]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: handle ICMPv6 consistently with ICMP
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
9287aed2 234 spin_lock_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
42059112 240 isec->initialized = LABEL_INVALID;
1da177e4
LT		 241 inode->i_security = isec;
242
243 return 0;
244}
245
5d226df4
AG		 246static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
247
248/*
249 * Try reloading inode security labels that have been marked as invalid. The
250 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 251 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 252 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
253 * when no dentry is available, set it to NULL instead.
254 */
255static int __inode_security_revalidate(struct inode *inode,
256 struct dentry *opt_dentry,
257 bool may_sleep)
258{
259 struct inode_security_struct *isec = inode->i_security;
260
261 might_sleep_if(may_sleep);
262
1ac42476 263 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 264 if (!may_sleep)
265 return -ECHILD;
266
267 /*
268 * Try reloading the inode security label. This will fail if
269 * @opt_dentry is NULL and no dentry for this inode can be
270 * found; in that case, continue using the old label.
271 */
272 inode_doinit_with_dentry(inode, opt_dentry);
273 }
274 return 0;
275}
276
5d226df4
AG		 277static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278{
279 return inode->i_security;
280}
281
282static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
283{
284 int error;
285
286 error = __inode_security_revalidate(inode, NULL, !rcu);
287 if (error)
288 return ERR_PTR(error);
289 return inode->i_security;
290}
291
83da53c5
AG		 292/*
293 * Get the security label of an inode.
294 */
295static struct inode_security_struct *inode_security(struct inode *inode)
296{
5d226df4 297 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 298 return inode->i_security;
299}
300
2c97165b
PM		 301static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
302{
303 struct inode *inode = d_backing_inode(dentry);
304
305 return inode->i_security;
306}
307
83da53c5
AG		 308/*
309 * Get the security label of a dentry's backing inode.
310 */
311static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
312{
313 struct inode *inode = d_backing_inode(dentry);
314
5d226df4 315 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 316 return inode->i_security;
317}
318
3dc91d43
SR		 319static void inode_free_rcu(struct rcu_head *head)
320{
321 struct inode_security_struct *isec;
322
323 isec = container_of(head, struct inode_security_struct, rcu);
324 kmem_cache_free(sel_inode_cache, isec);
325}
326
1da177e4
LT		 327static void inode_free_security(struct inode *inode)
328{
329 struct inode_security_struct *isec = inode->i_security;
330 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
331
9629d04a
WL		 332 /*
333 * As not all inode security structures are in a list, we check for
334 * empty list outside of the lock to make sure that we won't waste
335 * time taking a lock doing nothing.
336 *
337 * The list_del_init() function can be safely called more than once.
338 * It should not be possible for this function to be called with
339 * concurrent list_add(), but for better safety against future changes
340 * in the code, we use list_empty_careful() here.
341 */
342 if (!list_empty_careful(&isec->list)) {
343 spin_lock(&sbsec->isec_lock);
1da177e4 344 list_del_init(&isec->list);
9629d04a
WL		 345 spin_unlock(&sbsec->isec_lock);
346 }
1da177e4 347
3dc91d43
SR		 348 /*
349 * The inode may still be referenced in a path walk and
350 * a call to selinux_inode_permission() can be made
351 * after inode_free_security() is called. Ideally, the VFS
352 * wouldn't do this, but fixing that is a much harder
353 * job. For now, simply free the i_security via RCU, and
354 * leave the current inode->i_security pointer intact.
355 * The inode will be freed after the RCU grace period too.
356 */
357 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 358}
359
360static int file_alloc_security(struct file *file)
361{
1da177e4 362 struct file_security_struct *fsec;
275bb41e 363 u32 sid = current_sid();
1da177e4 364
63205654 365 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 366 if (!fsec)
367 return -ENOMEM;
368
275bb41e
DH		 369 fsec->sid = sid;
370 fsec->fown_sid = sid;
1da177e4
LT		 371 file->f_security = fsec;
372
373 return 0;
374}
375
376static void file_free_security(struct file *file)
377{
378 struct file_security_struct *fsec = file->f_security;
1da177e4 379 file->f_security = NULL;
63205654 380 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 381}
382
383static int superblock_alloc_security(struct super_block *sb)
384{
385 struct superblock_security_struct *sbsec;
386
89d155ef 387 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 388 if (!sbsec)
389 return -ENOMEM;
390
bc7e982b 391 mutex_init(&sbsec->lock);
1da177e4
LT		 392 INIT_LIST_HEAD(&sbsec->isec_head);
393 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 394 sbsec->sb = sb;
395 sbsec->sid = SECINITSID_UNLABELED;
396 sbsec->def_sid = SECINITSID_FILE;
c312feb2 397 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 398 sb->s_security = sbsec;
399
400 return 0;
401}
402
403static void superblock_free_security(struct super_block *sb)
404{
405 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 406 sb->s_security = NULL;
407 kfree(sbsec);
408}
409
1da177e4
LT		 410/* The file system's label must be initialized prior to use. */
411
eb9ae686 412static const char *labeling_behaviors[7] = {
1da177e4
LT		 413 "uses xattr",
414 "uses transition SIDs",
415 "uses task SIDs",
416 "uses genfs_contexts",
417 "not configured for labeling",
418 "uses mountpoint labeling",
eb9ae686 419 "uses native labeling",
1da177e4
LT		 420};
421
1da177e4
LT		 422static inline int inode_doinit(struct inode *inode)
423{
424 return inode_doinit_with_dentry(inode, NULL);
425}
426
427enum {
31e87930 428 Opt_error = -1,
1da177e4
LT		 429 Opt_context = 1,
430 Opt_fscontext = 2,
c9180a57
EP		 431 Opt_defcontext = 3,
432 Opt_rootcontext = 4,
11689d47 433 Opt_labelsupport = 5,
d355987f 434 Opt_nextmntopt = 6,
1da177e4
LT		 435};
436
d355987f
EP		 437#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
438
a447c093 439static const match_table_t tokens = {
832cbd9a
EP		 440 {Opt_context, CONTEXT_STR "%s"},
441 {Opt_fscontext, FSCONTEXT_STR "%s"},
442 {Opt_defcontext, DEFCONTEXT_STR "%s"},
443 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 444 {Opt_labelsupport, LABELSUPP_STR},
31e87930 445 {Opt_error, NULL},
1da177e4
LT		 446};
447
448#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
449
c312feb2
EP		 450static int may_context_mount_sb_relabel(u32 sid,
451 struct superblock_security_struct *sbsec,
275bb41e 452 const struct cred *cred)
c312feb2 453{
275bb41e 454 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 455 int rc;
456
457 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__RELABELFROM, NULL);
459 if (rc)
460 return rc;
461
462 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
463 FILESYSTEM__RELABELTO, NULL);
464 return rc;
465}
466
0808925e
EP		 467static int may_context_mount_inode_relabel(u32 sid,
468 struct superblock_security_struct *sbsec,
275bb41e 469 const struct cred *cred)
0808925e 470{
275bb41e 471 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 472 int rc;
473 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
474 FILESYSTEM__RELABELFROM, NULL);
475 if (rc)
476 return rc;
477
478 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
479 FILESYSTEM__ASSOCIATE, NULL);
480 return rc;
481}
482
b43e725d
EP		 483static int selinux_is_sblabel_mnt(struct super_block *sb)
484{
485 struct superblock_security_struct *sbsec = sb->s_security;
486
d5f3a5f6
MS		 487 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
488 sbsec->behavior == SECURITY_FS_USE_TRANS ||
489 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 490 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 491 /* Special handling. Genfs but also in-core setxattr handler */
492 !strcmp(sb->s_type->name, "sysfs") ||
493 !strcmp(sb->s_type->name, "pstore") ||
494 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 495 !strcmp(sb->s_type->name, "tracefs") ||
d5f3a5f6 496 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 497}
498
c9180a57 499static int sb_finish_set_opts(struct super_block *sb)
1da177e4 500{
1da177e4 501 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 502 struct dentry *root = sb->s_root;
c6f493d6 503 struct inode *root_inode = d_backing_inode(root);
c9180a57 504 int rc = 0;
1da177e4 505
c9180a57
EP		 506 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
507 /* Make sure that the xattr handler exists and that no
508 error other than -ENODATA is returned by getxattr on
509 the root directory. -ENODATA is ok, as this may be
510 the first boot of the SELinux kernel before we have
511 assigned xattr values to the filesystem. */
5d6c3191 512 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 513 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
514 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 515 rc = -EOPNOTSUPP;
516 goto out;
517 }
5d6c3191
AG		 518
519 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 520 if (rc < 0 && rc != -ENODATA) {
521 if (rc == -EOPNOTSUPP)
522 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 523 "%s) has no security xattr handler\n",
524 sb->s_id, sb->s_type->name);
c9180a57
EP		 525 else
526 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 527 "%s) getxattr errno %d\n", sb->s_id,
528 sb->s_type->name, -rc);
c9180a57
EP		 529 goto out;
530 }
531 }
1da177e4 532
c9180a57 533 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 534 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
535 sb->s_id, sb->s_type->name);
1da177e4 536
eadcabc6 537 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 538 if (selinux_is_sblabel_mnt(sb))
12f348b9 539 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 540
c9180a57
EP		 541 /* Initialize the root inode. */
542 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 543
c9180a57
EP		 544 /* Initialize any other inodes associated with the superblock, e.g.
545 inodes created prior to initial policy load or inodes created
546 during get_sb by a pseudo filesystem that directly
547 populates itself. */
548 spin_lock(&sbsec->isec_lock);
549next_inode:
550 if (!list_empty(&sbsec->isec_head)) {
551 struct inode_security_struct *isec =
552 list_entry(sbsec->isec_head.next,
553 struct inode_security_struct, list);
554 struct inode *inode = isec->inode;
923190d3 555 list_del_init(&isec->list);
c9180a57
EP		 556 spin_unlock(&sbsec->isec_lock);
557 inode = igrab(inode);
558 if (inode) {
559 if (!IS_PRIVATE(inode))
560 inode_doinit(inode);
561 iput(inode);
562 }
563 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 564 goto next_inode;
565 }
566 spin_unlock(&sbsec->isec_lock);
567out:
568 return rc;
569}
1da177e4 570
c9180a57
EP		 571/*
572 * This function should allow an FS to ask what it's mount security
573 * options were so it can use those later for submounts, displaying
574 * mount options, or whatever.
575 */
576static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 577 struct security_mnt_opts *opts)
c9180a57
EP		 578{
579 int rc = 0, i;
580 struct superblock_security_struct *sbsec = sb->s_security;
581 char *context = NULL;
582 u32 len;
583 char tmp;
1da177e4 584
e0007529 585 security_init_mnt_opts(opts);
1da177e4 586
0d90a7ec 587 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 588 return -EINVAL;
1da177e4 589
c9180a57
EP		 590 if (!ss_initialized)
591 return -EINVAL;
1da177e4 592
af8e50cc
EP		 593 /* make sure we always check enough bits to cover the mask */
594 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
595
0d90a7ec 596 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 597 /* count the number of mount options for this sb */
af8e50cc 598 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 599 if (tmp & 0x01)
e0007529 600 opts->num_mnt_opts++;
c9180a57
EP		 601 tmp >>= 1;
602 }
11689d47 603 /* Check if the Label support flag is set */
0b4bdb35 604 if (sbsec->flags & SBLABEL_MNT)
11689d47 605 opts->num_mnt_opts++;
1da177e4 606
e0007529
EP		 607 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
608 if (!opts->mnt_opts) {
c9180a57
EP		 609 rc = -ENOMEM;
610 goto out_free;
611 }
1da177e4 612
e0007529
EP		 613 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
614 if (!opts->mnt_opts_flags) {
c9180a57
EP		 615 rc = -ENOMEM;
616 goto out_free;
617 }
1da177e4 618
c9180a57
EP		 619 i = 0;
620 if (sbsec->flags & FSCONTEXT_MNT) {
621 rc = security_sid_to_context(sbsec->sid, &context, &len);
622 if (rc)
623 goto out_free;
e0007529
EP		 624 opts->mnt_opts[i] = context;
625 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 626 }
627 if (sbsec->flags & CONTEXT_MNT) {
628 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
629 if (rc)
630 goto out_free;
e0007529
EP		 631 opts->mnt_opts[i] = context;
632 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 633 }
634 if (sbsec->flags & DEFCONTEXT_MNT) {
635 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
636 if (rc)
637 goto out_free;
e0007529
EP		 638 opts->mnt_opts[i] = context;
639 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 640 }
641 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 642 struct dentry *root = sbsec->sb->s_root;
643 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 644
c9180a57
EP		 645 rc = security_sid_to_context(isec->sid, &context, &len);
646 if (rc)
647 goto out_free;
e0007529
EP		 648 opts->mnt_opts[i] = context;
649 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 650 }
12f348b9 651 if (sbsec->flags & SBLABEL_MNT) {
11689d47 652 opts->mnt_opts[i] = NULL;
12f348b9 653 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 654 }
1da177e4 655
e0007529 656 BUG_ON(i != opts->num_mnt_opts);
1da177e4 657
c9180a57
EP		 658 return 0;
659
660out_free:
e0007529 661 security_free_mnt_opts(opts);
c9180a57
EP		 662 return rc;
663}
1da177e4 664
c9180a57
EP		 665static int bad_option(struct superblock_security_struct *sbsec, char flag,
666 u32 old_sid, u32 new_sid)
667{
0d90a7ec
DQ		 668 char mnt_flags = sbsec->flags & SE_MNTMASK;
669
c9180a57 670 /* check if the old mount command had the same options */
0d90a7ec 671 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 672 if (!(sbsec->flags & flag) ||
673 (old_sid != new_sid))
674 return 1;
675
676 /* check if we were passed the same options twice,
677 * aka someone passed context=a,context=b
678 */
0d90a7ec
DQ		 679 if (!(sbsec->flags & SE_SBINITIALIZED))
680 if (mnt_flags & flag)
c9180a57
EP		 681 return 1;
682 return 0;
683}
e0007529 684
c9180a57
EP		 685/*
686 * Allow filesystems with binary mount data to explicitly set mount point
687 * labeling information.
