Merge tag 'selinux-pr-20180403' of git://git.kernel.org/pub/scm/linux/kernel/git...
[muen/linux.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *      This program is free software; you can redistribute it and/or modify
23  *      it under the terms of the GNU General Public License version 2,
24  *      as published by the Free Software Foundation.
25  */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>             /* for local_port_range[] */
56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>    /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>           /* for Unix socket types */
74 #include <net/af_unix.h>        /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102
103 struct selinux_state selinux_state;
104
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110
111 static int __init enforcing_setup(char *str)
112 {
113         unsigned long enforcing;
114         if (!kstrtoul(str, 0, &enforcing))
115                 selinux_enforcing_boot = enforcing ? 1 : 0;
116         return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
126 static int __init selinux_enabled_setup(char *str)
127 {
128         unsigned long enabled;
129         if (!kstrtoul(str, 0, &enabled))
130                 selinux_enabled = enabled ? 1 : 0;
131         return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139         CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141 static int __init checkreqprot_setup(char *str)
142 {
143         unsigned long checkreqprot;
144
145         if (!kstrtoul(str, 0, &checkreqprot))
146                 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147         return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153
154 /**
155  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156  *
157  * Description:
158  * This function checks the SECMARK reference counter to see if any SECMARK
159  * targets are currently configured, if the reference counter is greater than
160  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162  * policy capability is enabled, SECMARK is always considered enabled.
163  *
164  */
165 static int selinux_secmark_enabled(void)
166 {
167         return (selinux_policycap_alwaysnetwork() ||
168                 atomic_read(&selinux_secmark_refcount));
169 }
170
171 /**
172  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173  *
174  * Description:
175  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176  * (1) if any are enabled or false (0) if neither are enabled.  If the
177  * always_check_network policy capability is enabled, peer labeling
178  * is always considered enabled.
179  *
180  */
181 static int selinux_peerlbl_enabled(void)
182 {
183         return (selinux_policycap_alwaysnetwork() ||
184                 netlbl_enabled() || selinux_xfrm_enabled());
185 }
186
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189         if (event == AVC_CALLBACK_RESET) {
190                 sel_netif_flush();
191                 sel_netnode_flush();
192                 sel_netport_flush();
193                 synchronize_net();
194         }
195         return 0;
196 }
197
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200         if (event == AVC_CALLBACK_RESET) {
201                 sel_ib_pkey_flush();
202                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203         }
204
205         return 0;
206 }
207
208 /*
209  * initialise the security for the init task
210  */
211 static void cred_init_security(void)
212 {
213         struct cred *cred = (struct cred *) current->real_cred;
214         struct task_security_struct *tsec;
215
216         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217         if (!tsec)
218                 panic("SELinux:  Failed to initialize initial task.\n");
219
220         tsec->osid = tsec->sid = SECINITSID_KERNEL;
221         cred->security = tsec;
222 }
223
224 /*
225  * get the security ID of a set of credentials
226  */
227 static inline u32 cred_sid(const struct cred *cred)
228 {
229         const struct task_security_struct *tsec;
230
231         tsec = cred->security;
232         return tsec->sid;
233 }
234
235 /*
236  * get the objective security ID of a task
237  */
238 static inline u32 task_sid(const struct task_struct *task)
239 {
240         u32 sid;
241
242         rcu_read_lock();
243         sid = cred_sid(__task_cred(task));
244         rcu_read_unlock();
245         return sid;
246 }
247
248 /* Allocate and free functions for each kind of security blob. */
249
250 static int inode_alloc_security(struct inode *inode)
251 {
252         struct inode_security_struct *isec;
253         u32 sid = current_sid();
254
255         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256         if (!isec)
257                 return -ENOMEM;
258
259         spin_lock_init(&isec->lock);
260         INIT_LIST_HEAD(&isec->list);
261         isec->inode = inode;
262         isec->sid = SECINITSID_UNLABELED;
263         isec->sclass = SECCLASS_FILE;
264         isec->task_sid = sid;
265         isec->initialized = LABEL_INVALID;
266         inode->i_security = isec;
267
268         return 0;
269 }
270
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273 /*
274  * Try reloading inode security labels that have been marked as invalid.  The
275  * @may_sleep parameter indicates when sleeping and thus reloading labels is
276  * allowed; when set to false, returns -ECHILD when the label is
277  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
278  * when no dentry is available, set it to NULL instead.
279  */
280 static int __inode_security_revalidate(struct inode *inode,
281                                        struct dentry *opt_dentry,
282                                        bool may_sleep)
283 {
284         struct inode_security_struct *isec = inode->i_security;
285
286         might_sleep_if(may_sleep);
287
288         if (selinux_state.initialized &&
289             isec->initialized != LABEL_INITIALIZED) {
290                 if (!may_sleep)
291                         return -ECHILD;
292
293                 /*
294                  * Try reloading the inode security label.  This will fail if
295                  * @opt_dentry is NULL and no dentry for this inode can be
296                  * found; in that case, continue using the old label.
297                  */
298                 inode_doinit_with_dentry(inode, opt_dentry);
299         }
300         return 0;
301 }
302
303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 {
305         return inode->i_security;
306 }
307
308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
309 {
310         int error;
311
312         error = __inode_security_revalidate(inode, NULL, !rcu);
313         if (error)
314                 return ERR_PTR(error);
315         return inode->i_security;
316 }
317
318 /*
319  * Get the security label of an inode.
320  */
321 static struct inode_security_struct *inode_security(struct inode *inode)
322 {
323         __inode_security_revalidate(inode, NULL, true);
324         return inode->i_security;
325 }
326
327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 {
329         struct inode *inode = d_backing_inode(dentry);
330
331         return inode->i_security;
332 }
333
334 /*
335  * Get the security label of a dentry's backing inode.
336  */
337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 {
339         struct inode *inode = d_backing_inode(dentry);
340
341         __inode_security_revalidate(inode, dentry, true);
342         return inode->i_security;
343 }
344
345 static void inode_free_rcu(struct rcu_head *head)
346 {
347         struct inode_security_struct *isec;
348
349         isec = container_of(head, struct inode_security_struct, rcu);
350         kmem_cache_free(sel_inode_cache, isec);
351 }
352
353 static void inode_free_security(struct inode *inode)
354 {
355         struct inode_security_struct *isec = inode->i_security;
356         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
357
358         /*
359          * As not all inode security structures are in a list, we check for
360          * empty list outside of the lock to make sure that we won't waste
361          * time taking a lock doing nothing.
362          *
363          * The list_del_init() function can be safely called more than once.
364          * It should not be possible for this function to be called with
365          * concurrent list_add(), but for better safety against future changes
366          * in the code, we use list_empty_careful() here.
367          */
368         if (!list_empty_careful(&isec->list)) {
369                 spin_lock(&sbsec->isec_lock);
370                 list_del_init(&isec->list);
371                 spin_unlock(&sbsec->isec_lock);
372         }
373
374         /*
375          * The inode may still be referenced in a path walk and
376          * a call to selinux_inode_permission() can be made
377          * after inode_free_security() is called. Ideally, the VFS
378          * wouldn't do this, but fixing that is a much harder
379          * job. For now, simply free the i_security via RCU, and
380          * leave the current inode->i_security pointer intact.
381          * The inode will be freed after the RCU grace period too.
382          */
383         call_rcu(&isec->rcu, inode_free_rcu);
384 }
385
386 static int file_alloc_security(struct file *file)
387 {
388         struct file_security_struct *fsec;
389         u32 sid = current_sid();
390
391         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
392         if (!fsec)
393                 return -ENOMEM;
394
395         fsec->sid = sid;
396         fsec->fown_sid = sid;
397         file->f_security = fsec;
398
399         return 0;
400 }
401
402 static void file_free_security(struct file *file)
403 {
404         struct file_security_struct *fsec = file->f_security;
405         file->f_security = NULL;
406         kmem_cache_free(file_security_cache, fsec);
407 }
408
409 static int superblock_alloc_security(struct super_block *sb)
410 {
411         struct superblock_security_struct *sbsec;
412
413         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
414         if (!sbsec)
415                 return -ENOMEM;
416
417         mutex_init(&sbsec->lock);
418         INIT_LIST_HEAD(&sbsec->isec_head);
419         spin_lock_init(&sbsec->isec_lock);
420         sbsec->sb = sb;
421         sbsec->sid = SECINITSID_UNLABELED;
422         sbsec->def_sid = SECINITSID_FILE;
423         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
424         sb->s_security = sbsec;
425
426         return 0;
427 }
428
429 static void superblock_free_security(struct super_block *sb)
430 {
431         struct superblock_security_struct *sbsec = sb->s_security;
432         sb->s_security = NULL;
433         kfree(sbsec);
434 }
435
436 static inline int inode_doinit(struct inode *inode)
437 {
438         return inode_doinit_with_dentry(inode, NULL);
439 }
440
441 enum {
442         Opt_error = -1,
443         Opt_context = 1,
444         Opt_fscontext = 2,
445         Opt_defcontext = 3,
446         Opt_rootcontext = 4,
447         Opt_labelsupport = 5,
448         Opt_nextmntopt = 6,
449 };
450
451 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
452
453 static const match_table_t tokens = {
454         {Opt_context, CONTEXT_STR "%s"},
455         {Opt_fscontext, FSCONTEXT_STR "%s"},
456         {Opt_defcontext, DEFCONTEXT_STR "%s"},
457         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
458         {Opt_labelsupport, LABELSUPP_STR},
459         {Opt_error, NULL},
460 };
461
462 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
463
464 static int may_context_mount_sb_relabel(u32 sid,
465                         struct superblock_security_struct *sbsec,
466                         const struct cred *cred)
467 {
468         const struct task_security_struct *tsec = cred->security;
469         int rc;
470
471         rc = avc_has_perm(&selinux_state,
472                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473                           FILESYSTEM__RELABELFROM, NULL);
474         if (rc)
475                 return rc;
476
477         rc = avc_has_perm(&selinux_state,
478                           tsec->sid, sid, SECCLASS_FILESYSTEM,
479                           FILESYSTEM__RELABELTO, NULL);
480         return rc;
481 }
482
483 static int may_context_mount_inode_relabel(u32 sid,
484                         struct superblock_security_struct *sbsec,
485                         const struct cred *cred)
486 {
487         const struct task_security_struct *tsec = cred->security;
488         int rc;
489         rc = avc_has_perm(&selinux_state,
490                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
491                           FILESYSTEM__RELABELFROM, NULL);
492         if (rc)
493                 return rc;
494
495         rc = avc_has_perm(&selinux_state,
496                           sid, sbsec->sid, SECCLASS_FILESYSTEM,
497                           FILESYSTEM__ASSOCIATE, NULL);
498         return rc;
499 }
500
501 static int selinux_is_sblabel_mnt(struct super_block *sb)
502 {
503         struct superblock_security_struct *sbsec = sb->s_security;
504
505         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
506                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
507                 sbsec->behavior == SECURITY_FS_USE_TASK ||
508                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
509                 /* Special handling. Genfs but also in-core setxattr handler */
510                 !strcmp(sb->s_type->name, "sysfs") ||
511                 !strcmp(sb->s_type->name, "pstore") ||
512                 !strcmp(sb->s_type->name, "debugfs") ||
513                 !strcmp(sb->s_type->name, "tracefs") ||
514                 !strcmp(sb->s_type->name, "rootfs") ||
515                 (selinux_policycap_cgroupseclabel() &&
516                  (!strcmp(sb->s_type->name, "cgroup") ||
517                   !strcmp(sb->s_type->name, "cgroup2")));
518 }
519
520 static int sb_finish_set_opts(struct super_block *sb)
521 {
522         struct superblock_security_struct *sbsec = sb->s_security;
523         struct dentry *root = sb->s_root;
524         struct inode *root_inode = d_backing_inode(root);
525         int rc = 0;
526
527         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
528                 /* Make sure that the xattr handler exists and that no
529                    error other than -ENODATA is returned by getxattr on
530                    the root directory.  -ENODATA is ok, as this may be
531                    the first boot of the SELinux kernel before we have
532                    assigned xattr values to the filesystem. */
533                 if (!(root_inode->i_opflags & IOP_XATTR)) {
534                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
535                                "xattr support\n", sb->s_id, sb->s_type->name);
536                         rc = -EOPNOTSUPP;
537                         goto out;
538                 }
539
540                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
541                 if (rc < 0 && rc != -ENODATA) {
542                         if (rc == -EOPNOTSUPP)
543                                 printk(KERN_WARNING "SELinux: (dev %s, type "
544                                        "%s) has no security xattr handler\n",
545                                        sb->s_id, sb->s_type->name);
546                         else
547                                 printk(KERN_WARNING "SELinux: (dev %s, type "
548                                        "%s) getxattr errno %d\n", sb->s_id,
549                                        sb->s_type->name, -rc);
550                         goto out;
551                 }
552         }
553
554         sbsec->flags |= SE_SBINITIALIZED;
555
556         /*
557          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
558          * leave the flag untouched because sb_clone_mnt_opts might be handing
559          * us a superblock that needs the flag to be cleared.
