flags 3 for ioctl-only use.
2058 */
2059 av = FILE__IOCTL;
2060 }
2061
2062 return av;
2063}
2064
b0c636b9 2065/*
8b6a5a37 2066 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2067 * open permission.
2068 */
8b6a5a37 2069static inline u32 open_file_to_av(struct file *file)
b0c636b9 2070{
8b6a5a37 2071 u32 av = file_to_av(file);
ccb54478 2072 struct inode *inode = file_inode(file);
b0c636b9 2073
ccb54478 2074 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2075 av |= FILE__OPEN;
2076
b0c636b9
EP		 2077 return av;
2078}
2079
1da177e4
LT		 2080/* Hook functions begin here. */
2081
79af7307
SS		 2082static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2083{
2084 u32 mysid = current_sid();
2085 u32 mgrsid = task_sid(mgr);
2086
2087 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2088 BINDER__SET_CONTEXT_MGR, NULL);
2089}
2090
2091static int selinux_binder_transaction(struct task_struct *from,
2092 struct task_struct *to)
2093{
2094 u32 mysid = current_sid();
2095 u32 fromsid = task_sid(from);
2096 u32 tosid = task_sid(to);
2097 int rc;
2098
2099 if (mysid != fromsid) {
2100 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2101 BINDER__IMPERSONATE, NULL);
2102 if (rc)
2103 return rc;
2104 }
2105
2106 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2107 NULL);
2108}
2109
2110static int selinux_binder_transfer_binder(struct task_struct *from,
2111 struct task_struct *to)
2112{
2113 u32 fromsid = task_sid(from);
2114 u32 tosid = task_sid(to);
2115
2116 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2117 NULL);
2118}
2119
2120static int selinux_binder_transfer_file(struct task_struct *from,
2121 struct task_struct *to,
2122 struct file *file)
2123{
2124 u32 sid = task_sid(to);
ab9b110b 2125 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2126 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2127 struct inode_security_struct *isec;
79af7307
SS		 2128 struct common_audit_data ad;
2129 int rc;
2130
2131 ad.type = LSM_AUDIT_DATA_PATH;
2132 ad.u.path = file->f_path;
2133
2134 if (sid != fsec->sid) {
2135 rc = avc_has_perm(sid, fsec->sid,
2136 SECCLASS_FD,
2137 FD__USE,
2138 &ad);
2139 if (rc)
2140 return rc;
2141 }
2142
f66e448c
CF		 2143#ifdef CONFIG_BPF_SYSCALL
2144 rc = bpf_fd_pass(file, sid);
2145 if (rc)
2146 return rc;
2147#endif
2148
83da53c5 2149 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2150 return 0;
2151
20cdef8d 2152 isec = backing_inode_security(dentry);
79af7307
SS		 2153 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2154 &ad);
2155}
2156
9e48858f 2157static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2158 unsigned int mode)
1da177e4 2159{
be0554c9
SS		 2160 u32 sid = current_sid();
2161 u32 csid = task_sid(child);
2162
2163 if (mode & PTRACE_MODE_READ)
275bb41e 2164 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2165
be0554c9 2166 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2167}
2168
2169static int selinux_ptrace_traceme(struct task_struct *parent)
2170{
be0554c9
SS		 2171 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2172 PROCESS__PTRACE, NULL);
1da177e4
LT		 2173}
2174
2175static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2176 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2177{
be0554c9
SS		 2178 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2179 PROCESS__GETCAP, NULL);
1da177e4
LT		 2180}
2181
d84f4f99
DH		 2182static int selinux_capset(struct cred *new, const struct cred *old,
2183 const kernel_cap_t *effective,
2184 const kernel_cap_t *inheritable,
2185 const kernel_cap_t *permitted)
1da177e4 2186{
be0554c9
SS		 2187 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2188 PROCESS__SETCAP, NULL);
1da177e4
LT		 2189}
2190
5626d3e8
JM		 2191/*
2192 * (This comment used to live with the selinux_task_setuid hook,
2193 * which was removed).
2194 *
2195 * Since setuid only affects the current process, and since the SELinux
2196 * controls are not based on the Linux identity attributes, SELinux does not
2197 * need to control this operation. However, SELinux does control the use of
2198 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2199 */
2200
6a9de491
EP		 2201static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2202 int cap, int audit)
1da177e4 2203{
8e4ff6f2 2204 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2205}
2206
1da177e4
LT		 2207static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2208{
88e67f3b 2209 const struct cred *cred = current_cred();
1da177e4
LT		 2210 int rc = 0;
2211
2212 if (!sb)
2213 return 0;
2214
2215 switch (cmds) {
828dfe1d
EP		 2216 case Q_SYNC:
2217 case Q_QUOTAON:
2218 case Q_QUOTAOFF:
2219 case Q_SETINFO:
2220 case Q_SETQUOTA:
88e67f3b 2221 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2222 break;
2223 case Q_GETFMT:
2224 case Q_GETINFO:
2225 case Q_GETQUOTA:
88e67f3b 2226 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2227 break;
2228 default:
2229 rc = 0; /* let the kernel handle invalid cmds */
2230 break;
1da177e4
LT		 2231 }
2232 return rc;
2233}
2234
2235static int selinux_quota_on(struct dentry *dentry)
2236{
88e67f3b
DH		 2237 const struct cred *cred = current_cred();
2238
2875fa00 2239 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2240}
2241
12b3052c 2242static int selinux_syslog(int type)
1da177e4 2243{
1da177e4 2244 switch (type) {
d78ca3cd
KC		 2245 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2246 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2247 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2248 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2249 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2250 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2251 /* Set level of messages printed to console */
2252 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2253 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2254 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2255 NULL);
1da177e4 2256 }
be0554c9
SS		 2257 /* All other syslog types */
2258 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2259 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2260}
2261
2262/*
2263 * Check that a process has enough memory to allocate a new virtual
2264 * mapping. 0 means there is enough memory for the allocation to
2265 * succeed and -ENOMEM implies there is not.
2266 *
1da177e4
LT		 2267 * Do not audit the selinux permission check, as this is applied to all
2268 * processes that allocate mappings.
