]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
UBUNTU: Ubuntu-4.13.0-45.50
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
1da177e4
LT		 70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
1da177e4 78#include <linux/audit.h>
6931dfc9 79#include <linux/string.h>
877ce7c1 80#include <linux/selinux.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
1da177e4
LT		 88
89#include "avc.h"
90#include "objsec.h"
91#include "netif.h"
224dfbd8 92#include "netnode.h"
3e112172 93#include "netport.h"
409dcf31 94#include "ibpkey.h"
d28d1e08 95#include "xfrm.h"
c60475bf 96#include "netlabel.h"
9d57a7f9 97#include "audit.h"
7b98a585 98#include "avc_ss.h"
1da177e4 99
d621d35e 100/* SECMARK reference count */
56a4ca99 101static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 102
1da177e4 103#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 104int selinux_enforcing;
1da177e4
LT		 105
106static int __init enforcing_setup(char *str)
107{
f5269710 108 unsigned long enforcing;
29707b20 109 if (!kstrtoul(str, 0, &enforcing))
f5269710 110 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 111 return 1;
112}
113__setup("enforcing=", enforcing_setup);
114#endif
115
116#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119static int __init selinux_enabled_setup(char *str)
120{
f5269710 121 unsigned long enabled;
29707b20 122 if (!kstrtoul(str, 0, &enabled))
f5269710 123 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 124 return 1;
125}
126__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 127#else
128int selinux_enabled = 1;
1da177e4
LT		 129#endif
130
33132849
JS		 131static struct kmem_cache *sel_inode_cache;
132
d621d35e
PM		 133/**
134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 *
136 * Description:
137 * This function checks the SECMARK reference counter to see if any SECMARK
138 * targets are currently configured, if the reference counter is greater than
139 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 140 * enabled, false (0) if SECMARK is disabled. If the always_check_network
141 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 142 *
143 */
144static int selinux_secmark_enabled(void)
145{
2be4d74f
CP		 146 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147}
148
149/**
150 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 *
152 * Description:
153 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
154 * (1) if any are enabled or false (0) if neither are enabled. If the
155 * always_check_network policy capability is enabled, peer labeling
156 * is always considered enabled.
157 *
158 */
159static int selinux_peerlbl_enabled(void)
160{
161 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 162}
163
615e51fd
PM		 164static int selinux_netcache_avc_callback(u32 event)
165{
166 if (event == AVC_CALLBACK_RESET) {
167 sel_netif_flush();
168 sel_netnode_flush();
169 sel_netport_flush();
170 synchronize_net();
171 }
172 return 0;
173}
174
8f408ab6
DJ		 175static int selinux_lsm_notifier_avc_callback(u32 event)
176{
409dcf31
DJ		 177 if (event == AVC_CALLBACK_RESET) {
178 sel_ib_pkey_flush();
8f408ab6 179 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 180 }
8f408ab6
DJ		 181
182 return 0;
183}
184
d84f4f99
DH		 185/*
186 * initialise the security for the init task
187 */
188static void cred_init_security(void)
1da177e4 189{
3b11a1de 190 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 191 struct task_security_struct *tsec;
192
98738d70
CS		 193 lsm_early_cred(cred);
194 tsec = selinux_cred(cred);
d84f4f99 195 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 196}
197
88e67f3b
DH		 198/*
199 * get the security ID of a set of credentials
200 */
201static inline u32 cred_sid(const struct cred *cred)
202{
203 const struct task_security_struct *tsec;
204
98738d70 205 tsec = selinux_cred(cred);
88e67f3b
DH		 206 return tsec->sid;
207}
208
275bb41e 209/*
3b11a1de 210 * get the objective security ID of a task
275bb41e
DH		 211 */
212static inline u32 task_sid(const struct task_struct *task)
213{
275bb41e
DH		 214 u32 sid;
215
216 rcu_read_lock();
88e67f3b 217 sid = cred_sid(__task_cred(task));
275bb41e
DH		 218 rcu_read_unlock();
219 return sid;
220}
221
88e67f3b
DH		 222/* Allocate and free functions for each kind of security blob. */
223
1da177e4
LT		 224static int inode_alloc_security(struct inode *inode)
225{
33132849 226 struct inode_security_struct *isec;
275bb41e 227 u32 sid = current_sid();
1da177e4 228
33132849
JS		 229 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
230 if (!isec)
231 return -ENOMEM;
232
9287aed2 233 spin_lock_init(&isec->lock);
1da177e4 234 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 235 isec->inode = inode;
236 isec->sid = SECINITSID_UNLABELED;
237 isec->sclass = SECCLASS_FILE;
275bb41e 238 isec->task_sid = sid;
42059112 239 isec->initialized = LABEL_INVALID;
33132849 240 inode->i_security = isec;
1da177e4
LT		 241
242 return 0;
243}
244
5d226df4
AG		 245static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247/*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 250 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257{
33132849 258 struct inode_security_struct *isec = inode->i_security;
5d226df4
AG		 259
260 might_sleep_if(may_sleep);
261
1ac42476 262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274}
275
5d226df4
AG		 276static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277{
33132849 278 return inode->i_security;
5d226df4
AG		 279}
280
281static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282{
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
33132849 288 return inode->i_security;
5d226df4
AG		 289}
290
83da53c5
AG		 291/*
292 * Get the security label of an inode.
293 */
294static struct inode_security_struct *inode_security(struct inode *inode)
295{
5d226df4 296 __inode_security_revalidate(inode, NULL, true);
33132849 297 return inode->i_security;
83da53c5
AG		 298}
299
2c97165b
PM		 300static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301{
302 struct inode *inode = d_backing_inode(dentry);
303
33132849 304 return inode->i_security;
2c97165b
PM		 305}
306
83da53c5
AG		 307/*
308 * Get the security label of a dentry's backing inode.
309 */
310static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311{
312 struct inode *inode = d_backing_inode(dentry);
313
5d226df4 314 __inode_security_revalidate(inode, dentry, true);
33132849
JS		 315 return inode->i_security;
316}
317
318static void inode_free_rcu(struct rcu_head *head)
319{
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
3dc91d43
SR		 324}
325
1da177e4
LT		 326static void inode_free_security(struct inode *inode)
327{
33132849
JS		 328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1da177e4 330
9629d04a
WL		 331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
1da177e4 343 list_del_init(&isec->list);
9629d04a
WL		 344 spin_unlock(&sbsec->isec_lock);
345 }
33132849
JS		 346
347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 357}
358
359static int file_alloc_security(struct file *file)
360{
004c5200 361 struct file_security_struct *fsec = selinux_file(file);
275bb41e 362 u32 sid = current_sid();
1da177e4 363
275bb41e
DH		 364 fsec->sid = sid;
365 fsec->fown_sid = sid;
1da177e4
LT		 366
367 return 0;
368}
369
1da177e4
LT		 370static int superblock_alloc_security(struct super_block *sb)
371{
33132849
JS		 372 struct superblock_security_struct *sbsec;
373
374 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
375 if (!sbsec)
376 return -ENOMEM;
1da177e4 377
bc7e982b 378 mutex_init(&sbsec->lock);
1da177e4
LT		 379 INIT_LIST_HEAD(&sbsec->isec_head);
380 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 381 sbsec->sb = sb;
382 sbsec->sid = SECINITSID_UNLABELED;
383 sbsec->def_sid = SECINITSID_FILE;
c312feb2 384 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
33132849 385 sb->s_security = sbsec;
1da177e4
LT		 386
387 return 0;
388}
389
33132849
JS		 390static void superblock_free_security(struct super_block *sb)
391{
392 struct superblock_security_struct *sbsec = sb->s_security;
393 sb->s_security = NULL;
394 kfree(sbsec);
395}
396
1da177e4
LT		 397static inline int inode_doinit(struct inode *inode)
398{
399 return inode_doinit_with_dentry(inode, NULL);
400}
401
402enum {
31e87930 403 Opt_error = -1,
1da177e4
LT		 404 Opt_context = 1,
405 Opt_fscontext = 2,
c9180a57
EP		 406 Opt_defcontext = 3,
407 Opt_rootcontext = 4,
11689d47 408 Opt_labelsupport = 5,
d355987f 409 Opt_nextmntopt = 6,
1da177e4
LT		 410};
411
d355987f
EP		 412#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
413
a447c093 414static const match_table_t tokens = {
832cbd9a
EP		 415 {Opt_context, CONTEXT_STR "%s"},
416 {Opt_fscontext, FSCONTEXT_STR "%s"},
417 {Opt_defcontext, DEFCONTEXT_STR "%s"},
418 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 419 {Opt_labelsupport, LABELSUPP_STR},
31e87930 420 {Opt_error, NULL},
1da177e4
LT		 421};
422
423#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
424
c312feb2
EP		 425static int may_context_mount_sb_relabel(u32 sid,
426 struct superblock_security_struct *sbsec,
275bb41e 427 const struct cred *cred)
c312feb2 428{
98738d70 429 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 430 int rc;
431
432 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
433 FILESYSTEM__RELABELFROM, NULL);
434 if (rc)
435 return rc;
436
437 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
438 FILESYSTEM__RELABELTO, NULL);
439 return rc;
440}
441
0808925e
EP		 442static int may_context_mount_inode_relabel(u32 sid,
443 struct superblock_security_struct *sbsec,
275bb41e 444 const struct cred *cred)
0808925e 445{
98738d70 446 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e
EP		 447 int rc;
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
450 if (rc)
451 return rc;
452
453 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__ASSOCIATE, NULL);
455 return rc;
456}
457
b43e725d
EP		 458static int selinux_is_sblabel_mnt(struct super_block *sb)
459{
33132849 460 struct superblock_security_struct *sbsec = sb->s_security;
b43e725d 461
d5f3a5f6
MS		 462 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
463 sbsec->behavior == SECURITY_FS_USE_TRANS ||
464 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 465 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 466 /* Special handling. Genfs but also in-core setxattr handler */
467 !strcmp(sb->s_type->name, "sysfs") ||
468 !strcmp(sb->s_type->name, "pstore") ||
469 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 470 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 471 !strcmp(sb->s_type->name, "rootfs") ||
472 (selinux_policycap_cgroupseclabel &&
473 (!strcmp(sb->s_type->name, "cgroup") ||
474 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 475}
476
c9180a57 477static int sb_finish_set_opts(struct super_block *sb)
1da177e4 478{
33132849 479 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 480 struct dentry *root = sb->s_root;
c6f493d6 481 struct inode *root_inode = d_backing_inode(root);
c9180a57 482 int rc = 0;
1da177e4 483
c9180a57
EP		 484 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
485 /* Make sure that the xattr handler exists and that no
486 error other than -ENODATA is returned by getxattr on
487 the root directory. -ENODATA is ok, as this may be
488 the first boot of the SELinux kernel before we have
489 assigned xattr values to the filesystem. */
5d6c3191 490 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 491 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
492 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 493 rc = -EOPNOTSUPP;
494 goto out;
495 }
5d6c3191
AG		 496
497 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 498 if (rc < 0 && rc != -ENODATA) {
499 if (rc == -EOPNOTSUPP)
500 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 501 "%s) has no security xattr handler\n",
502 sb->s_id, sb->s_type->name);
c9180a57
EP		 503 else
504 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 505 "%s) getxattr errno %d\n", sb->s_id,
506 sb->s_type->name, -rc);
c9180a57
EP		 507 goto out;
508 }
509 }
1da177e4 510
eadcabc6 511 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 512
513 /*
514 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
515 * leave the flag untouched because sb_clone_mnt_opts might be handing
516 * us a superblock that needs the flag to be cleared.
517 */
b43e725d 518 if (selinux_is_sblabel_mnt(sb))
12f348b9 519 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 520 else
521 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 522
c9180a57
EP		 523 /* Initialize the root inode. */
524 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 525
c9180a57
EP		 526 /* Initialize any other inodes associated with the superblock, e.g.
527 inodes created prior to initial policy load or inodes created
528 during get_sb by a pseudo filesystem that directly
529 populates itself. */
530 spin_lock(&sbsec->isec_lock);
531next_inode:
532 if (!list_empty(&sbsec->isec_head)) {
533 struct inode_security_struct *isec =
534 list_entry(sbsec->isec_head.next,
535 struct inode_security_struct, list);
536 struct inode *inode = isec->inode;
923190d3 537 list_del_init(&isec->list);
c9180a57
EP		 538 spin_unlock(&sbsec->isec_lock);
539 inode = igrab(inode);
540 if (inode) {
541 if (!IS_PRIVATE(inode))
542 inode_doinit(inode);
543 iput(inode);
544 }
545 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 546 goto next_inode;
547 }
548 spin_unlock(&sbsec->isec_lock);
549out:
550 return rc;
551}
1da177e4 552
c9180a57
EP		 553/*
554 * This function should allow an FS to ask what it's mount security
555 * options were so it can use those later for submounts, displaying
556 * mount options, or whatever.
