]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
UBUNTU: SAUCE: LSM: Infrastructure management of the sock security
[mirror_ubuntu-hirsute-kernel.git] / security / selinux / hooks.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
1da177e4
LT		 2/*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7efbb60b 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
1da177e4
LT		 11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
1da177e4 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 16 * <dgoeddel@trustedcs.com>
ed6d76e4 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 18 * Paul Moore <paul@paul-moore.com>
788e7dd4 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 21 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 22 */
23
1da177e4 24#include <linux/init.h>
0b24dcb7 25#include <linux/kd.h>
1da177e4 26#include <linux/kernel.h>
b89999d0 27#include <linux/kernel_read_file.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4 29#include <linux/errno.h>
3f07c014 30#include <linux/sched/signal.h>
29930025 31#include <linux/sched/task.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
442155c1
DH		 49#include <linux/fs_context.h>
50#include <linux/fs_parser.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
d452930f
RH		 70#include <linux/sctp.h>
71#include <net/sctp/structs.h>
1da177e4
LT		 72#include <linux/quota.h>
73#include <linux/un.h> /* for Unix socket types */
74#include <net/af_unix.h> /* for Unix socket types */
75#include <linux/parser.h>
76#include <linux/nfs_mount.h>
77#include <net/ipv6.h>
78#include <linux/hugetlb.h>
79#include <linux/personality.h>
1da177e4 80#include <linux/audit.h>
6931dfc9 81#include <linux/string.h>
23970741 82#include <linux/mutex.h>
f06febc9 83#include <linux/posix-timers.h>
00234592 84#include <linux/syslog.h>
3486740a 85#include <linux/user_namespace.h>
44fc7ea0 86#include <linux/export.h>
40401530
AV		 87#include <linux/msg.h>
88#include <linux/shm.h>
ec27c356 89#include <linux/bpf.h>
ec882da5
OM		 90#include <linux/kernfs.h>
91#include <linux/stringhash.h> /* for hashlen_string() */
e262e32d 92#include <uapi/linux/mount.h>
ac5656d8
AG		 93#include <linux/fsnotify.h>
94#include <linux/fanotify.h>
1da177e4
LT		 95
96#include "avc.h"
97#include "objsec.h"
98#include "netif.h"
224dfbd8 99#include "netnode.h"
3e112172 100#include "netport.h"
409dcf31 101#include "ibpkey.h"
d28d1e08 102#include "xfrm.h"
c60475bf 103#include "netlabel.h"
9d57a7f9 104#include "audit.h"
7b98a585 105#include "avc_ss.h"
1da177e4 106
aa8e712c
SS		 107struct selinux_state selinux_state;
108
d621d35e 109/* SECMARK reference count */
56a4ca99 110static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 111
1da177e4 112#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
6c5a682e 113static int selinux_enforcing_boot __initdata;
1da177e4
LT		 114
115static int __init enforcing_setup(char *str)
116{
f5269710 117 unsigned long enforcing;
29707b20 118 if (!kstrtoul(str, 0, &enforcing))
aa8e712c 119 selinux_enforcing_boot = enforcing ? 1 : 0;
1da177e4
LT		 120 return 1;
121}
122__setup("enforcing=", enforcing_setup);
aa8e712c
SS		 123#else
124#define selinux_enforcing_boot 1
1da177e4
LT		 125#endif
126
6c5a682e 127int selinux_enabled_boot __initdata = 1;
1da177e4 128#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
1da177e4
LT		 129static int __init selinux_enabled_setup(char *str)
130{
f5269710 131 unsigned long enabled;
29707b20 132 if (!kstrtoul(str, 0, &enabled))
6c5a682e 133 selinux_enabled_boot = enabled ? 1 : 0;
1da177e4
LT		 134 return 1;
135}
136__setup("selinux=", selinux_enabled_setup);
137#endif
138
aa8e712c
SS		 139static unsigned int selinux_checkreqprot_boot =
140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142static int __init checkreqprot_setup(char *str)
143{
144 unsigned long checkreqprot;
145
e9c38f9f 146 if (!kstrtoul(str, 0, &checkreqprot)) {
aa8e712c 147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
e9c38f9f
SS		 148 if (checkreqprot)
149 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
150 }
aa8e712c
SS		 151 return 1;
152}
153__setup("checkreqprot=", checkreqprot_setup);
154
d621d35e
PM		 155/**
156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157 *
158 * Description:
159 * This function checks the SECMARK reference counter to see if any SECMARK
160 * targets are currently configured, if the reference counter is greater than
161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network
163 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 164 *
165 */
166static int selinux_secmark_enabled(void)
167{
aa8e712c
SS		 168 return (selinux_policycap_alwaysnetwork() ||
169 atomic_read(&selinux_secmark_refcount));
2be4d74f
CP		 170}
171
172/**
173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174 *
175 * Description:
176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
177 * (1) if any are enabled or false (0) if neither are enabled. If the
178 * always_check_network policy capability is enabled, peer labeling
179 * is always considered enabled.
180 *
181 */
182static int selinux_peerlbl_enabled(void)
183{
aa8e712c
SS		 184 return (selinux_policycap_alwaysnetwork() ||
185 netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 186}
187
615e51fd
PM		 188static int selinux_netcache_avc_callback(u32 event)
189{
190 if (event == AVC_CALLBACK_RESET) {
191 sel_netif_flush();
192 sel_netnode_flush();
193 sel_netport_flush();
194 synchronize_net();
195 }
196 return 0;
197}
198
8f408ab6
DJ		 199static int selinux_lsm_notifier_avc_callback(u32 event)
200{
409dcf31
DJ		 201 if (event == AVC_CALLBACK_RESET) {
202 sel_ib_pkey_flush();
42df744c 203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 204 }
8f408ab6
DJ		 205
206 return 0;
207}
208
d84f4f99
DH		 209/*
210 * initialise the security for the init task
211 */
212static void cred_init_security(void)
1da177e4 213{
3b11a1de 214 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 215 struct task_security_struct *tsec;
216
bbd3662a 217 tsec = selinux_cred(cred);
d84f4f99 218 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 219}
220
88e67f3b
DH		 221/*
222 * get the security ID of a set of credentials
223 */
224static inline u32 cred_sid(const struct cred *cred)
225{
226 const struct task_security_struct *tsec;
227
0c6cfa62 228 tsec = selinux_cred(cred);
88e67f3b
DH		 229 return tsec->sid;
230}
231
275bb41e 232/*
3b11a1de 233 * get the objective security ID of a task
275bb41e
DH		 234 */
235static inline u32 task_sid(const struct task_struct *task)
236{
275bb41e
DH		 237 u32 sid;
238
239 rcu_read_lock();
88e67f3b 240 sid = cred_sid(__task_cred(task));
275bb41e
DH		 241 rcu_read_unlock();
242 return sid;
243}
244
5d226df4
AG		 245static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247/*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 250 * allowed; when set to false, returns -ECHILD when the label is
e9193288 251 * invalid. The @dentry parameter should be set to a dentry of the inode.
5d226df4
AG		 252 */
253static int __inode_security_revalidate(struct inode *inode,
e9193288 254 struct dentry *dentry,
5d226df4
AG		 255 bool may_sleep)
256{
80788c22 257 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 258
259 might_sleep_if(may_sleep);
260
65cddd50 261 if (selinux_initialized(&selinux_state) &&
aa8e712c 262 isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
e9193288 271 inode_doinit_with_dentry(inode, dentry);
5d226df4
AG		 272 }
273 return 0;
274}
275
5d226df4
AG		 276static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277{
80788c22 278 return selinux_inode(inode);
5d226df4
AG		 279}
280
281static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282{
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
80788c22 288 return selinux_inode(inode);
5d226df4
AG		 289}
290
83da53c5
AG		 291/*
292 * Get the security label of an inode.
293 */
294static struct inode_security_struct *inode_security(struct inode *inode)
295{
5d226df4 296 __inode_security_revalidate(inode, NULL, true);
80788c22 297 return selinux_inode(inode);
83da53c5
AG		 298}
299
2c97165b
PM		 300static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301{
302 struct inode *inode = d_backing_inode(dentry);
303
80788c22 304 return selinux_inode(inode);
2c97165b
PM		 305}
306
83da53c5
AG		 307/*
308 * Get the security label of a dentry's backing inode.
309 */
310static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311{
312 struct inode *inode = d_backing_inode(dentry);
313
5d226df4 314 __inode_security_revalidate(inode, dentry, true);
80788c22 315 return selinux_inode(inode);
83da53c5
AG		 316}
317
1da177e4
LT		 318static void inode_free_security(struct inode *inode)
319{
80788c22 320 struct inode_security_struct *isec = selinux_inode(inode);
afb1cbe3 321 struct superblock_security_struct *sbsec;
1da177e4 322
afb1cbe3
CS		 323 if (!isec)
324 return;
325 sbsec = inode->i_sb->s_security;
9629d04a
WL		 326 /*
327 * As not all inode security structures are in a list, we check for
328 * empty list outside of the lock to make sure that we won't waste
329 * time taking a lock doing nothing.
330 *
331 * The list_del_init() function can be safely called more than once.
332 * It should not be possible for this function to be called with
333 * concurrent list_add(), but for better safety against future changes
334 * in the code, we use list_empty_careful() here.
335 */
336 if (!list_empty_careful(&isec->list)) {
337 spin_lock(&sbsec->isec_lock);
1da177e4 338 list_del_init(&isec->list);
9629d04a
WL		 339 spin_unlock(&sbsec->isec_lock);
340 }
1da177e4
LT		 341}
342
1da177e4
LT		 343static void superblock_free_security(struct super_block *sb)
344{
345 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 346 sb->s_security = NULL;
347 kfree(sbsec);
348}
349
bd323655
AV		 350struct selinux_mnt_opts {
351 const char *fscontext, *context, *rootcontext, *defcontext;
352};
353
204cc0cc
AV		 354static void selinux_free_mnt_opts(void *mnt_opts)
355{
bd323655
AV		 356 struct selinux_mnt_opts *opts = mnt_opts;
357 kfree(opts->fscontext);
358 kfree(opts->context);
359 kfree(opts->rootcontext);
360 kfree(opts->defcontext);
204cc0cc
AV		 361 kfree(opts);
362}
363
1da177e4 364enum {
31e87930 365 Opt_error = -1,
442155c1
DH		 366 Opt_context = 0,
367 Opt_defcontext = 1,
1da177e4 368 Opt_fscontext = 2,
442155c1
DH		 369 Opt_rootcontext = 3,
370 Opt_seclabel = 4,
1da177e4
LT		 371};
372
da3d76ab 373#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
169d68ef
AV		 374static struct {
375 const char *name;
376 int len;
377 int opt;
378 bool has_arg;
379} tokens[] = {
da3d76ab
AV		 380 A(context, true),
381 A(fscontext, true),
382 A(defcontext, true),
383 A(rootcontext, true),
384 A(seclabel, false),
1da177e4 385};
169d68ef
AV		 386#undef A
387
388static int match_opt_prefix(char *s, int l, char **arg)
389{
390 int i;
391
392 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
393 size_t len = tokens[i].len;
394 if (len > l || memcmp(s, tokens[i].name, len))
395 continue;
396 if (tokens[i].has_arg) {
397 if (len == l || s[len] != '=')
398 continue;
399 *arg = s + len + 1;
400 } else if (len != l)
401 continue;
402 return tokens[i].opt;
403 }
404 return Opt_error;
405}
1da177e4
LT		 406
407#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
408
c312feb2
EP		 409static int may_context_mount_sb_relabel(u32 sid,
410 struct superblock_security_struct *sbsec,
275bb41e 411 const struct cred *cred)
c312feb2 412{
0c6cfa62 413 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 414 int rc;
415
6b6bc620
SS		 416 rc = avc_has_perm(&selinux_state,
417 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 418 FILESYSTEM__RELABELFROM, NULL);
419 if (rc)
420 return rc;
421
6b6bc620
SS		 422 rc = avc_has_perm(&selinux_state,
423 tsec->sid, sid, SECCLASS_FILESYSTEM,
c312feb2
EP		 424 FILESYSTEM__RELABELTO, NULL);
425 return rc;
426}
427
0808925e
EP		 428static int may_context_mount_inode_relabel(u32 sid,
429 struct superblock_security_struct *sbsec,
275bb41e 430 const struct cred *cred)
0808925e 431{
0c6cfa62 432 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e 433 int rc;
6b6bc620
SS		 434 rc = avc_has_perm(&selinux_state,
435 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 436 FILESYSTEM__RELABELFROM, NULL);
437 if (rc)
438 return rc;
439
6b6bc620
SS		 440 rc = avc_has_perm(&selinux_state,
441 sid, sbsec->sid, SECCLASS_FILESYSTEM,
0808925e
EP		 442 FILESYSTEM__ASSOCIATE, NULL);
443 return rc;
444}
445
a83d6dda 446static int selinux_is_genfs_special_handling(struct super_block *sb)
b43e725d 447{
a83d6dda
OM		 448 /* Special handling. Genfs but also in-core setxattr handler */
449 return !strcmp(sb->s_type->name, "sysfs") ||
d5f3a5f6
MS		 450 !strcmp(sb->s_type->name, "pstore") ||
451 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 452 !strcmp(sb->s_type->name, "tracefs") ||
2651225b 453 !strcmp(sb->s_type->name, "rootfs") ||
aa8e712c 454 (selinux_policycap_cgroupseclabel() &&
2651225b
SS		 455 (!strcmp(sb->s_type->name, "cgroup") ||
456 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 457}
458
a83d6dda
OM		 459static int selinux_is_sblabel_mnt(struct super_block *sb)
460{
461 struct superblock_security_struct *sbsec = sb->s_security;
462
463 /*
464 * IMPORTANT: Double-check logic in this function when adding a new
465 * SECURITY_FS_USE_* definition!
466 */
467 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
468
469 switch (sbsec->behavior) {
470 case SECURITY_FS_USE_XATTR:
471 case SECURITY_FS_USE_TRANS:
472 case SECURITY_FS_USE_TASK:
473 case SECURITY_FS_USE_NATIVE:
474 return 1;
475
476 case SECURITY_FS_USE_GENFS:
477 return selinux_is_genfs_special_handling(sb);
478
479 /* Never allow relabeling on context mounts */
480 case SECURITY_FS_USE_MNTPOINT:
481 case SECURITY_FS_USE_NONE:
482 default:
483 return 0;
484 }
485}
486
c9180a57 487static int sb_finish_set_opts(struct super_block *sb)
1da177e4 488{
1da177e4 489 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 490 struct dentry *root = sb->s_root;
c6f493d6 491 struct inode *root_inode = d_backing_inode(root);
c9180a57 492 int rc = 0;
1da177e4 493
c9180a57
EP		 494 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
495 /* Make sure that the xattr handler exists and that no
496 error other than -ENODATA is returned by getxattr on
497 the root directory. -ENODATA is ok, as this may be
498 the first boot of the SELinux kernel before we have
499 assigned xattr values to the filesystem. */
5d6c3191 500 if (!(root_inode->i_opflags & IOP_XATTR)) {
c103a91e 501 pr_warn("SELinux: (dev %s, type %s) has no "
29b1deb2 502 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 503 rc = -EOPNOTSUPP;
504 goto out;
505 }
5d6c3191
AG		 506
507 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 508 if (rc < 0 && rc != -ENODATA) {
509 if (rc == -EOPNOTSUPP)
c103a91e 510 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 511 "%s) has no security xattr handler\n",
512 sb->s_id, sb->s_type->name);
c9180a57 513 else
c103a91e 514 pr_warn("SELinux: (dev %s, type "
29b1deb2
LT		 515 "%s) getxattr errno %d\n", sb->s_id,
516 sb->s_type->name, -rc);
c9180a57
EP		 517 goto out;
518 }
519 }
1da177e4 520
eadcabc6 521 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 522
523 /*
524 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
525 * leave the flag untouched because sb_clone_mnt_opts might be handing
526 * us a superblock that needs the flag to be cleared.
527 */
b43e725d 528 if (selinux_is_sblabel_mnt(sb))
12f348b9 529 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 530 else
531 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 532
c9180a57
EP		 533 /* Initialize the root inode. */
534 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 535
c9180a57
EP		 536 /* Initialize any other inodes associated with the superblock, e.g.
