]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
security: bpf: Add LSM hooks for bpf object related syscall
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
1da177e4
LT		 70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
1da177e4 78#include <linux/audit.h>
6931dfc9 79#include <linux/string.h>
877ce7c1 80#include <linux/selinux.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
1da177e4
LT		 88
89#include "avc.h"
90#include "objsec.h"
91#include "netif.h"
224dfbd8 92#include "netnode.h"
3e112172 93#include "netport.h"
409dcf31 94#include "ibpkey.h"
d28d1e08 95#include "xfrm.h"
c60475bf 96#include "netlabel.h"
9d57a7f9 97#include "audit.h"
7b98a585 98#include "avc_ss.h"
1da177e4 99
d621d35e 100/* SECMARK reference count */
56a4ca99 101static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 102
1da177e4 103#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 104int selinux_enforcing;
1da177e4
LT		 105
106static int __init enforcing_setup(char *str)
107{
f5269710 108 unsigned long enforcing;
29707b20 109 if (!kstrtoul(str, 0, &enforcing))
f5269710 110 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 111 return 1;
112}
113__setup("enforcing=", enforcing_setup);
114#endif
115
116#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119static int __init selinux_enabled_setup(char *str)
120{
f5269710 121 unsigned long enabled;
29707b20 122 if (!kstrtoul(str, 0, &enabled))
f5269710 123 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 124 return 1;
125}
126__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 127#else
128int selinux_enabled = 1;
1da177e4
LT		 129#endif
130
e18b890b 131static struct kmem_cache *sel_inode_cache;
63205654 132static struct kmem_cache *file_security_cache;
7cae7e26 133
d621d35e
PM		 134/**
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 *
137 * Description:
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 143 *
144 */
145static int selinux_secmark_enabled(void)
146{
2be4d74f
CP		 147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148}
149
150/**
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152 *
153 * Description:
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
158 *
159 */
160static int selinux_peerlbl_enabled(void)
161{
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 163}
164
615e51fd
PM		 165static int selinux_netcache_avc_callback(u32 event)
166{
167 if (event == AVC_CALLBACK_RESET) {
168 sel_netif_flush();
169 sel_netnode_flush();
170 sel_netport_flush();
171 synchronize_net();
172 }
173 return 0;
174}
175
8f408ab6
DJ		 176static int selinux_lsm_notifier_avc_callback(u32 event)
177{
409dcf31
DJ		 178 if (event == AVC_CALLBACK_RESET) {
179 sel_ib_pkey_flush();
8f408ab6 180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 181 }
8f408ab6
DJ		 182
183 return 0;
184}
185
d84f4f99
DH		 186/*
187 * initialise the security for the init task
188 */
189static void cred_init_security(void)
1da177e4 190{
3b11a1de 191 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 192 struct task_security_struct *tsec;
193
89d155ef 194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 195 if (!tsec)
d84f4f99 196 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 197
d84f4f99 198 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 199 cred->security = tsec;
1da177e4
LT		 200}
201
88e67f3b
DH		 202/*
203 * get the security ID of a set of credentials
204 */
205static inline u32 cred_sid(const struct cred *cred)
206{
207 const struct task_security_struct *tsec;
208
209 tsec = cred->security;
210 return tsec->sid;
211}
212
275bb41e 213/*
3b11a1de 214 * get the objective security ID of a task
275bb41e
DH		 215 */
216static inline u32 task_sid(const struct task_struct *task)
217{
275bb41e
DH		 218 u32 sid;
219
220 rcu_read_lock();
88e67f3b 221 sid = cred_sid(__task_cred(task));
275bb41e
DH		 222 rcu_read_unlock();
223 return sid;
224}
225
88e67f3b
DH		 226/* Allocate and free functions for each kind of security blob. */
227
1da177e4
LT		 228static int inode_alloc_security(struct inode *inode)
229{
1da177e4 230 struct inode_security_struct *isec;
275bb41e 231 u32 sid = current_sid();
1da177e4 232
a02fe132 233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 234 if (!isec)
235 return -ENOMEM;
236
9287aed2 237 spin_lock_init(&isec->lock);
1da177e4 238 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 239 isec->inode = inode;
240 isec->sid = SECINITSID_UNLABELED;
241 isec->sclass = SECCLASS_FILE;
275bb41e 242 isec->task_sid = sid;
42059112 243 isec->initialized = LABEL_INVALID;
1da177e4
LT		 244 inode->i_security = isec;
245
246 return 0;
247}
248
5d226df4
AG		 249static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250
251/*
252 * Try reloading inode security labels that have been marked as invalid. The
253 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 254 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
256 * when no dentry is available, set it to NULL instead.
257 */
258static int __inode_security_revalidate(struct inode *inode,
259 struct dentry *opt_dentry,
260 bool may_sleep)
261{
262 struct inode_security_struct *isec = inode->i_security;
263
264 might_sleep_if(may_sleep);
265
1ac42476 266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 267 if (!may_sleep)
268 return -ECHILD;
269
270 /*
271 * Try reloading the inode security label. This will fail if
272 * @opt_dentry is NULL and no dentry for this inode can be
273 * found; in that case, continue using the old label.
274 */
275 inode_doinit_with_dentry(inode, opt_dentry);
276 }
277 return 0;
278}
279
5d226df4
AG		 280static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
281{
282 return inode->i_security;
283}
284
285static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286{
287 int error;
288
289 error = __inode_security_revalidate(inode, NULL, !rcu);
290 if (error)
291 return ERR_PTR(error);
292 return inode->i_security;
293}
294
83da53c5
AG		 295/*
296 * Get the security label of an inode.
297 */
298static struct inode_security_struct *inode_security(struct inode *inode)
299{
5d226df4 300 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 301 return inode->i_security;
302}
303
2c97165b
PM		 304static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
305{
306 struct inode *inode = d_backing_inode(dentry);
307
308 return inode->i_security;
309}
310
83da53c5
AG		 311/*
312 * Get the security label of a dentry's backing inode.
313 */
314static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
315{
316 struct inode *inode = d_backing_inode(dentry);
317
5d226df4 318 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 319 return inode->i_security;
320}
321
3dc91d43
SR		 322static void inode_free_rcu(struct rcu_head *head)
323{
324 struct inode_security_struct *isec;
325
326 isec = container_of(head, struct inode_security_struct, rcu);
327 kmem_cache_free(sel_inode_cache, isec);
328}
329
1da177e4
LT		 330static void inode_free_security(struct inode *inode)
331{
332 struct inode_security_struct *isec = inode->i_security;
333 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
334
9629d04a
WL		 335 /*
336 * As not all inode security structures are in a list, we check for
337 * empty list outside of the lock to make sure that we won't waste
338 * time taking a lock doing nothing.
339 *
340 * The list_del_init() function can be safely called more than once.
341 * It should not be possible for this function to be called with
342 * concurrent list_add(), but for better safety against future changes
343 * in the code, we use list_empty_careful() here.
344 */
345 if (!list_empty_careful(&isec->list)) {
346 spin_lock(&sbsec->isec_lock);
1da177e4 347 list_del_init(&isec->list);
9629d04a
WL		 348 spin_unlock(&sbsec->isec_lock);
349 }
1da177e4 350
3dc91d43
SR		 351 /*
352 * The inode may still be referenced in a path walk and
353 * a call to selinux_inode_permission() can be made
354 * after inode_free_security() is called. Ideally, the VFS
355 * wouldn't do this, but fixing that is a much harder
356 * job. For now, simply free the i_security via RCU, and
357 * leave the current inode->i_security pointer intact.
358 * The inode will be freed after the RCU grace period too.
359 */
360 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 361}
362
363static int file_alloc_security(struct file *file)
364{
1da177e4 365 struct file_security_struct *fsec;
275bb41e 366 u32 sid = current_sid();
1da177e4 367
63205654 368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 369 if (!fsec)
370 return -ENOMEM;
371
275bb41e
DH		 372 fsec->sid = sid;
373 fsec->fown_sid = sid;
1da177e4
LT		 374 file->f_security = fsec;
375
376 return 0;
377}
378
379static void file_free_security(struct file *file)
380{
381 struct file_security_struct *fsec = file->f_security;
1da177e4 382 file->f_security = NULL;
63205654 383 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 384}
385
386static int superblock_alloc_security(struct super_block *sb)
387{
388 struct superblock_security_struct *sbsec;
389
89d155ef 390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 391 if (!sbsec)
392 return -ENOMEM;
393
bc7e982b 394 mutex_init(&sbsec->lock);
1da177e4
LT		 395 INIT_LIST_HEAD(&sbsec->isec_head);
396 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 397 sbsec->sb = sb;
398 sbsec->sid = SECINITSID_UNLABELED;
399 sbsec->def_sid = SECINITSID_FILE;
c312feb2 400 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 401 sb->s_security = sbsec;
402
403 return 0;
404}
405
406static void superblock_free_security(struct super_block *sb)
407{
408 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 409 sb->s_security = NULL;
410 kfree(sbsec);
411}
412
1da177e4
LT		 413static inline int inode_doinit(struct inode *inode)
414{
415 return inode_doinit_with_dentry(inode, NULL);
416}
417
418enum {
31e87930 419 Opt_error = -1,
1da177e4
LT		 420 Opt_context = 1,
421 Opt_fscontext = 2,
c9180a57
EP		 422 Opt_defcontext = 3,
423 Opt_rootcontext = 4,
11689d47 424 Opt_labelsupport = 5,
d355987f 425 Opt_nextmntopt = 6,
1da177e4
LT		 426};
427
d355987f
EP		 428#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
429
a447c093 430static const match_table_t tokens = {
832cbd9a
EP		 431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 435 {Opt_labelsupport, LABELSUPP_STR},
31e87930 436 {Opt_error, NULL},
1da177e4
LT		 437};
438
439#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
440
c312feb2
EP		 441static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
275bb41e 443 const struct cred *cred)
c312feb2 444{
275bb41e 445 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 446 int rc;
447
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
450 if (rc)
451 return rc;
452
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
455 return rc;
456}
457
0808925e
EP		 458static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
275bb41e 460 const struct cred *cred)
0808925e 461{
275bb41e 462 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 463 int rc;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
466 if (rc)
467 return rc;
468
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
471 return rc;
472}
473
b43e725d
EP		 474static int selinux_is_sblabel_mnt(struct super_block *sb)
475{
476 struct superblock_security_struct *sbsec = sb->s_security;
477
d5f3a5f6
MS		 478 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 481 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 482 /* Special handling. Genfs but also in-core setxattr handler */
483 !strcmp(sb->s_type->name, "sysfs") ||
484 !strcmp(sb->s_type->name, "pstore") ||
485 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 486 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 487 !strcmp(sb->s_type->name, "rootfs") ||
488 (selinux_policycap_cgroupseclabel &&
489 (!strcmp(sb->s_type->name, "cgroup") ||
490 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 491}
492
c9180a57 493static int sb_finish_set_opts(struct super_block *sb)
1da177e4 494{
1da177e4 495 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 496 struct dentry *root = sb->s_root;
c6f493d6 497 struct inode *root_inode = d_backing_inode(root);
c9180a57 498 int rc = 0;
1da177e4 499
c9180a57
EP		 500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 /* Make sure that the xattr handler exists and that no
502 error other than -ENODATA is returned by getxattr on
503 the root directory. -ENODATA is ok, as this may be
504 the first boot of the SELinux kernel before we have
505 assigned xattr values to the filesystem. */
5d6c3191 506 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 509 rc = -EOPNOTSUPP;
510 goto out;
511 }
5d6c3191
AG		 512
513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 514 if (rc < 0 && rc != -ENODATA) {
515 if (rc == -EOPNOTSUPP)
516 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 517 "%s) has no security xattr handler\n",
518 sb->s_id, sb->s_type->name);
c9180a57
EP		 519 else
520 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 521 "%s) getxattr errno %d\n", sb->s_id,
522 sb->s_type->name, -rc);
c9180a57
EP		 523 goto out;
524 }
525 }
1da177e4 526
eadcabc6 527 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 528
529 /*
530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
531 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 * us a superblock that needs the flag to be cleared.
