Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
[muen/linux.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *      This program is free software; you can redistribute it and/or modify
23  *      it under the terms of the GNU General Public License version 2,
24  *      as published by the Free Software Foundation.
25  */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>             /* for local_port_range[] */
56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>    /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>           /* for Unix socket types */
74 #include <net/af_unix.h>        /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102
103 struct selinux_state selinux_state;
104
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110
111 static int __init enforcing_setup(char *str)
112 {
113         unsigned long enforcing;
114         if (!kstrtoul(str, 0, &enforcing))
115                 selinux_enforcing_boot = enforcing ? 1 : 0;
116         return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
126 static int __init selinux_enabled_setup(char *str)
127 {
128         unsigned long enabled;
129         if (!kstrtoul(str, 0, &enabled))
130                 selinux_enabled = enabled ? 1 : 0;
131         return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139         CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141 static int __init checkreqprot_setup(char *str)
142 {
143         unsigned long checkreqprot;
144
145         if (!kstrtoul(str, 0, &checkreqprot))
146                 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147         return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153
154 /**
155  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156  *
157  * Description:
158  * This function checks the SECMARK reference counter to see if any SECMARK
159  * targets are currently configured, if the reference counter is greater than
160  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
161  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
162  * policy capability is enabled, SECMARK is always considered enabled.
163  *
164  */
165 static int selinux_secmark_enabled(void)
166 {
167         return (selinux_policycap_alwaysnetwork() ||
168                 atomic_read(&selinux_secmark_refcount));
169 }
170
171 /**
172  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173  *
174  * Description:
175  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
176  * (1) if any are enabled or false (0) if neither are enabled.  If the
177  * always_check_network policy capability is enabled, peer labeling
178  * is always considered enabled.
179  *
180  */
181 static int selinux_peerlbl_enabled(void)
182 {
183         return (selinux_policycap_alwaysnetwork() ||
184                 netlbl_enabled() || selinux_xfrm_enabled());
185 }
186
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189         if (event == AVC_CALLBACK_RESET) {
190                 sel_netif_flush();
191                 sel_netnode_flush();
192                 sel_netport_flush();
193                 synchronize_net();
194         }
195         return 0;
196 }
197
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200         if (event == AVC_CALLBACK_RESET) {
201                 sel_ib_pkey_flush();
202                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203         }
204
205         return 0;
206 }
207
208 /*
209  * initialise the security for the init task
210  */
211 static void cred_init_security(void)
212 {
213         struct cred *cred = (struct cred *) current->real_cred;
214         struct task_security_struct *tsec;
215
216         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217         if (!tsec)
218                 panic("SELinux:  Failed to initialize initial task.\n");
219
220         tsec->osid = tsec->sid = SECINITSID_KERNEL;
221         cred->security = tsec;
222 }
223
224 /*
225  * get the security ID of a set of credentials
226  */
227 static inline u32 cred_sid(const struct cred *cred)
228 {
229         const struct task_security_struct *tsec;
230
231         tsec = cred->security;
232         return tsec->sid;
233 }
234
235 /*
236  * get the objective security ID of a task
237  */
238 static inline u32 task_sid(const struct task_struct *task)
239 {
240         u32 sid;
241
242         rcu_read_lock();
243         sid = cred_sid(__task_cred(task));
244         rcu_read_unlock();
245         return sid;
246 }
247
248 /* Allocate and free functions for each kind of security blob. */
249
250 static int inode_alloc_security(struct inode *inode)
251 {
252         struct inode_security_struct *isec;
253         u32 sid = current_sid();
254
255         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256         if (!isec)
257                 return -ENOMEM;
258
259         spin_lock_init(&isec->lock);
260         INIT_LIST_HEAD(&isec->list);
261         isec->inode = inode;
262         isec->sid = SECINITSID_UNLABELED;
263         isec->sclass = SECCLASS_FILE;
264         isec->task_sid = sid;
265         isec->initialized = LABEL_INVALID;
266         inode->i_security = isec;
267
268         return 0;
269 }
270
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273 /*
274  * Try reloading inode security labels that have been marked as invalid.  The
275  * @may_sleep parameter indicates when sleeping and thus reloading labels is
276  * allowed; when set to false, returns -ECHILD when the label is
277  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
278  * when no dentry is available, set it to NULL instead.