557 */
558static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 559 struct security_mnt_opts *opts)
c9180a57
EP		 560{
561 int rc = 0, i;
33132849 562 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 563 char *context = NULL;
564 u32 len;
565 char tmp;
1da177e4 566
e0007529 567 security_init_mnt_opts(opts);
1da177e4 568
0d90a7ec 569 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 570 return -EINVAL;
1da177e4 571
c9180a57
EP		 572 if (!ss_initialized)
573 return -EINVAL;
1da177e4 574
af8e50cc
EP		 575 /* make sure we always check enough bits to cover the mask */
576 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
577
0d90a7ec 578 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 579 /* count the number of mount options for this sb */
af8e50cc 580 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 581 if (tmp & 0x01)
e0007529 582 opts->num_mnt_opts++;
c9180a57
EP		 583 tmp >>= 1;
584 }
11689d47 585 /* Check if the Label support flag is set */
0b4bdb35 586 if (sbsec->flags & SBLABEL_MNT)
11689d47 587 opts->num_mnt_opts++;
1da177e4 588
e0007529
EP		 589 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
590 if (!opts->mnt_opts) {
c9180a57
EP		 591 rc = -ENOMEM;
592 goto out_free;
593 }
1da177e4 594
e0007529
EP		 595 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
596 if (!opts->mnt_opts_flags) {
c9180a57
EP		 597 rc = -ENOMEM;
598 goto out_free;
599 }
1da177e4 600
c9180a57
EP		 601 i = 0;
602 if (sbsec->flags & FSCONTEXT_MNT) {
603 rc = security_sid_to_context(sbsec->sid, &context, &len);
604 if (rc)
605 goto out_free;
e0007529
EP		 606 opts->mnt_opts[i] = context;
607 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 608 }
609 if (sbsec->flags & CONTEXT_MNT) {
610 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
611 if (rc)
612 goto out_free;
e0007529
EP		 613 opts->mnt_opts[i] = context;
614 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 615 }
616 if (sbsec->flags & DEFCONTEXT_MNT) {
617 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
618 if (rc)
619 goto out_free;
e0007529
EP		 620 opts->mnt_opts[i] = context;
621 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 622 }
623 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5 624 struct dentry *root = sbsec->sb->s_root;
33132849 625 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 626
c9180a57
EP		 627 rc = security_sid_to_context(isec->sid, &context, &len);
628 if (rc)
629 goto out_free;
e0007529
EP		 630 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 632 }
12f348b9 633 if (sbsec->flags & SBLABEL_MNT) {
11689d47 634 opts->mnt_opts[i] = NULL;
12f348b9 635 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 636 }
1da177e4 637
e0007529 638 BUG_ON(i != opts->num_mnt_opts);
1da177e4 639
c9180a57
EP		 640 return 0;
641
642out_free:
e0007529 643 security_free_mnt_opts(opts);
c9180a57
EP		 644 return rc;
645}
1da177e4 646
c9180a57
EP		 647static int bad_option(struct superblock_security_struct *sbsec, char flag,
648 u32 old_sid, u32 new_sid)
649{
0d90a7ec
DQ		 650 char mnt_flags = sbsec->flags & SE_MNTMASK;
651
c9180a57 652 /* check if the old mount command had the same options */
0d90a7ec 653 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 654 if (!(sbsec->flags & flag) ||
655 (old_sid != new_sid))
656 return 1;
657
658 /* check if we were passed the same options twice,
659 * aka someone passed context=a,context=b
660 */
0d90a7ec
DQ		 661 if (!(sbsec->flags & SE_SBINITIALIZED))
662 if (mnt_flags & flag)
c9180a57
EP		 663 return 1;
664 return 0;
665}
e0007529 666
c9180a57
EP		 667/*
668 * Allow filesystems with binary mount data to explicitly set mount point
669 * labeling information.
670 */
e0007529 671static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 672 struct security_mnt_opts *opts,
673 unsigned long kern_flags,
674 unsigned long *set_kern_flags)
c9180a57 675{
275bb41e 676 const struct cred *cred = current_cred();
c9180a57 677 int rc = 0, i;
33132849 678 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 679 const char *name = sb->s_type->name;
83da53c5 680 struct dentry *root = sbsec->sb->s_root;
2c97165b 681 struct inode_security_struct *root_isec;
c9180a57
EP		 682 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
683 u32 defcontext_sid = 0;
e0007529
EP		 684 char **mount_options = opts->mnt_opts;
685 int *flags = opts->mnt_opts_flags;
686 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 687
688 mutex_lock(&sbsec->lock);
689
690 if (!ss_initialized) {
691 if (!num_opts) {
692 /* Defer initialization until selinux_complete_init,
693 after the initial policy is loaded and the security
694 server is ready to handle calls. */
c9180a57
EP		 695 goto out;
696 }
697 rc = -EINVAL;
744ba35e
EP		 698 printk(KERN_WARNING "SELinux: Unable to set superblock options "
699 "before the security server is initialized\n");
1da177e4 700 goto out;
c9180a57 701 }
649f6e77
DQ		 702 if (kern_flags && !set_kern_flags) {
703 /* Specifying internal flags without providing a place to
704 * place the results is not allowed */
705 rc = -EINVAL;
706 goto out;
707 }
1da177e4 708
e0007529
EP		 709 /*
710 * Binary mount data FS will come through this function twice. Once
711 * from an explicit call and once from the generic calls from the vfs.
712 * Since the generic VFS calls will not contain any security mount data
713 * we need to skip the double mount verification.
714 *
715 * This does open a hole in which we will not notice if the first
716 * mount using this sb set explict options and a second mount using
717 * this sb does not set any security options. (The first options
718 * will be used for both mounts)
719 */
0d90a7ec 720 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 721 && (num_opts == 0))
f5269710 722 goto out;
e0007529 723
2c97165b
PM		 724 root_isec = backing_inode_security_novalidate(root);
725
c9180a57
EP		 726 /*
727 * parse the mount options, check if they are valid sids.
728 * also check if someone is trying to mount the same sb more
729 * than once with different security options.
730 */
731 for (i = 0; i < num_opts; i++) {
732 u32 sid;
11689d47 733
12f348b9 734 if (flags[i] == SBLABEL_MNT)
11689d47 735 continue;
44be2f65 736 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 737 if (rc) {
44be2f65 738 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 739 "(%s) failed for (dev %s, type %s) errno=%d\n",
740 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 741 goto out;
742 }
743 switch (flags[i]) {
744 case FSCONTEXT_MNT:
745 fscontext_sid = sid;
746
747 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
748 fscontext_sid))
749 goto out_double_mount;
750
751 sbsec->flags |= FSCONTEXT_MNT;
752 break;
753 case CONTEXT_MNT:
754 context_sid = sid;
755
756 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
757 context_sid))
758 goto out_double_mount;
759
760 sbsec->flags |= CONTEXT_MNT;
761 break;
762 case ROOTCONTEXT_MNT:
763 rootcontext_sid = sid;
764
765 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
766 rootcontext_sid))
767 goto out_double_mount;
768
769 sbsec->flags |= ROOTCONTEXT_MNT;
770
771 break;
772 case DEFCONTEXT_MNT:
773 defcontext_sid = sid;
774
775 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
776 defcontext_sid))
777 goto out_double_mount;
778
779 sbsec->flags |= DEFCONTEXT_MNT;
780
781 break;
782 default:
783 rc = -EINVAL;
784 goto out;
1da177e4 785 }
c9180a57
EP		 786 }
787
0d90a7ec 788 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 789 /* previously mounted with options, but not on this attempt? */
0d90a7ec 790 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 791 goto out_double_mount;
792 rc = 0;
793 goto out;
794 }
795
089be43e 796 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 797 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
798
8e014720 799 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 800 !strcmp(sb->s_type->name, "tracefs") ||
8e014720
SS		 801 !strcmp(sb->s_type->name, "sysfs") ||
802 !strcmp(sb->s_type->name, "pstore"))
134509d5 803 sbsec->flags |= SE_SBGENFS;
c9180a57 804
eb9ae686
DQ		 805 if (!sbsec->behavior) {
806 /*
807 * Determine the labeling behavior to use for this
808 * filesystem type.
809 */
98f700f3 810 rc = security_fs_use(sb);
eb9ae686
DQ		 811 if (rc) {
812 printk(KERN_WARNING
813 "%s: security_fs_use(%s) returned %d\n",
814 __func__, sb->s_type->name, rc);
815 goto out;
816 }
c9180a57 817 }
aad82892
SF		 818
819 /*
01593d32
SS		 820 * If this is a user namespace mount and the filesystem type is not
821 * explicitly whitelisted, then no contexts are allowed on the command
822 * line and security labels must be ignored.
aad82892 823 */
01593d32
SS		 824 if (sb->s_user_ns != &init_user_ns &&
825 strcmp(sb->s_type->name, "tmpfs") &&
826 strcmp(sb->s_type->name, "ramfs") &&
827 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 828 if (context_sid || fscontext_sid || rootcontext_sid ||
829 defcontext_sid) {
830 rc = -EACCES;
831 goto out;
832 }
833 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
834 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
835 rc = security_transition_sid(current_sid(), current_sid(),
836 SECCLASS_FILE, NULL,
837 &sbsec->mntpoint_sid);
838 if (rc)
839 goto out;
840 }
841 goto out_set_opts;
842 }
843
c9180a57
EP		 844 /* sets the context of the superblock for the fs being mounted. */
845 if (fscontext_sid) {
275bb41e 846 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 847 if (rc)
c9180a57 848 goto out;
1da177e4 849
c9180a57 850 sbsec->sid = fscontext_sid;
c312feb2
EP		 851 }
852
853 /*
854 * Switch to using mount point labeling behavior.
855 * sets the label used on all file below the mountpoint, and will set
856 * the superblock context if not already set.
857 */
eb9ae686
DQ		 858 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
859 sbsec->behavior = SECURITY_FS_USE_NATIVE;
860 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
861 }
862
c9180a57
EP		 863 if (context_sid) {
864 if (!fscontext_sid) {
275bb41e
DH		 865 rc = may_context_mount_sb_relabel(context_sid, sbsec,
866 cred);
b04ea3ce 867 if (rc)
c9180a57
EP		 868 goto out;
869 sbsec->sid = context_sid;
b04ea3ce 870 } else {
275bb41e
DH		 871 rc = may_context_mount_inode_relabel(context_sid, sbsec,
872 cred);
b04ea3ce 873 if (rc)
c9180a57 874 goto out;
b04ea3ce 875 }
c9180a57
EP		 876 if (!rootcontext_sid)
877 rootcontext_sid = context_sid;
1da177e4 878
c9180a57 879 sbsec->mntpoint_sid = context_sid;
c312feb2 880 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 881 }
882
c9180a57 883 if (rootcontext_sid) {
275bb41e
DH		 884 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
885 cred);
0808925e 886 if (rc)
c9180a57 887 goto out;
0808925e 888
c9180a57 889 root_isec->sid = rootcontext_sid;
6f3be9f5 890 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 891 }
892
c9180a57 893 if (defcontext_sid) {
eb9ae686
DQ		 894 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
895 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 896 rc = -EINVAL;
897 printk(KERN_WARNING "SELinux: defcontext option is "
898 "invalid for this filesystem type\n");
899 goto out;
1da177e4
LT		 900 }
901
c9180a57
EP		 902 if (defcontext_sid != sbsec->def_sid) {
903 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 904 sbsec, cred);
c9180a57
EP		 905 if (rc)
906 goto out;
907 }
1da177e4 908
c9180a57 909 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 910 }
911
aad82892 912out_set_opts:
c9180a57 913 rc = sb_finish_set_opts(sb);
1da177e4 914out:
c9180a57 915 mutex_unlock(&sbsec->lock);
1da177e4 916 return rc;
c9180a57
EP		 917out_double_mount:
918 rc = -EINVAL;
919 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 920 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 921 goto out;
1da177e4
LT		 922}
923
094f7b69
JL		 924static int selinux_cmp_sb_context(const struct super_block *oldsb,
925 const struct super_block *newsb)
926{
33132849
JS		 927 struct superblock_security_struct *old = oldsb->s_security;
928 struct superblock_security_struct *new = newsb->s_security;
094f7b69
JL		 929 char oldflags = old->flags & SE_MNTMASK;
930 char newflags = new->flags & SE_MNTMASK;
931
932 if (oldflags != newflags)
933 goto mismatch;
934 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
935 goto mismatch;
936 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
937 goto mismatch;
938 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
939 goto mismatch;
940 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 941 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
942 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 943 if (oldroot->sid != newroot->sid)
944 goto mismatch;
945 }
946 return 0;
947mismatch:
948 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
949 "different security settings for (dev %s, "
950 "type %s)\n", newsb->s_id, newsb->s_type->name);
951 return -EBUSY;
952}
953
954static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 955 struct super_block *newsb,
956 unsigned long kern_flags,
957 unsigned long *set_kern_flags)
1da177e4 958{
0b4d3452 959 int rc = 0;
33132849
JS		 960 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
961 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 962
c9180a57
EP		 963 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
964 int set_context = (oldsbsec->flags & CONTEXT_MNT);
965 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 966
0f5e6420
EP		 967 /*
968 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 969 * mount options. thus we can safely deal with this superblock later
0f5e6420 970 */
e8c26255 971 if (!ss_initialized)
094f7b69 972 return 0;
c9180a57 973
0b4d3452
SM		 974 /*
975 * Specifying internal flags without providing a place to
976 * place the results is not allowed.