688 */
e0007529 689static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 690 struct security_mnt_opts *opts,
691 unsigned long kern_flags,
692 unsigned long *set_kern_flags)
c9180a57 693{
275bb41e 694 const struct cred *cred = current_cred();
c9180a57 695 int rc = 0, i;
c9180a57 696 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 697 const char *name = sb->s_type->name;
83da53c5 698 struct dentry *root = sbsec->sb->s_root;
2c97165b 699 struct inode_security_struct *root_isec;
c9180a57
EP		 700 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
701 u32 defcontext_sid = 0;
e0007529
EP		 702 char **mount_options = opts->mnt_opts;
703 int *flags = opts->mnt_opts_flags;
704 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 705
706 mutex_lock(&sbsec->lock);
707
708 if (!ss_initialized) {
709 if (!num_opts) {
710 /* Defer initialization until selinux_complete_init,
711 after the initial policy is loaded and the security
712 server is ready to handle calls. */
c9180a57
EP		 713 goto out;
714 }
715 rc = -EINVAL;
744ba35e
EP		 716 printk(KERN_WARNING "SELinux: Unable to set superblock options "
717 "before the security server is initialized\n");
1da177e4 718 goto out;
c9180a57 719 }
649f6e77
DQ		 720 if (kern_flags && !set_kern_flags) {
721 /* Specifying internal flags without providing a place to
722 * place the results is not allowed */
723 rc = -EINVAL;
724 goto out;
725 }
1da177e4 726
e0007529
EP		 727 /*
728 * Binary mount data FS will come through this function twice. Once
729 * from an explicit call and once from the generic calls from the vfs.
730 * Since the generic VFS calls will not contain any security mount data
731 * we need to skip the double mount verification.
732 *
733 * This does open a hole in which we will not notice if the first
734 * mount using this sb set explict options and a second mount using
735 * this sb does not set any security options. (The first options
736 * will be used for both mounts)
737 */
0d90a7ec 738 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 739 && (num_opts == 0))
f5269710 740 goto out;
e0007529 741
2c97165b
PM		 742 root_isec = backing_inode_security_novalidate(root);
743
c9180a57
EP		 744 /*
745 * parse the mount options, check if they are valid sids.
746 * also check if someone is trying to mount the same sb more
747 * than once with different security options.
748 */
749 for (i = 0; i < num_opts; i++) {
750 u32 sid;
11689d47 751
12f348b9 752 if (flags[i] == SBLABEL_MNT)
11689d47 753 continue;
44be2f65 754 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 755 if (rc) {
44be2f65 756 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 757 "(%s) failed for (dev %s, type %s) errno=%d\n",
758 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 759 goto out;
760 }
761 switch (flags[i]) {
762 case FSCONTEXT_MNT:
763 fscontext_sid = sid;
764
765 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
766 fscontext_sid))
767 goto out_double_mount;
768
769 sbsec->flags |= FSCONTEXT_MNT;
770 break;
771 case CONTEXT_MNT:
772 context_sid = sid;
773
774 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
775 context_sid))
776 goto out_double_mount;
777
778 sbsec->flags |= CONTEXT_MNT;
779 break;
780 case ROOTCONTEXT_MNT:
781 rootcontext_sid = sid;
782
783 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
784 rootcontext_sid))
785 goto out_double_mount;
786
787 sbsec->flags |= ROOTCONTEXT_MNT;
788
789 break;
790 case DEFCONTEXT_MNT:
791 defcontext_sid = sid;
792
793 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
794 defcontext_sid))
795 goto out_double_mount;
796
797 sbsec->flags |= DEFCONTEXT_MNT;
798
799 break;
800 default:
801 rc = -EINVAL;
802 goto out;
1da177e4 803 }
c9180a57
EP		 804 }
805
0d90a7ec 806 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 807 /* previously mounted with options, but not on this attempt? */
0d90a7ec 808 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 809 goto out_double_mount;
810 rc = 0;
811 goto out;
812 }
813
089be43e 814 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 815 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
816
8e014720
SS		 817 if (!strcmp(sb->s_type->name, "debugfs") ||
818 !strcmp(sb->s_type->name, "sysfs") ||
819 !strcmp(sb->s_type->name, "pstore"))
134509d5 820 sbsec->flags |= SE_SBGENFS;
c9180a57 821
eb9ae686
DQ		 822 if (!sbsec->behavior) {
823 /*
824 * Determine the labeling behavior to use for this
825 * filesystem type.
826 */
98f700f3 827 rc = security_fs_use(sb);
eb9ae686
DQ		 828 if (rc) {
829 printk(KERN_WARNING
830 "%s: security_fs_use(%s) returned %d\n",
831 __func__, sb->s_type->name, rc);
832 goto out;
833 }
c9180a57 834 }
aad82892
SF		 835
836 /*
837 * If this is a user namespace mount, no contexts are allowed
838 * on the command line and security labels must be ignored.
839 */
840 if (sb->s_user_ns != &init_user_ns) {
841 if (context_sid || fscontext_sid || rootcontext_sid ||
842 defcontext_sid) {
843 rc = -EACCES;
844 goto out;
845 }
846 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
847 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
848 rc = security_transition_sid(current_sid(), current_sid(),
849 SECCLASS_FILE, NULL,
850 &sbsec->mntpoint_sid);
851 if (rc)
852 goto out;
853 }
854 goto out_set_opts;
855 }
856
c9180a57
EP		 857 /* sets the context of the superblock for the fs being mounted. */
858 if (fscontext_sid) {
275bb41e 859 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 860 if (rc)
c9180a57 861 goto out;
1da177e4 862
c9180a57 863 sbsec->sid = fscontext_sid;
c312feb2
EP		 864 }
865
866 /*
867 * Switch to using mount point labeling behavior.
868 * sets the label used on all file below the mountpoint, and will set
869 * the superblock context if not already set.
870 */
eb9ae686
DQ		 871 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
872 sbsec->behavior = SECURITY_FS_USE_NATIVE;
873 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
874 }
875
c9180a57
EP		 876 if (context_sid) {
877 if (!fscontext_sid) {
275bb41e
DH		 878 rc = may_context_mount_sb_relabel(context_sid, sbsec,
879 cred);
b04ea3ce 880 if (rc)
c9180a57
EP		 881 goto out;
882 sbsec->sid = context_sid;
b04ea3ce 883 } else {
275bb41e
DH		 884 rc = may_context_mount_inode_relabel(context_sid, sbsec,
885 cred);
b04ea3ce 886 if (rc)
c9180a57 887 goto out;
b04ea3ce 888 }
c9180a57
EP		 889 if (!rootcontext_sid)
890 rootcontext_sid = context_sid;
1da177e4 891
c9180a57 892 sbsec->mntpoint_sid = context_sid;
c312feb2 893 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 894 }
895
c9180a57 896 if (rootcontext_sid) {
275bb41e
DH		 897 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
898 cred);
0808925e 899 if (rc)
c9180a57 900 goto out;
0808925e 901
c9180a57 902 root_isec->sid = rootcontext_sid;
6f3be9f5 903 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 904 }
905
c9180a57 906 if (defcontext_sid) {
eb9ae686
DQ		 907 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
908 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 909 rc = -EINVAL;
910 printk(KERN_WARNING "SELinux: defcontext option is "
911 "invalid for this filesystem type\n");
912 goto out;
1da177e4
LT		 913 }
914
c9180a57
EP		 915 if (defcontext_sid != sbsec->def_sid) {
916 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 917 sbsec, cred);
c9180a57
EP		 918 if (rc)
919 goto out;
920 }
1da177e4 921
c9180a57 922 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 923 }
924
aad82892 925out_set_opts:
c9180a57 926 rc = sb_finish_set_opts(sb);
1da177e4 927out:
c9180a57 928 mutex_unlock(&sbsec->lock);
1da177e4 929 return rc;
c9180a57
EP		 930out_double_mount:
931 rc = -EINVAL;
932 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 933 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 934 goto out;
1da177e4
LT		 935}
936
094f7b69
JL		 937static int selinux_cmp_sb_context(const struct super_block *oldsb,
938 const struct super_block *newsb)
939{
940 struct superblock_security_struct *old = oldsb->s_security;
941 struct superblock_security_struct *new = newsb->s_security;
942 char oldflags = old->flags & SE_MNTMASK;
943 char newflags = new->flags & SE_MNTMASK;
944
945 if (oldflags != newflags)
946 goto mismatch;
947 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
948 goto mismatch;
949 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
950 goto mismatch;
951 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
952 goto mismatch;
953 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 954 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
955 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 956 if (oldroot->sid != newroot->sid)
957 goto mismatch;
958 }
959 return 0;
960mismatch:
961 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
962 "different security settings for (dev %s, "
963 "type %s)\n", newsb->s_id, newsb->s_type->name);
964 return -EBUSY;
965}
966
967static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 968 struct super_block *newsb)
1da177e4 969{
c9180a57
EP		 970 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
971 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 972
c9180a57
EP		 973 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
974 int set_context = (oldsbsec->flags & CONTEXT_MNT);
975 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 976
0f5e6420
EP		 977 /*
978 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 979 * mount options. thus we can safely deal with this superblock later
0f5e6420 980 */
e8c26255 981 if (!ss_initialized)
094f7b69 982 return 0;
c9180a57 983
c9180a57 984 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 985 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 986
094f7b69 987 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 988 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 989 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 990
c9180a57
EP		 991 mutex_lock(&newsbsec->lock);
992
993 newsbsec->flags = oldsbsec->flags;
994
995 newsbsec->sid = oldsbsec->sid;
996 newsbsec->def_sid = oldsbsec->def_sid;
997 newsbsec->behavior = oldsbsec->behavior;
998
999 if (set_context) {
1000 u32 sid = oldsbsec->mntpoint_sid;
1001
1002 if (!set_fscontext)
1003 newsbsec->sid = sid;
1004 if (!set_rootcontext) {
83da53c5 1005 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1006 newisec->sid = sid;
1007 }
1008 newsbsec->mntpoint_sid = sid;
1da177e4 1009 }
c9180a57 1010 if (set_rootcontext) {
83da53c5
AG		 1011 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1012 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1013
c9180a57 1014 newisec->sid = oldisec->sid;
1da177e4
LT		 1015 }
1016
c9180a57
EP		 1017 sb_finish_set_opts(newsb);
1018 mutex_unlock(&newsbsec->lock);
094f7b69 1019 return 0;
c9180a57
EP		 1020}
1021
2e1479d9
AB		 1022static int selinux_parse_opts_str(char *options,
1023 struct security_mnt_opts *opts)
c9180a57 1024{
e0007529 1025 char *p;
c9180a57
EP		 1026 char *context = NULL, *defcontext = NULL;
1027 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1028 int rc, num_mnt_opts = 0;
1da177e4 1029
e0007529 1030 opts->num_mnt_opts = 0;
1da177e4 1031
c9180a57
EP		 1032 /* Standard string-based options. */
1033 while ((p = strsep(&options, "|")) != NULL) {
1034 int token;
1035 substring_t args[MAX_OPT_ARGS];
1da177e4 1036
c9180a57
EP		 1037 if (!*p)
1038 continue;
1da177e4 1039
c9180a57 1040 token = match_token(p, tokens, args);
1da177e4 1041
c9180a57
EP		 1042 switch (token) {
1043 case Opt_context:
1044 if (context || defcontext) {
1045 rc = -EINVAL;
1046 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1047 goto out_err;
1048 }
1049 context = match_strdup(&args[0]);
1050 if (!context) {
1051 rc = -ENOMEM;
1052 goto out_err;
1053 }
1054 break;
1055
1056 case Opt_fscontext:
1057 if (fscontext) {
1058 rc = -EINVAL;
1059 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1060 goto out_err;
1061 }
1062 fscontext = match_strdup(&args[0]);
1063 if (!fscontext) {
1064 rc = -ENOMEM;
1065 goto out_err;
1066 }
1067 break;
1068
1069 case Opt_rootcontext:
1070 if (rootcontext) {
1071 rc = -EINVAL;
1072 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1073 goto out_err;
1074 }
1075 rootcontext = match_strdup(&args[0]);
1076 if (!rootcontext) {
1077 rc = -ENOMEM;
1078 goto out_err;
1079 }
1080 break;
1081
1082 case Opt_defcontext:
