]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
sched/headers: Prepare for new header dependencies before moving code to <linux/sched...
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4 30#include <linux/errno.h>
3f07c014 31#include <linux/sched/signal.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
88e67f3b
DH		 213/* Allocate and free functions for each kind of security blob. */
214
1da177e4
LT		 215static int inode_alloc_security(struct inode *inode)
216{
1da177e4 217 struct inode_security_struct *isec;
275bb41e 218 u32 sid = current_sid();
1da177e4 219
a02fe132 220 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 221 if (!isec)
222 return -ENOMEM;
223
9287aed2 224 spin_lock_init(&isec->lock);
1da177e4 225 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 226 isec->inode = inode;
227 isec->sid = SECINITSID_UNLABELED;
228 isec->sclass = SECCLASS_FILE;
275bb41e 229 isec->task_sid = sid;
42059112 230 isec->initialized = LABEL_INVALID;
1da177e4
LT		 231 inode->i_security = isec;
232
233 return 0;
234}
235
5d226df4
AG		 236static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
237
238/*
239 * Try reloading inode security labels that have been marked as invalid. The
240 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 241 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 242 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
243 * when no dentry is available, set it to NULL instead.
244 */
245static int __inode_security_revalidate(struct inode *inode,
246 struct dentry *opt_dentry,
247 bool may_sleep)
248{
249 struct inode_security_struct *isec = inode->i_security;
250
251 might_sleep_if(may_sleep);
252
1ac42476 253 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 254 if (!may_sleep)
255 return -ECHILD;
256
257 /*
258 * Try reloading the inode security label. This will fail if
259 * @opt_dentry is NULL and no dentry for this inode can be
260 * found; in that case, continue using the old label.
261 */
262 inode_doinit_with_dentry(inode, opt_dentry);
263 }
264 return 0;
265}
266
5d226df4
AG		 267static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
268{
269 return inode->i_security;
270}
271
272static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
273{
274 int error;
275
276 error = __inode_security_revalidate(inode, NULL, !rcu);
277 if (error)
278 return ERR_PTR(error);
279 return inode->i_security;
280}
281
83da53c5
AG		 282/*
283 * Get the security label of an inode.
284 */
285static struct inode_security_struct *inode_security(struct inode *inode)
286{
5d226df4 287 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 288 return inode->i_security;
289}
290
2c97165b
PM		 291static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
292{
293 struct inode *inode = d_backing_inode(dentry);
294
295 return inode->i_security;
296}
297
83da53c5
AG		 298/*
299 * Get the security label of a dentry's backing inode.
300 */
301static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
302{
303 struct inode *inode = d_backing_inode(dentry);
304
5d226df4 305 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 306 return inode->i_security;
307}
308
3dc91d43
SR		 309static void inode_free_rcu(struct rcu_head *head)
310{
311 struct inode_security_struct *isec;
312
313 isec = container_of(head, struct inode_security_struct, rcu);
314 kmem_cache_free(sel_inode_cache, isec);
315}
316
1da177e4
LT		 317static void inode_free_security(struct inode *inode)
318{
319 struct inode_security_struct *isec = inode->i_security;
320 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
321
9629d04a
WL		 322 /*
323 * As not all inode security structures are in a list, we check for
324 * empty list outside of the lock to make sure that we won't waste
325 * time taking a lock doing nothing.
326 *
327 * The list_del_init() function can be safely called more than once.
328 * It should not be possible for this function to be called with
329 * concurrent list_add(), but for better safety against future changes
330 * in the code, we use list_empty_careful() here.
331 */
332 if (!list_empty_careful(&isec->list)) {
333 spin_lock(&sbsec->isec_lock);
1da177e4 334 list_del_init(&isec->list);
9629d04a
WL		 335 spin_unlock(&sbsec->isec_lock);
336 }
1da177e4 337
3dc91d43
SR		 338 /*
339 * The inode may still be referenced in a path walk and
340 * a call to selinux_inode_permission() can be made
341 * after inode_free_security() is called. Ideally, the VFS
342 * wouldn't do this, but fixing that is a much harder
343 * job. For now, simply free the i_security via RCU, and
344 * leave the current inode->i_security pointer intact.
345 * The inode will be freed after the RCU grace period too.
346 */
347 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 348}
349
350static int file_alloc_security(struct file *file)
351{
1da177e4 352 struct file_security_struct *fsec;
275bb41e 353 u32 sid = current_sid();
1da177e4 354
63205654 355 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 356 if (!fsec)
357 return -ENOMEM;
358
275bb41e
DH		 359 fsec->sid = sid;
360 fsec->fown_sid = sid;
1da177e4
LT		 361 file->f_security = fsec;
362
363 return 0;
364}
365
366static void file_free_security(struct file *file)
367{
368 struct file_security_struct *fsec = file->f_security;
1da177e4 369 file->f_security = NULL;
63205654 370 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 371}
372
373static int superblock_alloc_security(struct super_block *sb)
374{
375 struct superblock_security_struct *sbsec;
376
89d155ef 377 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 378 if (!sbsec)
379 return -ENOMEM;
380
bc7e982b 381 mutex_init(&sbsec->lock);
1da177e4
LT		 382 INIT_LIST_HEAD(&sbsec->isec_head);
383 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 384 sbsec->sb = sb;
385 sbsec->sid = SECINITSID_UNLABELED;
386 sbsec->def_sid = SECINITSID_FILE;
c312feb2 387 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 388 sb->s_security = sbsec;
389
390 return 0;
391}
392
393static void superblock_free_security(struct super_block *sb)
394{
395 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 396 sb->s_security = NULL;
397 kfree(sbsec);
398}
399
1da177e4
LT		 400/* The file system's label must be initialized prior to use. */
401
eb9ae686 402static const char *labeling_behaviors[7] = {
1da177e4
LT		 403 "uses xattr",
404 "uses transition SIDs",
405 "uses task SIDs",
406 "uses genfs_contexts",
407 "not configured for labeling",
408 "uses mountpoint labeling",
eb9ae686 409 "uses native labeling",
1da177e4
LT		 410};
411
1da177e4
LT		 412static inline int inode_doinit(struct inode *inode)
413{
414 return inode_doinit_with_dentry(inode, NULL);
415}
416
417enum {
31e87930 418 Opt_error = -1,
1da177e4
LT		 419 Opt_context = 1,
420 Opt_fscontext = 2,
c9180a57
EP		 421 Opt_defcontext = 3,
422 Opt_rootcontext = 4,
11689d47 423 Opt_labelsupport = 5,
d355987f 424 Opt_nextmntopt = 6,
1da177e4
LT		 425};
426
d355987f
EP		 427#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
428
a447c093 429static const match_table_t tokens = {
832cbd9a
EP		 430 {Opt_context, CONTEXT_STR "%s"},
431 {Opt_fscontext, FSCONTEXT_STR "%s"},
432 {Opt_defcontext, DEFCONTEXT_STR "%s"},
433 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 434 {Opt_labelsupport, LABELSUPP_STR},
31e87930 435 {Opt_error, NULL},
1da177e4
LT		 436};
437
438#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
439
c312feb2
EP		 440static int may_context_mount_sb_relabel(u32 sid,
441 struct superblock_security_struct *sbsec,
275bb41e 442 const struct cred *cred)
c312feb2 443{
275bb41e 444 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 445 int rc;
446
447 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
448 FILESYSTEM__RELABELFROM, NULL);
449 if (rc)
450 return rc;
451
452 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
453 FILESYSTEM__RELABELTO, NULL);
454 return rc;
455}
456
0808925e
EP		 457static int may_context_mount_inode_relabel(u32 sid,
458 struct superblock_security_struct *sbsec,
275bb41e 459 const struct cred *cred)
0808925e 460{
275bb41e 461 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 462 int rc;
463 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
464 FILESYSTEM__RELABELFROM, NULL);
465 if (rc)
466 return rc;
467
468 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
469 FILESYSTEM__ASSOCIATE, NULL);
470 return rc;
471}
472
b43e725d
EP		 473static int selinux_is_sblabel_mnt(struct super_block *sb)
474{
475 struct superblock_security_struct *sbsec = sb->s_security;
476
d5f3a5f6
MS		 477 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
478 sbsec->behavior == SECURITY_FS_USE_TRANS ||
479 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 480 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 481 /* Special handling. Genfs but also in-core setxattr handler */
482 !strcmp(sb->s_type->name, "sysfs") ||
1ea0ce40
AM		 483 !strcmp(sb->s_type->name, "cgroup") ||
484 !strcmp(sb->s_type->name, "cgroup2") ||
d5f3a5f6
MS		 485 !strcmp(sb->s_type->name, "pstore") ||
486 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 487 !strcmp(sb->s_type->name, "tracefs") ||
d5f3a5f6 488 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 489}
490
c9180a57 491static int sb_finish_set_opts(struct super_block *sb)
1da177e4 492{
1da177e4 493 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 494 struct dentry *root = sb->s_root;
c6f493d6 495 struct inode *root_inode = d_backing_inode(root);
c9180a57 496 int rc = 0;
1da177e4 497
c9180a57
EP		 498 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
499 /* Make sure that the xattr handler exists and that no
500 error other than -ENODATA is returned by getxattr on
501 the root directory. -ENODATA is ok, as this may be
502 the first boot of the SELinux kernel before we have
503 assigned xattr values to the filesystem. */
5d6c3191 504 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 505 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
506 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 507 rc = -EOPNOTSUPP;
508 goto out;
509 }
5d6c3191
AG		 510
511 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 512 if (rc < 0 && rc != -ENODATA) {
513 if (rc == -EOPNOTSUPP)
514 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 515 "%s) has no security xattr handler\n",
516 sb->s_id, sb->s_type->name);
c9180a57
EP		 517 else
518 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 519 "%s) getxattr errno %d\n", sb->s_id,
520 sb->s_type->name, -rc);
c9180a57
EP		 521 goto out;
522 }
523 }
1da177e4 524
c9180a57 525 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 526 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
527 sb->s_id, sb->s_type->name);
1da177e4 528
eadcabc6 529 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 530 if (selinux_is_sblabel_mnt(sb))
12f348b9 531 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 532
c9180a57
EP		 533 /* Initialize the root inode. */
534 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 535
c9180a57
EP		 536 /* Initialize any other inodes associated with the superblock, e.g.
537 inodes created prior to initial policy load or inodes created
538 during get_sb by a pseudo filesystem that directly
539 populates itself. */
540 spin_lock(&sbsec->isec_lock);
541next_inode:
542 if (!list_empty(&sbsec->isec_head)) {
543 struct inode_security_struct *isec =
544 list_entry(sbsec->isec_head.next,
545 struct inode_security_struct, list);
546 struct inode *inode = isec->inode;
923190d3 547 list_del_init(&isec->list);
c9180a57
EP		 548 spin_unlock(&sbsec->isec_lock);
549 inode = igrab(inode);
550 if (inode) {
551 if (!IS_PRIVATE(inode))
552 inode_doinit(inode);
553 iput(inode);
554 }
555 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 556 goto next_inode;
557 }
558 spin_unlock(&sbsec->isec_lock);
559out:
560 return rc;
561}
1da177e4 562
c9180a57
EP		 563/*
564 * This function should allow an FS to ask what it's mount security
565 * options were so it can use those later for submounts, displaying
566 * mount options, or whatever.
567 */
568static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 569 struct security_mnt_opts *opts)
c9180a57
EP		 570{
571 int rc = 0, i;
572 struct superblock_security_struct *sbsec = sb->s_security;
573 char *context = NULL;
574 u32 len;
575 char tmp;
1da177e4 576
e0007529 577 security_init_mnt_opts(opts);
1da177e4 578
0d90a7ec 579 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 580 return -EINVAL;
1da177e4 581
c9180a57
EP		 582 if (!ss_initialized)
583 return -EINVAL;
1da177e4 584
af8e50cc
EP		 585 /* make sure we always check enough bits to cover the mask */
586 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
587
0d90a7ec 588 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 589 /* count the number of mount options for this sb */
af8e50cc 590 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 591 if (tmp & 0x01)
e0007529 592 opts->num_mnt_opts++;
c9180a57
EP		 593 tmp >>= 1;
594 }
11689d47 595 /* Check if the Label support flag is set */
0b4bdb35 596 if (sbsec->flags & SBLABEL_MNT)
11689d47 597 opts->num_mnt_opts++;
1da177e4 598
e0007529
EP		 599 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
600 if (!opts->mnt_opts) {
c9180a57
EP		 601 rc = -ENOMEM;
602 goto out_free;
603 }
1da177e4 604
e0007529
EP		 605 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
606 if (!opts->mnt_opts_flags) {
c9180a57
EP		 607 rc = -ENOMEM;
608 goto out_free;
609 }
1da177e4 610
c9180a57
EP		 611 i = 0;
612 if (sbsec->flags & FSCONTEXT_MNT) {
613 rc = security_sid_to_context(sbsec->sid, &context, &len);
614 if (rc)
615 goto out_free;
e0007529
EP		 616 opts->mnt_opts[i] = context;
617 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 618 }
619 if (sbsec->flags & CONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
621 if (rc)
622 goto out_free;
e0007529
EP		 623 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 625 }
626 if (sbsec->flags & DEFCONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
628 if (rc)
629 goto out_free;
e0007529
EP		 630 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 632 }
633 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 634 struct dentry *root = sbsec->sb->s_root;
635 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 636
c9180a57
EP		 637 rc = security_sid_to_context(isec->sid, &context, &len);
638 if (rc)
639 goto out_free;
e0007529
EP		 640 opts->mnt_opts[i] = context;
641 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 642 }
12f348b9 643 if (sbsec->flags & SBLABEL_MNT) {
11689d47 644 opts->mnt_opts[i] = NULL;
12f348b9 645 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 646 }
1da177e4 647
e0007529 648 BUG_ON(i != opts->num_mnt_opts);
1da177e4 649
c9180a57
EP		 650 return 0;
651
652out_free:
e0007529 653 security_free_mnt_opts(opts);
c9180a57
EP		 654 return rc;
655}
1da177e4 656
c9180a57
EP		 657static int bad_option(struct superblock_security_struct *sbsec, char flag,
658 u32 old_sid, u32 new_sid)
659{
0d90a7ec
DQ		 660 char mnt_flags = sbsec->flags & SE_MNTMASK;
661
c9180a57 662 /* check if the old mount command had the same options */
0d90a7ec 663 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 664 if (!(sbsec->flags & flag) ||
665 (old_sid != new_sid))
666 return 1;
667
668 /* check if we were passed the same options twice,
669 * aka someone passed context=a,context=b
670 */
0d90a7ec
DQ		 671 if (!(sbsec->flags & SE_SBINITIALIZED))
672 if (mnt_flags & flag)
c9180a57
EP		 673 return 1;
674 return 0;
675}
e0007529 676
c9180a57
EP		 677/*
678 * Allow filesystems with binary mount data to explicitly set mount point
679 * labeling information.