2269 */
34b4e4aa 2270static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2271{
2272 int rc, cap_sys_admin = 0;
1da177e4 2273
b1d9e6b0 2274 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2275 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2276 if (rc == 0)
2277 cap_sys_admin = 1;
2278
b1d9e6b0 2279 return cap_sys_admin;
1da177e4
LT		 2280}
2281
2282/* binprm security operations */
2283
be0554c9 2284static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2285{
2286 u32 sid = 0;
2287 struct task_struct *tracer;
2288
2289 rcu_read_lock();
be0554c9 2290 tracer = ptrace_parent(current);
0c6181cb
PM		 2291 if (tracer)
2292 sid = task_sid(tracer);
2293 rcu_read_unlock();
2294
2295 return sid;
2296}
2297
7b0d0b40
SS		 2298static int check_nnp_nosuid(const struct linux_binprm *bprm,
2299 const struct task_security_struct *old_tsec,
2300 const struct task_security_struct *new_tsec)
2301{
2302 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
bf31f6b5 2303 int nosuid = path_nosuid(&bprm->file->f_path);
7b0d0b40 2304 int rc;
af63f419 2305 u32 av;
7b0d0b40
SS		 2306
2307 if (!nnp && !nosuid)
2308 return 0; /* neither NNP nor nosuid */
2309
2310 if (new_tsec->sid == old_tsec->sid)
2311 return 0; /* No change in credentials */
2312
2313 /*
af63f419
SS		 2314 * If the policy enables the nnp_nosuid_transition policy capability,
2315 * then we permit transitions under NNP or nosuid if the
2316 * policy allows the corresponding permission between
2317 * the old and new contexts.
7b0d0b40 2318 */
af63f419
SS		 2319 if (selinux_policycap_nnp_nosuid_transition) {
2320 av = 0;
7b0d0b40 2321 if (nnp)
af63f419
SS		 2322 av |= PROCESS2__NNP_TRANSITION;
2323 if (nosuid)
2324 av |= PROCESS2__NOSUID_TRANSITION;
2325 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2326 SECCLASS_PROCESS2, av, NULL);
2327 if (!rc)
2328 return 0;
7b0d0b40 2329 }
af63f419
SS		 2330
2331 /*
2332 * We also permit NNP or nosuid transitions to bounded SIDs,
2333 * i.e. SIDs that are guaranteed to only be allowed a subset
2334 * of the permissions of the current SID.
2335 */
2336 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2337 if (!rc)
2338 return 0;
2339
2340 /*
2341 * On failure, preserve the errno values for NNP vs nosuid.
2342 * NNP: Operation not permitted for caller.
2343 * nosuid: Permission denied to file.
2344 */
2345 if (nnp)
2346 return -EPERM;
2347 return -EACCES;
7b0d0b40
SS		 2348}
2349
a6f76f23 2350static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2351{
a6f76f23
DH		 2352 const struct task_security_struct *old_tsec;
2353 struct task_security_struct *new_tsec;
1da177e4 2354 struct inode_security_struct *isec;
2bf49690 2355 struct common_audit_data ad;
496ad9aa 2356 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2357 int rc;
2358
a6f76f23
DH		 2359 /* SELinux context only depends on initial program or script and not
2360 * the script interpreter */
ddb4a144 2361 if (bprm->called_set_creds)
1da177e4
LT		 2362 return 0;
2363
f1efc8c4
CS		 2364 old_tsec = selinux_cred(current_cred());
2365 new_tsec = selinux_cred(bprm->cred);
83da53c5 2366 isec = inode_security(inode);
1da177e4
LT		 2367
2368 /* Default to the current task SID. */
a6f76f23
DH		 2369 new_tsec->sid = old_tsec->sid;
2370 new_tsec->osid = old_tsec->sid;
1da177e4 2371
28eba5bf 2372 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2373 new_tsec->create_sid = 0;
2374 new_tsec->keycreate_sid = 0;
2375 new_tsec->sockcreate_sid = 0;
1da177e4 2376
a6f76f23
DH		 2377 if (old_tsec->exec_sid) {
2378 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2379 /* Reset exec SID on execve. */
a6f76f23 2380 new_tsec->exec_sid = 0;
259e5e6c 2381
7b0d0b40
SS		 2382 /* Fail on NNP or nosuid if not an allowed transition. */
2383 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2384 if (rc)
2385 return rc;
1da177e4
LT		 2386 } else {
2387 /* Check for a default transition on this program. */
a6f76f23 2388 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2389 SECCLASS_PROCESS, NULL,
2390 &new_tsec->sid);
1da177e4
LT		 2391 if (rc)
2392 return rc;
7b0d0b40
SS		 2393
2394 /*
2395 * Fallback to old SID on NNP or nosuid if not an allowed
2396 * transition.
2397 */
2398 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2399 if (rc)
2400 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2401 }
2402
43af5de7
VG		 2403 ad.type = LSM_AUDIT_DATA_FILE;
2404 ad.u.file = bprm->file;
1da177e4 2405
a6f76f23
DH		 2406 if (new_tsec->sid == old_tsec->sid) {
2407 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2408 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2409 if (rc)
2410 return rc;
2411 } else {
2412 /* Check permissions for the transition. */
a6f76f23 2413 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2414 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2415 if (rc)
2416 return rc;
2417
a6f76f23 2418 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2419 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2420 if (rc)
2421 return rc;
2422
a6f76f23
DH		 2423 /* Check for shared state */
2424 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2425 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2426 SECCLASS_PROCESS, PROCESS__SHARE,
2427 NULL);
2428 if (rc)
2429 return -EPERM;
2430 }
2431
2432 /* Make sure that anyone attempting to ptrace over a task that
2433 * changes its SID has the appropriate permit */
9227dd2a 2434 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2435 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2436 if (ptsid != 0) {
2437 rc = avc_has_perm(ptsid, new_tsec->sid,
2438 SECCLASS_PROCESS,
2439 PROCESS__PTRACE, NULL);
2440 if (rc)
2441 return -EPERM;
2442 }
2443 }
1da177e4 2444
a6f76f23
DH		 2445 /* Clear any possibly unsafe personality bits on exec: */
2446 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2447
1da177e4
LT		 2448 /* Enable secure mode for SIDs transitions unless
2449 the noatsecure permission is granted between
2450 the two SIDs, i.e. ahp returns 0. */
62874c3a
KC		 2451 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2452 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2453 NULL);
2454 bprm->secureexec |= !!rc;
1da177e4
LT		 2455 }
2456
62874c3a 2457 return 0;
1da177e4
LT		 2458}
2459
c3c073f8
AV		 2460static int match_file(const void *p, struct file *file, unsigned fd)
2461{
2462 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2463}
2464
1da177e4 2465/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2466static inline void flush_unauthorized_files(const struct cred *cred,
2467 struct files_struct *files)
1da177e4 2468{
1da177e4 2469 struct file *file, *devnull = NULL;
b20c8122 2470 struct tty_struct *tty;
24ec839c 2471 int drop_tty = 0;
c3c073f8 2472 unsigned n;
1da177e4 2473
24ec839c 2474 tty = get_current_tty();
1da177e4 2475 if (tty) {
4a510969 2476 spin_lock(&tty->files_lock);
37dd0bd0 2477 if (!list_empty(&tty->tty_files)) {
d996b62a 2478 struct tty_file_private *file_priv;
37dd0bd0 2479
1da177e4 2480 /* Revalidate access to controlling tty.