560          */
561         if (selinux_is_sblabel_mnt(sb))
562                 sbsec->flags |= SBLABEL_MNT;
563         else
564                 sbsec->flags &= ~SBLABEL_MNT;
565
566         /* Initialize the root inode. */
567         rc = inode_doinit_with_dentry(root_inode, root);
568
569         /* Initialize any other inodes associated with the superblock, e.g.
570            inodes created prior to initial policy load or inodes created
571            during get_sb by a pseudo filesystem that directly
572            populates itself. */
573         spin_lock(&sbsec->isec_lock);
574 next_inode:
575         if (!list_empty(&sbsec->isec_head)) {
576                 struct inode_security_struct *isec =
577                                 list_entry(sbsec->isec_head.next,
578                                            struct inode_security_struct, list);
579                 struct inode *inode = isec->inode;
580                 list_del_init(&isec->list);
581                 spin_unlock(&sbsec->isec_lock);
582                 inode = igrab(inode);
583                 if (inode) {
584                         if (!IS_PRIVATE(inode))
585                                 inode_doinit(inode);
586                         iput(inode);
587                 }
588                 spin_lock(&sbsec->isec_lock);
589                 goto next_inode;
590         }
591         spin_unlock(&sbsec->isec_lock);
592 out:
593         return rc;
594 }
595
596 /*
597  * This function should allow an FS to ask what it's mount security
598  * options were so it can use those later for submounts, displaying
599  * mount options, or whatever.
600  */
601 static int selinux_get_mnt_opts(const struct super_block *sb,
602                                 struct security_mnt_opts *opts)
603 {
604         int rc = 0, i;
605         struct superblock_security_struct *sbsec = sb->s_security;
606         char *context = NULL;
607         u32 len;
608         char tmp;
609
610         security_init_mnt_opts(opts);
611
612         if (!(sbsec->flags & SE_SBINITIALIZED))
613                 return -EINVAL;
614
615         if (!selinux_state.initialized)
616                 return -EINVAL;
617
618         /* make sure we always check enough bits to cover the mask */
619         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
620
621         tmp = sbsec->flags & SE_MNTMASK;
622         /* count the number of mount options for this sb */
623         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
624                 if (tmp & 0x01)
625                         opts->num_mnt_opts++;
626                 tmp >>= 1;
627         }
628         /* Check if the Label support flag is set */
629         if (sbsec->flags & SBLABEL_MNT)
630                 opts->num_mnt_opts++;
631
632         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
633         if (!opts->mnt_opts) {
634                 rc = -ENOMEM;
635                 goto out_free;
636         }
637
638         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
639         if (!opts->mnt_opts_flags) {
640                 rc = -ENOMEM;
641                 goto out_free;
642         }
643
644         i = 0;
645         if (sbsec->flags & FSCONTEXT_MNT) {
646                 rc = security_sid_to_context(&selinux_state, sbsec->sid,
647                                              &context, &len);
648                 if (rc)
649                         goto out_free;
650                 opts->mnt_opts[i] = context;
651                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
652         }
653         if (sbsec->flags & CONTEXT_MNT) {
654                 rc = security_sid_to_context(&selinux_state,
655                                              sbsec->mntpoint_sid,
656                                              &context, &len);
657                 if (rc)
658                         goto out_free;
659                 opts->mnt_opts[i] = context;
660                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
661         }
662         if (sbsec->flags & DEFCONTEXT_MNT) {
663                 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664                                              &context, &len);
665                 if (rc)
666                         goto out_free;
667                 opts->mnt_opts[i] = context;
668                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
669         }
670         if (sbsec->flags & ROOTCONTEXT_MNT) {
671                 struct dentry *root = sbsec->sb->s_root;
672                 struct inode_security_struct *isec = backing_inode_security(root);
673
674                 rc = security_sid_to_context(&selinux_state, isec->sid,
675                                              &context, &len);
676                 if (rc)
677                         goto out_free;
678                 opts->mnt_opts[i] = context;
679                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
680         }
681         if (sbsec->flags & SBLABEL_MNT) {
682                 opts->mnt_opts[i] = NULL;
683                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
684         }
685
686         BUG_ON(i != opts->num_mnt_opts);
687
688         return 0;
689
690 out_free:
691         security_free_mnt_opts(opts);
692         return rc;
693 }
694
695 static int bad_option(struct superblock_security_struct *sbsec, char flag,
696                       u32 old_sid, u32 new_sid)
697 {
698         char mnt_flags = sbsec->flags & SE_MNTMASK;
699
700         /* check if the old mount command had the same options */
701         if (sbsec->flags & SE_SBINITIALIZED)
702                 if (!(sbsec->flags & flag) ||
703                     (old_sid != new_sid))
704                         return 1;
705
706         /* check if we were passed the same options twice,
707          * aka someone passed context=a,context=b
708          */
709         if (!(sbsec->flags & SE_SBINITIALIZED))
710                 if (mnt_flags & flag)
711                         return 1;
712         return 0;
713 }
714
715 /*
716  * Allow filesystems with binary mount data to explicitly set mount point
717  * labeling information.
718  */
719 static int selinux_set_mnt_opts(struct super_block *sb,
720                                 struct security_mnt_opts *opts,
721                                 unsigned long kern_flags,
722                                 unsigned long *set_kern_flags)
723 {
724         const struct cred *cred = current_cred();
725         int rc = 0, i;
726         struct superblock_security_struct *sbsec = sb->s_security;
727         const char *name = sb->s_type->name;
728         struct dentry *root = sbsec->sb->s_root;
729         struct inode_security_struct *root_isec;
730         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
731         u32 defcontext_sid = 0;
732         char **mount_options = opts->mnt_opts;
733         int *flags = opts->mnt_opts_flags;
734         int num_opts = opts->num_mnt_opts;
735
736         mutex_lock(&sbsec->lock);
737
738         if (!selinux_state.initialized) {
739                 if (!num_opts) {
740                         /* Defer initialization until selinux_complete_init,
741                            after the initial policy is loaded and the security
742                            server is ready to handle calls. */
743                         goto out;
744                 }
745                 rc = -EINVAL;
746                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
747                         "before the security server is initialized\n");
748                 goto out;
749         }
750         if (kern_flags && !set_kern_flags) {
751                 /* Specifying internal flags without providing a place to
752                  * place the results is not allowed */
753                 rc = -EINVAL;
754                 goto out;
755         }
756
757         /*
758          * Binary mount data FS will come through this function twice.  Once
759          * from an explicit call and once from the generic calls from the vfs.
760          * Since the generic VFS calls will not contain any security mount data
761          * we need to skip the double mount verification.
762          *
763          * This does open a hole in which we will not notice if the first
764          * mount using this sb set explict options and a second mount using
765          * this sb does not set any security options.  (The first options
766          * will be used for both mounts)
767          */
768         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
769             && (num_opts == 0))
770                 goto out;
771
772         root_isec = backing_inode_security_novalidate(root);
773
774         /*
775          * parse the mount options, check if they are valid sids.
776          * also check if someone is trying to mount the same sb more
777          * than once with different security options.
778          */
779         for (i = 0; i < num_opts; i++) {
780                 u32 sid;
781
782                 if (flags[i] == SBLABEL_MNT)
783                         continue;
784                 rc = security_context_str_to_sid(&selinux_state,
785                                                  mount_options[i], &sid,
786                                                  GFP_KERNEL);
787                 if (rc) {
788                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
789                                "(%s) failed for (dev %s, type %s) errno=%d\n",
790                                mount_options[i], sb->s_id, name, rc);
791                         goto out;
792                 }
793                 switch (flags[i]) {
794                 case FSCONTEXT_MNT:
795                         fscontext_sid = sid;
796
797                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
798                                         fscontext_sid))
799                                 goto out_double_mount;
800
801                         sbsec->flags |= FSCONTEXT_MNT;
802                         break;
803                 case CONTEXT_MNT:
804                         context_sid = sid;
805
806                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
807                                         context_sid))
808                                 goto out_double_mount;
809
810                         sbsec->flags |= CONTEXT_MNT;
811                         break;
812                 case ROOTCONTEXT_MNT:
813                         rootcontext_sid = sid;
814
815                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
816                                         rootcontext_sid))
817                                 goto out_double_mount;
818
819                         sbsec->flags |= ROOTCONTEXT_MNT;
820
821                         break;
822                 case DEFCONTEXT_MNT:
823                         defcontext_sid = sid;
824
825                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
826                                         defcontext_sid))
827                                 goto out_double_mount;
828
829                         sbsec->flags |= DEFCONTEXT_MNT;
830
831                         break;
832                 default:
833                         rc = -EINVAL;
834                         goto out;
835                 }
836         }
837
838         if (sbsec->flags & SE_SBINITIALIZED) {
839                 /* previously mounted with options, but not on this attempt? */
840                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
841                         goto out_double_mount;
842                 rc = 0;
843                 goto out;
844         }
845
846         if (strcmp(sb->s_type->name, "proc") == 0)
847                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
848
849         if (!strcmp(sb->s_type->name, "debugfs") ||
850             !strcmp(sb->s_type->name, "tracefs") ||
851             !strcmp(sb->s_type->name, "sysfs") ||
852             !strcmp(sb->s_type->name, "pstore") ||
853             !strcmp(sb->s_type->name, "cgroup") ||
854             !strcmp(sb->s_type->name, "cgroup2"))
855                 sbsec->flags |= SE_SBGENFS;
856
857         if (!sbsec->behavior) {
858                 /*
859                  * Determine the labeling behavior to use for this
860                  * filesystem type.
861                  */
862                 rc = security_fs_use(&selinux_state, sb);
863                 if (rc) {
864                         printk(KERN_WARNING
865                                 "%s: security_fs_use(%s) returned %d\n",
866                                         __func__, sb->s_type->name, rc);
867                         goto out;
868                 }
869         }
870
871         /*
872          * If this is a user namespace mount and the filesystem type is not
873          * explicitly whitelisted, then no contexts are allowed on the command
874          * line and security labels must be ignored.
875          */
876         if (sb->s_user_ns != &init_user_ns &&
877             strcmp(sb->s_type->name, "tmpfs") &&
878             strcmp(sb->s_type->name, "ramfs") &&
879             strcmp(sb->s_type->name, "devpts")) {
880                 if (context_sid || fscontext_sid || rootcontext_sid ||
881                     defcontext_sid) {
882                         rc = -EACCES;
883                         goto out;
884                 }
885                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
886                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
887                         rc = security_transition_sid(&selinux_state,
888                                                      current_sid(),
889                                                      current_sid(),
890                                                      SECCLASS_FILE, NULL,
891                                                      &sbsec->mntpoint_sid);
892                         if (rc)
893                                 goto out;
894                 }
895                 goto out_set_opts;
896         }
897
898         /* sets the context of the superblock for the fs being mounted. */
899         if (fscontext_sid) {
900                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
901                 if (rc)
902                         goto out;
903
904                 sbsec->sid = fscontext_sid;
905         }
906
907         /*
908          * Switch to using mount point labeling behavior.
909          * sets the label used on all file below the mountpoint, and will set
910          * the superblock context if not already set.