977 */
978 if (kern_flags && !set_kern_flags)
979 return -EINVAL;
980
c9180a57 981 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 982 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 983
094f7b69 984 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 985 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 986 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 987
c9180a57
EP		 988 mutex_lock(&newsbsec->lock);
989
990 newsbsec->flags = oldsbsec->flags;
991
992 newsbsec->sid = oldsbsec->sid;
993 newsbsec->def_sid = oldsbsec->def_sid;
994 newsbsec->behavior = oldsbsec->behavior;
995
0b4d3452
SM		 996 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
997 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
998 rc = security_fs_use(newsb);
999 if (rc)
1000 goto out;
1001 }
1002
1003 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1004 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1005 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1006 }
1007
c9180a57
EP		 1008 if (set_context) {
1009 u32 sid = oldsbsec->mntpoint_sid;
1010
1011 if (!set_fscontext)
1012 newsbsec->sid = sid;
1013 if (!set_rootcontext) {
33132849 1014 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 1015 newisec->sid = sid;
1016 }
1017 newsbsec->mntpoint_sid = sid;
1da177e4 1018 }
c9180a57 1019 if (set_rootcontext) {
33132849
JS		 1020 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1021 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 1022
c9180a57 1023 newisec->sid = oldisec->sid;
1da177e4
LT		 1024 }
1025
c9180a57 1026 sb_finish_set_opts(newsb);
0b4d3452 1027out:
c9180a57 1028 mutex_unlock(&newsbsec->lock);
0b4d3452 1029 return rc;
c9180a57
EP		 1030}
1031
2e1479d9
AB		 1032static int selinux_parse_opts_str(char *options,
1033 struct security_mnt_opts *opts)
c9180a57 1034{
e0007529 1035 char *p;
c9180a57
EP		 1036 char *context = NULL, *defcontext = NULL;
1037 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1038 int rc, num_mnt_opts = 0;
1da177e4 1039
e0007529 1040 opts->num_mnt_opts = 0;
1da177e4 1041
c9180a57
EP		 1042 /* Standard string-based options. */
1043 while ((p = strsep(&options, "|")) != NULL) {
1044 int token;
1045 substring_t args[MAX_OPT_ARGS];
1da177e4 1046
c9180a57
EP		 1047 if (!*p)
1048 continue;
1da177e4 1049
c9180a57 1050 token = match_token(p, tokens, args);
1da177e4 1051
c9180a57
EP		 1052 switch (token) {
1053 case Opt_context:
1054 if (context || defcontext) {
1055 rc = -EINVAL;
1056 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1057 goto out_err;
1058 }
1059 context = match_strdup(&args[0]);
1060 if (!context) {
1061 rc = -ENOMEM;
1062 goto out_err;
1063 }
1064 break;
1065
1066 case Opt_fscontext:
1067 if (fscontext) {
1068 rc = -EINVAL;
1069 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1070 goto out_err;
1071 }
1072 fscontext = match_strdup(&args[0]);
1073 if (!fscontext) {
1074 rc = -ENOMEM;
1075 goto out_err;
1076 }
1077 break;
1078
1079 case Opt_rootcontext:
1080 if (rootcontext) {
1081 rc = -EINVAL;
1082 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1083 goto out_err;
1084 }
1085 rootcontext = match_strdup(&args[0]);
1086 if (!rootcontext) {
1087 rc = -ENOMEM;
1088 goto out_err;
1089 }
1090 break;
1091
1092 case Opt_defcontext:
1093 if (context || defcontext) {
1094 rc = -EINVAL;
1095 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1096 goto out_err;
1097 }
1098 defcontext = match_strdup(&args[0]);
1099 if (!defcontext) {
1100 rc = -ENOMEM;
1101 goto out_err;
1102 }
1103 break;
11689d47
DQ		 1104 case Opt_labelsupport:
1105 break;
c9180a57
EP		 1106 default:
1107 rc = -EINVAL;
1108 printk(KERN_WARNING "SELinux: unknown mount option\n");
1109 goto out_err;
1da177e4 1110
1da177e4 1111 }
1da177e4 1112 }
c9180a57 1113
e0007529 1114 rc = -ENOMEM;
8931c3bd 1115 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1116 if (!opts->mnt_opts)
1117 goto out_err;
1118
8931c3bd
TH		 1119 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1120 GFP_KERNEL);
023f108d 1121 if (!opts->mnt_opts_flags)
e0007529 1122 goto out_err;
e0007529 1123
c9180a57 1124 if (fscontext) {
e0007529
EP		 1125 opts->mnt_opts[num_mnt_opts] = fscontext;
1126 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1127 }
1128 if (context) {
e0007529
EP		 1129 opts->mnt_opts[num_mnt_opts] = context;
1130 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1131 }
1132 if (rootcontext) {
e0007529
EP		 1133 opts->mnt_opts[num_mnt_opts] = rootcontext;
1134 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1135 }
1136 if (defcontext) {
e0007529
EP		 1137 opts->mnt_opts[num_mnt_opts] = defcontext;
1138 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1139 }
1140
e0007529
EP		 1141 opts->num_mnt_opts = num_mnt_opts;
1142 return 0;
1143
c9180a57 1144out_err:
023f108d 1145 security_free_mnt_opts(opts);
c9180a57
EP		 1146 kfree(context);
1147 kfree(defcontext);
1148 kfree(fscontext);
1149 kfree(rootcontext);
1da177e4
LT		 1150 return rc;
1151}
e0007529
EP		 1152/*
1153 * string mount options parsing and call set the sbsec
1154 */
1155static int superblock_doinit(struct super_block *sb, void *data)
1156{
1157 int rc = 0;
1158 char *options = data;
1159 struct security_mnt_opts opts;
1160
1161 security_init_mnt_opts(&opts);
1162
1163 if (!data)
1164 goto out;
1165
1166 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1167
1168 rc = selinux_parse_opts_str(options, &opts);
1169 if (rc)
1170 goto out_err;
1171
1172out:
649f6e77 1173 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1174
1175out_err:
1176 security_free_mnt_opts(&opts);
1177 return rc;
1178}
1da177e4 1179
3583a711
AB		 1180static void selinux_write_opts(struct seq_file *m,
1181 struct security_mnt_opts *opts)
2069f457
EP		 1182{
1183 int i;
1184 char *prefix;
1185
1186 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1187 char *has_comma;
1188
1189 if (opts->mnt_opts[i])
1190 has_comma = strchr(opts->mnt_opts[i], ',');
1191 else
1192 has_comma = NULL;
2069f457
EP		 1193
1194 switch (opts->mnt_opts_flags[i]) {
1195 case CONTEXT_MNT:
1196 prefix = CONTEXT_STR;
1197 break;
1198 case FSCONTEXT_MNT:
1199 prefix = FSCONTEXT_STR;
1200 break;
1201 case ROOTCONTEXT_MNT:
1202 prefix = ROOTCONTEXT_STR;
1203 break;
1204 case DEFCONTEXT_MNT:
1205 prefix = DEFCONTEXT_STR;
1206 break;
12f348b9 1207 case SBLABEL_MNT:
11689d47
DQ		 1208 seq_putc(m, ',');
1209 seq_puts(m, LABELSUPP_STR);
1210 continue;
2069f457
EP		 1211 default:
1212 BUG();
a35c6c83 1213 return;
2069f457
EP		 1214 };
1215 /* we need a comma before each option */
1216 seq_putc(m, ',');
1217 seq_puts(m, prefix);
1218 if (has_comma)
1219 seq_putc(m, '\"');
a068acf2 1220 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1221 if (has_comma)
1222 seq_putc(m, '\"');
1223 }
1224}
1225
1226static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1227{
1228 struct security_mnt_opts opts;
1229 int rc;
1230
1231 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1232 if (rc) {
1233 /* before policy load we may get EINVAL, don't show anything */
1234 if (rc == -EINVAL)
1235 rc = 0;
2069f457 1236 return rc;
383795c2 1237 }
2069f457
EP		 1238
1239 selinux_write_opts(m, &opts);
1240
1241 security_free_mnt_opts(&opts);
1242
1243 return rc;
1244}
1245
1da177e4
LT		 1246static inline u16 inode_mode_to_security_class(umode_t mode)
1247{
1248 switch (mode & S_IFMT) {
1249 case S_IFSOCK:
1250 return SECCLASS_SOCK_FILE;
1251 case S_IFLNK:
1252 return SECCLASS_LNK_FILE;
1253 case S_IFREG:
1254 return SECCLASS_FILE;
1255 case S_IFBLK:
1256 return SECCLASS_BLK_FILE;
1257 case S_IFDIR:
1258 return SECCLASS_DIR;
1259 case S_IFCHR:
1260 return SECCLASS_CHR_FILE;
1261 case S_IFIFO:
1262 return SECCLASS_FIFO_FILE;
1263
1264 }
1265
1266 return SECCLASS_FILE;
1267}
1268
13402580
JM		 1269static inline int default_protocol_stream(int protocol)
1270{
1271 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1272}
1273
1274static inline int default_protocol_dgram(int protocol)
1275{
1276 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1277}
1278
1da177e4
LT		 1279static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1280{
da69a530
SS		 1281 int extsockclass = selinux_policycap_extsockclass;
1282
1da177e4
LT		 1283 switch (family) {
1284 case PF_UNIX:
1285 switch (type) {
1286 case SOCK_STREAM:
1287 case SOCK_SEQPACKET:
1288 return SECCLASS_UNIX_STREAM_SOCKET;
1289 case SOCK_DGRAM:
1290 return SECCLASS_UNIX_DGRAM_SOCKET;
1291 }
1292 break;
1293 case PF_INET:
1294 case PF_INET6:
1295 switch (type) {
1296 case SOCK_STREAM:
da69a530 1297 case SOCK_SEQPACKET:
13402580
JM		 1298 if (default_protocol_stream(protocol))
1299 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1300 else if (extsockclass && protocol == IPPROTO_SCTP)
1301 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1302 else
1303 return SECCLASS_RAWIP_SOCKET;
1da177e4 1304 case SOCK_DGRAM:
13402580
JM		 1305 if (default_protocol_dgram(protocol))
1306 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1307 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1308 protocol == IPPROTO_ICMPV6))
da69a530 1309 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1310 else
1311 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1312 case SOCK_DCCP:
1313 return SECCLASS_DCCP_SOCKET;
13402580 1314 default:
1da177e4
LT		 1315 return SECCLASS_RAWIP_SOCKET;
1316 }
1317 break;
1318 case PF_NETLINK:
1319 switch (protocol) {
1320 case NETLINK_ROUTE:
1321 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1322 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1323 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1324 case NETLINK_NFLOG:
1325 return SECCLASS_NETLINK_NFLOG_SOCKET;
1326 case NETLINK_XFRM:
1327 return SECCLASS_NETLINK_XFRM_SOCKET;
1328 case NETLINK_SELINUX:
1329 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1330 case NETLINK_ISCSI:
1331 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1332 case NETLINK_AUDIT:
1333 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1334 case NETLINK_FIB_LOOKUP:
1335 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1336 case NETLINK_CONNECTOR:
1337 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1338 case NETLINK_NETFILTER:
1339 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1340 case NETLINK_DNRTMSG:
1341 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1342 case NETLINK_KOBJECT_UEVENT:
1343 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1344 case NETLINK_GENERIC:
1345 return SECCLASS_NETLINK_GENERIC_SOCKET;
1346 case NETLINK_SCSITRANSPORT:
1347 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1348 case NETLINK_RDMA:
1349 return SECCLASS_NETLINK_RDMA_SOCKET;
1350 case NETLINK_CRYPTO:
1351 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1352 default:
1353 return SECCLASS_NETLINK_SOCKET;
1354 }
1355 case PF_PACKET:
1356 return SECCLASS_PACKET_SOCKET;
1357 case PF_KEY:
1358 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1359 case PF_APPLETALK:
1360 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1361 }
1362
da69a530
SS		 1363 if (extsockclass) {
1364 switch (family) {
1365 case PF_AX25:
1366 return SECCLASS_AX25_SOCKET;
1367 case PF_IPX:
1368 return SECCLASS_IPX_SOCKET;
1369 case PF_NETROM:
1370 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1371 case PF_ATMPVC:
1372 return SECCLASS_ATMPVC_SOCKET;
1373 case PF_X25:
1374 return SECCLASS_X25_SOCKET;
1375 case PF_ROSE:
1376 return SECCLASS_ROSE_SOCKET;
1377 case PF_DECnet:
1378 return SECCLASS_DECNET_SOCKET;
1379 case PF_ATMSVC:
1380 return SECCLASS_ATMSVC_SOCKET;
1381 case PF_RDS:
1382 return SECCLASS_RDS_SOCKET;
1383 case PF_IRDA:
1384 return SECCLASS_IRDA_SOCKET;
1385 case PF_PPPOX:
1386 return SECCLASS_PPPOX_SOCKET;
1387 case PF_LLC:
1388 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1389 case PF_CAN:
1390 return SECCLASS_CAN_SOCKET;
1391 case PF_TIPC:
1392 return SECCLASS_TIPC_SOCKET;
1393 case PF_BLUETOOTH:
1394 return SECCLASS_BLUETOOTH_SOCKET;
1395 case PF_IUCV:
1396 return SECCLASS_IUCV_SOCKET;
1397 case PF_RXRPC:
1398 return SECCLASS_RXRPC_SOCKET;
1399 case PF_ISDN:
1400 return SECCLASS_ISDN_SOCKET;
1401 case PF_PHONET:
1402 return SECCLASS_PHONET_SOCKET;
1403 case PF_IEEE802154:
1404 return SECCLASS_IEEE802154_SOCKET;
1405 case PF_CAIF:
1406 return SECCLASS_CAIF_SOCKET;
1407 case PF_ALG:
1408 return SECCLASS_ALG_SOCKET;
1409 case PF_NFC:
1410 return SECCLASS_NFC_SOCKET;
1411 case PF_VSOCK:
1412 return SECCLASS_VSOCK_SOCKET;
1413 case PF_KCM:
1414 return SECCLASS_KCM_SOCKET;
1415 case PF_QIPCRTR:
1416 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1417 case PF_SMC:
1418 return SECCLASS_SMC_SOCKET;
1419#if PF_MAX > 44
da69a530
SS		 1420#error New address family defined, please update this function.
1421#endif
1422 }
1423 }
1424
1da177e4
LT		 1425 return SECCLASS_SOCKET;
1426}
1427
134509d5
SS		 1428static int selinux_genfs_get_sid(struct dentry *dentry,
1429 u16 tclass,
1430 u16 flags,
1431 u32 *sid)
1da177e4 1432{
8e6c9693 1433 int rc;
fc64005c 1434 struct super_block *sb = dentry->d_sb;
8e6c9693 1435 char *buffer, *path;
1da177e4 1436
828dfe1d 1437 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1438 if (!buffer)
1439 return -ENOMEM;
1440
8e6c9693
LAG		 1441 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1442 if (IS_ERR(path))
1443 rc = PTR_ERR(path);
1444 else {
134509d5
SS		 1445 if (flags & SE_SBPROC) {
1446 /* each process gets a /proc/PID/ entry. Strip off the
1447 * PID part to get a valid selinux labeling.