1083 if (context || defcontext) {
1084 rc = -EINVAL;
1085 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1086 goto out_err;
1087 }
1088 defcontext = match_strdup(&args[0]);
1089 if (!defcontext) {
1090 rc = -ENOMEM;
1091 goto out_err;
1092 }
1093 break;
11689d47
DQ		 1094 case Opt_labelsupport:
1095 break;
c9180a57
EP		 1096 default:
1097 rc = -EINVAL;
1098 printk(KERN_WARNING "SELinux: unknown mount option\n");
1099 goto out_err;
1da177e4 1100
1da177e4 1101 }
1da177e4 1102 }
c9180a57 1103
e0007529 1104 rc = -ENOMEM;
8931c3bd 1105 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1106 if (!opts->mnt_opts)
1107 goto out_err;
1108
8931c3bd
TH		 1109 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1110 GFP_KERNEL);
e0007529
EP		 1111 if (!opts->mnt_opts_flags) {
1112 kfree(opts->mnt_opts);
1113 goto out_err;
1114 }
1115
c9180a57 1116 if (fscontext) {
e0007529
EP		 1117 opts->mnt_opts[num_mnt_opts] = fscontext;
1118 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1119 }
1120 if (context) {
e0007529
EP		 1121 opts->mnt_opts[num_mnt_opts] = context;
1122 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1123 }
1124 if (rootcontext) {
e0007529
EP		 1125 opts->mnt_opts[num_mnt_opts] = rootcontext;
1126 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1127 }
1128 if (defcontext) {
e0007529
EP		 1129 opts->mnt_opts[num_mnt_opts] = defcontext;
1130 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1131 }
1132
e0007529
EP		 1133 opts->num_mnt_opts = num_mnt_opts;
1134 return 0;
1135
c9180a57
EP		 1136out_err:
1137 kfree(context);
1138 kfree(defcontext);
1139 kfree(fscontext);
1140 kfree(rootcontext);
1da177e4
LT		 1141 return rc;
1142}
e0007529
EP		 1143/*
1144 * string mount options parsing and call set the sbsec
1145 */
1146static int superblock_doinit(struct super_block *sb, void *data)
1147{
1148 int rc = 0;
1149 char *options = data;
1150 struct security_mnt_opts opts;
1151
1152 security_init_mnt_opts(&opts);
1153
1154 if (!data)
1155 goto out;
1156
1157 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1158
1159 rc = selinux_parse_opts_str(options, &opts);
1160 if (rc)
1161 goto out_err;
1162
1163out:
649f6e77 1164 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1165
1166out_err:
1167 security_free_mnt_opts(&opts);
1168 return rc;
1169}
1da177e4 1170
3583a711
AB		 1171static void selinux_write_opts(struct seq_file *m,
1172 struct security_mnt_opts *opts)
2069f457
EP		 1173{
1174 int i;
1175 char *prefix;
1176
1177 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1178 char *has_comma;
1179
1180 if (opts->mnt_opts[i])
1181 has_comma = strchr(opts->mnt_opts[i], ',');
1182 else
1183 has_comma = NULL;
2069f457
EP		 1184
1185 switch (opts->mnt_opts_flags[i]) {
1186 case CONTEXT_MNT:
1187 prefix = CONTEXT_STR;
1188 break;
1189 case FSCONTEXT_MNT:
1190 prefix = FSCONTEXT_STR;
1191 break;
1192 case ROOTCONTEXT_MNT:
1193 prefix = ROOTCONTEXT_STR;
1194 break;
1195 case DEFCONTEXT_MNT:
1196 prefix = DEFCONTEXT_STR;
1197 break;
12f348b9 1198 case SBLABEL_MNT:
11689d47
DQ		 1199 seq_putc(m, ',');
1200 seq_puts(m, LABELSUPP_STR);
1201 continue;
2069f457
EP		 1202 default:
1203 BUG();
a35c6c83 1204 return;
2069f457
EP		 1205 };
1206 /* we need a comma before each option */
1207 seq_putc(m, ',');
1208 seq_puts(m, prefix);
1209 if (has_comma)
1210 seq_putc(m, '\"');
a068acf2 1211 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1212 if (has_comma)
1213 seq_putc(m, '\"');
1214 }
1215}
1216
1217static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1218{
1219 struct security_mnt_opts opts;
1220 int rc;
1221
1222 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1223 if (rc) {
1224 /* before policy load we may get EINVAL, don't show anything */
1225 if (rc == -EINVAL)
1226 rc = 0;
2069f457 1227 return rc;
383795c2 1228 }
2069f457
EP		 1229
1230 selinux_write_opts(m, &opts);
1231
1232 security_free_mnt_opts(&opts);
1233
1234 return rc;
1235}
1236
1da177e4
LT		 1237static inline u16 inode_mode_to_security_class(umode_t mode)
1238{
1239 switch (mode & S_IFMT) {
1240 case S_IFSOCK:
1241 return SECCLASS_SOCK_FILE;
1242 case S_IFLNK:
1243 return SECCLASS_LNK_FILE;
1244 case S_IFREG:
1245 return SECCLASS_FILE;
1246 case S_IFBLK:
1247 return SECCLASS_BLK_FILE;
1248 case S_IFDIR:
1249 return SECCLASS_DIR;
1250 case S_IFCHR:
1251 return SECCLASS_CHR_FILE;
1252 case S_IFIFO:
1253 return SECCLASS_FIFO_FILE;
1254
1255 }
1256
1257 return SECCLASS_FILE;
1258}
1259
13402580
JM		 1260static inline int default_protocol_stream(int protocol)
1261{
1262 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1263}
1264
1265static inline int default_protocol_dgram(int protocol)
1266{
1267 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1268}
1269
1da177e4
LT		 1270static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1271{
da69a530
SS		 1272 int extsockclass = selinux_policycap_extsockclass;
1273
1da177e4
LT		 1274 switch (family) {
1275 case PF_UNIX:
1276 switch (type) {
1277 case SOCK_STREAM:
1278 case SOCK_SEQPACKET:
1279 return SECCLASS_UNIX_STREAM_SOCKET;
1280 case SOCK_DGRAM:
1281 return SECCLASS_UNIX_DGRAM_SOCKET;
1282 }
1283 break;
1284 case PF_INET:
1285 case PF_INET6:
1286 switch (type) {
1287 case SOCK_STREAM:
da69a530 1288 case SOCK_SEQPACKET:
13402580
JM		 1289 if (default_protocol_stream(protocol))
1290 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1291 else if (extsockclass && protocol == IPPROTO_SCTP)
1292 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1293 else
1294 return SECCLASS_RAWIP_SOCKET;
1da177e4 1295 case SOCK_DGRAM:
13402580
JM		 1296 if (default_protocol_dgram(protocol))
1297 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1298 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1299 protocol == IPPROTO_ICMPV6))
da69a530 1300 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1301 else
1302 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1303 case SOCK_DCCP:
1304 return SECCLASS_DCCP_SOCKET;
13402580 1305 default:
1da177e4
LT		 1306 return SECCLASS_RAWIP_SOCKET;
1307 }
1308 break;
1309 case PF_NETLINK:
1310 switch (protocol) {
1311 case NETLINK_ROUTE:
1312 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1313 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1314 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1315 case NETLINK_NFLOG:
1316 return SECCLASS_NETLINK_NFLOG_SOCKET;
1317 case NETLINK_XFRM:
1318 return SECCLASS_NETLINK_XFRM_SOCKET;
1319 case NETLINK_SELINUX:
1320 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1321 case NETLINK_ISCSI:
1322 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1323 case NETLINK_AUDIT:
1324 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1325 case NETLINK_FIB_LOOKUP:
1326 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1327 case NETLINK_CONNECTOR:
1328 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1329 case NETLINK_NETFILTER:
1330 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1331 case NETLINK_DNRTMSG:
1332 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1333 case NETLINK_KOBJECT_UEVENT:
1334 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1335 case NETLINK_GENERIC:
1336 return SECCLASS_NETLINK_GENERIC_SOCKET;
1337 case NETLINK_SCSITRANSPORT:
1338 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1339 case NETLINK_RDMA:
1340 return SECCLASS_NETLINK_RDMA_SOCKET;
1341 case NETLINK_CRYPTO:
1342 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1343 default:
1344 return SECCLASS_NETLINK_SOCKET;
1345 }
1346 case PF_PACKET:
1347 return SECCLASS_PACKET_SOCKET;
1348 case PF_KEY:
1349 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1350 case PF_APPLETALK:
1351 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1352 }
1353
da69a530
SS		 1354 if (extsockclass) {
1355 switch (family) {
1356 case PF_AX25:
1357 return SECCLASS_AX25_SOCKET;
1358 case PF_IPX:
1359 return SECCLASS_IPX_SOCKET;
1360 case PF_NETROM:
1361 return SECCLASS_NETROM_SOCKET;
1362 case PF_BRIDGE:
1363 return SECCLASS_BRIDGE_SOCKET;
1364 case PF_ATMPVC:
1365 return SECCLASS_ATMPVC_SOCKET;
1366 case PF_X25:
1367 return SECCLASS_X25_SOCKET;
1368 case PF_ROSE:
1369 return SECCLASS_ROSE_SOCKET;
1370 case PF_DECnet:
1371 return SECCLASS_DECNET_SOCKET;
1372 case PF_ATMSVC:
1373 return SECCLASS_ATMSVC_SOCKET;
1374 case PF_RDS:
1375 return SECCLASS_RDS_SOCKET;
1376 case PF_IRDA:
1377 return SECCLASS_IRDA_SOCKET;
1378 case PF_PPPOX:
1379 return SECCLASS_PPPOX_SOCKET;
1380 case PF_LLC:
1381 return SECCLASS_LLC_SOCKET;
1382 case PF_IB:
1383 return SECCLASS_IB_SOCKET;
1384 case PF_MPLS:
1385 return SECCLASS_MPLS_SOCKET;
1386 case PF_CAN:
1387 return SECCLASS_CAN_SOCKET;
1388 case PF_TIPC:
1389 return SECCLASS_TIPC_SOCKET;
1390 case PF_BLUETOOTH:
1391 return SECCLASS_BLUETOOTH_SOCKET;
1392 case PF_IUCV:
1393 return SECCLASS_IUCV_SOCKET;
1394 case PF_RXRPC:
1395 return SECCLASS_RXRPC_SOCKET;
1396 case PF_ISDN:
1397 return SECCLASS_ISDN_SOCKET;
1398 case PF_PHONET:
1399 return SECCLASS_PHONET_SOCKET;
1400 case PF_IEEE802154:
1401 return SECCLASS_IEEE802154_SOCKET;
1402 case PF_CAIF:
1403 return SECCLASS_CAIF_SOCKET;
1404 case PF_ALG:
1405 return SECCLASS_ALG_SOCKET;
1406 case PF_NFC:
1407 return SECCLASS_NFC_SOCKET;
1408 case PF_VSOCK:
1409 return SECCLASS_VSOCK_SOCKET;
1410 case PF_KCM:
1411 return SECCLASS_KCM_SOCKET;
1412 case PF_QIPCRTR:
1413 return SECCLASS_QIPCRTR_SOCKET;
1414#if PF_MAX > 43
1415#error New address family defined, please update this function.
1416#endif
1417 }
1418 }
1419
1da177e4
LT		 1420 return SECCLASS_SOCKET;
1421}
1422
134509d5
SS		 1423static int selinux_genfs_get_sid(struct dentry *dentry,
1424 u16 tclass,
1425 u16 flags,
1426 u32 *sid)
1da177e4 1427{
8e6c9693 1428 int rc;
fc64005c 1429 struct super_block *sb = dentry->d_sb;
8e6c9693 1430 char *buffer, *path;
1da177e4 1431
828dfe1d 1432 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1433 if (!buffer)
1434 return -ENOMEM;
1435
8e6c9693
LAG		 1436 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1437 if (IS_ERR(path))
1438 rc = PTR_ERR(path);
1439 else {
134509d5
SS		 1440 if (flags & SE_SBPROC) {
1441 /* each process gets a /proc/PID/ entry. Strip off the
1442 * PID part to get a valid selinux labeling.
1443 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1444 while (path[1] >= '0' && path[1] <= '9') {
1445 path[1] = '/';
1446 path++;
1447 }
8e6c9693 1448 }
134509d5 1449 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1450 }
1da177e4
LT		 1451 free_page((unsigned long)buffer);
1452 return rc;
1453}
1da177e4
LT		 1454
1455/* The inode's security attributes must be initialized before first use. */
1456static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1457{
1458 struct superblock_security_struct *sbsec = NULL;
1459 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1460 u32 task_sid, sid = 0;
1461 u16 sclass;
1da177e4
LT		 1462 struct dentry *dentry;
1463#define INITCONTEXTLEN 255
1464 char *context = NULL;
1465 unsigned len = 0;
1466 int rc = 0;
1da177e4 1467
6f3be9f5 1468 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1469 return 0;
1da177e4 1470
9287aed2 1471 spin_lock(&isec->lock);
6f3be9f5 1472 if (isec->initialized == LABEL_INITIALIZED)
23970741 1473 goto out_unlock;
1da177e4 1474
13457d07
AG		 1475 if (isec->sclass == SECCLASS_FILE)
1476 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1477
1da177e4 1478 sbsec = inode->i_sb->s_security;
0d90a7ec 1479 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1480 /* Defer initialization until selinux_complete_init,
1481 after the initial policy is loaded and the security
1482 server is ready to handle calls. */
1483 spin_lock(&sbsec->isec_lock);
1484 if (list_empty(&isec->list))
1485 list_add(&isec->list, &sbsec->isec_head);
1486 spin_unlock(&sbsec->isec_lock);
23970741 1487 goto out_unlock;
1da177e4
LT		 1488 }
1489
9287aed2
AG		 1490 sclass = isec->sclass;
1491 task_sid = isec->task_sid;
1492 sid = isec->sid;
1493 isec->initialized = LABEL_PENDING;
1494 spin_unlock(&isec->lock);
1495
1da177e4 1496 switch (sbsec->behavior) {
eb9ae686
DQ		 1497 case SECURITY_FS_USE_NATIVE:
1498 break;
1da177e4 1499 case SECURITY_FS_USE_XATTR:
5d6c3191 1500 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1501 sid = sbsec->def_sid;
1da177e4
LT		 1502 break;
1503 }
1da177e4
LT		 1504 /* Need a dentry, since the xattr API requires one.