911          */
912         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
913                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
914                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
915         }
916
917         if (context_sid) {
918                 if (!fscontext_sid) {
919                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
920                                                           cred);
921                         if (rc)
922                                 goto out;
923                         sbsec->sid = context_sid;
924                 } else {
925                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
926                                                              cred);
927                         if (rc)
928                                 goto out;
929                 }
930                 if (!rootcontext_sid)
931                         rootcontext_sid = context_sid;
932
933                 sbsec->mntpoint_sid = context_sid;
934                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
935         }
936
937         if (rootcontext_sid) {
938                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
939                                                      cred);
940                 if (rc)
941                         goto out;
942
943                 root_isec->sid = rootcontext_sid;
944                 root_isec->initialized = LABEL_INITIALIZED;
945         }
946
947         if (defcontext_sid) {
948                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
949                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
950                         rc = -EINVAL;
951                         printk(KERN_WARNING "SELinux: defcontext option is "
952                                "invalid for this filesystem type\n");
953                         goto out;
954                 }
955
956                 if (defcontext_sid != sbsec->def_sid) {
957                         rc = may_context_mount_inode_relabel(defcontext_sid,
958                                                              sbsec, cred);
959                         if (rc)
960                                 goto out;
961                 }
962
963                 sbsec->def_sid = defcontext_sid;
964         }
965
966 out_set_opts:
967         rc = sb_finish_set_opts(sb);
968 out:
969         mutex_unlock(&sbsec->lock);
970         return rc;
971 out_double_mount:
972         rc = -EINVAL;
973         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
974                "security settings for (dev %s, type %s)\n", sb->s_id, name);
975         goto out;
976 }
977
978 static int selinux_cmp_sb_context(const struct super_block *oldsb,
979                                     const struct super_block *newsb)
980 {
981         struct superblock_security_struct *old = oldsb->s_security;
982         struct superblock_security_struct *new = newsb->s_security;
983         char oldflags = old->flags & SE_MNTMASK;
984         char newflags = new->flags & SE_MNTMASK;
985
986         if (oldflags != newflags)
987                 goto mismatch;
988         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
989                 goto mismatch;
990         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
991                 goto mismatch;
992         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
993                 goto mismatch;
994         if (oldflags & ROOTCONTEXT_MNT) {
995                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
996                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
997                 if (oldroot->sid != newroot->sid)
998                         goto mismatch;
999         }
1000         return 0;
1001 mismatch:
1002         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
1003                             "different security settings for (dev %s, "
1004                             "type %s)\n", newsb->s_id, newsb->s_type->name);
1005         return -EBUSY;
1006 }
1007
1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1009                                         struct super_block *newsb,
1010                                         unsigned long kern_flags,
1011                                         unsigned long *set_kern_flags)
1012 {
1013         int rc = 0;
1014         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1015         struct superblock_security_struct *newsbsec = newsb->s_security;
1016
1017         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
1018         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
1019         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
1020
1021         /*
1022          * if the parent was able to be mounted it clearly had no special lsm
1023          * mount options.  thus we can safely deal with this superblock later
1024          */
1025         if (!selinux_state.initialized)
1026                 return 0;
1027
1028         /*
1029          * Specifying internal flags without providing a place to
1030          * place the results is not allowed.
1031          */
1032         if (kern_flags && !set_kern_flags)
1033                 return -EINVAL;
1034
1035         /* how can we clone if the old one wasn't set up?? */
1036         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1037
1038         /* if fs is reusing a sb, make sure that the contexts match */
1039         if (newsbsec->flags & SE_SBINITIALIZED)
1040                 return selinux_cmp_sb_context(oldsb, newsb);
1041
1042         mutex_lock(&newsbsec->lock);
1043
1044         newsbsec->flags = oldsbsec->flags;
1045
1046         newsbsec->sid = oldsbsec->sid;
1047         newsbsec->def_sid = oldsbsec->def_sid;
1048         newsbsec->behavior = oldsbsec->behavior;
1049
1050         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1051                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1052                 rc = security_fs_use(&selinux_state, newsb);
1053                 if (rc)
1054                         goto out;
1055         }
1056
1057         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1058                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1059                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1060         }
1061
1062         if (set_context) {
1063                 u32 sid = oldsbsec->mntpoint_sid;
1064
1065                 if (!set_fscontext)
1066                         newsbsec->sid = sid;
1067                 if (!set_rootcontext) {
1068                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1069                         newisec->sid = sid;
1070                 }
1071                 newsbsec->mntpoint_sid = sid;
1072         }
1073         if (set_rootcontext) {
1074                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1075                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1076
1077                 newisec->sid = oldisec->sid;
1078         }
1079
1080         sb_finish_set_opts(newsb);
1081 out:
1082         mutex_unlock(&newsbsec->lock);
1083         return rc;
1084 }
1085
1086 static int selinux_parse_opts_str(char *options,
1087                                   struct security_mnt_opts *opts)
1088 {
1089         char *p;
1090         char *context = NULL, *defcontext = NULL;
1091         char *fscontext = NULL, *rootcontext = NULL;
1092         int rc, num_mnt_opts = 0;
1093
1094         opts->num_mnt_opts = 0;
1095
1096         /* Standard string-based options. */
1097         while ((p = strsep(&options, "|")) != NULL) {
1098                 int token;
1099                 substring_t args[MAX_OPT_ARGS];
1100
1101                 if (!*p)
1102                         continue;
1103
1104                 token = match_token(p, tokens, args);
1105
1106                 switch (token) {
1107                 case Opt_context:
1108                         if (context || defcontext) {
1109                                 rc = -EINVAL;
1110                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1111                                 goto out_err;
1112                         }
1113                         context = match_strdup(&args[0]);
1114                         if (!context) {
1115                                 rc = -ENOMEM;
1116                                 goto out_err;
1117                         }
1118                         break;
1119
1120                 case Opt_fscontext:
1121                         if (fscontext) {
1122                                 rc = -EINVAL;
1123                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1124                                 goto out_err;
1125                         }
1126                         fscontext = match_strdup(&args[0]);
1127                         if (!fscontext) {
1128                                 rc = -ENOMEM;
1129                                 goto out_err;
1130                         }
1131                         break;
1132
1133                 case Opt_rootcontext:
1134                         if (rootcontext) {
1135                                 rc = -EINVAL;
1136                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1137                                 goto out_err;
1138                         }
1139                         rootcontext = match_strdup(&args[0]);
1140                         if (!rootcontext) {
1141                                 rc = -ENOMEM;
1142                                 goto out_err;
1143                         }
1144                         break;
1145
1146                 case Opt_defcontext:
1147                         if (context || defcontext) {
1148                                 rc = -EINVAL;
1149                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1150                                 goto out_err;
1151                         }
1152                         defcontext = match_strdup(&args[0]);
1153                         if (!defcontext) {
1154                                 rc = -ENOMEM;
1155                                 goto out_err;
1156                         }
1157                         break;
1158                 case Opt_labelsupport:
1159                         break;
1160                 default:
1161                         rc = -EINVAL;
1162                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1163                         goto out_err;
1164
1165                 }
1166         }
1167
1168         rc = -ENOMEM;
1169         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1170         if (!opts->mnt_opts)
1171                 goto out_err;
1172
1173         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1174                                        GFP_KERNEL);
1175         if (!opts->mnt_opts_flags)
1176                 goto out_err;
1177
1178         if (fscontext) {
1179                 opts->mnt_opts[num_mnt_opts] = fscontext;
1180                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1181         }
1182         if (context) {
1183                 opts->mnt_opts[num_mnt_opts] = context;
1184                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1185         }
1186         if (rootcontext) {
1187                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1188                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1189         }
1190         if (defcontext) {
1191                 opts->mnt_opts[num_mnt_opts] = defcontext;
1192                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1193         }
1194
1195         opts->num_mnt_opts = num_mnt_opts;
1196         return 0;
1197
1198 out_err:
1199         security_free_mnt_opts(opts);
1200         kfree(context);
1201         kfree(defcontext);
1202         kfree(fscontext);
1203         kfree(rootcontext);
1204         return rc;
1205 }
1206 /*
1207  * string mount options parsing and call set the sbsec
1208  */
1209 static int superblock_doinit(struct super_block *sb, void *data)
1210 {
1211         int rc = 0;
1212         char *options = data;
1213         struct security_mnt_opts opts;
1214
1215         security_init_mnt_opts(&opts);
1216
1217         if (!data)
1218                 goto out;
1219
1220         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1221
1222         rc = selinux_parse_opts_str(options, &opts);
1223         if (rc)
1224                 goto out_err;
1225
1226 out:
1227         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1228
1229 out_err:
1230         security_free_mnt_opts(&opts);
1231         return rc;
1232 }
1233
1234 static void selinux_write_opts(struct seq_file *m,
1235                                struct security_mnt_opts *opts)
1236 {
1237         int i;
1238         char *prefix;
1239
1240         for (i = 0; i < opts->num_mnt_opts; i++) {
1241                 char *has_comma;
1242
1243                 if (opts->mnt_opts[i])
1244                         has_comma = strchr(opts->mnt_opts[i], ',');
1245                 else
1246                         has_comma = NULL;
1247
1248                 switch (opts->mnt_opts_flags[i]) {
1249                 case CONTEXT_MNT:
1250                         prefix = CONTEXT_STR;
1251                         break;
1252                 case FSCONTEXT_MNT:
1253                         prefix = FSCONTEXT_STR;
1254                         break;
1255                 case ROOTCONTEXT_MNT:
1256                         prefix = ROOTCONTEXT_STR;
1257                         break;
1258                 case DEFCONTEXT_MNT:
1259                         prefix = DEFCONTEXT_STR;
1260                         break;
1261                 case SBLABEL_MNT:
1262                         seq_putc(m, ',');
1263                         seq_puts(m, LABELSUPP_STR);
1264                         continue;
1265                 default:
1266                         BUG();
1267                         return;
1268                 };
1269                 /* we need a comma before each option */
1270                 seq_putc(m, ',');
1271                 seq_puts(m, prefix);
1272                 if (has_comma)
1273                         seq_putc(m, '\"');
1274                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1275                 if (has_comma)
1276                         seq_putc(m, '\"');
1277         }
1278 }
1279
1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1281 {
1282         struct security_mnt_opts opts;
1283         int rc;
1284
1285         rc = selinux_get_mnt_opts(sb, &opts);
1286         if (rc) {
1287                 /* before policy load we may get EINVAL, don't show anything */
1288                 if (rc == -EINVAL)
1289                         rc = 0;
1290                 return rc;
1291         }
1292
1293         selinux_write_opts(m, &opts);
1294
1295         security_free_mnt_opts(&opts);
1296
1297         return rc;
1298 }
1299
1300 static inline u16 inode_mode_to_security_class(umode_t mode)
1301 {
1302         switch (mode & S_IFMT) {
1303         case S_IFSOCK:
1304                 return SECCLASS_SOCK_FILE;
1305         case S_IFLNK:
1306                 return SECCLASS_LNK_FILE;
1307         case S_IFREG:
1308                 return SECCLASS_FILE;
1309         case S_IFBLK:
1310                 return SECCLASS_BLK_FILE;
1311         case S_IFDIR:
1312                 return SECCLASS_DIR;
1313         case S_IFCHR:
1314                 return SECCLASS_CHR_FILE;
1315         case S_IFIFO:
1316                 return SECCLASS_FIFO_FILE;
1317
1318         }
1319
1320         return SECCLASS_FILE;
1321 }
1322
1323 static inline int default_protocol_stream(int protocol)
1324 {
1325         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1326 }
1327
1328 static inline int default_protocol_dgram(int protocol)
1329 {
1330         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1331 }
1332
1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1334 {
1335         int extsockclass = selinux_policycap_extsockclass();
1336
1337         switch (family) {
1338         case PF_UNIX:
1339                 switch (type) {
1340                 case SOCK_STREAM:
1341                 case SOCK_SEQPACKET:
1342                         return SECCLASS_UNIX_STREAM_SOCKET;
1343                 case SOCK_DGRAM:
1344                 case SOCK_RAW:
1345                         return SECCLASS_UNIX_DGRAM_SOCKET;
1346                 }
