]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
UBUNTU: SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
1da177e4
LT		 70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
1da177e4 78#include <linux/audit.h>
6931dfc9 79#include <linux/string.h>
877ce7c1 80#include <linux/selinux.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
1da177e4
LT		 88
89#include "avc.h"
90#include "objsec.h"
91#include "netif.h"
224dfbd8 92#include "netnode.h"
3e112172 93#include "netport.h"
409dcf31 94#include "ibpkey.h"
d28d1e08 95#include "xfrm.h"
c60475bf 96#include "netlabel.h"
9d57a7f9 97#include "audit.h"
7b98a585 98#include "avc_ss.h"
1da177e4 99
d621d35e 100/* SECMARK reference count */
56a4ca99 101static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 102
1da177e4 103#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 104int selinux_enforcing;
1da177e4
LT		 105
106static int __init enforcing_setup(char *str)
107{
f5269710 108 unsigned long enforcing;
29707b20 109 if (!kstrtoul(str, 0, &enforcing))
f5269710 110 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 111 return 1;
112}
113__setup("enforcing=", enforcing_setup);
114#endif
115
116#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119static int __init selinux_enabled_setup(char *str)
120{
f5269710 121 unsigned long enabled;
29707b20 122 if (!kstrtoul(str, 0, &enabled))
f5269710 123 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 124 return 1;
125}
126__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 127#else
128int selinux_enabled = 1;
1da177e4
LT		 129#endif
130
e18b890b 131static struct kmem_cache *sel_inode_cache;
63205654 132static struct kmem_cache *file_security_cache;
7cae7e26 133
d621d35e
PM		 134/**
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 *
137 * Description:
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 143 *
144 */
145static int selinux_secmark_enabled(void)
146{
2be4d74f
CP		 147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148}
149
150/**
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152 *
153 * Description:
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
158 *
159 */
160static int selinux_peerlbl_enabled(void)
161{
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 163}
164
615e51fd
PM		 165static int selinux_netcache_avc_callback(u32 event)
166{
167 if (event == AVC_CALLBACK_RESET) {
168 sel_netif_flush();
169 sel_netnode_flush();
170 sel_netport_flush();
171 synchronize_net();
172 }
173 return 0;
174}
175
8f408ab6
DJ		 176static int selinux_lsm_notifier_avc_callback(u32 event)
177{
409dcf31
DJ		 178 if (event == AVC_CALLBACK_RESET) {
179 sel_ib_pkey_flush();
8f408ab6 180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 181 }
8f408ab6
DJ		 182
183 return 0;
184}
185
d84f4f99
DH		 186/*
187 * initialise the security for the init task
188 */
189static void cred_init_security(void)
1da177e4 190{
3b11a1de 191 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 192 struct task_security_struct *tsec;
193
89d155ef 194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 195 if (!tsec)
d84f4f99 196 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 197
d84f4f99 198 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 199 cred->security = tsec;
1da177e4
LT		 200}
201
88e67f3b
DH		 202/*
203 * get the security ID of a set of credentials
204 */
205static inline u32 cred_sid(const struct cred *cred)
206{
207 const struct task_security_struct *tsec;
208
209 tsec = cred->security;
210 return tsec->sid;
211}
212
275bb41e 213/*
3b11a1de 214 * get the objective security ID of a task
275bb41e
DH		 215 */
216static inline u32 task_sid(const struct task_struct *task)
217{
275bb41e
DH		 218 u32 sid;
219
220 rcu_read_lock();
88e67f3b 221 sid = cred_sid(__task_cred(task));
275bb41e
DH		 222 rcu_read_unlock();
223 return sid;
224}
225
88e67f3b
DH		 226/* Allocate and free functions for each kind of security blob. */
227
1da177e4
LT		 228static int inode_alloc_security(struct inode *inode)
229{
1da177e4 230 struct inode_security_struct *isec;
275bb41e 231 u32 sid = current_sid();
1da177e4 232
a02fe132 233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 234 if (!isec)
235 return -ENOMEM;
236
9287aed2 237 spin_lock_init(&isec->lock);
1da177e4 238 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 239 isec->inode = inode;
240 isec->sid = SECINITSID_UNLABELED;
241 isec->sclass = SECCLASS_FILE;
275bb41e 242 isec->task_sid = sid;
42059112 243 isec->initialized = LABEL_INVALID;
1da177e4
LT		 244 inode->i_security = isec;
245
246 return 0;
247}
248
5d226df4
AG		 249static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250
251/*
252 * Try reloading inode security labels that have been marked as invalid. The
253 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 254 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
256 * when no dentry is available, set it to NULL instead.
257 */
258static int __inode_security_revalidate(struct inode *inode,
259 struct dentry *opt_dentry,
260 bool may_sleep)
261{
262 struct inode_security_struct *isec = inode->i_security;
263
264 might_sleep_if(may_sleep);
265
1ac42476 266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 267 if (!may_sleep)
268 return -ECHILD;
269
270 /*
271 * Try reloading the inode security label. This will fail if
272 * @opt_dentry is NULL and no dentry for this inode can be
273 * found; in that case, continue using the old label.
274 */
275 inode_doinit_with_dentry(inode, opt_dentry);
276 }
277 return 0;
278}
279
5d226df4
AG		 280static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
281{
282 return inode->i_security;
283}
284
285static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286{
287 int error;
288
289 error = __inode_security_revalidate(inode, NULL, !rcu);
290 if (error)
291 return ERR_PTR(error);
292 return inode->i_security;
293}
294
83da53c5
AG		 295/*
296 * Get the security label of an inode.
297 */
298static struct inode_security_struct *inode_security(struct inode *inode)
299{
5d226df4 300 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 301 return inode->i_security;
302}
303
2c97165b
PM		 304static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
305{
306 struct inode *inode = d_backing_inode(dentry);
307
308 return inode->i_security;
309}
310
83da53c5
AG		 311/*
312 * Get the security label of a dentry's backing inode.
313 */
314static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
315{
316 struct inode *inode = d_backing_inode(dentry);
317
5d226df4 318 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 319 return inode->i_security;
320}
321
3dc91d43
SR		 322static void inode_free_rcu(struct rcu_head *head)
323{
324 struct inode_security_struct *isec;
325
326 isec = container_of(head, struct inode_security_struct, rcu);
327 kmem_cache_free(sel_inode_cache, isec);
328}
329
1da177e4
LT		 330static void inode_free_security(struct inode *inode)
331{
332 struct inode_security_struct *isec = inode->i_security;
333 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
334
9629d04a
WL		 335 /*
336 * As not all inode security structures are in a list, we check for
337 * empty list outside of the lock to make sure that we won't waste
338 * time taking a lock doing nothing.
339 *
340 * The list_del_init() function can be safely called more than once.
341 * It should not be possible for this function to be called with
342 * concurrent list_add(), but for better safety against future changes
343 * in the code, we use list_empty_careful() here.
344 */
345 if (!list_empty_careful(&isec->list)) {
346 spin_lock(&sbsec->isec_lock);
1da177e4 347 list_del_init(&isec->list);
9629d04a
WL		 348 spin_unlock(&sbsec->isec_lock);
349 }
1da177e4 350
3dc91d43
SR		 351 /*
352 * The inode may still be referenced in a path walk and
353 * a call to selinux_inode_permission() can be made
354 * after inode_free_security() is called. Ideally, the VFS
355 * wouldn't do this, but fixing that is a much harder
356 * job. For now, simply free the i_security via RCU, and
357 * leave the current inode->i_security pointer intact.
358 * The inode will be freed after the RCU grace period too.
359 */
360 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 361}
362
363static int file_alloc_security(struct file *file)
364{
1da177e4 365 struct file_security_struct *fsec;
275bb41e 366 u32 sid = current_sid();
1da177e4 367
63205654 368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 369 if (!fsec)
370 return -ENOMEM;
371
275bb41e
DH		 372 fsec->sid = sid;
373 fsec->fown_sid = sid;
1da177e4
LT		 374 file->f_security = fsec;
375
376 return 0;
377}
378
379static void file_free_security(struct file *file)
380{
381 struct file_security_struct *fsec = file->f_security;
1da177e4 382 file->f_security = NULL;
63205654 383 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 384}
385
386static int superblock_alloc_security(struct super_block *sb)
387{
388 struct superblock_security_struct *sbsec;
389
89d155ef 390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 391 if (!sbsec)
392 return -ENOMEM;
393
bc7e982b 394 mutex_init(&sbsec->lock);
1da177e4
LT		 395 INIT_LIST_HEAD(&sbsec->isec_head);
396 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 397 sbsec->sb = sb;
398 sbsec->sid = SECINITSID_UNLABELED;
399 sbsec->def_sid = SECINITSID_FILE;
c312feb2 400 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 401 sb->s_security = sbsec;
402
403 return 0;
404}
405
406static void superblock_free_security(struct super_block *sb)
407{
408 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 409 sb->s_security = NULL;
410 kfree(sbsec);
411}
412
1da177e4
LT		 413static inline int inode_doinit(struct inode *inode)
414{
415 return inode_doinit_with_dentry(inode, NULL);
416}
417
418enum {
31e87930 419 Opt_error = -1,
1da177e4
LT		 420 Opt_context = 1,
421 Opt_fscontext = 2,
c9180a57
EP		 422 Opt_defcontext = 3,
423 Opt_rootcontext = 4,
11689d47 424 Opt_labelsupport = 5,
d355987f 425 Opt_nextmntopt = 6,
1da177e4
LT		 426};
427
d355987f
EP		 428#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
429
a447c093 430static const match_table_t tokens = {
832cbd9a
EP		 431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 435 {Opt_labelsupport, LABELSUPP_STR},
31e87930 436 {Opt_error, NULL},
1da177e4
LT		 437};
438
439#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
440
c312feb2
EP		 441static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
275bb41e 443 const struct cred *cred)
c312feb2 444{
275bb41e 445 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 446 int rc;
447
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
450 if (rc)
451 return rc;
452
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
455 return rc;
456}
457
0808925e
EP		 458static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
275bb41e 460 const struct cred *cred)
0808925e 461{
275bb41e 462 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 463 int rc;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
466 if (rc)
467 return rc;
468
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
471 return rc;
472}
473
b43e725d
EP		 474static int selinux_is_sblabel_mnt(struct super_block *sb)
475{
476 struct superblock_security_struct *sbsec = sb->s_security;
477
d5f3a5f6
MS		 478 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 481 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 482 /* Special handling. Genfs but also in-core setxattr handler */
483 !strcmp(sb->s_type->name, "sysfs") ||
484 !strcmp(sb->s_type->name, "pstore") ||
485 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 486 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 487 !strcmp(sb->s_type->name, "rootfs") ||
488 (selinux_policycap_cgroupseclabel &&
489 (!strcmp(sb->s_type->name, "cgroup") ||
490 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 491}
492
c9180a57 493static int sb_finish_set_opts(struct super_block *sb)
1da177e4 494{
1da177e4 495 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 496 struct dentry *root = sb->s_root;
c6f493d6 497 struct inode *root_inode = d_backing_inode(root);
c9180a57 498 int rc = 0;
1da177e4 499
c9180a57
EP		 500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 /* Make sure that the xattr handler exists and that no
502 error other than -ENODATA is returned by getxattr on
503 the root directory. -ENODATA is ok, as this may be
504 the first boot of the SELinux kernel before we have
505 assigned xattr values to the filesystem. */
5d6c3191 506 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 509 rc = -EOPNOTSUPP;
510 goto out;
511 }
5d6c3191
AG		 512
513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 514 if (rc < 0 && rc != -ENODATA) {
515 if (rc == -EOPNOTSUPP)
516 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 517 "%s) has no security xattr handler\n",
518 sb->s_id, sb->s_type->name);
c9180a57
EP		 519 else
520 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 521 "%s) getxattr errno %d\n", sb->s_id,
522 sb->s_type->name, -rc);
c9180a57
EP		 523 goto out;
524 }
525 }
1da177e4 526
eadcabc6 527 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 528
529 /*
530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
531 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 * us a superblock that needs the flag to be cleared.
