]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: do not override context on context mounts
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
7efbb60b 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <dgoeddel@trustedcs.com>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <paul@paul-moore.com>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
3a976fa6 20 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
828dfe1d 24 * as published by the Free Software Foundation.
1da177e4
LT		 25 */
26
1da177e4 27#include <linux/init.h>
0b24dcb7 28#include <linux/kd.h>
1da177e4 29#include <linux/kernel.h>
0d094efe 30#include <linux/tracehook.h>
1da177e4 31#include <linux/errno.h>
3f07c014 32#include <linux/sched/signal.h>
29930025 33#include <linux/sched/task.h>
3c4ed7bd 34#include <linux/lsm_hooks.h>
1da177e4
LT		 35#include <linux/xattr.h>
36#include <linux/capability.h>
37#include <linux/unistd.h>
38#include <linux/mm.h>
39#include <linux/mman.h>
40#include <linux/slab.h>
41#include <linux/pagemap.h>
0b24dcb7 42#include <linux/proc_fs.h>
1da177e4 43#include <linux/swap.h>
1da177e4
LT		 44#include <linux/spinlock.h>
45#include <linux/syscalls.h>
2a7dba39 46#include <linux/dcache.h>
1da177e4 47#include <linux/file.h>
9f3acc31 48#include <linux/fdtable.h>
1da177e4
LT		 49#include <linux/namei.h>
50#include <linux/mount.h>
1da177e4
LT		 51#include <linux/netfilter_ipv4.h>
52#include <linux/netfilter_ipv6.h>
53#include <linux/tty.h>
54#include <net/icmp.h>
227b60f5 55#include <net/ip.h> /* for local_port_range[] */
1da177e4 56#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 57#include <net/inet_connection_sock.h>
220deb96 58#include <net/net_namespace.h>
d621d35e 59#include <net/netlabel.h>
f5269710 60#include <linux/uaccess.h>
1da177e4 61#include <asm/ioctls.h>
60063497 62#include <linux/atomic.h>
1da177e4
LT		 63#include <linux/bitops.h>
64#include <linux/interrupt.h>
65#include <linux/netdevice.h> /* for network interface checks */
77954983 66#include <net/netlink.h>
1da177e4
LT		 67#include <linux/tcp.h>
68#include <linux/udp.h>
2ee92d46 69#include <linux/dccp.h>
1da177e4
LT		 70#include <linux/quota.h>
71#include <linux/un.h> /* for Unix socket types */
72#include <net/af_unix.h> /* for Unix socket types */
73#include <linux/parser.h>
74#include <linux/nfs_mount.h>
75#include <net/ipv6.h>
76#include <linux/hugetlb.h>
77#include <linux/personality.h>
1da177e4 78#include <linux/audit.h>
6931dfc9 79#include <linux/string.h>
877ce7c1 80#include <linux/selinux.h>
23970741 81#include <linux/mutex.h>
f06febc9 82#include <linux/posix-timers.h>
00234592 83#include <linux/syslog.h>
3486740a 84#include <linux/user_namespace.h>
44fc7ea0 85#include <linux/export.h>
40401530
AV		 86#include <linux/msg.h>
87#include <linux/shm.h>
ec27c356 88#include <linux/bpf.h>
1da177e4
LT		 89
90#include "avc.h"
91#include "objsec.h"
92#include "netif.h"
224dfbd8 93#include "netnode.h"
3e112172 94#include "netport.h"
409dcf31 95#include "ibpkey.h"
d28d1e08 96#include "xfrm.h"
c60475bf 97#include "netlabel.h"
9d57a7f9 98#include "audit.h"
7b98a585 99#include "avc_ss.h"
1da177e4 100
d621d35e 101/* SECMARK reference count */
56a4ca99 102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 103
1da177e4 104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 105int selinux_enforcing;
1da177e4
LT		 106
107static int __init enforcing_setup(char *str)
108{
f5269710 109 unsigned long enforcing;
29707b20 110 if (!kstrtoul(str, 0, &enforcing))
f5269710 111 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 112 return 1;
113}
114__setup("enforcing=", enforcing_setup);
115#endif
116
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120static int __init selinux_enabled_setup(char *str)
121{
f5269710 122 unsigned long enabled;
29707b20 123 if (!kstrtoul(str, 0, &enabled))
f5269710 124 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 125 return 1;
126}
127__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 128#else
129int selinux_enabled = 1;
1da177e4
LT		 130#endif
131
d621d35e
PM		 132/**
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 *
135 * Description:
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 141 *
142 */
143static int selinux_secmark_enabled(void)
144{
2be4d74f
CP		 145 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
146}
147
148/**
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
150 *
151 * Description:
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
156 *
157 */
158static int selinux_peerlbl_enabled(void)
159{
160 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 161}
162
615e51fd
PM		 163static int selinux_netcache_avc_callback(u32 event)
164{
165 if (event == AVC_CALLBACK_RESET) {
166 sel_netif_flush();
167 sel_netnode_flush();
168 sel_netport_flush();
169 synchronize_net();
170 }
171 return 0;
172}
173
8f408ab6
DJ		 174static int selinux_lsm_notifier_avc_callback(u32 event)
175{
409dcf31
DJ		 176 if (event == AVC_CALLBACK_RESET) {
177 sel_ib_pkey_flush();
8f408ab6 178 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
409dcf31 179 }
8f408ab6
DJ		 180
181 return 0;
182}
183
d84f4f99
DH		 184/*
185 * initialise the security for the init task
186 */
187static void cred_init_security(void)
1da177e4 188{
3b11a1de 189 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 190 struct task_security_struct *tsec;
191
f1efc8c4
CS		 192 lsm_early_cred(cred);
193 tsec = selinux_cred(cred);
d84f4f99 194 tsec->osid = tsec->sid = SECINITSID_KERNEL;
1da177e4
LT		 195}
196
88e67f3b
DH		 197/*
198 * get the security ID of a set of credentials
199 */
200static inline u32 cred_sid(const struct cred *cred)
201{
202 const struct task_security_struct *tsec;
203
f1efc8c4 204 tsec = selinux_cred(cred);
88e67f3b
DH		 205 return tsec->sid;
206}
207
275bb41e 208/*
3b11a1de 209 * get the objective security ID of a task
275bb41e
DH		 210 */
211static inline u32 task_sid(const struct task_struct *task)
212{
275bb41e
DH		 213 u32 sid;
214
215 rcu_read_lock();
88e67f3b 216 sid = cred_sid(__task_cred(task));
275bb41e
DH		 217 rcu_read_unlock();
218 return sid;
219}
220
88e67f3b
DH		 221/* Allocate and free functions for each kind of security blob. */
222
1da177e4
LT		 223static int inode_alloc_security(struct inode *inode)
224{
7a90fc39 225 struct inode_security_struct *isec = selinux_inode(inode);
275bb41e 226 u32 sid = current_sid();
1da177e4 227
9287aed2 228 spin_lock_init(&isec->lock);
1da177e4 229 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 230 isec->inode = inode;
231 isec->sid = SECINITSID_UNLABELED;
232 isec->sclass = SECCLASS_FILE;
275bb41e 233 isec->task_sid = sid;
42059112 234 isec->initialized = LABEL_INVALID;
1da177e4
LT		 235
236 return 0;
237}
238
5d226df4
AG		 239static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
240
241/*
242 * Try reloading inode security labels that have been marked as invalid. The
243 * @may_sleep parameter indicates when sleeping and thus reloading labels is
42059112 244 * allowed; when set to false, returns -ECHILD when the label is
5d226df4
AG		 245 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
246 * when no dentry is available, set it to NULL instead.
247 */
248static int __inode_security_revalidate(struct inode *inode,
249 struct dentry *opt_dentry,
250 bool may_sleep)
251{
7a90fc39 252 struct inode_security_struct *isec = selinux_inode(inode);
5d226df4
AG		 253
254 might_sleep_if(may_sleep);
255
1ac42476 256 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 257 if (!may_sleep)
258 return -ECHILD;
259
260 /*
261 * Try reloading the inode security label. This will fail if
262 * @opt_dentry is NULL and no dentry for this inode can be
263 * found; in that case, continue using the old label.
264 */
265 inode_doinit_with_dentry(inode, opt_dentry);
266 }
267 return 0;
268}
269
5d226df4
AG		 270static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
271{
7a90fc39 272 return selinux_inode(inode);
5d226df4
AG		 273}
274
275static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
276{
277 int error;
278
279 error = __inode_security_revalidate(inode, NULL, !rcu);
280 if (error)
281 return ERR_PTR(error);
7a90fc39 282 return selinux_inode(inode);
5d226df4
AG		 283}
284
83da53c5
AG		 285/*
286 * Get the security label of an inode.
287 */
288static struct inode_security_struct *inode_security(struct inode *inode)
289{
5d226df4 290 __inode_security_revalidate(inode, NULL, true);
7a90fc39 291 return selinux_inode(inode);
83da53c5
AG		 292}
293
2c97165b
PM		 294static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
295{
296 struct inode *inode = d_backing_inode(dentry);
297
7a90fc39 298 return selinux_inode(inode);
2c97165b
PM		 299}
300
83da53c5
AG		 301/*
302 * Get the security label of a dentry's backing inode.
303 */
304static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
305{
306 struct inode *inode = d_backing_inode(dentry);
307
5d226df4 308 __inode_security_revalidate(inode, dentry, true);
7a90fc39 309 return selinux_inode(inode);
3dc91d43
SR		 310}
311
1da177e4
LT		 312static void inode_free_security(struct inode *inode)
313{
7a90fc39
CS		 314 struct inode_security_struct *isec = selinux_inode(inode);
315 struct superblock_security_struct *sbsec =
316 selinux_superblock(inode->i_sb);
1da177e4 317
9629d04a
WL		 318 /*
319 * As not all inode security structures are in a list, we check for
320 * empty list outside of the lock to make sure that we won't waste
321 * time taking a lock doing nothing.
322 *
323 * The list_del_init() function can be safely called more than once.
324 * It should not be possible for this function to be called with
325 * concurrent list_add(), but for better safety against future changes
326 * in the code, we use list_empty_careful() here.
327 */
328 if (!list_empty_careful(&isec->list)) {
329 spin_lock(&sbsec->isec_lock);
1da177e4 330 list_del_init(&isec->list);
9629d04a
WL		 331 spin_unlock(&sbsec->isec_lock);
332 }
1da177e4
LT		 333}
334
335static int file_alloc_security(struct file *file)
336{
ab9b110b 337 struct file_security_struct *fsec = selinux_file(file);
275bb41e 338 u32 sid = current_sid();
1da177e4 339
275bb41e
DH		 340 fsec->sid = sid;
341 fsec->fown_sid = sid;
1da177e4
LT		 342
343 return 0;
344}
345
1da177e4
LT		 346static int superblock_alloc_security(struct super_block *sb)
347{
7a90fc39 348 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1da177e4 349
bc7e982b 350 mutex_init(&sbsec->lock);
1da177e4
LT		 351 INIT_LIST_HEAD(&sbsec->isec_head);
352 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 353 sbsec->sb = sb;
354 sbsec->sid = SECINITSID_UNLABELED;
355 sbsec->def_sid = SECINITSID_FILE;
c312feb2 356 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 357
358 return 0;
359}
360
1da177e4
LT		 361static inline int inode_doinit(struct inode *inode)
362{
363 return inode_doinit_with_dentry(inode, NULL);
364}
365
366enum {
31e87930 367 Opt_error = -1,
1da177e4
LT		 368 Opt_context = 1,
369 Opt_fscontext = 2,
c9180a57
EP		 370 Opt_defcontext = 3,
371 Opt_rootcontext = 4,
11689d47 372 Opt_labelsupport = 5,
d355987f 373 Opt_nextmntopt = 6,
1da177e4
LT		 374};
375
d355987f
EP		 376#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
377
a447c093 378static const match_table_t tokens = {
832cbd9a
EP		 379 {Opt_context, CONTEXT_STR "%s"},
380 {Opt_fscontext, FSCONTEXT_STR "%s"},
381 {Opt_defcontext, DEFCONTEXT_STR "%s"},
382 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 383 {Opt_labelsupport, LABELSUPP_STR},
31e87930 384 {Opt_error, NULL},
1da177e4
LT		 385};
386
387#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
388
c312feb2
EP		 389static int may_context_mount_sb_relabel(u32 sid,
390 struct superblock_security_struct *sbsec,
275bb41e 391 const struct cred *cred)
c312feb2 392{
f1efc8c4 393 const struct task_security_struct *tsec = selinux_cred(cred);
c312feb2
EP		 394 int rc;
395
396 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__RELABELFROM, NULL);
398 if (rc)
399 return rc;
400
401 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
402 FILESYSTEM__RELABELTO, NULL);
403 return rc;
404}
405
0808925e
EP		 406static int may_context_mount_inode_relabel(u32 sid,
407 struct superblock_security_struct *sbsec,
275bb41e 408 const struct cred *cred)
0808925e 409{
f1efc8c4 410 const struct task_security_struct *tsec = selinux_cred(cred);
0808925e
EP		 411 int rc;
412 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
413 FILESYSTEM__RELABELFROM, NULL);
414 if (rc)
415 return rc;
416
417 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
418 FILESYSTEM__ASSOCIATE, NULL);
419 return rc;
420}
421
b43e725d
EP		 422static int selinux_is_sblabel_mnt(struct super_block *sb)
423{
7a90fc39 424 struct superblock_security_struct *sbsec = selinux_superblock(sb);
b43e725d 425
d5f3a5f6
MS		 426 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
427 sbsec->behavior == SECURITY_FS_USE_TRANS ||
428 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 429 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 430 /* Special handling. Genfs but also in-core setxattr handler */
431 !strcmp(sb->s_type->name, "sysfs") ||
432 !strcmp(sb->s_type->name, "pstore") ||
433 !strcmp(sb->s_type->name, "debugfs") ||
a2c7c6fb 434 !strcmp(sb->s_type->name, "tracefs") ||
2651225b
SS		 435 !strcmp(sb->s_type->name, "rootfs") ||
436 (selinux_policycap_cgroupseclabel &&
437 (!strcmp(sb->s_type->name, "cgroup") ||
438 !strcmp(sb->s_type->name, "cgroup2")));
b43e725d
EP		 439}
440
c9180a57 441static int sb_finish_set_opts(struct super_block *sb)
1da177e4 442{
7a90fc39 443 struct superblock_security_struct *sbsec = selinux_superblock(sb);
c9180a57 444 struct dentry *root = sb->s_root;
c6f493d6 445 struct inode *root_inode = d_backing_inode(root);
c9180a57 446 int rc = 0;
1da177e4 447
c9180a57
EP		 448 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
449 /* Make sure that the xattr handler exists and that no
450 error other than -ENODATA is returned by getxattr on
451 the root directory. -ENODATA is ok, as this may be
452 the first boot of the SELinux kernel before we have
453 assigned xattr values to the filesystem. */
5d6c3191 454 if (!(root_inode->i_opflags & IOP_XATTR)) {
29b1deb2
LT		 455 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
456 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 457 rc = -EOPNOTSUPP;
458 goto out;
459 }
5d6c3191
AG		 460
461 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
c9180a57
EP		 462 if (rc < 0 && rc != -ENODATA) {
463 if (rc == -EOPNOTSUPP)
464 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 465 "%s) has no security xattr handler\n",
466 sb->s_id, sb->s_type->name);
c9180a57
EP		 467 else
468 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 469 "%s) getxattr errno %d\n", sb->s_id,
470 sb->s_type->name, -rc);
c9180a57
EP		 471 goto out;
472 }
473 }
1da177e4 474
eadcabc6 475 sbsec->flags |= SE_SBINITIALIZED;
0b4d3452
SM		 476
477 /*
478 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
479 * leave the flag untouched because sb_clone_mnt_opts might be handing
480 * us a superblock that needs the flag to be cleared.