1448 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1449 while (path[1] >= '0' && path[1] <= '9') {
1450 path[1] = '/';
1451 path++;
1452 }
8e6c9693 1453 }
134509d5 1454 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1455 }
1da177e4
LT		 1456 free_page((unsigned long)buffer);
1457 return rc;
1458}
1da177e4
LT		 1459
1460/* The inode's security attributes must be initialized before first use. */
1461static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1462{
1463 struct superblock_security_struct *sbsec = NULL;
33132849 1464 struct inode_security_struct *isec = inode->i_security;
9287aed2
AG		 1465 u32 task_sid, sid = 0;
1466 u16 sclass;
1da177e4
LT		 1467 struct dentry *dentry;
1468#define INITCONTEXTLEN 255
1469 char *context = NULL;
1470 unsigned len = 0;
1471 int rc = 0;
1da177e4 1472
6f3be9f5 1473 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1474 return 0;
1da177e4 1475
9287aed2 1476 spin_lock(&isec->lock);
6f3be9f5 1477 if (isec->initialized == LABEL_INITIALIZED)
23970741 1478 goto out_unlock;
1da177e4 1479
13457d07
AG		 1480 if (isec->sclass == SECCLASS_FILE)
1481 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1482
33132849 1483 sbsec = inode->i_sb->s_security;
0d90a7ec 1484 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1485 /* Defer initialization until selinux_complete_init,
1486 after the initial policy is loaded and the security
1487 server is ready to handle calls. */
1488 spin_lock(&sbsec->isec_lock);
1489 if (list_empty(&isec->list))
1490 list_add(&isec->list, &sbsec->isec_head);
1491 spin_unlock(&sbsec->isec_lock);
23970741 1492 goto out_unlock;
1da177e4
LT		 1493 }
1494
9287aed2
AG		 1495 sclass = isec->sclass;
1496 task_sid = isec->task_sid;
1497 sid = isec->sid;
1498 isec->initialized = LABEL_PENDING;
1499 spin_unlock(&isec->lock);
1500
1da177e4 1501 switch (sbsec->behavior) {
eb9ae686
DQ		 1502 case SECURITY_FS_USE_NATIVE:
1503 break;
1da177e4 1504 case SECURITY_FS_USE_XATTR:
5d6c3191 1505 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1506 sid = sbsec->def_sid;
1da177e4
LT		 1507 break;
1508 }
1da177e4
LT		 1509 /* Need a dentry, since the xattr API requires one.
1510 Life would be simpler if we could just pass the inode. */
1511 if (opt_dentry) {
1512 /* Called from d_instantiate or d_splice_alias. */
1513 dentry = dget(opt_dentry);
1514 } else {
1515 /* Called from selinux_complete_init, try to find a dentry. */
1516 dentry = d_find_alias(inode);
1517 }
1518 if (!dentry) {
df7f54c0
EP		 1519 /*
1520 * this is can be hit on boot when a file is accessed
1521 * before the policy is loaded. When we load policy we
1522 * may find inodes that have no dentry on the
1523 * sbsec->isec_head list. No reason to complain as these
1524 * will get fixed up the next time we go through
1525 * inode_doinit with a dentry, before these inodes could
1526 * be used again by userspace.
1527 */
9287aed2 1528 goto out;
1da177e4
LT		 1529 }
1530
1531 len = INITCONTEXTLEN;
4cb912f1 1532 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1533 if (!context) {
1534 rc = -ENOMEM;
1535 dput(dentry);
9287aed2 1536 goto out;
1da177e4 1537 }
4cb912f1 1538 context[len] = '\0';
5d6c3191 1539 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1540 if (rc == -ERANGE) {
314dabb8
JM		 1541 kfree(context);
1542
1da177e4 1543 /* Need a larger buffer. Query for the right size. */
5d6c3191 1544 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1545 if (rc < 0) {
1546 dput(dentry);
9287aed2 1547 goto out;
1da177e4 1548 }
1da177e4 1549 len = rc;
4cb912f1 1550 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1551 if (!context) {
1552 rc = -ENOMEM;
1553 dput(dentry);
9287aed2 1554 goto out;
1da177e4 1555 }
4cb912f1 1556 context[len] = '\0';
5d6c3191 1557 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1558 }
1559 dput(dentry);
1560 if (rc < 0) {
1561 if (rc != -ENODATA) {
744ba35e 1562 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1563 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1564 -rc, inode->i_sb->s_id, inode->i_ino);
1565 kfree(context);
9287aed2 1566 goto out;
1da177e4
LT		 1567 }
1568 /* Map ENODATA to the default file SID */
1569 sid = sbsec->def_sid;
1570 rc = 0;
1571 } else {
f5c1d5b2 1572 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1573 sbsec->def_sid,
1574 GFP_NOFS);
1da177e4 1575 if (rc) {
4ba0a8ad
EP		 1576 char *dev = inode->i_sb->s_id;
1577 unsigned long ino = inode->i_ino;
1578
1579 if (rc == -EINVAL) {
1580 if (printk_ratelimit())
1581 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1582 "context=%s. This indicates you may need to relabel the inode or the "
1583 "filesystem in question.\n", ino, dev, context);
1584 } else {
1585 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1586 "returned %d for dev=%s ino=%ld\n",
1587 __func__, context, -rc, dev, ino);
1588 }
1da177e4
LT		 1589 kfree(context);
1590 /* Leave with the unlabeled SID */
1591 rc = 0;
1592 break;
1593 }
1594 }
1595 kfree(context);
1da177e4
LT		 1596 break;
1597 case SECURITY_FS_USE_TASK:
9287aed2 1598 sid = task_sid;
1da177e4
LT		 1599 break;
1600 case SECURITY_FS_USE_TRANS:
1601 /* Default to the fs SID. */
9287aed2 1602 sid = sbsec->sid;
1da177e4
LT		 1603
1604 /* Try to obtain a transition SID. */
9287aed2 1605 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1606 if (rc)
9287aed2 1607 goto out;
1da177e4 1608 break;
c312feb2 1609 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1610 sid = sbsec->mntpoint_sid;
c312feb2 1611 break;
1da177e4 1612 default:
c312feb2 1613 /* Default to the fs superblock SID. */
9287aed2 1614 sid = sbsec->sid;
1da177e4 1615
134509d5 1616 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1617 /* We must have a dentry to determine the label on
1618 * procfs inodes */
1619 if (opt_dentry)
1620 /* Called from d_instantiate or
1621 * d_splice_alias. */
1622 dentry = dget(opt_dentry);
1623 else
1624 /* Called from selinux_complete_init, try to
1625 * find a dentry. */
1626 dentry = d_find_alias(inode);
1627 /*
1628 * This can be hit on boot when a file is accessed
1629 * before the policy is loaded. When we load policy we
1630 * may find inodes that have no dentry on the
1631 * sbsec->isec_head list. No reason to complain as
1632 * these will get fixed up the next time we go through
1633 * inode_doinit() with a dentry, before these inodes
1634 * could be used again by userspace.
1635 */
1636 if (!dentry)
9287aed2
AG		 1637 goto out;
1638 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1639 sbsec->flags, &sid);
f64410ec
PM		 1640 dput(dentry);
1641 if (rc)
9287aed2 1642 goto out;
1da177e4
LT		 1643 }
1644 break;
1645 }
1646
9287aed2
AG		 1647out:
1648 spin_lock(&isec->lock);
1649 if (isec->initialized == LABEL_PENDING) {
1650 if (!sid || rc) {
1651 isec->initialized = LABEL_INVALID;
1652 goto out_unlock;
1653 }
1654
1655 isec->initialized = LABEL_INITIALIZED;
1656 isec->sid = sid;
1657 }
1da177e4 1658
23970741 1659out_unlock:
9287aed2 1660 spin_unlock(&isec->lock);
1da177e4
LT		 1661 return rc;
1662}
1663
1664/* Convert a Linux signal to an access vector. */
1665static inline u32 signal_to_av(int sig)
1666{
1667 u32 perm = 0;
1668
1669 switch (sig) {
1670 case SIGCHLD:
1671 /* Commonly granted from child to parent. */
1672 perm = PROCESS__SIGCHLD;
1673 break;
1674 case SIGKILL:
1675 /* Cannot be caught or ignored */
1676 perm = PROCESS__SIGKILL;
1677 break;
1678 case SIGSTOP:
1679 /* Cannot be caught or ignored */
1680 perm = PROCESS__SIGSTOP;
1681 break;
1682 default:
1683 /* All other signals. */
1684 perm = PROCESS__SIGNAL;
1685 break;
1686 }
1687
1688 return perm;
1689}
1690
b68e418c
SS		 1691#if CAP_LAST_CAP > 63
1692#error Fix SELinux to handle capabilities > 63.
1693#endif
1694
1da177e4 1695/* Check whether a task is allowed to use a capability. */
6a9de491 1696static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1697 int cap, int audit, bool initns)
1da177e4 1698{
2bf49690 1699 struct common_audit_data ad;
06112163 1700 struct av_decision avd;
b68e418c 1701 u16 sclass;
3699c53c 1702 u32 sid = cred_sid(cred);
b68e418c 1703 u32 av = CAP_TO_MASK(cap);
06112163 1704 int rc;
1da177e4 1705
50c205f5 1706 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1707 ad.u.cap = cap;
1708
b68e418c
SS		 1709 switch (CAP_TO_INDEX(cap)) {
1710 case 0:
8e4ff6f2 1711 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1712 break;
1713 case 1:
8e4ff6f2 1714 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1715 break;
1716 default:
1717 printk(KERN_ERR
1718 "SELinux: out of range capability %d\n", cap);
1719 BUG();
a35c6c83 1720 return -EINVAL;
b68e418c 1721 }
06112163 1722
275bb41e 1723 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1724 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1725 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1726 if (rc2)
1727 return rc2;
1728 }
06112163 1729 return rc;
1da177e4
LT		 1730}
1731
1da177e4
LT		 1732/* Check whether a task has a particular permission to an inode.
1733 The 'adp' parameter is optional and allows other audit
1734 data to be passed (e.g. the dentry). */
88e67f3b 1735static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1736 struct inode *inode,
1737 u32 perms,
19e49834 1738 struct common_audit_data *adp)
1da177e4 1739{
1da177e4 1740 struct inode_security_struct *isec;
275bb41e 1741 u32 sid;
1da177e4 1742
e0e81739
DH		 1743 validate_creds(cred);
1744
828dfe1d 1745 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1746 return 0;
1747
88e67f3b 1748 sid = cred_sid(cred);
33132849 1749 isec = inode->i_security;
1da177e4 1750
19e49834 1751 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1752}
1753
1754/* Same as inode_has_perm, but pass explicit audit data containing
1755 the dentry to help the auditing code to more easily generate the
1756 pathname if needed. */
88e67f3b 1757static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1758 struct dentry *dentry,
1759 u32 av)
1760{
c6f493d6 1761 struct inode *inode = d_backing_inode(dentry);
2bf49690 1762 struct common_audit_data ad;
88e67f3b 1763
50c205f5 1764 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1765 ad.u.dentry = dentry;
5d226df4 1766 __inode_security_revalidate(inode, dentry, true);
19e49834 1767 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1768}
1769
1770/* Same as inode_has_perm, but pass explicit audit data containing
1771 the path to help the auditing code to more easily generate the
1772 pathname if needed. */
1773static inline int path_has_perm(const struct cred *cred,
3f7036a0 1774 const struct path *path,
2875fa00
EP		 1775 u32 av)
1776{
c6f493d6 1777 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1778 struct common_audit_data ad;
1779
50c205f5 1780 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1781 ad.u.path = *path;
5d226df4 1782 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1783 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1784}
1785
13f8e981
DH		 1786/* Same as path_has_perm, but uses the inode from the file struct. */
1787static inline int file_path_has_perm(const struct cred *cred,
1788 struct file *file,
1789 u32 av)
1790{
1791 struct common_audit_data ad;
1792
43af5de7
VG		 1793 ad.type = LSM_AUDIT_DATA_FILE;
1794 ad.u.file = file;
19e49834 1795 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1796}
1797
1da177e4
LT		 1798/* Check whether a task can use an open file descriptor to
1799 access an inode in a given way. Check access to the
1800 descriptor itself, and then use dentry_has_perm to
1801 check a particular permission to the file.
1802 Access to the descriptor is implicitly granted if it
1803 has the same SID as the process. If av is zero, then
1804 access to the file is not checked, e.g. for cases
1805 where only the descriptor is affected like seek. */
88e67f3b
DH		 1806static int file_has_perm(const struct cred *cred,
1807 struct file *file,
1808 u32 av)
1da177e4 1809{
004c5200 1810 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1811 struct inode *inode = file_inode(file);
2bf49690 1812 struct common_audit_data ad;
88e67f3b 1813 u32 sid = cred_sid(cred);
1da177e4
LT		 1814 int rc;
1815
43af5de7
VG		 1816 ad.type = LSM_AUDIT_DATA_FILE;
1817 ad.u.file = file;
1da177e4 1818
275bb41e
DH		 1819 if (sid != fsec->sid) {
1820 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1821 SECCLASS_FD,
1822 FD__USE,
1823 &ad);
1824 if (rc)
88e67f3b 1825 goto out;
1da177e4
LT		 1826 }
1827
1828 /* av is zero if only checking access to the descriptor. */
88e67f3b 1829 rc = 0;
1da177e4 1830 if (av)
19e49834 1831 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1832
88e67f3b
DH		 1833out:
1834 return rc;
1da177e4
LT		 1835}
1836
c3c188b2
DH		 1837/*
1838 * Determine the label for an inode that might be unioned.