533 */
b43e725d 534 if (selinux_is_sblabel_mnt(sb))
12f348b9 535 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 536 else
537 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 538
c9180a57
EP		 539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 541
c9180a57
EP		 542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
923190d3 553 list_del_init(&isec->list);
c9180a57
EP		 554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565out:
566 return rc;
567}
1da177e4 568
c9180a57
EP		 569/*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 575 struct security_mnt_opts *opts)
c9180a57
EP		 576{
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
1da177e4 582
e0007529 583 security_init_mnt_opts(opts);
1da177e4 584
0d90a7ec 585 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 586 return -EINVAL;
1da177e4 587
c9180a57
EP		 588 if (!ss_initialized)
589 return -EINVAL;
1da177e4 590
af8e50cc
EP		 591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
0d90a7ec 594 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 595 /* count the number of mount options for this sb */
af8e50cc 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 597 if (tmp & 0x01)
e0007529 598 opts->num_mnt_opts++;
c9180a57
EP		 599 tmp >>= 1;
600 }
11689d47 601 /* Check if the Label support flag is set */
0b4bdb35 602 if (sbsec->flags & SBLABEL_MNT)
11689d47 603 opts->num_mnt_opts++;
1da177e4 604
e0007529
EP		 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
c9180a57
EP		 607 rc = -ENOMEM;
608 goto out_free;
609 }
1da177e4 610
e0007529
EP		 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
c9180a57
EP		 613 rc = -ENOMEM;
614 goto out_free;
615 }
1da177e4 616
c9180a57
EP		 617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
e0007529
EP		 622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
e0007529
EP		 629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
e0007529
EP		 636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 642
c9180a57
EP		 643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
e0007529
EP		 646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 648 }
12f348b9 649 if (sbsec->flags & SBLABEL_MNT) {
11689d47 650 opts->mnt_opts[i] = NULL;
12f348b9 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 652 }
1da177e4 653
e0007529 654 BUG_ON(i != opts->num_mnt_opts);
1da177e4 655
c9180a57
EP		 656 return 0;
657
658out_free:
e0007529 659 security_free_mnt_opts(opts);
c9180a57
EP		 660 return rc;
661}
1da177e4 662
c9180a57
EP		 663static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665{
0d90a7ec
DQ		 666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
c9180a57 668 /* check if the old mount command had the same options */
0d90a7ec 669 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
0d90a7ec
DQ		 677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
c9180a57
EP		 679 return 1;
680 return 0;
681}
e0007529 682
c9180a57
EP		 683/*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
e0007529 687static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
c9180a57 691{
275bb41e 692 const struct cred *cred = current_cred();
c9180a57 693 int rc = 0, i;
c9180a57 694 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 695 const char *name = sb->s_type->name;
83da53c5 696 struct dentry *root = sbsec->sb->s_root;
2c97165b 697 struct inode_security_struct *root_isec;
c9180a57
EP		 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
e0007529
EP		 700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
c9180a57
EP		 711 goto out;
712 }
713 rc = -EINVAL;
744ba35e
EP		 714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
1da177e4 716 goto out;
c9180a57 717 }
649f6e77
DQ		 718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
1da177e4 724
e0007529
EP		 725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
0d90a7ec 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 737 && (num_opts == 0))
f5269710 738 goto out;
e0007529 739
2c97165b
PM		 740 root_isec = backing_inode_security_novalidate(root);
741
c9180a57
EP		 742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
11689d47 749
12f348b9 750 if (flags[i] == SBLABEL_MNT)
11689d47 751 continue;
44be2f65 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 753 if (rc) {
44be2f65 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
1da177e4 801 }
c9180a57
EP		 802 }
803
0d90a7ec 804 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 805 /* previously mounted with options, but not on this attempt? */
0d90a7ec 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
089be43e 812 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
8e014720 815 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 816 !strcmp(sb->s_type->name, "tracefs") ||
8e014720
SS		 817 !strcmp(sb->s_type->name, "sysfs") ||
818 !strcmp(sb->s_type->name, "pstore"))
134509d5 819 sbsec->flags |= SE_SBGENFS;
c9180a57 820
eb9ae686
DQ		 821 if (!sbsec->behavior) {
822 /*
823 * Determine the labeling behavior to use for this
824 * filesystem type.
825 */
98f700f3 826 rc = security_fs_use(sb);
eb9ae686
DQ		 827 if (rc) {
828 printk(KERN_WARNING
829 "%s: security_fs_use(%s) returned %d\n",
830 __func__, sb->s_type->name, rc);
831 goto out;
832 }
c9180a57 833 }
aad82892
SF		 834
835 /*
01593d32
SS		 836 * If this is a user namespace mount and the filesystem type is not
837 * explicitly whitelisted, then no contexts are allowed on the command
838 * line and security labels must be ignored.
aad82892 839 */
01593d32
SS		 840 if (sb->s_user_ns != &init_user_ns &&
841 strcmp(sb->s_type->name, "tmpfs") &&
842 strcmp(sb->s_type->name, "ramfs") &&
843 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 844 if (context_sid || fscontext_sid || rootcontext_sid ||
845 defcontext_sid) {
846 rc = -EACCES;
847 goto out;
848 }
849 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
850 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
851 rc = security_transition_sid(current_sid(), current_sid(),
852 SECCLASS_FILE, NULL,
853 &sbsec->mntpoint_sid);
854 if (rc)
855 goto out;
856 }
857 goto out_set_opts;
858 }
859
c9180a57
EP		 860 /* sets the context of the superblock for the fs being mounted. */
861 if (fscontext_sid) {
275bb41e 862 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 863 if (rc)
c9180a57 864 goto out;
1da177e4 865
c9180a57 866 sbsec->sid = fscontext_sid;
c312feb2
EP		 867 }
868
869 /*
870 * Switch to using mount point labeling behavior.
871 * sets the label used on all file below the mountpoint, and will set
872 * the superblock context if not already set.
873 */
eb9ae686
DQ		 874 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
875 sbsec->behavior = SECURITY_FS_USE_NATIVE;
876 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
877 }
878
c9180a57
EP		 879 if (context_sid) {
880 if (!fscontext_sid) {
275bb41e
DH		 881 rc = may_context_mount_sb_relabel(context_sid, sbsec,
882 cred);
b04ea3ce 883 if (rc)
c9180a57
EP		 884 goto out;
885 sbsec->sid = context_sid;
b04ea3ce 886 } else {
275bb41e
DH		 887 rc = may_context_mount_inode_relabel(context_sid, sbsec,
888 cred);
b04ea3ce 889 if (rc)
c9180a57 890 goto out;
b04ea3ce 891 }
c9180a57
EP		 892 if (!rootcontext_sid)
893 rootcontext_sid = context_sid;
1da177e4 894
c9180a57 895 sbsec->mntpoint_sid = context_sid;
c312feb2 896 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 897 }
898
c9180a57 899 if (rootcontext_sid) {
275bb41e
DH		 900 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
901 cred);
0808925e 902 if (rc)
c9180a57 903 goto out;
0808925e 904
c9180a57 905 root_isec->sid = rootcontext_sid;
6f3be9f5 906 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 907 }
908
c9180a57 909 if (defcontext_sid) {
eb9ae686
DQ		 910 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
911 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 912 rc = -EINVAL;
913 printk(KERN_WARNING "SELinux: defcontext option is "
914 "invalid for this filesystem type\n");
915 goto out;
1da177e4
LT		 916 }
917
c9180a57
EP		 918 if (defcontext_sid != sbsec->def_sid) {
919 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 920 sbsec, cred);
c9180a57
EP		 921 if (rc)
922 goto out;
923 }
1da177e4 924
c9180a57 925 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 926 }
927
aad82892 928out_set_opts:
c9180a57 929 rc = sb_finish_set_opts(sb);
1da177e4 930out:
c9180a57 931 mutex_unlock(&sbsec->lock);
1da177e4 932 return rc;
c9180a57
EP		 933out_double_mount:
934 rc = -EINVAL;
935 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 936 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 937 goto out;
1da177e4
LT		 938}
939
094f7b69
JL		 940static int selinux_cmp_sb_context(const struct super_block *oldsb,
941 const struct super_block *newsb)
942{
943 struct superblock_security_struct *old = oldsb->s_security;
944 struct superblock_security_struct *new = newsb->s_security;
945 char oldflags = old->flags & SE_MNTMASK;
946 char newflags = new->flags & SE_MNTMASK;
947
948 if (oldflags != newflags)
949 goto mismatch;
950 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
951 goto mismatch;
952 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
953 goto mismatch;
954 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
955 goto mismatch;
956 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 957 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
958 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 959 if (oldroot->sid != newroot->sid)
960 goto mismatch;
961 }
962 return 0;
963mismatch:
964 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
965 "different security settings for (dev %s, "
966 "type %s)\n", newsb->s_id, newsb->s_type->name);
967 return -EBUSY;
968}
969
970static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 971 struct super_block *newsb,
972 unsigned long kern_flags,
973 unsigned long *set_kern_flags)
1da177e4 974{
0b4d3452 975 int rc = 0;
c9180a57
EP		 976 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
977 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 978
c9180a57
EP		 979 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
980 int set_context = (oldsbsec->flags & CONTEXT_MNT);
981 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 982
0f5e6420
EP		 983 /*
984 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 985 * mount options. thus we can safely deal with this superblock later
0f5e6420 986 */
e8c26255 987 if (!ss_initialized)
094f7b69 988 return 0;
c9180a57 989
0b4d3452
SM		 990 /*
991 * Specifying internal flags without providing a place to
992 * place the results is not allowed.
993 */
994 if (kern_flags && !set_kern_flags)
995 return -EINVAL;
996
c9180a57 997 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 998 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 999
094f7b69 1000 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 1001 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 1002 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 1003
c9180a57
EP		 1004 mutex_lock(&newsbsec->lock);
1005
1006 newsbsec->flags = oldsbsec->flags;
1007
1008 newsbsec->sid = oldsbsec->sid;
1009 newsbsec->def_sid = oldsbsec->def_sid;
1010 newsbsec->behavior = oldsbsec->behavior;
1011
0b4d3452
SM		 1012 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1013 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1014 rc = security_fs_use(newsb);
1015 if (rc)
1016 goto out;
1017 }
1018
1019 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1020 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1021 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1022 }
1023
c9180a57
EP		 1024 if (set_context) {
1025 u32 sid = oldsbsec->mntpoint_sid;
1026
1027 if (!set_fscontext)
1028 newsbsec->sid = sid;
1029 if (!set_rootcontext) {
83da53c5 1030 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1031 newisec->sid = sid;
1032 }
1033 newsbsec->mntpoint_sid = sid;
1da177e4 1034 }
c9180a57 1035 if (set_rootcontext) {
83da53c5
AG		 1036 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1037 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1038
c9180a57 1039 newisec->sid = oldisec->sid;
1da177e4
LT		 1040 }
1041
c9180a57 1042 sb_finish_set_opts(newsb);
0b4d3452 1043out:
c9180a57 1044 mutex_unlock(&newsbsec->lock);
0b4d3452 1045 return rc;
c9180a57
EP		 1046}
1047
2e1479d9
AB		 1048static int selinux_parse_opts_str(char *options,
1049 struct security_mnt_opts *opts)
c9180a57 1050{
e0007529 1051 char *p;
c9180a57
EP		 1052 char *context = NULL, *defcontext = NULL;
1053 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1054 int rc, num_mnt_opts = 0;
1da177e4 1055
e0007529 1056 opts->num_mnt_opts = 0;
1da177e4 1057
c9180a57
EP		 1058 /* Standard string-based options. */
1059 while ((p = strsep(&options, "|")) != NULL) {
1060 int token;
1061 substring_t args[MAX_OPT_ARGS];
1da177e4 1062
c9180a57
EP		 1063 if (!*p)
1064 continue;
1da177e4 1065
c9180a57 1066 token = match_token(p, tokens, args);
1da177e4 1067
c9180a57
EP		 1068 switch (token) {
1069 case Opt_context:
1070 if (context || defcontext) {
1071 rc = -EINVAL;
1072 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1073 goto out_err;
1074 }
1075 context = match_strdup(&args[0]);
1076 if (!context) {
1077 rc = -ENOMEM;
1078 goto out_err;
1079 }
1080 break;
1081
1082 case Opt_fscontext:
1083 if (fscontext) {
1084 rc = -EINVAL;
1085 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1086 goto out_err;
1087 }
1088 fscontext = match_strdup(&args[0]);