481 */
b43e725d 482 if (selinux_is_sblabel_mnt(sb))
12f348b9 483 sbsec->flags |= SBLABEL_MNT;
0b4d3452
SM		 484 else
485 sbsec->flags &= ~SBLABEL_MNT;
ddd29ec6 486
c9180a57
EP		 487 /* Initialize the root inode. */
488 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 489
c9180a57
EP		 490 /* Initialize any other inodes associated with the superblock, e.g.
491 inodes created prior to initial policy load or inodes created
492 during get_sb by a pseudo filesystem that directly
493 populates itself. */
494 spin_lock(&sbsec->isec_lock);
495next_inode:
496 if (!list_empty(&sbsec->isec_head)) {
497 struct inode_security_struct *isec =
498 list_entry(sbsec->isec_head.next,
499 struct inode_security_struct, list);
500 struct inode *inode = isec->inode;
923190d3 501 list_del_init(&isec->list);
c9180a57
EP		 502 spin_unlock(&sbsec->isec_lock);
503 inode = igrab(inode);
504 if (inode) {
505 if (!IS_PRIVATE(inode))
506 inode_doinit(inode);
507 iput(inode);
508 }
509 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 510 goto next_inode;
511 }
512 spin_unlock(&sbsec->isec_lock);
513out:
514 return rc;
515}
1da177e4 516
c9180a57
EP		 517/*
518 * This function should allow an FS to ask what it's mount security
519 * options were so it can use those later for submounts, displaying
520 * mount options, or whatever.
521 */
522static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 523 struct security_mnt_opts *opts)
c9180a57
EP		 524{
525 int rc = 0, i;
7a90fc39 526 struct superblock_security_struct *sbsec = selinux_superblock(sb);
c9180a57
EP		 527 char *context = NULL;
528 u32 len;
529 char tmp;
1da177e4 530
e0007529 531 security_init_mnt_opts(opts);
1da177e4 532
0d90a7ec 533 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 534 return -EINVAL;
1da177e4 535
c9180a57
EP		 536 if (!ss_initialized)
537 return -EINVAL;
1da177e4 538
af8e50cc
EP		 539 /* make sure we always check enough bits to cover the mask */
540 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
541
0d90a7ec 542 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 543 /* count the number of mount options for this sb */
af8e50cc 544 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 545 if (tmp & 0x01)
e0007529 546 opts->num_mnt_opts++;
c9180a57
EP		 547 tmp >>= 1;
548 }
11689d47 549 /* Check if the Label support flag is set */
0b4bdb35 550 if (sbsec->flags & SBLABEL_MNT)
11689d47 551 opts->num_mnt_opts++;
1da177e4 552
e0007529
EP		 553 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
554 if (!opts->mnt_opts) {
c9180a57
EP		 555 rc = -ENOMEM;
556 goto out_free;
557 }
1da177e4 558
e0007529
EP		 559 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
560 if (!opts->mnt_opts_flags) {
c9180a57
EP		 561 rc = -ENOMEM;
562 goto out_free;
563 }
1da177e4 564
c9180a57
EP		 565 i = 0;
566 if (sbsec->flags & FSCONTEXT_MNT) {
567 rc = security_sid_to_context(sbsec->sid, &context, &len);
568 if (rc)
569 goto out_free;
e0007529
EP		 570 opts->mnt_opts[i] = context;
571 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 572 }
573 if (sbsec->flags & CONTEXT_MNT) {
574 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
575 if (rc)
576 goto out_free;
e0007529
EP		 577 opts->mnt_opts[i] = context;
578 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 579 }
580 if (sbsec->flags & DEFCONTEXT_MNT) {
581 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
582 if (rc)
583 goto out_free;
e0007529
EP		 584 opts->mnt_opts[i] = context;
585 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 586 }
587 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5 588 struct dentry *root = sbsec->sb->s_root;
7a90fc39
CS		 589 struct inode_security_struct *isec =
590 backing_inode_security(root);
0808925e 591
c9180a57
EP		 592 rc = security_sid_to_context(isec->sid, &context, &len);
593 if (rc)
594 goto out_free;
e0007529
EP		 595 opts->mnt_opts[i] = context;
596 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 597 }
12f348b9 598 if (sbsec->flags & SBLABEL_MNT) {
11689d47 599 opts->mnt_opts[i] = NULL;
12f348b9 600 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 601 }
1da177e4 602
e0007529 603 BUG_ON(i != opts->num_mnt_opts);
1da177e4 604
c9180a57
EP		 605 return 0;
606
607out_free:
e0007529 608 security_free_mnt_opts(opts);
c9180a57
EP		 609 return rc;
610}
1da177e4 611
c9180a57
EP		 612static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 u32 old_sid, u32 new_sid)
614{
0d90a7ec
DQ		 615 char mnt_flags = sbsec->flags & SE_MNTMASK;
616
c9180a57 617 /* check if the old mount command had the same options */
0d90a7ec 618 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 619 if (!(sbsec->flags & flag) ||
620 (old_sid != new_sid))
621 return 1;
622
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
625 */
0d90a7ec
DQ		 626 if (!(sbsec->flags & SE_SBINITIALIZED))
627 if (mnt_flags & flag)
c9180a57
EP		 628 return 1;
629 return 0;
630}
e0007529 631
c9180a57
EP		 632/*
633 * Allow filesystems with binary mount data to explicitly set mount point
634 * labeling information.
635 */
e0007529 636static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 637 struct security_mnt_opts *opts,
638 unsigned long kern_flags,
639 unsigned long *set_kern_flags)
c9180a57 640{
275bb41e 641 const struct cred *cred = current_cred();
c9180a57 642 int rc = 0, i;
7a90fc39 643 struct superblock_security_struct *sbsec = selinux_superblock(sb);
29b1deb2 644 const char *name = sb->s_type->name;
83da53c5 645 struct dentry *root = sbsec->sb->s_root;
2c97165b 646 struct inode_security_struct *root_isec;
c9180a57
EP		 647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
648 u32 defcontext_sid = 0;
e0007529
EP		 649 char **mount_options = opts->mnt_opts;
650 int *flags = opts->mnt_opts_flags;
651 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 652
653 mutex_lock(&sbsec->lock);
654
655 if (!ss_initialized) {
656 if (!num_opts) {
657 /* Defer initialization until selinux_complete_init,
658 after the initial policy is loaded and the security
659 server is ready to handle calls. */
c9180a57
EP		 660 goto out;
661 }
662 rc = -EINVAL;
744ba35e
EP		 663 printk(KERN_WARNING "SELinux: Unable to set superblock options "
664 "before the security server is initialized\n");
1da177e4 665 goto out;
c9180a57 666 }
649f6e77
DQ		 667 if (kern_flags && !set_kern_flags) {
668 /* Specifying internal flags without providing a place to
669 * place the results is not allowed */
670 rc = -EINVAL;
671 goto out;
672 }
1da177e4 673
e0007529
EP		 674 /*
675 * Binary mount data FS will come through this function twice. Once
676 * from an explicit call and once from the generic calls from the vfs.
677 * Since the generic VFS calls will not contain any security mount data
678 * we need to skip the double mount verification.
679 *
680 * This does open a hole in which we will not notice if the first
681 * mount using this sb set explict options and a second mount using
682 * this sb does not set any security options. (The first options
683 * will be used for both mounts)
684 */
0d90a7ec 685 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 686 && (num_opts == 0))
f5269710 687 goto out;
e0007529 688
2c97165b
PM		 689 root_isec = backing_inode_security_novalidate(root);
690
c9180a57
EP		 691 /*
692 * parse the mount options, check if they are valid sids.
693 * also check if someone is trying to mount the same sb more
694 * than once with different security options.
695 */
696 for (i = 0; i < num_opts; i++) {
697 u32 sid;
11689d47 698
12f348b9 699 if (flags[i] == SBLABEL_MNT)
11689d47 700 continue;
44be2f65 701 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 702 if (rc) {
44be2f65 703 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 704 "(%s) failed for (dev %s, type %s) errno=%d\n",
705 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 706 goto out;
707 }
708 switch (flags[i]) {
709 case FSCONTEXT_MNT:
710 fscontext_sid = sid;
711
712 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
713 fscontext_sid))
714 goto out_double_mount;
715
716 sbsec->flags |= FSCONTEXT_MNT;
717 break;
718 case CONTEXT_MNT:
719 context_sid = sid;
720
721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
722 context_sid))
723 goto out_double_mount;
724
725 sbsec->flags |= CONTEXT_MNT;
726 break;
727 case ROOTCONTEXT_MNT:
728 rootcontext_sid = sid;
729
730 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
731 rootcontext_sid))
732 goto out_double_mount;
733
734 sbsec->flags |= ROOTCONTEXT_MNT;
735
736 break;
737 case DEFCONTEXT_MNT:
738 defcontext_sid = sid;
739
740 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
741 defcontext_sid))
742 goto out_double_mount;
743
744 sbsec->flags |= DEFCONTEXT_MNT;
745
746 break;
747 default:
748 rc = -EINVAL;
749 goto out;
1da177e4 750 }
c9180a57
EP		 751 }
752
0d90a7ec 753 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 754 /* previously mounted with options, but not on this attempt? */
0d90a7ec 755 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 756 goto out_double_mount;
757 rc = 0;
758 goto out;
759 }
760
089be43e 761 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 762 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
763
8e014720 764 if (!strcmp(sb->s_type->name, "debugfs") ||
6a391183 765 !strcmp(sb->s_type->name, "tracefs") ||
8e014720 766 !strcmp(sb->s_type->name, "sysfs") ||
901ef845
AM		 767 !strcmp(sb->s_type->name, "pstore") ||
768 !strcmp(sb->s_type->name, "cgroup") ||
769 !strcmp(sb->s_type->name, "cgroup2"))
134509d5 770 sbsec->flags |= SE_SBGENFS;
c9180a57 771
eb9ae686
DQ		 772 if (!sbsec->behavior) {
773 /*
774 * Determine the labeling behavior to use for this
775 * filesystem type.
776 */
98f700f3 777 rc = security_fs_use(sb);
eb9ae686
DQ		 778 if (rc) {
779 printk(KERN_WARNING
780 "%s: security_fs_use(%s) returned %d\n",
781 __func__, sb->s_type->name, rc);
782 goto out;
783 }
c9180a57 784 }
aad82892
SF		 785
786 /*
01593d32
SS		 787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
aad82892 790 */
01593d32
SS		 791 if (sb->s_user_ns != &init_user_ns &&
792 strcmp(sb->s_type->name, "tmpfs") &&
793 strcmp(sb->s_type->name, "ramfs") &&
794 strcmp(sb->s_type->name, "devpts")) {
aad82892
SF		 795 if (context_sid || fscontext_sid || rootcontext_sid ||
796 defcontext_sid) {
797 rc = -EACCES;
798 goto out;
799 }
800 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
801 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
802 rc = security_transition_sid(current_sid(), current_sid(),
803 SECCLASS_FILE, NULL,
804 &sbsec->mntpoint_sid);
805 if (rc)
806 goto out;
807 }
808 goto out_set_opts;
809 }
810
c9180a57
EP		 811 /* sets the context of the superblock for the fs being mounted. */
812 if (fscontext_sid) {
275bb41e 813 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 814 if (rc)
c9180a57 815 goto out;
1da177e4 816
c9180a57 817 sbsec->sid = fscontext_sid;
c312feb2
EP		 818 }
819
820 /*
821 * Switch to using mount point labeling behavior.
822 * sets the label used on all file below the mountpoint, and will set
823 * the superblock context if not already set.
824 */
eb9ae686
DQ		 825 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
826 sbsec->behavior = SECURITY_FS_USE_NATIVE;
827 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
828 }
829
c9180a57
EP		 830 if (context_sid) {
831 if (!fscontext_sid) {
275bb41e
DH		 832 rc = may_context_mount_sb_relabel(context_sid, sbsec,
833 cred);
b04ea3ce 834 if (rc)
c9180a57
EP		 835 goto out;
836 sbsec->sid = context_sid;
b04ea3ce 837 } else {
275bb41e
DH		 838 rc = may_context_mount_inode_relabel(context_sid, sbsec,
839 cred);
b04ea3ce 840 if (rc)
c9180a57 841 goto out;
b04ea3ce 842 }
c9180a57
EP		 843 if (!rootcontext_sid)
844 rootcontext_sid = context_sid;
1da177e4 845
c9180a57 846 sbsec->mntpoint_sid = context_sid;
c312feb2 847 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 848 }
849
c9180a57 850 if (rootcontext_sid) {
275bb41e
DH		 851 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
852 cred);
0808925e 853 if (rc)
c9180a57 854 goto out;
0808925e 855
c9180a57 856 root_isec->sid = rootcontext_sid;
6f3be9f5 857 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 858 }
859
c9180a57 860 if (defcontext_sid) {
eb9ae686
DQ		 861 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
862 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 863 rc = -EINVAL;
864 printk(KERN_WARNING "SELinux: defcontext option is "
865 "invalid for this filesystem type\n");
866 goto out;
1da177e4
LT		 867 }
868
c9180a57
EP		 869 if (defcontext_sid != sbsec->def_sid) {
870 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 871 sbsec, cred);
c9180a57
EP		 872 if (rc)
873 goto out;
874 }
1da177e4 875
c9180a57 876 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 877 }
878
aad82892 879out_set_opts:
c9180a57 880 rc = sb_finish_set_opts(sb);
1da177e4 881out:
c9180a57 882 mutex_unlock(&sbsec->lock);
1da177e4 883 return rc;
c9180a57
EP		 884out_double_mount:
885 rc = -EINVAL;
886 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 887 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 888 goto out;
1da177e4
LT		 889}
890
094f7b69
JL		 891static int selinux_cmp_sb_context(const struct super_block *oldsb,
892 const struct super_block *newsb)
893{
7a90fc39
CS		 894 struct superblock_security_struct *old = selinux_superblock(oldsb);
895 struct superblock_security_struct *new = selinux_superblock(newsb);
094f7b69
JL		 896 char oldflags = old->flags & SE_MNTMASK;
897 char newflags = new->flags & SE_MNTMASK;
898
899 if (oldflags != newflags)
900 goto mismatch;
901 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
902 goto mismatch;
903 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
904 goto mismatch;
905 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
906 goto mismatch;
907 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 908 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
909 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 910 if (oldroot->sid != newroot->sid)
911 goto mismatch;
912 }
913 return 0;
914mismatch:
915 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
916 "different security settings for (dev %s, "
917 "type %s)\n", newsb->s_id, newsb->s_type->name);
918 return -EBUSY;
919}
920
921static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 922 struct super_block *newsb,
923 unsigned long kern_flags,
924 unsigned long *set_kern_flags)
1da177e4 925{
0b4d3452 926 int rc = 0;
7a90fc39
CS		 927 const struct superblock_security_struct *oldsbsec =
928 selinux_superblock(oldsb);
929 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
1da177e4 930
c9180a57
EP		 931 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
932 int set_context = (oldsbsec->flags & CONTEXT_MNT);
933 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 934
0f5e6420
EP		 935 /*
936 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 937 * mount options. thus we can safely deal with this superblock later
0f5e6420 938 */
e8c26255 939 if (!ss_initialized)
094f7b69 940 return 0;
c9180a57 941
0b4d3452
SM		 942 /*
943 * Specifying internal flags without providing a place to
944 * place the results is not allowed.