1505 Life would be simpler if we could just pass the inode. */
1506 if (opt_dentry) {
1507 /* Called from d_instantiate or d_splice_alias. */
1508 dentry = dget(opt_dentry);
1509 } else {
1510 /* Called from selinux_complete_init, try to find a dentry. */
1511 dentry = d_find_alias(inode);
1512 }
1513 if (!dentry) {
df7f54c0
EP		 1514 /*
1515 * this is can be hit on boot when a file is accessed
1516 * before the policy is loaded. When we load policy we
1517 * may find inodes that have no dentry on the
1518 * sbsec->isec_head list. No reason to complain as these
1519 * will get fixed up the next time we go through
1520 * inode_doinit with a dentry, before these inodes could
1521 * be used again by userspace.
1522 */
9287aed2 1523 goto out;
1da177e4
LT		 1524 }
1525
1526 len = INITCONTEXTLEN;
4cb912f1 1527 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1528 if (!context) {
1529 rc = -ENOMEM;
1530 dput(dentry);
9287aed2 1531 goto out;
1da177e4 1532 }
4cb912f1 1533 context[len] = '\0';
5d6c3191 1534 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1535 if (rc == -ERANGE) {
314dabb8
JM		 1536 kfree(context);
1537
1da177e4 1538 /* Need a larger buffer. Query for the right size. */
5d6c3191 1539 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1540 if (rc < 0) {
1541 dput(dentry);
9287aed2 1542 goto out;
1da177e4 1543 }
1da177e4 1544 len = rc;
4cb912f1 1545 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1546 if (!context) {
1547 rc = -ENOMEM;
1548 dput(dentry);
9287aed2 1549 goto out;
1da177e4 1550 }
4cb912f1 1551 context[len] = '\0';
5d6c3191 1552 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1553 }
1554 dput(dentry);
1555 if (rc < 0) {
1556 if (rc != -ENODATA) {
744ba35e 1557 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1558 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1559 -rc, inode->i_sb->s_id, inode->i_ino);
1560 kfree(context);
9287aed2 1561 goto out;
1da177e4
LT		 1562 }
1563 /* Map ENODATA to the default file SID */
1564 sid = sbsec->def_sid;
1565 rc = 0;
1566 } else {
f5c1d5b2 1567 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1568 sbsec->def_sid,
1569 GFP_NOFS);
1da177e4 1570 if (rc) {
4ba0a8ad
EP		 1571 char *dev = inode->i_sb->s_id;
1572 unsigned long ino = inode->i_ino;
1573
1574 if (rc == -EINVAL) {
1575 if (printk_ratelimit())
1576 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1577 "context=%s. This indicates you may need to relabel the inode or the "
1578 "filesystem in question.\n", ino, dev, context);
1579 } else {
1580 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1581 "returned %d for dev=%s ino=%ld\n",
1582 __func__, context, -rc, dev, ino);
1583 }
1da177e4
LT		 1584 kfree(context);
1585 /* Leave with the unlabeled SID */
1586 rc = 0;
1587 break;
1588 }
1589 }
1590 kfree(context);
1da177e4
LT		 1591 break;
1592 case SECURITY_FS_USE_TASK:
9287aed2 1593 sid = task_sid;
1da177e4
LT		 1594 break;
1595 case SECURITY_FS_USE_TRANS:
1596 /* Default to the fs SID. */
9287aed2 1597 sid = sbsec->sid;
1da177e4
LT		 1598
1599 /* Try to obtain a transition SID. */
9287aed2 1600 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1601 if (rc)
9287aed2 1602 goto out;
1da177e4 1603 break;
c312feb2 1604 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1605 sid = sbsec->mntpoint_sid;
c312feb2 1606 break;
1da177e4 1607 default:
c312feb2 1608 /* Default to the fs superblock SID. */
9287aed2 1609 sid = sbsec->sid;
1da177e4 1610
134509d5 1611 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1612 /* We must have a dentry to determine the label on
1613 * procfs inodes */
1614 if (opt_dentry)
1615 /* Called from d_instantiate or
1616 * d_splice_alias. */
1617 dentry = dget(opt_dentry);
1618 else
1619 /* Called from selinux_complete_init, try to
1620 * find a dentry. */
1621 dentry = d_find_alias(inode);
1622 /*
1623 * This can be hit on boot when a file is accessed
1624 * before the policy is loaded. When we load policy we
1625 * may find inodes that have no dentry on the
1626 * sbsec->isec_head list. No reason to complain as
1627 * these will get fixed up the next time we go through
1628 * inode_doinit() with a dentry, before these inodes
1629 * could be used again by userspace.
1630 */
1631 if (!dentry)
9287aed2
AG		 1632 goto out;
1633 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1634 sbsec->flags, &sid);
f64410ec
PM		 1635 dput(dentry);
1636 if (rc)
9287aed2 1637 goto out;
1da177e4
LT		 1638 }
1639 break;
1640 }
1641
9287aed2
AG		 1642out:
1643 spin_lock(&isec->lock);
1644 if (isec->initialized == LABEL_PENDING) {
1645 if (!sid || rc) {
1646 isec->initialized = LABEL_INVALID;
1647 goto out_unlock;
1648 }
1649
1650 isec->initialized = LABEL_INITIALIZED;
1651 isec->sid = sid;
1652 }
1da177e4 1653
23970741 1654out_unlock:
9287aed2 1655 spin_unlock(&isec->lock);
1da177e4
LT		 1656 return rc;
1657}
1658
1659/* Convert a Linux signal to an access vector. */
1660static inline u32 signal_to_av(int sig)
1661{
1662 u32 perm = 0;
1663
1664 switch (sig) {
1665 case SIGCHLD:
1666 /* Commonly granted from child to parent. */
1667 perm = PROCESS__SIGCHLD;
1668 break;
1669 case SIGKILL:
1670 /* Cannot be caught or ignored */
1671 perm = PROCESS__SIGKILL;
1672 break;
1673 case SIGSTOP:
1674 /* Cannot be caught or ignored */
1675 perm = PROCESS__SIGSTOP;
1676 break;
1677 default:
1678 /* All other signals. */
1679 perm = PROCESS__SIGNAL;
1680 break;
1681 }
1682
1683 return perm;
1684}
1685
d84f4f99
DH		 1686/*
1687 * Check permission between a pair of credentials
1688 * fork check, ptrace check, etc.
1689 */
1690static int cred_has_perm(const struct cred *actor,
1691 const struct cred *target,
1692 u32 perms)
1693{
1694 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1695
1696 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1697}
1698
275bb41e 1699/*
88e67f3b 1700 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1701 * fork check, ptrace check, etc.
1702 * tsk1 is the actor and tsk2 is the target
3b11a1de 1703 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1704 */
1705static int task_has_perm(const struct task_struct *tsk1,
1706 const struct task_struct *tsk2,
1da177e4
LT		 1707 u32 perms)
1708{
275bb41e
DH		 1709 const struct task_security_struct *__tsec1, *__tsec2;
1710 u32 sid1, sid2;
1da177e4 1711
275bb41e
DH		 1712 rcu_read_lock();
1713 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1714 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1715 rcu_read_unlock();
1716 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1717}
1718
3b11a1de
DH		 1719/*
1720 * Check permission between current and another task, e.g. signal checks,
1721 * fork check, ptrace check, etc.
1722 * current is the actor and tsk2 is the target
1723 * - this uses current's subjective creds
1724 */
1725static int current_has_perm(const struct task_struct *tsk,
1726 u32 perms)
1727{
1728 u32 sid, tsid;
1729
1730 sid = current_sid();
1731 tsid = task_sid(tsk);
1732 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1733}
1734
b68e418c
SS		 1735#if CAP_LAST_CAP > 63
1736#error Fix SELinux to handle capabilities > 63.
1737#endif
1738
1da177e4 1739/* Check whether a task is allowed to use a capability. */
6a9de491 1740static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1741 int cap, int audit, bool initns)
1da177e4 1742{
2bf49690 1743 struct common_audit_data ad;
06112163 1744 struct av_decision avd;
b68e418c 1745 u16 sclass;
3699c53c 1746 u32 sid = cred_sid(cred);
b68e418c 1747 u32 av = CAP_TO_MASK(cap);
06112163 1748 int rc;
1da177e4 1749
50c205f5 1750 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1751 ad.u.cap = cap;
1752
b68e418c
SS		 1753 switch (CAP_TO_INDEX(cap)) {
1754 case 0:
8e4ff6f2 1755 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1756 break;
1757 case 1:
8e4ff6f2 1758 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1759 break;
1760 default:
1761 printk(KERN_ERR
1762 "SELinux: out of range capability %d\n", cap);
1763 BUG();
a35c6c83 1764 return -EINVAL;
b68e418c 1765 }
06112163 1766
275bb41e 1767 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1768 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1769 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1770 if (rc2)
1771 return rc2;
1772 }
06112163 1773 return rc;
1da177e4
LT		 1774}
1775
1776/* Check whether a task is allowed to use a system operation. */
1777static int task_has_system(struct task_struct *tsk,
1778 u32 perms)
1779{
275bb41e 1780 u32 sid = task_sid(tsk);
1da177e4 1781
275bb41e 1782 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1783 SECCLASS_SYSTEM, perms, NULL);
1784}
1785
1786/* Check whether a task has a particular permission to an inode.
1787 The 'adp' parameter is optional and allows other audit
1788 data to be passed (e.g. the dentry). */
88e67f3b 1789static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1790 struct inode *inode,
1791 u32 perms,
19e49834 1792 struct common_audit_data *adp)
1da177e4 1793{
1da177e4 1794 struct inode_security_struct *isec;
275bb41e 1795 u32 sid;
1da177e4 1796
e0e81739
DH		 1797 validate_creds(cred);
1798
828dfe1d 1799 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1800 return 0;
1801
88e67f3b 1802 sid = cred_sid(cred);
1da177e4
LT		 1803 isec = inode->i_security;
1804
19e49834 1805 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1806}
1807
1808/* Same as inode_has_perm, but pass explicit audit data containing
1809 the dentry to help the auditing code to more easily generate the
1810 pathname if needed. */
88e67f3b 1811static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1812 struct dentry *dentry,
1813 u32 av)
1814{
c6f493d6 1815 struct inode *inode = d_backing_inode(dentry);
2bf49690 1816 struct common_audit_data ad;
88e67f3b 1817
50c205f5 1818 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1819 ad.u.dentry = dentry;
5d226df4 1820 __inode_security_revalidate(inode, dentry, true);
19e49834 1821 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1822}
1823
1824/* Same as inode_has_perm, but pass explicit audit data containing
1825 the path to help the auditing code to more easily generate the
1826 pathname if needed. */
1827static inline int path_has_perm(const struct cred *cred,
3f7036a0 1828 const struct path *path,
2875fa00
EP		 1829 u32 av)
1830{
c6f493d6 1831 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1832 struct common_audit_data ad;
1833
50c205f5 1834 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1835 ad.u.path = *path;
5d226df4 1836 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1837 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1838}
1839
13f8e981
DH		 1840/* Same as path_has_perm, but uses the inode from the file struct. */
1841static inline int file_path_has_perm(const struct cred *cred,
1842 struct file *file,
1843 u32 av)
1844{
1845 struct common_audit_data ad;
1846
43af5de7
VG		 1847 ad.type = LSM_AUDIT_DATA_FILE;
1848 ad.u.file = file;
19e49834 1849 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1850}
1851
1da177e4
LT		 1852/* Check whether a task can use an open file descriptor to
1853 access an inode in a given way. Check access to the
1854 descriptor itself, and then use dentry_has_perm to
1855 check a particular permission to the file.
1856 Access to the descriptor is implicitly granted if it
1857 has the same SID as the process. If av is zero, then
1858 access to the file is not checked, e.g. for cases
1859 where only the descriptor is affected like seek. */
88e67f3b
DH		 1860static int file_has_perm(const struct cred *cred,
1861 struct file *file,
1862 u32 av)
1da177e4 1863{
1da177e4 1864 struct file_security_struct *fsec = file->f_security;
496ad9aa 1865 struct inode *inode = file_inode(file);
2bf49690 1866 struct common_audit_data ad;
88e67f3b 1867 u32 sid = cred_sid(cred);
1da177e4
LT		 1868 int rc;
1869
43af5de7
VG		 1870 ad.type = LSM_AUDIT_DATA_FILE;
1871 ad.u.file = file;
1da177e4 1872
275bb41e
DH		 1873 if (sid != fsec->sid) {
1874 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1875 SECCLASS_FD,
1876 FD__USE,
1877 &ad);
1878 if (rc)
88e67f3b 1879 goto out;
1da177e4
LT		 1880 }
1881
1882 /* av is zero if only checking access to the descriptor. */
88e67f3b 1883 rc = 0;
1da177e4 1884 if (av)
19e49834 1885 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1886
88e67f3b
DH		 1887out:
1888 return rc;
1da177e4
LT		 1889}
1890
c3c188b2
DH		 1891/*
1892 * Determine the label for an inode that might be unioned.