533 */
b43e725d 534 if (selinux_is_sblabel_mnt(sb))
12f348b9 535 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 536 else
537 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 538
c9180a57
EP		 539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 541
c9180a57
EP		 542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
923190d3 553 list_del_init(&isec->list);
c9180a57
EP		 554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565out:
566 return rc;
567}
1da177e4 568
c9180a57
EP		 569/*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 575 struct security_mnt_opts *opts)
c9180a57
EP		 576{
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
1da177e4 582
e0007529 583 security_init_mnt_opts(opts);
1da177e4 584
0d90a7ec 585 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 586 return -EINVAL;
1da177e4 587
c9180a57
EP		 588 if (!ss_initialized)
589 return -EINVAL;
1da177e4 590
af8e50cc
EP		 591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
0d90a7ec 594 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 595 /* count the number of mount options for this sb */
af8e50cc 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 597 if (tmp & 0x01)
e0007529 598 opts->num_mnt_opts++;
c9180a57
EP		 599 tmp >>= 1;
600 }
11689d47 601 /* Check if the Label support flag is set */
0b4bdb35 602 if (sbsec->flags & SBLABEL_MNT)
11689d47 603 opts->num_mnt_opts++;
1da177e4 604
e0007529
EP		 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
c9180a57
EP		 607 rc = -ENOMEM;
608 goto out_free;
609 }
1da177e4 610
e0007529
EP		 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
c9180a57
EP		 613 rc = -ENOMEM;
614 goto out_free;
615 }
1da177e4 616
c9180a57
EP		 617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
e0007529
EP		 622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
e0007529
EP		 629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
e0007529
EP		 636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 642
c9180a57
EP		 643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
e0007529
EP		 646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 648 }
12f348b9 649 if (sbsec->flags & SBLABEL_MNT) {
11689d47 650 opts->mnt_opts[i] = NULL;
12f348b9 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 652 }
1da177e4 653
e0007529 654 BUG_ON(i != opts->num_mnt_opts);
1da177e4 655
c9180a57
EP		 656 return 0;
657
658out_free:
e0007529 659 security_free_mnt_opts(opts);
c9180a57
EP		 660 return rc;
661}
1da177e4 662
c9180a57
EP		 663static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665{
0d90a7ec
DQ		 666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
c9180a57 668 /* check if the old mount command had the same options */
0d90a7ec 669 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
0d90a7ec
DQ		 677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
c9180a57
EP		 679 return 1;
680 return 0;
681}
e0007529 682
c9180a57
EP		 683/*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
e0007529 687static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
c9180a57 691{
275bb41e 692 const struct cred *cred = current_cred();
c9180a57 693 int rc = 0, i;
c9180a57 694 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 695 const char *name = sb->s_type->name;
83da53c5 696 struct dentry *root = sbsec->sb->s_root;
2c97165b 697 struct inode_security_struct *root_isec;
c9180a57
EP		 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
e0007529
EP		 700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
c9180a57
EP		 711 goto out;
712 }
713 rc = -EINVAL;
744ba35e
EP		 714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
1da177e4 716 goto out;
c9180a57 717 }
649f6e77
DQ		 718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
1da177e4 724
e0007529
EP		 725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
0d90a7ec 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 737 && (num_opts == 0))
f5269710 738 goto out;
e0007529 739
2c97165b
PM		 740 root_isec = backing_inode_security_novalidate(root);
741
c9180a57
EP		 742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
11689d47 749
12f348b9 750 if (flags[i] == SBLABEL_MNT)
11689d47 751 continue;
44be2f65 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 753 if (rc) {
44be2f65 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
1da177e4 801 }
c9180a57
EP		 802 }
803
0d90a7ec 804 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 805 /* previously mounted with options, but not on this attempt? */
0d90a7ec 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
089be43e 812 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
8e014720 815 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 816 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 817 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 818 !strcmp(sb->s_type->name, "pstore") ||
819 !strcmp(sb->s_type->name, "cgroup") ||
820 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 821 sbsec->flags |= SE_SBGENFS;
c9180a57 822
eb9ae686
DQ		 823 if (!sbsec->behavior) {
824 /*
825 * Determine the labeling behavior to use for this
826 * filesystem type.
827 */
98f700f3 828 rc = security_fs_use(sb);
eb9ae686
DQ		 829 if (rc) {
830 printk(KERN_WARNING
831 "%s: security_fs_use(%s) returned %d\n",
832 __func__, sb->s_type->name, rc);
833 goto out;
834 }
c9180a57 835 }
aad82892
SF		 836
837 /*
01593d32
SS		 838 * If this is a user namespace mount and the filesystem type is not
839 * explicitly whitelisted, then no contexts are allowed on the command
840 * line and security labels must be ignored.
aad82892 841 */
01593d32
SS		 842 if (sb->s_user_ns != &init_user_ns &&
843 strcmp(sb->s_type->name, "tmpfs") &&
844 strcmp(sb->s_type->name, "ramfs") &&
845 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 846 if (context_sid || fscontext_sid || rootcontext_sid ||
847 defcontext_sid) {
848 rc = -EACCES;
849 goto out;
850 }
851 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
852 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
853 rc = security_transition_sid(current_sid(), current_sid(),
854 SECCLASS_FILE, NULL,
855 &sbsec->mntpoint_sid);
856 if (rc)
857 goto out;
858 }
859 goto out_set_opts;
860 }
861
c9180a57
EP		 862 /* sets the context of the superblock for the fs being mounted. */
863 if (fscontext_sid) {
275bb41e 864 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 865 if (rc)
c9180a57 866 goto out;
1da177e4 867
c9180a57 868 sbsec->sid = fscontext_sid;
c312feb2
EP		 869 }
870
871 /*
872 * Switch to using mount point labeling behavior.
873 * sets the label used on all file below the mountpoint, and will set
874 * the superblock context if not already set.
875 */
eb9ae686
DQ		 876 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
877 sbsec->behavior = SECURITY_FS_USE_NATIVE;
878 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
879 }
880
c9180a57
EP		 881 if (context_sid) {
882 if (!fscontext_sid) {
275bb41e
DH		 883 rc = may_context_mount_sb_relabel(context_sid, sbsec,
884 cred);
b04ea3ce 885 if (rc)
c9180a57
EP		 886 goto out;
887 sbsec->sid = context_sid;
b04ea3ce 888 } else {
275bb41e
DH		 889 rc = may_context_mount_inode_relabel(context_sid, sbsec,
890 cred);
b04ea3ce 891 if (rc)
c9180a57 892 goto out;
b04ea3ce 893 }
c9180a57
EP		 894 if (!rootcontext_sid)
895 rootcontext_sid = context_sid;
1da177e4 896
c9180a57 897 sbsec->mntpoint_sid = context_sid;
c312feb2 898 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 899 }
900
c9180a57 901 if (rootcontext_sid) {
275bb41e
DH		 902 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
903 cred);
0808925e 904 if (rc)
c9180a57 905 goto out;
0808925e 906
c9180a57 907 root_isec->sid = rootcontext_sid;
6f3be9f5 908 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 909 }
910
c9180a57 911 if (defcontext_sid) {
eb9ae686
DQ		 912 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
913 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 914 rc = -EINVAL;
915 printk(KERN_WARNING "SELinux: defcontext option is "
916 "invalid for this filesystem type\n");
917 goto out;
1da177e4
LT		 918 }
919
c9180a57
EP		 920 if (defcontext_sid != sbsec->def_sid) {
921 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 922 sbsec, cred);
c9180a57
EP		 923 if (rc)
924 goto out;
925 }
1da177e4 926
c9180a57 927 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 928 }
929
aad82892 930out_set_opts:
c9180a57 931 rc = sb_finish_set_opts(sb);
1da177e4 932out:
c9180a57 933 mutex_unlock(&sbsec->lock);
1da177e4 934 return rc;
c9180a57
EP		 935out_double_mount:
936 rc = -EINVAL;
937 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 938 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 939 goto out;
1da177e4
LT		 940}
941
094f7b69
JL		 942static int selinux_cmp_sb_context(const struct super_block *oldsb,
943 const struct super_block *newsb)
944{
945 struct superblock_security_struct *old = oldsb->s_security;
946 struct superblock_security_struct *new = newsb->s_security;
947 char oldflags = old->flags & SE_MNTMASK;
948 char newflags = new->flags & SE_MNTMASK;
949
950 if (oldflags != newflags)
951 goto mismatch;
952 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
953 goto mismatch;
954 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
955 goto mismatch;
956 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
957 goto mismatch;
958 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 959 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
960 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 961 if (oldroot->sid != newroot->sid)
962 goto mismatch;
963 }
964 return 0;
965mismatch:
966 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
967 "different security settings for (dev %s, "
968 "type %s)\n", newsb->s_id, newsb->s_type->name);
969 return -EBUSY;
970}
971
972static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 973 struct super_block *newsb,
974 unsigned long kern_flags,
975 unsigned long *set_kern_flags)
1da177e4 976{
0b4d3452 977 int rc = 0;
c9180a57
EP		 978 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
979 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 980
c9180a57
EP		 981 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
982 int set_context = (oldsbsec->flags & CONTEXT_MNT);
983 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 984
0f5e6420
EP		 985 /*
986 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 987 * mount options. thus we can safely deal with this superblock later
0f5e6420 988 */
e8c26255 989 if (!ss_initialized)
094f7b69 990 return 0;
c9180a57 991
0b4d3452
SM		 992 /*
993 * Specifying internal flags without providing a place to
994 * place the results is not allowed.
995 */
996 if (kern_flags && !set_kern_flags)
997 return -EINVAL;
998
c9180a57 999 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 1000 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 1001
094f7b69 1002 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 1003 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 1004 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 1005
c9180a57
EP		 1006 mutex_lock(&newsbsec->lock);
1007
1008 newsbsec->flags = oldsbsec->flags;
1009
1010 newsbsec->sid = oldsbsec->sid;
1011 newsbsec->def_sid = oldsbsec->def_sid;
1012 newsbsec->behavior = oldsbsec->behavior;
1013
0b4d3452
SM		 1014 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1015 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1016 rc = security_fs_use(newsb);
1017 if (rc)
1018 goto out;
1019 }
1020
1021 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1022 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1023 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1024 }
1025
c9180a57
EP		 1026 if (set_context) {
1027 u32 sid = oldsbsec->mntpoint_sid;
1028
1029 if (!set_fscontext)
1030 newsbsec->sid = sid;
1031 if (!set_rootcontext) {
83da53c5 1032 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1033 newisec->sid = sid;
1034 }
1035 newsbsec->mntpoint_sid = sid;
1da177e4 1036 }
c9180a57 1037 if (set_rootcontext) {
83da53c5
AG		 1038 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1039 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1040
c9180a57 1041 newisec->sid = oldisec->sid;
1da177e4
LT		 1042 }
1043
c9180a57 1044 sb_finish_set_opts(newsb);
0b4d3452 1045out:
c9180a57 1046 mutex_unlock(&newsbsec->lock);
0b4d3452 1047 return rc;
c9180a57
EP		 1048}
1049
2e1479d9
AB		 1050static int selinux_parse_opts_str(char *options,
1051 struct security_mnt_opts *opts)
c9180a57 1052{
e0007529 1053 char *p;
c9180a57
EP		 1054 char *context = NULL, *defcontext = NULL;
1055 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1056 int rc, num_mnt_opts = 0;
1da177e4 1057
e0007529 1058 opts->num_mnt_opts = 0;
1da177e4 1059
c9180a57
EP		 1060 /* Standard string-based options. */
1061 while ((p = strsep(&options, "|")) != NULL) {
1062 int token;
1063 substring_t args[MAX_OPT_ARGS];
1da177e4 1064
c9180a57
EP		 1065 if (!*p)
1066 continue;
1da177e4 1067
c9180a57 1068 token = match_token(p, tokens, args);
1da177e4 1069
c9180a57
EP		 1070 switch (token) {
1071 case Opt_context:
1072 if (context || defcontext) {
1073 rc = -EINVAL;
1074 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1075 goto out_err;
1076 }
1077 context = match_strdup(&args[0]);
1078 if (!context) {
1079 rc = -ENOMEM;
1080 goto out_err;
1081 }
1082 break;
1083
1084 case Opt_fscontext:
1085 if (fscontext) {
1086 rc = -EINVAL;
1087 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1088 goto out_err;
1089 }