945 */
946 if (kern_flags && !set_kern_flags)
947 return -EINVAL;
948
c9180a57 949 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 951
094f7b69 952 /* if fs is reusing a sb, make sure that the contexts match */
9a61bc5a
BF		 953 if (newsbsec->flags & SE_SBINITIALIZED) {
954 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
955 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
094f7b69 956 return selinux_cmp_sb_context(oldsb, newsb);
9a61bc5a 957 }
5a552617 958
c9180a57
EP		 959 mutex_lock(&newsbsec->lock);
960
961 newsbsec->flags = oldsbsec->flags;
962
963 newsbsec->sid = oldsbsec->sid;
964 newsbsec->def_sid = oldsbsec->def_sid;
965 newsbsec->behavior = oldsbsec->behavior;
966
0b4d3452
SM		 967 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
968 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
969 rc = security_fs_use(newsb);
970 if (rc)
971 goto out;
972 }
973
974 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
975 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
976 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
977 }
978
c9180a57
EP		 979 if (set_context) {
980 u32 sid = oldsbsec->mntpoint_sid;
981
982 if (!set_fscontext)
983 newsbsec->sid = sid;
984 if (!set_rootcontext) {
7a90fc39
CS		 985 struct inode_security_struct *newisec =
986 backing_inode_security(newsb->s_root);
c9180a57
EP		 987 newisec->sid = sid;
988 }
989 newsbsec->mntpoint_sid = sid;
1da177e4 990 }
c9180a57 991 if (set_rootcontext) {
7a90fc39
CS		 992 const struct inode_security_struct *oldisec =
993 backing_inode_security(oldsb->s_root);
994 struct inode_security_struct *newisec =
995 backing_inode_security(newsb->s_root);
1da177e4 996
c9180a57 997 newisec->sid = oldisec->sid;
1da177e4
LT		 998 }
999
c9180a57 1000 sb_finish_set_opts(newsb);
0b4d3452 1001out:
c9180a57 1002 mutex_unlock(&newsbsec->lock);
0b4d3452 1003 return rc;
c9180a57
EP		 1004}
1005
2e1479d9
AB		 1006static int selinux_parse_opts_str(char *options,
1007 struct security_mnt_opts *opts)
c9180a57 1008{
e0007529 1009 char *p;
c9180a57
EP		 1010 char *context = NULL, *defcontext = NULL;
1011 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1012 int rc, num_mnt_opts = 0;
1da177e4 1013
e0007529 1014 opts->num_mnt_opts = 0;
1da177e4 1015
c9180a57
EP		 1016 /* Standard string-based options. */
1017 while ((p = strsep(&options, "|")) != NULL) {
1018 int token;
1019 substring_t args[MAX_OPT_ARGS];
1da177e4 1020
c9180a57
EP		 1021 if (!*p)
1022 continue;
1da177e4 1023
c9180a57 1024 token = match_token(p, tokens, args);
1da177e4 1025
c9180a57
EP		 1026 switch (token) {
1027 case Opt_context:
1028 if (context || defcontext) {
1029 rc = -EINVAL;
1030 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1031 goto out_err;
1032 }
1033 context = match_strdup(&args[0]);
1034 if (!context) {
1035 rc = -ENOMEM;
1036 goto out_err;
1037 }
1038 break;
1039
1040 case Opt_fscontext:
1041 if (fscontext) {
1042 rc = -EINVAL;
1043 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1044 goto out_err;
1045 }
1046 fscontext = match_strdup(&args[0]);
1047 if (!fscontext) {
1048 rc = -ENOMEM;
1049 goto out_err;
1050 }
1051 break;
1052
1053 case Opt_rootcontext:
1054 if (rootcontext) {
1055 rc = -EINVAL;
1056 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1057 goto out_err;
1058 }
1059 rootcontext = match_strdup(&args[0]);
1060 if (!rootcontext) {
1061 rc = -ENOMEM;
1062 goto out_err;
1063 }
1064 break;
1065
1066 case Opt_defcontext:
1067 if (context || defcontext) {
1068 rc = -EINVAL;
1069 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1070 goto out_err;
1071 }
1072 defcontext = match_strdup(&args[0]);
1073 if (!defcontext) {
1074 rc = -ENOMEM;
1075 goto out_err;
1076 }
1077 break;
11689d47
DQ		 1078 case Opt_labelsupport:
1079 break;
c9180a57
EP		 1080 default:
1081 rc = -EINVAL;
1082 printk(KERN_WARNING "SELinux: unknown mount option\n");
1083 goto out_err;
1da177e4 1084
1da177e4 1085 }
1da177e4 1086 }
c9180a57 1087
e0007529 1088 rc = -ENOMEM;
8931c3bd 1089 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
e0007529
EP		 1090 if (!opts->mnt_opts)
1091 goto out_err;
1092
8931c3bd
TH		 1093 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1094 GFP_KERNEL);
023f108d 1095 if (!opts->mnt_opts_flags)
e0007529 1096 goto out_err;
e0007529 1097
c9180a57 1098 if (fscontext) {
e0007529
EP		 1099 opts->mnt_opts[num_mnt_opts] = fscontext;
1100 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1101 }
1102 if (context) {
e0007529
EP		 1103 opts->mnt_opts[num_mnt_opts] = context;
1104 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1105 }
1106 if (rootcontext) {
e0007529
EP		 1107 opts->mnt_opts[num_mnt_opts] = rootcontext;
1108 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1109 }
1110 if (defcontext) {
e0007529
EP		 1111 opts->mnt_opts[num_mnt_opts] = defcontext;
1112 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1113 }
1114
e0007529
EP		 1115 opts->num_mnt_opts = num_mnt_opts;
1116 return 0;
1117
c9180a57 1118out_err:
023f108d 1119 security_free_mnt_opts(opts);
c9180a57
EP		 1120 kfree(context);
1121 kfree(defcontext);
1122 kfree(fscontext);
1123 kfree(rootcontext);
1da177e4
LT		 1124 return rc;
1125}
e0007529
EP		 1126/*
1127 * string mount options parsing and call set the sbsec
1128 */
1129static int superblock_doinit(struct super_block *sb, void *data)
1130{
1131 int rc = 0;
1132 char *options = data;
1133 struct security_mnt_opts opts;
1134
1135 security_init_mnt_opts(&opts);
1136
1137 if (!data)
1138 goto out;
1139
1140 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1141
1142 rc = selinux_parse_opts_str(options, &opts);
1143 if (rc)
1144 goto out_err;
1145
1146out:
649f6e77 1147 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1148
1149out_err:
1150 security_free_mnt_opts(&opts);
1151 return rc;
1152}
1da177e4 1153
3583a711
AB		 1154static void selinux_write_opts(struct seq_file *m,
1155 struct security_mnt_opts *opts)
2069f457
EP		 1156{
1157 int i;
1158 char *prefix;
1159
1160 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1161 char *has_comma;
1162
1163 if (opts->mnt_opts[i])
1164 has_comma = strchr(opts->mnt_opts[i], ',');
1165 else
1166 has_comma = NULL;
2069f457
EP		 1167
1168 switch (opts->mnt_opts_flags[i]) {
1169 case CONTEXT_MNT:
1170 prefix = CONTEXT_STR;
1171 break;
1172 case FSCONTEXT_MNT:
1173 prefix = FSCONTEXT_STR;
1174 break;
1175 case ROOTCONTEXT_MNT:
1176 prefix = ROOTCONTEXT_STR;
1177 break;
1178 case DEFCONTEXT_MNT:
1179 prefix = DEFCONTEXT_STR;
1180 break;
12f348b9 1181 case SBLABEL_MNT:
11689d47
DQ		 1182 seq_putc(m, ',');
1183 seq_puts(m, LABELSUPP_STR);
1184 continue;
2069f457
EP		 1185 default:
1186 BUG();
a35c6c83 1187 return;
2069f457
EP		 1188 };
1189 /* we need a comma before each option */
1190 seq_putc(m, ',');
1191 seq_puts(m, prefix);
1192 if (has_comma)
1193 seq_putc(m, '\"');
a068acf2 1194 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1195 if (has_comma)
1196 seq_putc(m, '\"');
1197 }
1198}
1199
1200static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1201{
1202 struct security_mnt_opts opts;
1203 int rc;
1204
1205 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1206 if (rc) {
1207 /* before policy load we may get EINVAL, don't show anything */
1208 if (rc == -EINVAL)
1209 rc = 0;
2069f457 1210 return rc;
383795c2 1211 }
2069f457
EP		 1212
1213 selinux_write_opts(m, &opts);
1214
1215 security_free_mnt_opts(&opts);
1216
1217 return rc;
1218}
1219
1da177e4
LT		 1220static inline u16 inode_mode_to_security_class(umode_t mode)
1221{
1222 switch (mode & S_IFMT) {
1223 case S_IFSOCK:
1224 return SECCLASS_SOCK_FILE;
1225 case S_IFLNK:
1226 return SECCLASS_LNK_FILE;
1227 case S_IFREG:
1228 return SECCLASS_FILE;
1229 case S_IFBLK:
1230 return SECCLASS_BLK_FILE;
1231 case S_IFDIR:
1232 return SECCLASS_DIR;
1233 case S_IFCHR:
1234 return SECCLASS_CHR_FILE;
1235 case S_IFIFO:
1236 return SECCLASS_FIFO_FILE;
1237
1238 }
1239
1240 return SECCLASS_FILE;
1241}
1242
13402580
JM		 1243static inline int default_protocol_stream(int protocol)
1244{
1245 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1246}
1247
1248static inline int default_protocol_dgram(int protocol)
1249{
1250 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1251}
1252
1da177e4
LT		 1253static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1254{
da69a530
SS		 1255 int extsockclass = selinux_policycap_extsockclass;
1256
1da177e4
LT		 1257 switch (family) {
1258 case PF_UNIX:
1259 switch (type) {
1260 case SOCK_STREAM:
1261 case SOCK_SEQPACKET:
1262 return SECCLASS_UNIX_STREAM_SOCKET;
1263 case SOCK_DGRAM:
2a764b52 1264 case SOCK_RAW:
1da177e4
LT		 1265 return SECCLASS_UNIX_DGRAM_SOCKET;
1266 }
1267 break;
1268 case PF_INET:
1269 case PF_INET6:
1270 switch (type) {
1271 case SOCK_STREAM:
da69a530 1272 case SOCK_SEQPACKET:
13402580
JM		 1273 if (default_protocol_stream(protocol))
1274 return SECCLASS_TCP_SOCKET;
da69a530
SS		 1275 else if (extsockclass && protocol == IPPROTO_SCTP)
1276 return SECCLASS_SCTP_SOCKET;
13402580
JM		 1277 else
1278 return SECCLASS_RAWIP_SOCKET;
1da177e4 1279 case SOCK_DGRAM:
13402580
JM		 1280 if (default_protocol_dgram(protocol))
1281 return SECCLASS_UDP_SOCKET;
ef37979a
SS		 1282 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1283 protocol == IPPROTO_ICMPV6))
da69a530 1284 return SECCLASS_ICMP_SOCKET;
13402580
JM		 1285 else
1286 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1287 case SOCK_DCCP:
1288 return SECCLASS_DCCP_SOCKET;
13402580 1289 default:
1da177e4
LT		 1290 return SECCLASS_RAWIP_SOCKET;
1291 }
1292 break;
1293 case PF_NETLINK:
1294 switch (protocol) {
1295 case NETLINK_ROUTE:
1296 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1297 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1298 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1299 case NETLINK_NFLOG:
1300 return SECCLASS_NETLINK_NFLOG_SOCKET;
1301 case NETLINK_XFRM:
1302 return SECCLASS_NETLINK_XFRM_SOCKET;
1303 case NETLINK_SELINUX:
1304 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1305 case NETLINK_ISCSI:
1306 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1307 case NETLINK_AUDIT:
1308 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1309 case NETLINK_FIB_LOOKUP:
1310 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1311 case NETLINK_CONNECTOR:
1312 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1313 case NETLINK_NETFILTER:
1314 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1315 case NETLINK_DNRTMSG:
1316 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1317 case NETLINK_KOBJECT_UEVENT:
1318 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1319 case NETLINK_GENERIC:
1320 return SECCLASS_NETLINK_GENERIC_SOCKET;
1321 case NETLINK_SCSITRANSPORT:
1322 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1323 case NETLINK_RDMA:
1324 return SECCLASS_NETLINK_RDMA_SOCKET;
1325 case NETLINK_CRYPTO:
1326 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1327 default:
1328 return SECCLASS_NETLINK_SOCKET;
1329 }
1330 case PF_PACKET:
1331 return SECCLASS_PACKET_SOCKET;
1332 case PF_KEY:
1333 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1334 case PF_APPLETALK:
1335 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1336 }
1337
da69a530
SS		 1338 if (extsockclass) {
1339 switch (family) {
1340 case PF_AX25:
1341 return SECCLASS_AX25_SOCKET;
1342 case PF_IPX:
1343 return SECCLASS_IPX_SOCKET;
1344 case PF_NETROM:
1345 return SECCLASS_NETROM_SOCKET;
da69a530
SS		 1346 case PF_ATMPVC:
1347 return SECCLASS_ATMPVC_SOCKET;
1348 case PF_X25:
1349 return SECCLASS_X25_SOCKET;
1350 case PF_ROSE:
1351 return SECCLASS_ROSE_SOCKET;
1352 case PF_DECnet:
1353 return SECCLASS_DECNET_SOCKET;
1354 case PF_ATMSVC:
1355 return SECCLASS_ATMSVC_SOCKET;
1356 case PF_RDS:
1357 return SECCLASS_RDS_SOCKET;
1358 case PF_IRDA:
1359 return SECCLASS_IRDA_SOCKET;
1360 case PF_PPPOX:
1361 return SECCLASS_PPPOX_SOCKET;
1362 case PF_LLC:
1363 return SECCLASS_LLC_SOCKET;
da69a530
SS		 1364 case PF_CAN:
1365 return SECCLASS_CAN_SOCKET;
1366 case PF_TIPC:
1367 return SECCLASS_TIPC_SOCKET;
1368 case PF_BLUETOOTH:
1369 return SECCLASS_BLUETOOTH_SOCKET;
1370 case PF_IUCV:
1371 return SECCLASS_IUCV_SOCKET;
1372 case PF_RXRPC:
1373 return SECCLASS_RXRPC_SOCKET;
1374 case PF_ISDN:
1375 return SECCLASS_ISDN_SOCKET;
1376 case PF_PHONET:
1377 return SECCLASS_PHONET_SOCKET;
1378 case PF_IEEE802154:
1379 return SECCLASS_IEEE802154_SOCKET;
1380 case PF_CAIF:
1381 return SECCLASS_CAIF_SOCKET;
1382 case PF_ALG:
1383 return SECCLASS_ALG_SOCKET;
1384 case PF_NFC:
1385 return SECCLASS_NFC_SOCKET;
1386 case PF_VSOCK:
1387 return SECCLASS_VSOCK_SOCKET;
1388 case PF_KCM:
1389 return SECCLASS_KCM_SOCKET;
1390 case PF_QIPCRTR:
1391 return SECCLASS_QIPCRTR_SOCKET;
3051bf36
LT		 1392 case PF_SMC:
1393 return SECCLASS_SMC_SOCKET;
1394#if PF_MAX > 44
da69a530
SS		 1395#error New address family defined, please update this function.