1089 if (!fscontext) {
1090 rc = -ENOMEM;
1091 goto out_err;
1092 }
1093 break;
1094
1095 case Opt_rootcontext:
1096 if (rootcontext) {
1097 rc = -EINVAL;
1098 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1099 goto out_err;
1100 }
1101 rootcontext = match_strdup(&args[0]);
1102 if (!rootcontext) {
1103 rc = -ENOMEM;
1104 goto out_err;
1105 }
1106 break;
1107
1108 case Opt_defcontext:
1109 if (context || defcontext) {
1110 rc = -EINVAL;
1111 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1112 goto out_err;
1113 }
1114 defcontext = match_strdup(&args[0]);
1115 if (!defcontext) {
1116 rc = -ENOMEM;
1117 goto out_err;
1118 }
1119 break;
11689d47
DQ		 1120 case Opt_labelsupport:
1121 break;
c9180a57
EP		 1122 default:
1123 rc = -EINVAL;
1124 printk(KERN_WARNING "SELinux: unknown mount option\n");
1125 goto out_err;
1da177e4 1126
1da177e4 1127 }
1da177e4 1128 }
c9180a57 1129
e0007529 1130 rc = -ENOMEM;
8931c3bd 1131 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1132 if (!opts->mnt_opts)
1133 goto out_err;
1134
8931c3bd
TH		 1135 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1136 GFP_KERNEL);
023f108d 1137 if (!opts->mnt_opts_flags)
e0007529 1138 goto out_err;
e0007529 1139
c9180a57 1140 if (fscontext) {
e0007529
EP		 1141 opts->mnt_opts[num_mnt_opts] = fscontext;
1142 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1143 }
1144 if (context) {
e0007529
EP		 1145 opts->mnt_opts[num_mnt_opts] = context;
1146 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1147 }
1148 if (rootcontext) {
e0007529
EP		 1149 opts->mnt_opts[num_mnt_opts] = rootcontext;
1150 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1151 }
1152 if (defcontext) {
e0007529
EP		 1153 opts->mnt_opts[num_mnt_opts] = defcontext;
1154 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1155 }
1156
e0007529
EP		 1157 opts->num_mnt_opts = num_mnt_opts;
1158 return 0;
1159
c9180a57 1160out_err:
023f108d 1161 security_free_mnt_opts(opts);
c9180a57
EP		 1162 kfree(context);
1163 kfree(defcontext);
1164 kfree(fscontext);
1165 kfree(rootcontext);
1da177e4
LT		 1166 return rc;
1167}
e0007529
EP		 1168/*
1169 * string mount options parsing and call set the sbsec
1170 */
1171static int superblock_doinit(struct super_block *sb, void *data)
1172{
1173 int rc = 0;
1174 char *options = data;
1175 struct security_mnt_opts opts;
1176
1177 security_init_mnt_opts(&opts);
1178
1179 if (!data)
1180 goto out;
1181
1182 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1183
1184 rc = selinux_parse_opts_str(options, &opts);
1185 if (rc)
1186 goto out_err;
1187
1188out:
649f6e77 1189 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1190
1191out_err:
1192 security_free_mnt_opts(&opts);
1193 return rc;
1194}
1da177e4 1195
3583a711
AB		 1196static void selinux_write_opts(struct seq_file *m,
1197 struct security_mnt_opts *opts)
2069f457
EP		 1198{
1199 int i;
1200 char *prefix;
1201
1202 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1203 char *has_comma;
1204
1205 if (opts->mnt_opts[i])
1206 has_comma = strchr(opts->mnt_opts[i], ',');
1207 else
1208 has_comma = NULL;
2069f457
EP		 1209
1210 switch (opts->mnt_opts_flags[i]) {
1211 case CONTEXT_MNT:
1212 prefix = CONTEXT_STR;
1213 break;
1214 case FSCONTEXT_MNT:
1215 prefix = FSCONTEXT_STR;
1216 break;
1217 case ROOTCONTEXT_MNT:
1218 prefix = ROOTCONTEXT_STR;
1219 break;
1220 case DEFCONTEXT_MNT:
1221 prefix = DEFCONTEXT_STR;
1222 break;
12f348b9 1223 case SBLABEL_MNT:
11689d47
DQ		 1224 seq_putc(m, ',');
1225 seq_puts(m, LABELSUPP_STR);
1226 continue;
2069f457
EP		 1227 default:
1228 BUG();
a35c6c83 1229 return;
2069f457
EP		 1230 };
1231 /* we need a comma before each option */
1232 seq_putc(m, ',');
1233 seq_puts(m, prefix);
1234 if (has_comma)
1235 seq_putc(m, '\"');
a068acf2 1236 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1237 if (has_comma)
1238 seq_putc(m, '\"');
1239 }
1240}
1241
1242static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1243{
1244 struct security_mnt_opts opts;
1245 int rc;
1246
1247 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1248 if (rc) {
1249 /* before policy load we may get EINVAL, don't show anything */
1250 if (rc == -EINVAL)
1251 rc = 0;
2069f457 1252 return rc;
383795c2 1253 }
2069f457
EP		 1254
1255 selinux_write_opts(m, &opts);
1256
1257 security_free_mnt_opts(&opts);
1258
1259 return rc;
1260}
1261
1da177e4
LT		 1262static inline u16 inode_mode_to_security_class(umode_t mode)
1263{
1264 switch (mode & S_IFMT) {
1265 case S_IFSOCK:
1266 return SECCLASS_SOCK_FILE;
1267 case S_IFLNK:
1268 return SECCLASS_LNK_FILE;
1269 case S_IFREG:
1270 return SECCLASS_FILE;
1271 case S_IFBLK:
1272 return SECCLASS_BLK_FILE;
1273 case S_IFDIR:
1274 return SECCLASS_DIR;
1275 case S_IFCHR:
1276 return SECCLASS_CHR_FILE;
1277 case S_IFIFO:
1278 return SECCLASS_FIFO_FILE;
1279
1280 }
1281
1282 return SECCLASS_FILE;
1283}
1284
13402580
JM		 1285static inline int default_protocol_stream(int protocol)
1286{
1287 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1288}
1289
1290static inline int default_protocol_dgram(int protocol)
1291{
1292 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1293}
1294
1da177e4
LT		 1295static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1296{
da69a530
SS		 1297 int extsockclass = selinux_policycap_extsockclass;
1298
1da177e4
LT		 1299 switch (family) {
1300 case PF_UNIX:
1301 switch (type) {
1302 case SOCK_STREAM:
1303 case SOCK_SEQPACKET:
1304 return SECCLASS_UNIX_STREAM_SOCKET;
1305 case SOCK_DGRAM:
1306 return SECCLASS_UNIX_DGRAM_SOCKET;
1307 }
1308 break;
1309 case PF_INET:
1310 case PF_INET6:
1311 switch (type) {
1312 case SOCK_STREAM:
da69a530 1313 case SOCK_SEQPACKET:
13402580
JM		 1314 if (default_protocol_stream(protocol))
1315 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1316 else if (extsockclass && protocol == IPPROTO_SCTP)
1317 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1318 else
1319 return SECCLASS_RAWIP_SOCKET;
1da177e4 1320 case SOCK_DGRAM:
13402580
JM		 1321 if (default_protocol_dgram(protocol))
1322 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1323 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1324 protocol == IPPROTO_ICMPV6))
da69a530 1325 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1326 else
1327 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1328 case SOCK_DCCP:
1329 return SECCLASS_DCCP_SOCKET;
13402580 1330 default:
1da177e4
LT		 1331 return SECCLASS_RAWIP_SOCKET;
1332 }
1333 break;
1334 case PF_NETLINK:
1335 switch (protocol) {
1336 case NETLINK_ROUTE:
1337 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1338 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1339 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1340 case NETLINK_NFLOG:
1341 return SECCLASS_NETLINK_NFLOG_SOCKET;
1342 case NETLINK_XFRM:
1343 return SECCLASS_NETLINK_XFRM_SOCKET;
1344 case NETLINK_SELINUX:
1345 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1346 case NETLINK_ISCSI:
1347 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1348 case NETLINK_AUDIT:
1349 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1350 case NETLINK_FIB_LOOKUP:
1351 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1352 case NETLINK_CONNECTOR:
1353 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1354 case NETLINK_NETFILTER:
1355 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1356 case NETLINK_DNRTMSG:
1357 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1358 case NETLINK_KOBJECT_UEVENT:
1359 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1360 case NETLINK_GENERIC:
1361 return SECCLASS_NETLINK_GENERIC_SOCKET;
1362 case NETLINK_SCSITRANSPORT:
1363 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1364 case NETLINK_RDMA:
1365 return SECCLASS_NETLINK_RDMA_SOCKET;
1366 case NETLINK_CRYPTO:
1367 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1368 default:
1369 return SECCLASS_NETLINK_SOCKET;
1370 }
1371 case PF_PACKET:
1372 return SECCLASS_PACKET_SOCKET;
1373 case PF_KEY:
1374 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1375 case PF_APPLETALK:
1376 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1377 }
1378
da69a530
SS		 1379 if (extsockclass) {
1380 switch (family) {
1381 case PF_AX25:
1382 return SECCLASS_AX25_SOCKET;
1383 case PF_IPX:
1384 return SECCLASS_IPX_SOCKET;
1385 case PF_NETROM:
1386 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1387 case PF_ATMPVC:
1388 return SECCLASS_ATMPVC_SOCKET;
1389 case PF_X25:
1390 return SECCLASS_X25_SOCKET;
1391 case PF_ROSE:
1392 return SECCLASS_ROSE_SOCKET;
1393 case PF_DECnet:
1394 return SECCLASS_DECNET_SOCKET;
1395 case PF_ATMSVC:
1396 return SECCLASS_ATMSVC_SOCKET;
1397 case PF_RDS:
1398 return SECCLASS_RDS_SOCKET;
1399 case PF_IRDA:
1400 return SECCLASS_IRDA_SOCKET;
1401 case PF_PPPOX:
1402 return SECCLASS_PPPOX_SOCKET;
1403 case PF_LLC:
1404 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1405 case PF_CAN:
1406 return SECCLASS_CAN_SOCKET;
1407 case PF_TIPC:
1408 return SECCLASS_TIPC_SOCKET;
1409 case PF_BLUETOOTH:
1410 return SECCLASS_BLUETOOTH_SOCKET;
1411 case PF_IUCV:
1412 return SECCLASS_IUCV_SOCKET;
1413 case PF_RXRPC:
1414 return SECCLASS_RXRPC_SOCKET;
1415 case PF_ISDN:
1416 return SECCLASS_ISDN_SOCKET;
1417 case PF_PHONET:
1418 return SECCLASS_PHONET_SOCKET;
1419 case PF_IEEE802154:
1420 return SECCLASS_IEEE802154_SOCKET;
1421 case PF_CAIF:
1422 return SECCLASS_CAIF_SOCKET;
1423 case PF_ALG:
1424 return SECCLASS_ALG_SOCKET;
1425 case PF_NFC:
1426 return SECCLASS_NFC_SOCKET;
1427 case PF_VSOCK:
1428 return SECCLASS_VSOCK_SOCKET;
1429 case PF_KCM:
1430 return SECCLASS_KCM_SOCKET;
1431 case PF_QIPCRTR:
1432 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1433 case PF_SMC:
1434 return SECCLASS_SMC_SOCKET;
1435#if PF_MAX > 44
da69a530
SS		 1436#error New address family defined, please update this function.
1437#endif
1438 }
1439 }
1440
1da177e4
LT		 1441 return SECCLASS_SOCKET;
1442}
1443
134509d5
SS		 1444static int selinux_genfs_get_sid(struct dentry *dentry,
1445 u16 tclass,
1446 u16 flags,
1447 u32 *sid)
1da177e4 1448{
8e6c9693 1449 int rc;
fc64005c 1450 struct super_block *sb = dentry->d_sb;
8e6c9693 1451 char *buffer, *path;
1da177e4 1452
828dfe1d 1453 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1454 if (!buffer)
1455 return -ENOMEM;
1456
8e6c9693
LAG		 1457 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1458 if (IS_ERR(path))
1459 rc = PTR_ERR(path);
1460 else {
134509d5
SS		 1461 if (flags & SE_SBPROC) {
1462 /* each process gets a /proc/PID/ entry. Strip off the
1463 * PID part to get a valid selinux labeling.
1464 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1465 while (path[1] >= '0' && path[1] <= '9') {
1466 path[1] = '/';
1467 path++;
1468 }
8e6c9693 1469 }
134509d5 1470 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1471 }
1da177e4
LT		 1472 free_page((unsigned long)buffer);
1473 return rc;
1474}
1da177e4
LT		 1475
1476/* The inode's security attributes must be initialized before first use. */
1477static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1478{
1479 struct superblock_security_struct *sbsec = NULL;
1480 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1481 u32 task_sid, sid = 0;
1482 u16 sclass;
1da177e4
LT		 1483 struct dentry *dentry;
1484#define INITCONTEXTLEN 255
1485 char *context = NULL;
1486 unsigned len = 0;
1487 int rc = 0;
1da177e4 1488
6f3be9f5 1489 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1490 return 0;
1da177e4 1491
9287aed2 1492 spin_lock(&isec->lock);
6f3be9f5 1493 if (isec->initialized == LABEL_INITIALIZED)
23970741 1494 goto out_unlock;
1da177e4 1495
13457d07
AG		 1496 if (isec->sclass == SECCLASS_FILE)
1497 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1498
1da177e4 1499 sbsec = inode->i_sb->s_security;
0d90a7ec 1500 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1501 /* Defer initialization until selinux_complete_init,
1502 after the initial policy is loaded and the security
1503 server is ready to handle calls. */
1504 spin_lock(&sbsec->isec_lock);
1505 if (list_empty(&isec->list))
1506 list_add(&isec->list, &sbsec->isec_head);
1507 spin_unlock(&sbsec->isec_lock);
23970741 1508 goto out_unlock;
1da177e4
LT		 1509 }
1510
9287aed2
AG		 1511 sclass = isec->sclass;
1512 task_sid = isec->task_sid;
1513 sid = isec->sid;
1514 isec->initialized = LABEL_PENDING;
1515 spin_unlock(&isec->lock);
1516
1da177e4 1517 switch (sbsec->behavior) {
eb9ae686
DQ		 1518 case SECURITY_FS_USE_NATIVE:
1519 break;
1da177e4 1520 case SECURITY_FS_USE_XATTR:
5d6c3191 1521 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1522 sid = sbsec->def_sid;
1da177e4
LT		 1523 break;
1524 }
1da177e4
LT		 1525 /* Need a dentry, since the xattr API requires one.
1526 Life would be simpler if we could just pass the inode. */
1527 if (opt_dentry) {
1528 /* Called from d_instantiate or d_splice_alias. */
1529 dentry = dget(opt_dentry);
1530 } else {
1531 /* Called from selinux_complete_init, try to find a dentry. */
1532 dentry = d_find_alias(inode);
1533 }
1534 if (!dentry) {
df7f54c0
EP		 1535 /*
1536 * this is can be hit on boot when a file is accessed
1537 * before the policy is loaded. When we load policy we
1538 * may find inodes that have no dentry on the
1539 * sbsec->isec_head list. No reason to complain as these
1540 * will get fixed up the next time we go through
1541 * inode_doinit with a dentry, before these inodes could
1542 * be used again by userspace.