537 inodes created prior to initial policy load or inodes created
538 during get_sb by a pseudo filesystem that directly
539 populates itself. */
540 spin_lock(&sbsec->isec_lock);
8d64124a 541 while (!list_empty(&sbsec->isec_head)) {
c9180a57 542 struct inode_security_struct *isec =
8d64124a 543 list_first_entry(&sbsec->isec_head,
c9180a57
EP		 544 struct inode_security_struct, list);
545 struct inode *inode = isec->inode;
923190d3 546 list_del_init(&isec->list);
c9180a57
EP		 547 spin_unlock(&sbsec->isec_lock);
548 inode = igrab(inode);
549 if (inode) {
550 if (!IS_PRIVATE(inode))
cb89e246 551 inode_doinit_with_dentry(inode, NULL);
c9180a57
EP		 552 iput(inode);
553 }
554 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 555 }
556 spin_unlock(&sbsec->isec_lock);
557out:
558 return rc;
559}
1da177e4 560
c9180a57
EP		 561static int bad_option(struct superblock_security_struct *sbsec, char flag,
562 u32 old_sid, u32 new_sid)
563{
0d90a7ec
DQ		 564 char mnt_flags = sbsec->flags & SE_MNTMASK;
565
c9180a57 566 /* check if the old mount command had the same options */
0d90a7ec 567 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 568 if (!(sbsec->flags & flag) ||
569 (old_sid != new_sid))
570 return 1;
571
572 /* check if we were passed the same options twice,
573 * aka someone passed context=a,context=b
574 */
0d90a7ec
DQ		 575 if (!(sbsec->flags & SE_SBINITIALIZED))
576 if (mnt_flags & flag)
c9180a57
EP		 577 return 1;
578 return 0;
579}
e0007529 580
bd323655
AV		 581static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
582{
583 int rc = security_context_str_to_sid(&selinux_state, s,
584 sid, GFP_KERNEL);
585 if (rc)
586 pr_warn("SELinux: security_context_str_to_sid"
587 "(%s) failed for (dev %s, type %s) errno=%d\n",
588 s, sb->s_id, sb->s_type->name, rc);
589 return rc;
590}
591
c9180a57
EP		 592/*
593 * Allow filesystems with binary mount data to explicitly set mount point
594 * labeling information.
595 */
e0007529 596static int selinux_set_mnt_opts(struct super_block *sb,
204cc0cc 597 void *mnt_opts,
649f6e77
DQ		 598 unsigned long kern_flags,
599 unsigned long *set_kern_flags)
c9180a57 600{
275bb41e 601 const struct cred *cred = current_cred();
c9180a57 602 struct superblock_security_struct *sbsec = sb->s_security;
b159e86b 603 struct dentry *root = sb->s_root;
bd323655 604 struct selinux_mnt_opts *opts = mnt_opts;
2c97165b 605 struct inode_security_struct *root_isec;
c9180a57
EP		 606 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
607 u32 defcontext_sid = 0;
bd323655 608 int rc = 0;
c9180a57
EP		 609
610 mutex_lock(&sbsec->lock);
611
65cddd50 612 if (!selinux_initialized(&selinux_state)) {
bd323655 613 if (!opts) {
c9180a57
EP		 614 /* Defer initialization until selinux_complete_init,
615 after the initial policy is loaded and the security
616 server is ready to handle calls. */
c9180a57
EP		 617 goto out;
618 }
619 rc = -EINVAL;
c103a91e 620 pr_warn("SELinux: Unable to set superblock options "
744ba35e 621 "before the security server is initialized\n");
1da177e4 622 goto out;
c9180a57 623 }
649f6e77
DQ		 624 if (kern_flags && !set_kern_flags) {
625 /* Specifying internal flags without providing a place to
626 * place the results is not allowed */
627 rc = -EINVAL;
628 goto out;
629 }
1da177e4 630
e0007529
EP		 631 /*
632 * Binary mount data FS will come through this function twice. Once
633 * from an explicit call and once from the generic calls from the vfs.
634 * Since the generic VFS calls will not contain any security mount data
635 * we need to skip the double mount verification.
636 *
637 * This does open a hole in which we will not notice if the first
638 * mount using this sb set explict options and a second mount using
639 * this sb does not set any security options. (The first options
640 * will be used for both mounts)
641 */
0d90a7ec 642 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
bd323655 643 && !opts)
f5269710 644 goto out;
e0007529 645
2c97165b
PM		 646 root_isec = backing_inode_security_novalidate(root);
647
c9180a57
EP		 648 /*
649 * parse the mount options, check if they are valid sids.
650 * also check if someone is trying to mount the same sb more
651 * than once with different security options.
652 */
bd323655
AV		 653 if (opts) {
654 if (opts->fscontext) {
655 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
656 if (rc)
657 goto out;
c9180a57
EP		 658 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
659 fscontext_sid))
660 goto out_double_mount;
c9180a57 661 sbsec->flags |= FSCONTEXT_MNT;
bd323655
AV		 662 }
663 if (opts->context) {
664 rc = parse_sid(sb, opts->context, &context_sid);
665 if (rc)
666 goto out;
c9180a57
EP		 667 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
668 context_sid))
669 goto out_double_mount;
c9180a57 670 sbsec->flags |= CONTEXT_MNT;
bd323655
AV		 671 }
672 if (opts->rootcontext) {
673 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
674 if (rc)
675 goto out;
c9180a57
EP		 676 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
677 rootcontext_sid))
678 goto out_double_mount;
c9180a57 679 sbsec->flags |= ROOTCONTEXT_MNT;
bd323655
AV		 680 }
681 if (opts->defcontext) {
682 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
683 if (rc)
684 goto out;
c9180a57
EP		 685 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
686 defcontext_sid))
687 goto out_double_mount;
c9180a57 688 sbsec->flags |= DEFCONTEXT_MNT;
1da177e4 689 }
c9180a57
EP		 690 }
691
0d90a7ec 692 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 693 /* previously mounted with options, but not on this attempt? */
bd323655 694 if ((sbsec->flags & SE_MNTMASK) && !opts)
c9180a57
EP		 695 goto out_double_mount;
696 rc = 0;
697 goto out;
698 }
699
089be43e 700 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 701 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
702
8e014720 703 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 704 !strcmp(sb->s_type->name, "tracefs") ||
a20456ae 705 !strcmp(sb->s_type->name, "binder") ||
4ca54d3d 706 !strcmp(sb->s_type->name, "bpf") ||
b754026b
OM		 707 !strcmp(sb->s_type->name, "pstore"))
708 sbsec->flags |= SE_SBGENFS;
709
710 if (!strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 711 !strcmp(sb->s_type->name, "cgroup") ||
712 !strcmp(sb->s_type->name, "cgroup2"))
b754026b 713 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
c9180a57 714
eb9ae686
DQ		 715 if (!sbsec->behavior) {
716 /*
717 * Determine the labeling behavior to use for this
718 * filesystem type.
719 */
aa8e712c 720 rc = security_fs_use(&selinux_state, sb);
eb9ae686 721 if (rc) {
c103a91e 722 pr_warn("%s: security_fs_use(%s) returned %d\n",
eb9ae686
DQ		 723 __func__, sb->s_type->name, rc);
724 goto out;
725 }
c9180a57 726 }
aad82892
SF		 727
728 /*
01593d32
SS		 729 * If this is a user namespace mount and the filesystem type is not
730 * explicitly whitelisted, then no contexts are allowed on the command
731 * line and security labels must be ignored.
aad82892 732 */
01593d32
SS		 733 if (sb->s_user_ns != &init_user_ns &&
734 strcmp(sb->s_type->name, "tmpfs") &&
735 strcmp(sb->s_type->name, "ramfs") &&
736 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 737 if (context_sid || fscontext_sid || rootcontext_sid ||
738 defcontext_sid) {
739 rc = -EACCES;
740 goto out;
741 }
742 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
743 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
aa8e712c
SS		 744 rc = security_transition_sid(&selinux_state,
745 current_sid(),
746 current_sid(),
aad82892
SF		 747 SECCLASS_FILE, NULL,
748 &sbsec->mntpoint_sid);
749 if (rc)
750 goto out;
751 }
752 goto out_set_opts;
753 }
754
c9180a57
EP		 755 /* sets the context of the superblock for the fs being mounted. */
756 if (fscontext_sid) {
275bb41e 757 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 758 if (rc)
c9180a57 759 goto out;
1da177e4 760
c9180a57 761 sbsec->sid = fscontext_sid;
c312feb2
EP		 762 }
763
764 /*
765 * Switch to using mount point labeling behavior.
766 * sets the label used on all file below the mountpoint, and will set
767 * the superblock context if not already set.
768 */
eb9ae686
DQ		 769 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
770 sbsec->behavior = SECURITY_FS_USE_NATIVE;
771 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
772 }
773
c9180a57
EP		 774 if (context_sid) {
775 if (!fscontext_sid) {
275bb41e
DH		 776 rc = may_context_mount_sb_relabel(context_sid, sbsec,
777 cred);
b04ea3ce 778 if (rc)
c9180a57
EP		 779 goto out;
780 sbsec->sid = context_sid;
b04ea3ce 781 } else {
275bb41e
DH		 782 rc = may_context_mount_inode_relabel(context_sid, sbsec,
783 cred);
b04ea3ce 784 if (rc)
c9180a57 785 goto out;
b04ea3ce 786 }
c9180a57
EP		 787 if (!rootcontext_sid)
788 rootcontext_sid = context_sid;
1da177e4 789
c9180a57 790 sbsec->mntpoint_sid = context_sid;
c312feb2 791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 792 }
793
c9180a57 794 if (rootcontext_sid) {
275bb41e
DH		 795 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
796 cred);
0808925e 797 if (rc)
c9180a57 798 goto out;
0808925e 799
c9180a57 800 root_isec->sid = rootcontext_sid;
6f3be9f5 801 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 802 }
803
c9180a57 804 if (defcontext_sid) {
eb9ae686
DQ		 805 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
806 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57 807 rc = -EINVAL;
c103a91e 808 pr_warn("SELinux: defcontext option is "
c9180a57
EP		 809 "invalid for this filesystem type\n");
810 goto out;
1da177e4
LT		 811 }
812
c9180a57
EP		 813 if (defcontext_sid != sbsec->def_sid) {
814 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 815 sbsec, cred);
c9180a57
EP		 816 if (rc)
817 goto out;
818 }
1da177e4 819
c9180a57 820 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 821 }
822
aad82892 823out_set_opts:
c9180a57 824 rc = sb_finish_set_opts(sb);
1da177e4 825out:
c9180a57 826 mutex_unlock(&sbsec->lock);
1da177e4 827 return rc;
c9180a57
EP		 828out_double_mount:
829 rc = -EINVAL;
c103a91e 830 pr_warn("SELinux: mount invalid. Same superblock, different "
bd323655
AV		 831 "security settings for (dev %s, type %s)\n", sb->s_id,
832 sb->s_type->name);
c9180a57 833 goto out;
1da177e4
LT		 834}
835
094f7b69
JL		 836static int selinux_cmp_sb_context(const struct super_block *oldsb,
837 const struct super_block *newsb)
838{
839 struct superblock_security_struct *old = oldsb->s_security;
840 struct superblock_security_struct *new = newsb->s_security;
841 char oldflags = old->flags & SE_MNTMASK;
842 char newflags = new->flags & SE_MNTMASK;
843
844 if (oldflags != newflags)
845 goto mismatch;
846 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
847 goto mismatch;
848 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
849 goto mismatch;
850 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
851 goto mismatch;
852 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 853 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
854 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 855 if (oldroot->sid != newroot->sid)
856 goto mismatch;
857 }
858 return 0;
859mismatch:
c103a91e 860 pr_warn("SELinux: mount invalid. Same superblock, "
094f7b69
JL		 861 "different security settings for (dev %s, "
862 "type %s)\n", newsb->s_id, newsb->s_type->name);
863 return -EBUSY;
864}
865
866static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 867 struct super_block *newsb,
868 unsigned long kern_flags,
869 unsigned long *set_kern_flags)
1da177e4 870{
0b4d3452 871 int rc = 0;
c9180a57
EP		 872 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
873 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 874
c9180a57
EP		 875 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
876 int set_context = (oldsbsec->flags & CONTEXT_MNT);
877 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 878
0f5e6420
EP		 879 /*
880 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 881 * mount options. thus we can safely deal with this superblock later
0f5e6420 882 */
65cddd50 883 if (!selinux_initialized(&selinux_state))
094f7b69 884 return 0;
c9180a57 885
0b4d3452
SM		 886 /*
887 * Specifying internal flags without providing a place to
888 * place the results is not allowed.