1090 fscontext = match_strdup(&args[0]);
1091 if (!fscontext) {
1092 rc = -ENOMEM;
1093 goto out_err;
1094 }
1095 break;
1096
1097 case Opt_rootcontext:
1098 if (rootcontext) {
1099 rc = -EINVAL;
1100 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1101 goto out_err;
1102 }
1103 rootcontext = match_strdup(&args[0]);
1104 if (!rootcontext) {
1105 rc = -ENOMEM;
1106 goto out_err;
1107 }
1108 break;
1109
1110 case Opt_defcontext:
1111 if (context || defcontext) {
1112 rc = -EINVAL;
1113 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1114 goto out_err;
1115 }
1116 defcontext = match_strdup(&args[0]);
1117 if (!defcontext) {
1118 rc = -ENOMEM;
1119 goto out_err;
1120 }
1121 break;
11689d47
DQ		 1122 case Opt_labelsupport:
1123 break;
c9180a57
EP		 1124 default:
1125 rc = -EINVAL;
1126 printk(KERN_WARNING "SELinux: unknown mount option\n");
1127 goto out_err;
1da177e4 1128
1da177e4 1129 }
1da177e4 1130 }
c9180a57 1131
e0007529 1132 rc = -ENOMEM;
8931c3bd 1133 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1134 if (!opts->mnt_opts)
1135 goto out_err;
1136
8931c3bd
TH		 1137 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1138 GFP_KERNEL);
023f108d 1139 if (!opts->mnt_opts_flags)
e0007529 1140 goto out_err;
e0007529 1141
c9180a57 1142 if (fscontext) {
e0007529
EP		 1143 opts->mnt_opts[num_mnt_opts] = fscontext;
1144 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1145 }
1146 if (context) {
e0007529
EP		 1147 opts->mnt_opts[num_mnt_opts] = context;
1148 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1149 }
1150 if (rootcontext) {
e0007529
EP		 1151 opts->mnt_opts[num_mnt_opts] = rootcontext;
1152 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1153 }
1154 if (defcontext) {
e0007529
EP		 1155 opts->mnt_opts[num_mnt_opts] = defcontext;
1156 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1157 }
1158
e0007529
EP		 1159 opts->num_mnt_opts = num_mnt_opts;
1160 return 0;
1161
c9180a57 1162out_err:
023f108d 1163 security_free_mnt_opts(opts);
c9180a57
EP		 1164 kfree(context);
1165 kfree(defcontext);
1166 kfree(fscontext);
1167 kfree(rootcontext);
1da177e4
LT		 1168 return rc;
1169}
e0007529
EP		 1170/*
1171 * string mount options parsing and call set the sbsec
1172 */
1173static int superblock_doinit(struct super_block *sb, void *data)
1174{
1175 int rc = 0;
1176 char *options = data;
1177 struct security_mnt_opts opts;
1178
1179 security_init_mnt_opts(&opts);
1180
1181 if (!data)
1182 goto out;
1183
1184 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1185
1186 rc = selinux_parse_opts_str(options, &opts);
1187 if (rc)
1188 goto out_err;
1189
1190out:
649f6e77 1191 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1192
1193out_err:
1194 security_free_mnt_opts(&opts);
1195 return rc;
1196}
1da177e4 1197
3583a711
AB		 1198static void selinux_write_opts(struct seq_file *m,
1199 struct security_mnt_opts *opts)
2069f457
EP		 1200{
1201 int i;
1202 char *prefix;
1203
1204 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1205 char *has_comma;
1206
1207 if (opts->mnt_opts[i])
1208 has_comma = strchr(opts->mnt_opts[i], ',');
1209 else
1210 has_comma = NULL;
2069f457
EP		 1211
1212 switch (opts->mnt_opts_flags[i]) {
1213 case CONTEXT_MNT:
1214 prefix = CONTEXT_STR;
1215 break;
1216 case FSCONTEXT_MNT:
1217 prefix = FSCONTEXT_STR;
1218 break;
1219 case ROOTCONTEXT_MNT:
1220 prefix = ROOTCONTEXT_STR;
1221 break;
1222 case DEFCONTEXT_MNT:
1223 prefix = DEFCONTEXT_STR;
1224 break;
12f348b9 1225 case SBLABEL_MNT:
11689d47
DQ		 1226 seq_putc(m, ',');
1227 seq_puts(m, LABELSUPP_STR);
1228 continue;
2069f457
EP		 1229 default:
1230 BUG();
a35c6c83 1231 return;
2069f457
EP		 1232 };
1233 /* we need a comma before each option */
1234 seq_putc(m, ',');
1235 seq_puts(m, prefix);
1236 if (has_comma)
1237 seq_putc(m, '\"');
a068acf2 1238 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1239 if (has_comma)
1240 seq_putc(m, '\"');
1241 }
1242}
1243
1244static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1245{
1246 struct security_mnt_opts opts;
1247 int rc;
1248
1249 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1250 if (rc) {
1251 /* before policy load we may get EINVAL, don't show anything */
1252 if (rc == -EINVAL)
1253 rc = 0;
2069f457 1254 return rc;
383795c2 1255 }
2069f457
EP		 1256
1257 selinux_write_opts(m, &opts);
1258
1259 security_free_mnt_opts(&opts);
1260
1261 return rc;
1262}
1263
1da177e4
LT		 1264static inline u16 inode_mode_to_security_class(umode_t mode)
1265{
1266 switch (mode & S_IFMT) {
1267 case S_IFSOCK:
1268 return SECCLASS_SOCK_FILE;
1269 case S_IFLNK:
1270 return SECCLASS_LNK_FILE;
1271 case S_IFREG:
1272 return SECCLASS_FILE;
1273 case S_IFBLK:
1274 return SECCLASS_BLK_FILE;
1275 case S_IFDIR:
1276 return SECCLASS_DIR;
1277 case S_IFCHR:
1278 return SECCLASS_CHR_FILE;
1279 case S_IFIFO:
1280 return SECCLASS_FIFO_FILE;
1281
1282 }
1283
1284 return SECCLASS_FILE;
1285}
1286
13402580
JM		 1287static inline int default_protocol_stream(int protocol)
1288{
1289 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1290}
1291
1292static inline int default_protocol_dgram(int protocol)
1293{
1294 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1295}
1296
1da177e4
LT		 1297static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1298{
da69a530
SS		 1299 int extsockclass = selinux_policycap_extsockclass;
1300
1da177e4
LT		 1301 switch (family) {
1302 case PF_UNIX:
1303 switch (type) {
1304 case SOCK_STREAM:
1305 case SOCK_SEQPACKET:
1306 return SECCLASS_UNIX_STREAM_SOCKET;
1307 case SOCK_DGRAM:
2a764b52 1308 case SOCK_RAW:
1da177e4
LT		 1309 return SECCLASS_UNIX_DGRAM_SOCKET;
1310 }
1311 break;
1312 case PF_INET:
1313 case PF_INET6:
1314 switch (type) {
1315 case SOCK_STREAM:
da69a530 1316 case SOCK_SEQPACKET:
13402580
JM		 1317 if (default_protocol_stream(protocol))
1318 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1319 else if (extsockclass && protocol == IPPROTO_SCTP)
1320 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1321 else
1322 return SECCLASS_RAWIP_SOCKET;
1da177e4 1323 case SOCK_DGRAM:
13402580
JM		 1324 if (default_protocol_dgram(protocol))
1325 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1326 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1327 protocol == IPPROTO_ICMPV6))
da69a530 1328 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1329 else
1330 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1331 case SOCK_DCCP:
1332 return SECCLASS_DCCP_SOCKET;
13402580 1333 default:
1da177e4
LT		 1334 return SECCLASS_RAWIP_SOCKET;
1335 }
1336 break;
1337 case PF_NETLINK:
1338 switch (protocol) {
1339 case NETLINK_ROUTE:
1340 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1341 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1342 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1343 case NETLINK_NFLOG:
1344 return SECCLASS_NETLINK_NFLOG_SOCKET;
1345 case NETLINK_XFRM:
1346 return SECCLASS_NETLINK_XFRM_SOCKET;
1347 case NETLINK_SELINUX:
1348 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1349 case NETLINK_ISCSI:
1350 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1351 case NETLINK_AUDIT:
1352 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1353 case NETLINK_FIB_LOOKUP:
1354 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1355 case NETLINK_CONNECTOR:
1356 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1357 case NETLINK_NETFILTER:
1358 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1359 case NETLINK_DNRTMSG:
1360 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1361 case NETLINK_KOBJECT_UEVENT:
1362 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1363 case NETLINK_GENERIC:
1364 return SECCLASS_NETLINK_GENERIC_SOCKET;
1365 case NETLINK_SCSITRANSPORT:
1366 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1367 case NETLINK_RDMA:
1368 return SECCLASS_NETLINK_RDMA_SOCKET;
1369 case NETLINK_CRYPTO:
1370 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1371 default:
1372 return SECCLASS_NETLINK_SOCKET;
1373 }
1374 case PF_PACKET:
1375 return SECCLASS_PACKET_SOCKET;
1376 case PF_KEY:
1377 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1378 case PF_APPLETALK:
1379 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1380 }
1381
da69a530
SS		 1382 if (extsockclass) {
1383 switch (family) {
1384 case PF_AX25:
1385 return SECCLASS_AX25_SOCKET;
1386 case PF_IPX:
1387 return SECCLASS_IPX_SOCKET;
1388 case PF_NETROM:
1389 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1390 case PF_ATMPVC:
1391 return SECCLASS_ATMPVC_SOCKET;
1392 case PF_X25:
1393 return SECCLASS_X25_SOCKET;
1394 case PF_ROSE:
1395 return SECCLASS_ROSE_SOCKET;
1396 case PF_DECnet:
1397 return SECCLASS_DECNET_SOCKET;
1398 case PF_ATMSVC:
1399 return SECCLASS_ATMSVC_SOCKET;
1400 case PF_RDS:
1401 return SECCLASS_RDS_SOCKET;
1402 case PF_IRDA:
1403 return SECCLASS_IRDA_SOCKET;
1404 case PF_PPPOX:
1405 return SECCLASS_PPPOX_SOCKET;
1406 case PF_LLC:
1407 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1408 case PF_CAN:
1409 return SECCLASS_CAN_SOCKET;
1410 case PF_TIPC:
1411 return SECCLASS_TIPC_SOCKET;
1412 case PF_BLUETOOTH:
1413 return SECCLASS_BLUETOOTH_SOCKET;
1414 case PF_IUCV:
1415 return SECCLASS_IUCV_SOCKET;
1416 case PF_RXRPC:
1417 return SECCLASS_RXRPC_SOCKET;
1418 case PF_ISDN:
1419 return SECCLASS_ISDN_SOCKET;
1420 case PF_PHONET:
1421 return SECCLASS_PHONET_SOCKET;
1422 case PF_IEEE802154:
1423 return SECCLASS_IEEE802154_SOCKET;
1424 case PF_CAIF:
1425 return SECCLASS_CAIF_SOCKET;
1426 case PF_ALG:
1427 return SECCLASS_ALG_SOCKET;
1428 case PF_NFC:
1429 return SECCLASS_NFC_SOCKET;
1430 case PF_VSOCK:
1431 return SECCLASS_VSOCK_SOCKET;
1432 case PF_KCM:
1433 return SECCLASS_KCM_SOCKET;
1434 case PF_QIPCRTR:
1435 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1436 case PF_SMC:
1437 return SECCLASS_SMC_SOCKET;
1438#if PF_MAX > 44
da69a530
SS		 1439#error New address family defined, please update this function.
1440#endif
1441 }
1442 }
1443
1da177e4
LT		 1444 return SECCLASS_SOCKET;
1445}
1446
134509d5
SS		 1447static int selinux_genfs_get_sid(struct dentry *dentry,
1448 u16 tclass,
1449 u16 flags,
1450 u32 *sid)
1da177e4 1451{
8e6c9693 1452 int rc;
fc64005c 1453 struct super_block *sb = dentry->d_sb;
8e6c9693 1454 char *buffer, *path;
1da177e4 1455
828dfe1d 1456 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1457 if (!buffer)
1458 return -ENOMEM;
1459
8e6c9693
LAG		 1460 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1461 if (IS_ERR(path))
1462 rc = PTR_ERR(path);
1463 else {
134509d5
SS		 1464 if (flags & SE_SBPROC) {
1465 /* each process gets a /proc/PID/ entry. Strip off the
1466 * PID part to get a valid selinux labeling.
1467 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1468 while (path[1] >= '0' && path[1] <= '9') {
1469 path[1] = '/';
1470 path++;
1471 }
8e6c9693 1472 }
134509d5 1473 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1474 }
1da177e4
LT		 1475 free_page((unsigned long)buffer);
1476 return rc;
1477}
1da177e4
LT		 1478
1479/* The inode's security attributes must be initialized before first use. */
1480static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1481{
1482 struct superblock_security_struct *sbsec = NULL;
1483 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1484 u32 task_sid, sid = 0;
1485 u16 sclass;
1da177e4
LT		 1486 struct dentry *dentry;
1487#define INITCONTEXTLEN 255
1488 char *context = NULL;
1489 unsigned len = 0;
1490 int rc = 0;
1da177e4 1491
6f3be9f5 1492 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1493 return 0;
1da177e4 1494
9287aed2 1495 spin_lock(&isec->lock);
6f3be9f5 1496 if (isec->initialized == LABEL_INITIALIZED)
23970741 1497 goto out_unlock;
1da177e4 1498
13457d07
AG		 1499 if (isec->sclass == SECCLASS_FILE)
1500 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1501
1da177e4 1502 sbsec = inode->i_sb->s_security;
0d90a7ec 1503 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1504 /* Defer initialization until selinux_complete_init,
1505 after the initial policy is loaded and the security
1506 server is ready to handle calls. */
1507 spin_lock(&sbsec->isec_lock);
1508 if (list_empty(&isec->list))
1509 list_add(&isec->list, &sbsec->isec_head);
1510 spin_unlock(&sbsec->isec_lock);
23970741 1511 goto out_unlock;
1da177e4
LT		 1512 }
1513
9287aed2
AG		 1514 sclass = isec->sclass;
1515 task_sid = isec->task_sid;
1516 sid = isec->sid;
1517 isec->initialized = LABEL_PENDING;
1518 spin_unlock(&isec->lock);
1519
1da177e4 1520 switch (sbsec->behavior) {
eb9ae686
DQ		 1521 case SECURITY_FS_USE_NATIVE:
1522 break;
1da177e4 1523 case SECURITY_FS_USE_XATTR:
5d6c3191 1524 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1525 sid = sbsec->def_sid;
1da177e4
LT		 1526 break;
1527 }
1da177e4
LT		 1528 /* Need a dentry, since the xattr API requires one.
1529 Life would be simpler if we could just pass the inode. */
1530 if (opt_dentry) {
1531 /* Called from d_instantiate or d_splice_alias. */
1532 dentry = dget(opt_dentry);
1533 } else {
1534 /* Called from selinux_complete_init, try to find a dentry. */
1535 dentry = d_find_alias(inode);
1536 }
1537 if (!dentry) {
df7f54c0
EP		 1538 /*
1539 * this is can be hit on boot when a file is accessed
1540 * before the policy is loaded. When we load policy we
1541 * may find inodes that have no dentry on the
1542 * sbsec->isec_head list. No reason to complain as these
1543 * will get fixed up the next time we go through
1544 * inode_doinit with a dentry, before these inodes could
1545 * be used again by userspace.