1839 */
c957f6df
VG		 1840static int
1841selinux_determine_inode_label(const struct task_security_struct *tsec,
1842 struct inode *dir,
1843 const struct qstr *name, u16 tclass,
1844 u32 *_new_isid)
c3c188b2 1845{
33132849 1846 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1847
1848 if ((sbsec->flags & SE_SBINITIALIZED) &&
1849 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1850 *_new_isid = sbsec->mntpoint_sid;
1851 } else if ((sbsec->flags & SBLABEL_MNT) &&
1852 tsec->create_sid) {
1853 *_new_isid = tsec->create_sid;
1854 } else {
20cdef8d 1855 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1856 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1857 name, _new_isid);
1858 }
1859
1860 return 0;
1861}
1862
1da177e4
LT		 1863/* Check whether a task can create a file. */
1864static int may_create(struct inode *dir,
1865 struct dentry *dentry,
1866 u16 tclass)
1867{
98738d70 1868 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1869 struct inode_security_struct *dsec;
1870 struct superblock_security_struct *sbsec;
275bb41e 1871 u32 sid, newsid;
2bf49690 1872 struct common_audit_data ad;
1da177e4
LT		 1873 int rc;
1874
83da53c5 1875 dsec = inode_security(dir);
33132849 1876 sbsec = dir->i_sb->s_security;
1da177e4 1877
275bb41e 1878 sid = tsec->sid;
275bb41e 1879
50c205f5 1880 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1881 ad.u.dentry = dentry;
1da177e4 1882
275bb41e 1883 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1884 DIR__ADD_NAME | DIR__SEARCH,
1885 &ad);
1886 if (rc)
1887 return rc;
1888
98738d70 1889 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
c957f6df 1890 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1891 if (rc)
1892 return rc;
1da177e4 1893
275bb41e 1894 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1895 if (rc)
1896 return rc;
1897
1898 return avc_has_perm(newsid, sbsec->sid,
1899 SECCLASS_FILESYSTEM,
1900 FILESYSTEM__ASSOCIATE, &ad);
1901}
1902
828dfe1d
EP		 1903#define MAY_LINK 0
1904#define MAY_UNLINK 1
1905#define MAY_RMDIR 2
1da177e4
LT		 1906
1907/* Check whether a task can link, unlink, or rmdir a file/directory. */
1908static int may_link(struct inode *dir,
1909 struct dentry *dentry,
1910 int kind)
1911
1912{
1da177e4 1913 struct inode_security_struct *dsec, *isec;
2bf49690 1914 struct common_audit_data ad;
275bb41e 1915 u32 sid = current_sid();
1da177e4
LT		 1916 u32 av;
1917 int rc;
1918
83da53c5
AG		 1919 dsec = inode_security(dir);
1920 isec = backing_inode_security(dentry);
1da177e4 1921
50c205f5 1922 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1923 ad.u.dentry = dentry;
1da177e4
LT		 1924
1925 av = DIR__SEARCH;
1926 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1927 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1928 if (rc)
1929 return rc;
1930
1931 switch (kind) {
1932 case MAY_LINK:
1933 av = FILE__LINK;
1934 break;
1935 case MAY_UNLINK:
1936 av = FILE__UNLINK;
1937 break;
1938 case MAY_RMDIR:
1939 av = DIR__RMDIR;
1940 break;
1941 default:
744ba35e
EP		 1942 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1943 __func__, kind);
1da177e4
LT		 1944 return 0;
1945 }
1946
275bb41e 1947 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1948 return rc;
1949}
1950
1951static inline int may_rename(struct inode *old_dir,
1952 struct dentry *old_dentry,
1953 struct inode *new_dir,
1954 struct dentry *new_dentry)
1955{
1da177e4 1956 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1957 struct common_audit_data ad;
275bb41e 1958 u32 sid = current_sid();
1da177e4
LT		 1959 u32 av;
1960 int old_is_dir, new_is_dir;
1961 int rc;
1962
83da53c5
AG		 1963 old_dsec = inode_security(old_dir);
1964 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1965 old_is_dir = d_is_dir(old_dentry);
83da53c5 1966 new_dsec = inode_security(new_dir);
1da177e4 1967
50c205f5 1968 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1969
a269434d 1970 ad.u.dentry = old_dentry;
275bb41e 1971 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1972 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1973 if (rc)
1974 return rc;
275bb41e 1975 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1976 old_isec->sclass, FILE__RENAME, &ad);
1977 if (rc)
1978 return rc;
1979 if (old_is_dir && new_dir != old_dir) {
275bb41e 1980 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1981 old_isec->sclass, DIR__REPARENT, &ad);
1982 if (rc)
1983 return rc;
1984 }
1985
a269434d 1986 ad.u.dentry = new_dentry;
1da177e4 1987 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1988 if (d_is_positive(new_dentry))
1da177e4 1989 av |= DIR__REMOVE_NAME;
275bb41e 1990 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1991 if (rc)
1992 return rc;
2c616d4d 1993 if (d_is_positive(new_dentry)) {
83da53c5 1994 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1995 new_is_dir = d_is_dir(new_dentry);
275bb41e 1996 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1997 new_isec->sclass,
1998 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1999 if (rc)
2000 return rc;
2001 }
2002
2003 return 0;
2004}
2005
2006/* Check whether a task can perform a filesystem operation. */
88e67f3b 2007static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2008 struct super_block *sb,
2009 u32 perms,
2bf49690 2010 struct common_audit_data *ad)
1da177e4 2011{
1da177e4 2012 struct superblock_security_struct *sbsec;
88e67f3b 2013 u32 sid = cred_sid(cred);
1da177e4 2014
33132849 2015 sbsec = sb->s_security;
275bb41e 2016 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2017}
2018
2019/* Convert a Linux mode and permission mask to an access vector. */
2020static inline u32 file_mask_to_av(int mode, int mask)
2021{
2022 u32 av = 0;
2023
dba19c60 2024 if (!S_ISDIR(mode)) {
1da177e4
LT		 2025 if (mask & MAY_EXEC)
2026 av |= FILE__EXECUTE;
2027 if (mask & MAY_READ)
2028 av |= FILE__READ;
2029
2030 if (mask & MAY_APPEND)
2031 av |= FILE__APPEND;
2032 else if (mask & MAY_WRITE)
2033 av |= FILE__WRITE;
2034
2035 } else {
2036 if (mask & MAY_EXEC)
2037 av |= DIR__SEARCH;
2038 if (mask & MAY_WRITE)
2039 av |= DIR__WRITE;
2040 if (mask & MAY_READ)
2041 av |= DIR__READ;
2042 }
2043
2044 return av;
2045}
2046
8b6a5a37
EP		 2047/* Convert a Linux file to an access vector. */
2048static inline u32 file_to_av(struct file *file)
2049{
2050 u32 av = 0;
2051
2052 if (file->f_mode & FMODE_READ)
2053 av |= FILE__READ;
2054 if (file->f_mode & FMODE_WRITE) {
2055 if (file->f_flags & O_APPEND)
2056 av |= FILE__APPEND;
2057 else
2058 av |= FILE__WRITE;
2059 }
2060 if (!av) {
2061 /*
2062 * Special file opened with flags 3 for ioctl-only use.
2063 */
2064 av = FILE__IOCTL;
2065 }
2066
2067 return av;
2068}
2069
b0c636b9 2070/*
8b6a5a37 2071 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2072 * open permission.
2073 */
8b6a5a37 2074static inline u32 open_file_to_av(struct file *file)
b0c636b9 2075{
8b6a5a37 2076 u32 av = file_to_av(file);
ccb54478 2077 struct inode *inode = file_inode(file);
b0c636b9 2078
ccb54478 2079 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2080 av |= FILE__OPEN;
2081
b0c636b9
EP		 2082 return av;
2083}
2084
1da177e4
LT		 2085/* Hook functions begin here. */
2086
79af7307
SS		 2087static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2088{
2089 u32 mysid = current_sid();
2090 u32 mgrsid = task_sid(mgr);
2091
2092 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2093 BINDER__SET_CONTEXT_MGR, NULL);
2094}
2095
2096static int selinux_binder_transaction(struct task_struct *from,
2097 struct task_struct *to)
2098{
2099 u32 mysid = current_sid();
2100 u32 fromsid = task_sid(from);
2101 u32 tosid = task_sid(to);
2102 int rc;
2103
2104 if (mysid != fromsid) {
2105 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2106 BINDER__IMPERSONATE, NULL);
2107 if (rc)
2108 return rc;
2109 }
2110
2111 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2112 NULL);
2113}
2114
2115static int selinux_binder_transfer_binder(struct task_struct *from,
2116 struct task_struct *to)
2117{
2118 u32 fromsid = task_sid(from);
2119 u32 tosid = task_sid(to);
2120
2121 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2122 NULL);
2123}
2124
2125static int selinux_binder_transfer_file(struct task_struct *from,
2126 struct task_struct *to,
2127 struct file *file)
2128{
2129 u32 sid = task_sid(to);
004c5200 2130 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2131 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2132 struct inode_security_struct *isec;
79af7307
SS		 2133 struct common_audit_data ad;
2134 int rc;
2135
2136 ad.type = LSM_AUDIT_DATA_PATH;
2137 ad.u.path = file->f_path;
2138
2139 if (sid != fsec->sid) {
2140 rc = avc_has_perm(sid, fsec->sid,
2141 SECCLASS_FD,
2142 FD__USE,
2143 &ad);
2144 if (rc)
2145 return rc;
2146 }
2147
83da53c5 2148 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2149 return 0;
2150
20cdef8d 2151 isec = backing_inode_security(dentry);
79af7307
SS		 2152 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2153 &ad);
2154}
2155
9e48858f 2156static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2157 unsigned int mode)
1da177e4 2158{
be0554c9
SS		 2159 u32 sid = current_sid();
2160 u32 csid = task_sid(child);
2161
2162 if (mode & PTRACE_MODE_READ)
275bb41e 2163 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2164
be0554c9 2165 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2166}
2167
2168static int selinux_ptrace_traceme(struct task_struct *parent)
2169{
be0554c9
SS		 2170 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2171 PROCESS__PTRACE, NULL);
1da177e4
LT		 2172}
2173
2174static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2175 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2176{
be0554c9
SS		 2177 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2178 PROCESS__GETCAP, NULL);
1da177e4
LT		 2179}
2180
d84f4f99
DH		 2181static int selinux_capset(struct cred *new, const struct cred *old,
2182 const kernel_cap_t *effective,
2183 const kernel_cap_t *inheritable,
2184 const kernel_cap_t *permitted)
1da177e4 2185{
be0554c9
SS		 2186 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2187 PROCESS__SETCAP, NULL);
1da177e4
LT		 2188}
2189
5626d3e8
JM		 2190/*
2191 * (This comment used to live with the selinux_task_setuid hook,
2192 * which was removed).
2193 *
2194 * Since setuid only affects the current process, and since the SELinux
2195 * controls are not based on the Linux identity attributes, SELinux does not
2196 * need to control this operation. However, SELinux does control the use of
2197 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2198 */
2199
6a9de491
EP		 2200static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2201 int cap, int audit)
1da177e4 2202{
8e4ff6f2 2203 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2204}
2205
1da177e4
LT		 2206static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2207{
88e67f3b 2208 const struct cred *cred = current_cred();
1da177e4
LT		 2209 int rc = 0;
2210
2211 if (!sb)
2212 return 0;
2213
2214 switch (cmds) {
828dfe1d
EP		 2215 case Q_SYNC:
2216 case Q_QUOTAON:
2217 case Q_QUOTAOFF:
2218 case Q_SETINFO:
2219 case Q_SETQUOTA:
88e67f3b 2220 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2221 break;
2222 case Q_GETFMT:
2223 case Q_GETINFO:
2224 case Q_GETQUOTA:
88e67f3b 2225 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2226 break;
2227 default:
2228 rc = 0; /* let the kernel handle invalid cmds */
2229 break;
1da177e4
LT		 2230 }
2231 return rc;
2232}
2233
2234static int selinux_quota_on(struct dentry *dentry)
2235{
88e67f3b
DH		 2236 const struct cred *cred = current_cred();
2237
2875fa00 2238 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2239}
2240
12b3052c 2241static int selinux_syslog(int type)
1da177e4 2242{
1da177e4 2243 switch (type) {
d78ca3cd
KC		 2244 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2245 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2246 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2247 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2248 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2249 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2250 /* Set level of messages printed to console */
2251 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2252 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2253 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2254 NULL);
1da177e4 2255 }
be0554c9
SS		 2256 /* All other syslog types */
2257 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2258 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2259}
2260
2261/*
2262 * Check that a process has enough memory to allocate a new virtual
2263 * mapping. 0 means there is enough memory for the allocation to
2264 * succeed and -ENOMEM implies there is not.
2265 *
1da177e4
LT		 2266 * Do not audit the selinux permission check, as this is applied to all
2267 * processes that allocate mappings.
2268 */
34b4e4aa 2269static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2270{
2271 int rc, cap_sys_admin = 0;
1da177e4 2272
b1d9e6b0 2273 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2274 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2275 if (rc == 0)
2276 cap_sys_admin = 1;
2277
b1d9e6b0 2278 return cap_sys_admin;
1da177e4
LT		 2279}
2280
2281/* binprm security operations */
2282
be0554c9 2283static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2284{
2285 u32 sid = 0;
2286 struct task_struct *tracer;
2287
2288 rcu_read_lock();
be0554c9 2289 tracer = ptrace_parent(current);
0c6181cb
PM		 2290 if (tracer)
2291 sid = task_sid(tracer);
2292 rcu_read_unlock();
2293
2294 return sid;
2295}
2296
7b0d0b40
SS		 2297static int check_nnp_nosuid(const struct linux_binprm *bprm,
2298 const struct task_security_struct *old_tsec,
2299 const struct task_security_struct *new_tsec)
2300{
2301 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
0dc04886 2302 int nosuid = path_nosuid(&bprm->file->f_path);
7b0d0b40
SS		 2303 int rc;
2304
2305 if (!nnp && !nosuid)
2306 return 0; /* neither NNP nor nosuid */
2307
2308 if (new_tsec->sid == old_tsec->sid)
2309 return 0; /* No change in credentials */
2310
2311 /*
2312 * The only transitions we permit under NNP or nosuid
2313 * are transitions to bounded SIDs, i.e. SIDs that are
2314 * guaranteed to only be allowed a subset of the permissions
2315 * of the current SID.