889 */
890 if (kern_flags && !set_kern_flags)
891 return -EINVAL;
892
c9180a57 893 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 894 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 895
094f7b69 896 /* if fs is reusing a sb, make sure that the contexts match */
3815a245
BF		 897 if (newsbsec->flags & SE_SBINITIALIZED) {
898 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
899 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 900 return selinux_cmp_sb_context(oldsb, newsb);
3815a245 901 }
5a552617 902
c9180a57
EP		 903 mutex_lock(&newsbsec->lock);
904
905 newsbsec->flags = oldsbsec->flags;
906
907 newsbsec->sid = oldsbsec->sid;
908 newsbsec->def_sid = oldsbsec->def_sid;
909 newsbsec->behavior = oldsbsec->behavior;
910
0b4d3452
SM		 911 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
912 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
aa8e712c 913 rc = security_fs_use(&selinux_state, newsb);
0b4d3452
SM		 914 if (rc)
915 goto out;
916 }
917
918 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
919 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
920 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
921 }
922
c9180a57
EP		 923 if (set_context) {
924 u32 sid = oldsbsec->mntpoint_sid;
925
926 if (!set_fscontext)
927 newsbsec->sid = sid;
928 if (!set_rootcontext) {
83da53c5 929 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 930 newisec->sid = sid;
931 }
932 newsbsec->mntpoint_sid = sid;
1da177e4 933 }
c9180a57 934 if (set_rootcontext) {
83da53c5
AG		 935 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
936 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 937
c9180a57 938 newisec->sid = oldisec->sid;
1da177e4
LT		 939 }
940
c9180a57 941 sb_finish_set_opts(newsb);
0b4d3452 942out:
c9180a57 943 mutex_unlock(&newsbsec->lock);
0b4d3452 944 return rc;
c9180a57
EP		 945}
946
ba641862 947static int selinux_add_opt(int token, const char *s, void **mnt_opts)
c9180a57 948{
ba641862 949 struct selinux_mnt_opts *opts = *mnt_opts;
1da177e4 950
da3d76ab 951 if (token == Opt_seclabel) /* eaten and completely ignored */
169d68ef 952 return 0;
e0007529 953
ba641862
AV		 954 if (!opts) {
955 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
956 if (!opts)
957 return -ENOMEM;
958 *mnt_opts = opts;
c9180a57 959 }
ba641862
AV		 960 if (!s)
961 return -ENOMEM;
962 switch (token) {
963 case Opt_context:
964 if (opts->context || opts->defcontext)
965 goto Einval;
966 opts->context = s;
967 break;
968 case Opt_fscontext:
969 if (opts->fscontext)
970 goto Einval;
971 opts->fscontext = s;
972 break;
973 case Opt_rootcontext:
974 if (opts->rootcontext)
975 goto Einval;
976 opts->rootcontext = s;
977 break;
978 case Opt_defcontext:
979 if (opts->context || opts->defcontext)
980 goto Einval;
981 opts->defcontext = s;
982 break;
c9180a57 983 }
e0007529 984 return 0;
ba641862
AV		 985Einval:
986 pr_warn(SEL_MOUNT_FAIL_MSG);
ba641862 987 return -EINVAL;
1da177e4 988}
e0007529 989
757cbe59
AV		 990static int selinux_add_mnt_opt(const char *option, const char *val, int len,
991 void **mnt_opts)
c9180a57 992{
757cbe59
AV		 993 int token = Opt_error;
994 int rc, i;
e0007529 995
757cbe59
AV		 996 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
997 if (strcmp(option, tokens[i].name) == 0) {
998 token = tokens[i].opt;
999 break;
169d68ef 1000 }
757cbe59 1001 }
e0007529 1002
757cbe59
AV		 1003 if (token == Opt_error)
1004 return -EINVAL;
e0007529 1005
e2e0e097 1006 if (token != Opt_seclabel) {
757cbe59 1007 val = kmemdup_nul(val, len, GFP_KERNEL);
e2e0e097
GZ		 1008 if (!val) {
1009 rc = -ENOMEM;
1010 goto free_opt;
1011 }
1012 }
757cbe59
AV		 1013 rc = selinux_add_opt(token, val, mnt_opts);
1014 if (unlikely(rc)) {
1015 kfree(val);
e2e0e097
GZ		 1016 goto free_opt;
1017 }
1018 return rc;
1019
1020free_opt:
1021 if (*mnt_opts) {
1022 selinux_free_mnt_opts(*mnt_opts);
1023 *mnt_opts = NULL;
1da177e4 1024 }
e0007529
EP		 1025 return rc;
1026}
1da177e4 1027
e3489f89 1028static int show_sid(struct seq_file *m, u32 sid)
2069f457 1029{
e3489f89
AV		 1030 char *context = NULL;
1031 u32 len;
1032 int rc;
11689d47 1033
e3489f89
AV		 1034 rc = security_sid_to_context(&selinux_state, sid,
1035 &context, &len);
1036 if (!rc) {
1037 bool has_comma = context && strchr(context, ',');
2069f457 1038
442155c1 1039 seq_putc(m, '=');
2069f457
EP		 1040 if (has_comma)
1041 seq_putc(m, '\"');
e3489f89 1042 seq_escape(m, context, "\"\n\\");
2069f457
EP		 1043 if (has_comma)
1044 seq_putc(m, '\"');
1045 }
e3489f89
AV		 1046 kfree(context);
1047 return rc;
2069f457
EP		 1048}
1049
1050static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1051{
e3489f89 1052 struct superblock_security_struct *sbsec = sb->s_security;
2069f457
EP		 1053 int rc;
1054
e3489f89
AV		 1055 if (!(sbsec->flags & SE_SBINITIALIZED))
1056 return 0;
2069f457 1057
65cddd50 1058 if (!selinux_initialized(&selinux_state))
e3489f89 1059 return 0;
2069f457 1060
e3489f89
AV		 1061 if (sbsec->flags & FSCONTEXT_MNT) {
1062 seq_putc(m, ',');
1063 seq_puts(m, FSCONTEXT_STR);
1064 rc = show_sid(m, sbsec->sid);
1065 if (rc)
1066 return rc;
1067 }
1068 if (sbsec->flags & CONTEXT_MNT) {
1069 seq_putc(m, ',');
1070 seq_puts(m, CONTEXT_STR);
1071 rc = show_sid(m, sbsec->mntpoint_sid);
1072 if (rc)
1073 return rc;
1074 }
1075 if (sbsec->flags & DEFCONTEXT_MNT) {
1076 seq_putc(m, ',');
1077 seq_puts(m, DEFCONTEXT_STR);
1078 rc = show_sid(m, sbsec->def_sid);
1079 if (rc)
1080 return rc;
1081 }
1082 if (sbsec->flags & ROOTCONTEXT_MNT) {
b159e86b 1083 struct dentry *root = sb->s_root;
e3489f89
AV		 1084 struct inode_security_struct *isec = backing_inode_security(root);
1085 seq_putc(m, ',');
1086 seq_puts(m, ROOTCONTEXT_STR);
1087 rc = show_sid(m, isec->sid);
1088 if (rc)
1089 return rc;
1090 }
1091 if (sbsec->flags & SBLABEL_MNT) {
1092 seq_putc(m, ',');
442155c1 1093 seq_puts(m, SECLABEL_STR);
e3489f89
AV		 1094 }
1095 return 0;
2069f457
EP		 1096}
1097
1da177e4
LT		 1098static inline u16 inode_mode_to_security_class(umode_t mode)
1099{
1100 switch (mode & S_IFMT) {
1101 case S_IFSOCK:
1102 return SECCLASS_SOCK_FILE;
1103 case S_IFLNK:
1104 return SECCLASS_LNK_FILE;
1105 case S_IFREG:
1106 return SECCLASS_FILE;
1107 case S_IFBLK:
1108 return SECCLASS_BLK_FILE;
1109 case S_IFDIR:
1110 return SECCLASS_DIR;
1111 case S_IFCHR:
1112 return SECCLASS_CHR_FILE;
1113 case S_IFIFO:
1114 return SECCLASS_FIFO_FILE;
1115
1116 }
1117
1118 return SECCLASS_FILE;
1119}
1120
13402580
JM		 1121static inline int default_protocol_stream(int protocol)
1122{
1123 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1124}
1125
1126static inline int default_protocol_dgram(int protocol)
1127{
1128 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1129}
1130
1da177e4
LT		 1131static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1132{
aa8e712c 1133 int extsockclass = selinux_policycap_extsockclass();
da69a530 1134
1da177e4
LT		 1135 switch (family) {
1136 case PF_UNIX:
1137 switch (type) {
1138 case SOCK_STREAM:
1139 case SOCK_SEQPACKET:
1140 return SECCLASS_UNIX_STREAM_SOCKET;
1141 case SOCK_DGRAM:
2a764b52 1142 case SOCK_RAW:
1da177e4
LT		 1143 return SECCLASS_UNIX_DGRAM_SOCKET;
1144 }
1145 break;
1146 case PF_INET:
1147 case PF_INET6:
1148 switch (type) {
1149 case SOCK_STREAM:
da69a530 1150 case SOCK_SEQPACKET:
13402580
JM		 1151 if (default_protocol_stream(protocol))
1152 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1153 else if (extsockclass && protocol == IPPROTO_SCTP)
1154 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1155 else
1156 return SECCLASS_RAWIP_SOCKET;
1da177e4 1157 case SOCK_DGRAM:
13402580
JM		 1158 if (default_protocol_dgram(protocol))
1159 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1160 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1161 protocol == IPPROTO_ICMPV6))
da69a530 1162 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1163 else
1164 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1165 case SOCK_DCCP:
1166 return SECCLASS_DCCP_SOCKET;
13402580 1167 default:
1da177e4
LT		 1168 return SECCLASS_RAWIP_SOCKET;
1169 }
1170 break;
1171 case PF_NETLINK:
1172 switch (protocol) {
1173 case NETLINK_ROUTE:
1174 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1175 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1176 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1177 case NETLINK_NFLOG:
1178 return SECCLASS_NETLINK_NFLOG_SOCKET;
1179 case NETLINK_XFRM:
1180 return SECCLASS_NETLINK_XFRM_SOCKET;
1181 case NETLINK_SELINUX:
1182 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1183 case NETLINK_ISCSI:
1184 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1185 case NETLINK_AUDIT:
1186 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1187 case NETLINK_FIB_LOOKUP:
1188 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1189 case NETLINK_CONNECTOR:
1190 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1191 case NETLINK_NETFILTER:
1192 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1193 case NETLINK_DNRTMSG:
1194 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1195 case NETLINK_KOBJECT_UEVENT:
1196 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1197 case NETLINK_GENERIC:
1198 return SECCLASS_NETLINK_GENERIC_SOCKET;
1199 case NETLINK_SCSITRANSPORT:
1200 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1201 case NETLINK_RDMA:
1202 return SECCLASS_NETLINK_RDMA_SOCKET;
1203 case NETLINK_CRYPTO:
1204 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1205 default:
1206 return SECCLASS_NETLINK_SOCKET;
1207 }
1208 case PF_PACKET:
1209 return SECCLASS_PACKET_SOCKET;
1210 case PF_KEY:
1211 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1212 case PF_APPLETALK:
1213 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1214 }
1215
da69a530
SS		 1216 if (extsockclass) {
1217 switch (family) {
1218 case PF_AX25:
1219 return SECCLASS_AX25_SOCKET;
1220 case PF_IPX:
1221 return SECCLASS_IPX_SOCKET;
1222 case PF_NETROM:
1223 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1224 case PF_ATMPVC:
1225 return SECCLASS_ATMPVC_SOCKET;
1226 case PF_X25:
1227 return SECCLASS_X25_SOCKET;
1228 case PF_ROSE:
1229 return SECCLASS_ROSE_SOCKET;
1230 case PF_DECnet:
1231 return SECCLASS_DECNET_SOCKET;
1232 case PF_ATMSVC:
1233 return SECCLASS_ATMSVC_SOCKET;
1234 case PF_RDS:
1235 return SECCLASS_RDS_SOCKET;
1236 case PF_IRDA:
1237 return SECCLASS_IRDA_SOCKET;
1238 case PF_PPPOX:
1239 return SECCLASS_PPPOX_SOCKET;
1240 case PF_LLC:
1241 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1242 case PF_CAN:
1243 return SECCLASS_CAN_SOCKET;
1244 case PF_TIPC:
1245 return SECCLASS_TIPC_SOCKET;
1246 case PF_BLUETOOTH:
1247 return SECCLASS_BLUETOOTH_SOCKET;
1248 case PF_IUCV:
1249 return SECCLASS_IUCV_SOCKET;
1250 case PF_RXRPC:
1251 return SECCLASS_RXRPC_SOCKET;
1252 case PF_ISDN:
1253 return SECCLASS_ISDN_SOCKET;
1254 case PF_PHONET:
1255 return SECCLASS_PHONET_SOCKET;
1256 case PF_IEEE802154:
1257 return SECCLASS_IEEE802154_SOCKET;
1258 case PF_CAIF:
1259 return SECCLASS_CAIF_SOCKET;
1260 case PF_ALG:
1261 return SECCLASS_ALG_SOCKET;
1262 case PF_NFC:
1263 return SECCLASS_NFC_SOCKET;
1264 case PF_VSOCK:
1265 return SECCLASS_VSOCK_SOCKET;
1266 case PF_KCM:
1267 return SECCLASS_KCM_SOCKET;
1268 case PF_QIPCRTR:
1269 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1270 case PF_SMC:
1271 return SECCLASS_SMC_SOCKET;
68e8b849
BT		 1272 case PF_XDP:
1273 return SECCLASS_XDP_SOCKET;
1274#if PF_MAX > 45
da69a530
SS		 1275#error New address family defined, please update this function.
1276#endif
1277 }
1278 }
1279
1da177e4
LT		 1280 return SECCLASS_SOCKET;
1281}
1282
134509d5
SS		 1283static int selinux_genfs_get_sid(struct dentry *dentry,
1284 u16 tclass,
1285 u16 flags,
1286 u32 *sid)
1da177e4 1287{
8e6c9693 1288 int rc;
fc64005c 1289 struct super_block *sb = dentry->d_sb;
8e6c9693 1290 char *buffer, *path;
1da177e4 1291
828dfe1d 1292 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1293 if (!buffer)
1294 return -ENOMEM;
1295
8e6c9693
LAG		 1296 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1297 if (IS_ERR(path))
1298 rc = PTR_ERR(path);
1299 else {
134509d5
SS		 1300 if (flags & SE_SBPROC) {
1301 /* each process gets a /proc/PID/ entry. Strip off the
1302 * PID part to get a valid selinux labeling.
1303 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1304 while (path[1] >= '0' && path[1] <= '9') {
1305 path[1] = '/';
1306 path++;
1307 }
8e6c9693 1308 }
aa8e712c
SS		 1309 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1310 path, tclass, sid);
7bb185ed
SS		 1311 if (rc == -ENOENT) {
1312 /* No match in policy, mark as unlabeled. */
1313 *sid = SECINITSID_UNLABELED;
1314 rc = 0;
1315 }
1da177e4 1316 }
1da177e4
LT		 1317 free_page((unsigned long)buffer);
1318 return rc;
1319}
1da177e4 1320
b754026b
OM		 1321static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1322 u32 def_sid, u32 *sid)
1323{
1324#define INITCONTEXTLEN 255
1325 char *context;
1326 unsigned int len;
1327 int rc;
1328
1329 len = INITCONTEXTLEN;
1330 context = kmalloc(len + 1, GFP_NOFS);
1331 if (!context)
1332 return -ENOMEM;
1333
1334 context[len] = '\0';
1335 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1336 if (rc == -ERANGE) {
1337 kfree(context);
1338
1339 /* Need a larger buffer. Query for the right size. */
1340 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1341 if (rc < 0)
1342 return rc;
1343
1344 len = rc;
1345 context = kmalloc(len + 1, GFP_NOFS);
1346 if (!context)
1347 return -ENOMEM;
1348
1349 context[len] = '\0';
1350 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1351 context, len);
1352 }
1353 if (rc < 0) {
1354 kfree(context);
1355 if (rc != -ENODATA) {
1356 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1357 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1358 return rc;
1359 }
1360 *sid = def_sid;
1361 return 0;
1362 }
1363
1364 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1365 def_sid, GFP_NOFS);
1366 if (rc) {
1367 char *dev = inode->i_sb->s_id;
1368 unsigned long ino = inode->i_ino;
1369
1370 if (rc == -EINVAL) {
1371 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1372 ino, dev, context);
1373 } else {
1374 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1375 __func__, context, -rc, dev, ino);
1376 }
1377 }
1378 kfree(context);
1379 return 0;
1380}
1381
1da177e4
LT		 1382/* The inode's security attributes must be initialized before first use. */
1383static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1384{
1385 struct superblock_security_struct *sbsec = NULL;
80788c22 1386 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1387 u32 task_sid, sid = 0;
1388 u16 sclass;
1da177e4 1389 struct dentry *dentry;
1da177e4 1390 int rc = 0;
1da177e4 1391
6f3be9f5 1392 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1393 return 0;
1da177e4 1394
9287aed2 1395 spin_lock(&isec->lock);
6f3be9f5 1396 if (isec->initialized == LABEL_INITIALIZED)
23970741 1397 goto out_unlock;
1da177e4 1398
13457d07
AG		 1399 if (isec->sclass == SECCLASS_FILE)
1400 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1401
1da177e4 1402 sbsec = inode->i_sb->s_security;
0d90a7ec 1403 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1404 /* Defer initialization until selinux_complete_init,
1405 after the initial policy is loaded and the security
1406 server is ready to handle calls. */
1407 spin_lock(&sbsec->isec_lock);
1408 if (list_empty(&isec->list))
1409 list_add(&isec->list, &sbsec->isec_head);
1410 spin_unlock(&sbsec->isec_lock);
23970741 1411 goto out_unlock;
1da177e4
LT		 1412 }
1413
9287aed2
AG		 1414 sclass = isec->sclass;
1415 task_sid = isec->task_sid;
1416 sid = isec->sid;
1417 isec->initialized = LABEL_PENDING;
1418 spin_unlock(&isec->lock);
1419
1da177e4 1420 switch (sbsec->behavior) {
eb9ae686
DQ		 1421 case SECURITY_FS_USE_NATIVE:
1422 break;
1da177e4 1423 case SECURITY_FS_USE_XATTR:
5d6c3191 1424 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1425 sid = sbsec->def_sid;
1da177e4
LT		 1426 break;
1427 }
1da177e4
LT		 1428 /* Need a dentry, since the xattr API requires one.
1429 Life would be simpler if we could just pass the inode. */
1430 if (opt_dentry) {
1431 /* Called from d_instantiate or d_splice_alias. */
1432 dentry = dget(opt_dentry);
1433 } else {
b127125d
AV		 1434 /*
1435 * Called from selinux_complete_init, try to find a dentry.
1436 * Some filesystems really want a connected one, so try
1437 * that first. We could split SECURITY_FS_USE_XATTR in
1438 * two, depending upon that...
1439 */
1da177e4 1440 dentry = d_find_alias(inode);
b127125d
AV		 1441 if (!dentry)
1442 dentry = d_find_any_alias(inode);
1da177e4
LT		 1443 }
1444 if (!dentry) {
df7f54c0
EP		 1445 /*
1446 * this is can be hit on boot when a file is accessed
1447 * before the policy is loaded. When we load policy we
1448 * may find inodes that have no dentry on the
1449 * sbsec->isec_head list. No reason to complain as these
1450 * will get fixed up the next time we go through
1451 * inode_doinit with a dentry, before these inodes could
1452 * be used again by userspace.