13f8e981
DH		 2481 Use file_path_has_perm on the tty path directly
2482 rather than using file_has_perm, as this particular
2483 open file may belong to another process and we are
2484 only interested in the inode-based check here. */
d996b62a
NP		 2485 file_priv = list_first_entry(&tty->tty_files,
2486 struct tty_file_private, list);
2487 file = file_priv->file;
13f8e981 2488 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2489 drop_tty = 1;
1da177e4 2490 }
4a510969 2491 spin_unlock(&tty->files_lock);
452a00d2 2492 tty_kref_put(tty);
1da177e4 2493 }
98a27ba4
EB		 2494 /* Reset controlling tty. */
2495 if (drop_tty)
2496 no_tty();
1da177e4
LT		 2497
2498 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2499 n = iterate_fd(files, 0, match_file, cred);
2500 if (!n) /* none found? */
2501 return;
1da177e4 2502
c3c073f8 2503 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2504 if (IS_ERR(devnull))
2505 devnull = NULL;
2506 /* replace all the matching ones with this */
2507 do {
2508 replace_fd(n - 1, devnull, 0);
2509 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2510 if (devnull)
c3c073f8 2511 fput(devnull);
1da177e4
LT		 2512}
2513
a6f76f23
DH		 2514/*
2515 * Prepare a process for imminent new credential changes due to exec
2516 */
2517static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2518{
a6f76f23
DH		 2519 struct task_security_struct *new_tsec;
2520 struct rlimit *rlim, *initrlim;
2521 int rc, i;
d84f4f99 2522
f1efc8c4 2523 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2524 if (new_tsec->sid == new_tsec->osid)
2525 return;
1da177e4 2526
a6f76f23
DH		 2527 /* Close files for which the new task SID is not authorized. */
2528 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2529
a6f76f23
DH		 2530 /* Always clear parent death signal on SID transitions. */
2531 current->pdeath_signal = 0;
0356357c 2532
a6f76f23
DH		 2533 /* Check whether the new SID can inherit resource limits from the old
2534 * SID. If not, reset all soft limits to the lower of the current
2535 * task's hard limit and the init task's soft limit.
2536 *
2537 * Note that the setting of hard limits (even to lower them) can be
2538 * controlled by the setrlimit check. The inclusion of the init task's
2539 * soft limit into the computation is to avoid resetting soft limits
2540 * higher than the default soft limit for cases where the default is
2541 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2542 */
2543 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2544 PROCESS__RLIMITINH, NULL);
2545 if (rc) {
eb2d55a3
ON		 2546 /* protect against do_prlimit() */
2547 task_lock(current);
a6f76f23
DH		 2548 for (i = 0; i < RLIM_NLIMITS; i++) {
2549 rlim = current->signal->rlim + i;
2550 initrlim = init_task.signal->rlim + i;
2551 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2552 }
eb2d55a3 2553 task_unlock(current);
baa73d9e
NP		 2554 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2555 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2556 }
2557}
2558
2559/*
a6f76f23
DH		 2560 * Clean up the process immediately after the installation of new credentials
2561 * due to exec
1da177e4 2562 */
a6f76f23 2563static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2564{
f1efc8c4 2565 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4 2566 struct itimerval itimer;
a6f76f23 2567 u32 osid, sid;
1da177e4
LT		 2568 int rc, i;
2569
a6f76f23
DH		 2570 osid = tsec->osid;
2571 sid = tsec->sid;
2572
2573 if (sid == osid)
1da177e4
LT		 2574 return;
2575
a6f76f23
DH		 2576 /* Check whether the new SID can inherit signal state from the old SID.
2577 * If not, clear itimers to avoid subsequent signal generation and
2578 * flush and unblock signals.
2579 *
2580 * This must occur _after_ the task SID has been updated so that any
2581 * kill done after the flush will be checked against the new SID.