1396#endif
1397 }
1398 }
1399
1da177e4
LT		 1400 return SECCLASS_SOCKET;
1401}
1402
134509d5
SS		 1403static int selinux_genfs_get_sid(struct dentry *dentry,
1404 u16 tclass,
1405 u16 flags,
1406 u32 *sid)
1da177e4 1407{
8e6c9693 1408 int rc;
fc64005c 1409 struct super_block *sb = dentry->d_sb;
8e6c9693 1410 char *buffer, *path;
1da177e4 1411
828dfe1d 1412 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1413 if (!buffer)
1414 return -ENOMEM;
1415
8e6c9693
LAG		 1416 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1417 if (IS_ERR(path))
1418 rc = PTR_ERR(path);
1419 else {
134509d5
SS		 1420 if (flags & SE_SBPROC) {
1421 /* each process gets a /proc/PID/ entry. Strip off the
1422 * PID part to get a valid selinux labeling.
1423 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1424 while (path[1] >= '0' && path[1] <= '9') {
1425 path[1] = '/';
1426 path++;
1427 }
8e6c9693 1428 }
134509d5 1429 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
7c5f3445
SS		 1430 if (rc == -ENOENT) {
1431 /* No match in policy, mark as unlabeled. */
1432 *sid = SECINITSID_UNLABELED;
1433 rc = 0;
1434 }
1da177e4 1435 }
1da177e4
LT		 1436 free_page((unsigned long)buffer);
1437 return rc;
1438}
1da177e4
LT		 1439
1440/* The inode's security attributes must be initialized before first use. */
1441static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1442{
1443 struct superblock_security_struct *sbsec = NULL;
7a90fc39 1444 struct inode_security_struct *isec = selinux_inode(inode);
9287aed2
AG		 1445 u32 task_sid, sid = 0;
1446 u16 sclass;
1da177e4
LT		 1447 struct dentry *dentry;
1448#define INITCONTEXTLEN 255
1449 char *context = NULL;
1450 unsigned len = 0;
1451 int rc = 0;
1da177e4 1452
6f3be9f5 1453 if (isec->initialized == LABEL_INITIALIZED)
13457d07 1454 return 0;
1da177e4 1455
9287aed2 1456 spin_lock(&isec->lock);
6f3be9f5 1457 if (isec->initialized == LABEL_INITIALIZED)
23970741 1458 goto out_unlock;
1da177e4 1459
13457d07
AG		 1460 if (isec->sclass == SECCLASS_FILE)
1461 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1462
7a90fc39 1463 sbsec = selinux_superblock(inode->i_sb);
0d90a7ec 1464 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1465 /* Defer initialization until selinux_complete_init,
1466 after the initial policy is loaded and the security
1467 server is ready to handle calls. */
1468 spin_lock(&sbsec->isec_lock);
1469 if (list_empty(&isec->list))
1470 list_add(&isec->list, &sbsec->isec_head);
1471 spin_unlock(&sbsec->isec_lock);
23970741 1472 goto out_unlock;
1da177e4
LT		 1473 }
1474
9287aed2
AG		 1475 sclass = isec->sclass;
1476 task_sid = isec->task_sid;
1477 sid = isec->sid;
1478 isec->initialized = LABEL_PENDING;
1479 spin_unlock(&isec->lock);
1480
1da177e4 1481 switch (sbsec->behavior) {
eb9ae686
DQ		 1482 case SECURITY_FS_USE_NATIVE:
1483 break;
1da177e4 1484 case SECURITY_FS_USE_XATTR:
5d6c3191 1485 if (!(inode->i_opflags & IOP_XATTR)) {
9287aed2 1486 sid = sbsec->def_sid;
1da177e4
LT		 1487 break;
1488 }
1da177e4
LT		 1489 /* Need a dentry, since the xattr API requires one.
1490 Life would be simpler if we could just pass the inode. */
1491 if (opt_dentry) {
1492 /* Called from d_instantiate or d_splice_alias. */
1493 dentry = dget(opt_dentry);
1494 } else {
26b45d71
AV		 1495 /*
1496 * Called from selinux_complete_init, try to find a dentry.
1497 * Some filesystems really want a connected one, so try
1498 * that first. We could split SECURITY_FS_USE_XATTR in
1499 * two, depending upon that...
1500 */
1da177e4 1501 dentry = d_find_alias(inode);
26b45d71
AV		 1502 if (!dentry)
1503 dentry = d_find_any_alias(inode);
1da177e4
LT		 1504 }
1505 if (!dentry) {
df7f54c0
EP		 1506 /*
1507 * this is can be hit on boot when a file is accessed
1508 * before the policy is loaded. When we load policy we
1509 * may find inodes that have no dentry on the
1510 * sbsec->isec_head list. No reason to complain as these
1511 * will get fixed up the next time we go through
1512 * inode_doinit with a dentry, before these inodes could
1513 * be used again by userspace.
1514 */
9287aed2 1515 goto out;
1da177e4
LT		 1516 }
1517
1518 len = INITCONTEXTLEN;
4cb912f1 1519 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1520 if (!context) {
1521 rc = -ENOMEM;
1522 dput(dentry);
9287aed2 1523 goto out;
1da177e4 1524 }
4cb912f1 1525 context[len] = '\0';
5d6c3191 1526 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4 1527 if (rc == -ERANGE) {
314dabb8
JM		 1528 kfree(context);
1529
1da177e4 1530 /* Need a larger buffer. Query for the right size. */
5d6c3191 1531 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1da177e4
LT		 1532 if (rc < 0) {
1533 dput(dentry);
9287aed2 1534 goto out;
1da177e4 1535 }
1da177e4 1536 len = rc;
4cb912f1 1537 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1538 if (!context) {
1539 rc = -ENOMEM;
1540 dput(dentry);
9287aed2 1541 goto out;
1da177e4 1542 }
4cb912f1 1543 context[len] = '\0';
5d6c3191 1544 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1da177e4
LT		 1545 }
1546 dput(dentry);
1547 if (rc < 0) {
1548 if (rc != -ENODATA) {
744ba35e 1549 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1550 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1551 -rc, inode->i_sb->s_id, inode->i_ino);
1552 kfree(context);
9287aed2 1553 goto out;
1da177e4
LT		 1554 }
1555 /* Map ENODATA to the default file SID */
1556 sid = sbsec->def_sid;
1557 rc = 0;
1558 } else {
f5c1d5b2 1559 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1560 sbsec->def_sid,
1561 GFP_NOFS);
1da177e4 1562 if (rc) {
4ba0a8ad
EP		 1563 char *dev = inode->i_sb->s_id;
1564 unsigned long ino = inode->i_ino;
1565
1566 if (rc == -EINVAL) {
1567 if (printk_ratelimit())
1568 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1569 "context=%s. This indicates you may need to relabel the inode or the "
1570 "filesystem in question.\n", ino, dev, context);
1571 } else {
1572 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1573 "returned %d for dev=%s ino=%ld\n",
1574 __func__, context, -rc, dev, ino);
1575 }
1da177e4
LT		 1576 kfree(context);
1577 /* Leave with the unlabeled SID */
1578 rc = 0;
1579 break;
1580 }
1581 }
1582 kfree(context);
1da177e4
LT		 1583 break;
1584 case SECURITY_FS_USE_TASK:
9287aed2 1585 sid = task_sid;
1da177e4
LT		 1586 break;
1587 case SECURITY_FS_USE_TRANS:
1588 /* Default to the fs SID. */
9287aed2 1589 sid = sbsec->sid;
1da177e4
LT		 1590
1591 /* Try to obtain a transition SID. */
9287aed2 1592 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1da177e4 1593 if (rc)
9287aed2 1594 goto out;
1da177e4 1595 break;
c312feb2 1596 case SECURITY_FS_USE_MNTPOINT:
9287aed2 1597 sid = sbsec->mntpoint_sid;
c312feb2 1598 break;
1da177e4 1599 default:
c312feb2 1600 /* Default to the fs superblock SID. */
9287aed2 1601 sid = sbsec->sid;
1da177e4 1602
134509d5 1603 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1604 /* We must have a dentry to determine the label on
1605 * procfs inodes */
26b45d71 1606 if (opt_dentry) {
f64410ec
PM		 1607 /* Called from d_instantiate or
1608 * d_splice_alias. */
1609 dentry = dget(opt_dentry);
26b45d71 1610 } else {
f64410ec 1611 /* Called from selinux_complete_init, try to
26b45d71
AV		 1612 * find a dentry. Some filesystems really want
1613 * a connected one, so try that first.
1614 */
f64410ec 1615 dentry = d_find_alias(inode);
26b45d71
AV		 1616 if (!dentry)
1617 dentry = d_find_any_alias(inode);
1618 }
f64410ec
PM		 1619 /*
1620 * This can be hit on boot when a file is accessed
1621 * before the policy is loaded. When we load policy we
1622 * may find inodes that have no dentry on the
1623 * sbsec->isec_head list. No reason to complain as
1624 * these will get fixed up the next time we go through
1625 * inode_doinit() with a dentry, before these inodes
1626 * could be used again by userspace.
1627 */
1628 if (!dentry)
9287aed2
AG		 1629 goto out;
1630 rc = selinux_genfs_get_sid(dentry, sclass,
134509d5 1631 sbsec->flags, &sid);
f64410ec
PM		 1632 dput(dentry);
1633 if (rc)
9287aed2 1634 goto out;
1da177e4
LT		 1635 }
1636 break;
1637 }
1638
9287aed2
AG		 1639out:
1640 spin_lock(&isec->lock);
1641 if (isec->initialized == LABEL_PENDING) {
1642 if (!sid || rc) {
1643 isec->initialized = LABEL_INVALID;
1644 goto out_unlock;
1645 }
1646
1647 isec->initialized = LABEL_INITIALIZED;
1648 isec->sid = sid;
1649 }
1da177e4 1650
23970741 1651out_unlock:
9287aed2 1652 spin_unlock(&isec->lock);
1da177e4
LT		 1653 return rc;
1654}
1655
1656/* Convert a Linux signal to an access vector. */
1657static inline u32 signal_to_av(int sig)
1658{
1659 u32 perm = 0;
1660
1661 switch (sig) {
1662 case SIGCHLD:
1663 /* Commonly granted from child to parent. */
1664 perm = PROCESS__SIGCHLD;
1665 break;
1666 case SIGKILL:
1667 /* Cannot be caught or ignored */
1668 perm = PROCESS__SIGKILL;
1669 break;
1670 case SIGSTOP:
1671 /* Cannot be caught or ignored */
1672 perm = PROCESS__SIGSTOP;
1673 break;
1674 default:
1675 /* All other signals. */
1676 perm = PROCESS__SIGNAL;
1677 break;
1678 }
1679
1680 return perm;
1681}
1682
b68e418c
SS		 1683#if CAP_LAST_CAP > 63
1684#error Fix SELinux to handle capabilities > 63.
1685#endif
1686
1da177e4 1687/* Check whether a task is allowed to use a capability. */
6a9de491 1688static int cred_has_capability(const struct cred *cred,
8e4ff6f2 1689 int cap, int audit, bool initns)
1da177e4 1690{
2bf49690 1691 struct common_audit_data ad;
06112163 1692 struct av_decision avd;
b68e418c 1693 u16 sclass;
3699c53c 1694 u32 sid = cred_sid(cred);
b68e418c 1695 u32 av = CAP_TO_MASK(cap);
06112163 1696 int rc;
1da177e4 1697
50c205f5 1698 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1699 ad.u.cap = cap;
1700
b68e418c
SS		 1701 switch (CAP_TO_INDEX(cap)) {
1702 case 0:
8e4ff6f2 1703 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
b68e418c
SS		 1704 break;
1705 case 1:
8e4ff6f2 1706 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
b68e418c
SS		 1707 break;
1708 default:
1709 printk(KERN_ERR
1710 "SELinux: out of range capability %d\n", cap);
1711 BUG();
a35c6c83 1712 return -EINVAL;
b68e418c 1713 }
06112163 1714
275bb41e 1715 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1716 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1717 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1718 if (rc2)
1719 return rc2;
1720 }
06112163 1721 return rc;
1da177e4
LT		 1722}
1723
1da177e4
LT		 1724/* Check whether a task has a particular permission to an inode.
1725 The 'adp' parameter is optional and allows other audit
1726 data to be passed (e.g. the dentry). */
88e67f3b 1727static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1728 struct inode *inode,
1729 u32 perms,
19e49834 1730 struct common_audit_data *adp)
1da177e4 1731{
1da177e4 1732 struct inode_security_struct *isec;
275bb41e 1733 u32 sid;
1da177e4 1734
e0e81739
DH		 1735 validate_creds(cred);
1736
828dfe1d 1737 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1738 return 0;
1739
88e67f3b 1740 sid = cred_sid(cred);
7a90fc39 1741 isec = selinux_inode(inode);
1da177e4 1742
19e49834 1743 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1744}
1745
1746/* Same as inode_has_perm, but pass explicit audit data containing
1747 the dentry to help the auditing code to more easily generate the
1748 pathname if needed. */
88e67f3b 1749static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1750 struct dentry *dentry,
1751 u32 av)
1752{
c6f493d6 1753 struct inode *inode = d_backing_inode(dentry);
2bf49690 1754 struct common_audit_data ad;
88e67f3b 1755
50c205f5 1756 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1757 ad.u.dentry = dentry;
5d226df4 1758 __inode_security_revalidate(inode, dentry, true);
19e49834 1759 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1760}
1761
1762/* Same as inode_has_perm, but pass explicit audit data containing
1763 the path to help the auditing code to more easily generate the
1764 pathname if needed. */
1765static inline int path_has_perm(const struct cred *cred,
3f7036a0 1766 const struct path *path,
2875fa00
EP		 1767 u32 av)
1768{
c6f493d6 1769 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1770 struct common_audit_data ad;
1771
50c205f5 1772 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1773 ad.u.path = *path;
5d226df4 1774 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1775 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1776}
1777
13f8e981
DH		 1778/* Same as path_has_perm, but uses the inode from the file struct. */
1779static inline int file_path_has_perm(const struct cred *cred,
1780 struct file *file,
1781 u32 av)
1782{
1783 struct common_audit_data ad;
1784
43af5de7
VG		 1785 ad.type = LSM_AUDIT_DATA_FILE;
1786 ad.u.file = file;
19e49834 1787 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1788}
1789
f66e448c
CF		 1790#ifdef CONFIG_BPF_SYSCALL
1791static int bpf_fd_pass(struct file *file, u32 sid);
1792#endif
1793
1da177e4
LT		 1794/* Check whether a task can use an open file descriptor to
1795 access an inode in a given way. Check access to the
1796 descriptor itself, and then use dentry_has_perm to
1797 check a particular permission to the file.