1347                 break;
1348         case PF_INET:
1349         case PF_INET6:
1350                 switch (type) {
1351                 case SOCK_STREAM:
1352                 case SOCK_SEQPACKET:
1353                         if (default_protocol_stream(protocol))
1354                                 return SECCLASS_TCP_SOCKET;
1355                         else if (extsockclass && protocol == IPPROTO_SCTP)
1356                                 return SECCLASS_SCTP_SOCKET;
1357                         else
1358                                 return SECCLASS_RAWIP_SOCKET;
1359                 case SOCK_DGRAM:
1360                         if (default_protocol_dgram(protocol))
1361                                 return SECCLASS_UDP_SOCKET;
1362                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1363                                                   protocol == IPPROTO_ICMPV6))
1364                                 return SECCLASS_ICMP_SOCKET;
1365                         else
1366                                 return SECCLASS_RAWIP_SOCKET;
1367                 case SOCK_DCCP:
1368                         return SECCLASS_DCCP_SOCKET;
1369                 default:
1370                         return SECCLASS_RAWIP_SOCKET;
1371                 }
1372                 break;
1373         case PF_NETLINK:
1374                 switch (protocol) {
1375                 case NETLINK_ROUTE:
1376                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1377                 case NETLINK_SOCK_DIAG:
1378                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1379                 case NETLINK_NFLOG:
1380                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1381                 case NETLINK_XFRM:
1382                         return SECCLASS_NETLINK_XFRM_SOCKET;
1383                 case NETLINK_SELINUX:
1384                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1385                 case NETLINK_ISCSI:
1386                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1387                 case NETLINK_AUDIT:
1388                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1389                 case NETLINK_FIB_LOOKUP:
1390                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1391                 case NETLINK_CONNECTOR:
1392                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1393                 case NETLINK_NETFILTER:
1394                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1395                 case NETLINK_DNRTMSG:
1396                         return SECCLASS_NETLINK_DNRT_SOCKET;
1397                 case NETLINK_KOBJECT_UEVENT:
1398                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1399                 case NETLINK_GENERIC:
1400                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1401                 case NETLINK_SCSITRANSPORT:
1402                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1403                 case NETLINK_RDMA:
1404                         return SECCLASS_NETLINK_RDMA_SOCKET;
1405                 case NETLINK_CRYPTO:
1406                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1407                 default:
1408                         return SECCLASS_NETLINK_SOCKET;
1409                 }
1410         case PF_PACKET:
1411                 return SECCLASS_PACKET_SOCKET;
1412         case PF_KEY:
1413                 return SECCLASS_KEY_SOCKET;
1414         case PF_APPLETALK:
1415                 return SECCLASS_APPLETALK_SOCKET;
1416         }
1417
1418         if (extsockclass) {
1419                 switch (family) {
1420                 case PF_AX25:
1421                         return SECCLASS_AX25_SOCKET;
1422                 case PF_IPX:
1423                         return SECCLASS_IPX_SOCKET;
1424                 case PF_NETROM:
1425                         return SECCLASS_NETROM_SOCKET;
1426                 case PF_ATMPVC:
1427                         return SECCLASS_ATMPVC_SOCKET;
1428                 case PF_X25:
1429                         return SECCLASS_X25_SOCKET;
1430                 case PF_ROSE:
1431                         return SECCLASS_ROSE_SOCKET;
1432                 case PF_DECnet:
1433                         return SECCLASS_DECNET_SOCKET;
1434                 case PF_ATMSVC:
1435                         return SECCLASS_ATMSVC_SOCKET;
1436                 case PF_RDS:
1437                         return SECCLASS_RDS_SOCKET;
1438                 case PF_IRDA:
1439                         return SECCLASS_IRDA_SOCKET;
1440                 case PF_PPPOX:
1441                         return SECCLASS_PPPOX_SOCKET;
1442                 case PF_LLC:
1443                         return SECCLASS_LLC_SOCKET;
1444                 case PF_CAN:
1445                         return SECCLASS_CAN_SOCKET;
1446                 case PF_TIPC:
1447                         return SECCLASS_TIPC_SOCKET;
1448                 case PF_BLUETOOTH:
1449                         return SECCLASS_BLUETOOTH_SOCKET;
1450                 case PF_IUCV:
1451                         return SECCLASS_IUCV_SOCKET;
1452                 case PF_RXRPC:
1453                         return SECCLASS_RXRPC_SOCKET;
1454                 case PF_ISDN:
1455                         return SECCLASS_ISDN_SOCKET;
1456                 case PF_PHONET:
1457                         return SECCLASS_PHONET_SOCKET;
1458                 case PF_IEEE802154:
1459                         return SECCLASS_IEEE802154_SOCKET;
1460                 case PF_CAIF:
1461                         return SECCLASS_CAIF_SOCKET;
1462                 case PF_ALG:
1463                         return SECCLASS_ALG_SOCKET;
1464                 case PF_NFC:
1465                         return SECCLASS_NFC_SOCKET;
1466                 case PF_VSOCK:
1467                         return SECCLASS_VSOCK_SOCKET;
1468                 case PF_KCM:
1469                         return SECCLASS_KCM_SOCKET;
1470                 case PF_QIPCRTR:
1471                         return SECCLASS_QIPCRTR_SOCKET;
1472                 case PF_SMC:
1473                         return SECCLASS_SMC_SOCKET;
1474 #if PF_MAX > 44
1475 #error New address family defined, please update this function.
1476 #endif
1477                 }
1478         }
1479
1480         return SECCLASS_SOCKET;
1481 }
1482
1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1484                                  u16 tclass,
1485                                  u16 flags,
1486                                  u32 *sid)
1487 {
1488         int rc;
1489         struct super_block *sb = dentry->d_sb;
1490         char *buffer, *path;
1491
1492         buffer = (char *)__get_free_page(GFP_KERNEL);
1493         if (!buffer)
1494                 return -ENOMEM;
1495
1496         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497         if (IS_ERR(path))
1498                 rc = PTR_ERR(path);
1499         else {
1500                 if (flags & SE_SBPROC) {
1501                         /* each process gets a /proc/PID/ entry. Strip off the
1502                          * PID part to get a valid selinux labeling.
1503                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504                         while (path[1] >= '0' && path[1] <= '9') {
1505                                 path[1] = '/';
1506                                 path++;
1507                         }
1508                 }
1509                 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510                                         path, tclass, sid);
1511         }
1512         free_page((unsigned long)buffer);
1513         return rc;
1514 }
1515
1516 /* The inode's security attributes must be initialized before first use. */
1517 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1518 {
1519         struct superblock_security_struct *sbsec = NULL;
1520         struct inode_security_struct *isec = inode->i_security;
1521         u32 task_sid, sid = 0;
1522         u16 sclass;
1523         struct dentry *dentry;
1524 #define INITCONTEXTLEN 255
1525         char *context = NULL;
1526         unsigned len = 0;
1527         int rc = 0;
1528
1529         if (isec->initialized == LABEL_INITIALIZED)
1530                 return 0;
1531
1532         spin_lock(&isec->lock);
1533         if (isec->initialized == LABEL_INITIALIZED)
1534                 goto out_unlock;
1535
1536         if (isec->sclass == SECCLASS_FILE)
1537                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1538
1539         sbsec = inode->i_sb->s_security;
1540         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1541                 /* Defer initialization until selinux_complete_init,
1542                    after the initial policy is loaded and the security
1543                    server is ready to handle calls. */
1544                 spin_lock(&sbsec->isec_lock);
1545                 if (list_empty(&isec->list))
1546                         list_add(&isec->list, &sbsec->isec_head);
1547                 spin_unlock(&sbsec->isec_lock);
1548                 goto out_unlock;
1549         }
1550
1551         sclass = isec->sclass;
1552         task_sid = isec->task_sid;
1553         sid = isec->sid;
1554         isec->initialized = LABEL_PENDING;
1555         spin_unlock(&isec->lock);
1556
1557         switch (sbsec->behavior) {
1558         case SECURITY_FS_USE_NATIVE:
1559                 break;
1560         case SECURITY_FS_USE_XATTR:
1561                 if (!(inode->i_opflags & IOP_XATTR)) {
1562                         sid = sbsec->def_sid;
1563                         break;
1564                 }
1565                 /* Need a dentry, since the xattr API requires one.
1566                    Life would be simpler if we could just pass the inode. */
1567                 if (opt_dentry) {
1568                         /* Called from d_instantiate or d_splice_alias. */
1569                         dentry = dget(opt_dentry);
1570                 } else {
1571                         /* Called from selinux_complete_init, try to find a dentry. */
1572                         dentry = d_find_alias(inode);
1573                 }
1574                 if (!dentry) {
1575                         /*
1576                          * this is can be hit on boot when a file is accessed
1577                          * before the policy is loaded.  When we load policy we
1578                          * may find inodes that have no dentry on the
1579                          * sbsec->isec_head list.  No reason to complain as these
1580                          * will get fixed up the next time we go through
1581                          * inode_doinit with a dentry, before these inodes could
1582                          * be used again by userspace.
1583                          */
1584                         goto out;
1585                 }
1586
1587                 len = INITCONTEXTLEN;
1588                 context = kmalloc(len+1, GFP_NOFS);
1589                 if (!context) {
1590                         rc = -ENOMEM;
1591                         dput(dentry);
1592                         goto out;
1593                 }
1594                 context[len] = '\0';
1595                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1596                 if (rc == -ERANGE) {
1597                         kfree(context);
1598
1599                         /* Need a larger buffer.  Query for the right size. */
1600                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1601                         if (rc < 0) {
1602                                 dput(dentry);
1603                                 goto out;
1604                         }
1605                         len = rc;
1606                         context = kmalloc(len+1, GFP_NOFS);
1607                         if (!context) {
1608                                 rc = -ENOMEM;
1609                                 dput(dentry);
1610                                 goto out;
1611                         }
1612                         context[len] = '\0';
1613                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1614                 }
1615                 dput(dentry);
1616                 if (rc < 0) {
1617                         if (rc != -ENODATA) {
1618                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1619                                        "%d for dev=%s ino=%ld\n", __func__,
1620                                        -rc, inode->i_sb->s_id, inode->i_ino);
1621                                 kfree(context);
1622                                 goto out;
1623                         }
1624                         /* Map ENODATA to the default file SID */
1625                         sid = sbsec->def_sid;
1626                         rc = 0;
1627                 } else {
1628                         rc = security_context_to_sid_default(&selinux_state,
1629                                                              context, rc, &sid,
1630                                                              sbsec->def_sid,
1631                                                              GFP_NOFS);
1632                         if (rc) {
1633                                 char *dev = inode->i_sb->s_id;
1634                                 unsigned long ino = inode->i_ino;
1635
1636                                 if (rc == -EINVAL) {
1637                                         if (printk_ratelimit())
1638                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1639                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1640                                                         "filesystem in question.\n", ino, dev, context);
1641                                 } else {
1642                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1643                                                "returned %d for dev=%s ino=%ld\n",
1644                                                __func__, context, -rc, dev, ino);
1645                                 }
1646                                 kfree(context);
1647                                 /* Leave with the unlabeled SID */
1648                                 rc = 0;
1649                                 break;
1650                         }
1651                 }
1652                 kfree(context);
1653                 break;
1654         case SECURITY_FS_USE_TASK:
1655                 sid = task_sid;
1656                 break;
1657         case SECURITY_FS_USE_TRANS:
1658                 /* Default to the fs SID. */
1659                 sid = sbsec->sid;
1660
1661                 /* Try to obtain a transition SID. */
1662                 rc = security_transition_sid(&selinux_state, task_sid, sid,
1663                                              sclass, NULL, &sid);
1664                 if (rc)
1665                         goto out;
1666                 break;
1667         case SECURITY_FS_USE_MNTPOINT:
1668                 sid = sbsec->mntpoint_sid;
1669                 break;
1670         default:
1671                 /* Default to the fs superblock SID. */
1672                 sid = sbsec->sid;
1673
1674                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1675                         /* We must have a dentry to determine the label on
1676                          * procfs inodes */
1677                         if (opt_dentry)
1678                                 /* Called from d_instantiate or
1679                                  * d_splice_alias. */
1680                                 dentry = dget(opt_dentry);
1681                         else
1682                                 /* Called from selinux_complete_init, try to
1683                                  * find a dentry. */
1684                                 dentry = d_find_alias(inode);
1685                         /*
1686                          * This can be hit on boot when a file is accessed
1687                          * before the policy is loaded.  When we load policy we
1688                          * may find inodes that have no dentry on the
1689                          * sbsec->isec_head list.  No reason to complain as
1690                          * these will get fixed up the next time we go through
1691                          * inode_doinit() with a dentry, before these inodes
1692                          * could be used again by userspace.