1453 */
200ea5a2 1454 goto out_invalid;
1da177e4
LT		 1455 }
1456
b754026b
OM		 1457 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1458 &sid);
1da177e4 1459 dput(dentry);
b754026b
OM		 1460 if (rc)
1461 goto out;
1da177e4
LT		 1462 break;
1463 case SECURITY_FS_USE_TASK:
9287aed2 1464 sid = task_sid;
1da177e4
LT		 1465 break;
1466 case SECURITY_FS_USE_TRANS:
1467 /* Default to the fs SID. */
9287aed2 1468 sid = sbsec->sid;
1da177e4
LT		 1469
1470 /* Try to obtain a transition SID. */
aa8e712c
SS		 1471 rc = security_transition_sid(&selinux_state, task_sid, sid,
1472 sclass, NULL, &sid);
1da177e4 1473 if (rc)
9287aed2 1474 goto out;
1da177e4 1475 break;
c312feb2 1476 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1477 sid = sbsec->mntpoint_sid;
c312feb2 1478 break;
1da177e4 1479 default:
c312feb2 1480 /* Default to the fs superblock SID. */
9287aed2 1481 sid = sbsec->sid;
1da177e4 1482
7470d0d1
CG		 1483 if ((sbsec->flags & SE_SBGENFS) &&
1484 (!S_ISLNK(inode->i_mode) ||
1485 selinux_policycap_genfs_seclabel_symlinks())) {
f64410ec
PM		 1486 /* We must have a dentry to determine the label on
1487 * procfs inodes */
b127125d 1488 if (opt_dentry) {
f64410ec
PM		 1489 /* Called from d_instantiate or
1490 * d_splice_alias. */
1491 dentry = dget(opt_dentry);
b127125d 1492 } else {
f64410ec 1493 /* Called from selinux_complete_init, try to
b127125d
AV		 1494 * find a dentry. Some filesystems really want
1495 * a connected one, so try that first.
1496 */
f64410ec 1497 dentry = d_find_alias(inode);
b127125d
AV		 1498 if (!dentry)
1499 dentry = d_find_any_alias(inode);
1500 }
f64410ec
PM		 1501 /*
1502 * This can be hit on boot when a file is accessed
1503 * before the policy is loaded. When we load policy we
1504 * may find inodes that have no dentry on the
1505 * sbsec->isec_head list. No reason to complain as
1506 * these will get fixed up the next time we go through
1507 * inode_doinit() with a dentry, before these inodes
1508 * could be used again by userspace.
1509 */
1510 if (!dentry)
200ea5a2 1511 goto out_invalid;
9287aed2 1512 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1513 sbsec->flags, &sid);
b754026b
OM		 1514 if (rc) {
1515 dput(dentry);
9287aed2 1516 goto out;
b754026b
OM		 1517 }
1518
1519 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1520 (inode->i_opflags & IOP_XATTR)) {
1521 rc = inode_doinit_use_xattr(inode, dentry,
1522 sid, &sid);
1523 if (rc) {
1524 dput(dentry);
1525 goto out;
1526 }
1527 }
1528 dput(dentry);
1da177e4
LT		 1529 }
1530 break;
1531 }
1532
9287aed2
AG		 1533out:
1534 spin_lock(&isec->lock);
1535 if (isec->initialized == LABEL_PENDING) {
200ea5a2 1536 if (rc) {
9287aed2
AG		 1537 isec->initialized = LABEL_INVALID;
1538 goto out_unlock;
1539 }
9287aed2
AG		 1540 isec->initialized = LABEL_INITIALIZED;
1541 isec->sid = sid;
1542 }
1da177e4 1543
23970741 1544out_unlock:
9287aed2 1545 spin_unlock(&isec->lock);
1da177e4 1546 return rc;
200ea5a2
PM		 1547
1548out_invalid:
1549 spin_lock(&isec->lock);
1550 if (isec->initialized == LABEL_PENDING) {
1551 isec->initialized = LABEL_INVALID;
1552 isec->sid = sid;
1553 }
1554 spin_unlock(&isec->lock);
1555 return 0;
1da177e4
LT		 1556}
1557
1558/* Convert a Linux signal to an access vector. */
1559static inline u32 signal_to_av(int sig)
1560{
1561 u32 perm = 0;
1562
1563 switch (sig) {
1564 case SIGCHLD:
1565 /* Commonly granted from child to parent. */
1566 perm = PROCESS__SIGCHLD;
1567 break;
1568 case SIGKILL:
1569 /* Cannot be caught or ignored */
1570 perm = PROCESS__SIGKILL;
1571 break;
1572 case SIGSTOP:
1573 /* Cannot be caught or ignored */
1574 perm = PROCESS__SIGSTOP;
1575 break;
1576 default:
1577 /* All other signals. */
1578 perm = PROCESS__SIGNAL;
1579 break;
1580 }
1581
1582 return perm;
1583}
1584
b68e418c
SS		 1585#if CAP_LAST_CAP > 63
1586#error Fix SELinux to handle capabilities > 63.
1587#endif
1588
1da177e4 1589/* Check whether a task is allowed to use a capability. */
6a9de491 1590static int cred_has_capability(const struct cred *cred,
c1a85a00 1591 int cap, unsigned int opts, bool initns)
1da177e4 1592{
2bf49690 1593 struct common_audit_data ad;
06112163 1594 struct av_decision avd;
b68e418c 1595 u16 sclass;
3699c53c 1596 u32 sid = cred_sid(cred);
b68e418c 1597 u32 av = CAP_TO_MASK(cap);
06112163 1598 int rc;
1da177e4 1599
50c205f5 1600 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1601 ad.u.cap = cap;
1602
b68e418c
SS		 1603 switch (CAP_TO_INDEX(cap)) {
1604 case 0:
8e4ff6f2 1605 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1606 break;
1607 case 1:
8e4ff6f2 1608 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1609 break;
1610 default:
c103a91e 1611 pr_err("SELinux: out of range capability %d\n", cap);
b68e418c 1612 BUG();
a35c6c83 1613 return -EINVAL;
b68e418c 1614 }
06112163 1615
6b6bc620
SS		 1616 rc = avc_has_perm_noaudit(&selinux_state,
1617 sid, sid, sclass, av, 0, &avd);
c1a85a00 1618 if (!(opts & CAP_OPT_NOAUDIT)) {
6b6bc620
SS		 1619 int rc2 = avc_audit(&selinux_state,
1620 sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1621 if (rc2)
1622 return rc2;
1623 }
06112163 1624 return rc;
1da177e4
LT		 1625}
1626
1da177e4
LT		 1627/* Check whether a task has a particular permission to an inode.
1628 The 'adp' parameter is optional and allows other audit
1629 data to be passed (e.g. the dentry). */
88e67f3b 1630static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1631 struct inode *inode,
1632 u32 perms,
19e49834 1633 struct common_audit_data *adp)
1da177e4 1634{
1da177e4 1635 struct inode_security_struct *isec;
275bb41e 1636 u32 sid;
1da177e4 1637
e0e81739
DH		 1638 validate_creds(cred);
1639
828dfe1d 1640 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1641 return 0;
1642
88e67f3b 1643 sid = cred_sid(cred);
80788c22 1644 isec = selinux_inode(inode);
1da177e4 1645
6b6bc620
SS		 1646 return avc_has_perm(&selinux_state,
1647 sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1648}
1649
1650/* Same as inode_has_perm, but pass explicit audit data containing
1651 the dentry to help the auditing code to more easily generate the
1652 pathname if needed. */
88e67f3b 1653static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1654 struct dentry *dentry,
1655 u32 av)
1656{
c6f493d6 1657 struct inode *inode = d_backing_inode(dentry);
2bf49690 1658 struct common_audit_data ad;
88e67f3b 1659
50c205f5 1660 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1661 ad.u.dentry = dentry;
5d226df4 1662 __inode_security_revalidate(inode, dentry, true);
19e49834 1663 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1664}
1665
1666/* Same as inode_has_perm, but pass explicit audit data containing
1667 the path to help the auditing code to more easily generate the
1668 pathname if needed. */
1669static inline int path_has_perm(const struct cred *cred,
3f7036a0 1670 const struct path *path,
2875fa00
EP		 1671 u32 av)
1672{
c6f493d6 1673 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1674 struct common_audit_data ad;
1675
50c205f5 1676 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1677 ad.u.path = *path;
5d226df4 1678 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1679 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1680}
1681
13f8e981
DH		 1682/* Same as path_has_perm, but uses the inode from the file struct. */
1683static inline int file_path_has_perm(const struct cred *cred,
1684 struct file *file,
1685 u32 av)
1686{
1687 struct common_audit_data ad;
1688
43af5de7
VG		 1689 ad.type = LSM_AUDIT_DATA_FILE;
1690 ad.u.file = file;
19e49834 1691 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1692}
1693
f66e448c
CF		 1694#ifdef CONFIG_BPF_SYSCALL
1695static int bpf_fd_pass(struct file *file, u32 sid);
1696#endif
1697
1da177e4
LT		 1698/* Check whether a task can use an open file descriptor to
1699 access an inode in a given way. Check access to the
1700 descriptor itself, and then use dentry_has_perm to
1701 check a particular permission to the file.
1702 Access to the descriptor is implicitly granted if it
1703 has the same SID as the process. If av is zero, then
1704 access to the file is not checked, e.g. for cases
1705 where only the descriptor is affected like seek. */
88e67f3b
DH		 1706static int file_has_perm(const struct cred *cred,
1707 struct file *file,
1708 u32 av)
1da177e4 1709{
bb6c6b02 1710 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1711 struct inode *inode = file_inode(file);
2bf49690 1712 struct common_audit_data ad;
88e67f3b 1713 u32 sid = cred_sid(cred);
1da177e4
LT		 1714 int rc;
1715
43af5de7
VG		 1716 ad.type = LSM_AUDIT_DATA_FILE;
1717 ad.u.file = file;
1da177e4 1718
275bb41e 1719 if (sid != fsec->sid) {
6b6bc620
SS		 1720 rc = avc_has_perm(&selinux_state,
1721 sid, fsec->sid,
1da177e4
LT		 1722 SECCLASS_FD,
1723 FD__USE,
1724 &ad);
1725 if (rc)
88e67f3b 1726 goto out;
1da177e4
LT		 1727 }
1728
f66e448c
CF		 1729#ifdef CONFIG_BPF_SYSCALL
1730 rc = bpf_fd_pass(file, cred_sid(cred));
1731 if (rc)
1732 return rc;
1733#endif
1734
1da177e4 1735 /* av is zero if only checking access to the descriptor. */
88e67f3b 1736 rc = 0;
1da177e4 1737 if (av)
19e49834 1738 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1739
88e67f3b
DH		 1740out:
1741 return rc;
1da177e4
LT		 1742}
1743
c3c188b2
DH		 1744/*
1745 * Determine the label for an inode that might be unioned.
1746 */
c957f6df
VG		 1747static int
1748selinux_determine_inode_label(const struct task_security_struct *tsec,
1749 struct inode *dir,
1750 const struct qstr *name, u16 tclass,
1751 u32 *_new_isid)
c3c188b2
DH		 1752{
1753 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1754
1755 if ((sbsec->flags & SE_SBINITIALIZED) &&
1756 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1757 *_new_isid = sbsec->mntpoint_sid;
1758 } else if ((sbsec->flags & SBLABEL_MNT) &&
1759 tsec->create_sid) {
1760 *_new_isid = tsec->create_sid;
1761 } else {
20cdef8d 1762 const struct inode_security_struct *dsec = inode_security(dir);
aa8e712c
SS		 1763 return security_transition_sid(&selinux_state, tsec->sid,
1764 dsec->sid, tclass,
c3c188b2
DH		 1765 name, _new_isid);
1766 }
1767
1768 return 0;
1769}
1770
1da177e4
LT		 1771/* Check whether a task can create a file. */
1772static int may_create(struct inode *dir,
1773 struct dentry *dentry,
1774 u16 tclass)
1775{
0c6cfa62 1776 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1777 struct inode_security_struct *dsec;
1778 struct superblock_security_struct *sbsec;
275bb41e 1779 u32 sid, newsid;
2bf49690 1780 struct common_audit_data ad;
1da177e4
LT		 1781 int rc;
1782
83da53c5 1783 dsec = inode_security(dir);
1da177e4
LT		 1784 sbsec = dir->i_sb->s_security;
1785
275bb41e 1786 sid = tsec->sid;
275bb41e 1787
50c205f5 1788 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1789 ad.u.dentry = dentry;
1da177e4 1790
6b6bc620
SS		 1791 rc = avc_has_perm(&selinux_state,
1792 sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1793 DIR__ADD_NAME | DIR__SEARCH,
1794 &ad);
1795 if (rc)
1796 return rc;
1797
210a2928
YG		 1798 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1799 &newsid);
c3c188b2
DH		 1800 if (rc)
1801 return rc;
1da177e4 1802
6b6bc620
SS		 1803 rc = avc_has_perm(&selinux_state,
1804 sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1805 if (rc)
1806 return rc;
1807
6b6bc620
SS		 1808 return avc_has_perm(&selinux_state,
1809 newsid, sbsec->sid,
1da177e4
LT		 1810 SECCLASS_FILESYSTEM,
1811 FILESYSTEM__ASSOCIATE, &ad);
1812}
1813
828dfe1d
EP		 1814#define MAY_LINK 0
1815#define MAY_UNLINK 1
1816#define MAY_RMDIR 2
1da177e4
LT		 1817
1818/* Check whether a task can link, unlink, or rmdir a file/directory. */
1819static int may_link(struct inode *dir,
1820 struct dentry *dentry,
1821 int kind)
1822
1823{
1da177e4 1824 struct inode_security_struct *dsec, *isec;
2bf49690 1825 struct common_audit_data ad;
275bb41e 1826 u32 sid = current_sid();
1da177e4
LT		 1827 u32 av;
1828 int rc;
1829
83da53c5
AG		 1830 dsec = inode_security(dir);
1831 isec = backing_inode_security(dentry);
1da177e4 1832
50c205f5 1833 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1834 ad.u.dentry = dentry;
1da177e4
LT		 1835
1836 av = DIR__SEARCH;
1837 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
6b6bc620
SS		 1838 rc = avc_has_perm(&selinux_state,
1839 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1840 if (rc)
1841 return rc;
1842
1843 switch (kind) {
1844 case MAY_LINK:
1845 av = FILE__LINK;
1846 break;
1847 case MAY_UNLINK:
1848 av = FILE__UNLINK;
1849 break;
1850 case MAY_RMDIR:
1851 av = DIR__RMDIR;
1852 break;
1853 default:
c103a91e 1854 pr_warn("SELinux: %s: unrecognized kind %d\n",
744ba35e 1855 __func__, kind);
1da177e4
LT		 1856 return 0;
1857 }
1858
6b6bc620
SS		 1859 rc = avc_has_perm(&selinux_state,
1860 sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1861 return rc;
1862}
1863
1864static inline int may_rename(struct inode *old_dir,
1865 struct dentry *old_dentry,
1866 struct inode *new_dir,
1867 struct dentry *new_dentry)
1868{
1da177e4 1869 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1870 struct common_audit_data ad;
275bb41e 1871 u32 sid = current_sid();
1da177e4
LT		 1872 u32 av;
1873 int old_is_dir, new_is_dir;
1874 int rc;
1875
83da53c5
AG		 1876 old_dsec = inode_security(old_dir);
1877 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1878 old_is_dir = d_is_dir(old_dentry);
83da53c5 1879 new_dsec = inode_security(new_dir);
1da177e4 1880
50c205f5 1881 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1882
a269434d 1883 ad.u.dentry = old_dentry;
6b6bc620
SS		 1884 rc = avc_has_perm(&selinux_state,
1885 sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1886 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1887 if (rc)
1888 return rc;
6b6bc620
SS		 1889 rc = avc_has_perm(&selinux_state,
1890 sid, old_isec->sid,
1da177e4
LT		 1891 old_isec->sclass, FILE__RENAME, &ad);
1892 if (rc)
1893 return rc;
1894 if (old_is_dir && new_dir != old_dir) {
6b6bc620
SS		 1895 rc = avc_has_perm(&selinux_state,
1896 sid, old_isec->sid,
1da177e4
LT		 1897 old_isec->sclass, DIR__REPARENT, &ad);
1898 if (rc)
1899 return rc;
1900 }
1901
a269434d 1902 ad.u.dentry = new_dentry;
1da177e4 1903 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1904 if (d_is_positive(new_dentry))
1da177e4 1905 av |= DIR__REMOVE_NAME;
6b6bc620
SS		 1906 rc = avc_has_perm(&selinux_state,
1907 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1908 if (rc)
1909 return rc;
2c616d4d 1910 if (d_is_positive(new_dentry)) {
83da53c5 1911 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1912 new_is_dir = d_is_dir(new_dentry);
6b6bc620
SS		 1913 rc = avc_has_perm(&selinux_state,
1914 sid, new_isec->sid,
1da177e4
LT		 1915 new_isec->sclass,
1916 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1917 if (rc)
1918 return rc;
1919 }
1920
1921 return 0;
1922}
1923
1924/* Check whether a task can perform a filesystem operation. */
88e67f3b 1925static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1926 struct super_block *sb,
1927 u32 perms,
2bf49690 1928 struct common_audit_data *ad)
1da177e4 1929{
1da177e4 1930 struct superblock_security_struct *sbsec;
88e67f3b 1931 u32 sid = cred_sid(cred);
1da177e4 1932
1da177e4 1933 sbsec = sb->s_security;
6b6bc620
SS		 1934 return avc_has_perm(&selinux_state,
1935 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1936}
1937
1938/* Convert a Linux mode and permission mask to an access vector. */
1939static inline u32 file_mask_to_av(int mode, int mask)
1940{
1941 u32 av = 0;
1942
dba19c60 1943 if (!S_ISDIR(mode)) {
1da177e4
LT		 1944 if (mask & MAY_EXEC)
1945 av |= FILE__EXECUTE;
1946 if (mask & MAY_READ)
1947 av |= FILE__READ;
1948
1949 if (mask & MAY_APPEND)
1950 av |= FILE__APPEND;
1951 else if (mask & MAY_WRITE)
1952 av |= FILE__WRITE;
1953
1954 } else {
1955 if (mask & MAY_EXEC)
1956 av |= DIR__SEARCH;
1957 if (mask & MAY_WRITE)
1958 av |= DIR__WRITE;
1959 if (mask & MAY_READ)
1960 av |= DIR__READ;
1961 }
1962
1963 return av;
1964}
1965
8b6a5a37
EP		 1966/* Convert a Linux file to an access vector. */
1967static inline u32 file_to_av(struct file *file)
1968{
1969 u32 av = 0;
1970
1971 if (file->f_mode & FMODE_READ)
1972 av |= FILE__READ;
1973 if (file->f_mode & FMODE_WRITE) {
1974 if (file->f_flags & O_APPEND)
1975 av |= FILE__APPEND;
1976 else
1977 av |= FILE__WRITE;
1978 }
1979 if (!av) {
1980 /*
1981 * Special file opened with flags 3 for ioctl-only use.