680 */
e0007529 681static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 682 struct security_mnt_opts *opts,
683 unsigned long kern_flags,
684 unsigned long *set_kern_flags)
c9180a57 685{
275bb41e 686 const struct cred *cred = current_cred();
c9180a57 687 int rc = 0, i;
c9180a57 688 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 689 const char *name = sb->s_type->name;
83da53c5 690 struct dentry *root = sbsec->sb->s_root;
2c97165b 691 struct inode_security_struct *root_isec;
c9180a57
EP		 692 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
693 u32 defcontext_sid = 0;
e0007529
EP		 694 char **mount_options = opts->mnt_opts;
695 int *flags = opts->mnt_opts_flags;
696 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 697
698 mutex_lock(&sbsec->lock);
699
700 if (!ss_initialized) {
701 if (!num_opts) {
702 /* Defer initialization until selinux_complete_init,
703 after the initial policy is loaded and the security
704 server is ready to handle calls. */
c9180a57
EP		 705 goto out;
706 }
707 rc = -EINVAL;
744ba35e
EP		 708 printk(KERN_WARNING "SELinux: Unable to set superblock options "
709 "before the security server is initialized\n");
1da177e4 710 goto out;
c9180a57 711 }
649f6e77
DQ		 712 if (kern_flags && !set_kern_flags) {
713 /* Specifying internal flags without providing a place to
714 * place the results is not allowed */
715 rc = -EINVAL;
716 goto out;
717 }
1da177e4 718
e0007529
EP		 719 /*
720 * Binary mount data FS will come through this function twice. Once
721 * from an explicit call and once from the generic calls from the vfs.
722 * Since the generic VFS calls will not contain any security mount data
723 * we need to skip the double mount verification.
724 *
725 * This does open a hole in which we will not notice if the first
726 * mount using this sb set explict options and a second mount using
727 * this sb does not set any security options. (The first options
728 * will be used for both mounts)
729 */
0d90a7ec 730 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 731 && (num_opts == 0))
f5269710 732 goto out;
e0007529 733
2c97165b
PM		 734 root_isec = backing_inode_security_novalidate(root);
735
c9180a57
EP		 736 /*
737 * parse the mount options, check if they are valid sids.
738 * also check if someone is trying to mount the same sb more
739 * than once with different security options.
740 */
741 for (i = 0; i < num_opts; i++) {
742 u32 sid;
11689d47 743
12f348b9 744 if (flags[i] == SBLABEL_MNT)
11689d47 745 continue;
44be2f65 746 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 747 if (rc) {
44be2f65 748 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 749 "(%s) failed for (dev %s, type %s) errno=%d\n",
750 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 751 goto out;
752 }
753 switch (flags[i]) {
754 case FSCONTEXT_MNT:
755 fscontext_sid = sid;
756
757 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
758 fscontext_sid))
759 goto out_double_mount;
760
761 sbsec->flags |= FSCONTEXT_MNT;
762 break;
763 case CONTEXT_MNT:
764 context_sid = sid;
765
766 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
767 context_sid))
768 goto out_double_mount;
769
770 sbsec->flags |= CONTEXT_MNT;
771 break;
772 case ROOTCONTEXT_MNT:
773 rootcontext_sid = sid;
774
775 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
776 rootcontext_sid))
777 goto out_double_mount;
778
779 sbsec->flags |= ROOTCONTEXT_MNT;
780
781 break;
782 case DEFCONTEXT_MNT:
783 defcontext_sid = sid;
784
785 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
786 defcontext_sid))
787 goto out_double_mount;
788
789 sbsec->flags |= DEFCONTEXT_MNT;
790
791 break;
792 default:
793 rc = -EINVAL;
794 goto out;
1da177e4 795 }
c9180a57
EP		 796 }
797
0d90a7ec 798 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 799 /* previously mounted with options, but not on this attempt? */
0d90a7ec 800 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 801 goto out_double_mount;
802 rc = 0;
803 goto out;
804 }
805
089be43e 806 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 807 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
808
8e014720
SS		 809 if (!strcmp(sb->s_type->name, "debugfs") ||
810 !strcmp(sb->s_type->name, "sysfs") ||
811 !strcmp(sb->s_type->name, "pstore"))
134509d5 812 sbsec->flags |= SE_SBGENFS;
c9180a57 813
eb9ae686
DQ		 814 if (!sbsec->behavior) {
815 /*
816 * Determine the labeling behavior to use for this
817 * filesystem type.
818 */
98f700f3 819 rc = security_fs_use(sb);
eb9ae686
DQ		 820 if (rc) {
821 printk(KERN_WARNING
822 "%s: security_fs_use(%s) returned %d\n",
823 __func__, sb->s_type->name, rc);
824 goto out;
825 }
c9180a57 826 }
aad82892
SF		 827
828 /*
01593d32
SS		 829 * If this is a user namespace mount and the filesystem type is not
830 * explicitly whitelisted, then no contexts are allowed on the command
831 * line and security labels must be ignored.
aad82892 832 */
01593d32
SS		 833 if (sb->s_user_ns != &init_user_ns &&
834 strcmp(sb->s_type->name, "tmpfs") &&
835 strcmp(sb->s_type->name, "ramfs") &&
836 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 837 if (context_sid || fscontext_sid || rootcontext_sid ||
838 defcontext_sid) {
839 rc = -EACCES;
840 goto out;
841 }
842 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
843 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
844 rc = security_transition_sid(current_sid(), current_sid(),
845 SECCLASS_FILE, NULL,
846 &sbsec->mntpoint_sid);
847 if (rc)
848 goto out;
849 }
850 goto out_set_opts;
851 }
852
c9180a57
EP		 853 /* sets the context of the superblock for the fs being mounted. */
854 if (fscontext_sid) {
275bb41e 855 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 856 if (rc)
c9180a57 857 goto out;
1da177e4 858
c9180a57 859 sbsec->sid = fscontext_sid;
c312feb2
EP		 860 }
861
862 /*
863 * Switch to using mount point labeling behavior.
864 * sets the label used on all file below the mountpoint, and will set
865 * the superblock context if not already set.
866 */
eb9ae686
DQ		 867 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
868 sbsec->behavior = SECURITY_FS_USE_NATIVE;
869 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
870 }
871
c9180a57
EP		 872 if (context_sid) {
873 if (!fscontext_sid) {
275bb41e
DH		 874 rc = may_context_mount_sb_relabel(context_sid, sbsec,
875 cred);
b04ea3ce 876 if (rc)
c9180a57
EP		 877 goto out;
878 sbsec->sid = context_sid;
b04ea3ce 879 } else {
275bb41e
DH		 880 rc = may_context_mount_inode_relabel(context_sid, sbsec,
881 cred);
b04ea3ce 882 if (rc)
c9180a57 883 goto out;
b04ea3ce 884 }
c9180a57
EP		 885 if (!rootcontext_sid)
886 rootcontext_sid = context_sid;
1da177e4 887
c9180a57 888 sbsec->mntpoint_sid = context_sid;
c312feb2 889 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 890 }
891
c9180a57 892 if (rootcontext_sid) {
275bb41e
DH		 893 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
894 cred);
0808925e 895 if (rc)
c9180a57 896 goto out;
0808925e 897
c9180a57 898 root_isec->sid = rootcontext_sid;
6f3be9f5 899 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 900 }
901
c9180a57 902 if (defcontext_sid) {
eb9ae686
DQ		 903 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
904 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 905 rc = -EINVAL;
906 printk(KERN_WARNING "SELinux: defcontext option is "
907 "invalid for this filesystem type\n");
908 goto out;
1da177e4
LT		 909 }
910
c9180a57
EP		 911 if (defcontext_sid != sbsec->def_sid) {
912 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 913 sbsec, cred);
c9180a57
EP		 914 if (rc)
915 goto out;
916 }
1da177e4 917
c9180a57 918 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 919 }
920
aad82892 921out_set_opts:
c9180a57 922 rc = sb_finish_set_opts(sb);
1da177e4 923out:
c9180a57 924 mutex_unlock(&sbsec->lock);
1da177e4 925 return rc;
c9180a57
EP		 926out_double_mount:
927 rc = -EINVAL;
928 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 929 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 930 goto out;
1da177e4
LT		 931}
932
094f7b69
JL		 933static int selinux_cmp_sb_context(const struct super_block *oldsb,
934 const struct super_block *newsb)
935{
936 struct superblock_security_struct *old = oldsb->s_security;
937 struct superblock_security_struct *new = newsb->s_security;
938 char oldflags = old->flags & SE_MNTMASK;
939 char newflags = new->flags & SE_MNTMASK;
940
941 if (oldflags != newflags)
942 goto mismatch;
943 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
944 goto mismatch;
945 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
946 goto mismatch;
947 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
948 goto mismatch;
949 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 950 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
951 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 952 if (oldroot->sid != newroot->sid)
953 goto mismatch;
954 }
955 return 0;
956mismatch:
957 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
958 "different security settings for (dev %s, "
959 "type %s)\n", newsb->s_id, newsb->s_type->name);
960 return -EBUSY;
961}
962
963static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 964 struct super_block *newsb)
1da177e4 965{
c9180a57
EP		 966 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
967 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 968
c9180a57
EP		 969 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
970 int set_context = (oldsbsec->flags & CONTEXT_MNT);
971 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 972
0f5e6420
EP		 973 /*
974 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 975 * mount options. thus we can safely deal with this superblock later
0f5e6420 976 */
e8c26255 977 if (!ss_initialized)
094f7b69 978 return 0;
c9180a57 979
c9180a57 980 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 981 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 982
094f7b69 983 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 984 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 985 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 986
c9180a57
EP		 987 mutex_lock(&newsbsec->lock);
988
989 newsbsec->flags = oldsbsec->flags;
990
991 newsbsec->sid = oldsbsec->sid;
992 newsbsec->def_sid = oldsbsec->def_sid;
993 newsbsec->behavior = oldsbsec->behavior;
994
995 if (set_context) {
996 u32 sid = oldsbsec->mntpoint_sid;
997
998 if (!set_fscontext)
999 newsbsec->sid = sid;
1000 if (!set_rootcontext) {
83da53c5 1001 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1002 newisec->sid = sid;
1003 }
1004 newsbsec->mntpoint_sid = sid;
1da177e4 1005 }
c9180a57 1006 if (set_rootcontext) {
83da53c5
AG		 1007 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1008 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1009
c9180a57 1010 newisec->sid = oldisec->sid;
1da177e4
LT		 1011 }
1012
c9180a57
EP		 1013 sb_finish_set_opts(newsb);
1014 mutex_unlock(&newsbsec->lock);
094f7b69 1015 return 0;
c9180a57
EP		 1016}
1017
2e1479d9
AB		 1018static int selinux_parse_opts_str(char *options,
1019 struct security_mnt_opts *opts)
c9180a57 1020{
e0007529 1021 char *p;
c9180a57
EP		 1022 char *context = NULL, *defcontext = NULL;
1023 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1024 int rc, num_mnt_opts = 0;
1da177e4 1025
e0007529 1026 opts->num_mnt_opts = 0;
1da177e4 1027
c9180a57
EP		 1028 /* Standard string-based options. */
1029 while ((p = strsep(&options, "|")) != NULL) {
1030 int token;
1031 substring_t args[MAX_OPT_ARGS];
1da177e4 1032
c9180a57
EP		 1033 if (!*p)
1034 continue;
1da177e4 1035
c9180a57 1036 token = match_token(p, tokens, args);
1da177e4 1037
c9180a57
EP		 1038 switch (token) {
1039 case Opt_context:
1040 if (context || defcontext) {
1041 rc = -EINVAL;
1042 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1043 goto out_err;
1044 }
1045 context = match_strdup(&args[0]);
1046 if (!context) {
1047 rc = -ENOMEM;
1048 goto out_err;
1049 }
1050 break;
1051
1052 case Opt_fscontext:
1053 if (fscontext) {
1054 rc = -EINVAL;
1055 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1056 goto out_err;
1057 }
1058 fscontext = match_strdup(&args[0]);
1059 if (!fscontext) {
1060 rc = -ENOMEM;
1061 goto out_err;
1062 }
1063 break;
1064
1065 case Opt_rootcontext:
1066 if (rootcontext) {
1067 rc = -EINVAL;
1068 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1069 goto out_err;
1070 }
1071 rootcontext = match_strdup(&args[0]);