1546 */
9287aed2 1547 goto out;
1da177e4
LT		 1548 }
1549
1550 len = INITCONTEXTLEN;
4cb912f1 1551 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1552 if (!context) {
1553 rc = -ENOMEM;
1554 dput(dentry);
9287aed2 1555 goto out;
1da177e4 1556 }
4cb912f1 1557 context[len] = '\0';
5d6c3191 1558 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1559 if (rc == -ERANGE) {
314dabb8
JM		 1560 kfree(context);
1561
1da177e4 1562 /* Need a larger buffer. Query for the right size. */
5d6c3191 1563 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1564 if (rc < 0) {
1565 dput(dentry);
9287aed2 1566 goto out;
1da177e4 1567 }
1da177e4 1568 len = rc;
4cb912f1 1569 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1570 if (!context) {
1571 rc = -ENOMEM;
1572 dput(dentry);
9287aed2 1573 goto out;
1da177e4 1574 }
4cb912f1 1575 context[len] = '\0';
5d6c3191 1576 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1577 }
1578 dput(dentry);
1579 if (rc < 0) {
1580 if (rc != -ENODATA) {
744ba35e 1581 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1582 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1583 -rc, inode->i_sb->s_id, inode->i_ino);
1584 kfree(context);
9287aed2 1585 goto out;
1da177e4
LT		 1586 }
1587 /* Map ENODATA to the default file SID */
1588 sid = sbsec->def_sid;
1589 rc = 0;
1590 } else {
f5c1d5b2 1591 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1592 sbsec->def_sid,
1593 GFP_NOFS);
1da177e4 1594 if (rc) {
4ba0a8ad
EP		 1595 char *dev = inode->i_sb->s_id;
1596 unsigned long ino = inode->i_ino;
1597
1598 if (rc == -EINVAL) {
1599 if (printk_ratelimit())
1600 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1601 "context=%s. This indicates you may need to relabel the inode or the "
1602 "filesystem in question.\n", ino, dev, context);
1603 } else {
1604 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1605 "returned %d for dev=%s ino=%ld\n",
1606 __func__, context, -rc, dev, ino);
1607 }
1da177e4
LT		 1608 kfree(context);
1609 /* Leave with the unlabeled SID */
1610 rc = 0;
1611 break;
1612 }
1613 }
1614 kfree(context);
1da177e4
LT		 1615 break;
1616 case SECURITY_FS_USE_TASK:
9287aed2 1617 sid = task_sid;
1da177e4
LT		 1618 break;
1619 case SECURITY_FS_USE_TRANS:
1620 /* Default to the fs SID. */
9287aed2 1621 sid = sbsec->sid;
1da177e4
LT		 1622
1623 /* Try to obtain a transition SID. */
9287aed2 1624 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1625 if (rc)
9287aed2 1626 goto out;
1da177e4 1627 break;
c312feb2 1628 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1629 sid = sbsec->mntpoint_sid;
c312feb2 1630 break;
1da177e4 1631 default:
c312feb2 1632 /* Default to the fs superblock SID. */
9287aed2 1633 sid = sbsec->sid;
1da177e4 1634
134509d5 1635 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1636 /* We must have a dentry to determine the label on
1637 * procfs inodes */
1638 if (opt_dentry)
1639 /* Called from d_instantiate or
1640 * d_splice_alias. */
1641 dentry = dget(opt_dentry);
1642 else
1643 /* Called from selinux_complete_init, try to
1644 * find a dentry. */
1645 dentry = d_find_alias(inode);
1646 /*
1647 * This can be hit on boot when a file is accessed
1648 * before the policy is loaded. When we load policy we
1649 * may find inodes that have no dentry on the
1650 * sbsec->isec_head list. No reason to complain as
1651 * these will get fixed up the next time we go through
1652 * inode_doinit() with a dentry, before these inodes
1653 * could be used again by userspace.
1654 */
1655 if (!dentry)
9287aed2
AG		 1656 goto out;
1657 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1658 sbsec->flags, &sid);
f64410ec
PM		 1659 dput(dentry);
1660 if (rc)
9287aed2 1661 goto out;
1da177e4
LT		 1662 }
1663 break;
1664 }
1665
9287aed2
AG		 1666out:
1667 spin_lock(&isec->lock);
1668 if (isec->initialized == LABEL_PENDING) {
1669 if (!sid || rc) {
1670 isec->initialized = LABEL_INVALID;
1671 goto out_unlock;
1672 }
1673
1674 isec->initialized = LABEL_INITIALIZED;
1675 isec->sid = sid;
1676 }
1da177e4 1677
23970741 1678out_unlock:
9287aed2 1679 spin_unlock(&isec->lock);
1da177e4
LT		 1680 return rc;
1681}
1682
1683/* Convert a Linux signal to an access vector. */
1684static inline u32 signal_to_av(int sig)
1685{
1686 u32 perm = 0;
1687
1688 switch (sig) {
1689 case SIGCHLD:
1690 /* Commonly granted from child to parent. */
1691 perm = PROCESS__SIGCHLD;
1692 break;
1693 case SIGKILL:
1694 /* Cannot be caught or ignored */
1695 perm = PROCESS__SIGKILL;
1696 break;
1697 case SIGSTOP:
1698 /* Cannot be caught or ignored */
1699 perm = PROCESS__SIGSTOP;
1700 break;
1701 default:
1702 /* All other signals. */
1703 perm = PROCESS__SIGNAL;
1704 break;
1705 }
1706
1707 return perm;
1708}
1709
b68e418c
SS		 1710#if CAP_LAST_CAP > 63
1711#error Fix SELinux to handle capabilities > 63.
1712#endif
1713
1da177e4 1714/* Check whether a task is allowed to use a capability. */
6a9de491 1715static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1716 int cap, int audit, bool initns)
1da177e4 1717{
2bf49690 1718 struct common_audit_data ad;
06112163 1719 struct av_decision avd;
b68e418c 1720 u16 sclass;
3699c53c 1721 u32 sid = cred_sid(cred);
b68e418c 1722 u32 av = CAP_TO_MASK(cap);
06112163 1723 int rc;
1da177e4 1724
50c205f5 1725 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1726 ad.u.cap = cap;
1727
b68e418c
SS		 1728 switch (CAP_TO_INDEX(cap)) {
1729 case 0:
8e4ff6f2 1730 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1731 break;
1732 case 1:
8e4ff6f2 1733 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1734 break;
1735 default:
1736 printk(KERN_ERR
1737 "SELinux: out of range capability %d\n", cap);
1738 BUG();
a35c6c83 1739 return -EINVAL;
b68e418c 1740 }
06112163 1741
275bb41e 1742 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1743 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1744 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1745 if (rc2)
1746 return rc2;
1747 }
06112163 1748 return rc;
1da177e4
LT		 1749}
1750
1da177e4
LT		 1751/* Check whether a task has a particular permission to an inode.
1752 The 'adp' parameter is optional and allows other audit
1753 data to be passed (e.g. the dentry). */
88e67f3b 1754static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1755 struct inode *inode,
1756 u32 perms,
19e49834 1757 struct common_audit_data *adp)
1da177e4 1758{
1da177e4 1759 struct inode_security_struct *isec;
275bb41e 1760 u32 sid;
1da177e4 1761
e0e81739
DH		 1762 validate_creds(cred);
1763
828dfe1d 1764 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1765 return 0;
1766
88e67f3b 1767 sid = cred_sid(cred);
1da177e4
LT		 1768 isec = inode->i_security;
1769
19e49834 1770 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1771}
1772
1773/* Same as inode_has_perm, but pass explicit audit data containing
1774 the dentry to help the auditing code to more easily generate the
1775 pathname if needed. */
88e67f3b 1776static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1777 struct dentry *dentry,
1778 u32 av)
1779{
c6f493d6 1780 struct inode *inode = d_backing_inode(dentry);
2bf49690 1781 struct common_audit_data ad;
88e67f3b 1782
50c205f5 1783 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1784 ad.u.dentry = dentry;
5d226df4 1785 __inode_security_revalidate(inode, dentry, true);
19e49834 1786 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1787}
1788
1789/* Same as inode_has_perm, but pass explicit audit data containing
1790 the path to help the auditing code to more easily generate the
1791 pathname if needed. */
1792static inline int path_has_perm(const struct cred *cred,
3f7036a0 1793 const struct path *path,
2875fa00
EP		 1794 u32 av)
1795{
c6f493d6 1796 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1797 struct common_audit_data ad;
1798
50c205f5 1799 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1800 ad.u.path = *path;
5d226df4 1801 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1802 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1803}
1804
13f8e981
DH		 1805/* Same as path_has_perm, but uses the inode from the file struct. */
1806static inline int file_path_has_perm(const struct cred *cred,
1807 struct file *file,
1808 u32 av)
1809{
1810 struct common_audit_data ad;
1811
43af5de7
VG		 1812 ad.type = LSM_AUDIT_DATA_FILE;
1813 ad.u.file = file;
19e49834 1814 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1815}
1816
1da177e4
LT		 1817/* Check whether a task can use an open file descriptor to
1818 access an inode in a given way. Check access to the
1819 descriptor itself, and then use dentry_has_perm to
1820 check a particular permission to the file.
1821 Access to the descriptor is implicitly granted if it
1822 has the same SID as the process. If av is zero, then
1823 access to the file is not checked, e.g. for cases
1824 where only the descriptor is affected like seek. */
88e67f3b
DH		 1825static int file_has_perm(const struct cred *cred,
1826 struct file *file,
1827 u32 av)
1da177e4 1828{
1da177e4 1829 struct file_security_struct *fsec = file->f_security;
496ad9aa 1830 struct inode *inode = file_inode(file);
2bf49690 1831 struct common_audit_data ad;
88e67f3b 1832 u32 sid = cred_sid(cred);
1da177e4
LT		 1833 int rc;
1834
43af5de7
VG		 1835 ad.type = LSM_AUDIT_DATA_FILE;
1836 ad.u.file = file;
1da177e4 1837
275bb41e
DH		 1838 if (sid != fsec->sid) {
1839 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1840 SECCLASS_FD,
1841 FD__USE,
1842 &ad);
1843 if (rc)
88e67f3b 1844 goto out;
1da177e4
LT		 1845 }
1846
1847 /* av is zero if only checking access to the descriptor. */
88e67f3b 1848 rc = 0;
1da177e4 1849 if (av)
19e49834 1850 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1851
88e67f3b
DH		 1852out:
1853 return rc;
1da177e4
LT		 1854}
1855
c3c188b2
DH		 1856/*
1857 * Determine the label for an inode that might be unioned.