1693                          */
1694                         if (!dentry)
1695                                 goto out;
1696                         rc = selinux_genfs_get_sid(dentry, sclass,
1697                                                    sbsec->flags, &sid);
1698                         dput(dentry);
1699                         if (rc)
1700                                 goto out;
1701                 }
1702                 break;
1703         }
1704
1705 out:
1706         spin_lock(&isec->lock);
1707         if (isec->initialized == LABEL_PENDING) {
1708                 if (!sid || rc) {
1709                         isec->initialized = LABEL_INVALID;
1710                         goto out_unlock;
1711                 }
1712
1713                 isec->initialized = LABEL_INITIALIZED;
1714                 isec->sid = sid;
1715         }
1716
1717 out_unlock:
1718         spin_unlock(&isec->lock);
1719         return rc;
1720 }
1721
1722 /* Convert a Linux signal to an access vector. */
1723 static inline u32 signal_to_av(int sig)
1724 {
1725         u32 perm = 0;
1726
1727         switch (sig) {
1728         case SIGCHLD:
1729                 /* Commonly granted from child to parent. */
1730                 perm = PROCESS__SIGCHLD;
1731                 break;
1732         case SIGKILL:
1733                 /* Cannot be caught or ignored */
1734                 perm = PROCESS__SIGKILL;
1735                 break;
1736         case SIGSTOP:
1737                 /* Cannot be caught or ignored */
1738                 perm = PROCESS__SIGSTOP;
1739                 break;
1740         default:
1741                 /* All other signals. */
1742                 perm = PROCESS__SIGNAL;
1743                 break;
1744         }
1745
1746         return perm;
1747 }
1748
1749 #if CAP_LAST_CAP > 63
1750 #error Fix SELinux to handle capabilities > 63.
1751 #endif
1752
1753 /* Check whether a task is allowed to use a capability. */
1754 static int cred_has_capability(const struct cred *cred,
1755                                int cap, int audit, bool initns)
1756 {
1757         struct common_audit_data ad;
1758         struct av_decision avd;
1759         u16 sclass;
1760         u32 sid = cred_sid(cred);
1761         u32 av = CAP_TO_MASK(cap);
1762         int rc;
1763
1764         ad.type = LSM_AUDIT_DATA_CAP;
1765         ad.u.cap = cap;
1766
1767         switch (CAP_TO_INDEX(cap)) {
1768         case 0:
1769                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1770                 break;
1771         case 1:
1772                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1773                 break;
1774         default:
1775                 printk(KERN_ERR
1776                        "SELinux:  out of range capability %d\n", cap);
1777                 BUG();
1778                 return -EINVAL;
1779         }
1780
1781         rc = avc_has_perm_noaudit(&selinux_state,
1782                                   sid, sid, sclass, av, 0, &avd);
1783         if (audit == SECURITY_CAP_AUDIT) {
1784                 int rc2 = avc_audit(&selinux_state,
1785                                     sid, sid, sclass, av, &avd, rc, &ad, 0);
1786                 if (rc2)
1787                         return rc2;
1788         }
1789         return rc;
1790 }
1791
1792 /* Check whether a task has a particular permission to an inode.
1793    The 'adp' parameter is optional and allows other audit
1794    data to be passed (e.g. the dentry). */
1795 static int inode_has_perm(const struct cred *cred,
1796                           struct inode *inode,
1797                           u32 perms,
1798                           struct common_audit_data *adp)
1799 {
1800         struct inode_security_struct *isec;
1801         u32 sid;
1802
1803         validate_creds(cred);
1804
1805         if (unlikely(IS_PRIVATE(inode)))
1806                 return 0;
1807
1808         sid = cred_sid(cred);
1809         isec = inode->i_security;
1810
1811         return avc_has_perm(&selinux_state,
1812                             sid, isec->sid, isec->sclass, perms, adp);
1813 }
1814
1815 /* Same as inode_has_perm, but pass explicit audit data containing
1816    the dentry to help the auditing code to more easily generate the
1817    pathname if needed. */
1818 static inline int dentry_has_perm(const struct cred *cred,
1819                                   struct dentry *dentry,
1820                                   u32 av)
1821 {
1822         struct inode *inode = d_backing_inode(dentry);
1823         struct common_audit_data ad;
1824
1825         ad.type = LSM_AUDIT_DATA_DENTRY;
1826         ad.u.dentry = dentry;
1827         __inode_security_revalidate(inode, dentry, true);
1828         return inode_has_perm(cred, inode, av, &ad);
1829 }
1830
1831 /* Same as inode_has_perm, but pass explicit audit data containing
1832    the path to help the auditing code to more easily generate the
1833    pathname if needed. */
1834 static inline int path_has_perm(const struct cred *cred,
1835                                 const struct path *path,
1836                                 u32 av)
1837 {
1838         struct inode *inode = d_backing_inode(path->dentry);
1839         struct common_audit_data ad;
1840
1841         ad.type = LSM_AUDIT_DATA_PATH;
1842         ad.u.path = *path;
1843         __inode_security_revalidate(inode, path->dentry, true);
1844         return inode_has_perm(cred, inode, av, &ad);
1845 }
1846
1847 /* Same as path_has_perm, but uses the inode from the file struct. */
1848 static inline int file_path_has_perm(const struct cred *cred,
1849                                      struct file *file,
1850                                      u32 av)
1851 {
1852         struct common_audit_data ad;
1853
1854         ad.type = LSM_AUDIT_DATA_FILE;
1855         ad.u.file = file;
1856         return inode_has_perm(cred, file_inode(file), av, &ad);
1857 }
1858
1859 #ifdef CONFIG_BPF_SYSCALL
1860 static int bpf_fd_pass(struct file *file, u32 sid);
1861 #endif
1862
1863 /* Check whether a task can use an open file descriptor to
1864    access an inode in a given way.  Check access to the
1865    descriptor itself, and then use dentry_has_perm to
1866    check a particular permission to the file.
1867    Access to the descriptor is implicitly granted if it
1868    has the same SID as the process.  If av is zero, then
1869    access to the file is not checked, e.g. for cases
1870    where only the descriptor is affected like seek. */
1871 static int file_has_perm(const struct cred *cred,
1872                          struct file *file,
1873                          u32 av)
1874 {
1875         struct file_security_struct *fsec = file->f_security;
1876         struct inode *inode = file_inode(file);
1877         struct common_audit_data ad;
1878         u32 sid = cred_sid(cred);
1879         int rc;
1880
1881         ad.type = LSM_AUDIT_DATA_FILE;
1882         ad.u.file = file;
1883
1884         if (sid != fsec->sid) {
1885                 rc = avc_has_perm(&selinux_state,
1886                                   sid, fsec->sid,
1887                                   SECCLASS_FD,
1888                                   FD__USE,
1889                                   &ad);
1890                 if (rc)
1891                         goto out;
1892         }
1893
1894 #ifdef CONFIG_BPF_SYSCALL
1895         rc = bpf_fd_pass(file, cred_sid(cred));
1896         if (rc)
1897                 return rc;
1898 #endif
1899
1900         /* av is zero if only checking access to the descriptor. */
1901         rc = 0;
1902         if (av)
1903                 rc = inode_has_perm(cred, inode, av, &ad);
1904
1905 out:
1906         return rc;
1907 }
1908
1909 /*
1910  * Determine the label for an inode that might be unioned.
1911  */
1912 static int
1913 selinux_determine_inode_label(const struct task_security_struct *tsec,
1914                                  struct inode *dir,
1915                                  const struct qstr *name, u16 tclass,
1916                                  u32 *_new_isid)
1917 {
1918         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1919
1920         if ((sbsec->flags & SE_SBINITIALIZED) &&
1921             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1922                 *_new_isid = sbsec->mntpoint_sid;
1923         } else if ((sbsec->flags & SBLABEL_MNT) &&
1924                    tsec->create_sid) {
1925                 *_new_isid = tsec->create_sid;
1926         } else {
1927                 const struct inode_security_struct *dsec = inode_security(dir);
1928                 return security_transition_sid(&selinux_state, tsec->sid,
1929                                                dsec->sid, tclass,
1930                                                name, _new_isid);
1931         }
1932
1933         return 0;
1934 }
1935
1936 /* Check whether a task can create a file. */
1937 static int may_create(struct inode *dir,
1938                       struct dentry *dentry,
1939                       u16 tclass)
1940 {
1941         const struct task_security_struct *tsec = current_security();
1942         struct inode_security_struct *dsec;
1943         struct superblock_security_struct *sbsec;
1944         u32 sid, newsid;
1945         struct common_audit_data ad;
1946         int rc;
1947
1948         dsec = inode_security(dir);
1949         sbsec = dir->i_sb->s_security;
1950
1951         sid = tsec->sid;
1952
1953         ad.type = LSM_AUDIT_DATA_DENTRY;
1954         ad.u.dentry = dentry;
1955
1956         rc = avc_has_perm(&selinux_state,
1957                           sid, dsec->sid, SECCLASS_DIR,
1958                           DIR__ADD_NAME | DIR__SEARCH,
1959                           &ad);
1960         if (rc)
1961                 return rc;
1962
1963         rc = selinux_determine_inode_label(current_security(), dir,
1964                                            &dentry->d_name, tclass, &newsid);
1965         if (rc)
1966                 return rc;
1967
1968         rc = avc_has_perm(&selinux_state,
1969                           sid, newsid, tclass, FILE__CREATE, &ad);
1970         if (rc)
1971                 return rc;
1972
1973         return avc_has_perm(&selinux_state,
1974                             newsid, sbsec->sid,
1975                             SECCLASS_FILESYSTEM,
1976                             FILESYSTEM__ASSOCIATE, &ad);
1977 }
1978
1979 #define MAY_LINK        0
1980 #define MAY_UNLINK      1
1981 #define MAY_RMDIR       2
1982
1983 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1984 static int may_link(struct inode *dir,
1985                     struct dentry *dentry,
1986                     int kind)
1987
1988 {
1989         struct inode_security_struct *dsec, *isec;
1990         struct common_audit_data ad;
1991         u32 sid = current_sid();
1992         u32 av;
1993         int rc;
1994
1995         dsec = inode_security(dir);
1996         isec = backing_inode_security(dentry);
1997
1998         ad.type = LSM_AUDIT_DATA_DENTRY;
1999         ad.u.dentry = dentry;
2000
2001         av = DIR__SEARCH;
2002         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2003         rc = avc_has_perm(&selinux_state,
2004                           sid, dsec->sid, SECCLASS_DIR, av, &ad);
2005         if (rc)
2006                 return rc;
2007
2008         switch (kind) {
2009         case MAY_LINK:
2010                 av = FILE__LINK;
2011                 break;
2012         case MAY_UNLINK:
2013                 av = FILE__UNLINK;
2014                 break;
2015         case MAY_RMDIR:
2016                 av = DIR__RMDIR;
2017                 break;
2018         default:
2019                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
2020                         __func__, kind);
2021                 return 0;
2022         }
2023
2024         rc = avc_has_perm(&selinux_state,
2025                           sid, isec->sid, isec->sclass, av, &ad);
2026         return rc;
2027 }
2028
2029 static inline int may_rename(struct inode *old_dir,
2030                              struct dentry *old_dentry,
2031                              struct inode *new_dir,
2032                              struct dentry *new_dentry)
2033 {
2034         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2035         struct common_audit_data ad;
2036         u32 sid = current_sid();
2037         u32 av;
2038         int old_is_dir, new_is_dir;
2039         int rc;
2040
2041         old_dsec = inode_security(old_dir);
2042         old_isec = backing_inode_security(old_dentry);
2043         old_is_dir = d_is_dir(old_dentry);
2044         new_dsec = inode_security(new_dir);
2045
2046         ad.type = LSM_AUDIT_DATA_DENTRY;
2047
2048         ad.u.dentry = old_dentry;
2049         rc = avc_has_perm(&selinux_state,
2050                           sid, old_dsec->sid, SECCLASS_DIR,
2051                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2052         if (rc)
2053                 return rc;
2054         rc = avc_has_perm(&selinux_state,
2055                           sid, old_isec->sid,
2056                           old_isec->sclass, FILE__RENAME, &ad);
2057         if (rc)
2058                 return rc;
2059         if (old_is_dir && new_dir != old_dir) {
2060                 rc = avc_has_perm(&selinux_state,
2061                                   sid, old_isec->sid,
2062                                   old_isec->sclass, DIR__REPARENT, &ad);
2063                 if (rc)
2064                         return rc;
2065         }
2066
2067         ad.u.dentry = new_dentry;
2068         av = DIR__ADD_NAME | DIR__SEARCH;
2069         if (d_is_positive(new_dentry))
2070                 av |= DIR__REMOVE_NAME;
2071         rc = avc_has_perm(&selinux_state,
2072                           sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2073         if (rc)
2074                 return rc;
2075         if (d_is_positive(new_dentry)) {
2076                 new_isec = backing_inode_security(new_dentry);
2077                 new_is_dir = d_is_dir(new_dentry);
2078                 rc = avc_has_perm(&selinux_state,
2079                                   sid, new_isec->sid,
2080                                   new_isec->sclass,
2081                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2082                 if (rc)
2083                         return rc;
2084         }
2085
2086         return 0;
2087 }
2088
2089 /* Check whether a task can perform a filesystem operation. */
2090 static int superblock_has_perm(const struct cred *cred,
2091                                struct super_block *sb,
2092                                u32 perms,
2093                                struct common_audit_data *ad)
2094 {
2095         struct superblock_security_struct *sbsec;
2096         u32 sid = cred_sid(cred);
2097
2098         sbsec = sb->s_security;
2099         return avc_has_perm(&selinux_state,
2100                             sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2101 }
2102
2103 /* Convert a Linux mode and permission mask to an access vector. */
2104 static inline u32 file_mask_to_av(int mode, int mask)
2105 {
2106         u32 av = 0;
2107
2108         if (!S_ISDIR(mode)) {
2109                 if (mask & MAY_EXEC)
2110                         av |= FILE__EXECUTE;
2111                 if (mask & MAY_READ)
2112                         av |= FILE__READ;
2113
2114                 if (mask & MAY_APPEND)
2115                         av |= FILE__APPEND;
2116                 else if (mask & MAY_WRITE)
2117                         av |= FILE__WRITE;
2118
2119         } else {
2120                 if (mask & MAY_EXEC)
2121                         av |= DIR__SEARCH;
2122                 if (mask & MAY_WRITE)
2123                         av |= DIR__WRITE;
2124                 if (mask & MAY_READ)
2125                         av |= DIR__READ;
2126         }
2127
2128         return av;
2129 }
2130
2131 /* Convert a Linux file to an access vector. */
2132 static inline u32 file_to_av(struct file *file)
2133 {
2134         u32 av = 0;
2135
2136         if (file->f_mode & FMODE_READ)
2137                 av |= FILE__READ;
2138         if (file->f_mode & FMODE_WRITE) {
2139                 if (file->f_flags & O_APPEND)
2140                         av |= FILE__APPEND;
2141                 else
2142                         av |= FILE__WRITE;
2143         }
2144         if (!av) {
2145                 /*
2146                  * Special file opened with flags 3 for ioctl-only use.