1072 if (!rootcontext) {
1073 rc = -ENOMEM;
1074 goto out_err;
1075 }
1076 break;
1077
1078 case Opt_defcontext:
1079 if (context || defcontext) {
1080 rc = -EINVAL;
1081 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1082 goto out_err;
1083 }
1084 defcontext = match_strdup(&args[0]);
1085 if (!defcontext) {
1086 rc = -ENOMEM;
1087 goto out_err;
1088 }
1089 break;
11689d47
DQ		 1090 case Opt_labelsupport:
1091 break;
c9180a57
EP		 1092 default:
1093 rc = -EINVAL;
1094 printk(KERN_WARNING "SELinux: unknown mount option\n");
1095 goto out_err;
1da177e4 1096
1da177e4 1097 }
1da177e4 1098 }
c9180a57 1099
e0007529 1100 rc = -ENOMEM;
8931c3bd 1101 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1102 if (!opts->mnt_opts)
1103 goto out_err;
1104
8931c3bd
TH		 1105 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1106 GFP_KERNEL);
e0007529
EP		 1107 if (!opts->mnt_opts_flags) {
1108 kfree(opts->mnt_opts);
1109 goto out_err;
1110 }
1111
c9180a57 1112 if (fscontext) {
e0007529
EP		 1113 opts->mnt_opts[num_mnt_opts] = fscontext;
1114 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1115 }
1116 if (context) {
e0007529
EP		 1117 opts->mnt_opts[num_mnt_opts] = context;
1118 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1119 }
1120 if (rootcontext) {
e0007529
EP		 1121 opts->mnt_opts[num_mnt_opts] = rootcontext;
1122 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1123 }
1124 if (defcontext) {
e0007529
EP		 1125 opts->mnt_opts[num_mnt_opts] = defcontext;
1126 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1127 }
1128
e0007529
EP		 1129 opts->num_mnt_opts = num_mnt_opts;
1130 return 0;
1131
c9180a57
EP		 1132out_err:
1133 kfree(context);
1134 kfree(defcontext);
1135 kfree(fscontext);
1136 kfree(rootcontext);
1da177e4
LT		 1137 return rc;
1138}
e0007529
EP		 1139/*
1140 * string mount options parsing and call set the sbsec
1141 */
1142static int superblock_doinit(struct super_block *sb, void *data)
1143{
1144 int rc = 0;
1145 char *options = data;
1146 struct security_mnt_opts opts;
1147
1148 security_init_mnt_opts(&opts);
1149
1150 if (!data)
1151 goto out;
1152
1153 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1154
1155 rc = selinux_parse_opts_str(options, &opts);
1156 if (rc)
1157 goto out_err;
1158
1159out:
649f6e77 1160 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1161
1162out_err:
1163 security_free_mnt_opts(&opts);
1164 return rc;
1165}
1da177e4 1166
3583a711
AB		 1167static void selinux_write_opts(struct seq_file *m,
1168 struct security_mnt_opts *opts)
2069f457
EP		 1169{
1170 int i;
1171 char *prefix;
1172
1173 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1174 char *has_comma;
1175
1176 if (opts->mnt_opts[i])
1177 has_comma = strchr(opts->mnt_opts[i], ',');
1178 else
1179 has_comma = NULL;
2069f457
EP		 1180
1181 switch (opts->mnt_opts_flags[i]) {
1182 case CONTEXT_MNT:
1183 prefix = CONTEXT_STR;
1184 break;
1185 case FSCONTEXT_MNT:
1186 prefix = FSCONTEXT_STR;
1187 break;
1188 case ROOTCONTEXT_MNT:
1189 prefix = ROOTCONTEXT_STR;
1190 break;
1191 case DEFCONTEXT_MNT:
1192 prefix = DEFCONTEXT_STR;
1193 break;
12f348b9 1194 case SBLABEL_MNT:
11689d47
DQ		 1195 seq_putc(m, ',');
1196 seq_puts(m, LABELSUPP_STR);
1197 continue;
2069f457
EP		 1198 default:
1199 BUG();
a35c6c83 1200 return;
2069f457
EP		 1201 };
1202 /* we need a comma before each option */
1203 seq_putc(m, ',');
1204 seq_puts(m, prefix);
1205 if (has_comma)
1206 seq_putc(m, '\"');
a068acf2 1207 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1208 if (has_comma)
1209 seq_putc(m, '\"');
1210 }
1211}
1212
1213static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1214{
1215 struct security_mnt_opts opts;
1216 int rc;
1217
1218 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1219 if (rc) {
1220 /* before policy load we may get EINVAL, don't show anything */
1221 if (rc == -EINVAL)
1222 rc = 0;
2069f457 1223 return rc;
383795c2 1224 }
2069f457
EP		 1225
1226 selinux_write_opts(m, &opts);
1227
1228 security_free_mnt_opts(&opts);
1229
1230 return rc;
1231}
1232
1da177e4
LT		 1233static inline u16 inode_mode_to_security_class(umode_t mode)
1234{
1235 switch (mode & S_IFMT) {
1236 case S_IFSOCK:
1237 return SECCLASS_SOCK_FILE;
1238 case S_IFLNK:
1239 return SECCLASS_LNK_FILE;
1240 case S_IFREG:
1241 return SECCLASS_FILE;
1242 case S_IFBLK:
1243 return SECCLASS_BLK_FILE;
1244 case S_IFDIR:
1245 return SECCLASS_DIR;
1246 case S_IFCHR:
1247 return SECCLASS_CHR_FILE;
1248 case S_IFIFO:
1249 return SECCLASS_FIFO_FILE;
1250
1251 }
1252
1253 return SECCLASS_FILE;
1254}
1255
13402580
JM		 1256static inline int default_protocol_stream(int protocol)
1257{
1258 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1259}
1260
1261static inline int default_protocol_dgram(int protocol)
1262{
1263 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1264}
1265
1da177e4
LT		 1266static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1267{
da69a530
SS		 1268 int extsockclass = selinux_policycap_extsockclass;
1269
1da177e4
LT		 1270 switch (family) {
1271 case PF_UNIX:
1272 switch (type) {
1273 case SOCK_STREAM:
1274 case SOCK_SEQPACKET:
1275 return SECCLASS_UNIX_STREAM_SOCKET;
1276 case SOCK_DGRAM:
1277 return SECCLASS_UNIX_DGRAM_SOCKET;
1278 }
1279 break;
1280 case PF_INET:
1281 case PF_INET6:
1282 switch (type) {
1283 case SOCK_STREAM:
da69a530 1284 case SOCK_SEQPACKET:
13402580
JM		 1285 if (default_protocol_stream(protocol))
1286 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1287 else if (extsockclass && protocol == IPPROTO_SCTP)
1288 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1289 else
1290 return SECCLASS_RAWIP_SOCKET;
1da177e4 1291 case SOCK_DGRAM:
13402580
JM		 1292 if (default_protocol_dgram(protocol))
1293 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1294 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1295 protocol == IPPROTO_ICMPV6))
da69a530 1296 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1297 else
1298 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1299 case SOCK_DCCP:
1300 return SECCLASS_DCCP_SOCKET;
13402580 1301 default:
1da177e4
LT		 1302 return SECCLASS_RAWIP_SOCKET;
1303 }
1304 break;
1305 case PF_NETLINK:
1306 switch (protocol) {
1307 case NETLINK_ROUTE:
1308 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1309 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1310 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1311 case NETLINK_NFLOG:
1312 return SECCLASS_NETLINK_NFLOG_SOCKET;
1313 case NETLINK_XFRM:
1314 return SECCLASS_NETLINK_XFRM_SOCKET;
1315 case NETLINK_SELINUX:
1316 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1317 case NETLINK_ISCSI:
1318 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1319 case NETLINK_AUDIT:
1320 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1321 case NETLINK_FIB_LOOKUP:
1322 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1323 case NETLINK_CONNECTOR:
1324 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1325 case NETLINK_NETFILTER:
1326 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1327 case NETLINK_DNRTMSG:
1328 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1329 case NETLINK_KOBJECT_UEVENT:
1330 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1331 case NETLINK_GENERIC:
1332 return SECCLASS_NETLINK_GENERIC_SOCKET;
1333 case NETLINK_SCSITRANSPORT:
1334 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1335 case NETLINK_RDMA:
1336 return SECCLASS_NETLINK_RDMA_SOCKET;
1337 case NETLINK_CRYPTO:
1338 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1339 default:
1340 return SECCLASS_NETLINK_SOCKET;
1341 }
1342 case PF_PACKET:
1343 return SECCLASS_PACKET_SOCKET;
1344 case PF_KEY:
1345 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1346 case PF_APPLETALK:
1347 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1348 }
1349
da69a530
SS		 1350 if (extsockclass) {
1351 switch (family) {
1352 case PF_AX25:
1353 return SECCLASS_AX25_SOCKET;
1354 case PF_IPX:
1355 return SECCLASS_IPX_SOCKET;
1356 case PF_NETROM:
1357 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1358 case PF_ATMPVC:
1359 return SECCLASS_ATMPVC_SOCKET;
1360 case PF_X25:
1361 return SECCLASS_X25_SOCKET;
1362 case PF_ROSE:
1363 return SECCLASS_ROSE_SOCKET;
1364 case PF_DECnet:
1365 return SECCLASS_DECNET_SOCKET;
1366 case PF_ATMSVC:
1367 return SECCLASS_ATMSVC_SOCKET;
1368 case PF_RDS:
1369 return SECCLASS_RDS_SOCKET;
1370 case PF_IRDA:
1371 return SECCLASS_IRDA_SOCKET;
1372 case PF_PPPOX:
1373 return SECCLASS_PPPOX_SOCKET;
1374 case PF_LLC:
1375 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1376 case PF_CAN:
1377 return SECCLASS_CAN_SOCKET;
1378 case PF_TIPC:
1379 return SECCLASS_TIPC_SOCKET;
1380 case PF_BLUETOOTH:
1381 return SECCLASS_BLUETOOTH_SOCKET;
1382 case PF_IUCV:
1383 return SECCLASS_IUCV_SOCKET;
1384 case PF_RXRPC:
1385 return SECCLASS_RXRPC_SOCKET;
1386 case PF_ISDN:
1387 return SECCLASS_ISDN_SOCKET;
1388 case PF_PHONET:
1389 return SECCLASS_PHONET_SOCKET;
1390 case PF_IEEE802154:
1391 return SECCLASS_IEEE802154_SOCKET;
1392 case PF_CAIF:
1393 return SECCLASS_CAIF_SOCKET;
1394 case PF_ALG:
1395 return SECCLASS_ALG_SOCKET;
1396 case PF_NFC:
1397 return SECCLASS_NFC_SOCKET;
1398 case PF_VSOCK:
1399 return SECCLASS_VSOCK_SOCKET;
1400 case PF_KCM:
1401 return SECCLASS_KCM_SOCKET;
1402 case PF_QIPCRTR:
1403 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1404 case PF_SMC:
1405 return SECCLASS_SMC_SOCKET;
1406#if PF_MAX > 44
da69a530
SS		 1407#error New address family defined, please update this function.
1408#endif
1409 }
1410 }
1411
1da177e4
LT		 1412 return SECCLASS_SOCKET;
1413}
1414
134509d5
SS		 1415static int selinux_genfs_get_sid(struct dentry *dentry,
1416 u16 tclass,
1417 u16 flags,
1418 u32 *sid)
1da177e4 1419{
8e6c9693 1420 int rc;
fc64005c 1421 struct super_block *sb = dentry->d_sb;
8e6c9693 1422 char *buffer, *path;
1da177e4 1423
828dfe1d 1424 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1425 if (!buffer)
1426 return -ENOMEM;
1427
8e6c9693
LAG		 1428 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1429 if (IS_ERR(path))
1430 rc = PTR_ERR(path);
1431 else {
134509d5
SS		 1432 if (flags & SE_SBPROC) {
1433 /* each process gets a /proc/PID/ entry. Strip off the
1434 * PID part to get a valid selinux labeling.
1435 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1436 while (path[1] >= '0' && path[1] <= '9') {
1437 path[1] = '/';
1438 path++;
1439 }
8e6c9693 1440 }
134509d5 1441 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1442 }
1da177e4
LT		 1443 free_page((unsigned long)buffer);
1444 return rc;
1445}
1da177e4
LT		 1446
1447/* The inode's security attributes must be initialized before first use. */
1448static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1449{
1450 struct superblock_security_struct *sbsec = NULL;
1451 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1452 u32 task_sid, sid = 0;
1453 u16 sclass;
1da177e4
LT		 1454 struct dentry *dentry;
1455#define INITCONTEXTLEN 255
1456 char *context = NULL;
1457 unsigned len = 0;
1458 int rc = 0;
1da177e4 1459
6f3be9f5 1460 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1461 return 0;
1da177e4 1462
9287aed2 1463 spin_lock(&isec->lock);
6f3be9f5 1464 if (isec->initialized == LABEL_INITIALIZED)
23970741 1465 goto out_unlock;
1da177e4 1466
13457d07
AG		 1467 if (isec->sclass == SECCLASS_FILE)
1468 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1469
1da177e4 1470 sbsec = inode->i_sb->s_security;
0d90a7ec 1471 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1472 /* Defer initialization until selinux_complete_init,
1473 after the initial policy is loaded and the security
1474 server is ready to handle calls. */
1475 spin_lock(&sbsec->isec_lock);
1476 if (list_empty(&isec->list))
1477 list_add(&isec->list, &sbsec->isec_head);
1478 spin_unlock(&sbsec->isec_lock);
23970741 1479 goto out_unlock;
1da177e4
LT		 1480 }
1481
9287aed2
AG		 1482 sclass = isec->sclass;
1483 task_sid = isec->task_sid;
1484 sid = isec->sid;
1485 isec->initialized = LABEL_PENDING;
1486 spin_unlock(&isec->lock);
1487
1da177e4 1488 switch (sbsec->behavior) {
eb9ae686
DQ		 1489 case SECURITY_FS_USE_NATIVE:
1490 break;
1da177e4 1491 case SECURITY_FS_USE_XATTR:
5d6c3191 1492 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1493 sid = sbsec->def_sid;
1da177e4
LT		 1494 break;
1495 }
1da177e4
LT		 1496 /* Need a dentry, since the xattr API requires one.