2582 */
2583 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2584 if (rc) {
baa73d9e
NP		 2585 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2586 memset(&itimer, 0, sizeof itimer);
2587 for (i = 0; i < 3; i++)
2588 do_setitimer(i, &itimer, NULL);
2589 }
1da177e4 2590 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2591 if (!fatal_signal_pending(current)) {
2592 flush_sigqueue(&current->pending);
2593 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2594 flush_signal_handlers(current, 1);
2595 sigemptyset(&current->blocked);
9e7c8f8c 2596 recalc_sigpending();
3bcac026 2597 }
1da177e4
LT		 2598 spin_unlock_irq(&current->sighand->siglock);
2599 }
2600
a6f76f23
DH		 2601 /* Wake up the parent if it is waiting so that it can recheck
2602 * wait permission to the new task SID. */
ecd6de3c 2603 read_lock(&tasklist_lock);
0b7570e7 2604 __wake_up_parent(current, current->real_parent);
ecd6de3c 2605 read_unlock(&tasklist_lock);
1da177e4
LT		 2606}
2607
2608/* superblock security operations */
2609
2610static int selinux_sb_alloc_security(struct super_block *sb)
2611{
2612 return superblock_alloc_security(sb);
2613}
2614
1da177e4
LT		 2615static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2616{
2617 if (plen > olen)
2618 return 0;
2619
2620 return !memcmp(prefix, option, plen);
2621}
2622
2623static inline int selinux_option(char *option, int len)
2624{
832cbd9a
EP		 2625 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2626 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2627 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2628 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2629 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2630}
2631
2632static inline void take_option(char **to, char *from, int *first, int len)
2633{
2634 if (!*first) {
2635 **to = ',';
2636 *to += 1;
3528a953 2637 } else
1da177e4
LT		 2638 *first = 0;
2639 memcpy(*to, from, len);
2640 *to += len;
2641}
2642
828dfe1d
EP		 2643static inline void take_selinux_option(char **to, char *from, int *first,
2644 int len)
3528a953
CO		 2645{
2646 int current_size = 0;
2647
2648 if (!*first) {
2649 **to = '|';
2650 *to += 1;
828dfe1d 2651 } else
3528a953
CO		 2652 *first = 0;
2653
2654 while (current_size < len) {
2655 if (*from != '"') {
2656 **to = *from;
2657 *to += 1;
2658 }
2659 from += 1;
2660 current_size += 1;
2661 }
2662}
2663
e0007529 2664static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2665{
2666 int fnosec, fsec, rc = 0;
2667 char *in_save, *in_curr, *in_end;
2668 char *sec_curr, *nosec_save, *nosec;
3528a953 2669 int open_quote = 0;
1da177e4
LT		 2670
2671 in_curr = orig;
2672 sec_curr = copy;
2673
1da177e4
LT		 2674 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2675 if (!nosec) {
2676 rc = -ENOMEM;
2677 goto out;
2678 }
2679
2680 nosec_save = nosec;
2681 fnosec = fsec = 1;
2682 in_save = in_end = orig;
2683
2684 do {
3528a953
CO		 2685 if (*in_end == '"')
2686 open_quote = !open_quote;
2687 if ((*in_end == ',' && open_quote == 0) ||
2688 *in_end == '\0') {
1da177e4
LT		 2689 int len = in_end - in_curr;
2690
2691 if (selinux_option(in_curr, len))
3528a953 2692 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2693 else
2694 take_option(&nosec, in_curr, &fnosec, len);
2695
2696 in_curr = in_end + 1;
2697 }
2698 } while (*in_end++);
2699
6931dfc9 2700 strcpy(in_save, nosec_save);
da3caa20 2701 free_page((unsigned long)nosec_save);
1da177e4
LT		 2702out:
2703 return rc;
2704}
2705
026eb167
EP		 2706static int selinux_sb_remount(struct super_block *sb, void *data)
2707{
2708 int rc, i, *flags;
2709 struct security_mnt_opts opts;
2710 char *secdata, **mount_options;
7a90fc39 2711 struct superblock_security_struct *sbsec = selinux_superblock(sb);
026eb167
EP		 2712
2713 if (!(sbsec->flags & SE_SBINITIALIZED))
2714 return 0;
2715
2716 if (!data)
2717 return 0;
2718
2719 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2720 return 0;
2721
2722 security_init_mnt_opts(&opts);
2723 secdata = alloc_secdata();
2724 if (!secdata)
2725 return -ENOMEM;
2726 rc = selinux_sb_copy_data(data, secdata);
2727 if (rc)
2728 goto out_free_secdata;
2729
2730 rc = selinux_parse_opts_str(secdata, &opts);
2731 if (rc)
2732 goto out_free_secdata;
2733
2734 mount_options = opts.mnt_opts;
2735 flags = opts.mnt_opts_flags;
2736
2737 for (i = 0; i < opts.num_mnt_opts; i++) {
2738 u32 sid;
026eb167 2739
12f348b9 2740 if (flags[i] == SBLABEL_MNT)
026eb167 2741 continue;
44be2f65 2742 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2743 if (rc) {
44be2f65 2744 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2745 "(%s) failed for (dev %s, type %s) errno=%d\n",
2746 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2747 goto out_free_opts;
2748 }
2749 rc = -EINVAL;
2750 switch (flags[i]) {
2751 case FSCONTEXT_MNT:
2752 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2753 goto out_bad_option;
2754 break;
2755 case CONTEXT_MNT:
2756 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2757 goto out_bad_option;
2758 break;
2759 case ROOTCONTEXT_MNT: {
2760 struct inode_security_struct *root_isec;
83da53c5 2761 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2762
2763 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2764 goto out_bad_option;
2765 break;
2766 }
2767 case DEFCONTEXT_MNT:
2768 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2769 goto out_bad_option;
2770 break;
2771 default:
2772 goto out_free_opts;
2773 }
2774 }
2775
2776 rc = 0;
2777out_free_opts:
2778 security_free_mnt_opts(&opts);
2779out_free_secdata:
2780 free_secdata(secdata);
2781 return rc;
2782out_bad_option:
2783 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2784 "during remount (dev %s, type=%s)\n", sb->s_id,
2785 sb->s_type->name);
026eb167
EP		 2786 goto out_free_opts;
2787}
2788
12204e24 2789static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2790{
88e67f3b 2791 const struct cred *cred = current_cred();
2bf49690 2792 struct common_audit_data ad;
1da177e4
LT		 2793 int rc;
2794
2795 rc = superblock_doinit(sb, data);
2796 if (rc)
2797 return rc;
2798
74192246
JM		 2799 /* Allow all mounts performed by the kernel */
2800 if (flags & MS_KERNMOUNT)
2801 return 0;
2802
50c205f5 2803 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2804 ad.u.dentry = sb->s_root;
88e67f3b 2805 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2806}
2807
726c3342 2808static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2809{
88e67f3b 2810 const struct cred *cred = current_cred();
2bf49690 2811 struct common_audit_data ad;
1da177e4 2812
50c205f5 2813 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2814 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2815 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2816}
2817
808d4e3c 2818static int selinux_mount(const char *dev_name,
8a04c43b 2819 const struct path *path,