1893 */
c957f6df
VG		 1894static int
1895selinux_determine_inode_label(const struct task_security_struct *tsec,
1896 struct inode *dir,
1897 const struct qstr *name, u16 tclass,
1898 u32 *_new_isid)
c3c188b2
DH		 1899{
1900 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1901
1902 if ((sbsec->flags & SE_SBINITIALIZED) &&
1903 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1904 *_new_isid = sbsec->mntpoint_sid;
1905 } else if ((sbsec->flags & SBLABEL_MNT) &&
1906 tsec->create_sid) {
1907 *_new_isid = tsec->create_sid;
1908 } else {
20cdef8d 1909 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1910 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1911 name, _new_isid);
1912 }
1913
1914 return 0;
1915}
1916
1da177e4
LT		 1917/* Check whether a task can create a file. */
1918static int may_create(struct inode *dir,
1919 struct dentry *dentry,
1920 u16 tclass)
1921{
5fb49870 1922 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1923 struct inode_security_struct *dsec;
1924 struct superblock_security_struct *sbsec;
275bb41e 1925 u32 sid, newsid;
2bf49690 1926 struct common_audit_data ad;
1da177e4
LT		 1927 int rc;
1928
83da53c5 1929 dsec = inode_security(dir);
1da177e4
LT		 1930 sbsec = dir->i_sb->s_security;
1931
275bb41e 1932 sid = tsec->sid;
275bb41e 1933
50c205f5 1934 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1935 ad.u.dentry = dentry;
1da177e4 1936
275bb41e 1937 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1938 DIR__ADD_NAME | DIR__SEARCH,
1939 &ad);
1940 if (rc)
1941 return rc;
1942
c957f6df
VG		 1943 rc = selinux_determine_inode_label(current_security(), dir,
1944 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1945 if (rc)
1946 return rc;
1da177e4 1947
275bb41e 1948 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1949 if (rc)
1950 return rc;
1951
1952 return avc_has_perm(newsid, sbsec->sid,
1953 SECCLASS_FILESYSTEM,
1954 FILESYSTEM__ASSOCIATE, &ad);
1955}
1956
4eb582cf
ML		 1957/* Check whether a task can create a key. */
1958static int may_create_key(u32 ksid,
1959 struct task_struct *ctx)
1960{
275bb41e 1961 u32 sid = task_sid(ctx);
4eb582cf 1962
275bb41e 1963 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1964}
1965
828dfe1d
EP		 1966#define MAY_LINK 0
1967#define MAY_UNLINK 1
1968#define MAY_RMDIR 2
1da177e4
LT		 1969
1970/* Check whether a task can link, unlink, or rmdir a file/directory. */
1971static int may_link(struct inode *dir,
1972 struct dentry *dentry,
1973 int kind)
1974
1975{
1da177e4 1976 struct inode_security_struct *dsec, *isec;
2bf49690 1977 struct common_audit_data ad;
275bb41e 1978 u32 sid = current_sid();
1da177e4
LT		 1979 u32 av;
1980 int rc;
1981
83da53c5
AG		 1982 dsec = inode_security(dir);
1983 isec = backing_inode_security(dentry);
1da177e4 1984
50c205f5 1985 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1986 ad.u.dentry = dentry;
1da177e4
LT		 1987
1988 av = DIR__SEARCH;
1989 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1990 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1991 if (rc)
1992 return rc;
1993
1994 switch (kind) {
1995 case MAY_LINK:
1996 av = FILE__LINK;
1997 break;
1998 case MAY_UNLINK:
1999 av = FILE__UNLINK;
2000 break;
2001 case MAY_RMDIR:
2002 av = DIR__RMDIR;
2003 break;
2004 default:
744ba35e
EP		 2005 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2006 __func__, kind);
1da177e4
LT		 2007 return 0;
2008 }
2009
275bb41e 2010 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 2011 return rc;
2012}
2013
2014static inline int may_rename(struct inode *old_dir,
2015 struct dentry *old_dentry,
2016 struct inode *new_dir,
2017 struct dentry *new_dentry)
2018{
1da177e4 2019 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 2020 struct common_audit_data ad;
275bb41e 2021 u32 sid = current_sid();
1da177e4
LT		 2022 u32 av;
2023 int old_is_dir, new_is_dir;
2024 int rc;
2025
83da53c5
AG		 2026 old_dsec = inode_security(old_dir);
2027 old_isec = backing_inode_security(old_dentry);
e36cb0b8 2028 old_is_dir = d_is_dir(old_dentry);
83da53c5 2029 new_dsec = inode_security(new_dir);
1da177e4 2030
50c205f5 2031 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 2032
a269434d 2033 ad.u.dentry = old_dentry;
275bb41e 2034 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 2035 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2036 if (rc)
2037 return rc;
275bb41e 2038 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2039 old_isec->sclass, FILE__RENAME, &ad);
2040 if (rc)
2041 return rc;
2042 if (old_is_dir && new_dir != old_dir) {
275bb41e 2043 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 2044 old_isec->sclass, DIR__REPARENT, &ad);
2045 if (rc)
2046 return rc;
2047 }
2048
a269434d 2049 ad.u.dentry = new_dentry;
1da177e4 2050 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 2051 if (d_is_positive(new_dentry))
1da177e4 2052 av |= DIR__REMOVE_NAME;
275bb41e 2053 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 2054 if (rc)
2055 return rc;
2c616d4d 2056 if (d_is_positive(new_dentry)) {
83da53c5 2057 new_isec = backing_inode_security(new_dentry);
e36cb0b8 2058 new_is_dir = d_is_dir(new_dentry);
275bb41e 2059 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 2060 new_isec->sclass,
2061 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2062 if (rc)
2063 return rc;
2064 }
2065
2066 return 0;
2067}
2068
2069/* Check whether a task can perform a filesystem operation. */
88e67f3b 2070static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2071 struct super_block *sb,
2072 u32 perms,
2bf49690 2073 struct common_audit_data *ad)
1da177e4 2074{
1da177e4 2075 struct superblock_security_struct *sbsec;
88e67f3b 2076 u32 sid = cred_sid(cred);
1da177e4 2077
1da177e4 2078 sbsec = sb->s_security;
275bb41e 2079 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2080}
2081
2082/* Convert a Linux mode and permission mask to an access vector. */
2083static inline u32 file_mask_to_av(int mode, int mask)
2084{
2085 u32 av = 0;
2086
dba19c60 2087 if (!S_ISDIR(mode)) {
1da177e4
LT		 2088 if (mask & MAY_EXEC)
2089 av |= FILE__EXECUTE;
2090 if (mask & MAY_READ)
2091 av |= FILE__READ;
2092
2093 if (mask & MAY_APPEND)
2094 av |= FILE__APPEND;
2095 else if (mask & MAY_WRITE)
2096 av |= FILE__WRITE;
2097
2098 } else {
2099 if (mask & MAY_EXEC)
2100 av |= DIR__SEARCH;
2101 if (mask & MAY_WRITE)
2102 av |= DIR__WRITE;
2103 if (mask & MAY_READ)
2104 av |= DIR__READ;
2105 }
2106
2107 return av;
2108}
2109
8b6a5a37
EP		 2110/* Convert a Linux file to an access vector. */
2111static inline u32 file_to_av(struct file *file)
2112{
2113 u32 av = 0;
2114
2115 if (file->f_mode & FMODE_READ)
2116 av |= FILE__READ;
2117 if (file->f_mode & FMODE_WRITE) {
2118 if (file->f_flags & O_APPEND)
2119 av |= FILE__APPEND;
2120 else
2121 av |= FILE__WRITE;
2122 }
2123 if (!av) {
2124 /*
2125 * Special file opened with flags 3 for ioctl-only use.
2126 */
2127 av = FILE__IOCTL;
2128 }
2129
2130 return av;
2131}
2132
b0c636b9 2133/*
8b6a5a37 2134 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2135 * open permission.
2136 */
8b6a5a37 2137static inline u32 open_file_to_av(struct file *file)
b0c636b9 2138{
8b6a5a37 2139 u32 av = file_to_av(file);
b0c636b9 2140
49b7b8de
EP		 2141 if (selinux_policycap_openperm)
2142 av |= FILE__OPEN;
2143
b0c636b9
EP		 2144 return av;
2145}
2146
1da177e4
LT		 2147/* Hook functions begin here. */
2148
79af7307
SS		 2149static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2150{
2151 u32 mysid = current_sid();
2152 u32 mgrsid = task_sid(mgr);
2153
2154 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2155 BINDER__SET_CONTEXT_MGR, NULL);
2156}
2157
2158static int selinux_binder_transaction(struct task_struct *from,
2159 struct task_struct *to)
2160{
2161 u32 mysid = current_sid();
2162 u32 fromsid = task_sid(from);
2163 u32 tosid = task_sid(to);
2164 int rc;
2165
2166 if (mysid != fromsid) {
2167 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2168 BINDER__IMPERSONATE, NULL);
2169 if (rc)
2170 return rc;
2171 }
2172
2173 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2174 NULL);
2175}
2176
2177static int selinux_binder_transfer_binder(struct task_struct *from,
2178 struct task_struct *to)
2179{
2180 u32 fromsid = task_sid(from);
2181 u32 tosid = task_sid(to);
2182
2183 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2184 NULL);
2185}
2186
2187static int selinux_binder_transfer_file(struct task_struct *from,
2188 struct task_struct *to,
2189 struct file *file)
2190{
2191 u32 sid = task_sid(to);
2192 struct file_security_struct *fsec = file->f_security;
83da53c5 2193 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2194 struct inode_security_struct *isec;
79af7307
SS		 2195 struct common_audit_data ad;
2196 int rc;
2197
2198 ad.type = LSM_AUDIT_DATA_PATH;
2199 ad.u.path = file->f_path;
2200
2201 if (sid != fsec->sid) {
2202 rc = avc_has_perm(sid, fsec->sid,
2203 SECCLASS_FD,
2204 FD__USE,
2205 &ad);
2206 if (rc)
2207 return rc;
2208 }
2209
83da53c5 2210 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2211 return 0;
2212
20cdef8d 2213 isec = backing_inode_security(dentry);
79af7307
SS		 2214 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2215 &ad);
2216}
2217
9e48858f 2218static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2219 unsigned int mode)
1da177e4 2220{
69f594a3 2221 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2222 u32 sid = current_sid();
2223 u32 csid = task_sid(child);
2224 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2225 }
2226
3b11a1de 2227 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2228}
2229
2230static int selinux_ptrace_traceme(struct task_struct *parent)
2231{
5cd9c58f 2232 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2233}
2234
2235static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2236 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2237{
b1d9e6b0 2238 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2239}
2240
d84f4f99
DH		 2241static int selinux_capset(struct cred *new, const struct cred *old,
2242 const kernel_cap_t *effective,
2243 const kernel_cap_t *inheritable,
2244 const kernel_cap_t *permitted)
1da177e4 2245{
d84f4f99 2246 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2247}
2248
5626d3e8
JM		 2249/*
2250 * (This comment used to live with the selinux_task_setuid hook,
2251 * which was removed).
2252 *
2253 * Since setuid only affects the current process, and since the SELinux
2254 * controls are not based on the Linux identity attributes, SELinux does not
2255 * need to control this operation. However, SELinux does control the use of
2256 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2257 */
2258
6a9de491
EP		 2259static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2260 int cap, int audit)
1da177e4 2261{
8e4ff6f2 2262 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2263}
2264
1da177e4
LT		 2265static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2266{
88e67f3b 2267 const struct cred *cred = current_cred();
1da177e4
LT		 2268 int rc = 0;
2269
2270 if (!sb)
2271 return 0;
2272
2273 switch (cmds) {
828dfe1d
EP		 2274 case Q_SYNC:
2275 case Q_QUOTAON:
2276 case Q_QUOTAOFF:
2277 case Q_SETINFO:
2278 case Q_SETQUOTA:
88e67f3b 2279 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2280 break;
2281 case Q_GETFMT:
2282 case Q_GETINFO:
2283 case Q_GETQUOTA:
88e67f3b 2284 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2285 break;
2286 default:
2287 rc = 0; /* let the kernel handle invalid cmds */
2288 break;
1da177e4
LT		 2289 }
2290 return rc;
2291}
2292
2293static int selinux_quota_on(struct dentry *dentry)
2294{
88e67f3b
DH		 2295 const struct cred *cred = current_cred();
2296
2875fa00 2297 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2298}
2299
12b3052c 2300static int selinux_syslog(int type)
1da177e4
LT		 2301{
2302 int rc;
2303
1da177e4 2304 switch (type) {
d78ca3cd
KC		 2305 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2306 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2307 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2308 break;
d78ca3cd
KC		 2309 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2310 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2311 /* Set level of messages printed to console */
2312 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2313 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2314 break;
d78ca3cd
KC		 2315 case SYSLOG_ACTION_CLOSE: /* Close log */
2316 case SYSLOG_ACTION_OPEN: /* Open log */
2317 case SYSLOG_ACTION_READ: /* Read from log */
2318 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2319 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2320 default:
2321 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2322 break;
1da177e4
LT		 2323 }
2324 return rc;
2325}
2326
2327/*
2328 * Check that a process has enough memory to allocate a new virtual
2329 * mapping. 0 means there is enough memory for the allocation to
2330 * succeed and -ENOMEM implies there is not.
2331 *
1da177e4
LT		 2332 * Do not audit the selinux permission check, as this is applied to all
2333 * processes that allocate mappings.
2334 */
34b4e4aa 2335static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2336{
2337 int rc, cap_sys_admin = 0;
1da177e4 2338
b1d9e6b0 2339 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2340 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2341 if (rc == 0)
2342 cap_sys_admin = 1;
2343
b1d9e6b0 2344 return cap_sys_admin;
1da177e4
LT		 2345}
2346
2347/* binprm security operations */
2348
0c6181cb
PM		 2349static u32 ptrace_parent_sid(struct task_struct *task)
2350{
2351 u32 sid = 0;
2352 struct task_struct *tracer;
2353
2354 rcu_read_lock();
2355 tracer = ptrace_parent(task);
2356 if (tracer)
2357 sid = task_sid(tracer);
2358 rcu_read_unlock();
2359
2360 return sid;
2361}
2362
7b0d0b40
SS		 2363static int check_nnp_nosuid(const struct linux_binprm *bprm,
2364 const struct task_security_struct *old_tsec,
2365 const struct task_security_struct *new_tsec)
2366{
2367 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2368 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40
SS		 2369 int rc;
2370
2371 if (!nnp && !nosuid)
2372 return 0; /* neither NNP nor nosuid */
2373
2374 if (new_tsec->sid == old_tsec->sid)
2375 return 0; /* No change in credentials */
2376
2377 /*
2378 * The only transitions we permit under NNP or nosuid
2379 * are transitions to bounded SIDs, i.e. SIDs that are
2380 * guaranteed to only be allowed a subset of the permissions
2381 * of the current SID.