1497 Life would be simpler if we could just pass the inode. */
1498 if (opt_dentry) {
1499 /* Called from d_instantiate or d_splice_alias. */
1500 dentry = dget(opt_dentry);
1501 } else {
1502 /* Called from selinux_complete_init, try to find a dentry. */
1503 dentry = d_find_alias(inode);
1504 }
1505 if (!dentry) {
df7f54c0
EP		 1506 /*
1507 * this is can be hit on boot when a file is accessed
1508 * before the policy is loaded. When we load policy we
1509 * may find inodes that have no dentry on the
1510 * sbsec->isec_head list. No reason to complain as these
1511 * will get fixed up the next time we go through
1512 * inode_doinit with a dentry, before these inodes could
1513 * be used again by userspace.
1514 */
9287aed2 1515 goto out;
1da177e4
LT		 1516 }
1517
1518 len = INITCONTEXTLEN;
4cb912f1 1519 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1520 if (!context) {
1521 rc = -ENOMEM;
1522 dput(dentry);
9287aed2 1523 goto out;
1da177e4 1524 }
4cb912f1 1525 context[len] = '\0';
5d6c3191 1526 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1527 if (rc == -ERANGE) {
314dabb8
JM		 1528 kfree(context);
1529
1da177e4 1530 /* Need a larger buffer. Query for the right size. */
5d6c3191 1531 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1532 if (rc < 0) {
1533 dput(dentry);
9287aed2 1534 goto out;
1da177e4 1535 }
1da177e4 1536 len = rc;
4cb912f1 1537 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1538 if (!context) {
1539 rc = -ENOMEM;
1540 dput(dentry);
9287aed2 1541 goto out;
1da177e4 1542 }
4cb912f1 1543 context[len] = '\0';
5d6c3191 1544 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1545 }
1546 dput(dentry);
1547 if (rc < 0) {
1548 if (rc != -ENODATA) {
744ba35e 1549 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1550 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1551 -rc, inode->i_sb->s_id, inode->i_ino);
1552 kfree(context);
9287aed2 1553 goto out;
1da177e4
LT		 1554 }
1555 /* Map ENODATA to the default file SID */
1556 sid = sbsec->def_sid;
1557 rc = 0;
1558 } else {
f5c1d5b2 1559 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1560 sbsec->def_sid,
1561 GFP_NOFS);
1da177e4 1562 if (rc) {
4ba0a8ad
EP		 1563 char *dev = inode->i_sb->s_id;
1564 unsigned long ino = inode->i_ino;
1565
1566 if (rc == -EINVAL) {
1567 if (printk_ratelimit())
1568 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1569 "context=%s. This indicates you may need to relabel the inode or the "
1570 "filesystem in question.\n", ino, dev, context);
1571 } else {
1572 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1573 "returned %d for dev=%s ino=%ld\n",
1574 __func__, context, -rc, dev, ino);
1575 }
1da177e4
LT		 1576 kfree(context);
1577 /* Leave with the unlabeled SID */
1578 rc = 0;
1579 break;
1580 }
1581 }
1582 kfree(context);
1da177e4
LT		 1583 break;
1584 case SECURITY_FS_USE_TASK:
9287aed2 1585 sid = task_sid;
1da177e4
LT		 1586 break;
1587 case SECURITY_FS_USE_TRANS:
1588 /* Default to the fs SID. */
9287aed2 1589 sid = sbsec->sid;
1da177e4
LT		 1590
1591 /* Try to obtain a transition SID. */
9287aed2 1592 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1593 if (rc)
9287aed2 1594 goto out;
1da177e4 1595 break;
c312feb2 1596 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1597 sid = sbsec->mntpoint_sid;
c312feb2 1598 break;
1da177e4 1599 default:
c312feb2 1600 /* Default to the fs superblock SID. */
9287aed2 1601 sid = sbsec->sid;
1da177e4 1602
134509d5 1603 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1604 /* We must have a dentry to determine the label on
1605 * procfs inodes */
1606 if (opt_dentry)
1607 /* Called from d_instantiate or
1608 * d_splice_alias. */
1609 dentry = dget(opt_dentry);
1610 else
1611 /* Called from selinux_complete_init, try to
1612 * find a dentry. */
1613 dentry = d_find_alias(inode);
1614 /*
1615 * This can be hit on boot when a file is accessed
1616 * before the policy is loaded. When we load policy we
1617 * may find inodes that have no dentry on the
1618 * sbsec->isec_head list. No reason to complain as
1619 * these will get fixed up the next time we go through
1620 * inode_doinit() with a dentry, before these inodes
1621 * could be used again by userspace.
1622 */
1623 if (!dentry)
9287aed2
AG		 1624 goto out;
1625 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1626 sbsec->flags, &sid);
f64410ec
PM		 1627 dput(dentry);
1628 if (rc)
9287aed2 1629 goto out;
1da177e4
LT		 1630 }
1631 break;
1632 }
1633
9287aed2
AG		 1634out:
1635 spin_lock(&isec->lock);
1636 if (isec->initialized == LABEL_PENDING) {
1637 if (!sid || rc) {
1638 isec->initialized = LABEL_INVALID;
1639 goto out_unlock;
1640 }
1641
1642 isec->initialized = LABEL_INITIALIZED;
1643 isec->sid = sid;
1644 }
1da177e4 1645
23970741 1646out_unlock:
9287aed2 1647 spin_unlock(&isec->lock);
1da177e4
LT		 1648 return rc;
1649}
1650
1651/* Convert a Linux signal to an access vector. */
1652static inline u32 signal_to_av(int sig)
1653{
1654 u32 perm = 0;
1655
1656 switch (sig) {
1657 case SIGCHLD:
1658 /* Commonly granted from child to parent. */
1659 perm = PROCESS__SIGCHLD;
1660 break;
1661 case SIGKILL:
1662 /* Cannot be caught or ignored */
1663 perm = PROCESS__SIGKILL;
1664 break;
1665 case SIGSTOP:
1666 /* Cannot be caught or ignored */
1667 perm = PROCESS__SIGSTOP;
1668 break;
1669 default:
1670 /* All other signals. */
1671 perm = PROCESS__SIGNAL;
1672 break;
1673 }
1674
1675 return perm;
1676}
1677
b68e418c
SS		 1678#if CAP_LAST_CAP > 63
1679#error Fix SELinux to handle capabilities > 63.
1680#endif
1681
1da177e4 1682/* Check whether a task is allowed to use a capability. */
6a9de491 1683static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1684 int cap, int audit, bool initns)
1da177e4 1685{
2bf49690 1686 struct common_audit_data ad;
06112163 1687 struct av_decision avd;
b68e418c 1688 u16 sclass;
3699c53c 1689 u32 sid = cred_sid(cred);
b68e418c 1690 u32 av = CAP_TO_MASK(cap);
06112163 1691 int rc;
1da177e4 1692
50c205f5 1693 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1694 ad.u.cap = cap;
1695
b68e418c
SS		 1696 switch (CAP_TO_INDEX(cap)) {
1697 case 0:
8e4ff6f2 1698 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1699 break;
1700 case 1:
8e4ff6f2 1701 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1702 break;
1703 default:
1704 printk(KERN_ERR
1705 "SELinux: out of range capability %d\n", cap);
1706 BUG();
a35c6c83 1707 return -EINVAL;
b68e418c 1708 }
06112163 1709
275bb41e 1710 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1711 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1712 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1713 if (rc2)
1714 return rc2;
1715 }
06112163 1716 return rc;
1da177e4
LT		 1717}
1718
1da177e4
LT		 1719/* Check whether a task has a particular permission to an inode.
1720 The 'adp' parameter is optional and allows other audit
1721 data to be passed (e.g. the dentry). */
88e67f3b 1722static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1723 struct inode *inode,
1724 u32 perms,
19e49834 1725 struct common_audit_data *adp)
1da177e4 1726{
1da177e4 1727 struct inode_security_struct *isec;
275bb41e 1728 u32 sid;
1da177e4 1729
e0e81739
DH		 1730 validate_creds(cred);
1731
828dfe1d 1732 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1733 return 0;
1734
88e67f3b 1735 sid = cred_sid(cred);
1da177e4
LT		 1736 isec = inode->i_security;
1737
19e49834 1738 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1739}
1740
1741/* Same as inode_has_perm, but pass explicit audit data containing
1742 the dentry to help the auditing code to more easily generate the
1743 pathname if needed. */
88e67f3b 1744static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1745 struct dentry *dentry,
1746 u32 av)
1747{
c6f493d6 1748 struct inode *inode = d_backing_inode(dentry);
2bf49690 1749 struct common_audit_data ad;
88e67f3b 1750
50c205f5 1751 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1752 ad.u.dentry = dentry;
5d226df4 1753 __inode_security_revalidate(inode, dentry, true);
19e49834 1754 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1755}
1756
1757/* Same as inode_has_perm, but pass explicit audit data containing
1758 the path to help the auditing code to more easily generate the
1759 pathname if needed. */
1760static inline int path_has_perm(const struct cred *cred,
3f7036a0 1761 const struct path *path,
2875fa00
EP		 1762 u32 av)
1763{
c6f493d6 1764 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1765 struct common_audit_data ad;
1766
50c205f5 1767 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1768 ad.u.path = *path;
5d226df4 1769 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1770 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1771}
1772
13f8e981
DH		 1773/* Same as path_has_perm, but uses the inode from the file struct. */
1774static inline int file_path_has_perm(const struct cred *cred,
1775 struct file *file,
1776 u32 av)
1777{
1778 struct common_audit_data ad;
1779
43af5de7
VG		 1780 ad.type = LSM_AUDIT_DATA_FILE;
1781 ad.u.file = file;
19e49834 1782 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1783}
1784
1da177e4
LT		 1785/* Check whether a task can use an open file descriptor to
1786 access an inode in a given way. Check access to the
1787 descriptor itself, and then use dentry_has_perm to
1788 check a particular permission to the file.
1789 Access to the descriptor is implicitly granted if it
1790 has the same SID as the process. If av is zero, then
1791 access to the file is not checked, e.g. for cases
1792 where only the descriptor is affected like seek. */
88e67f3b
DH		 1793static int file_has_perm(const struct cred *cred,
1794 struct file *file,
1795 u32 av)
1da177e4 1796{
1da177e4 1797 struct file_security_struct *fsec = file->f_security;
496ad9aa 1798 struct inode *inode = file_inode(file);
2bf49690 1799 struct common_audit_data ad;
88e67f3b 1800 u32 sid = cred_sid(cred);
1da177e4
LT		 1801 int rc;
1802
43af5de7
VG		 1803 ad.type = LSM_AUDIT_DATA_FILE;
1804 ad.u.file = file;
1da177e4 1805
275bb41e
DH		 1806 if (sid != fsec->sid) {
1807 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1808 SECCLASS_FD,
1809 FD__USE,
1810 &ad);
1811 if (rc)
88e67f3b 1812 goto out;
1da177e4
LT		 1813 }
1814
1815 /* av is zero if only checking access to the descriptor. */
88e67f3b 1816 rc = 0;
1da177e4 1817 if (av)
19e49834 1818 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1819
88e67f3b
DH		 1820out:
1821 return rc;
1da177e4
LT		 1822}
1823
c3c188b2
DH		 1824/*
1825 * Determine the label for an inode that might be unioned.