808d4e3c 2820 const char *type,
828dfe1d
EP		 2821 unsigned long flags,
2822 void *data)
1da177e4 2823{
88e67f3b 2824 const struct cred *cred = current_cred();
1da177e4
LT		 2825
2826 if (flags & MS_REMOUNT)
d8c9584e 2827 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2828 FILESYSTEM__REMOUNT, NULL);
1da177e4 2829 else
2875fa00 2830 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2831}
2832
2833static int selinux_umount(struct vfsmount *mnt, int flags)
2834{
88e67f3b 2835 const struct cred *cred = current_cred();
1da177e4 2836
88e67f3b 2837 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2838 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2839}
2840
2841/* inode security operations */
2842
2843static int selinux_inode_alloc_security(struct inode *inode)
2844{
2845 return inode_alloc_security(inode);
2846}
2847
2848static void selinux_inode_free_security(struct inode *inode)
2849{
2850 inode_free_security(inode);
2851}
2852
d47be3df 2853static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2854 const struct qstr *name, void **ctx,
d47be3df
DQ		 2855 u32 *ctxlen)
2856{
d47be3df
DQ		 2857 u32 newsid;
2858 int rc;
2859
f1efc8c4 2860 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2861 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2862 inode_mode_to_security_class(mode),
2863 &newsid);
2864 if (rc)
2865 return rc;
d47be3df
DQ		 2866
2867 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2868}
2869
a518b0a5
VG		 2870static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2871 struct qstr *name,
2872 const struct cred *old,
2873 struct cred *new)
2874{
2875 u32 newsid;
2876 int rc;
2877 struct task_security_struct *tsec;
2878
f1efc8c4 2879 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2880 d_inode(dentry->d_parent), name,
2881 inode_mode_to_security_class(mode),
2882 &newsid);
2883 if (rc)
2884 return rc;
2885
f1efc8c4 2886 tsec = selinux_cred(new);
a518b0a5
VG		 2887 tsec->create_sid = newsid;
2888 return 0;
2889}
2890
5e41ff9e 2891static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2892 const struct qstr *qstr,
2893 const char **name,
2a7dba39 2894 void **value, size_t *len)
5e41ff9e 2895{
f1efc8c4 2896 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2897 struct superblock_security_struct *sbsec;
c0d4f464 2898 u32 newsid, clen;
5e41ff9e 2899 int rc;
9548906b 2900 char *context;
5e41ff9e 2901
7a90fc39 2902 sbsec = selinux_superblock(dir->i_sb);
5e41ff9e 2903
275bb41e
DH		 2904 newsid = tsec->create_sid;
2905
f1efc8c4 2906 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c3c188b2
DH		 2907 dir, qstr,
2908 inode_mode_to_security_class(inode->i_mode),
2909 &newsid);
2910 if (rc)
2911 return rc;
5e41ff9e 2912
296fddf7 2913 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2914 if (sbsec->flags & SE_SBINITIALIZED) {
7a90fc39 2915 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2916 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2917 isec->sid = newsid;
6f3be9f5 2918 isec->initialized = LABEL_INITIALIZED;
296fddf7 2919 }
5e41ff9e 2920
12f348b9 2921 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2922 return -EOPNOTSUPP;
2923
9548906b
TH		 2924 if (name)
2925 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2926
570bc1c2 2927 if (value && len) {
12b29f34 2928 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2929 if (rc)
570bc1c2 2930 return rc;
570bc1c2
SS		 2931 *value = context;
2932 *len = clen;
5e41ff9e 2933 }
5e41ff9e 2934
5e41ff9e
SS		 2935 return 0;
2936}
2937
4acdaf27 2938static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2939{
2940 return may_create(dir, dentry, SECCLASS_FILE);
2941}
2942
1da177e4
LT		 2943static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2944{
1da177e4
LT		 2945 return may_link(dir, old_dentry, MAY_LINK);
2946}
2947
1da177e4
LT		 2948static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2949{
1da177e4
LT		 2950 return may_link(dir, dentry, MAY_UNLINK);
2951}
2952
2953static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2954{
2955 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2956}
2957
18bb1db3 2958static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2959{
2960 return may_create(dir, dentry, SECCLASS_DIR);
2961}
2962
1da177e4
LT		 2963static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2964{
2965 return may_link(dir, dentry, MAY_RMDIR);
2966}
2967
1a67aafb 2968static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2969{
1da177e4
LT		 2970 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2971}
2972
1da177e4 2973static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2974 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2975{
2976 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2977}
2978
1da177e4
LT		 2979static int selinux_inode_readlink(struct dentry *dentry)
2980{
88e67f3b
DH		 2981 const struct cred *cred = current_cred();
2982
2875fa00 2983 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2984}
2985
bda0be7a
N		 2986static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2987 bool rcu)
1da177e4 2988{
88e67f3b 2989 const struct cred *cred = current_cred();
bda0be7a
N		 2990 struct common_audit_data ad;
2991 struct inode_security_struct *isec;
2992 u32 sid;
1da177e4 2993
bda0be7a
N		 2994 validate_creds(cred);
2995
2996 ad.type = LSM_AUDIT_DATA_DENTRY;
2997 ad.u.dentry = dentry;
2998 sid = cred_sid(cred);
5d226df4
AG		 2999 isec = inode_security_rcu(inode, rcu);
3000 if (IS_ERR(isec))
3001 return PTR_ERR(isec);
bda0be7a
N		 3002
3003 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3004 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3005}
3006
d4cf970d
EP		 3007static noinline int audit_inode_permission(struct inode *inode,
3008 u32 perms, u32 audited, u32 denied,
626b9740 3009 int result,
d4cf970d 3010 unsigned flags)
1da177e4 3011{
b782e0a6 3012 struct common_audit_data ad;
7a90fc39 3013 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d
EP		 3014 int rc;
3015
50c205f5 3016 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3017 ad.u.inode = inode;
3018
3019 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3020 audited, denied, result, &ad, flags);
d4cf970d
EP		 3021 if (rc)
3022 return rc;
3023 return 0;
3024}
3025
e74f71eb 3026static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3027{
88e67f3b 3028 const struct cred *cred = current_cred();
b782e0a6
EP		 3029 u32 perms;
3030 bool from_access;
cf1dd1da 3031 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3032 struct inode_security_struct *isec;
3033 u32 sid;
3034 struct av_decision avd;
3035 int rc, rc2;
3036 u32 audited, denied;
1da177e4 3037
b782e0a6 3038 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3039 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3040
b782e0a6
EP		 3041 /* No permission to check. Existence test. */
3042 if (!mask)
1da177e4 3043 return 0;
1da177e4 3044