1982 */
1983 av = FILE__IOCTL;
1984 }
1985
1986 return av;
1987}
1988
b0c636b9 1989/*
c76a2f9e 1990 * Convert a file to an access vector and include the correct
b0c636b9
EP		 1991 * open permission.
1992 */
8b6a5a37 1993static inline u32 open_file_to_av(struct file *file)
b0c636b9 1994{
8b6a5a37 1995 u32 av = file_to_av(file);
ccb54478 1996 struct inode *inode = file_inode(file);
b0c636b9 1997
aa8e712c
SS		 1998 if (selinux_policycap_openperm() &&
1999 inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2000 av |= FILE__OPEN;
2001
b0c636b9
EP		 2002 return av;
2003}
2004
1da177e4
LT		 2005/* Hook functions begin here. */
2006
79af7307
SS		 2007static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2008{
2009 u32 mysid = current_sid();
2010 u32 mgrsid = task_sid(mgr);
2011
6b6bc620
SS		 2012 return avc_has_perm(&selinux_state,
2013 mysid, mgrsid, SECCLASS_BINDER,
79af7307
SS		 2014 BINDER__SET_CONTEXT_MGR, NULL);
2015}
2016
2017static int selinux_binder_transaction(struct task_struct *from,
2018 struct task_struct *to)
2019{
2020 u32 mysid = current_sid();
2021 u32 fromsid = task_sid(from);
2022 u32 tosid = task_sid(to);
2023 int rc;
2024
2025 if (mysid != fromsid) {
6b6bc620
SS		 2026 rc = avc_has_perm(&selinux_state,
2027 mysid, fromsid, SECCLASS_BINDER,
79af7307
SS		 2028 BINDER__IMPERSONATE, NULL);
2029 if (rc)
2030 return rc;
2031 }
2032
6b6bc620
SS		 2033 return avc_has_perm(&selinux_state,
2034 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
79af7307
SS		 2035 NULL);
2036}
2037
2038static int selinux_binder_transfer_binder(struct task_struct *from,
2039 struct task_struct *to)
2040{
2041 u32 fromsid = task_sid(from);
2042 u32 tosid = task_sid(to);
2043
6b6bc620
SS		 2044 return avc_has_perm(&selinux_state,
2045 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
79af7307
SS		 2046 NULL);
2047}
2048
2049static int selinux_binder_transfer_file(struct task_struct *from,
2050 struct task_struct *to,
2051 struct file *file)
2052{
2053 u32 sid = task_sid(to);
bb6c6b02 2054 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2055 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2056 struct inode_security_struct *isec;
79af7307
SS		 2057 struct common_audit_data ad;
2058 int rc;
2059
2060 ad.type = LSM_AUDIT_DATA_PATH;
2061 ad.u.path = file->f_path;
2062
2063 if (sid != fsec->sid) {
6b6bc620
SS		 2064 rc = avc_has_perm(&selinux_state,
2065 sid, fsec->sid,
79af7307
SS		 2066 SECCLASS_FD,
2067 FD__USE,
2068 &ad);
2069 if (rc)
2070 return rc;
2071 }
2072
f66e448c
CF		 2073#ifdef CONFIG_BPF_SYSCALL
2074 rc = bpf_fd_pass(file, sid);
2075 if (rc)
2076 return rc;
2077#endif
2078
83da53c5 2079 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2080 return 0;
2081
20cdef8d 2082 isec = backing_inode_security(dentry);
6b6bc620
SS		 2083 return avc_has_perm(&selinux_state,
2084 sid, isec->sid, isec->sclass, file_to_av(file),
79af7307
SS		 2085 &ad);
2086}
2087
9e48858f 2088static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2089 unsigned int mode)
1da177e4 2090{
be0554c9
SS		 2091 u32 sid = current_sid();
2092 u32 csid = task_sid(child);
2093
2094 if (mode & PTRACE_MODE_READ)
6b6bc620
SS		 2095 return avc_has_perm(&selinux_state,
2096 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2097
6b6bc620
SS		 2098 return avc_has_perm(&selinux_state,
2099 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2100}
2101
2102static int selinux_ptrace_traceme(struct task_struct *parent)
2103{
6b6bc620
SS		 2104 return avc_has_perm(&selinux_state,
2105 task_sid(parent), current_sid(), SECCLASS_PROCESS,
be0554c9 2106 PROCESS__PTRACE, NULL);
1da177e4
LT		 2107}
2108
2109static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2110 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2111{
6b6bc620
SS		 2112 return avc_has_perm(&selinux_state,
2113 current_sid(), task_sid(target), SECCLASS_PROCESS,
be0554c9 2114 PROCESS__GETCAP, NULL);
1da177e4
LT		 2115}
2116
d84f4f99
DH		 2117static int selinux_capset(struct cred *new, const struct cred *old,
2118 const kernel_cap_t *effective,
2119 const kernel_cap_t *inheritable,
2120 const kernel_cap_t *permitted)
1da177e4 2121{
6b6bc620
SS		 2122 return avc_has_perm(&selinux_state,
2123 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
be0554c9 2124 PROCESS__SETCAP, NULL);
1da177e4
LT		 2125}
2126
5626d3e8
JM		 2127/*
2128 * (This comment used to live with the selinux_task_setuid hook,
2129 * which was removed).
2130 *
2131 * Since setuid only affects the current process, and since the SELinux
2132 * controls are not based on the Linux identity attributes, SELinux does not
2133 * need to control this operation. However, SELinux does control the use of
2134 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2135 */
2136
6a9de491 2137static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
c1a85a00 2138 int cap, unsigned int opts)
1da177e4 2139{
c1a85a00 2140 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
1da177e4
LT		 2141}
2142
1da177e4
LT		 2143static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2144{
88e67f3b 2145 const struct cred *cred = current_cred();
1da177e4
LT		 2146 int rc = 0;
2147
2148 if (!sb)
2149 return 0;
2150
2151 switch (cmds) {
828dfe1d
EP		 2152 case Q_SYNC:
2153 case Q_QUOTAON:
2154 case Q_QUOTAOFF:
2155 case Q_SETINFO:
2156 case Q_SETQUOTA:
e4cfa05e
RH		 2157 case Q_XQUOTAOFF:
2158 case Q_XQUOTAON:
2159 case Q_XSETQLIM:
88e67f3b 2160 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2161 break;
2162 case Q_GETFMT:
2163 case Q_GETINFO:
2164 case Q_GETQUOTA:
e4cfa05e
RH		 2165 case Q_XGETQUOTA:
2166 case Q_XGETQSTAT:
2167 case Q_XGETQSTATV:
2168 case Q_XGETNEXTQUOTA:
88e67f3b 2169 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2170 break;
2171 default:
2172 rc = 0; /* let the kernel handle invalid cmds */
2173 break;
1da177e4
LT		 2174 }
2175 return rc;
2176}
2177
2178static int selinux_quota_on(struct dentry *dentry)
2179{
88e67f3b
DH		 2180 const struct cred *cred = current_cred();
2181
2875fa00 2182 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2183}
2184
12b3052c 2185static int selinux_syslog(int type)
1da177e4 2186{
1da177e4 2187 switch (type) {
d78ca3cd
KC		 2188 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2189 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
6b6bc620
SS		 2190 return avc_has_perm(&selinux_state,
2191 current_sid(), SECINITSID_KERNEL,
be0554c9 2192 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2193 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2194 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2195 /* Set level of messages printed to console */
2196 case SYSLOG_ACTION_CONSOLE_LEVEL:
6b6bc620
SS		 2197 return avc_has_perm(&selinux_state,
2198 current_sid(), SECINITSID_KERNEL,
be0554c9
SS		 2199 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2200 NULL);
1da177e4 2201 }
be0554c9 2202 /* All other syslog types */
6b6bc620
SS		 2203 return avc_has_perm(&selinux_state,
2204 current_sid(), SECINITSID_KERNEL,
be0554c9 2205 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2206}
2207
2208/*
2209 * Check that a process has enough memory to allocate a new virtual
2210 * mapping. 0 means there is enough memory for the allocation to
2211 * succeed and -ENOMEM implies there is not.
2212 *
1da177e4
LT		 2213 * Do not audit the selinux permission check, as this is applied to all
2214 * processes that allocate mappings.
2215 */
34b4e4aa 2216static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2217{
2218 int rc, cap_sys_admin = 0;
1da177e4 2219
b1d9e6b0 2220 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
c1a85a00 2221 CAP_OPT_NOAUDIT, true);
1da177e4
LT		 2222 if (rc == 0)
2223 cap_sys_admin = 1;
2224
b1d9e6b0 2225 return cap_sys_admin;
1da177e4
LT		 2226}
2227
2228/* binprm security operations */
2229
be0554c9 2230static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2231{
2232 u32 sid = 0;
2233 struct task_struct *tracer;
2234
2235 rcu_read_lock();
be0554c9 2236 tracer = ptrace_parent(current);
0c6181cb
PM		 2237 if (tracer)
2238 sid = task_sid(tracer);
2239 rcu_read_unlock();
2240
2241 return sid;
2242}
2243
7b0d0b40
SS		 2244static int check_nnp_nosuid(const struct linux_binprm *bprm,
2245 const struct task_security_struct *old_tsec,
2246 const struct task_security_struct *new_tsec)
2247{
2248 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
104c1332 2249 int nosuid = path_nosuid(&bprm->file->f_path);
7b0d0b40 2250 int rc;
af63f419 2251 u32 av;
7b0d0b40
SS		 2252
2253 if (!nnp && !nosuid)
2254 return 0; /* neither NNP nor nosuid */
2255
2256 if (new_tsec->sid == old_tsec->sid)
2257 return 0; /* No change in credentials */
2258
2259 /*
af63f419
SS		 2260 * If the policy enables the nnp_nosuid_transition policy capability,
2261 * then we permit transitions under NNP or nosuid if the
2262 * policy allows the corresponding permission between
2263 * the old and new contexts.
7b0d0b40 2264 */
aa8e712c 2265 if (selinux_policycap_nnp_nosuid_transition()) {
af63f419 2266 av = 0;
7b0d0b40 2267 if (nnp)
af63f419
SS		 2268 av |= PROCESS2__NNP_TRANSITION;
2269 if (nosuid)
2270 av |= PROCESS2__NOSUID_TRANSITION;
6b6bc620
SS		 2271 rc = avc_has_perm(&selinux_state,
2272 old_tsec->sid, new_tsec->sid,
af63f419
SS		 2273 SECCLASS_PROCESS2, av, NULL);
2274 if (!rc)
2275 return 0;
7b0d0b40 2276 }
af63f419
SS		 2277
2278 /*
2279 * We also permit NNP or nosuid transitions to bounded SIDs,
2280 * i.e. SIDs that are guaranteed to only be allowed a subset
2281 * of the permissions of the current SID.
2282 */
aa8e712c
SS		 2283 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2284 new_tsec->sid);
af63f419
SS		 2285 if (!rc)
2286 return 0;
2287
2288 /*
2289 * On failure, preserve the errno values for NNP vs nosuid.
2290 * NNP: Operation not permitted for caller.
2291 * nosuid: Permission denied to file.
2292 */
2293 if (nnp)
2294 return -EPERM;
2295 return -EACCES;
7b0d0b40
SS		 2296}
2297
b8bff599 2298static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
1da177e4 2299{
a6f76f23
DH		 2300 const struct task_security_struct *old_tsec;
2301 struct task_security_struct *new_tsec;
1da177e4 2302 struct inode_security_struct *isec;
2bf49690 2303 struct common_audit_data ad;
496ad9aa 2304 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2305 int rc;
2306
a6f76f23
DH		 2307 /* SELinux context only depends on initial program or script and not
2308 * the script interpreter */
1da177e4 2309
0c6cfa62
CS		 2310 old_tsec = selinux_cred(current_cred());
2311 new_tsec = selinux_cred(bprm->cred);
83da53c5 2312 isec = inode_security(inode);
1da177e4
LT		 2313
2314 /* Default to the current task SID. */
a6f76f23
DH		 2315 new_tsec->sid = old_tsec->sid;
2316 new_tsec->osid = old_tsec->sid;
1da177e4 2317
28eba5bf 2318 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2319 new_tsec->create_sid = 0;
2320 new_tsec->keycreate_sid = 0;
2321 new_tsec->sockcreate_sid = 0;
1da177e4 2322
a6f76f23
DH		 2323 if (old_tsec->exec_sid) {
2324 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2325 /* Reset exec SID on execve. */
a6f76f23 2326 new_tsec->exec_sid = 0;
259e5e6c 2327
7b0d0b40
SS		 2328 /* Fail on NNP or nosuid if not an allowed transition. */
2329 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2330 if (rc)
2331 return rc;
1da177e4
LT		 2332 } else {
2333 /* Check for a default transition on this program. */
aa8e712c
SS		 2334 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2335 isec->sid, SECCLASS_PROCESS, NULL,
652bb9b0 2336 &new_tsec->sid);
1da177e4
LT		 2337 if (rc)
2338 return rc;
7b0d0b40
SS		 2339
2340 /*
2341 * Fallback to old SID on NNP or nosuid if not an allowed
2342 * transition.