2382 */
2383 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2384 if (rc) {
2385 /*
2386 * On failure, preserve the errno values for NNP vs nosuid.
2387 * NNP: Operation not permitted for caller.
2388 * nosuid: Permission denied to file.
2389 */
2390 if (nnp)
2391 return -EPERM;
2392 else
2393 return -EACCES;
2394 }
2395 return 0;
2396}
2397
a6f76f23 2398static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2399{
a6f76f23
DH		 2400 const struct task_security_struct *old_tsec;
2401 struct task_security_struct *new_tsec;
1da177e4 2402 struct inode_security_struct *isec;
2bf49690 2403 struct common_audit_data ad;
496ad9aa 2404 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2405 int rc;
2406
a6f76f23
DH		 2407 /* SELinux context only depends on initial program or script and not
2408 * the script interpreter */
2409 if (bprm->cred_prepared)
1da177e4
LT		 2410 return 0;
2411
a6f76f23
DH		 2412 old_tsec = current_security();
2413 new_tsec = bprm->cred->security;
83da53c5 2414 isec = inode_security(inode);
1da177e4
LT		 2415
2416 /* Default to the current task SID. */
a6f76f23
DH		 2417 new_tsec->sid = old_tsec->sid;
2418 new_tsec->osid = old_tsec->sid;
1da177e4 2419
28eba5bf 2420 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2421 new_tsec->create_sid = 0;
2422 new_tsec->keycreate_sid = 0;
2423 new_tsec->sockcreate_sid = 0;
1da177e4 2424
a6f76f23
DH		 2425 if (old_tsec->exec_sid) {
2426 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2427 /* Reset exec SID on execve. */
a6f76f23 2428 new_tsec->exec_sid = 0;
259e5e6c 2429
7b0d0b40
SS		 2430 /* Fail on NNP or nosuid if not an allowed transition. */
2431 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2432 if (rc)
2433 return rc;
1da177e4
LT		 2434 } else {
2435 /* Check for a default transition on this program. */
a6f76f23 2436 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2437 SECCLASS_PROCESS, NULL,
2438 &new_tsec->sid);
1da177e4
LT		 2439 if (rc)
2440 return rc;
7b0d0b40
SS		 2441
2442 /*
2443 * Fallback to old SID on NNP or nosuid if not an allowed
2444 * transition.
2445 */
2446 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2447 if (rc)
2448 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2449 }
2450
43af5de7
VG		 2451 ad.type = LSM_AUDIT_DATA_FILE;
2452 ad.u.file = bprm->file;
1da177e4 2453
a6f76f23
DH		 2454 if (new_tsec->sid == old_tsec->sid) {
2455 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2456 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2457 if (rc)
2458 return rc;
2459 } else {
2460 /* Check permissions for the transition. */
a6f76f23 2461 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2462 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2463 if (rc)
2464 return rc;
2465
a6f76f23 2466 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2467 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2468 if (rc)
2469 return rc;
2470
a6f76f23
DH		 2471 /* Check for shared state */
2472 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2473 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2474 SECCLASS_PROCESS, PROCESS__SHARE,
2475 NULL);
2476 if (rc)
2477 return -EPERM;
2478 }
2479
2480 /* Make sure that anyone attempting to ptrace over a task that
2481 * changes its SID has the appropriate permit */
2482 if (bprm->unsafe &
2483 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0c6181cb 2484 u32 ptsid = ptrace_parent_sid(current);
a6f76f23
DH		 2485 if (ptsid != 0) {
2486 rc = avc_has_perm(ptsid, new_tsec->sid,
2487 SECCLASS_PROCESS,
2488 PROCESS__PTRACE, NULL);
2489 if (rc)
2490 return -EPERM;
2491 }
2492 }
1da177e4 2493
a6f76f23
DH		 2494 /* Clear any possibly unsafe personality bits on exec: */
2495 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2496 }
2497
1da177e4
LT		 2498 return 0;
2499}
2500
828dfe1d 2501static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2502{
5fb49870 2503 const struct task_security_struct *tsec = current_security();
275bb41e 2504 u32 sid, osid;
1da177e4
LT		 2505 int atsecure = 0;
2506
275bb41e
DH		 2507 sid = tsec->sid;
2508 osid = tsec->osid;
2509
2510 if (osid != sid) {
1da177e4
LT		 2511 /* Enable secure mode for SIDs transitions unless
2512 the noatsecure permission is granted between
2513 the two SIDs, i.e. ahp returns 0. */
275bb41e 2514 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2515 SECCLASS_PROCESS,
2516 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2517 }
2518
b1d9e6b0 2519 return !!atsecure;
1da177e4
LT		 2520}
2521
c3c073f8
AV		 2522static int match_file(const void *p, struct file *file, unsigned fd)
2523{
2524 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2525}
2526
1da177e4 2527/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2528static inline void flush_unauthorized_files(const struct cred *cred,
2529 struct files_struct *files)
1da177e4 2530{
1da177e4 2531 struct file *file, *devnull = NULL;
b20c8122 2532 struct tty_struct *tty;
24ec839c 2533 int drop_tty = 0;
c3c073f8 2534 unsigned n;
1da177e4 2535
24ec839c 2536 tty = get_current_tty();
1da177e4 2537 if (tty) {
4a510969 2538 spin_lock(&tty->files_lock);
37dd0bd0 2539 if (!list_empty(&tty->tty_files)) {
d996b62a 2540 struct tty_file_private *file_priv;
37dd0bd0 2541
1da177e4 2542 /* Revalidate access to controlling tty.
13f8e981
DH		 2543 Use file_path_has_perm on the tty path directly
2544 rather than using file_has_perm, as this particular
2545 open file may belong to another process and we are
2546 only interested in the inode-based check here. */
d996b62a
NP		 2547 file_priv = list_first_entry(&tty->tty_files,
2548 struct tty_file_private, list);
2549 file = file_priv->file;
13f8e981 2550 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2551 drop_tty = 1;
1da177e4 2552 }
4a510969 2553 spin_unlock(&tty->files_lock);
452a00d2 2554 tty_kref_put(tty);
1da177e4 2555 }
98a27ba4
EB		 2556 /* Reset controlling tty. */
2557 if (drop_tty)
2558 no_tty();
1da177e4
LT		 2559
2560 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2561 n = iterate_fd(files, 0, match_file, cred);
2562 if (!n) /* none found? */
2563 return;
1da177e4 2564
c3c073f8 2565 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2566 if (IS_ERR(devnull))
2567 devnull = NULL;
2568 /* replace all the matching ones with this */
2569 do {
2570 replace_fd(n - 1, devnull, 0);
2571 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2572 if (devnull)
c3c073f8 2573 fput(devnull);
1da177e4
LT		 2574}
2575
a6f76f23
DH		 2576/*
2577 * Prepare a process for imminent new credential changes due to exec
2578 */
2579static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2580{
a6f76f23
DH		 2581 struct task_security_struct *new_tsec;
2582 struct rlimit *rlim, *initrlim;
2583 int rc, i;
d84f4f99 2584
a6f76f23
DH		 2585 new_tsec = bprm->cred->security;
2586 if (new_tsec->sid == new_tsec->osid)
2587 return;
1da177e4 2588
a6f76f23
DH		 2589 /* Close files for which the new task SID is not authorized. */
2590 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2591
a6f76f23
DH		 2592 /* Always clear parent death signal on SID transitions. */
2593 current->pdeath_signal = 0;
0356357c 2594
a6f76f23
DH		 2595 /* Check whether the new SID can inherit resource limits from the old
2596 * SID. If not, reset all soft limits to the lower of the current
2597 * task's hard limit and the init task's soft limit.
2598 *
2599 * Note that the setting of hard limits (even to lower them) can be
2600 * controlled by the setrlimit check. The inclusion of the init task's
2601 * soft limit into the computation is to avoid resetting soft limits
2602 * higher than the default soft limit for cases where the default is
2603 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2604 */
2605 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2606 PROCESS__RLIMITINH, NULL);
2607 if (rc) {
eb2d55a3
ON		 2608 /* protect against do_prlimit() */
2609 task_lock(current);
a6f76f23
DH		 2610 for (i = 0; i < RLIM_NLIMITS; i++) {
2611 rlim = current->signal->rlim + i;
2612 initrlim = init_task.signal->rlim + i;
2613 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2614 }
eb2d55a3 2615 task_unlock(current);
baa73d9e
NP		 2616 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2617 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2618 }
2619}
2620
2621/*
a6f76f23
DH		 2622 * Clean up the process immediately after the installation of new credentials
2623 * due to exec
1da177e4 2624 */
a6f76f23 2625static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2626{
a6f76f23 2627 const struct task_security_struct *tsec = current_security();
1da177e4 2628 struct itimerval itimer;
a6f76f23 2629 u32 osid, sid;
1da177e4
LT		 2630 int rc, i;
2631
a6f76f23
DH		 2632 osid = tsec->osid;
2633 sid = tsec->sid;
2634
2635 if (sid == osid)
1da177e4
LT		 2636 return;
2637
a6f76f23
DH		 2638 /* Check whether the new SID can inherit signal state from the old SID.
2639 * If not, clear itimers to avoid subsequent signal generation and
2640 * flush and unblock signals.
2641 *
2642 * This must occur _after_ the task SID has been updated so that any
2643 * kill done after the flush will be checked against the new SID.