2e334057 3045 validate_creds(cred);
b782e0a6 3046
2e334057
EP		 3047 if (unlikely(IS_PRIVATE(inode)))
3048 return 0;
b782e0a6
EP		 3049
3050 perms = file_mask_to_av(inode->i_mode, mask);
3051
2e334057 3052 sid = cred_sid(cred);
5d226df4
AG		 3053 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3054 if (IS_ERR(isec))
3055 return PTR_ERR(isec);
2e334057
EP		 3056
3057 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3058 audited = avc_audit_required(perms, &avd, rc,
3059 from_access ? FILE__AUDIT_ACCESS : 0,
3060 &denied);
3061 if (likely(!audited))
3062 return rc;
3063
626b9740 3064 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3065 if (rc2)
3066 return rc2;
3067 return rc;
1da177e4
LT		 3068}
3069
3070static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3071{
88e67f3b 3072 const struct cred *cred = current_cred();
ccb54478 3073 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3074 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3075 __u32 av = FILE__WRITE;
1da177e4 3076
bc6a6008
AW		 3077 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3078 if (ia_valid & ATTR_FORCE) {
3079 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3080 ATTR_FORCE);
3081 if (!ia_valid)
3082 return 0;
3083 }
1da177e4 3084
bc6a6008
AW		 3085 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3086 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3087 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3088
ccb54478
SS		 3089 if (selinux_policycap_openperm &&
3090 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3091 (ia_valid & ATTR_SIZE) &&
3092 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3093 av |= FILE__OPEN;
3094
3095 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3096}
3097
3f7036a0 3098static int selinux_inode_getattr(const struct path *path)
1da177e4 3099{
3f7036a0 3100 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3101}
3102
db59000a
SS		 3103static bool has_cap_mac_admin(bool audit)
3104{
3105 const struct cred *cred = current_cred();
3106 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3107
3108 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3109 return false;
3110 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3111 return false;
3112 return true;
3113}
3114
8f0cfa52
DH		 3115static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3116 const void *value, size_t size, int flags)
1da177e4 3117{
c6f493d6 3118 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3119 struct inode_security_struct *isec;
1da177e4 3120 struct superblock_security_struct *sbsec;
2bf49690 3121 struct common_audit_data ad;
275bb41e 3122 u32 newsid, sid = current_sid();
1da177e4
LT		 3123 int rc = 0;
3124
6b240306
EB		 3125 if (strcmp(name, XATTR_NAME_SELINUX)) {
3126 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3127 if (rc)
3128 return rc;
3129
3130 /* Not an attribute we recognize, so just check the
3131 ordinary setattr permission. */
3132 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3133 }
1da177e4 3134
7a90fc39 3135 sbsec = selinux_superblock(inode->i_sb);
12f348b9 3136 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3137 return -EOPNOTSUPP;
3138
2e149670 3139 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3140 return -EPERM;
3141
50c205f5 3142 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3143 ad.u.dentry = dentry;
1da177e4 3144
20cdef8d 3145 isec = backing_inode_security(dentry);
275bb41e 3146 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3147 FILE__RELABELFROM, &ad);
3148 if (rc)
3149 return rc;
3150
52a4c640 3151 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3152 if (rc == -EINVAL) {
db59000a 3153 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3154 struct audit_buffer *ab;
3155 size_t audit_size;
d6ea83ec
EP		 3156
3157 /* We strip a nul only if it is at the end, otherwise the
3158 * context contains a nul and we should audit that */
e3fea3f7 3159 if (value) {
add24372
CIK		 3160 const char *str = value;
3161
e3fea3f7
AV		 3162 if (str[size - 1] == '\0')
3163 audit_size = size - 1;
3164 else
3165 audit_size = size;
3166 } else {
e3fea3f7
AV		 3167 audit_size = 0;
3168 }
d6ea83ec
EP		 3169 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3170 audit_log_format(ab, "op=setxattr invalid_context=");
3171 audit_log_n_untrustedstring(ab, value, audit_size);
3172 audit_log_end(ab);
3173
12b29f34 3174 return rc;
d6ea83ec 3175 }
12b29f34
SS		 3176 rc = security_context_to_sid_force(value, size, &newsid);
3177 }
1da177e4
LT		 3178 if (rc)
3179 return rc;
3180
275bb41e 3181 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3182 FILE__RELABELTO, &ad);
3183 if (rc)
3184 return rc;
3185
275bb41e 3186 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3187 isec->sclass);
1da177e4
LT		 3188 if (rc)
3189 return rc;
3190
3191 return avc_has_perm(newsid,
3192 sbsec->sid,
3193 SECCLASS_FILESYSTEM,
3194 FILESYSTEM__ASSOCIATE,
3195 &ad);
3196}
3197
8f0cfa52 3198static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3199 const void *value, size_t size,
8f0cfa52 3200 int flags)
1da177e4 3201{
c6f493d6 3202 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3203 struct inode_security_struct *isec;
1da177e4
LT		 3204 u32 newsid;
3205 int rc;
3206
3207 if (strcmp(name, XATTR_NAME_SELINUX)) {
3208 /* Not an attribute we recognize, so nothing to do. */
3209 return;
3210 }
3211
12b29f34 3212 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3213 if (rc) {
12b29f34
SS		 3214 printk(KERN_ERR "SELinux: unable to map context to SID"
3215 "for (%s, %lu), rc=%d\n",
3216 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3217 return;
3218 }
3219
20cdef8d 3220 isec = backing_inode_security(dentry);
9287aed2 3221 spin_lock(&isec->lock);
aa9c2669 3222 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3223 isec->sid = newsid;
6f3be9f5 3224 isec->initialized = LABEL_INITIALIZED;
9287aed2 3225 spin_unlock(&isec->lock);
aa9c2669 3226
1da177e4
LT		 3227 return;
3228}
3229
8f0cfa52 3230static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3231{
88e67f3b
DH		 3232 const struct cred *cred = current_cred();
3233
2875fa00 3234 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3235}
3236
828dfe1d 3237static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3238{
88e67f3b
DH		 3239 const struct cred *cred = current_cred();
3240
2875fa00 3241 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3242}
3243
8f0cfa52 3244static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3245{
6b240306
EB		 3246 if (strcmp(name, XATTR_NAME_SELINUX)) {
3247 int rc = cap_inode_removexattr(dentry, name);
3248 if (rc)
3249 return rc;
3250
3251 /* Not an attribute we recognize, so just check the
3252 ordinary setattr permission. */
3253 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3254 }
1da177e4
LT		 3255
3256 /* No one is allowed to remove a SELinux security label.