2147                  */
2148                 av = FILE__IOCTL;
2149         }
2150
2151         return av;
2152 }
2153
2154 /*
2155  * Convert a file to an access vector and include the correct open
2156  * open permission.
2157  */
2158 static inline u32 open_file_to_av(struct file *file)
2159 {
2160         u32 av = file_to_av(file);
2161         struct inode *inode = file_inode(file);
2162
2163         if (selinux_policycap_openperm() &&
2164             inode->i_sb->s_magic != SOCKFS_MAGIC)
2165                 av |= FILE__OPEN;
2166
2167         return av;
2168 }
2169
2170 /* Hook functions begin here. */
2171
2172 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2173 {
2174         u32 mysid = current_sid();
2175         u32 mgrsid = task_sid(mgr);
2176
2177         return avc_has_perm(&selinux_state,
2178                             mysid, mgrsid, SECCLASS_BINDER,
2179                             BINDER__SET_CONTEXT_MGR, NULL);
2180 }
2181
2182 static int selinux_binder_transaction(struct task_struct *from,
2183                                       struct task_struct *to)
2184 {
2185         u32 mysid = current_sid();
2186         u32 fromsid = task_sid(from);
2187         u32 tosid = task_sid(to);
2188         int rc;
2189
2190         if (mysid != fromsid) {
2191                 rc = avc_has_perm(&selinux_state,
2192                                   mysid, fromsid, SECCLASS_BINDER,
2193                                   BINDER__IMPERSONATE, NULL);
2194                 if (rc)
2195                         return rc;
2196         }
2197
2198         return avc_has_perm(&selinux_state,
2199                             fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2200                             NULL);
2201 }
2202
2203 static int selinux_binder_transfer_binder(struct task_struct *from,
2204                                           struct task_struct *to)
2205 {
2206         u32 fromsid = task_sid(from);
2207         u32 tosid = task_sid(to);
2208
2209         return avc_has_perm(&selinux_state,
2210                             fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2211                             NULL);
2212 }
2213
2214 static int selinux_binder_transfer_file(struct task_struct *from,
2215                                         struct task_struct *to,
2216                                         struct file *file)
2217 {
2218         u32 sid = task_sid(to);
2219         struct file_security_struct *fsec = file->f_security;
2220         struct dentry *dentry = file->f_path.dentry;
2221         struct inode_security_struct *isec;
2222         struct common_audit_data ad;
2223         int rc;
2224
2225         ad.type = LSM_AUDIT_DATA_PATH;
2226         ad.u.path = file->f_path;
2227
2228         if (sid != fsec->sid) {
2229                 rc = avc_has_perm(&selinux_state,
2230                                   sid, fsec->sid,
2231                                   SECCLASS_FD,
2232                                   FD__USE,
2233                                   &ad);
2234                 if (rc)
2235                         return rc;
2236         }
2237
2238 #ifdef CONFIG_BPF_SYSCALL
2239         rc = bpf_fd_pass(file, sid);
2240         if (rc)
2241                 return rc;
2242 #endif
2243
2244         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2245                 return 0;
2246
2247         isec = backing_inode_security(dentry);
2248         return avc_has_perm(&selinux_state,
2249                             sid, isec->sid, isec->sclass, file_to_av(file),
2250                             &ad);
2251 }
2252
2253 static int selinux_ptrace_access_check(struct task_struct *child,
2254                                      unsigned int mode)
2255 {
2256         u32 sid = current_sid();
2257         u32 csid = task_sid(child);
2258
2259         if (mode & PTRACE_MODE_READ)
2260                 return avc_has_perm(&selinux_state,
2261                                     sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2262
2263         return avc_has_perm(&selinux_state,
2264                             sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2265 }
2266
2267 static int selinux_ptrace_traceme(struct task_struct *parent)
2268 {
2269         return avc_has_perm(&selinux_state,
2270                             task_sid(parent), current_sid(), SECCLASS_PROCESS,
2271                             PROCESS__PTRACE, NULL);
2272 }
2273
2274 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2275                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2276 {
2277         return avc_has_perm(&selinux_state,
2278                             current_sid(), task_sid(target), SECCLASS_PROCESS,
2279                             PROCESS__GETCAP, NULL);
2280 }
2281
2282 static int selinux_capset(struct cred *new, const struct cred *old,
2283                           const kernel_cap_t *effective,
2284                           const kernel_cap_t *inheritable,
2285                           const kernel_cap_t *permitted)
2286 {
2287         return avc_has_perm(&selinux_state,
2288                             cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2289                             PROCESS__SETCAP, NULL);
2290 }
2291
2292 /*
2293  * (This comment used to live with the selinux_task_setuid hook,
2294  * which was removed).
2295  *
2296  * Since setuid only affects the current process, and since the SELinux
2297  * controls are not based on the Linux identity attributes, SELinux does not
2298  * need to control this operation.  However, SELinux does control the use of
2299  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2300  */
2301
2302 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2303                            int cap, int audit)
2304 {
2305         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2306 }
2307
2308 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2309 {
2310         const struct cred *cred = current_cred();
2311         int rc = 0;
2312
2313         if (!sb)
2314                 return 0;
2315
2316         switch (cmds) {
2317         case Q_SYNC:
2318         case Q_QUOTAON:
2319         case Q_QUOTAOFF:
2320         case Q_SETINFO:
2321         case Q_SETQUOTA:
2322                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2323                 break;
2324         case Q_GETFMT:
2325         case Q_GETINFO:
2326         case Q_GETQUOTA:
2327                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2328                 break;
2329         default:
2330                 rc = 0;  /* let the kernel handle invalid cmds */
2331                 break;
2332         }
2333         return rc;
2334 }
2335
2336 static int selinux_quota_on(struct dentry *dentry)
2337 {
2338         const struct cred *cred = current_cred();
2339
2340         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2341 }
2342
2343 static int selinux_syslog(int type)
2344 {
2345         switch (type) {
2346         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2347         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2348                 return avc_has_perm(&selinux_state,
2349                                     current_sid(), SECINITSID_KERNEL,
2350                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2351         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2352         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2353         /* Set level of messages printed to console */
2354         case SYSLOG_ACTION_CONSOLE_LEVEL:
2355                 return avc_has_perm(&selinux_state,
2356                                     current_sid(), SECINITSID_KERNEL,
2357                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2358                                     NULL);
2359         }
2360         /* All other syslog types */
2361         return avc_has_perm(&selinux_state,
2362                             current_sid(), SECINITSID_KERNEL,
2363                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2364 }
2365
2366 /*
2367  * Check that a process has enough memory to allocate a new virtual
2368  * mapping. 0 means there is enough memory for the allocation to
2369  * succeed and -ENOMEM implies there is not.
2370  *
2371  * Do not audit the selinux permission check, as this is applied to all
2372  * processes that allocate mappings.
2373  */
2374 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2375 {
2376         int rc, cap_sys_admin = 0;
2377
2378         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2379                                  SECURITY_CAP_NOAUDIT, true);
2380         if (rc == 0)
2381                 cap_sys_admin = 1;
2382
2383         return cap_sys_admin;
2384 }
2385
2386 /* binprm security operations */
2387
2388 static u32 ptrace_parent_sid(void)
2389 {
2390         u32 sid = 0;
2391         struct task_struct *tracer;
2392
2393         rcu_read_lock();
2394         tracer = ptrace_parent(current);
2395         if (tracer)
2396                 sid = task_sid(tracer);
2397         rcu_read_unlock();
2398
2399         return sid;
2400 }
2401
2402 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2403                             const struct task_security_struct *old_tsec,
2404                             const struct task_security_struct *new_tsec)
2405 {
2406         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2407         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2408         int rc;
2409         u32 av;
2410
2411         if (!nnp && !nosuid)
2412                 return 0; /* neither NNP nor nosuid */
2413
2414         if (new_tsec->sid == old_tsec->sid)
2415                 return 0; /* No change in credentials */
2416
2417         /*
2418          * If the policy enables the nnp_nosuid_transition policy capability,
2419          * then we permit transitions under NNP or nosuid if the
2420          * policy allows the corresponding permission between
2421          * the old and new contexts.
2422          */
2423         if (selinux_policycap_nnp_nosuid_transition()) {
2424                 av = 0;
2425                 if (nnp)
2426                         av |= PROCESS2__NNP_TRANSITION;
2427                 if (nosuid)
2428                         av |= PROCESS2__NOSUID_TRANSITION;
2429                 rc = avc_has_perm(&selinux_state,
2430                                   old_tsec->sid, new_tsec->sid,
2431                                   SECCLASS_PROCESS2, av, NULL);
2432                 if (!rc)
2433                         return 0;
2434         }
2435
2436         /*
2437          * We also permit NNP or nosuid transitions to bounded SIDs,
2438          * i.e. SIDs that are guaranteed to only be allowed a subset
2439          * of the permissions of the current SID.
2440          */
2441         rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2442                                          new_tsec->sid);
2443         if (!rc)
2444                 return 0;
2445
2446         /*
2447          * On failure, preserve the errno values for NNP vs nosuid.
2448          * NNP:  Operation not permitted for caller.
2449          * nosuid:  Permission denied to file.
2450          */
2451         if (nnp)
2452                 return -EPERM;
2453         return -EACCES;
2454 }
2455
2456 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2457 {
2458         const struct task_security_struct *old_tsec;
2459         struct task_security_struct *new_tsec;
2460         struct inode_security_struct *isec;
2461         struct common_audit_data ad;
2462         struct inode *inode = file_inode(bprm->file);
2463         int rc;
2464
2465         /* SELinux context only depends on initial program or script and not
2466          * the script interpreter */
2467         if (bprm->called_set_creds)
2468                 return 0;
2469
2470         old_tsec = current_security();
2471         new_tsec = bprm->cred->security;
2472         isec = inode_security(inode);
2473
2474         /* Default to the current task SID. */
2475         new_tsec->sid = old_tsec->sid;
2476         new_tsec->osid = old_tsec->sid;
2477
2478         /* Reset fs, key, and sock SIDs on execve. */
2479         new_tsec->create_sid = 0;
2480         new_tsec->keycreate_sid = 0;
2481         new_tsec->sockcreate_sid = 0;
2482
2483         if (old_tsec->exec_sid) {
2484                 new_tsec->sid = old_tsec->exec_sid;
2485                 /* Reset exec SID on execve. */
2486                 new_tsec->exec_sid = 0;
2487
2488                 /* Fail on NNP or nosuid if not an allowed transition. */
2489                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2490                 if (rc)
2491                         return rc;
2492         } else {
2493                 /* Check for a default transition on this program. */
2494                 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2495                                              isec->sid, SECCLASS_PROCESS, NULL,
2496                                              &new_tsec->sid);
2497                 if (rc)
2498                         return rc;
2499
2500                 /*
2501                  * Fallback to old SID on NNP or nosuid if not an allowed
2502                  * transition.