1858 */
c957f6df
VG		 1859static int
1860selinux_determine_inode_label(const struct task_security_struct *tsec,
1861 struct inode *dir,
1862 const struct qstr *name, u16 tclass,
1863 u32 *_new_isid)
c3c188b2
DH		 1864{
1865 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1866
1867 if ((sbsec->flags & SE_SBINITIALIZED) &&
1868 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1869 *_new_isid = sbsec->mntpoint_sid;
1870 } else if ((sbsec->flags & SBLABEL_MNT) &&
1871 tsec->create_sid) {
1872 *_new_isid = tsec->create_sid;
1873 } else {
20cdef8d 1874 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1875 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1876 name, _new_isid);
1877 }
1878
1879 return 0;
1880}
1881
1da177e4
LT		 1882/* Check whether a task can create a file. */
1883static int may_create(struct inode *dir,
1884 struct dentry *dentry,
1885 u16 tclass)
1886{
5fb49870 1887 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1888 struct inode_security_struct *dsec;
1889 struct superblock_security_struct *sbsec;
275bb41e 1890 u32 sid, newsid;
2bf49690 1891 struct common_audit_data ad;
1da177e4
LT		 1892 int rc;
1893
83da53c5 1894 dsec = inode_security(dir);
1da177e4
LT		 1895 sbsec = dir->i_sb->s_security;
1896
275bb41e 1897 sid = tsec->sid;
275bb41e 1898
50c205f5 1899 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1900 ad.u.dentry = dentry;
1da177e4 1901
275bb41e 1902 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1903 DIR__ADD_NAME | DIR__SEARCH,
1904 &ad);
1905 if (rc)
1906 return rc;
1907
c957f6df
VG		 1908 rc = selinux_determine_inode_label(current_security(), dir,
1909 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1910 if (rc)
1911 return rc;
1da177e4 1912
275bb41e 1913 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1914 if (rc)
1915 return rc;
1916
1917 return avc_has_perm(newsid, sbsec->sid,
1918 SECCLASS_FILESYSTEM,
1919 FILESYSTEM__ASSOCIATE, &ad);
1920}
1921
828dfe1d
EP		 1922#define MAY_LINK 0
1923#define MAY_UNLINK 1
1924#define MAY_RMDIR 2
1da177e4
LT		 1925
1926/* Check whether a task can link, unlink, or rmdir a file/directory. */
1927static int may_link(struct inode *dir,
1928 struct dentry *dentry,
1929 int kind)
1930
1931{
1da177e4 1932 struct inode_security_struct *dsec, *isec;
2bf49690 1933 struct common_audit_data ad;
275bb41e 1934 u32 sid = current_sid();
1da177e4
LT		 1935 u32 av;
1936 int rc;
1937
83da53c5
AG		 1938 dsec = inode_security(dir);
1939 isec = backing_inode_security(dentry);
1da177e4 1940
50c205f5 1941 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1942 ad.u.dentry = dentry;
1da177e4
LT		 1943
1944 av = DIR__SEARCH;
1945 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1946 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1947 if (rc)
1948 return rc;
1949
1950 switch (kind) {
1951 case MAY_LINK:
1952 av = FILE__LINK;
1953 break;
1954 case MAY_UNLINK:
1955 av = FILE__UNLINK;
1956 break;
1957 case MAY_RMDIR:
1958 av = DIR__RMDIR;
1959 break;
1960 default:
744ba35e
EP		 1961 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1962 __func__, kind);
1da177e4
LT		 1963 return 0;
1964 }
1965
275bb41e 1966 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1967 return rc;
1968}
1969
1970static inline int may_rename(struct inode *old_dir,
1971 struct dentry *old_dentry,
1972 struct inode *new_dir,
1973 struct dentry *new_dentry)
1974{
1da177e4 1975 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1976 struct common_audit_data ad;
275bb41e 1977 u32 sid = current_sid();
1da177e4
LT		 1978 u32 av;
1979 int old_is_dir, new_is_dir;
1980 int rc;
1981
83da53c5
AG		 1982 old_dsec = inode_security(old_dir);
1983 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1984 old_is_dir = d_is_dir(old_dentry);
83da53c5 1985 new_dsec = inode_security(new_dir);
1da177e4 1986
50c205f5 1987 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1988
a269434d 1989 ad.u.dentry = old_dentry;
275bb41e 1990 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1991 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1992 if (rc)
1993 return rc;
275bb41e 1994 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1995 old_isec->sclass, FILE__RENAME, &ad);
1996 if (rc)
1997 return rc;
1998 if (old_is_dir && new_dir != old_dir) {
275bb41e 1999 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2000 old_isec->sclass, DIR__REPARENT, &ad);
2001 if (rc)
2002 return rc;
2003 }
2004
a269434d 2005 ad.u.dentry = new_dentry;
1da177e4 2006 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2007 if (d_is_positive(new_dentry))
1da177e4 2008 av |= DIR__REMOVE_NAME;
275bb41e 2009 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2010 if (rc)
2011 return rc;
2c616d4d 2012 if (d_is_positive(new_dentry)) {
83da53c5 2013 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2014 new_is_dir = d_is_dir(new_dentry);
275bb41e 2015 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 2016 new_isec->sclass,
2017 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2018 if (rc)
2019 return rc;
2020 }
2021
2022 return 0;
2023}
2024
2025/* Check whether a task can perform a filesystem operation. */
88e67f3b 2026static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2027 struct super_block *sb,
2028 u32 perms,
2bf49690 2029 struct common_audit_data *ad)
1da177e4 2030{
1da177e4 2031 struct superblock_security_struct *sbsec;
88e67f3b 2032 u32 sid = cred_sid(cred);
1da177e4 2033
1da177e4 2034 sbsec = sb->s_security;
275bb41e 2035 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2036}
2037
2038/* Convert a Linux mode and permission mask to an access vector. */
2039static inline u32 file_mask_to_av(int mode, int mask)
2040{
2041 u32 av = 0;
2042
dba19c60 2043 if (!S_ISDIR(mode)) {
1da177e4
LT		 2044 if (mask & MAY_EXEC)
2045 av |= FILE__EXECUTE;
2046 if (mask & MAY_READ)
2047 av |= FILE__READ;
2048
2049 if (mask & MAY_APPEND)
2050 av |= FILE__APPEND;
2051 else if (mask & MAY_WRITE)
2052 av |= FILE__WRITE;
2053
2054 } else {
2055 if (mask & MAY_EXEC)
2056 av |= DIR__SEARCH;
2057 if (mask & MAY_WRITE)
2058 av |= DIR__WRITE;
2059 if (mask & MAY_READ)
2060 av |= DIR__READ;
2061 }
2062
2063 return av;
2064}
2065
8b6a5a37
EP		 2066/* Convert a Linux file to an access vector. */
2067static inline u32 file_to_av(struct file *file)
2068{
2069 u32 av = 0;
2070
2071 if (file->f_mode & FMODE_READ)
2072 av |= FILE__READ;
2073 if (file->f_mode & FMODE_WRITE) {
2074 if (file->f_flags & O_APPEND)
2075 av |= FILE__APPEND;
2076 else
2077 av |= FILE__WRITE;
2078 }
2079 if (!av) {
2080 /*
2081 * Special file opened with flags 3 for ioctl-only use.
2082 */
2083 av = FILE__IOCTL;
2084 }
2085
2086 return av;
2087}
2088
b0c636b9 2089/*
8b6a5a37 2090 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2091 * open permission.
2092 */
8b6a5a37 2093static inline u32 open_file_to_av(struct file *file)
b0c636b9 2094{
8b6a5a37 2095 u32 av = file_to_av(file);
ccb54478 2096 struct inode *inode = file_inode(file);
b0c636b9 2097
ccb54478 2098 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2099 av |= FILE__OPEN;
2100
b0c636b9
EP		 2101 return av;
2102}
2103
1da177e4
LT		 2104/* Hook functions begin here. */
2105
79af7307
SS		 2106static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2107{
2108 u32 mysid = current_sid();
2109 u32 mgrsid = task_sid(mgr);
2110
2111 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2112 BINDER__SET_CONTEXT_MGR, NULL);
2113}
2114
2115static int selinux_binder_transaction(struct task_struct *from,
2116 struct task_struct *to)
2117{
2118 u32 mysid = current_sid();
2119 u32 fromsid = task_sid(from);
2120 u32 tosid = task_sid(to);
2121 int rc;
2122
2123 if (mysid != fromsid) {
2124 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2125 BINDER__IMPERSONATE, NULL);
2126 if (rc)
2127 return rc;
2128 }
2129
2130 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2131 NULL);
2132}
2133
2134static int selinux_binder_transfer_binder(struct task_struct *from,
2135 struct task_struct *to)
2136{
2137 u32 fromsid = task_sid(from);
2138 u32 tosid = task_sid(to);
2139
2140 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2141 NULL);
2142}
2143
2144static int selinux_binder_transfer_file(struct task_struct *from,
2145 struct task_struct *to,
2146 struct file *file)
2147{
2148 u32 sid = task_sid(to);
2149 struct file_security_struct *fsec = file->f_security;
83da53c5 2150 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2151 struct inode_security_struct *isec;
79af7307
SS		 2152 struct common_audit_data ad;
2153 int rc;
2154
2155 ad.type = LSM_AUDIT_DATA_PATH;
2156 ad.u.path = file->f_path;
2157
2158 if (sid != fsec->sid) {
2159 rc = avc_has_perm(sid, fsec->sid,
2160 SECCLASS_FD,
2161 FD__USE,
2162 &ad);
2163 if (rc)
2164 return rc;
2165 }
2166
83da53c5 2167 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2168 return 0;
2169
20cdef8d 2170 isec = backing_inode_security(dentry);
79af7307
SS		 2171 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2172 &ad);
2173}
2174
9e48858f 2175static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2176 unsigned int mode)
1da177e4 2177{
be0554c9
SS		 2178 u32 sid = current_sid();
2179 u32 csid = task_sid(child);
2180
2181 if (mode & PTRACE_MODE_READ)
275bb41e 2182 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2183
be0554c9 2184 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2185}
2186
2187static int selinux_ptrace_traceme(struct task_struct *parent)
2188{
be0554c9
SS		 2189 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2190 PROCESS__PTRACE, NULL);
1da177e4
LT		 2191}
2192
2193static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2194 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2195{
be0554c9
SS		 2196 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2197 PROCESS__GETCAP, NULL);
1da177e4
LT		 2198}
2199
d84f4f99
DH		 2200static int selinux_capset(struct cred *new, const struct cred *old,
2201 const kernel_cap_t *effective,
2202 const kernel_cap_t *inheritable,
2203 const kernel_cap_t *permitted)
1da177e4 2204{
be0554c9
SS		 2205 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2206 PROCESS__SETCAP, NULL);
1da177e4
LT		 2207}
2208
5626d3e8
JM		 2209/*
2210 * (This comment used to live with the selinux_task_setuid hook,
2211 * which was removed).
2212 *
2213 * Since setuid only affects the current process, and since the SELinux
2214 * controls are not based on the Linux identity attributes, SELinux does not
2215 * need to control this operation. However, SELinux does control the use of
2216 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2217 */
2218
6a9de491
EP		 2219static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2220 int cap, int audit)
1da177e4 2221{
8e4ff6f2 2222 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2223}
2224
1da177e4
LT		 2225static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2226{
88e67f3b 2227 const struct cred *cred = current_cred();
1da177e4
LT		 2228 int rc = 0;
2229
2230 if (!sb)
2231 return 0;
2232
2233 switch (cmds) {
828dfe1d
EP		 2234 case Q_SYNC:
2235 case Q_QUOTAON:
2236 case Q_QUOTAOFF:
2237 case Q_SETINFO:
2238 case Q_SETQUOTA:
88e67f3b 2239 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2240 break;
2241 case Q_GETFMT:
2242 case Q_GETINFO:
2243 case Q_GETQUOTA:
88e67f3b 2244 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2245 break;
2246 default:
2247 rc = 0; /* let the kernel handle invalid cmds */
2248 break;
1da177e4
LT		 2249 }
2250 return rc;
2251}
2252
2253static int selinux_quota_on(struct dentry *dentry)
2254{
88e67f3b
DH		 2255 const struct cred *cred = current_cred();
2256
2875fa00 2257 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2258}
2259
12b3052c 2260static int selinux_syslog(int type)
1da177e4 2261{
1da177e4 2262 switch (type) {
d78ca3cd
KC		 2263 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2264 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2265 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2266 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2267 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2268 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2269 /* Set level of messages printed to console */
2270 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2271 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2272 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2273 NULL);
1da177e4 2274 }
be0554c9
SS		 2275 /* All other syslog types */
2276 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2277 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2278}
2279
2280/*
2281 * Check that a process has enough memory to allocate a new virtual
2282 * mapping. 0 means there is enough memory for the allocation to
2283 * succeed and -ENOMEM implies there is not.
2284 *
1da177e4
LT		 2285 * Do not audit the selinux permission check, as this is applied to all
2286 * processes that allocate mappings.
2287 */
34b4e4aa 2288static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2289{
2290 int rc, cap_sys_admin = 0;
1da177e4 2291
b1d9e6b0 2292 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2293 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2294 if (rc == 0)
2295 cap_sys_admin = 1;
2296
b1d9e6b0 2297 return cap_sys_admin;
1da177e4
LT		 2298}
2299
2300/* binprm security operations */
2301
be0554c9 2302static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2303{
2304 u32 sid = 0;
2305 struct task_struct *tracer;
2306
2307 rcu_read_lock();
be0554c9 2308 tracer = ptrace_parent(current);
0c6181cb
PM		 2309 if (tracer)
2310 sid = task_sid(tracer);
2311 rcu_read_unlock();
2312
2313 return sid;
2314}
2315
7b0d0b40
SS		 2316static int check_nnp_nosuid(const struct linux_binprm *bprm,
2317 const struct task_security_struct *old_tsec,
2318 const struct task_security_struct *new_tsec)
2319{
2320 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2321 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40 2322 int rc;
af63f419 2323 u32 av;
7b0d0b40
SS		 2324
2325 if (!nnp && !nosuid)
2326 return 0; /* neither NNP nor nosuid */
2327
2328 if (new_tsec->sid == old_tsec->sid)
2329 return 0; /* No change in credentials */
2330
2331 /*
af63f419
SS		 2332 * If the policy enables the nnp_nosuid_transition policy capability,
2333 * then we permit transitions under NNP or nosuid if the
2334 * policy allows the corresponding permission between
2335 * the old and new contexts.
7b0d0b40 2336 */
af63f419
SS		 2337 if (selinux_policycap_nnp_nosuid_transition) {
2338 av = 0;
7b0d0b40 2339 if (nnp)
af63f419
SS		 2340 av |= PROCESS2__NNP_TRANSITION;
2341 if (nosuid)
2342 av |= PROCESS2__NOSUID_TRANSITION;
2343 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2344 SECCLASS_PROCESS2, av, NULL);
2345 if (!rc)
2346 return 0;
7b0d0b40 2347 }
af63f419
SS		 2348
2349 /*
2350 * We also permit NNP or nosuid transitions to bounded SIDs,
2351 * i.e. SIDs that are guaranteed to only be allowed a subset
2352 * of the permissions of the current SID.
2353 */
2354 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2355 if (!rc)
2356 return 0;
2357
2358 /*
2359 * On failure, preserve the errno values for NNP vs nosuid.
2360 * NNP: Operation not permitted for caller.
2361 * nosuid: Permission denied to file.