1543 */
9287aed2 1544 goto out;
1da177e4
LT		 1545 }
1546
1547 len = INITCONTEXTLEN;
4cb912f1 1548 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1549 if (!context) {
1550 rc = -ENOMEM;
1551 dput(dentry);
9287aed2 1552 goto out;
1da177e4 1553 }
4cb912f1 1554 context[len] = '\0';
5d6c3191 1555 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1556 if (rc == -ERANGE) {
314dabb8
JM		 1557 kfree(context);
1558
1da177e4 1559 /* Need a larger buffer. Query for the right size. */
5d6c3191 1560 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1561 if (rc < 0) {
1562 dput(dentry);
9287aed2 1563 goto out;
1da177e4 1564 }
1da177e4 1565 len = rc;
4cb912f1 1566 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1567 if (!context) {
1568 rc = -ENOMEM;
1569 dput(dentry);
9287aed2 1570 goto out;
1da177e4 1571 }
4cb912f1 1572 context[len] = '\0';
5d6c3191 1573 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1574 }
1575 dput(dentry);
1576 if (rc < 0) {
1577 if (rc != -ENODATA) {
744ba35e 1578 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1579 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1580 -rc, inode->i_sb->s_id, inode->i_ino);
1581 kfree(context);
9287aed2 1582 goto out;
1da177e4
LT		 1583 }
1584 /* Map ENODATA to the default file SID */
1585 sid = sbsec->def_sid;
1586 rc = 0;
1587 } else {
f5c1d5b2 1588 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1589 sbsec->def_sid,
1590 GFP_NOFS);
1da177e4 1591 if (rc) {
4ba0a8ad
EP		 1592 char *dev = inode->i_sb->s_id;
1593 unsigned long ino = inode->i_ino;
1594
1595 if (rc == -EINVAL) {
1596 if (printk_ratelimit())
1597 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1598 "context=%s. This indicates you may need to relabel the inode or the "
1599 "filesystem in question.\n", ino, dev, context);
1600 } else {
1601 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1602 "returned %d for dev=%s ino=%ld\n",
1603 __func__, context, -rc, dev, ino);
1604 }
1da177e4
LT		 1605 kfree(context);
1606 /* Leave with the unlabeled SID */
1607 rc = 0;
1608 break;
1609 }
1610 }
1611 kfree(context);
1da177e4
LT		 1612 break;
1613 case SECURITY_FS_USE_TASK:
9287aed2 1614 sid = task_sid;
1da177e4
LT		 1615 break;
1616 case SECURITY_FS_USE_TRANS:
1617 /* Default to the fs SID. */
9287aed2 1618 sid = sbsec->sid;
1da177e4
LT		 1619
1620 /* Try to obtain a transition SID. */
9287aed2 1621 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1622 if (rc)
9287aed2 1623 goto out;
1da177e4 1624 break;
c312feb2 1625 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1626 sid = sbsec->mntpoint_sid;
c312feb2 1627 break;
1da177e4 1628 default:
c312feb2 1629 /* Default to the fs superblock SID. */
9287aed2 1630 sid = sbsec->sid;
1da177e4 1631
134509d5 1632 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1633 /* We must have a dentry to determine the label on
1634 * procfs inodes */
1635 if (opt_dentry)
1636 /* Called from d_instantiate or
1637 * d_splice_alias. */
1638 dentry = dget(opt_dentry);
1639 else
1640 /* Called from selinux_complete_init, try to
1641 * find a dentry. */
1642 dentry = d_find_alias(inode);
1643 /*
1644 * This can be hit on boot when a file is accessed
1645 * before the policy is loaded. When we load policy we
1646 * may find inodes that have no dentry on the
1647 * sbsec->isec_head list. No reason to complain as
1648 * these will get fixed up the next time we go through
1649 * inode_doinit() with a dentry, before these inodes
1650 * could be used again by userspace.
1651 */
1652 if (!dentry)
9287aed2
AG		 1653 goto out;
1654 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1655 sbsec->flags, &sid);
f64410ec
PM		 1656 dput(dentry);
1657 if (rc)
9287aed2 1658 goto out;
1da177e4
LT		 1659 }
1660 break;
1661 }
1662
9287aed2
AG		 1663out:
1664 spin_lock(&isec->lock);
1665 if (isec->initialized == LABEL_PENDING) {
1666 if (!sid || rc) {
1667 isec->initialized = LABEL_INVALID;
1668 goto out_unlock;
1669 }
1670
1671 isec->initialized = LABEL_INITIALIZED;
1672 isec->sid = sid;
1673 }
1da177e4 1674
23970741 1675out_unlock:
9287aed2 1676 spin_unlock(&isec->lock);
1da177e4
LT		 1677 return rc;
1678}
1679
1680/* Convert a Linux signal to an access vector. */
1681static inline u32 signal_to_av(int sig)
1682{
1683 u32 perm = 0;
1684
1685 switch (sig) {
1686 case SIGCHLD:
1687 /* Commonly granted from child to parent. */
1688 perm = PROCESS__SIGCHLD;
1689 break;
1690 case SIGKILL:
1691 /* Cannot be caught or ignored */
1692 perm = PROCESS__SIGKILL;
1693 break;
1694 case SIGSTOP:
1695 /* Cannot be caught or ignored */
1696 perm = PROCESS__SIGSTOP;
1697 break;
1698 default:
1699 /* All other signals. */
1700 perm = PROCESS__SIGNAL;
1701 break;
1702 }
1703
1704 return perm;
1705}
1706
b68e418c
SS		 1707#if CAP_LAST_CAP > 63
1708#error Fix SELinux to handle capabilities > 63.
1709#endif
1710
1da177e4 1711/* Check whether a task is allowed to use a capability. */
6a9de491 1712static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1713 int cap, int audit, bool initns)
1da177e4 1714{
2bf49690 1715 struct common_audit_data ad;
06112163 1716 struct av_decision avd;
b68e418c 1717 u16 sclass;
3699c53c 1718 u32 sid = cred_sid(cred);
b68e418c 1719 u32 av = CAP_TO_MASK(cap);
06112163 1720 int rc;
1da177e4 1721
50c205f5 1722 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1723 ad.u.cap = cap;
1724
b68e418c
SS		 1725 switch (CAP_TO_INDEX(cap)) {
1726 case 0:
8e4ff6f2 1727 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1728 break;
1729 case 1:
8e4ff6f2 1730 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1731 break;
1732 default:
1733 printk(KERN_ERR
1734 "SELinux: out of range capability %d\n", cap);
1735 BUG();
a35c6c83 1736 return -EINVAL;
b68e418c 1737 }
06112163 1738
275bb41e 1739 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1740 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1741 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1742 if (rc2)
1743 return rc2;
1744 }
06112163 1745 return rc;
1da177e4
LT		 1746}
1747
1da177e4
LT		 1748/* Check whether a task has a particular permission to an inode.
1749 The 'adp' parameter is optional and allows other audit
1750 data to be passed (e.g. the dentry). */
88e67f3b 1751static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1752 struct inode *inode,
1753 u32 perms,
19e49834 1754 struct common_audit_data *adp)
1da177e4 1755{
1da177e4 1756 struct inode_security_struct *isec;
275bb41e 1757 u32 sid;
1da177e4 1758
e0e81739
DH		 1759 validate_creds(cred);
1760
828dfe1d 1761 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1762 return 0;
1763
88e67f3b 1764 sid = cred_sid(cred);
1da177e4
LT		 1765 isec = inode->i_security;
1766
19e49834 1767 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1768}
1769
1770/* Same as inode_has_perm, but pass explicit audit data containing
1771 the dentry to help the auditing code to more easily generate the
1772 pathname if needed. */
88e67f3b 1773static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1774 struct dentry *dentry,
1775 u32 av)
1776{
c6f493d6 1777 struct inode *inode = d_backing_inode(dentry);
2bf49690 1778 struct common_audit_data ad;
88e67f3b 1779
50c205f5 1780 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1781 ad.u.dentry = dentry;
5d226df4 1782 __inode_security_revalidate(inode, dentry, true);
19e49834 1783 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1784}
1785
1786/* Same as inode_has_perm, but pass explicit audit data containing
1787 the path to help the auditing code to more easily generate the
1788 pathname if needed. */
1789static inline int path_has_perm(const struct cred *cred,
3f7036a0 1790 const struct path *path,
2875fa00
EP		 1791 u32 av)
1792{
c6f493d6 1793 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1794 struct common_audit_data ad;
1795
50c205f5 1796 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1797 ad.u.path = *path;
5d226df4 1798 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1799 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1800}
1801
13f8e981
DH		 1802/* Same as path_has_perm, but uses the inode from the file struct. */
1803static inline int file_path_has_perm(const struct cred *cred,
1804 struct file *file,
1805 u32 av)
1806{
1807 struct common_audit_data ad;
1808
43af5de7
VG		 1809 ad.type = LSM_AUDIT_DATA_FILE;
1810 ad.u.file = file;
19e49834 1811 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1812}
1813
1da177e4
LT		 1814/* Check whether a task can use an open file descriptor to
1815 access an inode in a given way. Check access to the
1816 descriptor itself, and then use dentry_has_perm to
1817 check a particular permission to the file.
1818 Access to the descriptor is implicitly granted if it
1819 has the same SID as the process. If av is zero, then
1820 access to the file is not checked, e.g. for cases
1821 where only the descriptor is affected like seek. */
88e67f3b
DH		 1822static int file_has_perm(const struct cred *cred,
1823 struct file *file,
1824 u32 av)
1da177e4 1825{
1da177e4 1826 struct file_security_struct *fsec = file->f_security;
496ad9aa 1827 struct inode *inode = file_inode(file);
2bf49690 1828 struct common_audit_data ad;
88e67f3b 1829 u32 sid = cred_sid(cred);
1da177e4
LT		 1830 int rc;
1831
43af5de7
VG		 1832 ad.type = LSM_AUDIT_DATA_FILE;
1833 ad.u.file = file;
1da177e4 1834
275bb41e
DH		 1835 if (sid != fsec->sid) {
1836 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1837 SECCLASS_FD,
1838 FD__USE,
1839 &ad);
1840 if (rc)
88e67f3b 1841 goto out;
1da177e4
LT		 1842 }
1843
1844 /* av is zero if only checking access to the descriptor. */
88e67f3b 1845 rc = 0;
1da177e4 1846 if (av)
19e49834 1847 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1848
88e67f3b
DH		 1849out:
1850 return rc;
1da177e4
LT		 1851}
1852
c3c188b2
DH		 1853/*
1854 * Determine the label for an inode that might be unioned.