1798 Access to the descriptor is implicitly granted if it
1799 has the same SID as the process. If av is zero, then
1800 access to the file is not checked, e.g. for cases
1801 where only the descriptor is affected like seek. */
88e67f3b
DH		 1802static int file_has_perm(const struct cred *cred,
1803 struct file *file,
1804 u32 av)
1da177e4 1805{
ab9b110b 1806 struct file_security_struct *fsec = selinux_file(file);
496ad9aa 1807 struct inode *inode = file_inode(file);
2bf49690 1808 struct common_audit_data ad;
88e67f3b 1809 u32 sid = cred_sid(cred);
1da177e4
LT		 1810 int rc;
1811
43af5de7
VG		 1812 ad.type = LSM_AUDIT_DATA_FILE;
1813 ad.u.file = file;
1da177e4 1814
275bb41e
DH		 1815 if (sid != fsec->sid) {
1816 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1817 SECCLASS_FD,
1818 FD__USE,
1819 &ad);
1820 if (rc)
88e67f3b 1821 goto out;
1da177e4
LT		 1822 }
1823
f66e448c
CF		 1824#ifdef CONFIG_BPF_SYSCALL
1825 rc = bpf_fd_pass(file, cred_sid(cred));
1826 if (rc)
1827 return rc;
1828#endif
1829
1da177e4 1830 /* av is zero if only checking access to the descriptor. */
88e67f3b 1831 rc = 0;
1da177e4 1832 if (av)
19e49834 1833 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1834
88e67f3b
DH		 1835out:
1836 return rc;
1da177e4
LT		 1837}
1838
c3c188b2
DH		 1839/*
1840 * Determine the label for an inode that might be unioned.
1841 */
c957f6df
VG		 1842static int
1843selinux_determine_inode_label(const struct task_security_struct *tsec,
1844 struct inode *dir,
1845 const struct qstr *name, u16 tclass,
1846 u32 *_new_isid)
c3c188b2 1847{
7a90fc39
CS		 1848 const struct superblock_security_struct *sbsec =
1849 selinux_superblock(dir->i_sb);
c3c188b2
DH		 1850
1851 if ((sbsec->flags & SE_SBINITIALIZED) &&
1852 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1853 *_new_isid = sbsec->mntpoint_sid;
1854 } else if ((sbsec->flags & SBLABEL_MNT) &&
1855 tsec->create_sid) {
1856 *_new_isid = tsec->create_sid;
1857 } else {
20cdef8d 1858 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1859 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1860 name, _new_isid);
1861 }
1862
1863 return 0;
1864}
1865
1da177e4
LT		 1866/* Check whether a task can create a file. */
1867static int may_create(struct inode *dir,
1868 struct dentry *dentry,
1869 u16 tclass)
1870{
f1efc8c4 1871 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4
LT		 1872 struct inode_security_struct *dsec;
1873 struct superblock_security_struct *sbsec;
275bb41e 1874 u32 sid, newsid;
2bf49690 1875 struct common_audit_data ad;
1da177e4
LT		 1876 int rc;
1877
83da53c5 1878 dsec = inode_security(dir);
7a90fc39 1879 sbsec = selinux_superblock(dir->i_sb);
1da177e4 1880
275bb41e 1881 sid = tsec->sid;
275bb41e 1882
50c205f5 1883 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1884 ad.u.dentry = dentry;
1da177e4 1885
275bb41e 1886 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1887 DIR__ADD_NAME | DIR__SEARCH,
1888 &ad);
1889 if (rc)
1890 return rc;
1891
f1efc8c4 1892 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
c957f6df 1893 &dentry->d_name, tclass, &newsid);
c3c188b2
DH		 1894 if (rc)
1895 return rc;
1da177e4 1896
275bb41e 1897 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1898 if (rc)
1899 return rc;
1900
1901 return avc_has_perm(newsid, sbsec->sid,
1902 SECCLASS_FILESYSTEM,
1903 FILESYSTEM__ASSOCIATE, &ad);
1904}
1905
828dfe1d
EP		 1906#define MAY_LINK 0
1907#define MAY_UNLINK 1
1908#define MAY_RMDIR 2
1da177e4
LT		 1909
1910/* Check whether a task can link, unlink, or rmdir a file/directory. */
1911static int may_link(struct inode *dir,
1912 struct dentry *dentry,
1913 int kind)
1914
1915{
1da177e4 1916 struct inode_security_struct *dsec, *isec;
2bf49690 1917 struct common_audit_data ad;
275bb41e 1918 u32 sid = current_sid();
1da177e4
LT		 1919 u32 av;
1920 int rc;
1921
83da53c5
AG		 1922 dsec = inode_security(dir);
1923 isec = backing_inode_security(dentry);
1da177e4 1924
50c205f5 1925 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1926 ad.u.dentry = dentry;
1da177e4
LT		 1927
1928 av = DIR__SEARCH;
1929 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1930 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1931 if (rc)
1932 return rc;
1933
1934 switch (kind) {
1935 case MAY_LINK:
1936 av = FILE__LINK;
1937 break;
1938 case MAY_UNLINK:
1939 av = FILE__UNLINK;
1940 break;
1941 case MAY_RMDIR:
1942 av = DIR__RMDIR;
1943 break;
1944 default:
744ba35e
EP		 1945 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1946 __func__, kind);
1da177e4
LT		 1947 return 0;
1948 }
1949
275bb41e 1950 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1951 return rc;
1952}
1953
1954static inline int may_rename(struct inode *old_dir,
1955 struct dentry *old_dentry,
1956 struct inode *new_dir,
1957 struct dentry *new_dentry)
1958{
1da177e4 1959 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1960 struct common_audit_data ad;
275bb41e 1961 u32 sid = current_sid();
1da177e4
LT		 1962 u32 av;
1963 int old_is_dir, new_is_dir;
1964 int rc;
1965
83da53c5
AG		 1966 old_dsec = inode_security(old_dir);
1967 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1968 old_is_dir = d_is_dir(old_dentry);
83da53c5 1969 new_dsec = inode_security(new_dir);
1da177e4 1970
50c205f5 1971 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1972
a269434d 1973 ad.u.dentry = old_dentry;
275bb41e 1974 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1975 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1976 if (rc)
1977 return rc;
275bb41e 1978 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1979 old_isec->sclass, FILE__RENAME, &ad);
1980 if (rc)
1981 return rc;
1982 if (old_is_dir && new_dir != old_dir) {
275bb41e 1983 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1984 old_isec->sclass, DIR__REPARENT, &ad);
1985 if (rc)
1986 return rc;
1987 }
1988
a269434d 1989 ad.u.dentry = new_dentry;
1da177e4 1990 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1991 if (d_is_positive(new_dentry))
1da177e4 1992 av |= DIR__REMOVE_NAME;
275bb41e 1993 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1994 if (rc)
1995 return rc;
2c616d4d 1996 if (d_is_positive(new_dentry)) {
83da53c5 1997 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1998 new_is_dir = d_is_dir(new_dentry);
275bb41e 1999 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 2000 new_isec->sclass,
2001 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2002 if (rc)
2003 return rc;
2004 }
2005
2006 return 0;
2007}
2008
2009/* Check whether a task can perform a filesystem operation. */
88e67f3b 2010static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 2011 struct super_block *sb,
2012 u32 perms,
2bf49690 2013 struct common_audit_data *ad)
1da177e4 2014{
1da177e4 2015 struct superblock_security_struct *sbsec;
88e67f3b 2016 u32 sid = cred_sid(cred);
1da177e4 2017
7a90fc39 2018 sbsec = selinux_superblock(sb);
275bb41e 2019 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 2020}
2021
2022/* Convert a Linux mode and permission mask to an access vector. */
2023static inline u32 file_mask_to_av(int mode, int mask)
2024{
2025 u32 av = 0;
2026
dba19c60 2027 if (!S_ISDIR(mode)) {
1da177e4
LT		 2028 if (mask & MAY_EXEC)
2029 av |= FILE__EXECUTE;
2030 if (mask & MAY_READ)
2031 av |= FILE__READ;
2032
2033 if (mask & MAY_APPEND)
2034 av |= FILE__APPEND;
2035 else if (mask & MAY_WRITE)
2036 av |= FILE__WRITE;
2037
2038 } else {
2039 if (mask & MAY_EXEC)
2040 av |= DIR__SEARCH;
2041 if (mask & MAY_WRITE)
2042 av |= DIR__WRITE;
2043 if (mask & MAY_READ)
2044 av |= DIR__READ;
2045 }
2046
2047 return av;
2048}
2049
8b6a5a37
EP		 2050/* Convert a Linux file to an access vector. */
2051static inline u32 file_to_av(struct file *file)
2052{
2053 u32 av = 0;
2054
2055 if (file->f_mode & FMODE_READ)
2056 av |= FILE__READ;
2057 if (file->f_mode & FMODE_WRITE) {
2058 if (file->f_flags & O_APPEND)
2059 av |= FILE__APPEND;
2060 else
2061 av |= FILE__WRITE;
2062 }
2063 if (!av) {
2064 /*
2065 * Special file opened with flags 3 for ioctl-only use.
2066 */
2067 av = FILE__IOCTL;
2068 }
2069
2070 return av;
2071}
2072
b0c636b9 2073/*
8b6a5a37 2074 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2075 * open permission.
2076 */
8b6a5a37 2077static inline u32 open_file_to_av(struct file *file)
b0c636b9 2078{
8b6a5a37 2079 u32 av = file_to_av(file);
ccb54478 2080 struct inode *inode = file_inode(file);
b0c636b9 2081
ccb54478 2082 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
49b7b8de
EP		 2083 av |= FILE__OPEN;
2084
b0c636b9
EP		 2085 return av;
2086}
2087
1da177e4
LT		 2088/* Hook functions begin here. */
2089
79af7307
SS		 2090static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2091{
2092 u32 mysid = current_sid();
2093 u32 mgrsid = task_sid(mgr);
2094
2095 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2096 BINDER__SET_CONTEXT_MGR, NULL);
2097}
2098
2099static int selinux_binder_transaction(struct task_struct *from,
2100 struct task_struct *to)
2101{
2102 u32 mysid = current_sid();
2103 u32 fromsid = task_sid(from);
2104 u32 tosid = task_sid(to);
2105 int rc;
2106
2107 if (mysid != fromsid) {
2108 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2109 BINDER__IMPERSONATE, NULL);
2110 if (rc)
2111 return rc;
2112 }
2113
2114 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2115 NULL);
2116}
2117
2118static int selinux_binder_transfer_binder(struct task_struct *from,
2119 struct task_struct *to)
2120{
2121 u32 fromsid = task_sid(from);
2122 u32 tosid = task_sid(to);
2123
2124 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2125 NULL);
2126}
2127
2128static int selinux_binder_transfer_file(struct task_struct *from,
2129 struct task_struct *to,
2130 struct file *file)
2131{
2132 u32 sid = task_sid(to);
ab9b110b 2133 struct file_security_struct *fsec = selinux_file(file);
83da53c5 2134 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2135 struct inode_security_struct *isec;
79af7307
SS		 2136 struct common_audit_data ad;
2137 int rc;
2138
2139 ad.type = LSM_AUDIT_DATA_PATH;
2140 ad.u.path = file->f_path;
2141
2142 if (sid != fsec->sid) {
2143 rc = avc_has_perm(sid, fsec->sid,
2144 SECCLASS_FD,
2145 FD__USE,
2146 &ad);
2147 if (rc)
2148 return rc;
2149 }
2150
f66e448c
CF		 2151#ifdef CONFIG_BPF_SYSCALL
2152 rc = bpf_fd_pass(file, sid);
2153 if (rc)
2154 return rc;
2155#endif
2156
83da53c5 2157 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2158 return 0;
2159
20cdef8d 2160 isec = backing_inode_security(dentry);
79af7307
SS		 2161 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2162 &ad);
2163}
2164
9e48858f 2165static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2166 unsigned int mode)
1da177e4 2167{
be0554c9
SS		 2168 u32 sid = current_sid();
2169 u32 csid = task_sid(child);
2170
2171 if (mode & PTRACE_MODE_READ)
275bb41e 2172 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40 2173
be0554c9 2174 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
5cd9c58f
DH		 2175}
2176
2177static int selinux_ptrace_traceme(struct task_struct *parent)
2178{
be0554c9
SS		 2179 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2180 PROCESS__PTRACE, NULL);
1da177e4
LT		 2181}
2182
2183static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2184 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2185{
be0554c9
SS		 2186 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2187 PROCESS__GETCAP, NULL);
1da177e4
LT		 2188}
2189
d84f4f99
DH		 2190static int selinux_capset(struct cred *new, const struct cred *old,
2191 const kernel_cap_t *effective,
2192 const kernel_cap_t *inheritable,
2193 const kernel_cap_t *permitted)
1da177e4 2194{
be0554c9
SS		 2195 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2196 PROCESS__SETCAP, NULL);
1da177e4
LT		 2197}
2198
5626d3e8
JM		 2199/*
2200 * (This comment used to live with the selinux_task_setuid hook,
2201 * which was removed).
2202 *
2203 * Since setuid only affects the current process, and since the SELinux
2204 * controls are not based on the Linux identity attributes, SELinux does not
2205 * need to control this operation. However, SELinux does control the use of
2206 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2207 */
2208
6a9de491
EP		 2209static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2210 int cap, int audit)
1da177e4 2211{
8e4ff6f2 2212 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
1da177e4
LT		 2213}
2214
1da177e4
LT		 2215static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2216{
88e67f3b 2217 const struct cred *cred = current_cred();
1da177e4
LT		 2218 int rc = 0;
2219
2220 if (!sb)
2221 return 0;
2222
2223 switch (cmds) {
828dfe1d
EP		 2224 case Q_SYNC:
2225 case Q_QUOTAON:
2226 case Q_QUOTAOFF:
2227 case Q_SETINFO:
2228 case Q_SETQUOTA:
88e67f3b 2229 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2230 break;
2231 case Q_GETFMT:
2232 case Q_GETINFO:
2233 case Q_GETQUOTA:
88e67f3b 2234 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2235 break;
2236 default:
2237 rc = 0; /* let the kernel handle invalid cmds */
2238 break;
1da177e4
LT		 2239 }
2240 return rc;
2241}
2242
2243static int selinux_quota_on(struct dentry *dentry)
2244{
88e67f3b
DH		 2245 const struct cred *cred = current_cred();
2246
2875fa00 2247 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2248}
2249
12b3052c 2250static int selinux_syslog(int type)
1da177e4 2251{
1da177e4 2252 switch (type) {
d78ca3cd
KC		 2253 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2254 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
be0554c9
SS		 2255 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2256 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
d78ca3cd
KC		 2257 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2258 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2259 /* Set level of messages printed to console */
2260 case SYSLOG_ACTION_CONSOLE_LEVEL:
be0554c9
SS		 2261 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2262 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2263 NULL);
1da177e4 2264 }
be0554c9
SS		 2265 /* All other syslog types */
2266 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2267 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
1da177e4
LT		 2268}
2269
2270/*
2271 * Check that a process has enough memory to allocate a new virtual
2272 * mapping. 0 means there is enough memory for the allocation to
2273 * succeed and -ENOMEM implies there is not.