2644 */
2645 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2646 if (rc) {
baa73d9e
NP		 2647 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2648 memset(&itimer, 0, sizeof itimer);
2649 for (i = 0; i < 3; i++)
2650 do_setitimer(i, &itimer, NULL);
2651 }
1da177e4 2652 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2653 if (!fatal_signal_pending(current)) {
2654 flush_sigqueue(&current->pending);
2655 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2656 flush_signal_handlers(current, 1);
2657 sigemptyset(&current->blocked);
9e7c8f8c 2658 recalc_sigpending();
3bcac026 2659 }
1da177e4
LT		 2660 spin_unlock_irq(&current->sighand->siglock);
2661 }
2662
a6f76f23
DH		 2663 /* Wake up the parent if it is waiting so that it can recheck
2664 * wait permission to the new task SID. */
ecd6de3c 2665 read_lock(&tasklist_lock);
0b7570e7 2666 __wake_up_parent(current, current->real_parent);
ecd6de3c 2667 read_unlock(&tasklist_lock);
1da177e4
LT		 2668}
2669
2670/* superblock security operations */
2671
2672static int selinux_sb_alloc_security(struct super_block *sb)
2673{
2674 return superblock_alloc_security(sb);
2675}
2676
2677static void selinux_sb_free_security(struct super_block *sb)
2678{
2679 superblock_free_security(sb);
2680}
2681
2682static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2683{
2684 if (plen > olen)
2685 return 0;
2686
2687 return !memcmp(prefix, option, plen);
2688}
2689
2690static inline int selinux_option(char *option, int len)
2691{
832cbd9a
EP		 2692 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2693 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2694 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2695 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2696 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2697}
2698
2699static inline void take_option(char **to, char *from, int *first, int len)
2700{
2701 if (!*first) {
2702 **to = ',';
2703 *to += 1;
3528a953 2704 } else
1da177e4
LT		 2705 *first = 0;
2706 memcpy(*to, from, len);
2707 *to += len;
2708}
2709
828dfe1d
EP		 2710static inline void take_selinux_option(char **to, char *from, int *first,
2711 int len)
3528a953
CO		 2712{
2713 int current_size = 0;
2714
2715 if (!*first) {
2716 **to = '|';
2717 *to += 1;
828dfe1d 2718 } else
3528a953
CO		 2719 *first = 0;
2720
2721 while (current_size < len) {
2722 if (*from != '"') {
2723 **to = *from;
2724 *to += 1;
2725 }
2726 from += 1;
2727 current_size += 1;
2728 }
2729}
2730
e0007529 2731static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2732{
2733 int fnosec, fsec, rc = 0;
2734 char *in_save, *in_curr, *in_end;
2735 char *sec_curr, *nosec_save, *nosec;
3528a953 2736 int open_quote = 0;
1da177e4
LT		 2737
2738 in_curr = orig;
2739 sec_curr = copy;
2740
1da177e4
LT		 2741 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2742 if (!nosec) {
2743 rc = -ENOMEM;
2744 goto out;
2745 }
2746
2747 nosec_save = nosec;
2748 fnosec = fsec = 1;
2749 in_save = in_end = orig;
2750
2751 do {
3528a953
CO		 2752 if (*in_end == '"')
2753 open_quote = !open_quote;
2754 if ((*in_end == ',' && open_quote == 0) ||
2755 *in_end == '\0') {
1da177e4
LT		 2756 int len = in_end - in_curr;
2757
2758 if (selinux_option(in_curr, len))
3528a953 2759 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2760 else
2761 take_option(&nosec, in_curr, &fnosec, len);
2762
2763 in_curr = in_end + 1;
2764 }
2765 } while (*in_end++);
2766
6931dfc9 2767 strcpy(in_save, nosec_save);
da3caa20 2768 free_page((unsigned long)nosec_save);
1da177e4
LT		 2769out:
2770 return rc;
2771}
2772
026eb167
EP		 2773static int selinux_sb_remount(struct super_block *sb, void *data)
2774{
2775 int rc, i, *flags;
2776 struct security_mnt_opts opts;
2777 char *secdata, **mount_options;
2778 struct superblock_security_struct *sbsec = sb->s_security;
2779
2780 if (!(sbsec->flags & SE_SBINITIALIZED))
2781 return 0;
2782
2783 if (!data)
2784 return 0;
2785
2786 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2787 return 0;
2788
2789 security_init_mnt_opts(&opts);
2790 secdata = alloc_secdata();
2791 if (!secdata)
2792 return -ENOMEM;
2793 rc = selinux_sb_copy_data(data, secdata);
2794 if (rc)
2795 goto out_free_secdata;
2796
2797 rc = selinux_parse_opts_str(secdata, &opts);
2798 if (rc)
2799 goto out_free_secdata;
2800
2801 mount_options = opts.mnt_opts;
2802 flags = opts.mnt_opts_flags;
2803
2804 for (i = 0; i < opts.num_mnt_opts; i++) {
2805 u32 sid;
026eb167 2806
12f348b9 2807 if (flags[i] == SBLABEL_MNT)
026eb167 2808 continue;
44be2f65 2809 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2810 if (rc) {
44be2f65 2811 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2812 "(%s) failed for (dev %s, type %s) errno=%d\n",
2813 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2814 goto out_free_opts;
2815 }
2816 rc = -EINVAL;
2817 switch (flags[i]) {
2818 case FSCONTEXT_MNT:
2819 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2820 goto out_bad_option;
2821 break;
2822 case CONTEXT_MNT:
2823 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2824 goto out_bad_option;
2825 break;
2826 case ROOTCONTEXT_MNT: {
2827 struct inode_security_struct *root_isec;
83da53c5 2828 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2829
2830 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2831 goto out_bad_option;
2832 break;
2833 }
2834 case DEFCONTEXT_MNT:
2835 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2836 goto out_bad_option;
2837 break;
2838 default:
2839 goto out_free_opts;
2840 }
2841 }
2842
2843 rc = 0;
2844out_free_opts:
2845 security_free_mnt_opts(&opts);
2846out_free_secdata:
2847 free_secdata(secdata);
2848 return rc;
2849out_bad_option:
2850 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2851 "during remount (dev %s, type=%s)\n", sb->s_id,
2852 sb->s_type->name);
026eb167
EP		 2853 goto out_free_opts;
2854}
2855
12204e24 2856static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2857{
88e67f3b 2858 const struct cred *cred = current_cred();
2bf49690 2859 struct common_audit_data ad;
1da177e4
LT		 2860 int rc;
2861
2862 rc = superblock_doinit(sb, data);
2863 if (rc)
2864 return rc;
2865
74192246
JM		 2866 /* Allow all mounts performed by the kernel */
2867 if (flags & MS_KERNMOUNT)
2868 return 0;
2869
50c205f5 2870 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2871 ad.u.dentry = sb->s_root;
88e67f3b 2872 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2873}
2874
726c3342 2875static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2876{
88e67f3b 2877 const struct cred *cred = current_cred();
2bf49690 2878 struct common_audit_data ad;
1da177e4 2879
50c205f5 2880 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2881 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2882 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2883}
2884
808d4e3c 2885static int selinux_mount(const char *dev_name,
8a04c43b 2886 const struct path *path,
808d4e3c 2887 const char *type,
828dfe1d
EP		 2888 unsigned long flags,
2889 void *data)
1da177e4 2890{
88e67f3b 2891 const struct cred *cred = current_cred();
1da177e4
LT		 2892
2893 if (flags & MS_REMOUNT)
d8c9584e 2894 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2895 FILESYSTEM__REMOUNT, NULL);
1da177e4 2896 else
2875fa00 2897 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2898}
2899
2900static int selinux_umount(struct vfsmount *mnt, int flags)
2901{
88e67f3b 2902 const struct cred *cred = current_cred();
1da177e4 2903
88e67f3b 2904 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2905 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2906}
2907
2908/* inode security operations */
2909
2910static int selinux_inode_alloc_security(struct inode *inode)
2911{
2912 return inode_alloc_security(inode);
2913}
2914
2915static void selinux_inode_free_security(struct inode *inode)
2916{
2917 inode_free_security(inode);
2918}
2919
d47be3df 2920static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2921 const struct qstr *name, void **ctx,
d47be3df
DQ		 2922 u32 *ctxlen)
2923{
d47be3df
DQ		 2924 u32 newsid;
2925 int rc;
2926
c957f6df
VG		 2927 rc = selinux_determine_inode_label(current_security(),
2928 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2929 inode_mode_to_security_class(mode),
2930 &newsid);
2931 if (rc)
2932 return rc;
d47be3df
DQ		 2933
2934 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2935}
2936
a518b0a5
VG		 2937static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2938 struct qstr *name,
2939 const struct cred *old,
2940 struct cred *new)
2941{
2942 u32 newsid;
2943 int rc;
2944 struct task_security_struct *tsec;
2945
2946 rc = selinux_determine_inode_label(old->security,
2947 d_inode(dentry->d_parent), name,
2948 inode_mode_to_security_class(mode),
2949 &newsid);
2950 if (rc)
2951 return rc;
2952
2953 tsec = new->security;
2954 tsec->create_sid = newsid;
2955 return 0;
2956}
2957
5e41ff9e 2958static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2959 const struct qstr *qstr,
2960 const char **name,
2a7dba39 2961 void **value, size_t *len)
5e41ff9e 2962{
5fb49870 2963 const struct task_security_struct *tsec = current_security();
5e41ff9e 2964 struct superblock_security_struct *sbsec;
275bb41e 2965 u32 sid, newsid, clen;
5e41ff9e 2966 int rc;
9548906b 2967 char *context;
5e41ff9e 2968
5e41ff9e 2969 sbsec = dir->i_sb->s_security;
5e41ff9e 2970
275bb41e
DH		 2971 sid = tsec->sid;
2972 newsid = tsec->create_sid;
2973
c957f6df 2974 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2975 dir, qstr,
2976 inode_mode_to_security_class(inode->i_mode),
2977 &newsid);
2978 if (rc)
2979 return rc;
5e41ff9e 2980
296fddf7 2981 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2982 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2983 struct inode_security_struct *isec = inode->i_security;
2984 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2985 isec->sid = newsid;
6f3be9f5 2986 isec->initialized = LABEL_INITIALIZED;
296fddf7 2987 }
5e41ff9e 2988
12f348b9 2989 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2990 return -EOPNOTSUPP;
2991
9548906b
TH		 2992 if (name)
2993 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2994
570bc1c2 2995 if (value && len) {
12b29f34 2996 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2997 if (rc)
570bc1c2 2998 return rc;
570bc1c2
SS		 2999 *value = context;
3000 *len = clen;
5e41ff9e 3001 }
5e41ff9e 3002
5e41ff9e
SS		 3003 return 0;
3004}
3005
4acdaf27 3006static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 3007{
3008 return may_create(dir, dentry, SECCLASS_FILE);
3009}
3010
1da177e4
LT		 3011static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3012{
1da177e4
LT		 3013 return may_link(dir, old_dentry, MAY_LINK);
3014}
3015
1da177e4
LT		 3016static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3017{
1da177e4
LT		 3018 return may_link(dir, dentry, MAY_UNLINK);
3019}
3020
3021static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3022{
3023 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3024}
3025
18bb1db3 3026static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 3027{
3028 return may_create(dir, dentry, SECCLASS_DIR);
3029}
3030
1da177e4
LT		 3031static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3032{
3033 return may_link(dir, dentry, MAY_RMDIR);
3034}
3035
1a67aafb 3036static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 3037{
1da177e4
LT		 3038 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3039}
3040
1da177e4 3041static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 3042 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 3043{
3044 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3045}
3046
1da177e4
LT		 3047static int selinux_inode_readlink(struct dentry *dentry)
3048{
88e67f3b
DH		 3049 const struct cred *cred = current_cred();
3050
2875fa00 3051 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 3052}
3053
bda0be7a
N		 3054static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3055 bool rcu)
1da177e4 3056{
88e67f3b 3057 const struct cred *cred = current_cred();
bda0be7a
N		 3058 struct common_audit_data ad;
3059 struct inode_security_struct *isec;
3060 u32 sid;
1da177e4 3061
bda0be7a
N		 3062 validate_creds(cred);
3063
3064 ad.type = LSM_AUDIT_DATA_DENTRY;
3065 ad.u.dentry = dentry;
3066 sid = cred_sid(cred);
5d226df4
AG		 3067 isec = inode_security_rcu(inode, rcu);
3068 if (IS_ERR(isec))
3069 return PTR_ERR(isec);
bda0be7a
N		 3070
3071 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3072 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3073}
3074
d4cf970d
EP		 3075static noinline int audit_inode_permission(struct inode *inode,
3076 u32 perms, u32 audited, u32 denied,
626b9740 3077 int result,
d4cf970d 3078 unsigned flags)
1da177e4 3079{
b782e0a6 3080 struct common_audit_data ad;
d4cf970d
EP		 3081 struct inode_security_struct *isec = inode->i_security;
3082 int rc;
3083
50c205f5 3084 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3085 ad.u.inode = inode;
3086
3087 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3088 audited, denied, result, &ad, flags);
d4cf970d
EP		 3089 if (rc)
3090 return rc;
3091 return 0;
3092}
3093
e74f71eb 3094static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3095{
88e67f3b 3096 const struct cred *cred = current_cred();
b782e0a6
EP		 3097 u32 perms;
3098 bool from_access;
cf1dd1da 3099 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3100 struct inode_security_struct *isec;
3101 u32 sid;
3102 struct av_decision avd;
3103 int rc, rc2;
3104 u32 audited, denied;
1da177e4 3105
b782e0a6 3106 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3107 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3108
b782e0a6
EP		 3109 /* No permission to check. Existence test. */
3110 if (!mask)
1da177e4 3111 return 0;
1da177e4 3112
2e334057 3113 validate_creds(cred);
b782e0a6 3114
2e334057
EP		 3115 if (unlikely(IS_PRIVATE(inode)))
3116 return 0;
b782e0a6
EP		 3117
3118 perms = file_mask_to_av(inode->i_mode, mask);
3119
2e334057 3120 sid = cred_sid(cred);
5d226df4
AG		 3121 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3122 if (IS_ERR(isec))
3123 return PTR_ERR(isec);
2e334057
EP		 3124
3125 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3126 audited = avc_audit_required(perms, &avd, rc,
3127 from_access ? FILE__AUDIT_ACCESS : 0,
3128 &denied);
3129 if (likely(!audited))
3130 return rc;
3131
626b9740 3132 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3133 if (rc2)
3134 return rc2;
3135 return rc;
1da177e4
LT		 3136}
3137
3138static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3139{
88e67f3b 3140 const struct cred *cred = current_cred();
bc6a6008 3141 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3142 __u32 av = FILE__WRITE;
1da177e4 3143
bc6a6008
AW		 3144 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3145 if (ia_valid & ATTR_FORCE) {
3146 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3147 ATTR_FORCE);
3148 if (!ia_valid)
3149 return 0;
3150 }
1da177e4 3151
bc6a6008
AW		 3152 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3153 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3154 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3155
44d37ad3
JVS		 3156 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3157 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3158 av |= FILE__OPEN;
3159
3160 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3161}
3162
3f7036a0 3163static int selinux_inode_getattr(const struct path *path)
1da177e4 3164{
3f7036a0 3165 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3166}
3167
8f0cfa52 3168static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3169{
88e67f3b
DH		 3170 const struct cred *cred = current_cred();
3171
b5376771
SH		 3172 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3173 sizeof XATTR_SECURITY_PREFIX - 1)) {
3174 if (!strcmp(name, XATTR_NAME_CAPS)) {
3175 if (!capable(CAP_SETFCAP))
3176 return -EPERM;
3177 } else if (!capable(CAP_SYS_ADMIN)) {
3178 /* A different attribute in the security namespace.