1855 */
c957f6df
VG		 1856static int
1857selinux_determine_inode_label(const struct task_security_struct *tsec,
1858 struct inode *dir,
1859 const struct qstr *name, u16 tclass,
1860 u32 *_new_isid)
c3c188b2
DH		 1861{
1862 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1863
1864 if ((sbsec->flags & SE_SBINITIALIZED) &&
1865 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1866 *_new_isid = sbsec->mntpoint_sid;
1867 } else if ((sbsec->flags & SBLABEL_MNT) &&
1868 tsec->create_sid) {
1869 *_new_isid = tsec->create_sid;
1870 } else {
20cdef8d 1871 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1872 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1873 name, _new_isid);
1874 }
1875
1876 return 0;
1877}
1878
1da177e4
LT		 1879/* Check whether a task can create a file. */
1880static int may_create(struct inode *dir,
1881 struct dentry *dentry,
1882 u16 tclass)
1883{
5fb49870 1884 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1885 struct inode_security_struct *dsec;
1886 struct superblock_security_struct *sbsec;
275bb41e 1887 u32 sid, newsid;
2bf49690 1888 struct common_audit_data ad;
1da177e4
LT		 1889 int rc;
1890
83da53c5 1891 dsec = inode_security(dir);
1da177e4
LT		 1892 sbsec = dir->i_sb->s_security;
1893
275bb41e 1894 sid = tsec->sid;
275bb41e 1895
50c205f5 1896 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1897 ad.u.dentry = dentry;
1da177e4 1898
275bb41e 1899 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1900 DIR__ADD_NAME | DIR__SEARCH,
1901 &ad);
1902 if (rc)
1903 return rc;
1904
c957f6df
VG		 1905 rc = selinux_determine_inode_label(current_security(), dir,
1906 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1907 if (rc)
1908 return rc;
1da177e4 1909
275bb41e 1910 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1911 if (rc)
1912 return rc;
1913
1914 return avc_has_perm(newsid, sbsec->sid,
1915 SECCLASS_FILESYSTEM,
1916 FILESYSTEM__ASSOCIATE, &ad);
1917}
1918
828dfe1d
EP		 1919#define MAY_LINK 0
1920#define MAY_UNLINK 1
1921#define MAY_RMDIR 2
1da177e4
LT		 1922
1923/* Check whether a task can link, unlink, or rmdir a file/directory. */
1924static int may_link(struct inode *dir,
1925 struct dentry *dentry,
1926 int kind)
1927
1928{
1da177e4 1929 struct inode_security_struct *dsec, *isec;
2bf49690 1930 struct common_audit_data ad;
275bb41e 1931 u32 sid = current_sid();
1da177e4
LT		 1932 u32 av;
1933 int rc;
1934
83da53c5
AG		 1935 dsec = inode_security(dir);
1936 isec = backing_inode_security(dentry);
1da177e4 1937
50c205f5 1938 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1939 ad.u.dentry = dentry;
1da177e4
LT		 1940
1941 av = DIR__SEARCH;
1942 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1943 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1944 if (rc)
1945 return rc;
1946
1947 switch (kind) {
1948 case MAY_LINK:
1949 av = FILE__LINK;
1950 break;
1951 case MAY_UNLINK:
1952 av = FILE__UNLINK;
1953 break;
1954 case MAY_RMDIR:
1955 av = DIR__RMDIR;
1956 break;
1957 default:
744ba35e
EP		 1958 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1959 __func__, kind);
1da177e4
LT		 1960 return 0;
1961 }
1962
275bb41e 1963 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1964 return rc;
1965}
1966
1967static inline int may_rename(struct inode *old_dir,
1968 struct dentry *old_dentry,
1969 struct inode *new_dir,
1970 struct dentry *new_dentry)
1971{
1da177e4 1972 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1973 struct common_audit_data ad;
275bb41e 1974 u32 sid = current_sid();
1da177e4
LT		 1975 u32 av;
1976 int old_is_dir, new_is_dir;
1977 int rc;
1978
83da53c5
AG		 1979 old_dsec = inode_security(old_dir);
1980 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1981 old_is_dir = d_is_dir(old_dentry);
83da53c5 1982 new_dsec = inode_security(new_dir);
1da177e4 1983
50c205f5 1984 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1985
a269434d 1986 ad.u.dentry = old_dentry;
275bb41e 1987 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1988 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1989 if (rc)
1990 return rc;
275bb41e 1991 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1992 old_isec->sclass, FILE__RENAME, &ad);
1993 if (rc)
1994 return rc;
1995 if (old_is_dir && new_dir != old_dir) {
275bb41e 1996 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1997 old_isec->sclass, DIR__REPARENT, &ad);
1998 if (rc)
1999 return rc;
2000 }
2001
a269434d 2002 ad.u.dentry = new_dentry;
1da177e4 2003 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2004 if (d_is_positive(new_dentry))
1da177e4 2005 av |= DIR__REMOVE_NAME;
275bb41e 2006 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2007 if (rc)
2008 return rc;
2c616d4d 2009 if (d_is_positive(new_dentry)) {
83da53c5 2010 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2011 new_is_dir = d_is_dir(new_dentry);
275bb41e 2012 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 2013 new_isec->sclass,
2014 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2015 if (rc)
2016 return rc;
2017 }
2018
2019 return 0;
2020}
2021
2022/* Check whether a task can perform a filesystem operation. */
88e67f3b 2023static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2024 struct super_block *sb,
2025 u32 perms,
2bf49690 2026 struct common_audit_data *ad)
1da177e4 2027{
1da177e4 2028 struct superblock_security_struct *sbsec;
88e67f3b 2029 u32 sid = cred_sid(cred);
1da177e4 2030
1da177e4 2031 sbsec = sb->s_security;
275bb41e 2032 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2033}
2034
2035/* Convert a Linux mode and permission mask to an access vector. */
2036static inline u32 file_mask_to_av(int mode, int mask)
2037{
2038 u32 av = 0;
2039
dba19c60 2040 if (!S_ISDIR(mode)) {
1da177e4
LT		 2041 if (mask & MAY_EXEC)
2042 av |= FILE__EXECUTE;
2043 if (mask & MAY_READ)
2044 av |= FILE__READ;
2045
2046 if (mask & MAY_APPEND)
2047 av |= FILE__APPEND;
2048 else if (mask & MAY_WRITE)
2049 av |= FILE__WRITE;
2050
2051 } else {
2052 if (mask & MAY_EXEC)
2053 av |= DIR__SEARCH;
2054 if (mask & MAY_WRITE)
2055 av |= DIR__WRITE;
2056 if (mask & MAY_READ)
2057 av |= DIR__READ;
2058 }
2059
2060 return av;
2061}
2062
8b6a5a37
EP		 2063/* Convert a Linux file to an access vector. */
2064static inline u32 file_to_av(struct file *file)
2065{
2066 u32 av = 0;
2067
2068 if (file->f_mode & FMODE_READ)
2069 av |= FILE__READ;
2070 if (file->f_mode & FMODE_WRITE) {
2071 if (file->f_flags & O_APPEND)
2072 av |= FILE__APPEND;
2073 else
2074 av |= FILE__WRITE;
2075 }
2076 if (!av) {
2077 /*
2078 * Special file opened with flags 3 for ioctl-only use.
2079 */
2080 av = FILE__IOCTL;
2081 }
2082
2083 return av;
2084}
2085
b0c636b9 2086/*
8b6a5a37 2087 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2088 * open permission.
2089 */
8b6a5a37 2090static inline u32 open_file_to_av(struct file *file)
b0c636b9 2091{
8b6a5a37 2092 u32 av = file_to_av(file);
ccb54478 2093 struct inode *inode = file_inode(file);
b0c636b9 2094
ccb54478 2095 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2096 av |= FILE__OPEN;
2097
b0c636b9
EP		 2098 return av;
2099}
2100
1da177e4
LT		 2101/* Hook functions begin here. */
2102
79af7307
SS		 2103static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2104{
2105 u32 mysid = current_sid();
2106 u32 mgrsid = task_sid(mgr);
2107
2108 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2109 BINDER__SET_CONTEXT_MGR, NULL);
2110}
2111
2112static int selinux_binder_transaction(struct task_struct *from,
2113 struct task_struct *to)
2114{
2115 u32 mysid = current_sid();
2116 u32 fromsid = task_sid(from);
2117 u32 tosid = task_sid(to);
2118 int rc;
2119
2120 if (mysid != fromsid) {
2121 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2122 BINDER__IMPERSONATE, NULL);
2123 if (rc)
2124 return rc;
2125 }
2126
2127 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2128 NULL);
2129}
2130
2131static int selinux_binder_transfer_binder(struct task_struct *from,
2132 struct task_struct *to)
2133{
2134 u32 fromsid = task_sid(from);
2135 u32 tosid = task_sid(to);
2136
2137 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2138 NULL);
2139}
2140
2141static int selinux_binder_transfer_file(struct task_struct *from,
2142 struct task_struct *to,
2143 struct file *file)
2144{
2145 u32 sid = task_sid(to);
2146 struct file_security_struct *fsec = file->f_security;
83da53c5 2147 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2148 struct inode_security_struct *isec;
79af7307
SS		 2149 struct common_audit_data ad;
2150 int rc;
2151
2152 ad.type = LSM_AUDIT_DATA_PATH;
2153 ad.u.path = file->f_path;
2154
2155 if (sid != fsec->sid) {
2156 rc = avc_has_perm(sid, fsec->sid,
2157 SECCLASS_FD,
2158 FD__USE,
2159 &ad);
2160 if (rc)
2161 return rc;
2162 }
2163
83da53c5 2164 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2165 return 0;
2166
20cdef8d 2167 isec = backing_inode_security(dentry);
79af7307
SS		 2168 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2169 &ad);
2170}
2171
9e48858f 2172static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2173 unsigned int mode)
1da177e4 2174{
be0554c9
SS		 2175 u32 sid = current_sid();
2176 u32 csid = task_sid(child);
2177
2178 if (mode & PTRACE_MODE_READ)
275bb41e 2179 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2180
be0554c9 2181 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2182}
2183
2184static int selinux_ptrace_traceme(struct task_struct *parent)
2185{
be0554c9
SS		 2186 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2187 PROCESS__PTRACE, NULL);
1da177e4
LT		 2188}
2189
2190static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2191 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2192{
be0554c9
SS		 2193 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2194 PROCESS__GETCAP, NULL);
1da177e4
LT		 2195}
2196
d84f4f99
DH		 2197static int selinux_capset(struct cred *new, const struct cred *old,
2198 const kernel_cap_t *effective,
2199 const kernel_cap_t *inheritable,
2200 const kernel_cap_t *permitted)
1da177e4 2201{
be0554c9
SS		 2202 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2203 PROCESS__SETCAP, NULL);
1da177e4
LT		 2204}
2205
5626d3e8
JM		 2206/*
2207 * (This comment used to live with the selinux_task_setuid hook,
2208 * which was removed).
2209 *
2210 * Since setuid only affects the current process, and since the SELinux
2211 * controls are not based on the Linux identity attributes, SELinux does not
2212 * need to control this operation. However, SELinux does control the use of
2213 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2214 */
2215
6a9de491
EP		 2216static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2217 int cap, int audit)
1da177e4 2218{
8e4ff6f2 2219 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2220}
2221
1da177e4
LT		 2222static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2223{
88e67f3b 2224 const struct cred *cred = current_cred();
1da177e4
LT		 2225 int rc = 0;
2226
2227 if (!sb)
2228 return 0;
2229
2230 switch (cmds) {
828dfe1d
EP		 2231 case Q_SYNC:
2232 case Q_QUOTAON:
2233 case Q_QUOTAOFF:
2234 case Q_SETINFO:
2235 case Q_SETQUOTA:
88e67f3b 2236 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2237 break;
2238 case Q_GETFMT:
2239 case Q_GETINFO:
2240 case Q_GETQUOTA:
88e67f3b 2241 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2242 break;
2243 default:
2244 rc = 0; /* let the kernel handle invalid cmds */
2245 break;
1da177e4
LT		 2246 }
2247 return rc;
2248}
2249
2250static int selinux_quota_on(struct dentry *dentry)
2251{
88e67f3b
DH		 2252 const struct cred *cred = current_cred();
2253
2875fa00 2254 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2255}
2256
12b3052c 2257static int selinux_syslog(int type)
1da177e4 2258{
1da177e4 2259 switch (type) {
d78ca3cd
KC		 2260 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2261 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2262 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2263 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2264 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2265 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2266 /* Set level of messages printed to console */
2267 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2268 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2269 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2270 NULL);
1da177e4 2271 }
be0554c9
SS		 2272 /* All other syslog types */
2273 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2274 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2275}
2276
2277/*
2278 * Check that a process has enough memory to allocate a new virtual
2279 * mapping. 0 means there is enough memory for the allocation to
2280 * succeed and -ENOMEM implies there is not.
2281 *
1da177e4
LT		 2282 * Do not audit the selinux permission check, as this is applied to all
2283 * processes that allocate mappings.
2284 */
34b4e4aa 2285static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2286{
2287 int rc, cap_sys_admin = 0;
1da177e4 2288
b1d9e6b0 2289 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2290 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2291 if (rc == 0)
2292 cap_sys_admin = 1;
2293
b1d9e6b0 2294 return cap_sys_admin;
1da177e4
LT		 2295}
2296
2297/* binprm security operations */
2298
be0554c9 2299static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2300{
2301 u32 sid = 0;
2302 struct task_struct *tracer;
2303
2304 rcu_read_lock();
be0554c9 2305 tracer = ptrace_parent(current);
0c6181cb
PM		 2306 if (tracer)
2307 sid = task_sid(tracer);
2308 rcu_read_unlock();
2309
2310 return sid;
2311}
2312
7b0d0b40
SS		 2313static int check_nnp_nosuid(const struct linux_binprm *bprm,
2314 const struct task_security_struct *old_tsec,
2315 const struct task_security_struct *new_tsec)
2316{
2317 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
0dc04886 2318 int nosuid = path_nosuid(&bprm->file->f_path);
7b0d0b40
SS		 2319 int rc;
2320
2321 if (!nnp && !nosuid)
2322 return 0; /* neither NNP nor nosuid */
2323
2324 if (new_tsec->sid == old_tsec->sid)
2325 return 0; /* No change in credentials */
2326
2327 /*
2328 * The only transitions we permit under NNP or nosuid
2329 * are transitions to bounded SIDs, i.e. SIDs that are
2330 * guaranteed to only be allowed a subset of the permissions
2331 * of the current SID.
2332 */
2333 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2334 if (rc) {
2335 /*
2336 * On failure, preserve the errno values for NNP vs nosuid.
2337 * NNP: Operation not permitted for caller.
2338 * nosuid: Permission denied to file.
2339 */
2340 if (nnp)
2341 return -EPERM;
2342 else
2343 return -EACCES;
2344 }
2345 return 0;
2346}
2347
a6f76f23 2348static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2349{
a6f76f23
DH		 2350 const struct task_security_struct *old_tsec;
2351 struct task_security_struct *new_tsec;
1da177e4 2352 struct inode_security_struct *isec;
2bf49690 2353 struct common_audit_data ad;
496ad9aa 2354 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2355 int rc;
2356
a6f76f23
DH		 2357 /* SELinux context only depends on initial program or script and not
2358 * the script interpreter */
2359 if (bprm->cred_prepared)
1da177e4
LT		 2360 return 0;
2361
a6f76f23
DH		 2362 old_tsec = current_security();
2363 new_tsec = bprm->cred->security;
83da53c5 2364 isec = inode_security(inode);
1da177e4
LT		 2365
2366 /* Default to the current task SID. */
a6f76f23
DH		 2367 new_tsec->sid = old_tsec->sid;
2368 new_tsec->osid = old_tsec->sid;
1da177e4 2369
28eba5bf 2370 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2371 new_tsec->create_sid = 0;
2372 new_tsec->keycreate_sid = 0;
2373 new_tsec->sockcreate_sid = 0;
1da177e4 2374
a6f76f23
DH		 2375 if (old_tsec->exec_sid) {
2376 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2377 /* Reset exec SID on execve. */
a6f76f23 2378 new_tsec->exec_sid = 0;
259e5e6c 2379
7b0d0b40
SS		 2380 /* Fail on NNP or nosuid if not an allowed transition. */
2381 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2382 if (rc)
2383 return rc;
1da177e4
LT		 2384 } else {
2385 /* Check for a default transition on this program. */
a6f76f23 2386 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2387 SECCLASS_PROCESS, NULL,
2388 &new_tsec->sid);
1da177e4
LT		 2389 if (rc)
2390 return rc;
7b0d0b40
SS		 2391
2392 /*
2393 * Fallback to old SID on NNP or nosuid if not an allowed
2394 * transition.