279  */
280 static int __inode_security_revalidate(struct inode *inode,
281                                        struct dentry *opt_dentry,
282                                        bool may_sleep)
283 {
284         struct inode_security_struct *isec = inode->i_security;
285
286         might_sleep_if(may_sleep);
287
288         if (selinux_state.initialized &&
289             isec->initialized != LABEL_INITIALIZED) {
290                 if (!may_sleep)
291                         return -ECHILD;
292
293                 /*
294                  * Try reloading the inode security label.  This will fail if
295                  * @opt_dentry is NULL and no dentry for this inode can be
296                  * found; in that case, continue using the old label.
297                  */
298                 inode_doinit_with_dentry(inode, opt_dentry);
299         }
300         return 0;
301 }
302
303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 {
305         return inode->i_security;
306 }
307
308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
309 {
310         int error;
311
312         error = __inode_security_revalidate(inode, NULL, !rcu);
313         if (error)
314                 return ERR_PTR(error);
315         return inode->i_security;
316 }
317
318 /*
319  * Get the security label of an inode.
320  */
321 static struct inode_security_struct *inode_security(struct inode *inode)
322 {
323         __inode_security_revalidate(inode, NULL, true);
324         return inode->i_security;
325 }
326
327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 {
329         struct inode *inode = d_backing_inode(dentry);
330
331         return inode->i_security;
332 }
333
334 /*
335  * Get the security label of a dentry's backing inode.
336  */
337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 {
339         struct inode *inode = d_backing_inode(dentry);
340
341         __inode_security_revalidate(inode, dentry, true);
342         return inode->i_security;
343 }
344
345 static void inode_free_rcu(struct rcu_head *head)
346 {
347         struct inode_security_struct *isec;
348
349         isec = container_of(head, struct inode_security_struct, rcu);
350         kmem_cache_free(sel_inode_cache, isec);
351 }
352
353 static void inode_free_security(struct inode *inode)
354 {
355         struct inode_security_struct *isec = inode->i_security;
356         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
357
358         /*
359          * As not all inode security structures are in a list, we check for
360          * empty list outside of the lock to make sure that we won't waste
361          * time taking a lock doing nothing.
362          *
363          * The list_del_init() function can be safely called more than once.
364          * It should not be possible for this function to be called with
365          * concurrent list_add(), but for better safety against future changes
366          * in the code, we use list_empty_careful() here.
367          */
368         if (!list_empty_careful(&isec->list)) {
369                 spin_lock(&sbsec->isec_lock);
370                 list_del_init(&isec->list);
371                 spin_unlock(&sbsec->isec_lock);
372         }
373
374         /*
375          * The inode may still be referenced in a path walk and
376          * a call to selinux_inode_permission() can be made
377          * after inode_free_security() is called. Ideally, the VFS
378          * wouldn't do this, but fixing that is a much harder
379          * job. For now, simply free the i_security via RCU, and
380          * leave the current inode->i_security pointer intact.
381          * The inode will be freed after the RCU grace period too.