2503                  */
2504                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2505                 if (rc)
2506                         new_tsec->sid = old_tsec->sid;
2507         }
2508
2509         ad.type = LSM_AUDIT_DATA_FILE;
2510         ad.u.file = bprm->file;
2511
2512         if (new_tsec->sid == old_tsec->sid) {
2513                 rc = avc_has_perm(&selinux_state,
2514                                   old_tsec->sid, isec->sid,
2515                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2516                 if (rc)
2517                         return rc;
2518         } else {
2519                 /* Check permissions for the transition. */
2520                 rc = avc_has_perm(&selinux_state,
2521                                   old_tsec->sid, new_tsec->sid,
2522                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2523                 if (rc)
2524                         return rc;
2525
2526                 rc = avc_has_perm(&selinux_state,
2527                                   new_tsec->sid, isec->sid,
2528                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2529                 if (rc)
2530                         return rc;
2531
2532                 /* Check for shared state */
2533                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2534                         rc = avc_has_perm(&selinux_state,
2535                                           old_tsec->sid, new_tsec->sid,
2536                                           SECCLASS_PROCESS, PROCESS__SHARE,
2537                                           NULL);
2538                         if (rc)
2539                                 return -EPERM;
2540                 }
2541
2542                 /* Make sure that anyone attempting to ptrace over a task that
2543                  * changes its SID has the appropriate permit */
2544                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2545                         u32 ptsid = ptrace_parent_sid();
2546                         if (ptsid != 0) {
2547                                 rc = avc_has_perm(&selinux_state,
2548                                                   ptsid, new_tsec->sid,
2549                                                   SECCLASS_PROCESS,
2550                                                   PROCESS__PTRACE, NULL);
2551                                 if (rc)
2552                                         return -EPERM;
2553                         }
2554                 }
2555
2556                 /* Clear any possibly unsafe personality bits on exec: */
2557                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2558
2559                 /* Enable secure mode for SIDs transitions unless
2560                    the noatsecure permission is granted between
2561                    the two SIDs, i.e. ahp returns 0. */
2562                 rc = avc_has_perm(&selinux_state,
2563                                   old_tsec->sid, new_tsec->sid,
2564                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2565                                   NULL);
2566                 bprm->secureexec |= !!rc;
2567         }
2568
2569         return 0;
2570 }
2571
2572 static int match_file(const void *p, struct file *file, unsigned fd)
2573 {
2574         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2575 }
2576
2577 /* Derived from fs/exec.c:flush_old_files. */
2578 static inline void flush_unauthorized_files(const struct cred *cred,
2579                                             struct files_struct *files)
2580 {
2581         struct file *file, *devnull = NULL;
2582         struct tty_struct *tty;
2583         int drop_tty = 0;
2584         unsigned n;
2585
2586         tty = get_current_tty();
2587         if (tty) {
2588                 spin_lock(&tty->files_lock);
2589                 if (!list_empty(&tty->tty_files)) {
2590                         struct tty_file_private *file_priv;
2591
2592                         /* Revalidate access to controlling tty.
2593                            Use file_path_has_perm on the tty path directly
2594                            rather than using file_has_perm, as this particular
2595                            open file may belong to another process and we are
2596                            only interested in the inode-based check here. */
2597                         file_priv = list_first_entry(&tty->tty_files,
2598                                                 struct tty_file_private, list);
2599                         file = file_priv->file;
2600                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2601                                 drop_tty = 1;
2602                 }
2603                 spin_unlock(&tty->files_lock);
2604                 tty_kref_put(tty);
2605         }
2606         /* Reset controlling tty. */
2607         if (drop_tty)
2608                 no_tty();
2609
2610         /* Revalidate access to inherited open files. */
2611         n = iterate_fd(files, 0, match_file, cred);
2612         if (!n) /* none found? */
2613                 return;
2614
2615         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2616         if (IS_ERR(devnull))
2617                 devnull = NULL;
2618         /* replace all the matching ones with this */
2619         do {
2620                 replace_fd(n - 1, devnull, 0);
2621         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2622         if (devnull)
2623                 fput(devnull);
2624 }
2625
2626 /*
2627  * Prepare a process for imminent new credential changes due to exec
2628  */
2629 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2630 {
2631         struct task_security_struct *new_tsec;
2632         struct rlimit *rlim, *initrlim;
2633         int rc, i;
2634
2635         new_tsec = bprm->cred->security;
2636         if (new_tsec->sid == new_tsec->osid)
2637                 return;
2638
2639         /* Close files for which the new task SID is not authorized. */
2640         flush_unauthorized_files(bprm->cred, current->files);
2641
2642         /* Always clear parent death signal on SID transitions. */
2643         current->pdeath_signal = 0;
2644
2645         /* Check whether the new SID can inherit resource limits from the old
2646          * SID.  If not, reset all soft limits to the lower of the current
2647          * task's hard limit and the init task's soft limit.
2648          *
2649          * Note that the setting of hard limits (even to lower them) can be
2650          * controlled by the setrlimit check.  The inclusion of the init task's
2651          * soft limit into the computation is to avoid resetting soft limits
2652          * higher than the default soft limit for cases where the default is
2653          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2654          */
2655         rc = avc_has_perm(&selinux_state,
2656                           new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2657                           PROCESS__RLIMITINH, NULL);
2658         if (rc) {
2659                 /* protect against do_prlimit() */
2660                 task_lock(current);
2661                 for (i = 0; i < RLIM_NLIMITS; i++) {
2662                         rlim = current->signal->rlim + i;
2663                         initrlim = init_task.signal->rlim + i;
2664                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2665                 }
2666                 task_unlock(current);
2667                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2668                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2669         }
2670 }
2671
2672 /*
2673  * Clean up the process immediately after the installation of new credentials
2674  * due to exec
2675  */
2676 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2677 {
2678         const struct task_security_struct *tsec = current_security();
2679         struct itimerval itimer;
2680         u32 osid, sid;
2681         int rc, i;
2682
2683         osid = tsec->osid;
2684         sid = tsec->sid;
2685
2686         if (sid == osid)
2687                 return;
2688
2689         /* Check whether the new SID can inherit signal state from the old SID.
2690          * If not, clear itimers to avoid subsequent signal generation and
2691          * flush and unblock signals.
2692          *
2693          * This must occur _after_ the task SID has been updated so that any
2694          * kill done after the flush will be checked against the new SID.
2695          */
2696         rc = avc_has_perm(&selinux_state,
2697                           osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2698         if (rc) {
2699                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2700                         memset(&itimer, 0, sizeof itimer);
2701                         for (i = 0; i < 3; i++)
2702                                 do_setitimer(i, &itimer, NULL);
2703                 }
2704                 spin_lock_irq(&current->sighand->siglock);
2705                 if (!fatal_signal_pending(current)) {
2706                         flush_sigqueue(&current->pending);
2707                         flush_sigqueue(&current->signal->shared_pending);
2708                         flush_signal_handlers(current, 1);
2709                         sigemptyset(&current->blocked);
2710                         recalc_sigpending();
2711                 }
2712                 spin_unlock_irq(&current->sighand->siglock);
2713         }
2714
2715         /* Wake up the parent if it is waiting so that it can recheck
2716          * wait permission to the new task SID. */
2717         read_lock(&tasklist_lock);
2718         __wake_up_parent(current, current->real_parent);
2719         read_unlock(&tasklist_lock);
2720 }
2721
2722 /* superblock security operations */
2723
2724 static int selinux_sb_alloc_security(struct super_block *sb)
2725 {
2726         return superblock_alloc_security(sb);
2727 }
2728
2729 static void selinux_sb_free_security(struct super_block *sb)
2730 {
2731         superblock_free_security(sb);
2732 }
2733
2734 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2735 {
2736         if (plen > olen)
2737                 return 0;
2738
2739         return !memcmp(prefix, option, plen);
2740 }
2741
2742 static inline int selinux_option(char *option, int len)
2743 {
2744         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2745                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2746                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2747                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2748                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2749 }
2750
2751 static inline void take_option(char **to, char *from, int *first, int len)
2752 {
2753         if (!*first) {
2754                 **to = ',';
2755                 *to += 1;
2756         } else
2757                 *first = 0;
2758         memcpy(*to, from, len);
2759         *to += len;
2760 }
2761
2762 static inline void take_selinux_option(char **to, char *from, int *first,
2763                                        int len)
2764 {
2765         int current_size = 0;
2766
2767         if (!*first) {
2768                 **to = '|';
2769                 *to += 1;
2770         } else
2771                 *first = 0;
2772
2773         while (current_size < len) {
2774                 if (*from != '"') {
2775                         **to = *from;
2776                         *to += 1;
2777                 }
2778                 from += 1;
2779                 current_size += 1;
2780         }
2781 }
2782
2783 static int selinux_sb_copy_data(char *orig, char *copy)
2784 {
2785         int fnosec, fsec, rc = 0;
2786         char *in_save, *in_curr, *in_end;
2787         char *sec_curr, *nosec_save, *nosec;
2788         int open_quote = 0;
2789
2790         in_curr = orig;
2791         sec_curr = copy;
2792
2793         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2794         if (!nosec) {
2795                 rc = -ENOMEM;
2796                 goto out;
2797         }
2798
2799         nosec_save = nosec;
2800         fnosec = fsec = 1;
2801         in_save = in_end = orig;
2802
2803         do {
2804                 if (*in_end == '"')
2805                         open_quote = !open_quote;
2806                 if ((*in_end == ',' && open_quote == 0) ||
2807                                 *in_end == '\0') {
2808                         int len = in_end - in_curr;
2809
2810                         if (selinux_option(in_curr, len))
2811                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2812                         else
2813                                 take_option(&nosec, in_curr, &fnosec, len);
2814
2815                         in_curr = in_end + 1;
2816                 }
2817         } while (*in_end++);
2818
2819         strcpy(in_save, nosec_save);
2820         free_page((unsigned long)nosec_save);
2821 out:
2822         return rc;
2823 }
2824
2825 static int selinux_sb_remount(struct super_block *sb, void *data)
2826 {
2827         int rc, i, *flags;
2828         struct security_mnt_opts opts;
2829         char *secdata, **mount_options;
2830         struct superblock_security_struct *sbsec = sb->s_security;
2831
2832         if (!(sbsec->flags & SE_SBINITIALIZED))
2833                 return 0;
2834
2835         if (!data)
2836                 return 0;
2837
2838         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2839                 return 0;
2840
2841         security_init_mnt_opts(&opts);
2842         secdata = alloc_secdata();
2843         if (!secdata)
2844                 return -ENOMEM;
2845         rc = selinux_sb_copy_data(data, secdata);
2846         if (rc)
2847                 goto out_free_secdata;
2848
2849         rc = selinux_parse_opts_str(secdata, &opts);
2850         if (rc)
2851                 goto out_free_secdata;
2852
2853         mount_options = opts.mnt_opts;
2854         flags = opts.mnt_opts_flags;
2855
2856         for (i = 0; i < opts.num_mnt_opts; i++) {
2857                 u32 sid;
2858
2859                 if (flags[i] == SBLABEL_MNT)
2860                         continue;
2861                 rc = security_context_str_to_sid(&selinux_state,
2862                                                  mount_options[i], &sid,
2863                                                  GFP_KERNEL);
2864                 if (rc) {
2865                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2866                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2867                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2868                         goto out_free_opts;
2869                 }
2870                 rc = -EINVAL;
2871                 switch (flags[i]) {
2872                 case FSCONTEXT_MNT:
2873                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2874                                 goto out_bad_option;
2875                         break;
2876                 case CONTEXT_MNT:
2877                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2878                                 goto out_bad_option;
2879                         break;
2880                 case ROOTCONTEXT_MNT: {