2343 */
2344 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2345 if (rc)
2346 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2347 }
2348
43af5de7
VG		 2349 ad.type = LSM_AUDIT_DATA_FILE;
2350 ad.u.file = bprm->file;
1da177e4 2351
a6f76f23 2352 if (new_tsec->sid == old_tsec->sid) {
6b6bc620
SS		 2353 rc = avc_has_perm(&selinux_state,
2354 old_tsec->sid, isec->sid,
1da177e4
LT		 2355 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2356 if (rc)
2357 return rc;
2358 } else {
2359 /* Check permissions for the transition. */
6b6bc620
SS		 2360 rc = avc_has_perm(&selinux_state,
2361 old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2362 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2363 if (rc)
2364 return rc;
2365
6b6bc620
SS		 2366 rc = avc_has_perm(&selinux_state,
2367 new_tsec->sid, isec->sid,
1da177e4
LT		 2368 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2369 if (rc)
2370 return rc;
2371
a6f76f23
DH		 2372 /* Check for shared state */
2373 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
6b6bc620
SS		 2374 rc = avc_has_perm(&selinux_state,
2375 old_tsec->sid, new_tsec->sid,
a6f76f23
DH		 2376 SECCLASS_PROCESS, PROCESS__SHARE,
2377 NULL);
2378 if (rc)
2379 return -EPERM;
2380 }
2381
2382 /* Make sure that anyone attempting to ptrace over a task that
2383 * changes its SID has the appropriate permit */
9227dd2a 2384 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2385 u32 ptsid = ptrace_parent_sid();
a6f76f23 2386 if (ptsid != 0) {
6b6bc620
SS		 2387 rc = avc_has_perm(&selinux_state,
2388 ptsid, new_tsec->sid,
a6f76f23
DH		 2389 SECCLASS_PROCESS,
2390 PROCESS__PTRACE, NULL);
2391 if (rc)
2392 return -EPERM;
2393 }
2394 }
1da177e4 2395
a6f76f23
DH		 2396 /* Clear any possibly unsafe personality bits on exec: */
2397 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2398
1da177e4
LT		 2399 /* Enable secure mode for SIDs transitions unless
2400 the noatsecure permission is granted between
2401 the two SIDs, i.e. ahp returns 0. */
6b6bc620
SS		 2402 rc = avc_has_perm(&selinux_state,
2403 old_tsec->sid, new_tsec->sid,
62874c3a
KC		 2404 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2405 NULL);
2406 bprm->secureexec |= !!rc;
1da177e4
LT		 2407 }
2408
62874c3a 2409 return 0;
1da177e4
LT		 2410}
2411
c3c073f8
AV		 2412static int match_file(const void *p, struct file *file, unsigned fd)
2413{
2414 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2415}
2416
1da177e4 2417/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2418static inline void flush_unauthorized_files(const struct cred *cred,
2419 struct files_struct *files)
1da177e4 2420{
1da177e4 2421 struct file *file, *devnull = NULL;
b20c8122 2422 struct tty_struct *tty;
24ec839c 2423 int drop_tty = 0;
c3c073f8 2424 unsigned n;
1da177e4 2425
24ec839c 2426 tty = get_current_tty();
1da177e4 2427 if (tty) {
4a510969 2428 spin_lock(&tty->files_lock);
37dd0bd0 2429 if (!list_empty(&tty->tty_files)) {
d996b62a 2430 struct tty_file_private *file_priv;
37dd0bd0 2431
1da177e4 2432 /* Revalidate access to controlling tty.
13f8e981
DH		 2433 Use file_path_has_perm on the tty path directly
2434 rather than using file_has_perm, as this particular
2435 open file may belong to another process and we are
2436 only interested in the inode-based check here. */
d996b62a
NP		 2437 file_priv = list_first_entry(&tty->tty_files,
2438 struct tty_file_private, list);
2439 file = file_priv->file;
13f8e981 2440 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2441 drop_tty = 1;
1da177e4 2442 }
4a510969 2443 spin_unlock(&tty->files_lock);
452a00d2 2444 tty_kref_put(tty);
1da177e4 2445 }
98a27ba4
EB		 2446 /* Reset controlling tty. */
2447 if (drop_tty)
2448 no_tty();
1da177e4
LT		 2449
2450 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2451 n = iterate_fd(files, 0, match_file, cred);
2452 if (!n) /* none found? */
2453 return;
1da177e4 2454
c3c073f8 2455 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2456 if (IS_ERR(devnull))
2457 devnull = NULL;
2458 /* replace all the matching ones with this */
2459 do {
2460 replace_fd(n - 1, devnull, 0);
2461 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2462 if (devnull)
c3c073f8 2463 fput(devnull);
1da177e4
LT		 2464}
2465
a6f76f23
DH		 2466/*
2467 * Prepare a process for imminent new credential changes due to exec
2468 */
2469static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2470{
a6f76f23
DH		 2471 struct task_security_struct *new_tsec;
2472 struct rlimit *rlim, *initrlim;
2473 int rc, i;
d84f4f99 2474
0c6cfa62 2475 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2476 if (new_tsec->sid == new_tsec->osid)
2477 return;
1da177e4 2478
a6f76f23
DH		 2479 /* Close files for which the new task SID is not authorized. */
2480 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2481
a6f76f23
DH		 2482 /* Always clear parent death signal on SID transitions. */
2483 current->pdeath_signal = 0;
0356357c 2484
a6f76f23
DH		 2485 /* Check whether the new SID can inherit resource limits from the old
2486 * SID. If not, reset all soft limits to the lower of the current
2487 * task's hard limit and the init task's soft limit.
2488 *
2489 * Note that the setting of hard limits (even to lower them) can be
2490 * controlled by the setrlimit check. The inclusion of the init task's
2491 * soft limit into the computation is to avoid resetting soft limits
2492 * higher than the default soft limit for cases where the default is
2493 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2494 */
6b6bc620
SS		 2495 rc = avc_has_perm(&selinux_state,
2496 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
a6f76f23
DH		 2497 PROCESS__RLIMITINH, NULL);
2498 if (rc) {
eb2d55a3
ON		 2499 /* protect against do_prlimit() */
2500 task_lock(current);
a6f76f23
DH		 2501 for (i = 0; i < RLIM_NLIMITS; i++) {
2502 rlim = current->signal->rlim + i;
2503 initrlim = init_task.signal->rlim + i;
2504 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2505 }
eb2d55a3 2506 task_unlock(current);
baa73d9e
NP		 2507 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2508 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2509 }
2510}
2511
2512/*
a6f76f23
DH		 2513 * Clean up the process immediately after the installation of new credentials
2514 * due to exec
1da177e4 2515 */
a6f76f23 2516static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2517{
0c6cfa62 2518 const struct task_security_struct *tsec = selinux_cred(current_cred());
a6f76f23 2519 u32 osid, sid;
ddbc7d06 2520 int rc;
1da177e4 2521
a6f76f23
DH		 2522 osid = tsec->osid;
2523 sid = tsec->sid;
2524
2525 if (sid == osid)
1da177e4
LT		 2526 return;
2527
a6f76f23
DH		 2528 /* Check whether the new SID can inherit signal state from the old SID.
2529 * If not, clear itimers to avoid subsequent signal generation and
2530 * flush and unblock signals.
2531 *
2532 * This must occur _after_ the task SID has been updated so that any
2533 * kill done after the flush will be checked against the new SID.
2534 */
6b6bc620
SS		 2535 rc = avc_has_perm(&selinux_state,
2536 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2537 if (rc) {
ddbc7d06
AB		 2538 clear_itimer();
2539
1da177e4 2540 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2541 if (!fatal_signal_pending(current)) {
2542 flush_sigqueue(&current->pending);
2543 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2544 flush_signal_handlers(current, 1);
2545 sigemptyset(&current->blocked);
9e7c8f8c 2546 recalc_sigpending();
3bcac026 2547 }
1da177e4
LT		 2548 spin_unlock_irq(&current->sighand->siglock);
2549 }
2550
a6f76f23
DH		 2551 /* Wake up the parent if it is waiting so that it can recheck
2552 * wait permission to the new task SID. */
ecd6de3c 2553 read_lock(&tasklist_lock);
0b7570e7 2554 __wake_up_parent(current, current->real_parent);
ecd6de3c 2555 read_unlock(&tasklist_lock);
1da177e4
LT		 2556}
2557
2558/* superblock security operations */
2559
2560static int selinux_sb_alloc_security(struct super_block *sb)
2561{
cb89e246
PM		 2562 struct superblock_security_struct *sbsec;
2563
2564 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
2565 if (!sbsec)
2566 return -ENOMEM;
2567
2568 mutex_init(&sbsec->lock);
2569 INIT_LIST_HEAD(&sbsec->isec_head);
2570 spin_lock_init(&sbsec->isec_lock);
cb89e246
PM		 2571 sbsec->sid = SECINITSID_UNLABELED;
2572 sbsec->def_sid = SECINITSID_FILE;
2573 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2574 sb->s_security = sbsec;
2575
2576 return 0;
1da177e4
LT		 2577}
2578
2579static void selinux_sb_free_security(struct super_block *sb)
2580{
2581 superblock_free_security(sb);
2582}
2583
99dbbb59 2584static inline int opt_len(const char *s)
1da177e4 2585{
99dbbb59
AV		 2586 bool open_quote = false;
2587 int len;
2588 char c;
1da177e4 2589
99dbbb59
AV		 2590 for (len = 0; (c = s[len]) != '\0'; len++) {
2591 if (c == '"')
2592 open_quote = !open_quote;
2593 if (c == ',' && !open_quote)
2594 break;
3528a953 2595 }
99dbbb59 2596 return len;
3528a953
CO		 2597}
2598
99dbbb59 2599static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
1da177e4 2600{
99dbbb59
AV		 2601 char *from = options;
2602 char *to = options;
2603 bool first = true;
fec63753 2604 int rc;
1da177e4 2605
99dbbb59
AV		 2606 while (1) {
2607 int len = opt_len(from);
fec63753 2608 int token;
99dbbb59 2609 char *arg = NULL;
1da177e4 2610
99dbbb59 2611 token = match_opt_prefix(from, len, &arg);
1da177e4 2612
99dbbb59
AV		 2613 if (token != Opt_error) {
2614 char *p, *q;
1da177e4 2615
99dbbb59
AV		 2616 /* strip quotes */
2617 if (arg) {
2618 for (p = q = arg; p < from + len; p++) {
2619 char c = *p;
2620 if (c != '"')
2621 *q++ = c;
2622 }
2623 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
fec63753
GZ		 2624 if (!arg) {
2625 rc = -ENOMEM;
2626 goto free_opt;
2627 }
99dbbb59
AV		 2628 }
2629 rc = selinux_add_opt(token, arg, mnt_opts);
2630 if (unlikely(rc)) {
2631 kfree(arg);
fec63753 2632 goto free_opt;
99dbbb59
AV		 2633 }
2634 } else {
2635 if (!first) { // copy with preceding comma
2636 from--;
2637 len++;
2638 }
2639 if (to != from)
2640 memmove(to, from, len);
2641 to += len;
2642 first = false;
1da177e4 2643 }
99dbbb59
AV		 2644 if (!from[len])
2645 break;
2646 from += len + 1;
2647 }
2648 *to = '\0';
2649 return 0;
fec63753
GZ		 2650
2651free_opt:
2652 if (*mnt_opts) {
2653 selinux_free_mnt_opts(*mnt_opts);
2654 *mnt_opts = NULL;
2655 }
2656 return rc;
1da177e4
LT		 2657}
2658
204cc0cc 2659static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
026eb167 2660{
bd323655 2661 struct selinux_mnt_opts *opts = mnt_opts;
026eb167 2662 struct superblock_security_struct *sbsec = sb->s_security;
bd323655
AV		 2663 u32 sid;
2664 int rc;
026eb167
EP		 2665
2666 if (!(sbsec->flags & SE_SBINITIALIZED))
2667 return 0;
2668
204cc0cc 2669 if (!opts)
026eb167
EP		 2670 return 0;
2671
bd323655
AV		 2672 if (opts->fscontext) {
2673 rc = parse_sid(sb, opts->fscontext, &sid);
2674 if (rc)
c039bc3c 2675 return rc;
bd323655
AV		 2676 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2677 goto out_bad_option;
026eb167 2678 }
bd323655
AV		 2679 if (opts->context) {
2680 rc = parse_sid(sb, opts->context, &sid);
2681 if (rc)
2682 return rc;
2683 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2684 goto out_bad_option;
2685 }
2686 if (opts->rootcontext) {
2687 struct inode_security_struct *root_isec;
2688 root_isec = backing_inode_security(sb->s_root);
2689 rc = parse_sid(sb, opts->rootcontext, &sid);
2690 if (rc)
2691 return rc;
2692 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2693 goto out_bad_option;
2694 }
2695 if (opts->defcontext) {
2696 rc = parse_sid(sb, opts->defcontext, &sid);
2697 if (rc)
2698 return rc;
2699 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2700 goto out_bad_option;
026eb167 2701 }
c039bc3c 2702 return 0;
026eb167 2703
026eb167 2704out_bad_option:
c103a91e 2705 pr_warn("SELinux: unable to change security options "
29b1deb2
LT		 2706 "during remount (dev %s, type=%s)\n", sb->s_id,
2707 sb->s_type->name);
c039bc3c 2708 return -EINVAL;
026eb167
EP		 2709}
2710
a10d7c22 2711static int selinux_sb_kern_mount(struct super_block *sb)
1da177e4 2712{
88e67f3b 2713 const struct cred *cred = current_cred();
2bf49690 2714 struct common_audit_data ad;
74192246 2715
50c205f5 2716 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2717 ad.u.dentry = sb->s_root;
88e67f3b 2718 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2719}
2720
726c3342 2721static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2722{
88e67f3b 2723 const struct cred *cred = current_cred();
2bf49690 2724 struct common_audit_data ad;
1da177e4 2725
50c205f5 2726 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2727 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2728 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2729}
2730
808d4e3c 2731static int selinux_mount(const char *dev_name,
8a04c43b 2732 const struct path *path,
808d4e3c 2733 const char *type,
828dfe1d
EP		 2734 unsigned long flags,
2735 void *data)
1da177e4 2736{
88e67f3b 2737 const struct cred *cred = current_cred();
1da177e4
LT		 2738
2739 if (flags & MS_REMOUNT)
d8c9584e 2740 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2741 FILESYSTEM__REMOUNT, NULL);
1da177e4 2742 else
2875fa00 2743 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2744}
2745
98aa0034
SS		 2746static int selinux_move_mount(const struct path *from_path,
2747 const struct path *to_path)
2748{
2749 const struct cred *cred = current_cred();
2750
2751 return path_has_perm(cred, to_path, FILE__MOUNTON);
2752}
2753
1da177e4
LT		 2754static int selinux_umount(struct vfsmount *mnt, int flags)
2755{
88e67f3b 2756 const struct cred *cred = current_cred();
1da177e4 2757
88e67f3b 2758 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2759 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2760}
2761
0b52075e
AV		 2762static int selinux_fs_context_dup(struct fs_context *fc,
2763 struct fs_context *src_fc)
2764{
2765 const struct selinux_mnt_opts *src = src_fc->security;
2766 struct selinux_mnt_opts *opts;
2767
2768 if (!src)
2769 return 0;
2770
2771 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2772 if (!fc->security)
2773 return -ENOMEM;
2774
2775 opts = fc->security;
2776
2777 if (src->fscontext) {
2778 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2779 if (!opts->fscontext)
2780 return -ENOMEM;
2781 }
2782 if (src->context) {
2783 opts->context = kstrdup(src->context, GFP_KERNEL);
2784 if (!opts->context)
2785 return -ENOMEM;
2786 }
2787 if (src->rootcontext) {
2788 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2789 if (!opts->rootcontext)
2790 return -ENOMEM;
2791 }
2792 if (src->defcontext) {
2793 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2794 if (!opts->defcontext)
2795 return -ENOMEM;
2796 }
2797 return 0;
2798}
2799
d7167b14 2800static const struct fs_parameter_spec selinux_fs_parameters[] = {
442155c1
DH		 2801 fsparam_string(CONTEXT_STR, Opt_context),
2802 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2803 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2804 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2805 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2806 {}
2807};
2808
442155c1
DH		 2809static int selinux_fs_context_parse_param(struct fs_context *fc,
2810 struct fs_parameter *param)
2811{
2812 struct fs_parse_result result;
2813 int opt, rc;
2814
d7167b14 2815 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