2274 *
1da177e4
LT		 2275 * Do not audit the selinux permission check, as this is applied to all
2276 * processes that allocate mappings.
2277 */
34b4e4aa 2278static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2279{
2280 int rc, cap_sys_admin = 0;
1da177e4 2281
b1d9e6b0 2282 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
8e4ff6f2 2283 SECURITY_CAP_NOAUDIT, true);
1da177e4
LT		 2284 if (rc == 0)
2285 cap_sys_admin = 1;
2286
b1d9e6b0 2287 return cap_sys_admin;
1da177e4
LT		 2288}
2289
2290/* binprm security operations */
2291
be0554c9 2292static u32 ptrace_parent_sid(void)
0c6181cb
PM		 2293{
2294 u32 sid = 0;
2295 struct task_struct *tracer;
2296
2297 rcu_read_lock();
be0554c9 2298 tracer = ptrace_parent(current);
0c6181cb
PM		 2299 if (tracer)
2300 sid = task_sid(tracer);
2301 rcu_read_unlock();
2302
2303 return sid;
2304}
2305
7b0d0b40
SS		 2306static int check_nnp_nosuid(const struct linux_binprm *bprm,
2307 const struct task_security_struct *old_tsec,
2308 const struct task_security_struct *new_tsec)
2309{
2310 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
bf31f6b5 2311 int nosuid = path_nosuid(&bprm->file->f_path);
7b0d0b40 2312 int rc;
af63f419 2313 u32 av;
7b0d0b40
SS		 2314
2315 if (!nnp && !nosuid)
2316 return 0; /* neither NNP nor nosuid */
2317
2318 if (new_tsec->sid == old_tsec->sid)
2319 return 0; /* No change in credentials */
2320
2321 /*
af63f419
SS		 2322 * If the policy enables the nnp_nosuid_transition policy capability,
2323 * then we permit transitions under NNP or nosuid if the
2324 * policy allows the corresponding permission between
2325 * the old and new contexts.
7b0d0b40 2326 */
af63f419
SS		 2327 if (selinux_policycap_nnp_nosuid_transition) {
2328 av = 0;
7b0d0b40 2329 if (nnp)
af63f419
SS		 2330 av |= PROCESS2__NNP_TRANSITION;
2331 if (nosuid)
2332 av |= PROCESS2__NOSUID_TRANSITION;
2333 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2334 SECCLASS_PROCESS2, av, NULL);
2335 if (!rc)
2336 return 0;
7b0d0b40 2337 }
af63f419
SS		 2338
2339 /*
2340 * We also permit NNP or nosuid transitions to bounded SIDs,
2341 * i.e. SIDs that are guaranteed to only be allowed a subset
2342 * of the permissions of the current SID.
2343 */
2344 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2345 if (!rc)
2346 return 0;
2347
2348 /*
2349 * On failure, preserve the errno values for NNP vs nosuid.
2350 * NNP: Operation not permitted for caller.
2351 * nosuid: Permission denied to file.
2352 */
2353 if (nnp)
2354 return -EPERM;
2355 return -EACCES;
7b0d0b40
SS		 2356}
2357
a6f76f23 2358static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2359{
a6f76f23
DH		 2360 const struct task_security_struct *old_tsec;
2361 struct task_security_struct *new_tsec;
1da177e4 2362 struct inode_security_struct *isec;
2bf49690 2363 struct common_audit_data ad;
496ad9aa 2364 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2365 int rc;
2366
a6f76f23
DH		 2367 /* SELinux context only depends on initial program or script and not
2368 * the script interpreter */
ddb4a144 2369 if (bprm->called_set_creds)
1da177e4
LT		 2370 return 0;
2371
f1efc8c4
CS		 2372 old_tsec = selinux_cred(current_cred());
2373 new_tsec = selinux_cred(bprm->cred);
83da53c5 2374 isec = inode_security(inode);
1da177e4
LT		 2375
2376 /* Default to the current task SID. */
a6f76f23
DH		 2377 new_tsec->sid = old_tsec->sid;
2378 new_tsec->osid = old_tsec->sid;
1da177e4 2379
28eba5bf 2380 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2381 new_tsec->create_sid = 0;
2382 new_tsec->keycreate_sid = 0;
2383 new_tsec->sockcreate_sid = 0;
1da177e4 2384
a6f76f23
DH		 2385 if (old_tsec->exec_sid) {
2386 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2387 /* Reset exec SID on execve. */
a6f76f23 2388 new_tsec->exec_sid = 0;
259e5e6c 2389
7b0d0b40
SS		 2390 /* Fail on NNP or nosuid if not an allowed transition. */
2391 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2392 if (rc)
2393 return rc;
1da177e4
LT		 2394 } else {
2395 /* Check for a default transition on this program. */
a6f76f23 2396 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2397 SECCLASS_PROCESS, NULL,
2398 &new_tsec->sid);
1da177e4
LT		 2399 if (rc)
2400 return rc;
7b0d0b40
SS		 2401
2402 /*
2403 * Fallback to old SID on NNP or nosuid if not an allowed
2404 * transition.
2405 */
2406 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2407 if (rc)
2408 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2409 }
2410
43af5de7
VG		 2411 ad.type = LSM_AUDIT_DATA_FILE;
2412 ad.u.file = bprm->file;
1da177e4 2413
a6f76f23
DH		 2414 if (new_tsec->sid == old_tsec->sid) {
2415 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2416 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2417 if (rc)
2418 return rc;
2419 } else {
2420 /* Check permissions for the transition. */
a6f76f23 2421 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2422 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2423 if (rc)
2424 return rc;
2425
a6f76f23 2426 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2427 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2428 if (rc)
2429 return rc;
2430
a6f76f23
DH		 2431 /* Check for shared state */
2432 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2433 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2434 SECCLASS_PROCESS, PROCESS__SHARE,
2435 NULL);
2436 if (rc)
2437 return -EPERM;
2438 }
2439
2440 /* Make sure that anyone attempting to ptrace over a task that
2441 * changes its SID has the appropriate permit */
9227dd2a 2442 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
be0554c9 2443 u32 ptsid = ptrace_parent_sid();
a6f76f23
DH		 2444 if (ptsid != 0) {
2445 rc = avc_has_perm(ptsid, new_tsec->sid,
2446 SECCLASS_PROCESS,
2447 PROCESS__PTRACE, NULL);
2448 if (rc)
2449 return -EPERM;
2450 }
2451 }
1da177e4 2452
a6f76f23
DH		 2453 /* Clear any possibly unsafe personality bits on exec: */
2454 bprm->per_clear |= PER_CLEAR_ON_SETID;
275bb41e 2455
1da177e4
LT		 2456 /* Enable secure mode for SIDs transitions unless
2457 the noatsecure permission is granted between
2458 the two SIDs, i.e. ahp returns 0. */
62874c3a
KC		 2459 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2460 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2461 NULL);
2462 bprm->secureexec |= !!rc;
1da177e4
LT		 2463 }
2464
62874c3a 2465 return 0;
1da177e4
LT		 2466}
2467
c3c073f8
AV		 2468static int match_file(const void *p, struct file *file, unsigned fd)
2469{
2470 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2471}
2472
1da177e4 2473/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2474static inline void flush_unauthorized_files(const struct cred *cred,
2475 struct files_struct *files)
1da177e4 2476{
1da177e4 2477 struct file *file, *devnull = NULL;
b20c8122 2478 struct tty_struct *tty;
24ec839c 2479 int drop_tty = 0;
c3c073f8 2480 unsigned n;
1da177e4 2481
24ec839c 2482 tty = get_current_tty();
1da177e4 2483 if (tty) {
4a510969 2484 spin_lock(&tty->files_lock);
37dd0bd0 2485 if (!list_empty(&tty->tty_files)) {
d996b62a 2486 struct tty_file_private *file_priv;
37dd0bd0 2487
1da177e4 2488 /* Revalidate access to controlling tty.
13f8e981
DH		 2489 Use file_path_has_perm on the tty path directly
2490 rather than using file_has_perm, as this particular
2491 open file may belong to another process and we are
2492 only interested in the inode-based check here. */
d996b62a
NP		 2493 file_priv = list_first_entry(&tty->tty_files,
2494 struct tty_file_private, list);
2495 file = file_priv->file;
13f8e981 2496 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2497 drop_tty = 1;
1da177e4 2498 }
4a510969 2499 spin_unlock(&tty->files_lock);
452a00d2 2500 tty_kref_put(tty);
1da177e4 2501 }
98a27ba4
EB		 2502 /* Reset controlling tty. */
2503 if (drop_tty)
2504 no_tty();
1da177e4
LT		 2505
2506 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2507 n = iterate_fd(files, 0, match_file, cred);
2508 if (!n) /* none found? */
2509 return;
1da177e4 2510
c3c073f8 2511 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2512 if (IS_ERR(devnull))
2513 devnull = NULL;
2514 /* replace all the matching ones with this */
2515 do {
2516 replace_fd(n - 1, devnull, 0);
2517 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2518 if (devnull)
c3c073f8 2519 fput(devnull);
1da177e4
LT		 2520}
2521
a6f76f23
DH		 2522/*
2523 * Prepare a process for imminent new credential changes due to exec
2524 */
2525static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2526{
a6f76f23
DH		 2527 struct task_security_struct *new_tsec;
2528 struct rlimit *rlim, *initrlim;
2529 int rc, i;
d84f4f99 2530
f1efc8c4 2531 new_tsec = selinux_cred(bprm->cred);
a6f76f23
DH		 2532 if (new_tsec->sid == new_tsec->osid)
2533 return;
1da177e4 2534
a6f76f23
DH		 2535 /* Close files for which the new task SID is not authorized. */
2536 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2537
a6f76f23
DH		 2538 /* Always clear parent death signal on SID transitions. */
2539 current->pdeath_signal = 0;
0356357c 2540
a6f76f23
DH		 2541 /* Check whether the new SID can inherit resource limits from the old
2542 * SID. If not, reset all soft limits to the lower of the current
2543 * task's hard limit and the init task's soft limit.
2544 *
2545 * Note that the setting of hard limits (even to lower them) can be
2546 * controlled by the setrlimit check. The inclusion of the init task's
2547 * soft limit into the computation is to avoid resetting soft limits
2548 * higher than the default soft limit for cases where the default is
2549 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2550 */
2551 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2552 PROCESS__RLIMITINH, NULL);
2553 if (rc) {
eb2d55a3
ON		 2554 /* protect against do_prlimit() */
2555 task_lock(current);
a6f76f23
DH		 2556 for (i = 0; i < RLIM_NLIMITS; i++) {
2557 rlim = current->signal->rlim + i;
2558 initrlim = init_task.signal->rlim + i;
2559 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2560 }
eb2d55a3 2561 task_unlock(current);
baa73d9e
NP		 2562 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2563 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2564 }
2565}
2566
2567/*
a6f76f23
DH		 2568 * Clean up the process immediately after the installation of new credentials
2569 * due to exec
1da177e4 2570 */
a6f76f23 2571static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2572{
f1efc8c4 2573 const struct task_security_struct *tsec = selinux_cred(current_cred());
1da177e4 2574 struct itimerval itimer;
a6f76f23 2575 u32 osid, sid;
1da177e4
LT		 2576 int rc, i;
2577
a6f76f23
DH		 2578 osid = tsec->osid;
2579 sid = tsec->sid;
2580
2581 if (sid == osid)
1da177e4
LT		 2582 return;
2583
a6f76f23
DH		 2584 /* Check whether the new SID can inherit signal state from the old SID.
2585 * If not, clear itimers to avoid subsequent signal generation and
2586 * flush and unblock signals.
2587 *
2588 * This must occur _after_ the task SID has been updated so that any
2589 * kill done after the flush will be checked against the new SID.