1826 */
c957f6df
VG		 1827static int
1828selinux_determine_inode_label(const struct task_security_struct *tsec,
1829 struct inode *dir,
1830 const struct qstr *name, u16 tclass,
1831 u32 *_new_isid)
c3c188b2
DH		 1832{
1833 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1834
1835 if ((sbsec->flags & SE_SBINITIALIZED) &&
1836 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1837 *_new_isid = sbsec->mntpoint_sid;
1838 } else if ((sbsec->flags & SBLABEL_MNT) &&
1839 tsec->create_sid) {
1840 *_new_isid = tsec->create_sid;
1841 } else {
20cdef8d 1842 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1843 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1844 name, _new_isid);
1845 }
1846
1847 return 0;
1848}
1849
1da177e4
LT		 1850/* Check whether a task can create a file. */
1851static int may_create(struct inode *dir,
1852 struct dentry *dentry,
1853 u16 tclass)
1854{
5fb49870 1855 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1856 struct inode_security_struct *dsec;
1857 struct superblock_security_struct *sbsec;
275bb41e 1858 u32 sid, newsid;
2bf49690 1859 struct common_audit_data ad;
1da177e4
LT		 1860 int rc;
1861
83da53c5 1862 dsec = inode_security(dir);
1da177e4
LT		 1863 sbsec = dir->i_sb->s_security;
1864
275bb41e 1865 sid = tsec->sid;
275bb41e 1866
50c205f5 1867 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1868 ad.u.dentry = dentry;
1da177e4 1869
275bb41e 1870 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1871 DIR__ADD_NAME | DIR__SEARCH,
1872 &ad);
1873 if (rc)
1874 return rc;
1875
c957f6df
VG		 1876 rc = selinux_determine_inode_label(current_security(), dir,
1877 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1878 if (rc)
1879 return rc;
1da177e4 1880
275bb41e 1881 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1882 if (rc)
1883 return rc;
1884
1885 return avc_has_perm(newsid, sbsec->sid,
1886 SECCLASS_FILESYSTEM,
1887 FILESYSTEM__ASSOCIATE, &ad);
1888}
1889
828dfe1d
EP		 1890#define MAY_LINK 0
1891#define MAY_UNLINK 1
1892#define MAY_RMDIR 2
1da177e4
LT		 1893
1894/* Check whether a task can link, unlink, or rmdir a file/directory. */
1895static int may_link(struct inode *dir,
1896 struct dentry *dentry,
1897 int kind)
1898
1899{
1da177e4 1900 struct inode_security_struct *dsec, *isec;
2bf49690 1901 struct common_audit_data ad;
275bb41e 1902 u32 sid = current_sid();
1da177e4
LT		 1903 u32 av;
1904 int rc;
1905
83da53c5
AG		 1906 dsec = inode_security(dir);
1907 isec = backing_inode_security(dentry);
1da177e4 1908
50c205f5 1909 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1910 ad.u.dentry = dentry;
1da177e4
LT		 1911
1912 av = DIR__SEARCH;
1913 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1914 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1915 if (rc)
1916 return rc;
1917
1918 switch (kind) {
1919 case MAY_LINK:
1920 av = FILE__LINK;
1921 break;
1922 case MAY_UNLINK:
1923 av = FILE__UNLINK;
1924 break;
1925 case MAY_RMDIR:
1926 av = DIR__RMDIR;
1927 break;
1928 default:
744ba35e
EP		 1929 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1930 __func__, kind);
1da177e4
LT		 1931 return 0;
1932 }
1933
275bb41e 1934 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1935 return rc;
1936}
1937
1938static inline int may_rename(struct inode *old_dir,
1939 struct dentry *old_dentry,
1940 struct inode *new_dir,
1941 struct dentry *new_dentry)
1942{
1da177e4 1943 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1944 struct common_audit_data ad;
275bb41e 1945 u32 sid = current_sid();
1da177e4
LT		 1946 u32 av;
1947 int old_is_dir, new_is_dir;
1948 int rc;
1949
83da53c5
AG		 1950 old_dsec = inode_security(old_dir);
1951 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1952 old_is_dir = d_is_dir(old_dentry);
83da53c5 1953 new_dsec = inode_security(new_dir);
1da177e4 1954
50c205f5 1955 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1956
a269434d 1957 ad.u.dentry = old_dentry;
275bb41e 1958 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1959 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1960 if (rc)
1961 return rc;
275bb41e 1962 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1963 old_isec->sclass, FILE__RENAME, &ad);
1964 if (rc)
1965 return rc;
1966 if (old_is_dir && new_dir != old_dir) {
275bb41e 1967 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1968 old_isec->sclass, DIR__REPARENT, &ad);
1969 if (rc)
1970 return rc;
1971 }
1972
a269434d 1973 ad.u.dentry = new_dentry;
1da177e4 1974 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1975 if (d_is_positive(new_dentry))
1da177e4 1976 av |= DIR__REMOVE_NAME;
275bb41e 1977 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1978 if (rc)
1979 return rc;
2c616d4d 1980 if (d_is_positive(new_dentry)) {
83da53c5 1981 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1982 new_is_dir = d_is_dir(new_dentry);
275bb41e 1983 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1984 new_isec->sclass,
1985 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1986 if (rc)
1987 return rc;
1988 }
1989
1990 return 0;
1991}
1992
1993/* Check whether a task can perform a filesystem operation. */
88e67f3b 1994static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1995 struct super_block *sb,
1996 u32 perms,
2bf49690 1997 struct common_audit_data *ad)
1da177e4 1998{
1da177e4 1999 struct superblock_security_struct *sbsec;
88e67f3b 2000 u32 sid = cred_sid(cred);
1da177e4 2001
1da177e4 2002 sbsec = sb->s_security;
275bb41e 2003 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2004}
2005
2006/* Convert a Linux mode and permission mask to an access vector. */
2007static inline u32 file_mask_to_av(int mode, int mask)
2008{
2009 u32 av = 0;
2010
dba19c60 2011 if (!S_ISDIR(mode)) {
1da177e4
LT		 2012 if (mask & MAY_EXEC)
2013 av |= FILE__EXECUTE;
2014 if (mask & MAY_READ)
2015 av |= FILE__READ;
2016
2017 if (mask & MAY_APPEND)
2018 av |= FILE__APPEND;
2019 else if (mask & MAY_WRITE)
2020 av |= FILE__WRITE;
2021
2022 } else {
2023 if (mask & MAY_EXEC)
2024 av |= DIR__SEARCH;
2025 if (mask & MAY_WRITE)
2026 av |= DIR__WRITE;
2027 if (mask & MAY_READ)
2028 av |= DIR__READ;
2029 }
2030
2031 return av;
2032}
2033
8b6a5a37
EP		 2034/* Convert a Linux file to an access vector. */
2035static inline u32 file_to_av(struct file *file)
2036{
2037 u32 av = 0;
2038
2039 if (file->f_mode & FMODE_READ)
2040 av |= FILE__READ;
2041 if (file->f_mode & FMODE_WRITE) {
2042 if (file->f_flags & O_APPEND)
2043 av |= FILE__APPEND;
2044 else
2045 av |= FILE__WRITE;
2046 }
2047 if (!av) {
2048 /*
2049 * Special file opened with flags 3 for ioctl-only use.
2050 */
2051 av = FILE__IOCTL;
2052 }
2053
2054 return av;
2055}
2056
b0c636b9 2057/*
8b6a5a37 2058 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2059 * open permission.
2060 */
8b6a5a37 2061static inline u32 open_file_to_av(struct file *file)
b0c636b9 2062{
8b6a5a37 2063 u32 av = file_to_av(file);
b0c636b9 2064
49b7b8de
EP		 2065 if (selinux_policycap_openperm)
2066 av |= FILE__OPEN;
2067
b0c636b9
EP		 2068 return av;
2069}
2070
1da177e4
LT		 2071/* Hook functions begin here. */
2072
79af7307
SS		 2073static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2074{
2075 u32 mysid = current_sid();
2076 u32 mgrsid = task_sid(mgr);
2077
2078 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2079 BINDER__SET_CONTEXT_MGR, NULL);
2080}
2081
2082static int selinux_binder_transaction(struct task_struct *from,
2083 struct task_struct *to)
2084{
2085 u32 mysid = current_sid();
2086 u32 fromsid = task_sid(from);
2087 u32 tosid = task_sid(to);
2088 int rc;
2089
2090 if (mysid != fromsid) {
2091 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2092 BINDER__IMPERSONATE, NULL);
2093 if (rc)
2094 return rc;
2095 }
2096
2097 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2098 NULL);
2099}
2100
2101static int selinux_binder_transfer_binder(struct task_struct *from,
2102 struct task_struct *to)
2103{
2104 u32 fromsid = task_sid(from);
2105 u32 tosid = task_sid(to);
2106
2107 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2108 NULL);
2109}
2110
2111static int selinux_binder_transfer_file(struct task_struct *from,
2112 struct task_struct *to,
2113 struct file *file)
2114{
2115 u32 sid = task_sid(to);
2116 struct file_security_struct *fsec = file->f_security;
83da53c5 2117 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2118 struct inode_security_struct *isec;
79af7307
SS		 2119 struct common_audit_data ad;
2120 int rc;
2121
2122 ad.type = LSM_AUDIT_DATA_PATH;
2123 ad.u.path = file->f_path;
2124
2125 if (sid != fsec->sid) {
2126 rc = avc_has_perm(sid, fsec->sid,
2127 SECCLASS_FD,
2128 FD__USE,
2129 &ad);
2130 if (rc)
2131 return rc;
2132 }
2133
83da53c5 2134 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2135 return 0;
2136
20cdef8d 2137 isec = backing_inode_security(dentry);
79af7307
SS		 2138 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2139 &ad);
2140}
2141
9e48858f 2142static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2143 unsigned int mode)
1da177e4 2144{
be0554c9
SS		 2145 u32 sid = current_sid();
2146 u32 csid = task_sid(child);
2147
2148 if (mode & PTRACE_MODE_READ)
275bb41e 2149 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2150
be0554c9 2151 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2152}
2153
2154static int selinux_ptrace_traceme(struct task_struct *parent)
2155{
be0554c9
SS		 2156 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2157 PROCESS__PTRACE, NULL);
1da177e4
LT		 2158}
2159
2160static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2161 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2162{
be0554c9
SS		 2163 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2164 PROCESS__GETCAP, NULL);
1da177e4
LT		 2165}
2166
d84f4f99
DH		 2167static int selinux_capset(struct cred *new, const struct cred *old,
2168 const kernel_cap_t *effective,
2169 const kernel_cap_t *inheritable,
2170 const kernel_cap_t *permitted)
1da177e4 2171{
be0554c9
SS		 2172 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2173 PROCESS__SETCAP, NULL);
1da177e4
LT		 2174}
2175
5626d3e8
JM		 2176/*
2177 * (This comment used to live with the selinux_task_setuid hook,
2178 * which was removed).
2179 *
2180 * Since setuid only affects the current process, and since the SELinux
2181 * controls are not based on the Linux identity attributes, SELinux does not
2182 * need to control this operation. However, SELinux does control the use of
2183 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2184 */
2185
6a9de491
EP		 2186static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2187 int cap, int audit)
1da177e4 2188{
8e4ff6f2 2189 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2190}
2191
1da177e4
LT		 2192static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2193{
88e67f3b 2194 const struct cred *cred = current_cred();
1da177e4
LT		 2195 int rc = 0;
2196
2197 if (!sb)
2198 return 0;
2199
2200 switch (cmds) {
828dfe1d
EP		 2201 case Q_SYNC:
2202 case Q_QUOTAON:
2203 case Q_QUOTAOFF:
2204 case Q_SETINFO:
2205 case Q_SETQUOTA:
88e67f3b 2206 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2207 break;
2208 case Q_GETFMT:
2209 case Q_GETINFO:
2210 case Q_GETQUOTA:
88e67f3b 2211 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2212 break;
2213 default:
2214 rc = 0; /* let the kernel handle invalid cmds */
2215 break;
1da177e4
LT		 2216 }
2217 return rc;
2218}
2219
2220static int selinux_quota_on(struct dentry *dentry)
2221{
88e67f3b
DH		 2222 const struct cred *cred = current_cred();
2223
2875fa00 2224 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2225}
2226
12b3052c 2227static int selinux_syslog(int type)
1da177e4 2228{
1da177e4 2229 switch (type) {
d78ca3cd
KC		 2230 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2231 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2232 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2233 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2234 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2235 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2236 /* Set level of messages printed to console */
2237 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2238 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2239 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2240 NULL);
1da177e4 2241 }
be0554c9
SS		 2242 /* All other syslog types */
2243 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2244 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2245}
2246
2247/*
2248 * Check that a process has enough memory to allocate a new virtual
2249 * mapping. 0 means there is enough memory for the allocation to
2250 * succeed and -ENOMEM implies there is not.
2251 *
1da177e4
LT		 2252 * Do not audit the selinux permission check, as this is applied to all
2253 * processes that allocate mappings.
2254 */
34b4e4aa 2255static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2256{
2257 int rc, cap_sys_admin = 0;
1da177e4 2258
b1d9e6b0 2259 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2260 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2261 if (rc == 0)
2262 cap_sys_admin = 1;
2263
b1d9e6b0 2264 return cap_sys_admin;
1da177e4
LT		 2265}
2266
2267/* binprm security operations */
2268
be0554c9 2269static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2270{
2271 u32 sid = 0;
2272 struct task_struct *tracer;
2273
2274 rcu_read_lock();
be0554c9 2275 tracer = ptrace_parent(current);
0c6181cb
PM		 2276 if (tracer)
2277 sid = task_sid(tracer);
2278 rcu_read_unlock();
2279
2280 return sid;
2281}
2282
7b0d0b40
SS		 2283static int check_nnp_nosuid(const struct linux_binprm *bprm,
2284 const struct task_security_struct *old_tsec,
2285 const struct task_security_struct *new_tsec)
2286{
2287 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
380cf5ba 2288 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
7b0d0b40
SS		 2289 int rc;
2290
2291 if (!nnp && !nosuid)
2292 return 0; /* neither NNP nor nosuid */
2293
2294 if (new_tsec->sid == old_tsec->sid)
2295 return 0; /* No change in credentials */
2296
2297 /*
2298 * The only transitions we permit under NNP or nosuid
2299 * are transitions to bounded SIDs, i.e. SIDs that are
2300 * guaranteed to only be allowed a subset of the permissions
2301 * of the current SID.
2302 */
2303 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2304 if (rc) {
2305 /*
2306 * On failure, preserve the errno values for NNP vs nosuid.
2307 * NNP: Operation not permitted for caller.
2308 * nosuid: Permission denied to file.