2395 */
2396 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2397 if (rc)
2398 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2399 }
2400
43af5de7
VG		 2401 ad.type = LSM_AUDIT_DATA_FILE;
2402 ad.u.file = bprm->file;
1da177e4 2403
a6f76f23
DH		 2404 if (new_tsec->sid == old_tsec->sid) {
2405 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2406 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2407 if (rc)
2408 return rc;
2409 } else {
2410 /* Check permissions for the transition. */
a6f76f23 2411 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2412 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2413 if (rc)
2414 return rc;
2415
a6f76f23 2416 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2417 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2418 if (rc)
2419 return rc;
2420
a6f76f23
DH		 2421 /* Check for shared state */
2422 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2423 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2424 SECCLASS_PROCESS, PROCESS__SHARE,
2425 NULL);
2426 if (rc)
2427 return -EPERM;
2428 }
2429
2430 /* Make sure that anyone attempting to ptrace over a task that
2431 * changes its SID has the appropriate permit */
9227dd2a 2432 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2433 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2434 if (ptsid != 0) {
2435 rc = avc_has_perm(ptsid, new_tsec->sid,
2436 SECCLASS_PROCESS,
2437 PROCESS__PTRACE, NULL);
2438 if (rc)
2439 return -EPERM;
2440 }
2441 }
1da177e4 2442
a6f76f23
DH		 2443 /* Clear any possibly unsafe personality bits on exec: */
2444 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2445 }
2446
1da177e4
LT		 2447 return 0;
2448}
2449
828dfe1d 2450static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2451{
5fb49870 2452 const struct task_security_struct *tsec = current_security();
275bb41e 2453 u32 sid, osid;
1da177e4
LT		 2454 int atsecure = 0;
2455
275bb41e
DH		 2456 sid = tsec->sid;
2457 osid = tsec->osid;
2458
2459 if (osid != sid) {
1da177e4
LT		 2460 /* Enable secure mode for SIDs transitions unless
2461 the noatsecure permission is granted between
2462 the two SIDs, i.e. ahp returns 0. */
275bb41e 2463 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2464 SECCLASS_PROCESS,
2465 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2466 }
2467
b1d9e6b0 2468 return !!atsecure;
1da177e4
LT		 2469}
2470
c3c073f8
AV		 2471static int match_file(const void *p, struct file *file, unsigned fd)
2472{
2473 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2474}
2475
1da177e4 2476/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2477static inline void flush_unauthorized_files(const struct cred *cred,
2478 struct files_struct *files)
1da177e4 2479{
1da177e4 2480 struct file *file, *devnull = NULL;
b20c8122 2481 struct tty_struct *tty;
24ec839c 2482 int drop_tty = 0;
c3c073f8 2483 unsigned n;
1da177e4 2484
24ec839c 2485 tty = get_current_tty();
1da177e4 2486 if (tty) {
4a510969 2487 spin_lock(&tty->files_lock);
37dd0bd0 2488 if (!list_empty(&tty->tty_files)) {
d996b62a 2489 struct tty_file_private *file_priv;
37dd0bd0 2490
1da177e4 2491 /* Revalidate access to controlling tty.
13f8e981
DH		 2492 Use file_path_has_perm on the tty path directly
2493 rather than using file_has_perm, as this particular
2494 open file may belong to another process and we are
2495 only interested in the inode-based check here. */
d996b62a
NP		 2496 file_priv = list_first_entry(&tty->tty_files,
2497 struct tty_file_private, list);
2498 file = file_priv->file;
13f8e981 2499 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2500 drop_tty = 1;
1da177e4 2501 }
4a510969 2502 spin_unlock(&tty->files_lock);
452a00d2 2503 tty_kref_put(tty);
1da177e4 2504 }
98a27ba4
EB		 2505 /* Reset controlling tty. */
2506 if (drop_tty)
2507 no_tty();
1da177e4
LT		 2508
2509 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2510 n = iterate_fd(files, 0, match_file, cred);
2511 if (!n) /* none found? */
2512 return;
1da177e4 2513
c3c073f8 2514 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2515 if (IS_ERR(devnull))
2516 devnull = NULL;
2517 /* replace all the matching ones with this */
2518 do {
2519 replace_fd(n - 1, devnull, 0);
2520 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2521 if (devnull)
c3c073f8 2522 fput(devnull);
1da177e4
LT		 2523}
2524
a6f76f23
DH		 2525/*
2526 * Prepare a process for imminent new credential changes due to exec
2527 */
2528static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2529{
a6f76f23
DH		 2530 struct task_security_struct *new_tsec;
2531 struct rlimit *rlim, *initrlim;
2532 int rc, i;
d84f4f99 2533
a6f76f23
DH		 2534 new_tsec = bprm->cred->security;
2535 if (new_tsec->sid == new_tsec->osid)
2536 return;
1da177e4 2537
a6f76f23
DH		 2538 /* Close files for which the new task SID is not authorized. */
2539 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2540
a6f76f23
DH		 2541 /* Always clear parent death signal on SID transitions. */
2542 current->pdeath_signal = 0;
0356357c 2543
a6f76f23
DH		 2544 /* Check whether the new SID can inherit resource limits from the old
2545 * SID. If not, reset all soft limits to the lower of the current
2546 * task's hard limit and the init task's soft limit.
2547 *
2548 * Note that the setting of hard limits (even to lower them) can be
2549 * controlled by the setrlimit check. The inclusion of the init task's
2550 * soft limit into the computation is to avoid resetting soft limits
2551 * higher than the default soft limit for cases where the default is
2552 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2553 */
2554 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2555 PROCESS__RLIMITINH, NULL);
2556 if (rc) {
eb2d55a3
ON		 2557 /* protect against do_prlimit() */
2558 task_lock(current);
a6f76f23
DH		 2559 for (i = 0; i < RLIM_NLIMITS; i++) {
2560 rlim = current->signal->rlim + i;
2561 initrlim = init_task.signal->rlim + i;
2562 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2563 }
eb2d55a3 2564 task_unlock(current);
baa73d9e
NP		 2565 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2566 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2567 }
2568}
2569
2570/*
a6f76f23
DH		 2571 * Clean up the process immediately after the installation of new credentials
2572 * due to exec
1da177e4 2573 */
a6f76f23 2574static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2575{
a6f76f23 2576 const struct task_security_struct *tsec = current_security();
1da177e4 2577 struct itimerval itimer;
a6f76f23 2578 u32 osid, sid;
1da177e4
LT		 2579 int rc, i;
2580
a6f76f23
DH		 2581 osid = tsec->osid;
2582 sid = tsec->sid;
2583
2584 if (sid == osid)
1da177e4
LT		 2585 return;
2586
a6f76f23
DH		 2587 /* Check whether the new SID can inherit signal state from the old SID.
2588 * If not, clear itimers to avoid subsequent signal generation and
2589 * flush and unblock signals.
2590 *
2591 * This must occur _after_ the task SID has been updated so that any
2592 * kill done after the flush will be checked against the new SID.
2593 */
2594 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2595 if (rc) {
baa73d9e
NP		 2596 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2597 memset(&itimer, 0, sizeof itimer);
2598 for (i = 0; i < 3; i++)
2599 do_setitimer(i, &itimer, NULL);
2600 }
1da177e4 2601 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2602 if (!fatal_signal_pending(current)) {
2603 flush_sigqueue(&current->pending);
2604 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2605 flush_signal_handlers(current, 1);
2606 sigemptyset(&current->blocked);
9e7c8f8c 2607 recalc_sigpending();
3bcac026 2608 }
1da177e4
LT		 2609 spin_unlock_irq(&current->sighand->siglock);
2610 }
2611
a6f76f23
DH		 2612 /* Wake up the parent if it is waiting so that it can recheck
2613 * wait permission to the new task SID. */
ecd6de3c 2614 read_lock(&tasklist_lock);
0b7570e7 2615 __wake_up_parent(current, current->real_parent);
ecd6de3c 2616 read_unlock(&tasklist_lock);
1da177e4
LT		 2617}
2618
2619/* superblock security operations */
2620
2621static int selinux_sb_alloc_security(struct super_block *sb)
2622{
2623 return superblock_alloc_security(sb);
2624}
2625
2626static void selinux_sb_free_security(struct super_block *sb)
2627{
2628 superblock_free_security(sb);
2629}
2630
2631static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2632{
2633 if (plen > olen)
2634 return 0;
2635
2636 return !memcmp(prefix, option, plen);
2637}
2638
2639static inline int selinux_option(char *option, int len)
2640{
832cbd9a
EP		 2641 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2642 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2643 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2644 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2645 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2646}
2647
2648static inline void take_option(char **to, char *from, int *first, int len)
2649{
2650 if (!*first) {
2651 **to = ',';
2652 *to += 1;
3528a953 2653 } else
1da177e4
LT		 2654 *first = 0;
2655 memcpy(*to, from, len);
2656 *to += len;
2657}
2658
828dfe1d
EP		 2659static inline void take_selinux_option(char **to, char *from, int *first,
2660 int len)
3528a953
CO		 2661{
2662 int current_size = 0;
2663
2664 if (!*first) {
2665 **to = '|';
2666 *to += 1;
828dfe1d 2667 } else
3528a953
CO		 2668 *first = 0;
2669
2670 while (current_size < len) {
2671 if (*from != '"') {
2672 **to = *from;
2673 *to += 1;
2674 }
2675 from += 1;
2676 current_size += 1;
2677 }
2678}
2679
e0007529 2680static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2681{
2682 int fnosec, fsec, rc = 0;
2683 char *in_save, *in_curr, *in_end;
2684 char *sec_curr, *nosec_save, *nosec;
3528a953 2685 int open_quote = 0;
1da177e4
LT		 2686
2687 in_curr = orig;
2688 sec_curr = copy;
2689
1da177e4
LT		 2690 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2691 if (!nosec) {
2692 rc = -ENOMEM;
2693 goto out;
2694 }
2695
2696 nosec_save = nosec;
2697 fnosec = fsec = 1;
2698 in_save = in_end = orig;
2699
2700 do {
3528a953
CO		 2701 if (*in_end == '"')
2702 open_quote = !open_quote;
2703 if ((*in_end == ',' && open_quote == 0) ||
2704 *in_end == '\0') {
1da177e4
LT		 2705 int len = in_end - in_curr;
2706
2707 if (selinux_option(in_curr, len))
3528a953 2708 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2709 else
2710 take_option(&nosec, in_curr, &fnosec, len);
2711
2712 in_curr = in_end + 1;
2713 }
2714 } while (*in_end++);
2715
6931dfc9 2716 strcpy(in_save, nosec_save);
da3caa20 2717 free_page((unsigned long)nosec_save);
1da177e4
LT		 2718out:
2719 return rc;
2720}
2721
026eb167
EP		 2722static int selinux_sb_remount(struct super_block *sb, void *data)
2723{
2724 int rc, i, *flags;
2725 struct security_mnt_opts opts;
2726 char *secdata, **mount_options;
2727 struct superblock_security_struct *sbsec = sb->s_security;
2728
2729 if (!(sbsec->flags & SE_SBINITIALIZED))
2730 return 0;
2731
2732 if (!data)
2733 return 0;
2734
2735 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2736 return 0;
2737
2738 security_init_mnt_opts(&opts);
2739 secdata = alloc_secdata();
2740 if (!secdata)
2741 return -ENOMEM;
2742 rc = selinux_sb_copy_data(data, secdata);
2743 if (rc)
2744 goto out_free_secdata;
2745
2746 rc = selinux_parse_opts_str(secdata, &opts);
2747 if (rc)
2748 goto out_free_secdata;
2749
2750 mount_options = opts.mnt_opts;
2751 flags = opts.mnt_opts_flags;
2752
2753 for (i = 0; i < opts.num_mnt_opts; i++) {
2754 u32 sid;
026eb167 2755
12f348b9 2756 if (flags[i] == SBLABEL_MNT)
026eb167 2757 continue;
44be2f65 2758 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2759 if (rc) {
44be2f65 2760 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2761 "(%s) failed for (dev %s, type %s) errno=%d\n",
2762 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2763 goto out_free_opts;
2764 }
2765 rc = -EINVAL;
2766 switch (flags[i]) {
2767 case FSCONTEXT_MNT:
2768 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2769 goto out_bad_option;
2770 break;
2771 case CONTEXT_MNT:
2772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2773 goto out_bad_option;
2774 break;
2775 case ROOTCONTEXT_MNT: {
2776 struct inode_security_struct *root_isec;
83da53c5 2777 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2778
2779 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2780 goto out_bad_option;
2781 break;
2782 }
2783 case DEFCONTEXT_MNT:
2784 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2785 goto out_bad_option;
2786 break;
2787 default:
2788 goto out_free_opts;
2789 }
2790 }
2791
2792 rc = 0;
2793out_free_opts:
2794 security_free_mnt_opts(&opts);
2795out_free_secdata:
2796 free_secdata(secdata);
2797 return rc;
2798out_bad_option:
2799 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2800 "during remount (dev %s, type=%s)\n", sb->s_id,
2801 sb->s_type->name);
026eb167
EP		 2802 goto out_free_opts;
2803}
2804
12204e24 2805static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2806{
88e67f3b 2807 const struct cred *cred = current_cred();
2bf49690 2808 struct common_audit_data ad;
1da177e4
LT		 2809 int rc;
2810
2811 rc = superblock_doinit(sb, data);
2812 if (rc)
2813 return rc;
2814
74192246
JM		 2815 /* Allow all mounts performed by the kernel */
2816 if (flags & MS_KERNMOUNT)
2817 return 0;
2818
50c205f5 2819 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2820 ad.u.dentry = sb->s_root;
88e67f3b 2821 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2822}
2823
726c3342 2824static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2825{
88e67f3b 2826 const struct cred *cred = current_cred();
2bf49690 2827 struct common_audit_data ad;
1da177e4 2828
50c205f5 2829 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2830 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2831 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2832}
2833
808d4e3c 2834static int selinux_mount(const char *dev_name,
8a04c43b 2835 const struct path *path,