2316 */
2317 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2318 if (rc) {
2319 /*
2320 * On failure, preserve the errno values for NNP vs nosuid.
2321 * NNP: Operation not permitted for caller.
2322 * nosuid: Permission denied to file.
2323 */
2324 if (nnp)
2325 return -EPERM;
2326 else
2327 return -EACCES;
2328 }
2329 return 0;
2330}
2331
a6f76f23 2332static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2333{
a6f76f23
DH		 2334 const struct task_security_struct *old_tsec;
2335 struct task_security_struct *new_tsec;
1da177e4 2336 struct inode_security_struct *isec;
2bf49690 2337 struct common_audit_data ad;
496ad9aa 2338 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2339 int rc;
2340
a6f76f23
DH		 2341 /* SELinux context only depends on initial program or script and not
2342 * the script interpreter */
2343 if (bprm->cred_prepared)
1da177e4
LT		 2344 return 0;
2345
98738d70
CS		 2346 old_tsec = selinux_cred(current_cred());
2347 new_tsec = selinux_cred(bprm->cred);
83da53c5 2348 isec = inode_security(inode);
1da177e4
LT		 2349
2350 /* Default to the current task SID. */
a6f76f23
DH		 2351 new_tsec->sid = old_tsec->sid;
2352 new_tsec->osid = old_tsec->sid;
1da177e4 2353
28eba5bf 2354 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2355 new_tsec->create_sid = 0;
2356 new_tsec->keycreate_sid = 0;
2357 new_tsec->sockcreate_sid = 0;
1da177e4 2358
a6f76f23
DH		 2359 if (old_tsec->exec_sid) {
2360 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2361 /* Reset exec SID on execve. */
a6f76f23 2362 new_tsec->exec_sid = 0;
259e5e6c 2363
7b0d0b40
SS		 2364 /* Fail on NNP or nosuid if not an allowed transition. */
2365 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2366 if (rc)
2367 return rc;
1da177e4
LT		 2368 } else {
2369 /* Check for a default transition on this program. */
a6f76f23 2370 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2371 SECCLASS_PROCESS, NULL,
2372 &new_tsec->sid);
1da177e4
LT		 2373 if (rc)
2374 return rc;
7b0d0b40
SS		 2375
2376 /*
2377 * Fallback to old SID on NNP or nosuid if not an allowed
2378 * transition.
2379 */
2380 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2381 if (rc)
2382 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2383 }
2384
43af5de7
VG		 2385 ad.type = LSM_AUDIT_DATA_FILE;
2386 ad.u.file = bprm->file;
1da177e4 2387
a6f76f23
DH		 2388 if (new_tsec->sid == old_tsec->sid) {
2389 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2390 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2391 if (rc)
2392 return rc;
2393 } else {
2394 /* Check permissions for the transition. */
a6f76f23 2395 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2396 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2397 if (rc)
2398 return rc;
2399
a6f76f23 2400 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2401 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2402 if (rc)
2403 return rc;
2404
a6f76f23
DH		 2405 /* Check for shared state */
2406 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2407 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2408 SECCLASS_PROCESS, PROCESS__SHARE,
2409 NULL);
2410 if (rc)
2411 return -EPERM;
2412 }
2413
2414 /* Make sure that anyone attempting to ptrace over a task that
2415 * changes its SID has the appropriate permit */
9227dd2a 2416 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2417 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2418 if (ptsid != 0) {
2419 rc = avc_has_perm(ptsid, new_tsec->sid,
2420 SECCLASS_PROCESS,
2421 PROCESS__PTRACE, NULL);
2422 if (rc)
2423 return -EPERM;
2424 }
2425 }
1da177e4 2426
a6f76f23
DH		 2427 /* Clear any possibly unsafe personality bits on exec: */
2428 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2429 }
2430
1da177e4
LT		 2431 return 0;
2432}
2433
828dfe1d 2434static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2435{
98738d70 2436 const struct task_security_struct *tsec = selinux_cred(current_cred());
275bb41e 2437 u32 sid, osid;
1da177e4
LT		 2438 int atsecure = 0;
2439
275bb41e
DH		 2440 sid = tsec->sid;
2441 osid = tsec->osid;
2442
2443 if (osid != sid) {
1da177e4
LT		 2444 /* Enable secure mode for SIDs transitions unless
2445 the noatsecure permission is granted between
2446 the two SIDs, i.e. ahp returns 0. */
275bb41e 2447 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2448 SECCLASS_PROCESS,
2449 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2450 }
2451
b1d9e6b0 2452 return !!atsecure;
1da177e4
LT		 2453}
2454
c3c073f8
AV		 2455static int match_file(const void *p, struct file *file, unsigned fd)
2456{
2457 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2458}
2459
1da177e4 2460/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2461static inline void flush_unauthorized_files(const struct cred *cred,
2462 struct files_struct *files)
1da177e4 2463{
1da177e4 2464 struct file *file, *devnull = NULL;
b20c8122 2465 struct tty_struct *tty;
24ec839c 2466 int drop_tty = 0;
c3c073f8 2467 unsigned n;
1da177e4 2468
24ec839c 2469 tty = get_current_tty();
1da177e4 2470 if (tty) {
4a510969 2471 spin_lock(&tty->files_lock);
37dd0bd0 2472 if (!list_empty(&tty->tty_files)) {
d996b62a 2473 struct tty_file_private *file_priv;
37dd0bd0 2474
1da177e4 2475 /* Revalidate access to controlling tty.
13f8e981
DH		 2476 Use file_path_has_perm on the tty path directly
2477 rather than using file_has_perm, as this particular
2478 open file may belong to another process and we are
2479 only interested in the inode-based check here. */
d996b62a
NP		 2480 file_priv = list_first_entry(&tty->tty_files,
2481 struct tty_file_private, list);
2482 file = file_priv->file;
13f8e981 2483 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2484 drop_tty = 1;
1da177e4 2485 }
4a510969 2486 spin_unlock(&tty->files_lock);
452a00d2 2487 tty_kref_put(tty);
1da177e4 2488 }
98a27ba4
EB		 2489 /* Reset controlling tty. */
2490 if (drop_tty)
2491 no_tty();
1da177e4
LT		 2492
2493 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2494 n = iterate_fd(files, 0, match_file, cred);
2495 if (!n) /* none found? */
2496 return;
1da177e4 2497
c3c073f8 2498 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2499 if (IS_ERR(devnull))
2500 devnull = NULL;
2501 /* replace all the matching ones with this */
2502 do {
2503 replace_fd(n - 1, devnull, 0);
2504 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2505 if (devnull)
c3c073f8 2506 fput(devnull);
1da177e4
LT		 2507}
2508
a6f76f23
DH		 2509/*
2510 * Prepare a process for imminent new credential changes due to exec
2511 */
2512static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2513{
a6f76f23
DH		 2514 struct task_security_struct *new_tsec;
2515 struct rlimit *rlim, *initrlim;
2516 int rc, i;
d84f4f99 2517
98738d70 2518 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2519 if (new_tsec->sid == new_tsec->osid)
2520 return;
1da177e4 2521
a6f76f23
DH		 2522 /* Close files for which the new task SID is not authorized. */
2523 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2524
a6f76f23
DH		 2525 /* Always clear parent death signal on SID transitions. */
2526 current->pdeath_signal = 0;
0356357c 2527
a6f76f23
DH		 2528 /* Check whether the new SID can inherit resource limits from the old
2529 * SID. If not, reset all soft limits to the lower of the current
2530 * task's hard limit and the init task's soft limit.
2531 *
2532 * Note that the setting of hard limits (even to lower them) can be
2533 * controlled by the setrlimit check. The inclusion of the init task's
2534 * soft limit into the computation is to avoid resetting soft limits
2535 * higher than the default soft limit for cases where the default is
2536 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2537 */
2538 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2539 PROCESS__RLIMITINH, NULL);
2540 if (rc) {
eb2d55a3
ON		 2541 /* protect against do_prlimit() */
2542 task_lock(current);
a6f76f23
DH		 2543 for (i = 0; i < RLIM_NLIMITS; i++) {
2544 rlim = current->signal->rlim + i;
2545 initrlim = init_task.signal->rlim + i;
2546 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2547 }
eb2d55a3 2548 task_unlock(current);
baa73d9e
NP		 2549 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2550 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2551 }
2552}
2553
2554/*
a6f76f23
DH		 2555 * Clean up the process immediately after the installation of new credentials
2556 * due to exec
1da177e4 2557 */
a6f76f23 2558static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2559{
98738d70 2560 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4 2561 struct itimerval itimer;
a6f76f23 2562 u32 osid, sid;
1da177e4
LT		 2563 int rc, i;
2564
a6f76f23
DH		 2565 osid = tsec->osid;
2566 sid = tsec->sid;
2567
2568 if (sid == osid)
1da177e4
LT		 2569 return;
2570
a6f76f23
DH		 2571 /* Check whether the new SID can inherit signal state from the old SID.
2572 * If not, clear itimers to avoid subsequent signal generation and
2573 * flush and unblock signals.
2574 *
2575 * This must occur _after_ the task SID has been updated so that any
2576 * kill done after the flush will be checked against the new SID.
2577 */
2578 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2579 if (rc) {
baa73d9e
NP		 2580 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2581 memset(&itimer, 0, sizeof itimer);
2582 for (i = 0; i < 3; i++)
2583 do_setitimer(i, &itimer, NULL);
2584 }
1da177e4 2585 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2586 if (!fatal_signal_pending(current)) {
2587 flush_sigqueue(&current->pending);
2588 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2589 flush_signal_handlers(current, 1);
2590 sigemptyset(&current->blocked);
9e7c8f8c 2591 recalc_sigpending();
3bcac026 2592 }
1da177e4
LT		 2593 spin_unlock_irq(&current->sighand->siglock);
2594 }
2595
a6f76f23
DH		 2596 /* Wake up the parent if it is waiting so that it can recheck
2597 * wait permission to the new task SID. */
ecd6de3c 2598 read_lock(&tasklist_lock);
0b7570e7 2599 __wake_up_parent(current, current->real_parent);
ecd6de3c 2600 read_unlock(&tasklist_lock);
1da177e4
LT		 2601}
2602
2603/* superblock security operations */
2604
2605static int selinux_sb_alloc_security(struct super_block *sb)
2606{
2607 return superblock_alloc_security(sb);
2608}
2609
33132849
JS		 2610static void selinux_sb_free_security(struct super_block *sb)
2611{
2612 superblock_free_security(sb);
2613}
2614
1da177e4
LT		 2615static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2616{
2617 if (plen > olen)
2618 return 0;
2619
2620 return !memcmp(prefix, option, plen);
2621}
2622
2623static inline int selinux_option(char *option, int len)
2624{
832cbd9a
EP		 2625 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2626 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2627 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2628 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2629 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2630}
2631
2632static inline void take_option(char **to, char *from, int *first, int len)
2633{
2634 if (!*first) {
2635 **to = ',';
2636 *to += 1;
3528a953 2637 } else
1da177e4
LT		 2638 *first = 0;
2639 memcpy(*to, from, len);
2640 *to += len;
2641}
2642
828dfe1d
EP		 2643static inline void take_selinux_option(char **to, char *from, int *first,
2644 int len)
3528a953
CO		 2645{
2646 int current_size = 0;
2647
2648 if (!*first) {
2649 **to = '|';
2650 *to += 1;
828dfe1d 2651 } else
3528a953
CO		 2652 *first = 0;
2653
2654 while (current_size < len) {
2655 if (*from != '"') {
2656 **to = *from;
2657 *to += 1;
2658 }
2659 from += 1;
2660 current_size += 1;
2661 }
2662}
2663
e0007529 2664static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2665{
2666 int fnosec, fsec, rc = 0;
2667 char *in_save, *in_curr, *in_end;
2668 char *sec_curr, *nosec_save, *nosec;
3528a953 2669 int open_quote = 0;
1da177e4
LT		 2670
2671 in_curr = orig;
2672 sec_curr = copy;
2673
1da177e4
LT		 2674 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2675 if (!nosec) {
2676 rc = -ENOMEM;
2677 goto out;
2678 }
2679
2680 nosec_save = nosec;
2681 fnosec = fsec = 1;
2682 in_save = in_end = orig;
2683
2684 do {
3528a953
CO		 2685 if (*in_end == '"')
2686 open_quote = !open_quote;
2687 if ((*in_end == ',' && open_quote == 0) ||
2688 *in_end == '\0') {
1da177e4
LT		 2689 int len = in_end - in_curr;
2690
2691 if (selinux_option(in_curr, len))
3528a953 2692 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2693 else
2694 take_option(&nosec, in_curr, &fnosec, len);
2695
2696 in_curr = in_end + 1;
2697 }
2698 } while (*in_end++);
2699
6931dfc9 2700 strcpy(in_save, nosec_save);
da3caa20 2701 free_page((unsigned long)nosec_save);