2309 */
2310 if (nnp)
2311 return -EPERM;
2312 else
2313 return -EACCES;
2314 }
2315 return 0;
2316}
2317
a6f76f23 2318static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2319{
a6f76f23
DH		 2320 const struct task_security_struct *old_tsec;
2321 struct task_security_struct *new_tsec;
1da177e4 2322 struct inode_security_struct *isec;
2bf49690 2323 struct common_audit_data ad;
496ad9aa 2324 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2325 int rc;
2326
a6f76f23
DH		 2327 /* SELinux context only depends on initial program or script and not
2328 * the script interpreter */
2329 if (bprm->cred_prepared)
1da177e4
LT		 2330 return 0;
2331
a6f76f23
DH		 2332 old_tsec = current_security();
2333 new_tsec = bprm->cred->security;
83da53c5 2334 isec = inode_security(inode);
1da177e4
LT		 2335
2336 /* Default to the current task SID. */
a6f76f23
DH		 2337 new_tsec->sid = old_tsec->sid;
2338 new_tsec->osid = old_tsec->sid;
1da177e4 2339
28eba5bf 2340 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2341 new_tsec->create_sid = 0;
2342 new_tsec->keycreate_sid = 0;
2343 new_tsec->sockcreate_sid = 0;
1da177e4 2344
a6f76f23
DH		 2345 if (old_tsec->exec_sid) {
2346 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2347 /* Reset exec SID on execve. */
a6f76f23 2348 new_tsec->exec_sid = 0;
259e5e6c 2349
7b0d0b40
SS		 2350 /* Fail on NNP or nosuid if not an allowed transition. */
2351 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2352 if (rc)
2353 return rc;
1da177e4
LT		 2354 } else {
2355 /* Check for a default transition on this program. */
a6f76f23 2356 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2357 SECCLASS_PROCESS, NULL,
2358 &new_tsec->sid);
1da177e4
LT		 2359 if (rc)
2360 return rc;
7b0d0b40
SS		 2361
2362 /*
2363 * Fallback to old SID on NNP or nosuid if not an allowed
2364 * transition.
2365 */
2366 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2367 if (rc)
2368 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2369 }
2370
43af5de7
VG		 2371 ad.type = LSM_AUDIT_DATA_FILE;
2372 ad.u.file = bprm->file;
1da177e4 2373
a6f76f23
DH		 2374 if (new_tsec->sid == old_tsec->sid) {
2375 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2376 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2377 if (rc)
2378 return rc;
2379 } else {
2380 /* Check permissions for the transition. */
a6f76f23 2381 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2382 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2383 if (rc)
2384 return rc;
2385
a6f76f23 2386 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2387 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2388 if (rc)
2389 return rc;
2390
a6f76f23
DH		 2391 /* Check for shared state */
2392 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2393 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2394 SECCLASS_PROCESS, PROCESS__SHARE,
2395 NULL);
2396 if (rc)
2397 return -EPERM;
2398 }
2399
2400 /* Make sure that anyone attempting to ptrace over a task that
2401 * changes its SID has the appropriate permit */
9227dd2a 2402 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2403 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2404 if (ptsid != 0) {
2405 rc = avc_has_perm(ptsid, new_tsec->sid,
2406 SECCLASS_PROCESS,
2407 PROCESS__PTRACE, NULL);
2408 if (rc)
2409 return -EPERM;
2410 }
2411 }
1da177e4 2412
a6f76f23
DH		 2413 /* Clear any possibly unsafe personality bits on exec: */
2414 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2415 }
2416
1da177e4
LT		 2417 return 0;
2418}
2419
828dfe1d 2420static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2421{
5fb49870 2422 const struct task_security_struct *tsec = current_security();
275bb41e 2423 u32 sid, osid;
1da177e4
LT		 2424 int atsecure = 0;
2425
275bb41e
DH		 2426 sid = tsec->sid;
2427 osid = tsec->osid;
2428
2429 if (osid != sid) {
1da177e4
LT		 2430 /* Enable secure mode for SIDs transitions unless
2431 the noatsecure permission is granted between
2432 the two SIDs, i.e. ahp returns 0. */
275bb41e 2433 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2434 SECCLASS_PROCESS,
2435 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2436 }
2437
b1d9e6b0 2438 return !!atsecure;
1da177e4
LT		 2439}
2440
c3c073f8
AV		 2441static int match_file(const void *p, struct file *file, unsigned fd)
2442{
2443 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2444}
2445
1da177e4 2446/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2447static inline void flush_unauthorized_files(const struct cred *cred,
2448 struct files_struct *files)
1da177e4 2449{
1da177e4 2450 struct file *file, *devnull = NULL;
b20c8122 2451 struct tty_struct *tty;
24ec839c 2452 int drop_tty = 0;
c3c073f8 2453 unsigned n;
1da177e4 2454
24ec839c 2455 tty = get_current_tty();
1da177e4 2456 if (tty) {
4a510969 2457 spin_lock(&tty->files_lock);
37dd0bd0 2458 if (!list_empty(&tty->tty_files)) {
d996b62a 2459 struct tty_file_private *file_priv;
37dd0bd0 2460
1da177e4 2461 /* Revalidate access to controlling tty.
13f8e981
DH		 2462 Use file_path_has_perm on the tty path directly
2463 rather than using file_has_perm, as this particular
2464 open file may belong to another process and we are
2465 only interested in the inode-based check here. */
d996b62a
NP		 2466 file_priv = list_first_entry(&tty->tty_files,
2467 struct tty_file_private, list);
2468 file = file_priv->file;
13f8e981 2469 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2470 drop_tty = 1;
1da177e4 2471 }
4a510969 2472 spin_unlock(&tty->files_lock);
452a00d2 2473 tty_kref_put(tty);
1da177e4 2474 }
98a27ba4
EB		 2475 /* Reset controlling tty. */
2476 if (drop_tty)
2477 no_tty();
1da177e4
LT		 2478
2479 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2480 n = iterate_fd(files, 0, match_file, cred);
2481 if (!n) /* none found? */
2482 return;
1da177e4 2483
c3c073f8 2484 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2485 if (IS_ERR(devnull))
2486 devnull = NULL;
2487 /* replace all the matching ones with this */
2488 do {
2489 replace_fd(n - 1, devnull, 0);
2490 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2491 if (devnull)
c3c073f8 2492 fput(devnull);
1da177e4
LT		 2493}
2494
a6f76f23
DH		 2495/*
2496 * Prepare a process for imminent new credential changes due to exec
2497 */
2498static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2499{
a6f76f23
DH		 2500 struct task_security_struct *new_tsec;
2501 struct rlimit *rlim, *initrlim;
2502 int rc, i;
d84f4f99 2503
a6f76f23
DH		 2504 new_tsec = bprm->cred->security;
2505 if (new_tsec->sid == new_tsec->osid)
2506 return;
1da177e4 2507
a6f76f23
DH		 2508 /* Close files for which the new task SID is not authorized. */
2509 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2510
a6f76f23
DH		 2511 /* Always clear parent death signal on SID transitions. */
2512 current->pdeath_signal = 0;
0356357c 2513
a6f76f23
DH		 2514 /* Check whether the new SID can inherit resource limits from the old
2515 * SID. If not, reset all soft limits to the lower of the current
2516 * task's hard limit and the init task's soft limit.
2517 *
2518 * Note that the setting of hard limits (even to lower them) can be
2519 * controlled by the setrlimit check. The inclusion of the init task's
2520 * soft limit into the computation is to avoid resetting soft limits
2521 * higher than the default soft limit for cases where the default is
2522 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2523 */
2524 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2525 PROCESS__RLIMITINH, NULL);
2526 if (rc) {
eb2d55a3
ON		 2527 /* protect against do_prlimit() */
2528 task_lock(current);
a6f76f23
DH		 2529 for (i = 0; i < RLIM_NLIMITS; i++) {
2530 rlim = current->signal->rlim + i;
2531 initrlim = init_task.signal->rlim + i;
2532 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2533 }
eb2d55a3 2534 task_unlock(current);
baa73d9e
NP		 2535 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2536 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2537 }
2538}
2539
2540/*
a6f76f23
DH		 2541 * Clean up the process immediately after the installation of new credentials
2542 * due to exec
1da177e4 2543 */
a6f76f23 2544static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2545{
a6f76f23 2546 const struct task_security_struct *tsec = current_security();
1da177e4 2547 struct itimerval itimer;
a6f76f23 2548 u32 osid, sid;
1da177e4
LT		 2549 int rc, i;
2550
a6f76f23
DH		 2551 osid = tsec->osid;
2552 sid = tsec->sid;
2553
2554 if (sid == osid)
1da177e4
LT		 2555 return;
2556
a6f76f23
DH		 2557 /* Check whether the new SID can inherit signal state from the old SID.
2558 * If not, clear itimers to avoid subsequent signal generation and
2559 * flush and unblock signals.
2560 *
2561 * This must occur _after_ the task SID has been updated so that any
2562 * kill done after the flush will be checked against the new SID.
2563 */
2564 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2565 if (rc) {
baa73d9e
NP		 2566 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2567 memset(&itimer, 0, sizeof itimer);
2568 for (i = 0; i < 3; i++)
2569 do_setitimer(i, &itimer, NULL);
2570 }
1da177e4 2571 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2572 if (!fatal_signal_pending(current)) {
2573 flush_sigqueue(&current->pending);
2574 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2575 flush_signal_handlers(current, 1);
2576 sigemptyset(&current->blocked);
9e7c8f8c 2577 recalc_sigpending();
3bcac026 2578 }
1da177e4
LT		 2579 spin_unlock_irq(&current->sighand->siglock);
2580 }
2581
a6f76f23
DH		 2582 /* Wake up the parent if it is waiting so that it can recheck
2583 * wait permission to the new task SID. */
ecd6de3c 2584 read_lock(&tasklist_lock);
0b7570e7 2585 __wake_up_parent(current, current->real_parent);
ecd6de3c 2586 read_unlock(&tasklist_lock);
1da177e4
LT		 2587}
2588
2589/* superblock security operations */
2590
2591static int selinux_sb_alloc_security(struct super_block *sb)
2592{
2593 return superblock_alloc_security(sb);
2594}
2595
2596static void selinux_sb_free_security(struct super_block *sb)
2597{
2598 superblock_free_security(sb);
2599}
2600
2601static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2602{
2603 if (plen > olen)
2604 return 0;
2605
2606 return !memcmp(prefix, option, plen);
2607}
2608
2609static inline int selinux_option(char *option, int len)
2610{
832cbd9a
EP		 2611 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2612 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2613 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2614 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2615 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2616}
2617
2618static inline void take_option(char **to, char *from, int *first, int len)
2619{
2620 if (!*first) {
2621 **to = ',';
2622 *to += 1;
3528a953 2623 } else
1da177e4
LT		 2624 *first = 0;
2625 memcpy(*to, from, len);
2626 *to += len;
2627}
2628
828dfe1d
EP		 2629static inline void take_selinux_option(char **to, char *from, int *first,
2630 int len)
3528a953
CO		 2631{
2632 int current_size = 0;
2633
2634 if (!*first) {
2635 **to = '|';
2636 *to += 1;
828dfe1d 2637 } else
3528a953
CO		 2638 *first = 0;
2639
2640 while (current_size < len) {
2641 if (*from != '"') {
2642 **to = *from;
2643 *to += 1;
2644 }
2645 from += 1;
2646 current_size += 1;
2647 }
2648}
2649
e0007529 2650static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2651{
2652 int fnosec, fsec, rc = 0;
2653 char *in_save, *in_curr, *in_end;
2654 char *sec_curr, *nosec_save, *nosec;
3528a953 2655 int open_quote = 0;
1da177e4
LT		 2656
2657 in_curr = orig;
2658 sec_curr = copy;
2659
1da177e4
LT		 2660 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2661 if (!nosec) {
2662 rc = -ENOMEM;
2663 goto out;
2664 }
2665
2666 nosec_save = nosec;
2667 fnosec = fsec = 1;
2668 in_save = in_end = orig;
2669
2670 do {
3528a953
CO		 2671 if (*in_end == '"')
2672 open_quote = !open_quote;
2673 if ((*in_end == ',' && open_quote == 0) ||
2674 *in_end == '\0') {
1da177e4
LT		 2675 int len = in_end - in_curr;
2676
2677 if (selinux_option(in_curr, len))
3528a953 2678 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2679 else
2680 take_option(&nosec, in_curr, &fnosec, len);
2681
2682 in_curr = in_end + 1;
2683 }
2684 } while (*in_end++);
2685
6931dfc9 2686 strcpy(in_save, nosec_save);
da3caa20 2687 free_page((unsigned long)nosec_save);
1da177e4
LT		 2688out:
2689 return rc;
2690}
2691
026eb167
EP		 2692static int selinux_sb_remount(struct super_block *sb, void *data)
2693{
2694 int rc, i, *flags;
2695 struct security_mnt_opts opts;
2696 char *secdata, **mount_options;
2697 struct superblock_security_struct *sbsec = sb->s_security;
2698
2699 if (!(sbsec->flags & SE_SBINITIALIZED))
2700 return 0;
2701
2702 if (!data)
2703 return 0;
2704
2705 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2706 return 0;
2707
2708 security_init_mnt_opts(&opts);
2709 secdata = alloc_secdata();
2710 if (!secdata)
2711 return -ENOMEM;
2712 rc = selinux_sb_copy_data(data, secdata);
2713 if (rc)
2714 goto out_free_secdata;
2715
2716 rc = selinux_parse_opts_str(secdata, &opts);
2717 if (rc)
2718 goto out_free_secdata;
2719
2720 mount_options = opts.mnt_opts;
2721 flags = opts.mnt_opts_flags;
2722
2723 for (i = 0; i < opts.num_mnt_opts; i++) {
2724 u32 sid;
026eb167 2725
12f348b9 2726 if (flags[i] == SBLABEL_MNT)
026eb167 2727 continue;
44be2f65 2728 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2729 if (rc) {
44be2f65 2730 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2731 "(%s) failed for (dev %s, type %s) errno=%d\n",
2732 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2733 goto out_free_opts;
2734 }
2735 rc = -EINVAL;
2736 switch (flags[i]) {
2737 case FSCONTEXT_MNT:
2738 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2739 goto out_bad_option;
2740 break;
2741 case CONTEXT_MNT:
2742 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2743 goto out_bad_option;
2744 break;
2745 case ROOTCONTEXT_MNT: {
2746 struct inode_security_struct *root_isec;
83da53c5 2747 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2748
2749 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2750 goto out_bad_option;
2751 break;
2752 }
2753 case DEFCONTEXT_MNT:
2754 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2755 goto out_bad_option;
2756 break;
2757 default:
2758 goto out_free_opts;
2759 }
2760 }
2761
2762 rc = 0;
2763out_free_opts:
2764 security_free_mnt_opts(&opts);
2765out_free_secdata:
2766 free_secdata(secdata);
2767 return rc;
2768out_bad_option:
2769 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2770 "during remount (dev %s, type=%s)\n", sb->s_id,