2590 */
2591 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4 2592 if (rc) {
baa73d9e
NP		 2593 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2594 memset(&itimer, 0, sizeof itimer);
2595 for (i = 0; i < 3; i++)
2596 do_setitimer(i, &itimer, NULL);
2597 }
1da177e4 2598 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2599 if (!fatal_signal_pending(current)) {
2600 flush_sigqueue(&current->pending);
2601 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2602 flush_signal_handlers(current, 1);
2603 sigemptyset(&current->blocked);
9e7c8f8c 2604 recalc_sigpending();
3bcac026 2605 }
1da177e4
LT		 2606 spin_unlock_irq(&current->sighand->siglock);
2607 }
2608
a6f76f23
DH		 2609 /* Wake up the parent if it is waiting so that it can recheck
2610 * wait permission to the new task SID. */
ecd6de3c 2611 read_lock(&tasklist_lock);
0b7570e7 2612 __wake_up_parent(current, current->real_parent);
ecd6de3c 2613 read_unlock(&tasklist_lock);
1da177e4
LT		 2614}
2615
2616/* superblock security operations */
2617
2618static int selinux_sb_alloc_security(struct super_block *sb)
2619{
2620 return superblock_alloc_security(sb);
2621}
2622
1da177e4
LT		 2623static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2624{
2625 if (plen > olen)
2626 return 0;
2627
2628 return !memcmp(prefix, option, plen);
2629}
2630
2631static inline int selinux_option(char *option, int len)
2632{
832cbd9a
EP		 2633 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2634 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2635 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2636 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2637 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2638}
2639
2640static inline void take_option(char **to, char *from, int *first, int len)
2641{
2642 if (!*first) {
2643 **to = ',';
2644 *to += 1;
3528a953 2645 } else
1da177e4
LT		 2646 *first = 0;
2647 memcpy(*to, from, len);
2648 *to += len;
2649}
2650
828dfe1d
EP		 2651static inline void take_selinux_option(char **to, char *from, int *first,
2652 int len)
3528a953
CO		 2653{
2654 int current_size = 0;
2655
2656 if (!*first) {
2657 **to = '|';
2658 *to += 1;
828dfe1d 2659 } else
3528a953
CO		 2660 *first = 0;
2661
2662 while (current_size < len) {
2663 if (*from != '"') {
2664 **to = *from;
2665 *to += 1;
2666 }
2667 from += 1;
2668 current_size += 1;
2669 }
2670}
2671
e0007529 2672static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2673{
2674 int fnosec, fsec, rc = 0;
2675 char *in_save, *in_curr, *in_end;
2676 char *sec_curr, *nosec_save, *nosec;
3528a953 2677 int open_quote = 0;
1da177e4
LT		 2678
2679 in_curr = orig;
2680 sec_curr = copy;
2681
1da177e4
LT		 2682 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2683 if (!nosec) {
2684 rc = -ENOMEM;
2685 goto out;
2686 }
2687
2688 nosec_save = nosec;
2689 fnosec = fsec = 1;
2690 in_save = in_end = orig;
2691
2692 do {
3528a953
CO		 2693 if (*in_end == '"')
2694 open_quote = !open_quote;
2695 if ((*in_end == ',' && open_quote == 0) ||
2696 *in_end == '\0') {
1da177e4
LT		 2697 int len = in_end - in_curr;
2698
2699 if (selinux_option(in_curr, len))
3528a953 2700 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2701 else
2702 take_option(&nosec, in_curr, &fnosec, len);
2703
2704 in_curr = in_end + 1;
2705 }
2706 } while (*in_end++);
2707
6931dfc9 2708 strcpy(in_save, nosec_save);
da3caa20 2709 free_page((unsigned long)nosec_save);
1da177e4
LT		 2710out:
2711 return rc;
2712}
2713
026eb167
EP		 2714static int selinux_sb_remount(struct super_block *sb, void *data)
2715{
2716 int rc, i, *flags;
2717 struct security_mnt_opts opts;
2718 char *secdata, **mount_options;
7a90fc39 2719 struct superblock_security_struct *sbsec = selinux_superblock(sb);
026eb167
EP		 2720
2721 if (!(sbsec->flags & SE_SBINITIALIZED))
2722 return 0;
2723
2724 if (!data)
2725 return 0;
2726
2727 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2728 return 0;
2729
2730 security_init_mnt_opts(&opts);
2731 secdata = alloc_secdata();
2732 if (!secdata)
2733 return -ENOMEM;
2734 rc = selinux_sb_copy_data(data, secdata);
2735 if (rc)
2736 goto out_free_secdata;
2737
2738 rc = selinux_parse_opts_str(secdata, &opts);
2739 if (rc)
2740 goto out_free_secdata;
2741
2742 mount_options = opts.mnt_opts;
2743 flags = opts.mnt_opts_flags;
2744
2745 for (i = 0; i < opts.num_mnt_opts; i++) {
2746 u32 sid;
026eb167 2747
12f348b9 2748 if (flags[i] == SBLABEL_MNT)
026eb167 2749 continue;
44be2f65 2750 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2751 if (rc) {
44be2f65 2752 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2753 "(%s) failed for (dev %s, type %s) errno=%d\n",
2754 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2755 goto out_free_opts;
2756 }
2757 rc = -EINVAL;
2758 switch (flags[i]) {
2759 case FSCONTEXT_MNT:
2760 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2761 goto out_bad_option;
2762 break;
2763 case CONTEXT_MNT:
2764 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2765 goto out_bad_option;
2766 break;
2767 case ROOTCONTEXT_MNT: {
2768 struct inode_security_struct *root_isec;
83da53c5 2769 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2770
2771 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2772 goto out_bad_option;
2773 break;
2774 }
2775 case DEFCONTEXT_MNT:
2776 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2777 goto out_bad_option;
2778 break;
2779 default:
2780 goto out_free_opts;
2781 }
2782 }
2783
2784 rc = 0;
2785out_free_opts:
2786 security_free_mnt_opts(&opts);
2787out_free_secdata:
2788 free_secdata(secdata);
2789 return rc;
2790out_bad_option:
2791 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2792 "during remount (dev %s, type=%s)\n", sb->s_id,
2793 sb->s_type->name);
026eb167
EP		 2794 goto out_free_opts;
2795}
2796
12204e24 2797static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2798{
88e67f3b 2799 const struct cred *cred = current_cred();
2bf49690 2800 struct common_audit_data ad;
1da177e4
LT		 2801 int rc;
2802
2803 rc = superblock_doinit(sb, data);
2804 if (rc)
2805 return rc;
2806
74192246 2807 /* Allow all mounts performed by the kernel */
1d036091 2808 if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
74192246
JM		 2809 return 0;
2810
50c205f5 2811 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2812 ad.u.dentry = sb->s_root;
88e67f3b 2813 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2814}
2815
726c3342 2816static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2817{
88e67f3b 2818 const struct cred *cred = current_cred();
2bf49690 2819 struct common_audit_data ad;
1da177e4 2820
50c205f5 2821 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2822 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2823 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2824}
2825
808d4e3c 2826static int selinux_mount(const char *dev_name,
8a04c43b 2827 const struct path *path,
808d4e3c 2828 const char *type,
828dfe1d
EP		 2829 unsigned long flags,
2830 void *data)
1da177e4 2831{
88e67f3b 2832 const struct cred *cred = current_cred();
1da177e4
LT		 2833
2834 if (flags & MS_REMOUNT)
d8c9584e 2835 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2836 FILESYSTEM__REMOUNT, NULL);
1da177e4 2837 else
2875fa00 2838 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2839}
2840
2841static int selinux_umount(struct vfsmount *mnt, int flags)
2842{
88e67f3b 2843 const struct cred *cred = current_cred();
1da177e4 2844
88e67f3b 2845 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2846 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2847}
2848
2849/* inode security operations */
2850
2851static int selinux_inode_alloc_security(struct inode *inode)
2852{
2853 return inode_alloc_security(inode);
2854}
2855
2856static void selinux_inode_free_security(struct inode *inode)
2857{
2858 inode_free_security(inode);
2859}
2860
d47be3df 2861static int selinux_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 2862 const struct qstr *name, void **ctx,
d47be3df
DQ		 2863 u32 *ctxlen)
2864{
d47be3df
DQ		 2865 u32 newsid;
2866 int rc;
2867
f1efc8c4 2868 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c957f6df 2869 d_inode(dentry->d_parent), name,
c3c188b2
DH		 2870 inode_mode_to_security_class(mode),
2871 &newsid);
2872 if (rc)
2873 return rc;
d47be3df
DQ		 2874
2875 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2876}
2877
a518b0a5
VG		 2878static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2879 struct qstr *name,
2880 const struct cred *old,
2881 struct cred *new)
2882{
2883 u32 newsid;
2884 int rc;
2885 struct task_security_struct *tsec;
2886
f1efc8c4 2887 rc = selinux_determine_inode_label(selinux_cred(old),
a518b0a5
VG		 2888 d_inode(dentry->d_parent), name,
2889 inode_mode_to_security_class(mode),
2890 &newsid);
2891 if (rc)
2892 return rc;
2893
f1efc8c4 2894 tsec = selinux_cred(new);
a518b0a5
VG		 2895 tsec->create_sid = newsid;
2896 return 0;
2897}
2898
5e41ff9e 2899static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2900 const struct qstr *qstr,
2901 const char **name,
2a7dba39 2902 void **value, size_t *len)
5e41ff9e 2903{
f1efc8c4 2904 const struct task_security_struct *tsec = selinux_cred(current_cred());
5e41ff9e 2905 struct superblock_security_struct *sbsec;
c0d4f464 2906 u32 newsid, clen;
5e41ff9e 2907 int rc;
9548906b 2908 char *context;
5e41ff9e 2909
7a90fc39 2910 sbsec = selinux_superblock(dir->i_sb);
5e41ff9e 2911
275bb41e
DH		 2912 newsid = tsec->create_sid;
2913
f1efc8c4 2914 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
c3c188b2
DH		 2915 dir, qstr,
2916 inode_mode_to_security_class(inode->i_mode),
2917 &newsid);
2918 if (rc)
2919 return rc;
5e41ff9e 2920
296fddf7 2921 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2922 if (sbsec->flags & SE_SBINITIALIZED) {
7a90fc39 2923 struct inode_security_struct *isec = selinux_inode(inode);
296fddf7
EP		 2924 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2925 isec->sid = newsid;
6f3be9f5 2926 isec->initialized = LABEL_INITIALIZED;
296fddf7 2927 }
5e41ff9e 2928
12f348b9 2929 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2930 return -EOPNOTSUPP;
2931
9548906b
TH		 2932 if (name)
2933 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2934
570bc1c2 2935 if (value && len) {
12b29f34 2936 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2937 if (rc)
570bc1c2 2938 return rc;
570bc1c2
SS		 2939 *value = context;
2940 *len = clen;
5e41ff9e 2941 }
5e41ff9e 2942
5e41ff9e
SS		 2943 return 0;
2944}
2945
4acdaf27 2946static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2947{
2948 return may_create(dir, dentry, SECCLASS_FILE);
2949}
2950
1da177e4
LT		 2951static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2952{
1da177e4
LT		 2953 return may_link(dir, old_dentry, MAY_LINK);
2954}
2955
1da177e4
LT		 2956static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2957{
1da177e4
LT		 2958 return may_link(dir, dentry, MAY_UNLINK);
2959}
2960
2961static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2962{
2963 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2964}
2965
18bb1db3 2966static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2967{
2968 return may_create(dir, dentry, SECCLASS_DIR);
2969}
2970
1da177e4
LT		 2971static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2972{
2973 return may_link(dir, dentry, MAY_RMDIR);
2974}
2975
1a67aafb 2976static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2977{
1da177e4
LT		 2978 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2979}
2980
1da177e4 2981static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2982 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2983{
2984 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2985}
2986
1da177e4
LT		 2987static int selinux_inode_readlink(struct dentry *dentry)
2988{
88e67f3b
DH		 2989 const struct cred *cred = current_cred();
2990
2875fa00 2991 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2992}
2993
bda0be7a
N		 2994static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2995 bool rcu)
1da177e4 2996{
88e67f3b 2997 const struct cred *cred = current_cred();
bda0be7a
N		 2998 struct common_audit_data ad;
2999 struct inode_security_struct *isec;
3000 u32 sid;
1da177e4 3001
bda0be7a
N		 3002 validate_creds(cred);
3003
3004 ad.type = LSM_AUDIT_DATA_DENTRY;
3005 ad.u.dentry = dentry;
3006 sid = cred_sid(cred);
5d226df4
AG		 3007 isec = inode_security_rcu(inode, rcu);
3008 if (IS_ERR(isec))
3009 return PTR_ERR(isec);
bda0be7a
N		 3010
3011 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3012 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 3013}
3014
d4cf970d
EP		 3015static noinline int audit_inode_permission(struct inode *inode,
3016 u32 perms, u32 audited, u32 denied,
626b9740 3017 int result,
d4cf970d 3018 unsigned flags)
1da177e4 3019{
b782e0a6 3020 struct common_audit_data ad;
7a90fc39 3021 struct inode_security_struct *isec = selinux_inode(inode);
d4cf970d
EP		 3022 int rc;
3023
50c205f5 3024 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 3025 ad.u.inode = inode;
3026
3027 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 3028 audited, denied, result, &ad, flags);
d4cf970d
EP		 3029 if (rc)
3030 return rc;
3031 return 0;
3032}
3033
e74f71eb 3034static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 3035{
88e67f3b 3036 const struct cred *cred = current_cred();
b782e0a6
EP		 3037 u32 perms;
3038 bool from_access;
cf1dd1da 3039 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 3040 struct inode_security_struct *isec;
3041 u32 sid;
3042 struct av_decision avd;
3043 int rc, rc2;
3044 u32 audited, denied;
1da177e4 3045
b782e0a6 3046 from_access = mask & MAY_ACCESS;
d09ca739
EP		 3047 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3048
b782e0a6
EP		 3049 /* No permission to check. Existence test. */
3050 if (!mask)
1da177e4 3051 return 0;
1da177e4 3052
2e334057 3053 validate_creds(cred);
b782e0a6 3054
2e334057
EP		 3055 if (unlikely(IS_PRIVATE(inode)))
3056 return 0;
b782e0a6
EP		 3057
3058 perms = file_mask_to_av(inode->i_mode, mask);
3059
2e334057 3060 sid = cred_sid(cred);
5d226df4
AG		 3061 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3062 if (IS_ERR(isec))
3063 return PTR_ERR(isec);
2e334057
EP		 3064
3065 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3066 audited = avc_audit_required(perms, &avd, rc,
3067 from_access ? FILE__AUDIT_ACCESS : 0,
3068 &denied);
3069 if (likely(!audited))
3070 return rc;
3071
626b9740 3072 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3073 if (rc2)
3074 return rc2;
3075 return rc;
1da177e4
LT		 3076}
3077
3078static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3079{
88e67f3b 3080 const struct cred *cred = current_cred();
ccb54478 3081 struct inode *inode = d_backing_inode(dentry);
bc6a6008 3082 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3083 __u32 av = FILE__WRITE;
1da177e4 3084
bc6a6008
AW		 3085 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3086 if (ia_valid & ATTR_FORCE) {
3087 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3088 ATTR_FORCE);
3089 if (!ia_valid)
3090 return 0;
3091 }
1da177e4 3092
bc6a6008
AW		 3093 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3094 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3095 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3096
ccb54478
SS		 3097 if (selinux_policycap_openperm &&
3098 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3099 (ia_valid & ATTR_SIZE) &&
3100 !(ia_valid & ATTR_FILE))
95dbf739
EP		 3101 av |= FILE__OPEN;
3102
3103 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3104}
3105
3f7036a0 3106static int selinux_inode_getattr(const struct path *path)
1da177e4 3107{
3f7036a0 3108 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3109}
3110
db59000a
SS		 3111static bool has_cap_mac_admin(bool audit)
3112{
3113 const struct cred *cred = current_cred();
3114 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3115
3116 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3117 return false;
3118 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3119 return false;
3120 return true;
3121}
3122
8f0cfa52
DH		 3123static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3124 const void *value, size_t size, int flags)
1da177e4 3125{
c6f493d6 3126 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3127 struct inode_security_struct *isec;
1da177e4 3128 struct superblock_security_struct *sbsec;
2bf49690 3129 struct common_audit_data ad;
275bb41e 3130 u32 newsid, sid = current_sid();
1da177e4
LT		 3131 int rc = 0;
3132
6b240306
EB		 3133 if (strcmp(name, XATTR_NAME_SELINUX)) {
3134 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3135 if (rc)
3136 return rc;
3137
3138 /* Not an attribute we recognize, so just check the
3139 ordinary setattr permission. */
3140 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3141 }
1da177e4 3142
7a90fc39 3143 sbsec = selinux_superblock(inode->i_sb);
12f348b9 3144 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3145 return -EOPNOTSUPP;
3146
2e149670 3147 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3148 return -EPERM;
3149
50c205f5 3150 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3151 ad.u.dentry = dentry;
1da177e4 3152
20cdef8d 3153 isec = backing_inode_security(dentry);
275bb41e 3154 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3155 FILE__RELABELFROM, &ad);
3156 if (rc)
3157 return rc;
3158
52a4c640 3159 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3160 if (rc == -EINVAL) {
db59000a 3161 if (!has_cap_mac_admin(true)) {
d6ea83ec
EP		 3162 struct audit_buffer *ab;
3163 size_t audit_size;
d6ea83ec
EP		 3164
3165 /* We strip a nul only if it is at the end, otherwise the
3166 * context contains a nul and we should audit that */
e3fea3f7 3167 if (value) {
add24372
CIK		 3168 const char *str = value;
3169
e3fea3f7
AV		 3170 if (str[size - 1] == '\0')
3171 audit_size = size - 1;
3172 else
3173 audit_size = size;
3174 } else {
e3fea3f7
AV		 3175 audit_size = 0;
3176 }
d6ea83ec
EP		 3177 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3178 audit_log_format(ab, "op=setxattr invalid_context=");
3179 audit_log_n_untrustedstring(ab, value, audit_size);
3180 audit_log_end(ab);
3181
12b29f34 3182 return rc;
d6ea83ec 3183 }
12b29f34
SS		 3184 rc = security_context_to_sid_force(value, size, &newsid);
3185 }
1da177e4
LT		 3186 if (rc)
3187 return rc;
3188
275bb41e 3189 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3190 FILE__RELABELTO, &ad);
3191 if (rc)
3192 return rc;
3193
275bb41e 3194 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3195 isec->sclass);
1da177e4
LT		 3196 if (rc)
3197 return rc;
3198
3199 return avc_has_perm(newsid,
3200 sbsec->sid,
3201 SECCLASS_FILESYSTEM,
3202 FILESYSTEM__ASSOCIATE,
3203 &ad);
3204}
3205
8f0cfa52 3206static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3207 const void *value, size_t size,
8f0cfa52 3208 int flags)
1da177e4 3209{
c6f493d6 3210 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3211 struct inode_security_struct *isec;
1da177e4
LT		 3212 u32 newsid;
3213 int rc;
3214
3215 if (strcmp(name, XATTR_NAME_SELINUX)) {
3216 /* Not an attribute we recognize, so nothing to do. */
3217 return;
3218 }
3219
12b29f34 3220 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3221 if (rc) {
12b29f34
SS		 3222 printk(KERN_ERR "SELinux: unable to map context to SID"
3223 "for (%s, %lu), rc=%d\n",
3224 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3225 return;
3226 }
3227
20cdef8d 3228 isec = backing_inode_security(dentry);
9287aed2 3229 spin_lock(&isec->lock);
aa9c2669 3230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3231 isec->sid = newsid;
6f3be9f5 3232 isec->initialized = LABEL_INITIALIZED;
9287aed2 3233 spin_unlock(&isec->lock);
aa9c2669 3234
1da177e4
LT		 3235 return;
3236}
3237
8f0cfa52 3238static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3239{
88e67f3b
DH		 3240 const struct cred *cred = current_cred();
3241
2875fa00 3242 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3243}
3244
828dfe1d 3245static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3246{
88e67f3b
DH		 3247 const struct cred *cred = current_cred();
3248
2875fa00 3249 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3250}
3251
8f0cfa52 3252static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3253{
6b240306
EB		 3254 if (strcmp(name, XATTR_NAME_SELINUX)) {
3255 int rc = cap_inode_removexattr(dentry, name);
3256 if (rc)
3257 return rc;
3258
3259 /* Not an attribute we recognize, so just check the
3260 ordinary setattr permission. */
3261 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3262 }
1da177e4
LT		 3263
3264 /* No one is allowed to remove a SELinux security label.