1da177e4
LT		 2702out:
2703 return rc;
2704}
2705
026eb167
EP		 2706static int selinux_sb_remount(struct super_block *sb, void *data)
2707{
2708 int rc, i, *flags;
2709 struct security_mnt_opts opts;
2710 char *secdata, **mount_options;
33132849 2711 struct superblock_security_struct *sbsec = sb->s_security;
026eb167
EP		 2712
2713 if (!(sbsec->flags & SE_SBINITIALIZED))
2714 return 0;
2715
2716 if (!data)
2717 return 0;
2718
2719 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2720 return 0;
2721
2722 security_init_mnt_opts(&opts);
2723 secdata = alloc_secdata();
2724 if (!secdata)
2725 return -ENOMEM;
2726 rc = selinux_sb_copy_data(data, secdata);
2727 if (rc)
2728 goto out_free_secdata;
2729
2730 rc = selinux_parse_opts_str(secdata, &opts);
2731 if (rc)
2732 goto out_free_secdata;
2733
2734 mount_options = opts.mnt_opts;
2735 flags = opts.mnt_opts_flags;
2736
2737 for (i = 0; i < opts.num_mnt_opts; i++) {
2738 u32 sid;
026eb167 2739
12f348b9 2740 if (flags[i] == SBLABEL_MNT)
026eb167 2741 continue;
44be2f65 2742 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2743 if (rc) {
44be2f65 2744 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2745 "(%s) failed for (dev %s, type %s) errno=%d\n",
2746 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2747 goto out_free_opts;
2748 }
2749 rc = -EINVAL;
2750 switch (flags[i]) {
2751 case FSCONTEXT_MNT:
2752 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2753 goto out_bad_option;
2754 break;
2755 case CONTEXT_MNT:
2756 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2757 goto out_bad_option;
2758 break;
2759 case ROOTCONTEXT_MNT: {
2760 struct inode_security_struct *root_isec;
83da53c5 2761 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2762
2763 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2764 goto out_bad_option;
2765 break;
2766 }
2767 case DEFCONTEXT_MNT:
2768 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2769 goto out_bad_option;
2770 break;
2771 default:
2772 goto out_free_opts;
2773 }
2774 }
2775
2776 rc = 0;
2777out_free_opts:
2778 security_free_mnt_opts(&opts);
2779out_free_secdata:
2780 free_secdata(secdata);
2781 return rc;
2782out_bad_option:
2783 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2784 "during remount (dev %s, type=%s)\n", sb->s_id,
2785 sb->s_type->name);
026eb167
EP		 2786 goto out_free_opts;
2787}
2788
12204e24 2789static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2790{
88e67f3b 2791 const struct cred *cred = current_cred();
2bf49690 2792 struct common_audit_data ad;
1da177e4
LT		 2793 int rc;
2794
2795 rc = superblock_doinit(sb, data);
2796 if (rc)
2797 return rc;
2798
74192246
JM		 2799 /* Allow all mounts performed by the kernel */
2800 if (flags & MS_KERNMOUNT)
2801 return 0;
2802
50c205f5 2803 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2804 ad.u.dentry = sb->s_root;
88e67f3b 2805 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2806}
2807
726c3342 2808static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2809{
88e67f3b 2810 const struct cred *cred = current_cred();
2bf49690 2811 struct common_audit_data ad;
1da177e4 2812
50c205f5 2813 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2814 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2815 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2816}
2817
808d4e3c 2818static int selinux_mount(const char *dev_name,
8a04c43b 2819 const struct path *path,
808d4e3c 2820 const char *type,
828dfe1d
EP		 2821 unsigned long flags,
2822 void *data)
1da177e4 2823{
88e67f3b 2824 const struct cred *cred = current_cred();
1da177e4
LT		 2825
2826 if (flags & MS_REMOUNT)
d8c9584e 2827 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2828 FILESYSTEM__REMOUNT, NULL);
1da177e4 2829 else
2875fa00 2830 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2831}
2832
2833static int selinux_umount(struct vfsmount *mnt, int flags)
2834{
88e67f3b 2835 const struct cred *cred = current_cred();
1da177e4 2836
88e67f3b 2837 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2838 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2839}
2840
2841/* inode security operations */
2842
2843static int selinux_inode_alloc_security(struct inode *inode)
2844{
2845 return inode_alloc_security(inode);
2846}
2847
2848static void selinux_inode_free_security(struct inode *inode)
2849{
2850 inode_free_security(inode);
2851}
2852
d47be3df 2853static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2854 const struct qstr *name, void **ctx,
d47be3df
DQ		 2855 u32 *ctxlen)
2856{
d47be3df
DQ		 2857 u32 newsid;
2858 int rc;
2859
98738d70 2860 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2861 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2862 inode_mode_to_security_class(mode),
2863 &newsid);
2864 if (rc)
2865 return rc;
d47be3df
DQ		 2866
2867 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2868}
2869
a518b0a5
VG		 2870static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2871 struct qstr *name,
2872 const struct cred *old,
2873 struct cred *new)
2874{
2875 u32 newsid;
2876 int rc;
2877 struct task_security_struct *tsec;
2878
98738d70 2879 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2880 d_inode(dentry->d_parent), name,
2881 inode_mode_to_security_class(mode),
2882 &newsid);
2883 if (rc)
2884 return rc;
2885
98738d70 2886 tsec = selinux_cred(new);
a518b0a5
VG		 2887 tsec->create_sid = newsid;
2888 return 0;
2889}
2890
5e41ff9e 2891static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2892 const struct qstr *qstr,
2893 const char **name,
2a7dba39 2894 void **value, size_t *len)
5e41ff9e 2895{
98738d70 2896 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2897 struct superblock_security_struct *sbsec;
275bb41e 2898 u32 sid, newsid, clen;
5e41ff9e 2899 int rc;
9548906b 2900 char *context;
5e41ff9e 2901
33132849 2902 sbsec = dir->i_sb->s_security;
5e41ff9e 2903
275bb41e
DH		 2904 sid = tsec->sid;
2905 newsid = tsec->create_sid;
2906
98738d70 2907 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c3c188b2
DH		 2908 dir, qstr,
2909 inode_mode_to_security_class(inode->i_mode),
2910 &newsid);
2911 if (rc)
2912 return rc;
5e41ff9e 2913
296fddf7 2914 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2915 if (sbsec->flags & SE_SBINITIALIZED) {
33132849 2916 struct inode_security_struct *isec = inode->i_security;
296fddf7
EP		 2917 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2918 isec->sid = newsid;
6f3be9f5 2919 isec->initialized = LABEL_INITIALIZED;
296fddf7 2920 }
5e41ff9e 2921
12f348b9 2922 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2923 return -EOPNOTSUPP;
2924
9548906b
TH		 2925 if (name)
2926 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2927
570bc1c2 2928 if (value && len) {
12b29f34 2929 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2930 if (rc)
570bc1c2 2931 return rc;
570bc1c2
SS		 2932 *value = context;
2933 *len = clen;
5e41ff9e 2934 }
5e41ff9e 2935
5e41ff9e
SS		 2936 return 0;
2937}
2938
4acdaf27 2939static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2940{
2941 return may_create(dir, dentry, SECCLASS_FILE);
2942}
2943
1da177e4
LT		 2944static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2945{
1da177e4
LT		 2946 return may_link(dir, old_dentry, MAY_LINK);
2947}
2948
1da177e4
LT		 2949static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2950{
1da177e4
LT		 2951 return may_link(dir, dentry, MAY_UNLINK);
2952}
2953
2954static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2955{
2956 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2957}
2958
18bb1db3 2959static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2960{
2961 return may_create(dir, dentry, SECCLASS_DIR);
2962}
2963
1da177e4
LT		 2964static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2965{
2966 return may_link(dir, dentry, MAY_RMDIR);
2967}
2968
1a67aafb 2969static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2970{
1da177e4
LT		 2971 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2972}
2973
1da177e4 2974static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2975 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2976{
2977 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2978}
2979
1da177e4
LT		 2980static int selinux_inode_readlink(struct dentry *dentry)
2981{
88e67f3b
DH		 2982 const struct cred *cred = current_cred();
2983
2875fa00 2984 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2985}
2986
bda0be7a
N		 2987static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2988 bool rcu)
1da177e4 2989{
88e67f3b 2990 const struct cred *cred = current_cred();
bda0be7a
N		 2991 struct common_audit_data ad;
2992 struct inode_security_struct *isec;
2993 u32 sid;
1da177e4 2994
bda0be7a
N		 2995 validate_creds(cred);
2996
2997 ad.type = LSM_AUDIT_DATA_DENTRY;
2998 ad.u.dentry = dentry;
2999 sid = cred_sid(cred);
5d226df4
AG		 3000 isec = inode_security_rcu(inode, rcu);
3001 if (IS_ERR(isec))
3002 return PTR_ERR(isec);
bda0be7a
N		 3003
3004 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3005 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3006}
3007
d4cf970d
EP		 3008static noinline int audit_inode_permission(struct inode *inode,
3009 u32 perms, u32 audited, u32 denied,
626b9740 3010 int result,
d4cf970d 3011 unsigned flags)
1da177e4 3012{
b782e0a6 3013 struct common_audit_data ad;
33132849 3014 struct inode_security_struct *isec = inode->i_security;
d4cf970d
EP		 3015 int rc;
3016
50c205f5 3017 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3018 ad.u.inode = inode;
3019
3020 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3021 audited, denied, result, &ad, flags);
d4cf970d
EP		 3022 if (rc)
3023 return rc;
3024 return 0;
3025}
3026
e74f71eb 3027static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3028{
88e67f3b 3029 const struct cred *cred = current_cred();
b782e0a6
EP		 3030 u32 perms;
3031 bool from_access;
cf1dd1da 3032 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3033 struct inode_security_struct *isec;
3034 u32 sid;
3035 struct av_decision avd;
3036 int rc, rc2;
3037 u32 audited, denied;
1da177e4 3038
b782e0a6 3039 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3040 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3041
b782e0a6
EP		 3042 /* No permission to check. Existence test. */
3043 if (!mask)
1da177e4 3044 return 0;
1da177e4 3045
2e334057 3046 validate_creds(cred);
b782e0a6 3047
2e334057
EP		 3048 if (unlikely(IS_PRIVATE(inode)))
3049 return 0;
b782e0a6
EP		 3050
3051 perms = file_mask_to_av(inode->i_mode, mask);
3052
2e334057 3053 sid = cred_sid(cred);
5d226df4
AG		 3054 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3055 if (IS_ERR(isec))
3056 return PTR_ERR(isec);
2e334057
EP		 3057
3058 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3059 audited = avc_audit_required(perms, &avd, rc,
3060 from_access ? FILE__AUDIT_ACCESS : 0,
3061 &denied);
3062 if (likely(!audited))
3063 return rc;
3064
626b9740 3065 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3066 if (rc2)
3067 return rc2;
3068 return rc;
1da177e4
LT		 3069}
3070
3071static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3072{
88e67f3b 3073 const struct cred *cred = current_cred();
ccb54478 3074 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3075 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3076 __u32 av = FILE__WRITE;
1da177e4 3077
bc6a6008
AW		 3078 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3079 if (ia_valid & ATTR_FORCE) {
3080 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3081 ATTR_FORCE);
3082 if (!ia_valid)
3083 return 0;
3084 }
1da177e4 3085
bc6a6008
AW		 3086 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3087 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3088 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3089
ccb54478
SS		 3090 if (selinux_policycap_openperm &&
3091 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3092 (ia_valid & ATTR_SIZE) &&
3093 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3094 av |= FILE__OPEN;
3095
3096 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3097}
3098
3f7036a0 3099static int selinux_inode_getattr(const struct path *path)
1da177e4 3100{
3f7036a0 3101 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3102}
3103
8f0cfa52 3104static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3105{
88e67f3b
DH		 3106 const struct cred *cred = current_cred();
3107
b5376771
SH		 3108 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3109 sizeof XATTR_SECURITY_PREFIX - 1)) {
3110 if (!strcmp(name, XATTR_NAME_CAPS)) {
3111 if (!capable(CAP_SETFCAP))
3112 return -EPERM;
3113 } else if (!capable(CAP_SYS_ADMIN)) {
3114 /* A different attribute in the security namespace.