3179 Restrict to administrator. */
3180 return -EPERM;
3181 }
3182 }
3183
3184 /* Not an attribute we recognize, so just check the
3185 ordinary setattr permission. */
2875fa00 3186 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3187}
3188
8f0cfa52
DH		 3189static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3190 const void *value, size_t size, int flags)
1da177e4 3191{
c6f493d6 3192 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3193 struct inode_security_struct *isec;
1da177e4 3194 struct superblock_security_struct *sbsec;
2bf49690 3195 struct common_audit_data ad;
275bb41e 3196 u32 newsid, sid = current_sid();
1da177e4
LT		 3197 int rc = 0;
3198
b5376771
SH		 3199 if (strcmp(name, XATTR_NAME_SELINUX))
3200 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3201
3202 sbsec = inode->i_sb->s_security;
12f348b9 3203 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3204 return -EOPNOTSUPP;
3205
2e149670 3206 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3207 return -EPERM;
3208
50c205f5 3209 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3210 ad.u.dentry = dentry;
1da177e4 3211
20cdef8d 3212 isec = backing_inode_security(dentry);
275bb41e 3213 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3214 FILE__RELABELFROM, &ad);
3215 if (rc)
3216 return rc;
3217
52a4c640 3218 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3219 if (rc == -EINVAL) {
d6ea83ec
EP		 3220 if (!capable(CAP_MAC_ADMIN)) {
3221 struct audit_buffer *ab;
3222 size_t audit_size;
3223 const char *str;
3224
3225 /* We strip a nul only if it is at the end, otherwise the
3226 * context contains a nul and we should audit that */
e3fea3f7
AV		 3227 if (value) {
3228 str = value;
3229 if (str[size - 1] == '\0')
3230 audit_size = size - 1;
3231 else
3232 audit_size = size;
3233 } else {
3234 str = "";
3235 audit_size = 0;
3236 }
d6ea83ec
EP		 3237 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3238 audit_log_format(ab, "op=setxattr invalid_context=");
3239 audit_log_n_untrustedstring(ab, value, audit_size);
3240 audit_log_end(ab);
3241
12b29f34 3242 return rc;
d6ea83ec 3243 }
12b29f34
SS		 3244 rc = security_context_to_sid_force(value, size, &newsid);
3245 }
1da177e4
LT		 3246 if (rc)
3247 return rc;
3248
275bb41e 3249 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3250 FILE__RELABELTO, &ad);
3251 if (rc)
3252 return rc;
3253
275bb41e 3254 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3255 isec->sclass);
1da177e4
LT		 3256 if (rc)
3257 return rc;
3258
3259 return avc_has_perm(newsid,
3260 sbsec->sid,
3261 SECCLASS_FILESYSTEM,
3262 FILESYSTEM__ASSOCIATE,
3263 &ad);
3264}
3265
8f0cfa52 3266static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3267 const void *value, size_t size,
8f0cfa52 3268 int flags)
1da177e4 3269{
c6f493d6 3270 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3271 struct inode_security_struct *isec;
1da177e4
LT		 3272 u32 newsid;
3273 int rc;
3274
3275 if (strcmp(name, XATTR_NAME_SELINUX)) {
3276 /* Not an attribute we recognize, so nothing to do. */
3277 return;
3278 }
3279
12b29f34 3280 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3281 if (rc) {
12b29f34
SS		 3282 printk(KERN_ERR "SELinux: unable to map context to SID"
3283 "for (%s, %lu), rc=%d\n",
3284 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3285 return;
3286 }
3287
20cdef8d 3288 isec = backing_inode_security(dentry);
9287aed2 3289 spin_lock(&isec->lock);
aa9c2669 3290 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3291 isec->sid = newsid;
6f3be9f5 3292 isec->initialized = LABEL_INITIALIZED;
9287aed2 3293 spin_unlock(&isec->lock);
aa9c2669 3294
1da177e4
LT		 3295 return;
3296}
3297
8f0cfa52 3298static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3299{
88e67f3b
DH		 3300 const struct cred *cred = current_cred();
3301
2875fa00 3302 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3303}
3304
828dfe1d 3305static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3306{
88e67f3b
DH		 3307 const struct cred *cred = current_cred();
3308
2875fa00 3309 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3310}
3311
8f0cfa52 3312static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3313{
b5376771
SH		 3314 if (strcmp(name, XATTR_NAME_SELINUX))
3315 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3316
3317 /* No one is allowed to remove a SELinux security label.
3318 You can change the label, but all data must be labeled. */
3319 return -EACCES;
3320}
3321
d381d8a9 3322/*
abc69bb6 3323 * Copy the inode security context value to the user.
d381d8a9
JM		 3324 *
3325 * Permission check is handled by selinux_inode_getxattr hook.
3326 */
ea861dfd 3327static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3328{
42492594
DQ		 3329 u32 size;
3330 int error;
3331 char *context = NULL;
20cdef8d 3332 struct inode_security_struct *isec;
d381d8a9 3333
8c8570fb
DK		 3334 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3335 return -EOPNOTSUPP;
d381d8a9 3336
abc69bb6
SS		 3337 /*
3338 * If the caller has CAP_MAC_ADMIN, then get the raw context
3339 * value even if it is not defined by current policy; otherwise,
3340 * use the in-core value under current policy.
3341 * Use the non-auditing forms of the permission checks since
3342 * getxattr may be called by unprivileged processes commonly
3343 * and lack of permission just means that we fall back to the
3344 * in-core context value, not a denial.
3345 */
b1d9e6b0
CS		 3346 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3347 SECURITY_CAP_NOAUDIT);
3348 if (!error)
3349 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
8e4ff6f2 3350 SECURITY_CAP_NOAUDIT, true);
20cdef8d 3351 isec = inode_security(inode);
abc69bb6
SS		 3352 if (!error)
3353 error = security_sid_to_context_force(isec->sid, &context,
3354 &size);
3355 else
3356 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3357 if (error)
3358 return error;
3359 error = size;
3360 if (alloc) {
3361 *buffer = context;
3362 goto out_nofree;
3363 }
3364 kfree(context);
3365out_nofree:
3366 return error;
1da177e4
LT		 3367}
3368
3369static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3370 const void *value, size_t size, int flags)
1da177e4 3371{
2c97165b 3372 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3373 u32 newsid;
3374 int rc;
3375
3376 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3377 return -EOPNOTSUPP;
3378
3379 if (!value || !size)
3380 return -EACCES;
3381
20ba96ae 3382 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3383 if (rc)
3384 return rc;
3385
9287aed2 3386 spin_lock(&isec->lock);
aa9c2669 3387 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3388 isec->sid = newsid;
6f3be9f5 3389 isec->initialized = LABEL_INITIALIZED;
9287aed2 3390 spin_unlock(&isec->lock);
1da177e4
LT		 3391 return 0;
3392}
3393
3394static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3395{
3396 const int len = sizeof(XATTR_NAME_SELINUX);
3397 if (buffer && len <= buffer_size)
3398 memcpy(buffer, XATTR_NAME_SELINUX, len);
3399 return len;
3400}
3401
d6335d77 3402static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3403{
e817c2f3 3404 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3405 *secid = isec->sid;
3406}
3407
56909eb3
VG		 3408static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3409{
3410 u32 sid;
3411 struct task_security_struct *tsec;
3412 struct cred *new_creds = *new;
3413
3414 if (new_creds == NULL) {
3415 new_creds = prepare_creds();
3416 if (!new_creds)
3417 return -ENOMEM;
3418 }
3419
3420 tsec = new_creds->security;
3421 /* Get label from overlay inode and set it in create_sid */
3422 selinux_inode_getsecid(d_inode(src), &sid);
3423 tsec->create_sid = sid;
3424 *new = new_creds;
3425 return 0;
3426}
3427
19472b69
VG		 3428static int selinux_inode_copy_up_xattr(const char *name)
3429{
3430 /* The copy_up hook above sets the initial context on an inode, but we
3431 * don't then want to overwrite it by blindly copying all the lower
3432 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3433 */
3434 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3435 return 1; /* Discard */
3436 /*
3437 * Any other attribute apart from SELINUX is not claimed, supported
3438 * by selinux.
3439 */
3440 return -EOPNOTSUPP;
3441}
3442
1da177e4
LT		 3443/* file security operations */
3444
788e7dd4 3445static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3446{
88e67f3b 3447 const struct cred *cred = current_cred();
496ad9aa 3448 struct inode *inode = file_inode(file);
1da177e4 3449
1da177e4
LT		 3450 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3451 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3452 mask |= MAY_APPEND;
3453
389fb800
PM		 3454 return file_has_perm(cred, file,
3455 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3456}
3457
788e7dd4
YN		 3458static int selinux_file_permission(struct file *file, int mask)
3459{
496ad9aa 3460 struct inode *inode = file_inode(file);
20dda18b 3461 struct file_security_struct *fsec = file->f_security;
b197367e 3462 struct inode_security_struct *isec;
20dda18b
SS		 3463 u32 sid = current_sid();
3464
389fb800 3465 if (!mask)
788e7dd4
YN		 3466 /* No permission to check. Existence test. */
3467 return 0;
788e7dd4 3468
b197367e 3469 isec = inode_security(inode);
20dda18b
SS		 3470 if (sid == fsec->sid && fsec->isid == isec->sid &&
3471 fsec->pseqno == avc_policy_seqno())
83d49856 3472 /* No change since file_open check. */
20dda18b
SS		 3473 return 0;
3474
788e7dd4
YN		 3475 return selinux_revalidate_file_permission(file, mask);
3476}
3477
1da177e4
LT		 3478static int selinux_file_alloc_security(struct file *file)
3479{
3480 return file_alloc_security(file);
3481}
3482
3483static void selinux_file_free_security(struct file *file)
3484{
3485 file_free_security(file);
3486}
3487
fa1aa143
JVS		 3488/*
3489 * Check whether a task has the ioctl permission and cmd
3490 * operation to an inode.
3491 */
1d2a168a 3492static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3493 u32 requested, u16 cmd)
3494{
3495 struct common_audit_data ad;
3496 struct file_security_struct *fsec = file->f_security;
3497 struct inode *inode = file_inode(file);
20cdef8d 3498 struct inode_security_struct *isec;
fa1aa143
JVS		 3499 struct lsm_ioctlop_audit ioctl;
3500 u32 ssid = cred_sid(cred);
3501 int rc;
3502 u8 driver = cmd >> 8;
3503 u8 xperm = cmd & 0xff;
3504
3505 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3506 ad.u.op = &ioctl;
3507 ad.u.op->cmd = cmd;
3508 ad.u.op->path = file->f_path;
3509
3510 if (ssid != fsec->sid) {
3511 rc = avc_has_perm(ssid, fsec->sid,
3512 SECCLASS_FD,
3513 FD__USE,
3514 &ad);
3515 if (rc)
3516 goto out;
3517 }
3518
3519 if (unlikely(IS_PRIVATE(inode)))
3520 return 0;
3521
20cdef8d 3522 isec = inode_security(inode);
fa1aa143
JVS		 3523 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3524 requested, driver, xperm, &ad);
3525out:
3526 return rc;
3527}
3528
1da177e4
LT		 3529static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3530 unsigned long arg)
3531{
88e67f3b 3532 const struct cred *cred = current_cred();
0b24dcb7 3533 int error = 0;
1da177e4 3534
0b24dcb7
EP		 3535 switch (cmd) {
3536 case FIONREAD:
3537 /* fall through */
3538 case FIBMAP:
3539 /* fall through */
3540 case FIGETBSZ:
3541 /* fall through */
2f99c369 3542 case FS_IOC_GETFLAGS:
0b24dcb7 3543 /* fall through */
2f99c369 3544 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3545 error = file_has_perm(cred, file, FILE__GETATTR);
3546 break;
1da177e4 3547
2f99c369 3548 case FS_IOC_SETFLAGS:
0b24dcb7 3549 /* fall through */
2f99c369 3550 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3551 error = file_has_perm(cred, file, FILE__SETATTR);
3552 break;
3553
3554 /* sys_ioctl() checks */
3555 case FIONBIO:
3556 /* fall through */
3557 case FIOASYNC:
3558 error = file_has_perm(cred, file, 0);
3559 break;
1da177e4 3560
0b24dcb7
EP		 3561 case KDSKBENT:
3562 case KDSKBSENT:
6a9de491 3563 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3564 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3565 break;
3566
3567 /* default case assumes that the command will go
3568 * to the file's ioctl() function.
3569 */
3570 default:
fa1aa143 3571 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3572 }
3573 return error;
1da177e4
LT		 3574}
3575
fcaaade1
SS		 3576static int default_noexec;
3577
1da177e4
LT		 3578static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3579{
88e67f3b 3580 const struct cred *cred = current_cred();
d84f4f99 3581 int rc = 0;
88e67f3b 3582
fcaaade1 3583 if (default_noexec &&
892e8cac
SS		 3584 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3585 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3586 /*
3587 * We are making executable an anonymous mapping or a
3588 * private file mapping that will also be writable.
3589 * This has an additional check.
3590 */
d84f4f99 3591 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3592 if (rc)
d84f4f99 3593 goto error;
1da177e4 3594 }
1da177e4
LT		 3595
3596 if (file) {
3597 /* read access is always possible with a mapping */
3598 u32 av = FILE__READ;
3599
3600 /* write access only matters if the mapping is shared */
3601 if (shared && (prot & PROT_WRITE))
3602 av |= FILE__WRITE;
3603
3604 if (prot & PROT_EXEC)
3605 av |= FILE__EXECUTE;
3606
88e67f3b 3607 return file_has_perm(cred, file, av);
1da177e4 3608 }
d84f4f99
DH		 3609
3610error:
3611 return rc;
1da177e4
LT		 3612}
3613
e5467859 3614static int selinux_mmap_addr(unsigned long addr)
1da177e4 3615{
b1d9e6b0 3616 int rc = 0;
1da177e4 3617
a2551df7 3618 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3619 u32 sid = current_sid();
ed032189
EP		 3620 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3621 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3622 }
3623
98883bfd 3624 return rc;
e5467859 3625}
1da177e4 3626
e5467859
AV		 3627static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3628 unsigned long prot, unsigned long flags)
3629{
1da177e4
LT		 3630 if (selinux_checkreqprot)
3631 prot = reqprot;
3632
3633 return file_map_prot_check(file, prot,
3634 (flags & MAP_TYPE) == MAP_SHARED);
3635}
3636
3637static int selinux_file_mprotect(struct vm_area_struct *vma,
3638 unsigned long reqprot,
3639 unsigned long prot)
3640{
88e67f3b 3641 const struct cred *cred = current_cred();
1da177e4
LT		 3642
3643 if (selinux_checkreqprot)
3644 prot = reqprot;
3645
fcaaade1
SS		 3646 if (default_noexec &&
3647 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3648 int rc = 0;
db4c9641
SS		 3649 if (vma->vm_start >= vma->vm_mm->start_brk &&
3650 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3651 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641 3652 } else if (!vma->vm_file &&
c2316dbf
SS		 3653 ((vma->vm_start <= vma->vm_mm->start_stack &&
3654 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3655 vma_is_stack_for_current(vma))) {
3b11a1de 3656 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3657 } else if (vma->vm_file && vma->anon_vma) {
3658 /*
3659 * We are making executable a file mapping that has
3660 * had some COW done. Since pages might have been
3661 * written, check ability to execute the possibly
3662 * modified content. This typically should only
3663 * occur for text relocations.
3664 */
d84f4f99 3665 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3666 }