442155c1
DH		 2816 if (opt < 0)
2817 return opt;
2818
2819 rc = selinux_add_opt(opt, param->string, &fc->security);
2820 if (!rc) {
2821 param->string = NULL;
2822 rc = 1;
2823 }
2824 return rc;
2825}
2826
1da177e4
LT		 2827/* inode security operations */
2828
2829static int selinux_inode_alloc_security(struct inode *inode)
2830{
cb89e246
PM		 2831 struct inode_security_struct *isec = selinux_inode(inode);
2832 u32 sid = current_sid();
2833
2834 spin_lock_init(&isec->lock);
2835 INIT_LIST_HEAD(&isec->list);
2836 isec->inode = inode;
2837 isec->sid = SECINITSID_UNLABELED;
2838 isec->sclass = SECCLASS_FILE;
2839 isec->task_sid = sid;
2840 isec->initialized = LABEL_INVALID;
2841
2842 return 0;
1da177e4
LT		 2843}
2844
2845static void selinux_inode_free_security(struct inode *inode)
2846{
2847 inode_free_security(inode);
2848}
2849
d47be3df 2850static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2851 const struct qstr *name, void **ctx,
d47be3df
DQ		 2852 u32 *ctxlen)
2853{
d47be3df
DQ		 2854 u32 newsid;
2855 int rc;
2856
0c6cfa62 2857 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2858 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2859 inode_mode_to_security_class(mode),
2860 &newsid);
2861 if (rc)
2862 return rc;
d47be3df 2863
aa8e712c
SS		 2864 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2865 ctxlen);
d47be3df
DQ		 2866}
2867
a518b0a5
VG		 2868static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2869 struct qstr *name,
2870 const struct cred *old,
2871 struct cred *new)
2872{
2873 u32 newsid;
2874 int rc;
2875 struct task_security_struct *tsec;
2876
0c6cfa62 2877 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2878 d_inode(dentry->d_parent), name,
2879 inode_mode_to_security_class(mode),
2880 &newsid);
2881 if (rc)
2882 return rc;
2883
0c6cfa62 2884 tsec = selinux_cred(new);
a518b0a5
VG		 2885 tsec->create_sid = newsid;
2886 return 0;
2887}
2888
5e41ff9e 2889static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2890 const struct qstr *qstr,
2891 const char **name,
2a7dba39 2892 void **value, size_t *len)
5e41ff9e 2893{
0c6cfa62 2894 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2895 struct superblock_security_struct *sbsec;
c0d4f464 2896 u32 newsid, clen;
5e41ff9e 2897 int rc;
9548906b 2898 char *context;
5e41ff9e 2899
5e41ff9e 2900 sbsec = dir->i_sb->s_security;
5e41ff9e 2901
275bb41e
DH		 2902 newsid = tsec->create_sid;
2903
210a2928 2904 rc = selinux_determine_inode_label(tsec, dir, qstr,
c3c188b2
DH		 2905 inode_mode_to_security_class(inode->i_mode),
2906 &newsid);
2907 if (rc)
2908 return rc;
5e41ff9e 2909
296fddf7 2910 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2911 if (sbsec->flags & SE_SBINITIALIZED) {
80788c22 2912 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2913 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2914 isec->sid = newsid;
6f3be9f5 2915 isec->initialized = LABEL_INITIALIZED;
296fddf7 2916 }
5e41ff9e 2917
65cddd50
OM		 2918 if (!selinux_initialized(&selinux_state) ||
2919 !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2920 return -EOPNOTSUPP;
2921
9548906b
TH		 2922 if (name)
2923 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2924
570bc1c2 2925 if (value && len) {
aa8e712c
SS		 2926 rc = security_sid_to_context_force(&selinux_state, newsid,
2927 &context, &clen);
9548906b 2928 if (rc)
570bc1c2 2929 return rc;
570bc1c2
SS		 2930 *value = context;
2931 *len = clen;
5e41ff9e 2932 }
5e41ff9e 2933
5e41ff9e
SS		 2934 return 0;
2935}
2936
4acdaf27 2937static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2938{
2939 return may_create(dir, dentry, SECCLASS_FILE);
2940}
2941
1da177e4
LT		 2942static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2943{
1da177e4
LT		 2944 return may_link(dir, old_dentry, MAY_LINK);
2945}
2946
1da177e4
LT		 2947static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2948{
1da177e4
LT		 2949 return may_link(dir, dentry, MAY_UNLINK);
2950}
2951
2952static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2953{
2954 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2955}
2956
18bb1db3 2957static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2958{
2959 return may_create(dir, dentry, SECCLASS_DIR);
2960}
2961
1da177e4
LT		 2962static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2963{
2964 return may_link(dir, dentry, MAY_RMDIR);
2965}
2966
1a67aafb 2967static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2968{
1da177e4
LT		 2969 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2970}
2971
1da177e4 2972static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2973 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2974{
2975 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2976}
2977
1da177e4
LT		 2978static int selinux_inode_readlink(struct dentry *dentry)
2979{
88e67f3b
DH		 2980 const struct cred *cred = current_cred();
2981
2875fa00 2982 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2983}
2984
bda0be7a
N		 2985static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2986 bool rcu)
1da177e4 2987{
88e67f3b 2988 const struct cred *cred = current_cred();
bda0be7a
N		 2989 struct common_audit_data ad;
2990 struct inode_security_struct *isec;
2991 u32 sid;
1da177e4 2992
bda0be7a
N		 2993 validate_creds(cred);
2994
2995 ad.type = LSM_AUDIT_DATA_DENTRY;
2996 ad.u.dentry = dentry;
2997 sid = cred_sid(cred);
5d226df4
AG		 2998 isec = inode_security_rcu(inode, rcu);
2999 if (IS_ERR(isec))
3000 return PTR_ERR(isec);
bda0be7a 3001
1a37079c
SS		 3002 return avc_has_perm_flags(&selinux_state,
3003 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3004 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3005}
3006
d4cf970d
EP		 3007static noinline int audit_inode_permission(struct inode *inode,
3008 u32 perms, u32 audited, u32 denied,
0188d5c0 3009 int result)
1da177e4 3010{
b782e0a6 3011 struct common_audit_data ad;
80788c22 3012 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d
EP		 3013 int rc;
3014
50c205f5 3015 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3016 ad.u.inode = inode;
3017
6b6bc620
SS		 3018 rc = slow_avc_audit(&selinux_state,
3019 current_sid(), isec->sid, isec->sclass, perms,
0188d5c0 3020 audited, denied, result, &ad);
d4cf970d
EP		 3021 if (rc)
3022 return rc;
3023 return 0;
3024}
3025
e74f71eb 3026static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3027{
88e67f3b 3028 const struct cred *cred = current_cred();
b782e0a6
EP		 3029 u32 perms;
3030 bool from_access;
5298d0b9 3031 bool no_block = mask & MAY_NOT_BLOCK;
2e334057
EP		 3032 struct inode_security_struct *isec;
3033 u32 sid;
3034 struct av_decision avd;
3035 int rc, rc2;
3036 u32 audited, denied;
1da177e4 3037
b782e0a6 3038 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3039 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3040
b782e0a6
EP		 3041 /* No permission to check. Existence test. */
3042 if (!mask)
1da177e4 3043 return 0;
1da177e4 3044
2e334057 3045 validate_creds(cred);
b782e0a6 3046
2e334057
EP		 3047 if (unlikely(IS_PRIVATE(inode)))
3048 return 0;
b782e0a6
EP		 3049
3050 perms = file_mask_to_av(inode->i_mode, mask);
3051
2e334057 3052 sid = cred_sid(cred);
5298d0b9 3053 isec = inode_security_rcu(inode, no_block);
5d226df4
AG		 3054 if (IS_ERR(isec))
3055 return PTR_ERR(isec);
2e334057 3056
6b6bc620 3057 rc = avc_has_perm_noaudit(&selinux_state,
3a28cff3 3058 sid, isec->sid, isec->sclass, perms,
5298d0b9 3059 no_block ? AVC_NONBLOCKING : 0,
3a28cff3 3060 &avd);
2e334057
EP		 3061 audited = avc_audit_required(perms, &avd, rc,
3062 from_access ? FILE__AUDIT_ACCESS : 0,
3063 &denied);
3064 if (likely(!audited))
3065 return rc;
3066
0188d5c0 3067 /* fall back to ref-walk if we have to generate audit */
5298d0b9 3068 if (no_block)
0188d5c0
SS		 3069 return -ECHILD;
3070
3071 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
2e334057
EP		 3072 if (rc2)
3073 return rc2;
3074 return rc;
1da177e4
LT		 3075}
3076
3077static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3078{
88e67f3b 3079 const struct cred *cred = current_cred();
ccb54478 3080 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3081 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3082 __u32 av = FILE__WRITE;
1da177e4 3083
bc6a6008
AW		 3084 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3085 if (ia_valid & ATTR_FORCE) {
3086 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3087 ATTR_FORCE);
3088 if (!ia_valid)
3089 return 0;
3090 }
1da177e4 3091
bc6a6008
AW		 3092 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3093 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3094 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3095
aa8e712c 3096 if (selinux_policycap_openperm() &&
ccb54478
SS		 3097 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3098 (ia_valid & ATTR_SIZE) &&
3099 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3100 av |= FILE__OPEN;
3101
3102 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3103}
3104
3f7036a0 3105static int selinux_inode_getattr(const struct path *path)
1da177e4 3106{
3f7036a0 3107 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3108}
3109
db59000a
SS		 3110static bool has_cap_mac_admin(bool audit)
3111{
3112 const struct cred *cred = current_cred();
c1a85a00 3113 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
db59000a 3114
c1a85a00 3115 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
db59000a 3116 return false;
c1a85a00 3117 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
db59000a
SS		 3118 return false;
3119 return true;
3120}
3121
8f0cfa52
DH		 3122static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3123 const void *value, size_t size, int flags)
1da177e4 3124{
c6f493d6 3125 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3126 struct inode_security_struct *isec;
1da177e4 3127 struct superblock_security_struct *sbsec;
2bf49690 3128 struct common_audit_data ad;
275bb41e 3129 u32 newsid, sid = current_sid();
1da177e4
LT		 3130 int rc = 0;
3131
6b240306
EB		 3132 if (strcmp(name, XATTR_NAME_SELINUX)) {
3133 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3134 if (rc)
3135 return rc;
3136
3137 /* Not an attribute we recognize, so just check the
3138 ordinary setattr permission. */
3139 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3140 }
1da177e4 3141
65cddd50 3142 if (!selinux_initialized(&selinux_state))
3e3e24b4
JL		 3143 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3144
1da177e4 3145 sbsec = inode->i_sb->s_security;
12f348b9 3146 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3147 return -EOPNOTSUPP;
3148
2e149670 3149 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3150 return -EPERM;
3151
50c205f5 3152 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3153 ad.u.dentry = dentry;
1da177e4 3154
20cdef8d 3155 isec = backing_inode_security(dentry);
6b6bc620
SS		 3156 rc = avc_has_perm(&selinux_state,
3157 sid, isec->sid, isec->sclass,
1da177e4
LT		 3158 FILE__RELABELFROM, &ad);
3159 if (rc)
3160 return rc;
3161
aa8e712c
SS		 3162 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3163 GFP_KERNEL);
12b29f34 3164 if (rc == -EINVAL) {
db59000a 3165 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3166 struct audit_buffer *ab;
3167 size_t audit_size;
d6ea83ec
EP		 3168
3169 /* We strip a nul only if it is at the end, otherwise the
3170 * context contains a nul and we should audit that */
e3fea3f7 3171 if (value) {
add24372
CIK		 3172 const char *str = value;
3173
e3fea3f7
AV		 3174 if (str[size - 1] == '\0')
3175 audit_size = size - 1;
3176 else
3177 audit_size = size;
3178 } else {
e3fea3f7
AV		 3179 audit_size = 0;
3180 }
cdfb6b34
RGB		 3181 ab = audit_log_start(audit_context(),
3182 GFP_ATOMIC, AUDIT_SELINUX_ERR);
d6ea83ec
EP		 3183 audit_log_format(ab, "op=setxattr invalid_context=");
3184 audit_log_n_untrustedstring(ab, value, audit_size);
3185 audit_log_end(ab);
3186
12b29f34 3187 return rc;
d6ea83ec 3188 }
aa8e712c
SS		 3189 rc = security_context_to_sid_force(&selinux_state, value,
3190 size, &newsid);
12b29f34 3191 }
1da177e4
LT		 3192 if (rc)
3193 return rc;
3194
6b6bc620
SS		 3195 rc = avc_has_perm(&selinux_state,
3196 sid, newsid, isec->sclass,
1da177e4
LT		 3197 FILE__RELABELTO, &ad);
3198 if (rc)
3199 return rc;
3200
aa8e712c
SS		 3201 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3202 sid, isec->sclass);
1da177e4
LT		 3203 if (rc)
3204 return rc;
3205
6b6bc620
SS		 3206 return avc_has_perm(&selinux_state,
3207 newsid,
1da177e4
LT		 3208 sbsec->sid,
3209 SECCLASS_FILESYSTEM,
3210 FILESYSTEM__ASSOCIATE,
3211 &ad);
3212}
3213
8f0cfa52 3214static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3215 const void *value, size_t size,
8f0cfa52 3216 int flags)
1da177e4 3217{
c6f493d6 3218 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3219 struct inode_security_struct *isec;
1da177e4
LT		 3220 u32 newsid;
3221 int rc;
3222
3223 if (strcmp(name, XATTR_NAME_SELINUX)) {
3224 /* Not an attribute we recognize, so nothing to do. */
3225 return;
3226 }
3227
65cddd50 3228 if (!selinux_initialized(&selinux_state)) {
3e3e24b4
JL		 3229 /* If we haven't even been initialized, then we can't validate
3230 * against a policy, so leave the label as invalid. It may
3231 * resolve to a valid label on the next revalidation try if
3232 * we've since initialized.
3233 */
3234 return;
3235 }
3236
aa8e712c
SS		 3237 rc = security_context_to_sid_force(&selinux_state, value, size,
3238 &newsid);
1da177e4 3239 if (rc) {
c103a91e 3240 pr_err("SELinux: unable to map context to SID"
12b29f34
SS		 3241 "for (%s, %lu), rc=%d\n",
3242 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3243 return;
3244 }
3245
20cdef8d 3246 isec = backing_inode_security(dentry);
9287aed2 3247 spin_lock(&isec->lock);
aa9c2669 3248 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3249 isec->sid = newsid;
6f3be9f5 3250 isec->initialized = LABEL_INITIALIZED;
9287aed2 3251 spin_unlock(&isec->lock);
aa9c2669 3252
1da177e4
LT		 3253 return;
3254}
3255
8f0cfa52 3256static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3257{
88e67f3b
DH		 3258 const struct cred *cred = current_cred();
3259
2875fa00 3260 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3261}
3262
828dfe1d 3263static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3264{
88e67f3b
DH		 3265 const struct cred *cred = current_cred();
3266
2875fa00 3267 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3268}
3269
8f0cfa52 3270static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3271{
6b240306
EB		 3272 if (strcmp(name, XATTR_NAME_SELINUX)) {
3273 int rc = cap_inode_removexattr(dentry, name);
3274 if (rc)
3275 return rc;
3276
3277 /* Not an attribute we recognize, so just check the
3278 ordinary setattr permission. */
3279 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3280 }
1da177e4 3281
9530a3e0
SS		 3282 if (!selinux_initialized(&selinux_state))
3283 return 0;
3284
1da177e4
LT		 3285 /* No one is allowed to remove a SELinux security label.
3286 You can change the label, but all data must be labeled. */
3287 return -EACCES;
3288}
3289
ac5656d8
AG		 3290static int selinux_path_notify(const struct path *path, u64 mask,
3291 unsigned int obj_type)
3292{
3293 int ret;
3294 u32 perm;
3295
3296 struct common_audit_data ad;
3297
3298 ad.type = LSM_AUDIT_DATA_PATH;
3299 ad.u.path = *path;
3300
3301 /*
3302 * Set permission needed based on the type of mark being set.