808d4e3c 2836 const char *type,
828dfe1d
EP		 2837 unsigned long flags,
2838 void *data)
1da177e4 2839{
88e67f3b 2840 const struct cred *cred = current_cred();
1da177e4
LT		 2841
2842 if (flags & MS_REMOUNT)
d8c9584e 2843 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2844 FILESYSTEM__REMOUNT, NULL);
1da177e4 2845 else
2875fa00 2846 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2847}
2848
2849static int selinux_umount(struct vfsmount *mnt, int flags)
2850{
88e67f3b 2851 const struct cred *cred = current_cred();
1da177e4 2852
88e67f3b 2853 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2854 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2855}
2856
2857/* inode security operations */
2858
2859static int selinux_inode_alloc_security(struct inode *inode)
2860{
2861 return inode_alloc_security(inode);
2862}
2863
2864static void selinux_inode_free_security(struct inode *inode)
2865{
2866 inode_free_security(inode);
2867}
2868
d47be3df 2869static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2870 const struct qstr *name, void **ctx,
d47be3df
DQ		 2871 u32 *ctxlen)
2872{
d47be3df
DQ		 2873 u32 newsid;
2874 int rc;
2875
c957f6df
VG		 2876 rc = selinux_determine_inode_label(current_security(),
2877 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2878 inode_mode_to_security_class(mode),
2879 &newsid);
2880 if (rc)
2881 return rc;
d47be3df
DQ		 2882
2883 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2884}
2885
a518b0a5
VG		 2886static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2887 struct qstr *name,
2888 const struct cred *old,
2889 struct cred *new)
2890{
2891 u32 newsid;
2892 int rc;
2893 struct task_security_struct *tsec;
2894
2895 rc = selinux_determine_inode_label(old->security,
2896 d_inode(dentry->d_parent), name,
2897 inode_mode_to_security_class(mode),
2898 &newsid);
2899 if (rc)
2900 return rc;
2901
2902 tsec = new->security;
2903 tsec->create_sid = newsid;
2904 return 0;
2905}
2906
5e41ff9e 2907static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2908 const struct qstr *qstr,
2909 const char **name,
2a7dba39 2910 void **value, size_t *len)
5e41ff9e 2911{
5fb49870 2912 const struct task_security_struct *tsec = current_security();
5e41ff9e 2913 struct superblock_security_struct *sbsec;
275bb41e 2914 u32 sid, newsid, clen;
5e41ff9e 2915 int rc;
9548906b 2916 char *context;
5e41ff9e 2917
5e41ff9e 2918 sbsec = dir->i_sb->s_security;
5e41ff9e 2919
275bb41e
DH		 2920 sid = tsec->sid;
2921 newsid = tsec->create_sid;
2922
c957f6df 2923 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2924 dir, qstr,
2925 inode_mode_to_security_class(inode->i_mode),
2926 &newsid);
2927 if (rc)
2928 return rc;
5e41ff9e 2929
296fddf7 2930 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2931 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2932 struct inode_security_struct *isec = inode->i_security;
2933 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2934 isec->sid = newsid;
6f3be9f5 2935 isec->initialized = LABEL_INITIALIZED;
296fddf7 2936 }
5e41ff9e 2937
12f348b9 2938 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2939 return -EOPNOTSUPP;
2940
9548906b
TH		 2941 if (name)
2942 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2943
570bc1c2 2944 if (value && len) {
12b29f34 2945 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2946 if (rc)
570bc1c2 2947 return rc;
570bc1c2
SS		 2948 *value = context;
2949 *len = clen;
5e41ff9e 2950 }
5e41ff9e 2951
5e41ff9e
SS		 2952 return 0;
2953}
2954
4acdaf27 2955static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2956{
2957 return may_create(dir, dentry, SECCLASS_FILE);
2958}
2959
1da177e4
LT		 2960static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2961{
1da177e4
LT		 2962 return may_link(dir, old_dentry, MAY_LINK);
2963}
2964
1da177e4
LT		 2965static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2966{
1da177e4
LT		 2967 return may_link(dir, dentry, MAY_UNLINK);
2968}
2969
2970static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2971{
2972 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2973}
2974
18bb1db3 2975static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2976{
2977 return may_create(dir, dentry, SECCLASS_DIR);
2978}
2979
1da177e4
LT		 2980static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2981{
2982 return may_link(dir, dentry, MAY_RMDIR);
2983}
2984
1a67aafb 2985static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2986{
1da177e4
LT		 2987 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2988}
2989
1da177e4 2990static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2991 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2992{
2993 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2994}
2995
1da177e4
LT		 2996static int selinux_inode_readlink(struct dentry *dentry)
2997{
88e67f3b
DH		 2998 const struct cred *cred = current_cred();
2999
2875fa00 3000 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3001}
3002
bda0be7a
N		 3003static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3004 bool rcu)
1da177e4 3005{
88e67f3b 3006 const struct cred *cred = current_cred();
bda0be7a
N		 3007 struct common_audit_data ad;
3008 struct inode_security_struct *isec;
3009 u32 sid;
1da177e4 3010
bda0be7a
N		 3011 validate_creds(cred);
3012
3013 ad.type = LSM_AUDIT_DATA_DENTRY;
3014 ad.u.dentry = dentry;
3015 sid = cred_sid(cred);
5d226df4
AG		 3016 isec = inode_security_rcu(inode, rcu);
3017 if (IS_ERR(isec))
3018 return PTR_ERR(isec);
bda0be7a
N		 3019
3020 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3021 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3022}
3023
d4cf970d
EP		 3024static noinline int audit_inode_permission(struct inode *inode,
3025 u32 perms, u32 audited, u32 denied,
626b9740 3026 int result,
d4cf970d 3027 unsigned flags)
1da177e4 3028{
b782e0a6 3029 struct common_audit_data ad;
d4cf970d
EP		 3030 struct inode_security_struct *isec = inode->i_security;
3031 int rc;
3032
50c205f5 3033 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3034 ad.u.inode = inode;
3035
3036 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3037 audited, denied, result, &ad, flags);
d4cf970d
EP		 3038 if (rc)
3039 return rc;
3040 return 0;
3041}
3042
e74f71eb 3043static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3044{
88e67f3b 3045 const struct cred *cred = current_cred();
b782e0a6
EP		 3046 u32 perms;
3047 bool from_access;
cf1dd1da 3048 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3049 struct inode_security_struct *isec;
3050 u32 sid;
3051 struct av_decision avd;
3052 int rc, rc2;
3053 u32 audited, denied;
1da177e4 3054
b782e0a6 3055 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3056 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3057
b782e0a6
EP		 3058 /* No permission to check. Existence test. */
3059 if (!mask)
1da177e4 3060 return 0;
1da177e4 3061
2e334057 3062 validate_creds(cred);
b782e0a6 3063
2e334057
EP		 3064 if (unlikely(IS_PRIVATE(inode)))
3065 return 0;
b782e0a6
EP		 3066
3067 perms = file_mask_to_av(inode->i_mode, mask);
3068
2e334057 3069 sid = cred_sid(cred);
5d226df4
AG		 3070 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3071 if (IS_ERR(isec))
3072 return PTR_ERR(isec);
2e334057
EP		 3073
3074 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3075 audited = avc_audit_required(perms, &avd, rc,
3076 from_access ? FILE__AUDIT_ACCESS : 0,
3077 &denied);
3078 if (likely(!audited))
3079 return rc;
3080
626b9740 3081 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3082 if (rc2)
3083 return rc2;
3084 return rc;
1da177e4
LT		 3085}
3086
3087static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3088{
88e67f3b 3089 const struct cred *cred = current_cred();
ccb54478 3090 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3091 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3092 __u32 av = FILE__WRITE;
1da177e4 3093
bc6a6008
AW		 3094 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3095 if (ia_valid & ATTR_FORCE) {
3096 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3097 ATTR_FORCE);
3098 if (!ia_valid)
3099 return 0;
3100 }
1da177e4 3101
bc6a6008
AW		 3102 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3103 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3104 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3105
ccb54478
SS		 3106 if (selinux_policycap_openperm &&
3107 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3108 (ia_valid & ATTR_SIZE) &&
3109 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3110 av |= FILE__OPEN;
3111
3112 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3113}
3114
3f7036a0 3115static int selinux_inode_getattr(const struct path *path)
1da177e4 3116{
3f7036a0 3117 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3118}
3119
8f0cfa52 3120static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3121{
88e67f3b
DH		 3122 const struct cred *cred = current_cred();
3123
b5376771
SH		 3124 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3125 sizeof XATTR_SECURITY_PREFIX - 1)) {
3126 if (!strcmp(name, XATTR_NAME_CAPS)) {
3127 if (!capable(CAP_SETFCAP))
3128 return -EPERM;
3129 } else if (!capable(CAP_SYS_ADMIN)) {
3130 /* A different attribute in the security namespace.
3131 Restrict to administrator. */
3132 return -EPERM;
3133 }
3134 }
3135
3136 /* Not an attribute we recognize, so just check the
3137 ordinary setattr permission. */
2875fa00 3138 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3139}
3140
db59000a
SS		 3141static bool has_cap_mac_admin(bool audit)
3142{
3143 const struct cred *cred = current_cred();
3144 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3145
3146 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3147 return false;
3148 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3149 return false;
3150 return true;
3151}
3152
8f0cfa52
DH		 3153static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3154 const void *value, size_t size, int flags)
1da177e4 3155{
c6f493d6 3156 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3157 struct inode_security_struct *isec;
1da177e4 3158 struct superblock_security_struct *sbsec;
2bf49690 3159 struct common_audit_data ad;
275bb41e 3160 u32 newsid, sid = current_sid();
1da177e4
LT		 3161 int rc = 0;
3162
b5376771
SH		 3163 if (strcmp(name, XATTR_NAME_SELINUX))
3164 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3165
3166 sbsec = inode->i_sb->s_security;
12f348b9 3167 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3168 return -EOPNOTSUPP;
3169
2e149670 3170 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3171 return -EPERM;
3172
50c205f5 3173 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3174 ad.u.dentry = dentry;
1da177e4 3175
20cdef8d 3176 isec = backing_inode_security(dentry);
275bb41e 3177 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3178 FILE__RELABELFROM, &ad);
3179 if (rc)
3180 return rc;
3181
52a4c640 3182 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3183 if (rc == -EINVAL) {
db59000a 3184 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3185 struct audit_buffer *ab;
3186 size_t audit_size;
3187 const char *str;
3188
3189 /* We strip a nul only if it is at the end, otherwise the
3190 * context contains a nul and we should audit that */
e3fea3f7
AV		 3191 if (value) {
3192 str = value;
3193 if (str[size - 1] == '\0')
3194 audit_size = size - 1;
3195 else
3196 audit_size = size;
3197 } else {
3198 str = "";
3199 audit_size = 0;
3200 }
d6ea83ec
EP		 3201 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3202 audit_log_format(ab, "op=setxattr invalid_context=");
3203 audit_log_n_untrustedstring(ab, value, audit_size);
3204 audit_log_end(ab);
3205
12b29f34 3206 return rc;
d6ea83ec 3207 }
12b29f34
SS		 3208 rc = security_context_to_sid_force(value, size, &newsid);
3209 }
1da177e4
LT		 3210 if (rc)
3211 return rc;
3212
275bb41e 3213 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3214 FILE__RELABELTO, &ad);
3215 if (rc)
3216 return rc;
3217
275bb41e 3218 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3219 isec->sclass);
1da177e4
LT		 3220 if (rc)
3221 return rc;
3222
3223 return avc_has_perm(newsid,
3224 sbsec->sid,
3225 SECCLASS_FILESYSTEM,
3226 FILESYSTEM__ASSOCIATE,
3227 &ad);
3228}
3229
8f0cfa52 3230static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3231 const void *value, size_t size,
8f0cfa52 3232 int flags)
1da177e4 3233{
c6f493d6 3234 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3235 struct inode_security_struct *isec;
1da177e4
LT		 3236 u32 newsid;
3237 int rc;
3238
3239 if (strcmp(name, XATTR_NAME_SELINUX)) {
3240 /* Not an attribute we recognize, so nothing to do. */
3241 return;
3242 }
3243
12b29f34 3244 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3245 if (rc) {
12b29f34
SS		 3246 printk(KERN_ERR "SELinux: unable to map context to SID"
3247 "for (%s, %lu), rc=%d\n",
3248 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3249 return;
3250 }
3251
20cdef8d 3252 isec = backing_inode_security(dentry);
9287aed2 3253 spin_lock(&isec->lock);
aa9c2669 3254 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3255 isec->sid = newsid;
6f3be9f5 3256 isec->initialized = LABEL_INITIALIZED;
9287aed2 3257 spin_unlock(&isec->lock);
aa9c2669 3258
1da177e4
LT		 3259 return;
3260}
3261
8f0cfa52 3262static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3263{
88e67f3b
DH		 3264 const struct cred *cred = current_cred();
3265
2875fa00 3266 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3267}
3268
828dfe1d 3269static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3270{
88e67f3b
DH		 3271 const struct cred *cred = current_cred();
3272
2875fa00 3273 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3274}
3275
8f0cfa52 3276static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3277{
b5376771
SH		 3278 if (strcmp(name, XATTR_NAME_SELINUX))
3279 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3280
3281 /* No one is allowed to remove a SELinux security label.