3265 You can change the label, but all data must be labeled. */
3266 return -EACCES;
3267}
3268
d381d8a9 3269/*
abc69bb6 3270 * Copy the inode security context value to the user.
d381d8a9
JM		 3271 *
3272 * Permission check is handled by selinux_inode_getxattr hook.
3273 */
ea861dfd 3274static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3275{
42492594
DQ		 3276 u32 size;
3277 int error;
3278 char *context = NULL;
20cdef8d 3279 struct inode_security_struct *isec;
d381d8a9 3280
8c8570fb
DK		 3281 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3282 return -EOPNOTSUPP;
d381d8a9 3283
abc69bb6
SS		 3284 /*
3285 * If the caller has CAP_MAC_ADMIN, then get the raw context
3286 * value even if it is not defined by current policy; otherwise,
3287 * use the in-core value under current policy.
3288 * Use the non-auditing forms of the permission checks since
3289 * getxattr may be called by unprivileged processes commonly
3290 * and lack of permission just means that we fall back to the
3291 * in-core context value, not a denial.
3292 */
20cdef8d 3293 isec = inode_security(inode);
db59000a 3294 if (has_cap_mac_admin(false))
abc69bb6
SS		 3295 error = security_sid_to_context_force(isec->sid, &context,
3296 &size);
3297 else
3298 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3299 if (error)
3300 return error;
3301 error = size;
3302 if (alloc) {
3303 *buffer = context;
3304 goto out_nofree;
3305 }
3306 kfree(context);
3307out_nofree:
3308 return error;
1da177e4
LT		 3309}
3310
3311static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3312 const void *value, size_t size, int flags)
1da177e4 3313{
2c97165b 3314 struct inode_security_struct *isec = inode_security_novalidate(inode);
30d23388 3315 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1da177e4
LT		 3316 u32 newsid;
3317 int rc;
3318
3319 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3320 return -EOPNOTSUPP;
3321
30d23388
OM		 3322 if (!(sbsec->flags & SBLABEL_MNT))
3323 return -EOPNOTSUPP;
3324
1da177e4
LT		 3325 if (!value || !size)
3326 return -EACCES;
3327
20ba96ae 3328 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3329 if (rc)
3330 return rc;
3331
9287aed2 3332 spin_lock(&isec->lock);
aa9c2669 3333 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3334 isec->sid = newsid;
6f3be9f5 3335 isec->initialized = LABEL_INITIALIZED;
9287aed2 3336 spin_unlock(&isec->lock);
1da177e4
LT		 3337 return 0;
3338}
3339
3340static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3341{
3342 const int len = sizeof(XATTR_NAME_SELINUX);
3343 if (buffer && len <= buffer_size)
3344 memcpy(buffer, XATTR_NAME_SELINUX, len);
3345 return len;
3346}
3347
d6335d77 3348static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3349{
e817c2f3 3350 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3351 *secid = isec->sid;
3352}
3353
56909eb3
VG		 3354static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3355{
3356 u32 sid;
3357 struct task_security_struct *tsec;
3358 struct cred *new_creds = *new;
3359
3360 if (new_creds == NULL) {
3361 new_creds = prepare_creds();
3362 if (!new_creds)
3363 return -ENOMEM;
3364 }
3365
f1efc8c4 3366 tsec = selinux_cred(new_creds);
56909eb3
VG		 3367 /* Get label from overlay inode and set it in create_sid */
3368 selinux_inode_getsecid(d_inode(src), &sid);
3369 tsec->create_sid = sid;
3370 *new = new_creds;
3371 return 0;
3372}
3373
19472b69
VG		 3374static int selinux_inode_copy_up_xattr(const char *name)
3375{
3376 /* The copy_up hook above sets the initial context on an inode, but we
3377 * don't then want to overwrite it by blindly copying all the lower
3378 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3379 */
3380 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3381 return 1; /* Discard */
3382 /*
3383 * Any other attribute apart from SELINUX is not claimed, supported
3384 * by selinux.
3385 */
3386 return -EOPNOTSUPP;
3387}
3388
1da177e4
LT		 3389/* file security operations */
3390
788e7dd4 3391static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3392{
88e67f3b 3393 const struct cred *cred = current_cred();
496ad9aa 3394 struct inode *inode = file_inode(file);
1da177e4 3395
1da177e4
LT		 3396 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3397 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3398 mask |= MAY_APPEND;
3399
389fb800
PM		 3400 return file_has_perm(cred, file,
3401 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3402}
3403
788e7dd4
YN		 3404static int selinux_file_permission(struct file *file, int mask)
3405{
496ad9aa 3406 struct inode *inode = file_inode(file);
ab9b110b 3407 struct file_security_struct *fsec = selinux_file(file);
b197367e 3408 struct inode_security_struct *isec;
20dda18b
SS		 3409 u32 sid = current_sid();
3410
389fb800 3411 if (!mask)
788e7dd4
YN		 3412 /* No permission to check. Existence test. */
3413 return 0;
788e7dd4 3414
b197367e 3415 isec = inode_security(inode);
20dda18b
SS		 3416 if (sid == fsec->sid && fsec->isid == isec->sid &&
3417 fsec->pseqno == avc_policy_seqno())
83d49856 3418 /* No change since file_open check. */
20dda18b
SS		 3419 return 0;
3420
788e7dd4
YN		 3421 return selinux_revalidate_file_permission(file, mask);
3422}
3423
1da177e4
LT		 3424static int selinux_file_alloc_security(struct file *file)
3425{
3426 return file_alloc_security(file);
3427}
3428
fa1aa143
JVS		 3429/*
3430 * Check whether a task has the ioctl permission and cmd
3431 * operation to an inode.
3432 */
1d2a168a 3433static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3434 u32 requested, u16 cmd)
3435{
3436 struct common_audit_data ad;
ab9b110b 3437 struct file_security_struct *fsec = selinux_file(file);
fa1aa143 3438 struct inode *inode = file_inode(file);
20cdef8d 3439 struct inode_security_struct *isec;
fa1aa143
JVS		 3440 struct lsm_ioctlop_audit ioctl;
3441 u32 ssid = cred_sid(cred);
3442 int rc;
3443 u8 driver = cmd >> 8;
3444 u8 xperm = cmd & 0xff;
3445
3446 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3447 ad.u.op = &ioctl;
3448 ad.u.op->cmd = cmd;
3449 ad.u.op->path = file->f_path;
3450
3451 if (ssid != fsec->sid) {
3452 rc = avc_has_perm(ssid, fsec->sid,
3453 SECCLASS_FD,
3454 FD__USE,
3455 &ad);
3456 if (rc)
3457 goto out;
3458 }
3459
3460 if (unlikely(IS_PRIVATE(inode)))
3461 return 0;
3462
20cdef8d 3463 isec = inode_security(inode);
fa1aa143
JVS		 3464 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3465 requested, driver, xperm, &ad);
3466out:
3467 return rc;
3468}
3469
1da177e4
LT		 3470static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3471 unsigned long arg)
3472{
88e67f3b 3473 const struct cred *cred = current_cred();
0b24dcb7 3474 int error = 0;
1da177e4 3475
0b24dcb7
EP		 3476 switch (cmd) {
3477 case FIONREAD:
3478 /* fall through */
3479 case FIBMAP:
3480 /* fall through */
3481 case FIGETBSZ:
3482 /* fall through */
2f99c369 3483 case FS_IOC_GETFLAGS:
0b24dcb7 3484 /* fall through */
2f99c369 3485 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3486 error = file_has_perm(cred, file, FILE__GETATTR);
3487 break;
1da177e4 3488
2f99c369 3489 case FS_IOC_SETFLAGS:
0b24dcb7 3490 /* fall through */
2f99c369 3491 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3492 error = file_has_perm(cred, file, FILE__SETATTR);
3493 break;
3494
3495 /* sys_ioctl() checks */
3496 case FIONBIO:
3497 /* fall through */
3498 case FIOASYNC:
3499 error = file_has_perm(cred, file, 0);
3500 break;
1da177e4 3501
0b24dcb7
EP		 3502 case KDSKBENT:
3503 case KDSKBSENT:
6a9de491 3504 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
8e4ff6f2 3505 SECURITY_CAP_AUDIT, true);
0b24dcb7
EP		 3506 break;
3507
3508 /* default case assumes that the command will go
3509 * to the file's ioctl() function.
3510 */
3511 default:
fa1aa143 3512 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3513 }
3514 return error;
1da177e4
LT		 3515}
3516
fcaaade1
SS		 3517static int default_noexec;
3518
1da177e4
LT		 3519static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3520{
88e67f3b 3521 const struct cred *cred = current_cred();
be0554c9 3522 u32 sid = cred_sid(cred);
d84f4f99 3523 int rc = 0;
88e67f3b 3524
fcaaade1 3525 if (default_noexec &&
892e8cac
SS		 3526 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3527 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3528 /*
3529 * We are making executable an anonymous mapping or a
3530 * private file mapping that will also be writable.
3531 * This has an additional check.
3532 */
be0554c9
SS		 3533 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3534 PROCESS__EXECMEM, NULL);
1da177e4 3535 if (rc)
d84f4f99 3536 goto error;
1da177e4 3537 }
1da177e4
LT		 3538
3539 if (file) {
3540 /* read access is always possible with a mapping */
3541 u32 av = FILE__READ;
3542
3543 /* write access only matters if the mapping is shared */
3544 if (shared && (prot & PROT_WRITE))
3545 av |= FILE__WRITE;
3546
3547 if (prot & PROT_EXEC)
3548 av |= FILE__EXECUTE;
3549
88e67f3b 3550 return file_has_perm(cred, file, av);
1da177e4 3551 }
d84f4f99
DH		 3552
3553error:
3554 return rc;
1da177e4
LT		 3555}
3556
e5467859 3557static int selinux_mmap_addr(unsigned long addr)
1da177e4 3558{
b1d9e6b0 3559 int rc = 0;
1da177e4 3560
a2551df7 3561 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3562 u32 sid = current_sid();
ed032189
EP		 3563 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3564 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3565 }
3566
98883bfd 3567 return rc;
e5467859 3568}
1da177e4 3569
e5467859
AV		 3570static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3571 unsigned long prot, unsigned long flags)
3572{
3ba4bf5f
SS		 3573 struct common_audit_data ad;
3574 int rc;
3575
3576 if (file) {
3577 ad.type = LSM_AUDIT_DATA_FILE;
3578 ad.u.file = file;
3579 rc = inode_has_perm(current_cred(), file_inode(file),
3580 FILE__MAP, &ad);
3581 if (rc)
3582 return rc;
3583 }
3584
1da177e4
LT		 3585 if (selinux_checkreqprot)
3586 prot = reqprot;
3587
3588 return file_map_prot_check(file, prot,
3589 (flags & MAP_TYPE) == MAP_SHARED);
3590}
3591
3592static int selinux_file_mprotect(struct vm_area_struct *vma,
3593 unsigned long reqprot,
3594 unsigned long prot)
3595{
88e67f3b 3596 const struct cred *cred = current_cred();
be0554c9 3597 u32 sid = cred_sid(cred);
1da177e4
LT		 3598
3599 if (selinux_checkreqprot)
3600 prot = reqprot;
3601
fcaaade1
SS		 3602 if (default_noexec &&
3603 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3604 int rc = 0;
db4c9641
SS		 3605 if (vma->vm_start >= vma->vm_mm->start_brk &&
3606 vma->vm_end <= vma->vm_mm->brk) {
be0554c9
SS		 3607 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3608 PROCESS__EXECHEAP, NULL);
db4c9641 3609 } else if (!vma->vm_file &&
c2316dbf
SS		 3610 ((vma->vm_start <= vma->vm_mm->start_stack &&
3611 vma->vm_end >= vma->vm_mm->start_stack) ||
d17af505 3612 vma_is_stack_for_current(vma))) {
be0554c9
SS		 3613 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3614 PROCESS__EXECSTACK, NULL);
db4c9641
SS		 3615 } else if (vma->vm_file && vma->anon_vma) {
3616 /*
3617 * We are making executable a file mapping that has
3618 * had some COW done. Since pages might have been
3619 * written, check ability to execute the possibly
3620 * modified content. This typically should only
3621 * occur for text relocations.
3622 */
d84f4f99 3623 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3624 }