3257 You can change the label, but all data must be labeled. */
3258 return -EACCES;
3259}
3260
d381d8a9 3261/*
abc69bb6 3262 * Copy the inode security context value to the user.
d381d8a9
JM		 3263 *
3264 * Permission check is handled by selinux_inode_getxattr hook.
3265 */
ea861dfd 3266static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3267{
42492594
DQ		 3268 u32 size;
3269 int error;
3270 char *context = NULL;
20cdef8d 3271 struct inode_security_struct *isec;
d381d8a9 3272
8c8570fb
DK		 3273 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3274 return -EOPNOTSUPP;
d381d8a9 3275
abc69bb6
SS		 3276 /*
3277 * If the caller has CAP_MAC_ADMIN, then get the raw context
3278 * value even if it is not defined by current policy; otherwise,
3279 * use the in-core value under current policy.
3280 * Use the non-auditing forms of the permission checks since
3281 * getxattr may be called by unprivileged processes commonly
3282 * and lack of permission just means that we fall back to the
3283 * in-core context value, not a denial.
3284 */
20cdef8d 3285 isec = inode_security(inode);
db59000a 3286 if (has_cap_mac_admin(false))
abc69bb6
SS		 3287 error = security_sid_to_context_force(isec->sid, &context,
3288 &size);
3289 else
3290 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3291 if (error)
3292 return error;
3293 error = size;
3294 if (alloc) {
3295 *buffer = context;
3296 goto out_nofree;
3297 }
3298 kfree(context);
3299out_nofree:
3300 return error;
1da177e4
LT		 3301}
3302
3303static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3304 const void *value, size_t size, int flags)
1da177e4 3305{
2c97165b 3306 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3307 u32 newsid;
3308 int rc;
3309
3310 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3311 return -EOPNOTSUPP;
3312
3313 if (!value || !size)
3314 return -EACCES;
3315
20ba96ae 3316 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3317 if (rc)
3318 return rc;
3319
9287aed2 3320 spin_lock(&isec->lock);
aa9c2669 3321 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3322 isec->sid = newsid;
6f3be9f5 3323 isec->initialized = LABEL_INITIALIZED;
9287aed2 3324 spin_unlock(&isec->lock);
1da177e4
LT		 3325 return 0;
3326}
3327
3328static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3329{
3330 const int len = sizeof(XATTR_NAME_SELINUX);
3331 if (buffer && len <= buffer_size)
3332 memcpy(buffer, XATTR_NAME_SELINUX, len);
3333 return len;
3334}
3335
d6335d77 3336static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3337{
e817c2f3 3338 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3339 *secid = isec->sid;
3340}
3341
56909eb3
VG		 3342static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3343{
3344 u32 sid;
3345 struct task_security_struct *tsec;
3346 struct cred *new_creds = *new;
3347
3348 if (new_creds == NULL) {
3349 new_creds = prepare_creds();
3350 if (!new_creds)
3351 return -ENOMEM;
3352 }
3353
f1efc8c4 3354 tsec = selinux_cred(new_creds);
56909eb3
VG		 3355 /* Get label from overlay inode and set it in create_sid */
3356 selinux_inode_getsecid(d_inode(src), &sid);
3357 tsec->create_sid = sid;
3358 *new = new_creds;
3359 return 0;
3360}
3361
19472b69
VG		 3362static int selinux_inode_copy_up_xattr(const char *name)
3363{
3364 /* The copy_up hook above sets the initial context on an inode, but we
3365 * don't then want to overwrite it by blindly copying all the lower
3366 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3367 */
3368 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3369 return 1; /* Discard */
3370 /*
3371 * Any other attribute apart from SELINUX is not claimed, supported
3372 * by selinux.
3373 */
3374 return -EOPNOTSUPP;
3375}
3376
1da177e4
LT		 3377/* file security operations */
3378
788e7dd4 3379static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3380{
88e67f3b 3381 const struct cred *cred = current_cred();
496ad9aa 3382 struct inode *inode = file_inode(file);
1da177e4 3383
1da177e4
LT		 3384 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3385 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3386 mask |= MAY_APPEND;
3387
389fb800
PM		 3388 return file_has_perm(cred, file,
3389 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3390}
3391
788e7dd4
YN		 3392static int selinux_file_permission(struct file *file, int mask)
3393{
496ad9aa 3394 struct inode *inode = file_inode(file);
ab9b110b 3395 struct file_security_struct *fsec = selinux_file(file);
b197367e 3396 struct inode_security_struct *isec;
20dda18b
SS		 3397 u32 sid = current_sid();
3398
389fb800 3399 if (!mask)
788e7dd4
YN		 3400 /* No permission to check. Existence test. */
3401 return 0;
788e7dd4 3402
b197367e 3403 isec = inode_security(inode);
20dda18b
SS		 3404 if (sid == fsec->sid && fsec->isid == isec->sid &&
3405 fsec->pseqno == avc_policy_seqno())
83d49856 3406 /* No change since file_open check. */
20dda18b
SS		 3407 return 0;
3408
788e7dd4
YN		 3409 return selinux_revalidate_file_permission(file, mask);
3410}
3411
1da177e4
LT		 3412static int selinux_file_alloc_security(struct file *file)
3413{
3414 return file_alloc_security(file);
3415}
3416
fa1aa143
JVS		 3417/*
3418 * Check whether a task has the ioctl permission and cmd
3419 * operation to an inode.