2362 */
2363 if (nnp)
2364 return -EPERM;
2365 return -EACCES;
7b0d0b40
SS		 2366}
2367
a6f76f23 2368static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2369{
a6f76f23
DH		 2370 const struct task_security_struct *old_tsec;
2371 struct task_security_struct *new_tsec;
1da177e4 2372 struct inode_security_struct *isec;
2bf49690 2373 struct common_audit_data ad;
496ad9aa 2374 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2375 int rc;
2376
a6f76f23
DH		 2377 /* SELinux context only depends on initial program or script and not
2378 * the script interpreter */
ddb4a144 2379 if (bprm->called_set_creds)
1da177e4
LT		 2380 return 0;
2381
a6f76f23
DH		 2382 old_tsec = current_security();
2383 new_tsec = bprm->cred->security;
83da53c5 2384 isec = inode_security(inode);
1da177e4
LT		 2385
2386 /* Default to the current task SID. */
a6f76f23
DH		 2387 new_tsec->sid = old_tsec->sid;
2388 new_tsec->osid = old_tsec->sid;
1da177e4 2389
28eba5bf 2390 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2391 new_tsec->create_sid = 0;
2392 new_tsec->keycreate_sid = 0;
2393 new_tsec->sockcreate_sid = 0;
1da177e4 2394
a6f76f23
DH		 2395 if (old_tsec->exec_sid) {
2396 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2397 /* Reset exec SID on execve. */
a6f76f23 2398 new_tsec->exec_sid = 0;
259e5e6c 2399
7b0d0b40
SS		 2400 /* Fail on NNP or nosuid if not an allowed transition. */
2401 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2402 if (rc)
2403 return rc;
1da177e4
LT		 2404 } else {
2405 /* Check for a default transition on this program. */
a6f76f23 2406 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2407 SECCLASS_PROCESS, NULL,
2408 &new_tsec->sid);
1da177e4
LT		 2409 if (rc)
2410 return rc;
7b0d0b40
SS		 2411
2412 /*
2413 * Fallback to old SID on NNP or nosuid if not an allowed
2414 * transition.
2415 */
2416 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2417 if (rc)
2418 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2419 }
2420
43af5de7
VG		 2421 ad.type = LSM_AUDIT_DATA_FILE;
2422 ad.u.file = bprm->file;
1da177e4 2423
a6f76f23
DH		 2424 if (new_tsec->sid == old_tsec->sid) {
2425 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2426 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2427 if (rc)
2428 return rc;
2429 } else {
2430 /* Check permissions for the transition. */
a6f76f23 2431 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2432 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2433 if (rc)
2434 return rc;
2435
a6f76f23 2436 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2437 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2438 if (rc)
2439 return rc;
2440
a6f76f23
DH		 2441 /* Check for shared state */
2442 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2443 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2444 SECCLASS_PROCESS, PROCESS__SHARE,
2445 NULL);
2446 if (rc)
2447 return -EPERM;
2448 }
2449
2450 /* Make sure that anyone attempting to ptrace over a task that
2451 * changes its SID has the appropriate permit */
9227dd2a 2452 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2453 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2454 if (ptsid != 0) {
2455 rc = avc_has_perm(ptsid, new_tsec->sid,
2456 SECCLASS_PROCESS,
2457 PROCESS__PTRACE, NULL);
2458 if (rc)
2459 return -EPERM;
2460 }
2461 }
1da177e4 2462
a6f76f23
DH		 2463 /* Clear any possibly unsafe personality bits on exec: */
2464 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2465
1da177e4
LT		 2466 /* Enable secure mode for SIDs transitions unless
2467 the noatsecure permission is granted between
2468 the two SIDs, i.e. ahp returns 0. */
62874c3a
KC		 2469 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2470 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2471 NULL);
2472 bprm->secureexec |= !!rc;
1da177e4
LT		 2473 }
2474
62874c3a 2475 return 0;
1da177e4
LT		 2476}
2477
c3c073f8
AV		 2478static int match_file(const void *p, struct file *file, unsigned fd)
2479{
2480 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2481}
2482
1da177e4 2483/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2484static inline void flush_unauthorized_files(const struct cred *cred,
2485 struct files_struct *files)
1da177e4 2486{
1da177e4 2487 struct file *file, *devnull = NULL;
b20c8122 2488 struct tty_struct *tty;
24ec839c 2489 int drop_tty = 0;
c3c073f8 2490 unsigned n;
1da177e4 2491
24ec839c 2492 tty = get_current_tty();
1da177e4 2493 if (tty) {
4a510969 2494 spin_lock(&tty->files_lock);
37dd0bd0 2495 if (!list_empty(&tty->tty_files)) {
d996b62a 2496 struct tty_file_private *file_priv;
37dd0bd0 2497
1da177e4 2498 /* Revalidate access to controlling tty.
13f8e981
DH		 2499 Use file_path_has_perm on the tty path directly
2500 rather than using file_has_perm, as this particular
2501 open file may belong to another process and we are
2502 only interested in the inode-based check here. */
d996b62a
NP		 2503 file_priv = list_first_entry(&tty->tty_files,
2504 struct tty_file_private, list);
2505 file = file_priv->file;
13f8e981 2506 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2507 drop_tty = 1;
1da177e4 2508 }
4a510969 2509 spin_unlock(&tty->files_lock);
452a00d2 2510 tty_kref_put(tty);
1da177e4 2511 }
98a27ba4
EB		 2512 /* Reset controlling tty. */
2513 if (drop_tty)
2514 no_tty();
1da177e4
LT		 2515
2516 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2517 n = iterate_fd(files, 0, match_file, cred);
2518 if (!n) /* none found? */
2519 return;
1da177e4 2520
c3c073f8 2521 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2522 if (IS_ERR(devnull))
2523 devnull = NULL;
2524 /* replace all the matching ones with this */
2525 do {
2526 replace_fd(n - 1, devnull, 0);
2527 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2528 if (devnull)
c3c073f8 2529 fput(devnull);
1da177e4
LT		 2530}
2531
a6f76f23
DH		 2532/*
2533 * Prepare a process for imminent new credential changes due to exec
2534 */
2535static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2536{
a6f76f23
DH		 2537 struct task_security_struct *new_tsec;
2538 struct rlimit *rlim, *initrlim;
2539 int rc, i;
d84f4f99 2540
a6f76f23
DH		 2541 new_tsec = bprm->cred->security;
2542 if (new_tsec->sid == new_tsec->osid)
2543 return;
1da177e4 2544
a6f76f23
DH		 2545 /* Close files for which the new task SID is not authorized. */
2546 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2547
a6f76f23
DH		 2548 /* Always clear parent death signal on SID transitions. */
2549 current->pdeath_signal = 0;
0356357c 2550
a6f76f23
DH		 2551 /* Check whether the new SID can inherit resource limits from the old
2552 * SID. If not, reset all soft limits to the lower of the current
2553 * task's hard limit and the init task's soft limit.
2554 *
2555 * Note that the setting of hard limits (even to lower them) can be
2556 * controlled by the setrlimit check. The inclusion of the init task's
2557 * soft limit into the computation is to avoid resetting soft limits
2558 * higher than the default soft limit for cases where the default is
2559 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2560 */
2561 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2562 PROCESS__RLIMITINH, NULL);
2563 if (rc) {
eb2d55a3
ON		 2564 /* protect against do_prlimit() */
2565 task_lock(current);
a6f76f23
DH		 2566 for (i = 0; i < RLIM_NLIMITS; i++) {
2567 rlim = current->signal->rlim + i;
2568 initrlim = init_task.signal->rlim + i;
2569 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2570 }
eb2d55a3 2571 task_unlock(current);
baa73d9e
NP		 2572 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2573 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2574 }
2575}
2576
2577/*
a6f76f23
DH		 2578 * Clean up the process immediately after the installation of new credentials
2579 * due to exec
1da177e4 2580 */
a6f76f23 2581static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2582{
a6f76f23 2583 const struct task_security_struct *tsec = current_security();
1da177e4 2584 struct itimerval itimer;
a6f76f23 2585 u32 osid, sid;
1da177e4
LT		 2586 int rc, i;
2587
a6f76f23
DH		 2588 osid = tsec->osid;
2589 sid = tsec->sid;
2590
2591 if (sid == osid)
1da177e4
LT		 2592 return;
2593
a6f76f23
DH		 2594 /* Check whether the new SID can inherit signal state from the old SID.
2595 * If not, clear itimers to avoid subsequent signal generation and
2596 * flush and unblock signals.
2597 *
2598 * This must occur _after_ the task SID has been updated so that any
2599 * kill done after the flush will be checked against the new SID.
2600 */
2601 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2602 if (rc) {
baa73d9e
NP		 2603 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2604 memset(&itimer, 0, sizeof itimer);
2605 for (i = 0; i < 3; i++)
2606 do_setitimer(i, &itimer, NULL);
2607 }
1da177e4 2608 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2609 if (!fatal_signal_pending(current)) {
2610 flush_sigqueue(&current->pending);
2611 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2612 flush_signal_handlers(current, 1);
2613 sigemptyset(&current->blocked);
9e7c8f8c 2614 recalc_sigpending();
3bcac026 2615 }
1da177e4
LT		 2616 spin_unlock_irq(&current->sighand->siglock);
2617 }
2618
a6f76f23
DH		 2619 /* Wake up the parent if it is waiting so that it can recheck
2620 * wait permission to the new task SID. */
ecd6de3c 2621 read_lock(&tasklist_lock);
0b7570e7 2622 __wake_up_parent(current, current->real_parent);
ecd6de3c 2623 read_unlock(&tasklist_lock);
1da177e4
LT		 2624}
2625
2626/* superblock security operations */
2627
2628static int selinux_sb_alloc_security(struct super_block *sb)
2629{
2630 return superblock_alloc_security(sb);
2631}
2632
2633static void selinux_sb_free_security(struct super_block *sb)
2634{
2635 superblock_free_security(sb);
2636}
2637
2638static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2639{
2640 if (plen > olen)
2641 return 0;
2642
2643 return !memcmp(prefix, option, plen);
2644}
2645
2646static inline int selinux_option(char *option, int len)
2647{
832cbd9a
EP		 2648 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2649 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2650 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2651 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2652 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2653}
2654
2655static inline void take_option(char **to, char *from, int *first, int len)
2656{
2657 if (!*first) {
2658 **to = ',';
2659 *to += 1;
3528a953 2660 } else
1da177e4
LT		 2661 *first = 0;
2662 memcpy(*to, from, len);
2663 *to += len;
2664}
2665
828dfe1d
EP		 2666static inline void take_selinux_option(char **to, char *from, int *first,
2667 int len)
3528a953
CO		 2668{
2669 int current_size = 0;
2670
2671 if (!*first) {
2672 **to = '|';
2673 *to += 1;
828dfe1d 2674 } else
3528a953
CO		 2675 *first = 0;
2676
2677 while (current_size < len) {
2678 if (*from != '"') {
2679 **to = *from;
2680 *to += 1;
2681 }
2682 from += 1;
2683 current_size += 1;
2684 }
2685}
2686
e0007529 2687static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2688{
2689 int fnosec, fsec, rc = 0;
2690 char *in_save, *in_curr, *in_end;
2691 char *sec_curr, *nosec_save, *nosec;
3528a953 2692 int open_quote = 0;
1da177e4
LT		 2693
2694 in_curr = orig;
2695 sec_curr = copy;
2696
1da177e4
LT		 2697 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2698 if (!nosec) {
2699 rc = -ENOMEM;
2700 goto out;
2701 }
2702
2703 nosec_save = nosec;
2704 fnosec = fsec = 1;
2705 in_save = in_end = orig;
2706
2707 do {
3528a953
CO		 2708 if (*in_end == '"')
2709 open_quote = !open_quote;
2710 if ((*in_end == ',' && open_quote == 0) ||
2711 *in_end == '\0') {
1da177e4
LT		 2712 int len = in_end - in_curr;
2713
2714 if (selinux_option(in_curr, len))
3528a953 2715 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2716 else
2717 take_option(&nosec, in_curr, &fnosec, len);
2718
2719 in_curr = in_end + 1;
2720 }
2721 } while (*in_end++);
2722
6931dfc9 2723 strcpy(in_save, nosec_save);
da3caa20 2724 free_page((unsigned long)nosec_save);
1da177e4
LT		 2725out:
2726 return rc;
2727}
2728
026eb167
EP		 2729static int selinux_sb_remount(struct super_block *sb, void *data)
2730{
2731 int rc, i, *flags;
2732 struct security_mnt_opts opts;
2733 char *secdata, **mount_options;
2734 struct superblock_security_struct *sbsec = sb->s_security;
2735
2736 if (!(sbsec->flags & SE_SBINITIALIZED))
2737 return 0;
2738
2739 if (!data)
2740 return 0;
2741
2742 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2743 return 0;
2744
2745 security_init_mnt_opts(&opts);
2746 secdata = alloc_secdata();
2747 if (!secdata)
2748 return -ENOMEM;
2749 rc = selinux_sb_copy_data(data, secdata);
2750 if (rc)
2751 goto out_free_secdata;
2752
2753 rc = selinux_parse_opts_str(secdata, &opts);
2754 if (rc)
2755 goto out_free_secdata;
2756
2757 mount_options = opts.mnt_opts;
2758 flags = opts.mnt_opts_flags;
2759
2760 for (i = 0; i < opts.num_mnt_opts; i++) {
2761 u32 sid;
026eb167 2762
12f348b9 2763 if (flags[i] == SBLABEL_MNT)
026eb167 2764 continue;
44be2f65 2765 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2766 if (rc) {
44be2f65 2767 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2768 "(%s) failed for (dev %s, type %s) errno=%d\n",
2769 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2770 goto out_free_opts;
2771 }
2772 rc = -EINVAL;
2773 switch (flags[i]) {
2774 case FSCONTEXT_MNT:
2775 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2776 goto out_bad_option;
2777 break;
2778 case CONTEXT_MNT:
2779 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2780 goto out_bad_option;
2781 break;
2782 case ROOTCONTEXT_MNT: {
2783 struct inode_security_struct *root_isec;
83da53c5 2784 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2785
2786 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2787 goto out_bad_option;
2788 break;
2789 }
2790 case DEFCONTEXT_MNT:
2791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2792 goto out_bad_option;
2793 break;
2794 default:
2795 goto out_free_opts;
2796 }
2797 }
2798
2799 rc = 0;
2800out_free_opts:
2801 security_free_mnt_opts(&opts);
2802out_free_secdata:
2803 free_secdata(secdata);
2804 return rc;
2805out_bad_option:
2806 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2807 "during remount (dev %s, type=%s)\n", sb->s_id,
2808 sb->s_type->name);
026eb167
EP		 2809 goto out_free_opts;
2810}
2811
12204e24 2812static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2813{
88e67f3b 2814 const struct cred *cred = current_cred();
2bf49690 2815 struct common_audit_data ad;
1da177e4
LT		 2816 int rc;
2817
2818 rc = superblock_doinit(sb, data);
2819 if (rc)
2820 return rc;
2821
74192246