3303 * Performs an additional check for sb watches.
3304 */
3305 switch (obj_type) {
3306 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3307 perm = FILE__WATCH_MOUNT;
3308 break;
3309 case FSNOTIFY_OBJ_TYPE_SB:
3310 perm = FILE__WATCH_SB;
3311 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3312 FILESYSTEM__WATCH, &ad);
3313 if (ret)
3314 return ret;
3315 break;
3316 case FSNOTIFY_OBJ_TYPE_INODE:
3317 perm = FILE__WATCH;
3318 break;
3319 default:
3320 return -EINVAL;
3321 }
3322
3323 /* blocking watches require the file:watch_with_perm permission */
3324 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3325 perm |= FILE__WATCH_WITH_PERM;
3326
3327 /* watches on read-like events need the file:watch_reads permission */
3328 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3329 perm |= FILE__WATCH_READS;
3330
3331 return path_has_perm(current_cred(), path, perm);
3332}
3333
d381d8a9 3334/*
abc69bb6 3335 * Copy the inode security context value to the user.
d381d8a9
JM		 3336 *
3337 * Permission check is handled by selinux_inode_getxattr hook.
3338 */
ea861dfd 3339static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3340{
42492594
DQ		 3341 u32 size;
3342 int error;
3343 char *context = NULL;
20cdef8d 3344 struct inode_security_struct *isec;
d381d8a9 3345
c8e22261
JL		 3346 /*
3347 * If we're not initialized yet, then we can't validate contexts, so
3348 * just let vfs_getxattr fall back to using the on-disk xattr.
3349 */
3350 if (!selinux_initialized(&selinux_state) ||
3351 strcmp(name, XATTR_SELINUX_SUFFIX))
8c8570fb 3352 return -EOPNOTSUPP;
d381d8a9 3353
abc69bb6
SS		 3354 /*
3355 * If the caller has CAP_MAC_ADMIN, then get the raw context
3356 * value even if it is not defined by current policy; otherwise,
3357 * use the in-core value under current policy.
3358 * Use the non-auditing forms of the permission checks since
3359 * getxattr may be called by unprivileged processes commonly
3360 * and lack of permission just means that we fall back to the
3361 * in-core context value, not a denial.
3362 */
20cdef8d 3363 isec = inode_security(inode);
db59000a 3364 if (has_cap_mac_admin(false))
aa8e712c
SS		 3365 error = security_sid_to_context_force(&selinux_state,
3366 isec->sid, &context,
abc69bb6
SS		 3367 &size);
3368 else
aa8e712c
SS		 3369 error = security_sid_to_context(&selinux_state, isec->sid,
3370 &context, &size);
42492594
DQ		 3371 if (error)
3372 return error;
3373 error = size;
3374 if (alloc) {
3375 *buffer = context;
3376 goto out_nofree;
3377 }
3378 kfree(context);
3379out_nofree:
3380 return error;
1da177e4
LT		 3381}
3382
3383static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3384 const void *value, size_t size, int flags)
1da177e4 3385{
2c97165b 3386 struct inode_security_struct *isec = inode_security_novalidate(inode);
53e0c2aa 3387 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1da177e4
LT		 3388 u32 newsid;
3389 int rc;
3390
3391 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3392 return -EOPNOTSUPP;
3393
53e0c2aa
OM		 3394 if (!(sbsec->flags & SBLABEL_MNT))
3395 return -EOPNOTSUPP;
3396
1da177e4
LT		 3397 if (!value || !size)
3398 return -EACCES;
3399
aa8e712c
SS		 3400 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3401 GFP_KERNEL);
1da177e4
LT		 3402 if (rc)
3403 return rc;
3404
9287aed2 3405 spin_lock(&isec->lock);
aa9c2669 3406 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3407 isec->sid = newsid;
6f3be9f5 3408 isec->initialized = LABEL_INITIALIZED;
9287aed2 3409 spin_unlock(&isec->lock);
1da177e4
LT		 3410 return 0;
3411}
3412
3413static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3414{
3415 const int len = sizeof(XATTR_NAME_SELINUX);
3416 if (buffer && len <= buffer_size)
3417 memcpy(buffer, XATTR_NAME_SELINUX, len);
3418 return len;
3419}
3420
d6335d77 3421static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3422{
e817c2f3 3423 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3424 *secid = isec->sid;
3425}
3426
56909eb3
VG		 3427static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3428{
3429 u32 sid;
3430 struct task_security_struct *tsec;
3431 struct cred *new_creds = *new;
3432
3433 if (new_creds == NULL) {
3434 new_creds = prepare_creds();
3435 if (!new_creds)
3436 return -ENOMEM;
3437 }
3438
0c6cfa62 3439 tsec = selinux_cred(new_creds);
56909eb3
VG		 3440 /* Get label from overlay inode and set it in create_sid */
3441 selinux_inode_getsecid(d_inode(src), &sid);
3442 tsec->create_sid = sid;
3443 *new = new_creds;
3444 return 0;
3445}
3446
19472b69
VG		 3447static int selinux_inode_copy_up_xattr(const char *name)
3448{
3449 /* The copy_up hook above sets the initial context on an inode, but we
3450 * don't then want to overwrite it by blindly copying all the lower
3451 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3452 */
3453 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3454 return 1; /* Discard */
3455 /*
3456 * Any other attribute apart from SELINUX is not claimed, supported
3457 * by selinux.
3458 */
3459 return -EOPNOTSUPP;
3460}
3461
ec882da5
OM		 3462/* kernfs node operations */
3463
c72c4cde
Y		 3464static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3465 struct kernfs_node *kn)
ec882da5 3466{
169ce0c0 3467 const struct task_security_struct *tsec = selinux_cred(current_cred());
ec882da5
OM		 3468 u32 parent_sid, newsid, clen;
3469 int rc;
3470 char *context;
3471
1537ad15 3472 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
ec882da5
OM		 3473 if (rc == -ENODATA)
3474 return 0;
3475 else if (rc < 0)
3476 return rc;
3477
3478 clen = (u32)rc;
3479 context = kmalloc(clen, GFP_KERNEL);
3480 if (!context)
3481 return -ENOMEM;
3482
1537ad15 3483 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
ec882da5
OM		 3484 if (rc < 0) {
3485 kfree(context);
3486 return rc;
3487 }
3488
3489 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3490 GFP_KERNEL);
3491 kfree(context);
3492 if (rc)
3493 return rc;
3494
3495 if (tsec->create_sid) {
3496 newsid = tsec->create_sid;
3497 } else {
3498 u16 secclass = inode_mode_to_security_class(kn->mode);
3499 struct qstr q;
3500
3501 q.name = kn->name;
3502 q.hash_len = hashlen_string(kn_dir, kn->name);
3503
3504 rc = security_transition_sid(&selinux_state, tsec->sid,
3505 parent_sid, secclass, &q,
3506 &newsid);
3507 if (rc)
3508 return rc;
3509 }
3510
3511 rc = security_sid_to_context_force(&selinux_state, newsid,
3512 &context, &clen);
3513 if (rc)
3514 return rc;
3515
1537ad15
OM		 3516 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3517 XATTR_CREATE);
ec882da5
OM		 3518 kfree(context);
3519 return rc;
3520}
3521
3522
1da177e4
LT		 3523/* file security operations */
3524
788e7dd4 3525static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3526{
88e67f3b 3527 const struct cred *cred = current_cred();
496ad9aa 3528 struct inode *inode = file_inode(file);
1da177e4 3529
1da177e4
LT		 3530 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3531 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3532 mask |= MAY_APPEND;
3533
389fb800
PM		 3534 return file_has_perm(cred, file,
3535 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3536}
3537
788e7dd4
YN		 3538static int selinux_file_permission(struct file *file, int mask)
3539{
496ad9aa 3540 struct inode *inode = file_inode(file);
bb6c6b02 3541 struct file_security_struct *fsec = selinux_file(file);
b197367e 3542 struct inode_security_struct *isec;
20dda18b
SS		 3543 u32 sid = current_sid();
3544
389fb800 3545 if (!mask)
788e7dd4
YN		 3546 /* No permission to check. Existence test. */
3547 return 0;
788e7dd4 3548
b197367e 3549 isec = inode_security(inode);
20dda18b 3550 if (sid == fsec->sid && fsec->isid == isec->sid &&
6b6bc620 3551 fsec->pseqno == avc_policy_seqno(&selinux_state))
83d49856 3552 /* No change since file_open check. */
20dda18b
SS		 3553 return 0;
3554
788e7dd4
YN		 3555 return selinux_revalidate_file_permission(file, mask);
3556}
3557
1da177e4
LT		 3558static int selinux_file_alloc_security(struct file *file)
3559{
cb89e246
PM		 3560 struct file_security_struct *fsec = selinux_file(file);
3561 u32 sid = current_sid();
3562
3563 fsec->sid = sid;
3564 fsec->fown_sid = sid;
3565
3566 return 0;
1da177e4
LT		 3567}
3568
fa1aa143
JVS		 3569/*
3570 * Check whether a task has the ioctl permission and cmd
3571 * operation to an inode.
3572 */
1d2a168a 3573static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3574 u32 requested, u16 cmd)
3575{
3576 struct common_audit_data ad;
bb6c6b02 3577 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3578 struct inode *inode = file_inode(file);
20cdef8d 3579 struct inode_security_struct *isec;
fa1aa143
JVS		 3580 struct lsm_ioctlop_audit ioctl;
3581 u32 ssid = cred_sid(cred);
3582 int rc;
3583 u8 driver = cmd >> 8;
3584 u8 xperm = cmd & 0xff;
3585
3586 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3587 ad.u.op = &ioctl;
3588 ad.u.op->cmd = cmd;
3589 ad.u.op->path = file->f_path;
3590
3591 if (ssid != fsec->sid) {
6b6bc620
SS		 3592 rc = avc_has_perm(&selinux_state,
3593 ssid, fsec->sid,
fa1aa143
JVS		 3594 SECCLASS_FD,
3595 FD__USE,
3596 &ad);
3597 if (rc)
3598 goto out;
3599 }
3600
3601 if (unlikely(IS_PRIVATE(inode)))
3602 return 0;
3603
20cdef8d 3604 isec = inode_security(inode);
6b6bc620
SS		 3605 rc = avc_has_extended_perms(&selinux_state,
3606 ssid, isec->sid, isec->sclass,
3607 requested, driver, xperm, &ad);
fa1aa143
JVS		 3608out:
3609 return rc;
3610}
3611
1da177e4
LT		 3612static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3613 unsigned long arg)
3614{
88e67f3b 3615 const struct cred *cred = current_cred();
0b24dcb7 3616 int error = 0;
1da177e4 3617
0b24dcb7
EP		 3618 switch (cmd) {
3619 case FIONREAD:
0b24dcb7 3620 case FIBMAP:
0b24dcb7 3621 case FIGETBSZ:
2f99c369 3622 case FS_IOC_GETFLAGS:
2f99c369 3623 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3624 error = file_has_perm(cred, file, FILE__GETATTR);
3625 break;
1da177e4 3626
2f99c369 3627 case FS_IOC_SETFLAGS:
2f99c369 3628 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3629 error = file_has_perm(cred, file, FILE__SETATTR);
3630 break;
3631
3632 /* sys_ioctl() checks */
3633 case FIONBIO:
0b24dcb7
EP		 3634 case FIOASYNC:
3635 error = file_has_perm(cred, file, 0);
3636 break;
1da177e4 3637
0b24dcb7
EP		 3638 case KDSKBENT:
3639 case KDSKBSENT:
6a9de491 3640 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
c1a85a00 3641 CAP_OPT_NONE, true);
0b24dcb7
EP		 3642 break;
3643
3644 /* default case assumes that the command will go
3645 * to the file's ioctl() function.
3646 */
3647 default:
fa1aa143 3648 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3649 }
3650 return error;
1da177e4
LT		 3651}
3652
b78b7d59 3653static int default_noexec __ro_after_init;
fcaaade1 3654
1da177e4
LT		 3655static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3656{
88e67f3b 3657 const struct cred *cred = current_cred();
be0554c9 3658 u32 sid = cred_sid(cred);
d84f4f99 3659 int rc = 0;
88e67f3b 3660
fcaaade1 3661 if (default_noexec &&
892e8cac
SS		 3662 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3663 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3664 /*
3665 * We are making executable an anonymous mapping or a
3666 * private file mapping that will also be writable.
3667 * This has an additional check.
3668 */
6b6bc620
SS		 3669 rc = avc_has_perm(&selinux_state,
3670 sid, sid, SECCLASS_PROCESS,
be0554c9 3671 PROCESS__EXECMEM, NULL);
1da177e4 3672 if (rc)
d84f4f99 3673 goto error;
1da177e4 3674 }
1da177e4
LT		 3675
3676 if (file) {
3677 /* read access is always possible with a mapping */
3678 u32 av = FILE__READ;
3679
3680 /* write access only matters if the mapping is shared */
3681 if (shared && (prot & PROT_WRITE))
3682 av |= FILE__WRITE;
3683
3684 if (prot & PROT_EXEC)
3685 av |= FILE__EXECUTE;
3686
88e67f3b 3687 return file_has_perm(cred, file, av);
1da177e4 3688 }
d84f4f99
DH		 3689
3690error:
3691 return rc;
1da177e4
LT		 3692}
3693
e5467859 3694static int selinux_mmap_addr(unsigned long addr)
1da177e4 3695{
b1d9e6b0 3696 int rc = 0;
1da177e4 3697
a2551df7 3698 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3699 u32 sid = current_sid();
6b6bc620
SS		 3700 rc = avc_has_perm(&selinux_state,
3701 sid, sid, SECCLASS_MEMPROTECT,
ed032189 3702 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3703 }
3704
98883bfd 3705 return rc;
e5467859 3706}
1da177e4 3707
e5467859
AV		 3708static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3709 unsigned long prot, unsigned long flags)
3710{
3ba4bf5f
SS		 3711 struct common_audit_data ad;
3712 int rc;
3713
3714 if (file) {
3715 ad.type = LSM_AUDIT_DATA_FILE;
3716 ad.u.file = file;
3717 rc = inode_has_perm(current_cred(), file_inode(file),
3718 FILE__MAP, &ad);
3719 if (rc)
3720 return rc;
3721 }
3722
8861d0af 3723 if (checkreqprot_get(&selinux_state))
1da177e4
LT		 3724 prot = reqprot;
3725
3726 return file_map_prot_check(file, prot,
3727 (flags & MAP_TYPE) == MAP_SHARED);
3728}
3729
3730static int selinux_file_mprotect(struct vm_area_struct *vma,
3731 unsigned long reqprot,
3732 unsigned long prot)
3733{
88e67f3b 3734 const struct cred *cred = current_cred();
be0554c9 3735 u32 sid = cred_sid(cred);
1da177e4 3736
8861d0af 3737 if (checkreqprot_get(&selinux_state))
1da177e4
LT		 3738 prot = reqprot;
3739
fcaaade1
SS		 3740 if (default_noexec &&
3741 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3742 int rc = 0;
db4c9641
SS		 3743 if (vma->vm_start >= vma->vm_mm->start_brk &&
3744 vma->vm_end <= vma->vm_mm->brk) {
6b6bc620
SS		 3745 rc = avc_has_perm(&selinux_state,
3746 sid, sid, SECCLASS_PROCESS,
be0554c9 3747 PROCESS__EXECHEAP, NULL);
db4c9641 3748 } else if (!vma->vm_file &&
c2316dbf
SS		 3749 ((vma->vm_start <= vma->vm_mm->start_stack &&
3750 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3751 vma_is_stack_for_current(vma))) {
6b6bc620
SS		 3752 rc = avc_has_perm(&selinux_state,
3753 sid, sid, SECCLASS_PROCESS,
be0554c9 3754 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3755 } else if (vma->vm_file && vma->anon_vma) {
3756 /*
3757 * We are making executable a file mapping that has
3758 * had some COW done. Since pages might have been
3759 * written, check ability to execute the possibly
3760 * modified content. This typically should only
3761 * occur for text relocations.
3762 */
d84f4f99 3763 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3764 }