3420 */
1d2a168a 3421static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3422 u32 requested, u16 cmd)
3423{
3424 struct common_audit_data ad;
ab9b110b 3425 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3426 struct inode *inode = file_inode(file);
20cdef8d 3427 struct inode_security_struct *isec;
fa1aa143
JVS		 3428 struct lsm_ioctlop_audit ioctl;
3429 u32 ssid = cred_sid(cred);
3430 int rc;
3431 u8 driver = cmd >> 8;
3432 u8 xperm = cmd & 0xff;
3433
3434 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3435 ad.u.op = &ioctl;
3436 ad.u.op->cmd = cmd;
3437 ad.u.op->path = file->f_path;
3438
3439 if (ssid != fsec->sid) {
3440 rc = avc_has_perm(ssid, fsec->sid,
3441 SECCLASS_FD,
3442 FD__USE,
3443 &ad);
3444 if (rc)
3445 goto out;
3446 }
3447
3448 if (unlikely(IS_PRIVATE(inode)))
3449 return 0;
3450
20cdef8d 3451 isec = inode_security(inode);
fa1aa143
JVS		 3452 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3453 requested, driver, xperm, &ad);
3454out:
3455 return rc;
3456}
3457
1da177e4
LT		 3458static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3459 unsigned long arg)
3460{
88e67f3b 3461 const struct cred *cred = current_cred();
0b24dcb7 3462 int error = 0;
1da177e4 3463
0b24dcb7
EP		 3464 switch (cmd) {
3465 case FIONREAD:
3466 /* fall through */
3467 case FIBMAP:
3468 /* fall through */
3469 case FIGETBSZ:
3470 /* fall through */
2f99c369 3471 case FS_IOC_GETFLAGS:
0b24dcb7 3472 /* fall through */
2f99c369 3473 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3474 error = file_has_perm(cred, file, FILE__GETATTR);
3475 break;
1da177e4 3476
2f99c369 3477 case FS_IOC_SETFLAGS:
0b24dcb7 3478 /* fall through */
2f99c369 3479 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3480 error = file_has_perm(cred, file, FILE__SETATTR);
3481 break;
3482
3483 /* sys_ioctl() checks */
3484 case FIONBIO:
3485 /* fall through */
3486 case FIOASYNC:
3487 error = file_has_perm(cred, file, 0);
3488 break;
1da177e4 3489
0b24dcb7
EP		 3490 case KDSKBENT:
3491 case KDSKBSENT:
6a9de491 3492 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3493 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3494 break;
3495
3496 /* default case assumes that the command will go
3497 * to the file's ioctl() function.
3498 */
3499 default:
fa1aa143 3500 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3501 }
3502 return error;
1da177e4
LT		 3503}
3504
fcaaade1
SS		 3505static int default_noexec;
3506
1da177e4
LT		 3507static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3508{
88e67f3b 3509 const struct cred *cred = current_cred();
be0554c9 3510 u32 sid = cred_sid(cred);
d84f4f99 3511 int rc = 0;
88e67f3b 3512
fcaaade1 3513 if (default_noexec &&
892e8cac
SS		 3514 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3515 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3516 /*
3517 * We are making executable an anonymous mapping or a
3518 * private file mapping that will also be writable.
3519 * This has an additional check.
3520 */
be0554c9
SS		 3521 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3522 PROCESS__EXECMEM, NULL);
1da177e4 3523 if (rc)
d84f4f99 3524 goto error;
1da177e4 3525 }
1da177e4
LT		 3526
3527 if (file) {
3528 /* read access is always possible with a mapping */
3529 u32 av = FILE__READ;
3530
3531 /* write access only matters if the mapping is shared */
3532 if (shared && (prot & PROT_WRITE))
3533 av |= FILE__WRITE;
3534
3535 if (prot & PROT_EXEC)
3536 av |= FILE__EXECUTE;
3537
88e67f3b 3538 return file_has_perm(cred, file, av);
1da177e4 3539 }
d84f4f99
DH		 3540
3541error:
3542 return rc;
1da177e4
LT		 3543}
3544
e5467859 3545static int selinux_mmap_addr(unsigned long addr)
1da177e4 3546{
b1d9e6b0 3547 int rc = 0;
1da177e4 3548
a2551df7 3549 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3550 u32 sid = current_sid();
ed032189
EP		 3551 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3552 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3553 }
3554
98883bfd 3555 return rc;
e5467859 3556}
1da177e4 3557
e5467859
AV		 3558static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3559 unsigned long prot, unsigned long flags)
3560{
3ba4bf5f
SS		 3561 struct common_audit_data ad;
3562 int rc;
3563
3564 if (file) {
3565 ad.type = LSM_AUDIT_DATA_FILE;
3566 ad.u.file = file;
3567 rc = inode_has_perm(current_cred(), file_inode(file),
3568 FILE__MAP, &ad);
3569 if (rc)
3570 return rc;
3571 }
3572
1da177e4
LT		 3573 if (selinux_checkreqprot)
3574 prot = reqprot;
3575
3576 return file_map_prot_check(file, prot,
3577 (flags & MAP_TYPE) == MAP_SHARED);
3578}
3579
3580static int selinux_file_mprotect(struct vm_area_struct *vma,
3581 unsigned long reqprot,
3582 unsigned long prot)
3583{
88e67f3b 3584 const struct cred *cred = current_cred();
be0554c9 3585 u32 sid = cred_sid(cred);
1da177e4
LT		 3586
3587 if (selinux_checkreqprot)
3588 prot = reqprot;
3589
fcaaade1
SS		 3590 if (default_noexec &&
3591 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3592 int rc = 0;
db4c9641
SS		 3593 if (vma->vm_start >= vma->vm_mm->start_brk &&
3594 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3595 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3596 PROCESS__EXECHEAP, NULL);
db4c9641 3597 } else if (!vma->vm_file &&
c2316dbf
SS		 3598 ((vma->vm_start <= vma->vm_mm->start_stack &&
3599 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3600 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3601 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3602 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3603 } else if (vma->vm_file && vma->anon_vma) {
3604 /*
3605 * We are making executable a file mapping that has
3606 * had some COW done. Since pages might have been
3607 * written, check ability to execute the possibly
3608 * modified content. This typically should only
3609 * occur for text relocations.
3610 */
d84f4f99 3611 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3612 }