3282 You can change the label, but all data must be labeled. */
3283 return -EACCES;
3284}
3285
d381d8a9 3286/*
abc69bb6 3287 * Copy the inode security context value to the user.
d381d8a9
JM		 3288 *
3289 * Permission check is handled by selinux_inode_getxattr hook.
3290 */
ea861dfd 3291static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3292{
42492594
DQ		 3293 u32 size;
3294 int error;
3295 char *context = NULL;
20cdef8d 3296 struct inode_security_struct *isec;
d381d8a9 3297
8c8570fb
DK		 3298 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3299 return -EOPNOTSUPP;
d381d8a9 3300
abc69bb6
SS		 3301 /*
3302 * If the caller has CAP_MAC_ADMIN, then get the raw context
3303 * value even if it is not defined by current policy; otherwise,
3304 * use the in-core value under current policy.
3305 * Use the non-auditing forms of the permission checks since
3306 * getxattr may be called by unprivileged processes commonly
3307 * and lack of permission just means that we fall back to the
3308 * in-core context value, not a denial.
3309 */
20cdef8d 3310 isec = inode_security(inode);
db59000a 3311 if (has_cap_mac_admin(false))
abc69bb6
SS		 3312 error = security_sid_to_context_force(isec->sid, &context,
3313 &size);
3314 else
3315 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3316 if (error)
3317 return error;
3318 error = size;
3319 if (alloc) {
3320 *buffer = context;
3321 goto out_nofree;
3322 }
3323 kfree(context);
3324out_nofree:
3325 return error;
1da177e4
LT		 3326}
3327
3328static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3329 const void *value, size_t size, int flags)
1da177e4 3330{
2c97165b 3331 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3332 u32 newsid;
3333 int rc;
3334
3335 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3336 return -EOPNOTSUPP;
3337
3338 if (!value || !size)
3339 return -EACCES;
3340
20ba96ae 3341 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3342 if (rc)
3343 return rc;
3344
9287aed2 3345 spin_lock(&isec->lock);
aa9c2669 3346 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3347 isec->sid = newsid;
6f3be9f5 3348 isec->initialized = LABEL_INITIALIZED;
9287aed2 3349 spin_unlock(&isec->lock);
1da177e4
LT		 3350 return 0;
3351}
3352
3353static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3354{
3355 const int len = sizeof(XATTR_NAME_SELINUX);
3356 if (buffer && len <= buffer_size)
3357 memcpy(buffer, XATTR_NAME_SELINUX, len);
3358 return len;
3359}
3360
d6335d77 3361static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3362{
e817c2f3 3363 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3364 *secid = isec->sid;
3365}
3366
56909eb3
VG		 3367static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3368{
3369 u32 sid;
3370 struct task_security_struct *tsec;
3371 struct cred *new_creds = *new;
3372
3373 if (new_creds == NULL) {
3374 new_creds = prepare_creds();
3375 if (!new_creds)
3376 return -ENOMEM;
3377 }
3378
3379 tsec = new_creds->security;
3380 /* Get label from overlay inode and set it in create_sid */
3381 selinux_inode_getsecid(d_inode(src), &sid);
3382 tsec->create_sid = sid;
3383 *new = new_creds;
3384 return 0;
3385}
3386
19472b69
VG		 3387static int selinux_inode_copy_up_xattr(const char *name)
3388{
3389 /* The copy_up hook above sets the initial context on an inode, but we
3390 * don't then want to overwrite it by blindly copying all the lower
3391 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3392 */
3393 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3394 return 1; /* Discard */
3395 /*
3396 * Any other attribute apart from SELINUX is not claimed, supported
3397 * by selinux.
3398 */
3399 return -EOPNOTSUPP;
3400}
3401
1da177e4
LT		 3402/* file security operations */
3403
788e7dd4 3404static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3405{
88e67f3b 3406 const struct cred *cred = current_cred();
496ad9aa 3407 struct inode *inode = file_inode(file);
1da177e4 3408
1da177e4
LT		 3409 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3410 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3411 mask |= MAY_APPEND;
3412
389fb800
PM		 3413 return file_has_perm(cred, file,
3414 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3415}
3416
788e7dd4
YN		 3417static int selinux_file_permission(struct file *file, int mask)
3418{
496ad9aa 3419 struct inode *inode = file_inode(file);
20dda18b 3420 struct file_security_struct *fsec = file->f_security;
b197367e 3421 struct inode_security_struct *isec;
20dda18b
SS		 3422 u32 sid = current_sid();
3423
389fb800 3424 if (!mask)
788e7dd4
YN		 3425 /* No permission to check. Existence test. */
3426 return 0;
788e7dd4 3427
b197367e 3428 isec = inode_security(inode);
20dda18b
SS		 3429 if (sid == fsec->sid && fsec->isid == isec->sid &&
3430 fsec->pseqno == avc_policy_seqno())
83d49856 3431 /* No change since file_open check. */
20dda18b
SS		 3432 return 0;
3433
788e7dd4
YN		 3434 return selinux_revalidate_file_permission(file, mask);
3435}
3436
1da177e4
LT		 3437static int selinux_file_alloc_security(struct file *file)
3438{
3439 return file_alloc_security(file);
3440}
3441
3442static void selinux_file_free_security(struct file *file)
3443{
3444 file_free_security(file);
3445}
3446
fa1aa143
JVS		 3447/*
3448 * Check whether a task has the ioctl permission and cmd
3449 * operation to an inode.
3450 */
1d2a168a 3451static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3452 u32 requested, u16 cmd)
3453{
3454 struct common_audit_data ad;
3455 struct file_security_struct *fsec = file->f_security;
3456 struct inode *inode = file_inode(file);
20cdef8d 3457 struct inode_security_struct *isec;
fa1aa143
JVS		 3458 struct lsm_ioctlop_audit ioctl;
3459 u32 ssid = cred_sid(cred);
3460 int rc;
3461 u8 driver = cmd >> 8;
3462 u8 xperm = cmd & 0xff;
3463
3464 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3465 ad.u.op = &ioctl;
3466 ad.u.op->cmd = cmd;
3467 ad.u.op->path = file->f_path;
3468
3469 if (ssid != fsec->sid) {
3470 rc = avc_has_perm(ssid, fsec->sid,
3471 SECCLASS_FD,
3472 FD__USE,
3473 &ad);
3474 if (rc)
3475 goto out;
3476 }
3477
3478 if (unlikely(IS_PRIVATE(inode)))
3479 return 0;
3480
20cdef8d 3481 isec = inode_security(inode);
fa1aa143
JVS		 3482 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3483 requested, driver, xperm, &ad);
3484out:
3485 return rc;
3486}
3487
1da177e4
LT		 3488static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3489 unsigned long arg)
3490{
88e67f3b 3491 const struct cred *cred = current_cred();
0b24dcb7 3492 int error = 0;
1da177e4 3493
0b24dcb7
EP		 3494 switch (cmd) {
3495 case FIONREAD:
3496 /* fall through */
3497 case FIBMAP:
3498 /* fall through */
3499 case FIGETBSZ:
3500 /* fall through */
2f99c369 3501 case FS_IOC_GETFLAGS:
0b24dcb7 3502 /* fall through */
2f99c369 3503 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3504 error = file_has_perm(cred, file, FILE__GETATTR);
3505 break;
1da177e4 3506
2f99c369 3507 case FS_IOC_SETFLAGS:
0b24dcb7 3508 /* fall through */
2f99c369 3509 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3510 error = file_has_perm(cred, file, FILE__SETATTR);
3511 break;
3512
3513 /* sys_ioctl() checks */
3514 case FIONBIO:
3515 /* fall through */
3516 case FIOASYNC:
3517 error = file_has_perm(cred, file, 0);
3518 break;
1da177e4 3519
0b24dcb7
EP		 3520 case KDSKBENT:
3521 case KDSKBSENT:
6a9de491 3522 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3523 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3524 break;
3525
3526 /* default case assumes that the command will go
3527 * to the file's ioctl() function.
3528 */
3529 default:
fa1aa143 3530 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3531 }
3532 return error;
1da177e4
LT		 3533}
3534
fcaaade1
SS		 3535static int default_noexec;
3536
1da177e4
LT		 3537static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3538{
88e67f3b 3539 const struct cred *cred = current_cred();
be0554c9 3540 u32 sid = cred_sid(cred);
d84f4f99 3541 int rc = 0;
88e67f3b 3542
fcaaade1 3543 if (default_noexec &&
892e8cac
SS		 3544 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3545 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3546 /*
3547 * We are making executable an anonymous mapping or a
3548 * private file mapping that will also be writable.
3549 * This has an additional check.
3550 */
be0554c9
SS		 3551 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3552 PROCESS__EXECMEM, NULL);
1da177e4 3553 if (rc)
d84f4f99 3554 goto error;
1da177e4 3555 }
1da177e4
LT		 3556
3557 if (file) {
3558 /* read access is always possible with a mapping */
3559 u32 av = FILE__READ;
3560
3561 /* write access only matters if the mapping is shared */
3562 if (shared && (prot & PROT_WRITE))
3563 av |= FILE__WRITE;
3564
3565 if (prot & PROT_EXEC)
3566 av |= FILE__EXECUTE;
3567
88e67f3b 3568 return file_has_perm(cred, file, av);
1da177e4 3569 }
d84f4f99
DH		 3570
3571error:
3572 return rc;
1da177e4
LT		 3573}
3574
e5467859 3575static int selinux_mmap_addr(unsigned long addr)
1da177e4 3576{
b1d9e6b0 3577 int rc = 0;
1da177e4 3578
a2551df7 3579 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3580 u32 sid = current_sid();
ed032189
EP		 3581 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3582 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3583 }
3584
98883bfd 3585 return rc;
e5467859 3586}
1da177e4 3587
e5467859
AV		 3588static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3589 unsigned long prot, unsigned long flags)
3590{
3ba4bf5f
SS		 3591 struct common_audit_data ad;
3592 int rc;
3593
3594 if (file) {
3595 ad.type = LSM_AUDIT_DATA_FILE;
3596 ad.u.file = file;
3597 rc = inode_has_perm(current_cred(), file_inode(file),
3598 FILE__MAP, &ad);
3599 if (rc)
3600 return rc;
3601 }
3602
1da177e4
LT		 3603 if (selinux_checkreqprot)
3604 prot = reqprot;
3605
3606 return file_map_prot_check(file, prot,
3607 (flags & MAP_TYPE) == MAP_SHARED);
3608}
3609
3610static int selinux_file_mprotect(struct vm_area_struct *vma,
3611 unsigned long reqprot,
3612 unsigned long prot)
3613{
88e67f3b 3614 const struct cred *cred = current_cred();
be0554c9 3615 u32 sid = cred_sid(cred);
1da177e4
LT		 3616
3617 if (selinux_checkreqprot)
3618 prot = reqprot;
3619
fcaaade1
SS		 3620 if (default_noexec &&
3621 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3622 int rc = 0;
db4c9641
SS		 3623 if (vma->vm_start >= vma->vm_mm->start_brk &&
3624 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3625 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3626 PROCESS__EXECHEAP, NULL);
db4c9641 3627 } else if (!vma->vm_file &&
c2316dbf
SS		 3628 ((vma->vm_start <= vma->vm_mm->start_stack &&
3629 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3630 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3631 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3632 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3633 } else if (vma->vm_file && vma->anon_vma) {
3634 /*
3635 * We are making executable a file mapping that has
3636 * had some COW done. Since pages might have been
3637 * written, check ability to execute the possibly
3638 * modified content. This typically should only
3639 * occur for text relocations.
3640 */
d84f4f99 3641 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3642 }