2771 sb->s_type->name);
026eb167
EP		 2772 goto out_free_opts;
2773}
2774
12204e24 2775static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2776{
88e67f3b 2777 const struct cred *cred = current_cred();
2bf49690 2778 struct common_audit_data ad;
1da177e4
LT		 2779 int rc;
2780
2781 rc = superblock_doinit(sb, data);
2782 if (rc)
2783 return rc;
2784
74192246
JM		 2785 /* Allow all mounts performed by the kernel */
2786 if (flags & MS_KERNMOUNT)
2787 return 0;
2788
50c205f5 2789 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2790 ad.u.dentry = sb->s_root;
88e67f3b 2791 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2792}
2793
726c3342 2794static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2795{
88e67f3b 2796 const struct cred *cred = current_cred();
2bf49690 2797 struct common_audit_data ad;
1da177e4 2798
50c205f5 2799 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2800 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2801 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2802}
2803
808d4e3c 2804static int selinux_mount(const char *dev_name,
8a04c43b 2805 const struct path *path,
808d4e3c 2806 const char *type,
828dfe1d
EP		 2807 unsigned long flags,
2808 void *data)
1da177e4 2809{
88e67f3b 2810 const struct cred *cred = current_cred();
1da177e4
LT		 2811
2812 if (flags & MS_REMOUNT)
d8c9584e 2813 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2814 FILESYSTEM__REMOUNT, NULL);
1da177e4 2815 else
2875fa00 2816 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2817}
2818
2819static int selinux_umount(struct vfsmount *mnt, int flags)
2820{
88e67f3b 2821 const struct cred *cred = current_cred();
1da177e4 2822
88e67f3b 2823 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2824 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2825}
2826
2827/* inode security operations */
2828
2829static int selinux_inode_alloc_security(struct inode *inode)
2830{
2831 return inode_alloc_security(inode);
2832}
2833
2834static void selinux_inode_free_security(struct inode *inode)
2835{
2836 inode_free_security(inode);
2837}
2838
d47be3df 2839static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2840 const struct qstr *name, void **ctx,
d47be3df
DQ		 2841 u32 *ctxlen)
2842{
d47be3df
DQ		 2843 u32 newsid;
2844 int rc;
2845
c957f6df
VG		 2846 rc = selinux_determine_inode_label(current_security(),
2847 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2848 inode_mode_to_security_class(mode),
2849 &newsid);
2850 if (rc)
2851 return rc;
d47be3df
DQ		 2852
2853 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2854}
2855
a518b0a5
VG		 2856static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2857 struct qstr *name,
2858 const struct cred *old,
2859 struct cred *new)
2860{
2861 u32 newsid;
2862 int rc;
2863 struct task_security_struct *tsec;
2864
2865 rc = selinux_determine_inode_label(old->security,
2866 d_inode(dentry->d_parent), name,
2867 inode_mode_to_security_class(mode),
2868 &newsid);
2869 if (rc)
2870 return rc;
2871
2872 tsec = new->security;
2873 tsec->create_sid = newsid;
2874 return 0;
2875}
2876
5e41ff9e 2877static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2878 const struct qstr *qstr,
2879 const char **name,
2a7dba39 2880 void **value, size_t *len)
5e41ff9e 2881{
5fb49870 2882 const struct task_security_struct *tsec = current_security();
5e41ff9e 2883 struct superblock_security_struct *sbsec;
275bb41e 2884 u32 sid, newsid, clen;
5e41ff9e 2885 int rc;
9548906b 2886 char *context;
5e41ff9e 2887
5e41ff9e 2888 sbsec = dir->i_sb->s_security;
5e41ff9e 2889
275bb41e
DH		 2890 sid = tsec->sid;
2891 newsid = tsec->create_sid;
2892
c957f6df 2893 rc = selinux_determine_inode_label(current_security(),
c3c188b2
DH		 2894 dir, qstr,
2895 inode_mode_to_security_class(inode->i_mode),
2896 &newsid);
2897 if (rc)
2898 return rc;
5e41ff9e 2899
296fddf7 2900 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2901 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2902 struct inode_security_struct *isec = inode->i_security;
2903 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2904 isec->sid = newsid;
6f3be9f5 2905 isec->initialized = LABEL_INITIALIZED;
296fddf7 2906 }
5e41ff9e 2907
12f348b9 2908 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2909 return -EOPNOTSUPP;
2910
9548906b
TH		 2911 if (name)
2912 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2913
570bc1c2 2914 if (value && len) {
12b29f34 2915 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2916 if (rc)
570bc1c2 2917 return rc;
570bc1c2
SS		 2918 *value = context;
2919 *len = clen;
5e41ff9e 2920 }
5e41ff9e 2921
5e41ff9e
SS		 2922 return 0;
2923}
2924
4acdaf27 2925static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2926{
2927 return may_create(dir, dentry, SECCLASS_FILE);
2928}
2929
1da177e4
LT		 2930static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2931{
1da177e4
LT		 2932 return may_link(dir, old_dentry, MAY_LINK);
2933}
2934
1da177e4
LT		 2935static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2936{
1da177e4
LT		 2937 return may_link(dir, dentry, MAY_UNLINK);
2938}
2939
2940static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2941{
2942 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2943}
2944
18bb1db3 2945static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2946{
2947 return may_create(dir, dentry, SECCLASS_DIR);
2948}
2949
1da177e4
LT		 2950static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2951{
2952 return may_link(dir, dentry, MAY_RMDIR);
2953}
2954
1a67aafb 2955static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2956{
1da177e4
LT		 2957 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2958}
2959
1da177e4 2960static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2961 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2962{
2963 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2964}
2965
1da177e4
LT		 2966static int selinux_inode_readlink(struct dentry *dentry)
2967{
88e67f3b
DH		 2968 const struct cred *cred = current_cred();
2969
2875fa00 2970 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2971}
2972
bda0be7a
N		 2973static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2974 bool rcu)
1da177e4 2975{
88e67f3b 2976 const struct cred *cred = current_cred();
bda0be7a
N		 2977 struct common_audit_data ad;
2978 struct inode_security_struct *isec;
2979 u32 sid;
1da177e4 2980
bda0be7a
N		 2981 validate_creds(cred);
2982
2983 ad.type = LSM_AUDIT_DATA_DENTRY;
2984 ad.u.dentry = dentry;
2985 sid = cred_sid(cred);
5d226df4
AG		 2986 isec = inode_security_rcu(inode, rcu);
2987 if (IS_ERR(isec))
2988 return PTR_ERR(isec);
bda0be7a
N		 2989
2990 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2991 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2992}
2993
d4cf970d
EP		 2994static noinline int audit_inode_permission(struct inode *inode,
2995 u32 perms, u32 audited, u32 denied,
626b9740 2996 int result,
d4cf970d 2997 unsigned flags)
1da177e4 2998{
b782e0a6 2999 struct common_audit_data ad;
d4cf970d
EP		 3000 struct inode_security_struct *isec = inode->i_security;
3001 int rc;
3002
50c205f5 3003 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3004 ad.u.inode = inode;
3005
3006 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3007 audited, denied, result, &ad, flags);
d4cf970d
EP		 3008 if (rc)
3009 return rc;
3010 return 0;
3011}
3012
e74f71eb 3013static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3014{
88e67f3b 3015 const struct cred *cred = current_cred();
b782e0a6
EP		 3016 u32 perms;
3017 bool from_access;
cf1dd1da 3018 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3019 struct inode_security_struct *isec;
3020 u32 sid;
3021 struct av_decision avd;
3022 int rc, rc2;
3023 u32 audited, denied;
1da177e4 3024
b782e0a6 3025 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3026 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3027
b782e0a6
EP		 3028 /* No permission to check. Existence test. */
3029 if (!mask)
1da177e4 3030 return 0;
1da177e4 3031
2e334057 3032 validate_creds(cred);
b782e0a6 3033
2e334057
EP		 3034 if (unlikely(IS_PRIVATE(inode)))
3035 return 0;
b782e0a6
EP		 3036
3037 perms = file_mask_to_av(inode->i_mode, mask);
3038
2e334057 3039 sid = cred_sid(cred);
5d226df4
AG		 3040 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3041 if (IS_ERR(isec))
3042 return PTR_ERR(isec);
2e334057
EP		 3043
3044 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3045 audited = avc_audit_required(perms, &avd, rc,
3046 from_access ? FILE__AUDIT_ACCESS : 0,
3047 &denied);
3048 if (likely(!audited))
3049 return rc;
3050
626b9740 3051 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3052 if (rc2)
3053 return rc2;
3054 return rc;
1da177e4
LT		 3055}
3056
3057static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3058{
88e67f3b 3059 const struct cred *cred = current_cred();
bc6a6008 3060 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3061 __u32 av = FILE__WRITE;
1da177e4 3062
bc6a6008
AW		 3063 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3064 if (ia_valid & ATTR_FORCE) {
3065 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3066 ATTR_FORCE);
3067 if (!ia_valid)
3068 return 0;
3069 }
1da177e4 3070
bc6a6008
AW		 3071 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3072 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3073 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3074
44d37ad3
JVS		 3075 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3076 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3077 av |= FILE__OPEN;
3078
3079 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3080}
3081
3f7036a0 3082static int selinux_inode_getattr(const struct path *path)
1da177e4 3083{
3f7036a0 3084 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3085}
3086
8f0cfa52 3087static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3088{
88e67f3b
DH		 3089 const struct cred *cred = current_cred();
3090
b5376771
SH		 3091 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3092 sizeof XATTR_SECURITY_PREFIX - 1)) {
3093 if (!strcmp(name, XATTR_NAME_CAPS)) {
3094 if (!capable(CAP_SETFCAP))
3095 return -EPERM;
3096 } else if (!capable(CAP_SYS_ADMIN)) {
3097 /* A different attribute in the security namespace.
3098 Restrict to administrator. */
3099 return -EPERM;
3100 }
3101 }
3102
3103 /* Not an attribute we recognize, so just check the
3104 ordinary setattr permission. */
2875fa00 3105 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3106}
3107
8f0cfa52
DH		 3108static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3109 const void *value, size_t size, int flags)
1da177e4 3110{
c6f493d6 3111 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3112 struct inode_security_struct *isec;
1da177e4 3113 struct superblock_security_struct *sbsec;
2bf49690 3114 struct common_audit_data ad;
275bb41e 3115 u32 newsid, sid = current_sid();
1da177e4
LT		 3116 int rc = 0;
3117
b5376771
SH		 3118 if (strcmp(name, XATTR_NAME_SELINUX))
3119 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3120
3121 sbsec = inode->i_sb->s_security;
12f348b9 3122 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3123 return -EOPNOTSUPP;
3124
2e149670 3125 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3126 return -EPERM;
3127
50c205f5 3128 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3129 ad.u.dentry = dentry;
1da177e4 3130
20cdef8d 3131 isec = backing_inode_security(dentry);
275bb41e 3132 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3133 FILE__RELABELFROM, &ad);
3134 if (rc)
3135 return rc;
3136
52a4c640 3137 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3138 if (rc == -EINVAL) {
d6ea83ec
EP		 3139 if (!capable(CAP_MAC_ADMIN)) {
3140 struct audit_buffer *ab;
3141 size_t audit_size;
3142 const char *str;
3143
3144 /* We strip a nul only if it is at the end, otherwise the
3145 * context contains a nul and we should audit that */
e3fea3f7
AV		 3146 if (value) {
3147 str = value;
3148 if (str[size - 1] == '\0')
3149 audit_size = size - 1;
3150 else
3151 audit_size = size;
3152 } else {
3153 str = "";
3154 audit_size = 0;
3155 }
d6ea83ec
EP		 3156 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3157 audit_log_format(ab, "op=setxattr invalid_context=");
3158 audit_log_n_untrustedstring(ab, value, audit_size);
3159 audit_log_end(ab);
3160
12b29f34 3161 return rc;
d6ea83ec 3162 }
12b29f34
SS		 3163 rc = security_context_to_sid_force(value, size, &newsid);
3164 }
1da177e4
LT		 3165 if (rc)
3166 return rc;
3167
275bb41e 3168 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3169 FILE__RELABELTO, &ad);
3170 if (rc)
3171 return rc;
3172
275bb41e 3173 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3174 isec->sclass);
1da177e4
LT		 3175 if (rc)
3176 return rc;
3177
3178 return avc_has_perm(newsid,
3179 sbsec->sid,
3180 SECCLASS_FILESYSTEM,
3181 FILESYSTEM__ASSOCIATE,
3182 &ad);
3183}
3184
8f0cfa52 3185static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3186 const void *value, size_t size,
8f0cfa52 3187 int flags)
1da177e4 3188{
c6f493d6 3189 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3190 struct inode_security_struct *isec;
1da177e4
LT		 3191 u32 newsid;
3192 int rc;
3193
3194 if (strcmp(name, XATTR_NAME_SELINUX)) {
3195 /* Not an attribute we recognize, so nothing to do. */
3196 return;
3197 }
3198
12b29f34 3199 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3200 if (rc) {
12b29f34
SS		 3201 printk(KERN_ERR "SELinux: unable to map context to SID"
3202 "for (%s, %lu), rc=%d\n",
3203 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3204 return;
3205 }
3206
20cdef8d 3207 isec = backing_inode_security(dentry);
9287aed2 3208 spin_lock(&isec->lock);
aa9c2669 3209 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3210 isec->sid = newsid;
6f3be9f5 3211 isec->initialized = LABEL_INITIALIZED;
9287aed2 3212 spin_unlock(&isec->lock);
aa9c2669 3213
1da177e4
LT		 3214 return;
3215}
3216
8f0cfa52 3217static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3218{
88e67f3b
DH		 3219 const struct cred *cred = current_cred();
3220
2875fa00 3221 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3222}
3223
828dfe1d 3224static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3225{
88e67f3b
DH		 3226 const struct cred *cred = current_cred();
3227
2875fa00 3228 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3229}
3230
8f0cfa52 3231static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3232{
b5376771
SH		 3233 if (strcmp(name, XATTR_NAME_SELINUX))
3234 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3235
3236 /* No one is allowed to remove a SELinux security label.