3115 Restrict to administrator. */
3116 return -EPERM;
3117 }
3118 }
3119
3120 /* Not an attribute we recognize, so just check the
3121 ordinary setattr permission. */
2875fa00 3122 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3123}
3124
db59000a
SS		 3125static bool has_cap_mac_admin(bool audit)
3126{
3127 const struct cred *cred = current_cred();
3128 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3129
3130 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3131 return false;
3132 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3133 return false;
3134 return true;
3135}
3136
8f0cfa52
DH		 3137static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3138 const void *value, size_t size, int flags)
1da177e4 3139{
c6f493d6 3140 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3141 struct inode_security_struct *isec;
1da177e4 3142 struct superblock_security_struct *sbsec;
2bf49690 3143 struct common_audit_data ad;
275bb41e 3144 u32 newsid, sid = current_sid();
1da177e4
LT		 3145 int rc = 0;
3146
b5376771
SH		 3147 if (strcmp(name, XATTR_NAME_SELINUX))
3148 return selinux_inode_setotherxattr(dentry, name);
1da177e4 3149
33132849 3150 sbsec = inode->i_sb->s_security;
12f348b9 3151 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3152 return -EOPNOTSUPP;
3153
2e149670 3154 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3155 return -EPERM;
3156
50c205f5 3157 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3158 ad.u.dentry = dentry;
1da177e4 3159
20cdef8d 3160 isec = backing_inode_security(dentry);
275bb41e 3161 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3162 FILE__RELABELFROM, &ad);
3163 if (rc)
3164 return rc;
3165
52a4c640 3166 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3167 if (rc == -EINVAL) {
db59000a 3168 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3169 struct audit_buffer *ab;
3170 size_t audit_size;
3171 const char *str;
3172
3173 /* We strip a nul only if it is at the end, otherwise the
3174 * context contains a nul and we should audit that */
e3fea3f7
AV		 3175 if (value) {
3176 str = value;
3177 if (str[size - 1] == '\0')
3178 audit_size = size - 1;
3179 else
3180 audit_size = size;
3181 } else {
3182 str = "";
3183 audit_size = 0;
3184 }
d6ea83ec
EP		 3185 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3186 audit_log_format(ab, "op=setxattr invalid_context=");
3187 audit_log_n_untrustedstring(ab, value, audit_size);
3188 audit_log_end(ab);
3189
12b29f34 3190 return rc;
d6ea83ec 3191 }
12b29f34
SS		 3192 rc = security_context_to_sid_force(value, size, &newsid);
3193 }
1da177e4
LT		 3194 if (rc)
3195 return rc;
3196
275bb41e 3197 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3198 FILE__RELABELTO, &ad);
3199 if (rc)
3200 return rc;
3201
275bb41e 3202 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3203 isec->sclass);
1da177e4
LT		 3204 if (rc)
3205 return rc;
3206
3207 return avc_has_perm(newsid,
3208 sbsec->sid,
3209 SECCLASS_FILESYSTEM,
3210 FILESYSTEM__ASSOCIATE,
3211 &ad);
3212}
3213
8f0cfa52 3214static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3215 const void *value, size_t size,
8f0cfa52 3216 int flags)
1da177e4 3217{
c6f493d6 3218 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3219 struct inode_security_struct *isec;
1da177e4
LT		 3220 u32 newsid;
3221 int rc;
3222
3223 if (strcmp(name, XATTR_NAME_SELINUX)) {
3224 /* Not an attribute we recognize, so nothing to do. */
3225 return;
3226 }
3227
12b29f34 3228 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3229 if (rc) {
12b29f34
SS		 3230 printk(KERN_ERR "SELinux: unable to map context to SID"
3231 "for (%s, %lu), rc=%d\n",
3232 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3233 return;
3234 }
3235
20cdef8d 3236 isec = backing_inode_security(dentry);
9287aed2 3237 spin_lock(&isec->lock);
aa9c2669 3238 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3239 isec->sid = newsid;
6f3be9f5 3240 isec->initialized = LABEL_INITIALIZED;
9287aed2 3241 spin_unlock(&isec->lock);
aa9c2669 3242
1da177e4
LT		 3243 return;
3244}
3245
8f0cfa52 3246static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3247{
88e67f3b
DH		 3248 const struct cred *cred = current_cred();
3249
2875fa00 3250 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3251}
3252
828dfe1d 3253static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3254{
88e67f3b
DH		 3255 const struct cred *cred = current_cred();
3256
2875fa00 3257 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3258}
3259
8f0cfa52 3260static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3261{
b5376771
SH		 3262 if (strcmp(name, XATTR_NAME_SELINUX))
3263 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3264
3265 /* No one is allowed to remove a SELinux security label.
3266 You can change the label, but all data must be labeled. */
3267 return -EACCES;
3268}
3269
d381d8a9 3270/*
abc69bb6 3271 * Copy the inode security context value to the user.
d381d8a9
JM		 3272 *
3273 * Permission check is handled by selinux_inode_getxattr hook.
3274 */
ea861dfd 3275static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3276{
42492594
DQ		 3277 u32 size;
3278 int error;
3279 char *context = NULL;
20cdef8d 3280 struct inode_security_struct *isec;
d381d8a9 3281
8c8570fb
DK		 3282 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3283 return -EOPNOTSUPP;
d381d8a9 3284
abc69bb6
SS		 3285 /*
3286 * If the caller has CAP_MAC_ADMIN, then get the raw context
3287 * value even if it is not defined by current policy; otherwise,
3288 * use the in-core value under current policy.
3289 * Use the non-auditing forms of the permission checks since
3290 * getxattr may be called by unprivileged processes commonly
3291 * and lack of permission just means that we fall back to the
3292 * in-core context value, not a denial.
3293 */
20cdef8d 3294 isec = inode_security(inode);
db59000a 3295 if (has_cap_mac_admin(false))
abc69bb6
SS		 3296 error = security_sid_to_context_force(isec->sid, &context,
3297 &size);
3298 else
3299 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3300 if (error)
3301 return error;
3302 error = size;
3303 if (alloc) {
3304 *buffer = context;
3305 goto out_nofree;
3306 }
3307 kfree(context);
3308out_nofree:
3309 return error;
1da177e4
LT		 3310}
3311
3312static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3313 const void *value, size_t size, int flags)
1da177e4 3314{
2c97165b 3315 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3316 u32 newsid;
3317 int rc;
3318
3319 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3320 return -EOPNOTSUPP;
3321
3322 if (!value || !size)
3323 return -EACCES;
3324
20ba96ae 3325 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3326 if (rc)
3327 return rc;
3328
9287aed2 3329 spin_lock(&isec->lock);
aa9c2669 3330 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3331 isec->sid = newsid;
6f3be9f5 3332 isec->initialized = LABEL_INITIALIZED;
9287aed2 3333 spin_unlock(&isec->lock);
1da177e4
LT		 3334 return 0;
3335}
3336
3337static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3338{
3339 const int len = sizeof(XATTR_NAME_SELINUX);
3340 if (buffer && len <= buffer_size)
3341 memcpy(buffer, XATTR_NAME_SELINUX, len);
3342 return len;
3343}
3344
d6335d77 3345static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3346{
e817c2f3 3347 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3348 *secid = isec->sid;
3349}
3350
56909eb3
VG		 3351static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3352{
3353 u32 sid;
3354 struct task_security_struct *tsec;
3355 struct cred *new_creds = *new;
3356
3357 if (new_creds == NULL) {
3358 new_creds = prepare_creds();
3359 if (!new_creds)
3360 return -ENOMEM;
3361 }
3362
98738d70 3363 tsec = selinux_cred(new_creds);
56909eb3
VG		 3364 /* Get label from overlay inode and set it in create_sid */
3365 selinux_inode_getsecid(d_inode(src), &sid);
3366 tsec->create_sid = sid;
3367 *new = new_creds;
3368 return 0;
3369}
3370
19472b69
VG		 3371static int selinux_inode_copy_up_xattr(const char *name)
3372{
3373 /* The copy_up hook above sets the initial context on an inode, but we
3374 * don't then want to overwrite it by blindly copying all the lower
3375 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3376 */
3377 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3378 return 1; /* Discard */
3379 /*
3380 * Any other attribute apart from SELINUX is not claimed, supported
3381 * by selinux.
3382 */
3383 return -EOPNOTSUPP;
3384}
3385
1da177e4
LT		 3386/* file security operations */
3387
788e7dd4 3388static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3389{
88e67f3b 3390 const struct cred *cred = current_cred();
496ad9aa 3391 struct inode *inode = file_inode(file);
1da177e4 3392
1da177e4
LT		 3393 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3394 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3395 mask |= MAY_APPEND;
3396
389fb800
PM		 3397 return file_has_perm(cred, file,
3398 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3399}
3400
788e7dd4
YN		 3401static int selinux_file_permission(struct file *file, int mask)
3402{
496ad9aa 3403 struct inode *inode = file_inode(file);
004c5200 3404 struct file_security_struct *fsec = selinux_file(file);
b197367e 3405 struct inode_security_struct *isec;
20dda18b
SS		 3406 u32 sid = current_sid();
3407
389fb800 3408 if (!mask)
788e7dd4
YN		 3409 /* No permission to check. Existence test. */
3410 return 0;
788e7dd4 3411
b197367e 3412 isec = inode_security(inode);
20dda18b
SS		 3413 if (sid == fsec->sid && fsec->isid == isec->sid &&
3414 fsec->pseqno == avc_policy_seqno())
83d49856 3415 /* No change since file_open check. */
20dda18b
SS		 3416 return 0;
3417
788e7dd4
YN		 3418 return selinux_revalidate_file_permission(file, mask);
3419}
3420
1da177e4
LT		 3421static int selinux_file_alloc_security(struct file *file)
3422{
3423 return file_alloc_security(file);
3424}
3425
fa1aa143
JVS		 3426/*
3427 * Check whether a task has the ioctl permission and cmd
3428 * operation to an inode.
3429 */
1d2a168a 3430static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3431 u32 requested, u16 cmd)
3432{
3433 struct common_audit_data ad;
004c5200 3434 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3435 struct inode *inode = file_inode(file);
20cdef8d 3436 struct inode_security_struct *isec;
fa1aa143
JVS		 3437 struct lsm_ioctlop_audit ioctl;
3438 u32 ssid = cred_sid(cred);
3439 int rc;
3440 u8 driver = cmd >> 8;
3441 u8 xperm = cmd & 0xff;
3442
3443 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3444 ad.u.op = &ioctl;
3445 ad.u.op->cmd = cmd;
3446 ad.u.op->path = file->f_path;
3447
3448 if (ssid != fsec->sid) {
3449 rc = avc_has_perm(ssid, fsec->sid,
3450 SECCLASS_FD,
3451 FD__USE,
3452 &ad);
3453 if (rc)
3454 goto out;
3455 }
3456
3457 if (unlikely(IS_PRIVATE(inode)))
3458 return 0;
3459
20cdef8d 3460 isec = inode_security(inode);
fa1aa143
JVS		 3461 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3462 requested, driver, xperm, &ad);
3463out:
3464 return rc;
3465}
3466
1da177e4
LT		 3467static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3468 unsigned long arg)
3469{
88e67f3b 3470 const struct cred *cred = current_cred();
0b24dcb7 3471 int error = 0;
1da177e4 3472
0b24dcb7
EP		 3473 switch (cmd) {
3474 case FIONREAD:
3475 /* fall through */
3476 case FIBMAP:
3477 /* fall through */
3478 case FIGETBSZ:
3479 /* fall through */
2f99c369 3480 case FS_IOC_GETFLAGS:
0b24dcb7 3481 /* fall through */
2f99c369 3482 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3483 error = file_has_perm(cred, file, FILE__GETATTR);
3484 break;
1da177e4 3485
2f99c369 3486 case FS_IOC_SETFLAGS:
0b24dcb7 3487 /* fall through */
2f99c369 3488 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3489 error = file_has_perm(cred, file, FILE__SETATTR);
3490 break;
3491
3492 /* sys_ioctl() checks */
3493 case FIONBIO:
3494 /* fall through */
3495 case FIOASYNC:
3496 error = file_has_perm(cred, file, 0);
3497 break;
1da177e4 3498
0b24dcb7
EP		 3499 case KDSKBENT:
3500 case KDSKBSENT:
6a9de491 3501 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3502 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3503 break;
3504
3505 /* default case assumes that the command will go
3506 * to the file's ioctl() function.
3507 */
3508 default:
fa1aa143 3509 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3510 }
3511 return error;
1da177e4
LT		 3512}
3513
fcaaade1
SS		 3514static int default_noexec;
3515
1da177e4
LT		 3516static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3517{
88e67f3b 3518 const struct cred *cred = current_cred();
be0554c9 3519 u32 sid = cred_sid(cred);
d84f4f99 3520 int rc = 0;
88e67f3b 3521
fcaaade1 3522 if (default_noexec &&
892e8cac
SS		 3523 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3524 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3525 /*
3526 * We are making executable an anonymous mapping or a
3527 * private file mapping that will also be writable.
3528 * This has an additional check.
3529 */
be0554c9
SS		 3530 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3531 PROCESS__EXECMEM, NULL);
1da177e4 3532 if (rc)
d84f4f99 3533 goto error;
1da177e4 3534 }
1da177e4
LT		 3535
3536 if (file) {
3537 /* read access is always possible with a mapping */
3538 u32 av = FILE__READ;
3539
3540 /* write access only matters if the mapping is shared */
3541 if (shared && (prot & PROT_WRITE))
3542 av |= FILE__WRITE;
3543
3544 if (prot & PROT_EXEC)
3545 av |= FILE__EXECUTE;
3546
88e67f3b 3547 return file_has_perm(cred, file, av);
1da177e4 3548 }
d84f4f99
DH		 3549
3550error:
3551 return rc;
1da177e4
LT		 3552}
3553
e5467859 3554static int selinux_mmap_addr(unsigned long addr)
1da177e4 3555{
b1d9e6b0 3556 int rc = 0;
1da177e4 3557
a2551df7 3558 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3559 u32 sid = current_sid();
ed032189
EP		 3560 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3561 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3562 }
3563
98883bfd 3564 return rc;
e5467859 3565}
1da177e4 3566
e5467859
AV		 3567static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3568 unsigned long prot, unsigned long flags)
3569{
3ba4bf5f
SS		 3570 struct common_audit_data ad;
3571 int rc;
3572
3573 if (file) {
3574 ad.type = LSM_AUDIT_DATA_FILE;
3575 ad.u.file = file;
3576 rc = inode_has_perm(current_cred(), file_inode(file),
3577 FILE__MAP, &ad);
3578 if (rc)
3579 return rc;
3580 }
3581
1da177e4
LT		 3582 if (selinux_checkreqprot)
3583 prot = reqprot;
3584
3585 return file_map_prot_check(file, prot,
3586 (flags & MAP_TYPE) == MAP_SHARED);
3587}
3588
3589static int selinux_file_mprotect(struct vm_area_struct *vma,
3590 unsigned long reqprot,
3591 unsigned long prot)
3592{
88e67f3b 3593 const struct cred *cred = current_cred();
be0554c9 3594 u32 sid = cred_sid(cred);
1da177e4
LT		 3595
3596 if (selinux_checkreqprot)
3597 prot = reqprot;
3598
fcaaade1
SS		 3599 if (default_noexec &&
3600 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3601 int rc = 0;
db4c9641
SS		 3602 if (vma->vm_start >= vma->vm_mm->start_brk &&
3603 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3604 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3605 PROCESS__EXECHEAP, NULL);
db4c9641 3606 } else if (!vma->vm_file &&
c2316dbf
SS		 3607 ((vma->vm_start <= vma->vm_mm->start_stack &&
3608 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3609 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3610 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3611 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3612 } else if (vma->vm_file && vma->anon_vma) {
3613 /*
3614 * We are making executable a file mapping that has
3615 * had some COW done. Since pages might have been
3616 * written, check ability to execute the possibly
3617 * modified content. This typically should only
3618 * occur for text relocations.
3619 */
d84f4f99 3620 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3621 }