2881                         struct inode_security_struct *root_isec;
2882                         root_isec = backing_inode_security(sb->s_root);
2883
2884                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2885                                 goto out_bad_option;
2886                         break;
2887                 }
2888                 case DEFCONTEXT_MNT:
2889                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2890                                 goto out_bad_option;
2891                         break;
2892                 default:
2893                         goto out_free_opts;
2894                 }
2895         }
2896
2897         rc = 0;
2898 out_free_opts:
2899         security_free_mnt_opts(&opts);
2900 out_free_secdata:
2901         free_secdata(secdata);
2902         return rc;
2903 out_bad_option:
2904         printk(KERN_WARNING "SELinux: unable to change security options "
2905                "during remount (dev %s, type=%s)\n", sb->s_id,
2906                sb->s_type->name);
2907         goto out_free_opts;
2908 }
2909
2910 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2911 {
2912         const struct cred *cred = current_cred();
2913         struct common_audit_data ad;
2914         int rc;
2915
2916         rc = superblock_doinit(sb, data);
2917         if (rc)
2918                 return rc;
2919
2920         /* Allow all mounts performed by the kernel */
2921         if (flags & MS_KERNMOUNT)
2922                 return 0;
2923
2924         ad.type = LSM_AUDIT_DATA_DENTRY;
2925         ad.u.dentry = sb->s_root;
2926         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2927 }
2928
2929 static int selinux_sb_statfs(struct dentry *dentry)
2930 {
2931         const struct cred *cred = current_cred();
2932         struct common_audit_data ad;
2933
2934         ad.type = LSM_AUDIT_DATA_DENTRY;
2935         ad.u.dentry = dentry->d_sb->s_root;
2936         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2937 }
2938
2939 static int selinux_mount(const char *dev_name,
2940                          const struct path *path,
2941                          const char *type,
2942                          unsigned long flags,
2943                          void *data)
2944 {
2945         const struct cred *cred = current_cred();
2946
2947         if (flags & MS_REMOUNT)
2948                 return superblock_has_perm(cred, path->dentry->d_sb,
2949                                            FILESYSTEM__REMOUNT, NULL);
2950         else
2951                 return path_has_perm(cred, path, FILE__MOUNTON);
2952 }
2953
2954 static int selinux_umount(struct vfsmount *mnt, int flags)
2955 {
2956         const struct cred *cred = current_cred();
2957
2958         return superblock_has_perm(cred, mnt->mnt_sb,
2959                                    FILESYSTEM__UNMOUNT, NULL);
2960 }
2961
2962 /* inode security operations */
2963
2964 static int selinux_inode_alloc_security(struct inode *inode)
2965 {
2966         return inode_alloc_security(inode);
2967 }
2968
2969 static void selinux_inode_free_security(struct inode *inode)
2970 {
2971         inode_free_security(inode);
2972 }
2973
2974 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2975                                         const struct qstr *name, void **ctx,
2976                                         u32 *ctxlen)
2977 {
2978         u32 newsid;
2979         int rc;
2980
2981         rc = selinux_determine_inode_label(current_security(),
2982                                            d_inode(dentry->d_parent), name,
2983                                            inode_mode_to_security_class(mode),
2984                                            &newsid);
2985         if (rc)
2986                 return rc;
2987
2988         return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2989                                        ctxlen);
2990 }
2991
2992 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2993                                           struct qstr *name,
2994                                           const struct cred *old,
2995                                           struct cred *new)
2996 {
2997         u32 newsid;
2998         int rc;
2999         struct task_security_struct *tsec;
3000
3001         rc = selinux_determine_inode_label(old->security,
3002                                            d_inode(dentry->d_parent), name,
3003                                            inode_mode_to_security_class(mode),
3004                                            &newsid);
3005         if (rc)
3006                 return rc;
3007
3008         tsec = new->security;
3009         tsec->create_sid = newsid;
3010         return 0;
3011 }
3012
3013 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3014                                        const struct qstr *qstr,
3015                                        const char **name,
3016                                        void **value, size_t *len)
3017 {
3018         const struct task_security_struct *tsec = current_security();
3019         struct superblock_security_struct *sbsec;
3020         u32 newsid, clen;
3021         int rc;
3022         char *context;
3023
3024         sbsec = dir->i_sb->s_security;
3025
3026         newsid = tsec->create_sid;
3027
3028         rc = selinux_determine_inode_label(current_security(),
3029                 dir, qstr,
3030                 inode_mode_to_security_class(inode->i_mode),
3031                 &newsid);
3032         if (rc)
3033                 return rc;
3034
3035         /* Possibly defer initialization to selinux_complete_init. */
3036         if (sbsec->flags & SE_SBINITIALIZED) {
3037                 struct inode_security_struct *isec = inode->i_security;
3038                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3039                 isec->sid = newsid;
3040                 isec->initialized = LABEL_INITIALIZED;
3041         }
3042
3043         if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3044                 return -EOPNOTSUPP;
3045
3046         if (name)
3047                 *name = XATTR_SELINUX_SUFFIX;
3048
3049         if (value && len) {
3050                 rc = security_sid_to_context_force(&selinux_state, newsid,
3051                                                    &context, &clen);
3052                 if (rc)
3053                         return rc;
3054                 *value = context;
3055                 *len = clen;
3056         }
3057
3058         return 0;
3059 }
3060
3061 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3062 {
3063         return may_create(dir, dentry, SECCLASS_FILE);
3064 }
3065
3066 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3067 {
3068         return may_link(dir, old_dentry, MAY_LINK);
3069 }
3070
3071 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3072 {
3073         return may_link(dir, dentry, MAY_UNLINK);
3074 }
3075
3076 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3077 {
3078         return may_create(dir, dentry, SECCLASS_LNK_FILE);
3079 }
3080
3081 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3082 {
3083         return may_create(dir, dentry, SECCLASS_DIR);
3084 }
3085
3086 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3087 {
3088         return may_link(dir, dentry, MAY_RMDIR);
3089 }
3090
3091 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3092 {
3093         return may_create(dir, dentry, inode_mode_to_security_class(mode));
3094 }
3095
3096 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3097                                 struct inode *new_inode, struct dentry *new_dentry)
3098 {
3099         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3100 }
3101
3102 static int selinux_inode_readlink(struct dentry *dentry)
3103 {
3104         const struct cred *cred = current_cred();
3105
3106         return dentry_has_perm(cred, dentry, FILE__READ);
3107 }
3108
3109 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3110                                      bool rcu)
3111 {
3112         const struct cred *cred = current_cred();
3113         struct common_audit_data ad;
3114         struct inode_security_struct *isec;
3115         u32 sid;
3116
3117         validate_creds(cred);
3118
3119         ad.type = LSM_AUDIT_DATA_DENTRY;
3120         ad.u.dentry = dentry;
3121         sid = cred_sid(cred);
3122         isec = inode_security_rcu(inode, rcu);
3123         if (IS_ERR(isec))
3124                 return PTR_ERR(isec);
3125
3126         return avc_has_perm_flags(&selinux_state,
3127                                   sid, isec->sid, isec->sclass, FILE__READ, &ad,
3128                                   rcu ? MAY_NOT_BLOCK : 0);
3129 }
3130
3131 static noinline int audit_inode_permission(struct inode *inode,
3132                                            u32 perms, u32 audited, u32 denied,
3133                                            int result,
3134                                            unsigned flags)
3135 {
3136         struct common_audit_data ad;
3137         struct inode_security_struct *isec = inode->i_security;
3138         int rc;
3139
3140         ad.type = LSM_AUDIT_DATA_INODE;
3141         ad.u.inode = inode;
3142
3143         rc = slow_avc_audit(&selinux_state,
3144                             current_sid(), isec->sid, isec->sclass, perms,
3145                             audited, denied, result, &ad, flags);
3146         if (rc)
3147                 return rc;
3148         return 0;
3149 }
3150
3151 static int selinux_inode_permission(struct inode *inode, int mask)
3152 {
3153         const struct cred *cred = current_cred();
3154         u32 perms;
3155         bool from_access;
3156         unsigned flags = mask & MAY_NOT_BLOCK;
3157         struct inode_security_struct *isec;
3158         u32 sid;
3159         struct av_decision avd;
3160         int rc, rc2;
3161         u32 audited, denied;
3162
3163         from_access = mask & MAY_ACCESS;
3164         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3165
3166         /* No permission to check.  Existence test. */
3167         if (!mask)
3168                 return 0;
3169
3170         validate_creds(cred);
3171
3172         if (unlikely(IS_PRIVATE(inode)))
3173                 return 0;
3174
3175         perms = file_mask_to_av(inode->i_mode, mask);
3176
3177         sid = cred_sid(cred);
3178         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3179         if (IS_ERR(isec))
3180                 return PTR_ERR(isec);
3181
3182         rc = avc_has_perm_noaudit(&selinux_state,
3183                                   sid, isec->sid, isec->sclass, perms, 0, &avd);
3184         audited = avc_audit_required(perms, &avd, rc,
3185                                      from_access ? FILE__AUDIT_ACCESS : 0,
3186                                      &denied);
3187         if (likely(!audited))
3188                 return rc;
3189
3190         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3191         if (rc2)
3192                 return rc2;
3193         return rc;
3194 }
3195
3196 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3197 {
3198         const struct cred *cred = current_cred();
3199         struct inode *inode = d_backing_inode(dentry);
3200         unsigned int ia_valid = iattr->ia_valid;
3201         __u32 av = FILE__WRITE;
3202
3203         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3204         if (ia_valid & ATTR_FORCE) {
3205                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3206                               ATTR_FORCE);
3207                 if (!ia_valid)
3208                         return 0;
3209         }
3210
3211         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3212                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3213                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3214
3215         if (selinux_policycap_openperm() &&
3216             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3217             (ia_valid & ATTR_SIZE) &&
3218             !(ia_valid & ATTR_FILE))
3219                 av |= FILE__OPEN;
3220
3221         return dentry_has_perm(cred, dentry, av);
3222 }
3223
3224 static int selinux_inode_getattr(const struct path *path)
3225 {
3226         return path_has_perm(current_cred(), path, FILE__GETATTR);
3227 }
3228
3229 static bool has_cap_mac_admin(bool audit)
3230 {
3231         const struct cred *cred = current_cred();
3232         int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3233
3234         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3235                 return false;
3236         if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3237                 return false;
3238         return true;
3239 }
3240
3241 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3242                                   const void *value, size_t size, int flags)
3243 {
3244         struct inode *inode = d_backing_inode(dentry);
3245         struct inode_security_struct *isec;
3246         struct superblock_security_struct *sbsec;
3247         struct common_audit_data ad;
3248         u32 newsid, sid = current_sid();
3249         int rc = 0;
3250
3251         if (strcmp(name, XATTR_NAME_SELINUX)) {
3252                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3253                 if (rc)
3254                         return rc;
3255
3256                 /* Not an attribute we recognize, so just check the
3257                    ordinary setattr permission. */
3258                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3259         }
3260
3261         sbsec = inode->i_sb->s_security;
3262         if (!(sbsec->flags & SBLABEL_MNT))
3263                 return -EOPNOTSUPP;
3264
3265         if (!inode_owner_or_capable(inode))
3266                 return -EPERM;
3267
3268         ad.type = LSM_AUDIT_DATA_DENTRY;
3269         ad.u.dentry = dentry;
3270
3271         isec = backing_inode_security(dentry);
3272         rc = avc_has_perm(&selinux_state,
3273                           sid, isec->sid, isec->sclass,
3274                           FILE__RELABELFROM, &ad);
3275         if (rc)
3276                 return rc;
3277
3278         rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3279                                      GFP_KERNEL);
3280         if (rc == -EINVAL) {
3281                 if (!has_cap_mac_admin(true)) {
3282                         struct audit_buffer *ab;
3283                         size_t audit_size;
3284
3285                         /* We strip a nul only if it is at the end, otherwise the
3286                          * context contains a nul and we should audit that */
3287                         if (value) {
3288                                 const char *str = value;
3289
3290                                 if (str[size - 1] == '\0')
3291                                         audit_size = size - 1;
3292                                 else
3293                                         audit_size = size;
3294                         } else {
3295                                 audit_size = 0;
3296                         }
3297                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3298                         audit_log_format(ab, "op=setxattr invalid_context=");