3237 You can change the label, but all data must be labeled. */
3238 return -EACCES;
3239}
3240
d381d8a9 3241/*
abc69bb6 3242 * Copy the inode security context value to the user.
d381d8a9
JM		 3243 *
3244 * Permission check is handled by selinux_inode_getxattr hook.
3245 */
ea861dfd 3246static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3247{
42492594
DQ		 3248 u32 size;
3249 int error;
3250 char *context = NULL;
20cdef8d 3251 struct inode_security_struct *isec;
d381d8a9 3252
8c8570fb
DK		 3253 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3254 return -EOPNOTSUPP;
d381d8a9 3255
abc69bb6
SS		 3256 /*
3257 * If the caller has CAP_MAC_ADMIN, then get the raw context
3258 * value even if it is not defined by current policy; otherwise,
3259 * use the in-core value under current policy.
3260 * Use the non-auditing forms of the permission checks since
3261 * getxattr may be called by unprivileged processes commonly
3262 * and lack of permission just means that we fall back to the
3263 * in-core context value, not a denial.
3264 */
b1d9e6b0
CS		 3265 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3266 SECURITY_CAP_NOAUDIT);
3267 if (!error)
3268 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
8e4ff6f2 3269 SECURITY_CAP_NOAUDIT, true);
20cdef8d 3270 isec = inode_security(inode);
abc69bb6
SS		 3271 if (!error)
3272 error = security_sid_to_context_force(isec->sid, &context,
3273 &size);
3274 else
3275 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3276 if (error)
3277 return error;
3278 error = size;
3279 if (alloc) {
3280 *buffer = context;
3281 goto out_nofree;
3282 }
3283 kfree(context);
3284out_nofree:
3285 return error;
1da177e4
LT		 3286}
3287
3288static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3289 const void *value, size_t size, int flags)
1da177e4 3290{
2c97165b 3291 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3292 u32 newsid;
3293 int rc;
3294
3295 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3296 return -EOPNOTSUPP;
3297
3298 if (!value || !size)
3299 return -EACCES;
3300
20ba96ae 3301 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3302 if (rc)
3303 return rc;
3304
9287aed2 3305 spin_lock(&isec->lock);
aa9c2669 3306 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3307 isec->sid = newsid;
6f3be9f5 3308 isec->initialized = LABEL_INITIALIZED;
9287aed2 3309 spin_unlock(&isec->lock);
1da177e4
LT		 3310 return 0;
3311}
3312
3313static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3314{
3315 const int len = sizeof(XATTR_NAME_SELINUX);
3316 if (buffer && len <= buffer_size)
3317 memcpy(buffer, XATTR_NAME_SELINUX, len);
3318 return len;
3319}
3320
d6335d77 3321static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3322{
e817c2f3 3323 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3324 *secid = isec->sid;
3325}
3326
56909eb3
VG		 3327static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3328{
3329 u32 sid;
3330 struct task_security_struct *tsec;
3331 struct cred *new_creds = *new;
3332
3333 if (new_creds == NULL) {
3334 new_creds = prepare_creds();
3335 if (!new_creds)
3336 return -ENOMEM;
3337 }
3338
3339 tsec = new_creds->security;
3340 /* Get label from overlay inode and set it in create_sid */
3341 selinux_inode_getsecid(d_inode(src), &sid);
3342 tsec->create_sid = sid;
3343 *new = new_creds;
3344 return 0;
3345}
3346
19472b69
VG		 3347static int selinux_inode_copy_up_xattr(const char *name)
3348{
3349 /* The copy_up hook above sets the initial context on an inode, but we
3350 * don't then want to overwrite it by blindly copying all the lower
3351 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3352 */
3353 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3354 return 1; /* Discard */
3355 /*
3356 * Any other attribute apart from SELINUX is not claimed, supported
3357 * by selinux.
3358 */
3359 return -EOPNOTSUPP;
3360}
3361
1da177e4
LT		 3362/* file security operations */
3363
788e7dd4 3364static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3365{
88e67f3b 3366 const struct cred *cred = current_cred();
496ad9aa 3367 struct inode *inode = file_inode(file);
1da177e4 3368
1da177e4
LT		 3369 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3370 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3371 mask |= MAY_APPEND;
3372
389fb800
PM		 3373 return file_has_perm(cred, file,
3374 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3375}
3376
788e7dd4
YN		 3377static int selinux_file_permission(struct file *file, int mask)
3378{
496ad9aa 3379 struct inode *inode = file_inode(file);
20dda18b 3380 struct file_security_struct *fsec = file->f_security;
b197367e 3381 struct inode_security_struct *isec;
20dda18b
SS		 3382 u32 sid = current_sid();
3383
389fb800 3384 if (!mask)
788e7dd4
YN		 3385 /* No permission to check. Existence test. */
3386 return 0;
788e7dd4 3387
b197367e 3388 isec = inode_security(inode);
20dda18b
SS		 3389 if (sid == fsec->sid && fsec->isid == isec->sid &&
3390 fsec->pseqno == avc_policy_seqno())
83d49856 3391 /* No change since file_open check. */
20dda18b
SS		 3392 return 0;
3393
788e7dd4
YN		 3394 return selinux_revalidate_file_permission(file, mask);
3395}
3396
1da177e4
LT		 3397static int selinux_file_alloc_security(struct file *file)
3398{
3399 return file_alloc_security(file);
3400}
3401
3402static void selinux_file_free_security(struct file *file)
3403{
3404 file_free_security(file);
3405}
3406
fa1aa143
JVS		 3407/*
3408 * Check whether a task has the ioctl permission and cmd
3409 * operation to an inode.
3410 */
1d2a168a 3411static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3412 u32 requested, u16 cmd)
3413{
3414 struct common_audit_data ad;
3415 struct file_security_struct *fsec = file->f_security;
3416 struct inode *inode = file_inode(file);
20cdef8d 3417 struct inode_security_struct *isec;
fa1aa143
JVS		 3418 struct lsm_ioctlop_audit ioctl;
3419 u32 ssid = cred_sid(cred);
3420 int rc;
3421 u8 driver = cmd >> 8;
3422 u8 xperm = cmd & 0xff;
3423
3424 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3425 ad.u.op = &ioctl;
3426 ad.u.op->cmd = cmd;
3427 ad.u.op->path = file->f_path;
3428
3429 if (ssid != fsec->sid) {
3430 rc = avc_has_perm(ssid, fsec->sid,
3431 SECCLASS_FD,
3432 FD__USE,
3433 &ad);
3434 if (rc)
3435 goto out;
3436 }
3437
3438 if (unlikely(IS_PRIVATE(inode)))
3439 return 0;
3440
20cdef8d 3441 isec = inode_security(inode);
fa1aa143
JVS		 3442 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3443 requested, driver, xperm, &ad);
3444out:
3445 return rc;
3446}
3447
1da177e4
LT		 3448static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3449 unsigned long arg)
3450{
88e67f3b 3451 const struct cred *cred = current_cred();
0b24dcb7 3452 int error = 0;
1da177e4 3453
0b24dcb7
EP		 3454 switch (cmd) {
3455 case FIONREAD:
3456 /* fall through */
3457 case FIBMAP:
3458 /* fall through */
3459 case FIGETBSZ:
3460 /* fall through */
2f99c369 3461 case FS_IOC_GETFLAGS:
0b24dcb7 3462 /* fall through */
2f99c369 3463 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3464 error = file_has_perm(cred, file, FILE__GETATTR);
3465 break;
1da177e4 3466
2f99c369 3467 case FS_IOC_SETFLAGS:
0b24dcb7 3468 /* fall through */
2f99c369 3469 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3470 error = file_has_perm(cred, file, FILE__SETATTR);
3471 break;
3472
3473 /* sys_ioctl() checks */
3474 case FIONBIO:
3475 /* fall through */
3476 case FIOASYNC:
3477 error = file_has_perm(cred, file, 0);
3478 break;
1da177e4 3479
0b24dcb7
EP		 3480 case KDSKBENT:
3481 case KDSKBSENT:
6a9de491 3482 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3483 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3484 break;
3485
3486 /* default case assumes that the command will go
3487 * to the file's ioctl() function.
3488 */
3489 default:
fa1aa143 3490 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3491 }
3492 return error;
1da177e4
LT		 3493}
3494
fcaaade1
SS		 3495static int default_noexec;
3496
1da177e4
LT		 3497static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3498{
88e67f3b 3499 const struct cred *cred = current_cred();
be0554c9 3500 u32 sid = cred_sid(cred);
d84f4f99 3501 int rc = 0;
88e67f3b 3502
fcaaade1 3503 if (default_noexec &&
892e8cac
SS		 3504 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3505 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3506 /*
3507 * We are making executable an anonymous mapping or a
3508 * private file mapping that will also be writable.
3509 * This has an additional check.
3510 */
be0554c9
SS		 3511 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3512 PROCESS__EXECMEM, NULL);
1da177e4 3513 if (rc)
d84f4f99 3514 goto error;
1da177e4 3515 }
1da177e4
LT		 3516
3517 if (file) {
3518 /* read access is always possible with a mapping */
3519 u32 av = FILE__READ;
3520
3521 /* write access only matters if the mapping is shared */
3522 if (shared && (prot & PROT_WRITE))
3523 av |= FILE__WRITE;
3524
3525 if (prot & PROT_EXEC)
3526 av |= FILE__EXECUTE;
3527
88e67f3b 3528 return file_has_perm(cred, file, av);
1da177e4 3529 }
d84f4f99
DH		 3530
3531error:
3532 return rc;
1da177e4
LT		 3533}
3534
e5467859 3535static int selinux_mmap_addr(unsigned long addr)
1da177e4 3536{
b1d9e6b0 3537 int rc = 0;
1da177e4 3538
a2551df7 3539 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3540 u32 sid = current_sid();
ed032189
EP		 3541 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3542 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3543 }
3544
98883bfd 3545 return rc;
e5467859 3546}
1da177e4 3547
e5467859
AV		 3548static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3549 unsigned long prot, unsigned long flags)
3550{
1da177e4
LT		 3551 if (selinux_checkreqprot)
3552 prot = reqprot;
3553
3554 return file_map_prot_check(file, prot,
3555 (flags & MAP_TYPE) == MAP_SHARED);
3556}
3557
3558static int selinux_file_mprotect(struct vm_area_struct *vma,
3559 unsigned long reqprot,
3560 unsigned long prot)
3561{
88e67f3b 3562 const struct cred *cred = current_cred();
be0554c9 3563 u32 sid = cred_sid(cred);
1da177e4
LT		 3564
3565 if (selinux_checkreqprot)
3566 prot = reqprot;
3567
fcaaade1
SS		 3568 if (default_noexec &&
3569 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3570 int rc = 0;
db4c9641
SS		 3571 if (vma->vm_start >= vma->vm_mm->start_brk &&
3572 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3573 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3574 PROCESS__EXECHEAP, NULL);
db4c9641 3575 } else if (!vma->vm_file &&
c2316dbf
SS		 3576 ((vma->vm_start <= vma->vm_mm->start_stack &&
3577 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3578 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3579 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3580 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3581 } else if (vma->vm_file && vma->anon_vma) {
3582 /*
3583 * We are making executable a file mapping that has
3584 * had some COW done. Since pages might have been
3585 * written, check ability to execute the possibly
3586 * modified content. This typically should only
3587 * occur for text relocations.
3588 */
d84f4f99 3589 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3590 }