JM		 2822 /* Allow all mounts performed by the kernel */
2823 if (flags & MS_KERNMOUNT)
2824 return 0;
2825
50c205f5 2826 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2827 ad.u.dentry = sb->s_root;
88e67f3b 2828 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2829}
2830
726c3342 2831static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2832{
88e67f3b 2833 const struct cred *cred = current_cred();
2bf49690 2834 struct common_audit_data ad;
1da177e4 2835
50c205f5 2836 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2837 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2838 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2839}
2840
808d4e3c 2841static int selinux_mount(const char *dev_name,
8a04c43b 2842 const struct path *path,
808d4e3c 2843 const char *type,
828dfe1d
EP		 2844 unsigned long flags,
2845 void *data)
1da177e4 2846{
88e67f3b 2847 const struct cred *cred = current_cred();
1da177e4
LT		 2848
2849 if (flags & MS_REMOUNT)
d8c9584e 2850 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2851 FILESYSTEM__REMOUNT, NULL);
1da177e4 2852 else
2875fa00 2853 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2854}
2855
2856static int selinux_umount(struct vfsmount *mnt, int flags)
2857{
88e67f3b 2858 const struct cred *cred = current_cred();
1da177e4 2859
88e67f3b 2860 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2861 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2862}
2863
2864/* inode security operations */
2865
2866static int selinux_inode_alloc_security(struct inode *inode)
2867{
2868 return inode_alloc_security(inode);
2869}
2870
2871static void selinux_inode_free_security(struct inode *inode)
2872{
2873 inode_free_security(inode);
2874}
2875
d47be3df 2876static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2877 const struct qstr *name, void **ctx,
d47be3df
DQ		 2878 u32 *ctxlen)
2879{
d47be3df
DQ		 2880 u32 newsid;
2881 int rc;
2882
c957f6df
VG		 2883 rc = selinux_determine_inode_label(current_security(),
2884 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2885 inode_mode_to_security_class(mode),
2886 &newsid);
2887 if (rc)
2888 return rc;
d47be3df
DQ		 2889
2890 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2891}
2892
a518b0a5
VG		 2893static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2894 struct qstr *name,
2895 const struct cred *old,
2896 struct cred *new)
2897{
2898 u32 newsid;
2899 int rc;
2900 struct task_security_struct *tsec;
2901
2902 rc = selinux_determine_inode_label(old->security,
2903 d_inode(dentry->d_parent), name,
2904 inode_mode_to_security_class(mode),
2905 &newsid);
2906 if (rc)
2907 return rc;
2908
2909 tsec = new->security;
2910 tsec->create_sid = newsid;
2911 return 0;
2912}
2913
5e41ff9e 2914static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2915 const struct qstr *qstr,
2916 const char **name,
2a7dba39 2917 void **value, size_t *len)
5e41ff9e 2918{
5fb49870 2919 const struct task_security_struct *tsec = current_security();
5e41ff9e 2920 struct superblock_security_struct *sbsec;
275bb41e 2921 u32 sid, newsid, clen;
5e41ff9e 2922 int rc;
9548906b 2923 char *context;
5e41ff9e 2924
5e41ff9e 2925 sbsec = dir->i_sb->s_security;
5e41ff9e 2926
275bb41e
DH		 2927 sid = tsec->sid;
2928 newsid = tsec->create_sid;
2929
c957f6df 2930 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2931 dir, qstr,
2932 inode_mode_to_security_class(inode->i_mode),
2933 &newsid);
2934 if (rc)
2935 return rc;
5e41ff9e 2936
296fddf7 2937 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2938 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2939 struct inode_security_struct *isec = inode->i_security;
2940 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2941 isec->sid = newsid;
6f3be9f5 2942 isec->initialized = LABEL_INITIALIZED;
296fddf7 2943 }
5e41ff9e 2944
12f348b9 2945 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2946 return -EOPNOTSUPP;
2947
9548906b
TH		 2948 if (name)
2949 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2950
570bc1c2 2951 if (value && len) {
12b29f34 2952 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2953 if (rc)
570bc1c2 2954 return rc;
570bc1c2
SS		 2955 *value = context;
2956 *len = clen;
5e41ff9e 2957 }
5e41ff9e 2958
5e41ff9e
SS		 2959 return 0;
2960}
2961
4acdaf27 2962static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2963{
2964 return may_create(dir, dentry, SECCLASS_FILE);
2965}
2966
1da177e4
LT		 2967static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2968{
1da177e4
LT		 2969 return may_link(dir, old_dentry, MAY_LINK);
2970}
2971
1da177e4
LT		 2972static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2973{
1da177e4
LT		 2974 return may_link(dir, dentry, MAY_UNLINK);
2975}
2976
2977static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2978{
2979 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2980}
2981
18bb1db3 2982static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2983{
2984 return may_create(dir, dentry, SECCLASS_DIR);
2985}
2986
1da177e4
LT		 2987static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2988{
2989 return may_link(dir, dentry, MAY_RMDIR);
2990}
2991
1a67aafb 2992static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2993{
1da177e4
LT		 2994 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2995}
2996
1da177e4 2997static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2998 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2999{
3000 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3001}
3002
1da177e4
LT		 3003static int selinux_inode_readlink(struct dentry *dentry)
3004{
88e67f3b
DH		 3005 const struct cred *cred = current_cred();
3006
2875fa00 3007 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3008}
3009
bda0be7a
N		 3010static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3011 bool rcu)
1da177e4 3012{
88e67f3b 3013 const struct cred *cred = current_cred();
bda0be7a
N		 3014 struct common_audit_data ad;
3015 struct inode_security_struct *isec;
3016 u32 sid;
1da177e4 3017
bda0be7a
N		 3018 validate_creds(cred);
3019
3020 ad.type = LSM_AUDIT_DATA_DENTRY;
3021 ad.u.dentry = dentry;
3022 sid = cred_sid(cred);
5d226df4
AG		 3023 isec = inode_security_rcu(inode, rcu);
3024 if (IS_ERR(isec))
3025 return PTR_ERR(isec);
bda0be7a
N		 3026
3027 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3028 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3029}
3030
d4cf970d
EP		 3031static noinline int audit_inode_permission(struct inode *inode,
3032 u32 perms, u32 audited, u32 denied,
626b9740 3033 int result,
d4cf970d 3034 unsigned flags)
1da177e4 3035{
b782e0a6 3036 struct common_audit_data ad;
d4cf970d
EP		 3037 struct inode_security_struct *isec = inode->i_security;
3038 int rc;
3039
50c205f5 3040 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3041 ad.u.inode = inode;
3042
3043 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3044 audited, denied, result, &ad, flags);
d4cf970d
EP		 3045 if (rc)
3046 return rc;
3047 return 0;
3048}
3049
e74f71eb 3050static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3051{
88e67f3b 3052 const struct cred *cred = current_cred();
b782e0a6
EP		 3053 u32 perms;
3054 bool from_access;
cf1dd1da 3055 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3056 struct inode_security_struct *isec;
3057 u32 sid;
3058 struct av_decision avd;
3059 int rc, rc2;
3060 u32 audited, denied;
1da177e4 3061
b782e0a6 3062 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3063 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3064
b782e0a6
EP		 3065 /* No permission to check. Existence test. */
3066 if (!mask)
1da177e4 3067 return 0;
1da177e4 3068
2e334057 3069 validate_creds(cred);
b782e0a6 3070
2e334057
EP		 3071 if (unlikely(IS_PRIVATE(inode)))
3072 return 0;
b782e0a6
EP		 3073
3074 perms = file_mask_to_av(inode->i_mode, mask);
3075
2e334057 3076 sid = cred_sid(cred);
5d226df4
AG		 3077 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3078 if (IS_ERR(isec))
3079 return PTR_ERR(isec);
2e334057
EP		 3080
3081 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3082 audited = avc_audit_required(perms, &avd, rc,
3083 from_access ? FILE__AUDIT_ACCESS : 0,
3084 &denied);
3085 if (likely(!audited))
3086 return rc;
3087
626b9740 3088 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3089 if (rc2)
3090 return rc2;
3091 return rc;
1da177e4
LT		 3092}
3093
3094static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3095{
88e67f3b 3096 const struct cred *cred = current_cred();
ccb54478 3097 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3098 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3099 __u32 av = FILE__WRITE;
1da177e4 3100
bc6a6008
AW		 3101 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3102 if (ia_valid & ATTR_FORCE) {
3103 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3104 ATTR_FORCE);
3105 if (!ia_valid)
3106 return 0;
3107 }
1da177e4 3108
bc6a6008
AW		 3109 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3110 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3111 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3112
ccb54478
SS		 3113 if (selinux_policycap_openperm &&
3114 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3115 (ia_valid & ATTR_SIZE) &&
3116 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3117 av |= FILE__OPEN;
3118
3119 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3120}
3121
3f7036a0 3122static int selinux_inode_getattr(const struct path *path)
1da177e4 3123{
3f7036a0 3124 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3125}
3126
8f0cfa52 3127static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3128{
88e67f3b
DH		 3129 const struct cred *cred = current_cred();
3130
b5376771
SH		 3131 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3132 sizeof XATTR_SECURITY_PREFIX - 1)) {
3133 if (!strcmp(name, XATTR_NAME_CAPS)) {
3134 if (!capable(CAP_SETFCAP))
3135 return -EPERM;
3136 } else if (!capable(CAP_SYS_ADMIN)) {
3137 /* A different attribute in the security namespace.
3138 Restrict to administrator. */
3139 return -EPERM;
3140 }
3141 }
3142
3143 /* Not an attribute we recognize, so just check the
3144 ordinary setattr permission. */
2875fa00 3145 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3146}
3147
db59000a
SS		 3148static bool has_cap_mac_admin(bool audit)
3149{
3150 const struct cred *cred = current_cred();
3151 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3152
3153 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3154 return false;
3155 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3156 return false;
3157 return true;
3158}
3159
8f0cfa52
DH		 3160static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3161 const void *value, size_t size, int flags)
1da177e4 3162{
c6f493d6 3163 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3164 struct inode_security_struct *isec;
1da177e4 3165 struct superblock_security_struct *sbsec;
2bf49690 3166 struct common_audit_data ad;
275bb41e 3167 u32 newsid, sid = current_sid();
1da177e4
LT		 3168 int rc = 0;
3169
b5376771
SH		 3170 if (strcmp(name, XATTR_NAME_SELINUX))
3171 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3172
3173 sbsec = inode->i_sb->s_security;
12f348b9 3174 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3175 return -EOPNOTSUPP;
3176
2e149670 3177 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3178 return -EPERM;
3179
50c205f5 3180 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3181 ad.u.dentry = dentry;
1da177e4 3182
20cdef8d 3183 isec = backing_inode_security(dentry);
275bb41e 3184 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3185 FILE__RELABELFROM, &ad);
3186 if (rc)
3187 return rc;
3188
52a4c640 3189 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3190 if (rc == -EINVAL) {
db59000a 3191 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3192 struct audit_buffer *ab;
3193 size_t audit_size;
3194 const char *str;
3195
3196 /* We strip a nul only if it is at the end, otherwise the
3197 * context contains a nul and we should audit that */
e3fea3f7
AV		 3198 if (value) {
3199 str = value;
3200 if (str[size - 1] == '\0')
3201 audit_size = size - 1;
3202 else
3203 audit_size = size;
3204 } else {
3205 str = "";
3206 audit_size = 0;
3207 }
d6ea83ec
EP		 3208 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3209 audit_log_format(ab, "op=setxattr invalid_context=");
3210 audit_log_n_untrustedstring(ab, value, audit_size);
3211 audit_log_end(ab);
3212
12b29f34 3213 return rc;
d6ea83ec 3214 }
12b29f34
SS		 3215 rc = security_context_to_sid_force(value, size, &newsid);
3216 }
1da177e4
LT		 3217 if (rc)
3218 return rc;
3219
275bb41e 3220 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3221 FILE__RELABELTO, &ad);
3222 if (rc)
3223 return rc;
3224
275bb41e 3225 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3226 isec->sclass);
1da177e4
LT		 3227 if (rc)
3228 return rc;
3229
3230 return avc_has_perm(newsid,
3231 sbsec->sid,
3232 SECCLASS_FILESYSTEM,
3233 FILESYSTEM__ASSOCIATE,
3234 &ad);
3235}
3236
8f0cfa52 3237static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3238 const void *value, size_t size,
8f0cfa52 3239 int flags)
1da177e4 3240{
c6f493d6 3241 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3242 struct inode_security_struct *isec;
1da177e4
LT		 3243 u32 newsid;
3244 int rc;
3245
3246 if (strcmp(name, XATTR_NAME_SELINUX)) {
3247 /* Not an attribute we recognize, so nothing to do. */
3248 return;
3249 }
3250
12b29f34 3251 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3252 if (rc) {
12b29f34
SS		 3253 printk(KERN_ERR "SELinux: unable to map context to SID"
3254 "for (%s, %lu), rc=%d\n",
3255 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3256 return;
3257 }
3258
20cdef8d 3259 isec = backing_inode_security(dentry);
9287aed2 3260 spin_lock(&isec->lock);
aa9c2669 3261 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3262 isec->sid = newsid;
6f3be9f5 3263 isec->initialized = LABEL_INITIALIZED;
9287aed2 3264 spin_unlock(&isec->lock);
aa9c2669 3265
1da177e4
LT		 3266 return;
3267}
3268
8f0cfa52 3269static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3270{
88e67f3b
DH		 3271 const struct cred *cred = current_cred();
3272
2875fa00 3273 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3274}
3275
828dfe1d 3276static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3277{
88e67f3b
DH		 3278 const struct cred *cred = current_cred();
3279
2875fa00 3280 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3281}
3282
8f0cfa52 3283static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3284{
b5376771
SH		 3285 if (strcmp(name, XATTR_NAME_SELINUX))
3286 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3287
3288 /* No one is allowed to remove a SELinux security label.
3289 You can change the label, but all data must be labeled. */
3290 return -EACCES;
3291}
3292
d381d8a9 3293/*
abc69bb6 3294 * Copy the inode security context value to the user.
d381d8a9
JM		 3295 *
3296 * Permission check is handled by selinux_inode_getxattr hook.
3297 */
ea861dfd 3298static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3299{
42492594
DQ		 3300 u32 size;
3301 int error;
3302 char *context = NULL;
20cdef8d 3303 struct inode_security_struct *isec;
d381d8a9 3304
8c8570fb
DK		 3305 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3306 return -EOPNOTSUPP;
d381d8a9 3307
abc69bb6
SS		 3308 /*
3309 * If the caller has CAP_MAC_ADMIN, then get the raw context
3310 * value even if it is not defined by current policy; otherwise,
3311 * use the in-core value under current policy.
3312 * Use the non-auditing forms of the permission checks since
3313 * getxattr may be called by unprivileged processes commonly
3314 * and lack of permission just means that we fall back to the
3315 * in-core context value, not a denial.
3316 */
20cdef8d 3317 isec = inode_security(inode);
db59000a 3318 if (has_cap_mac_admin(false))
abc69bb6
SS		 3319 error = security_sid_to_context_force(isec->sid, &context,
3320 &size);
3321 else
3322 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3323 if (error)
3324 return error;
3325 error = size;
3326 if (alloc) {
3327 *buffer = context;
3328 goto out_nofree;
3329 }
3330 kfree(context);
3331out_nofree:
3332 return error;
1da177e4
LT		 3333}
3334
3335static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3336 const void *value, size_t size, int flags)
1da177e4 3337{
2c97165b 3338 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3339 u32 newsid;
3340 int rc;
3341
3342 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3343 return -EOPNOTSUPP;
3344
3345 if (!value || !size)
3346 return -EACCES;
3347
20ba96ae 3348 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3349 if (rc)
3350 return rc;
3351
9287aed2 3352 spin_lock(&isec->lock);
aa9c2669 3353 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3354 isec->sid = newsid;
6f3be9f5 3355 isec->initialized = LABEL_INITIALIZED;
9287aed2 3356 spin_unlock(&isec->lock);
1da177e4
LT		 3357 return 0;
3358}
3359
3360static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3361{
3362 const int len = sizeof(XATTR_NAME_SELINUX);
3363 if (buffer && len <= buffer_size)
3364 memcpy(buffer, XATTR_NAME_SELINUX, len);
3365 return len;
3366}
3367
d6335d77 3368static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3369{
e817c2f3 3370 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3371 *secid = isec->sid;
3372}
3373
56909eb3
VG		 3374static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3375{
3376 u32 sid;
3377 struct task_security_struct *tsec;
3378 struct cred *new_creds = *new;
3379
3380 if (new_creds == NULL) {
3381 new_creds = prepare_creds();
3382 if (!new_creds)
3383 return -ENOMEM;
3384 }
3385
3386 tsec = new_creds->security;
3387 /* Get label from overlay inode and set it in create_sid */
3388 selinux_inode_getsecid(d_inode(src), &sid);
3389 tsec->create_sid = sid;
3390 *new = new_creds;
3391 return 0;
3392}
3393
19472b69
VG		 3394static int selinux_inode_copy_up_xattr(const char *name)
3395{
3396 /* The copy_up hook above sets the initial context on an inode, but we
3397 * don't then want to overwrite it by blindly copying all the lower
3398 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3399 */
3400 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3401 return 1; /* Discard */
3402 /*
3403 * Any other attribute apart from SELINUX is not claimed, supported
3404 * by selinux.
3405 */
3406 return -EOPNOTSUPP;
3407}
3408
1da177e4
LT		 3409/* file security operations */
3410
788e7dd4 3411static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3412{
88e67f3b 3413 const struct cred *cred = current_cred();
496ad9aa 3414 struct inode *inode = file_inode(file);
1da177e4 3415
1da177e4
LT		 3416 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3417 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3418 mask |= MAY_APPEND;
3419
389fb800
PM		 3420 return file_has_perm(cred, file,
3421 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3422}
3423
788e7dd4
YN		 3424static int selinux_file_permission(struct file *file, int mask)
3425{
496ad9aa 3426 struct inode *inode = file_inode(file);
20dda18b 3427 struct file_security_struct *fsec = file->f_security;
b197367e 3428 struct inode_security_struct *isec;
20dda18b
SS		 3429 u32 sid = current_sid();
3430
389fb800 3431 if (!mask)
788e7dd4
YN		 3432 /* No permission to check. Existence test. */
3433 return 0;
788e7dd4 3434
b197367e 3435 isec = inode_security(inode);
20dda18b
SS		 3436 if (sid == fsec->sid && fsec->isid == isec->sid &&
3437 fsec->pseqno == avc_policy_seqno())
83d49856 3438 /* No change since file_open check. */
20dda18b
SS		 3439 return 0;
3440
788e7dd4
YN		 3441 return selinux_revalidate_file_permission(file, mask);
3442}
3443
1da177e4
LT		 3444static int selinux_file_alloc_security(struct file *file)
3445{
3446 return file_alloc_security(file);
3447}
3448
3449static void selinux_file_free_security(struct file *file)
3450{
3451 file_free_security(file);
3452}
3453
fa1aa143
JVS		 3454/*
3455 * Check whether a task has the ioctl permission and cmd
3456 * operation to an inode.
3457 */
1d2a168a 3458static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3459 u32 requested, u16 cmd)
3460{
3461 struct common_audit_data ad;
3462 struct file_security_struct *fsec = file->f_security;
3463 struct inode *inode = file_inode(file);
20cdef8d 3464 struct inode_security_struct *isec;
fa1aa143
JVS		 3465 struct lsm_ioctlop_audit ioctl;
3466 u32 ssid = cred_sid(cred);
3467 int rc;
3468 u8 driver = cmd >> 8;
3469 u8 xperm = cmd & 0xff;
3470
3471 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3472 ad.u.op = &ioctl;
3473 ad.u.op->cmd = cmd;
3474 ad.u.op->path = file->f_path;
3475
3476 if (ssid != fsec->sid) {
3477 rc = avc_has_perm(ssid, fsec->sid,
3478 SECCLASS_FD,
3479 FD__USE,
3480 &ad);
3481 if (rc)
3482 goto out;
3483 }
3484
3485 if (unlikely(IS_PRIVATE(inode)))
3486 return 0;
3487
20cdef8d 3488 isec = inode_security(inode);
fa1aa143
JVS		 3489 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3490 requested, driver, xperm, &ad);
3491out:
3492 return rc;
3493}
3494
1da177e4
LT		 3495static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3496 unsigned long arg)
3497{
88e67f3b 3498 const struct cred *cred = current_cred();
0b24dcb7 3499 int error = 0;
1da177e4 3500
0b24dcb7
EP		 3501 switch (cmd) {
3502 case FIONREAD:
3503 /* fall through */
3504 case FIBMAP:
3505 /* fall through */
3506 case FIGETBSZ:
3507 /* fall through */
2f99c369 3508 case FS_IOC_GETFLAGS:
0b24dcb7 3509 /* fall through */
2f99c369 3510 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3511 error = file_has_perm(cred, file, FILE__GETATTR);
3512 break;
1da177e4 3513
2f99c369 3514 case FS_IOC_SETFLAGS:
0b24dcb7 3515 /* fall through */
2f99c369 3516 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3517 error = file_has_perm(cred, file, FILE__SETATTR);
3518 break;
3519
3520 /* sys_ioctl() checks */
3521 case FIONBIO:
3522 /* fall through */
3523 case FIOASYNC:
3524 error = file_has_perm(cred, file, 0);
3525 break;
1da177e4 3526
0b24dcb7
EP		 3527 case KDSKBENT:
3528 case KDSKBSENT:
6a9de491 3529 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3530 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3531 break;
3532
3533 /* default case assumes that the command will go
3534 * to the file's ioctl() function.
3535 */
3536 default:
fa1aa143 3537 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3538 }
3539 return error;
1da177e4
LT		 3540}
3541
fcaaade1
SS		 3542static int default_noexec;
3543
1da177e4
LT		 3544static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3545{
88e67f3b 3546 const struct cred *cred = current_cred();
be0554c9 3547 u32 sid = cred_sid(cred);
d84f4f99 3548 int rc = 0;
88e67f3b 3549
fcaaade1 3550 if (default_noexec &&
892e8cac
SS		 3551 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3552 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3553 /*
3554 * We are making executable an anonymous mapping or a
3555 * private file mapping that will also be writable.
3556 * This has an additional check.
3557 */
be0554c9
SS		 3558 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3559 PROCESS__EXECMEM, NULL);
1da177e4 3560 if (rc)
d84f4f99 3561 goto error;
1da177e4 3562 }
1da177e4
LT		 3563
3564 if (file) {
3565 /* read access is always possible with a mapping */
3566 u32 av = FILE__READ;
3567
3568 /* write access only matters if the mapping is shared */
3569 if (shared && (prot & PROT_WRITE))
3570 av |= FILE__WRITE;
3571
3572 if (prot & PROT_EXEC)
3573 av |= FILE__EXECUTE;
3574
88e67f3b 3575 return file_has_perm(cred, file, av);
1da177e4 3576 }
d84f4f99
DH		 3577
3578error:
3579 return rc;
1da177e4
LT		 3580}
3581
e5467859 3582static int selinux_mmap_addr(unsigned long addr)
1da177e4 3583{
b1d9e6b0 3584 int rc = 0;
1da177e4 3585
a2551df7 3586 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3587 u32 sid = current_sid();
ed032189
EP		 3588 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3589 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3590 }
3591
98883bfd 3592 return rc;
e5467859 3593}
1da177e4 3594
e5467859
AV		 3595static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3596 unsigned long prot, unsigned long flags)
3597{
3ba4bf5f
SS		 3598 struct common_audit_data ad;
3599 int rc;
3600
3601 if (file) {
3602 ad.type = LSM_AUDIT_DATA_FILE;
3603 ad.u.file = file;
3604 rc = inode_has_perm(current_cred(), file_inode(file),
3605 FILE__MAP, &ad);
3606 if (rc)
3607 return rc;
3608 }
3609
1da177e4
LT		 3610 if (selinux_checkreqprot)
3611 prot = reqprot;
3612
3613 return file_map_prot_check(file, prot,
3614 (flags & MAP_TYPE) == MAP_SHARED);
3615}
3616
3617static int selinux_file_mprotect(struct vm_area_struct *vma,
3618 unsigned long reqprot,
3619 unsigned long prot)
3620{
88e67f3b 3621 const struct cred *cred = current_cred();
be0554c9 3622 u32 sid = cred_sid(cred);
1da177e4
LT		 3623
3624 if (selinux_checkreqprot)
3625 prot = reqprot;
3626
fcaaade1
SS		 3627 if (default_noexec &&
3628 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3629 int rc = 0;
db4c9641
SS		 3630 if (vma->vm_start >= vma->vm_mm->start_brk &&
3631 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3632 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3633 PROCESS__EXECHEAP, NULL);
db4c9641 3634 } else if (!vma->vm_file &&
c2316dbf
SS		 3635 ((vma->vm_start <= vma->vm_mm->start_stack &&
3636 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3637 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3638 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3639 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3640 } else if (vma->vm_file && vma->anon_vma) {
3641 /*
3642 * We are making executable a file mapping that has
3643 * had some COW done. Since pages might have been
3644 * written, check ability to execute the possibly
3645 * modified content. This typically should only
3646 * occur for text relocations.
3647 */
d84f4f99 3648 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3649 }