382          */
383         call_rcu(&isec->rcu, inode_free_rcu);
384 }
385
386 static int file_alloc_security(struct file *file)
387 {
388         struct file_security_struct *fsec;
389         u32 sid = current_sid();
390
391         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
392         if (!fsec)
393                 return -ENOMEM;
394
395         fsec->sid = sid;
396         fsec->fown_sid = sid;
397         file->f_security = fsec;
398
399         return 0;
400 }
401
402 static void file_free_security(struct file *file)
403 {
404         struct file_security_struct *fsec = file->f_security;
405         file->f_security = NULL;
406         kmem_cache_free(file_security_cache, fsec);
407 }
408
409 static int superblock_alloc_security(struct super_block *sb)
410 {
411         struct superblock_security_struct *sbsec;
412
413         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
414         if (!sbsec)
415                 return -ENOMEM;
416
417         mutex_init(&sbsec->lock);
418         INIT_LIST_HEAD(&sbsec->isec_head);
419         spin_lock_init(&sbsec->isec_lock);
420         sbsec->sb = sb;
421         sbsec->sid = SECINITSID_UNLABELED;
422         sbsec->def_sid = SECINITSID_FILE;
423         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
424         sb->s_security = sbsec;
425
426         return 0;
427 }
428
429 static void superblock_free_security(struct super_block *sb)
430 {
431         struct superblock_security_struct *sbsec = sb->s_security;
432         sb->s_security = NULL;
433         kfree(sbsec);
434 }
435
436 static inline int inode_doinit(struct inode *inode)
437 {
438         return inode_doinit_with_dentry(inode, NULL);
439 }
440
441 enum {
442         Opt_error = -1,
443         Opt_context = 1,
444         Opt_fscontext = 2,
445         Opt_defcontext = 3,
446         Opt_rootcontext = 4,
447         Opt_labelsupport = 5,
448         Opt_nextmntopt = 6,
449 };
450
451 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
452
453 static const match_table_t tokens = {
454         {Opt_context, CONTEXT_STR "%s"},
455         {Opt_fscontext, FSCONTEXT_STR "%s"},
456         {Opt_defcontext, DEFCONTEXT_STR "%s"},
457         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
458         {Opt_labelsupport, LABELSUPP_STR},
459         {Opt_error, NULL},
460 };
461
462 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
463
464 static int may_context_mount_sb_relabel(u32 sid,
465                         struct superblock_security_struct *sbsec,
466                         const struct cred *cred)
467 {
468         const struct task_security_struct *tsec = cred->security;
469         int rc;
470
471         rc = avc_has_perm(&selinux_state,
472                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473                           FILESYSTEM__RELABELFROM, NULL);
474         if (rc)
475                 return rc;
476
477         rc = avc_has_perm(&selinux_state,
478                           tsec->sid, sid, SECCLASS_FILESYSTEM,
479                           FILESYSTEM__RELABELTO, NULL);
480         return rc;
481 }
482
483 static int may_context_mount_inode_relabel(u32 sid,
484                         struct superblock_security_struct *sbsec,
485                         const struct cred *cred)
486 {
487         const struct task_security_struct *tsec = cred->security;
488         int rc;
489         rc = avc_has_perm(&selinux_state,
490                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
491                           FILESYSTEM__RELABELFROM, NULL);
492         if (rc)
493                 return rc;
494
495         rc = avc_has_perm(&selinux_state,
496                           sid, sbsec->sid, SECCLASS_FILESYSTEM,
497                           FILESYSTEM__ASSOCIATE, NULL);
498         return rc;
499 }
500
501 static int selinux_is_sblabel_mnt(struct super_block *sb)
502 {
503         struct superblock_security_struct *sbsec = sb->s_security;
504
505         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
506                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
507                 sbsec->behavior == SECURITY_FS_USE_TASK ||
508                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
509                 /* Special handling. Genfs but also in-core setxattr handler */
510                 !strcmp(sb->s_type->name, "sysfs") ||
511                 !strcmp(sb->s_type->name, "pstore") ||
512                 !strcmp(sb->s_type->name, "debugfs") ||
513                 !strcmp(sb->s_type->name, "tracefs") ||
514                 !strcmp(sb->s_type->name, "rootfs") ||
515                 (selinux_policycap_cgroupseclabel() &&
516                  (!strcmp(sb->s_type->name, "cgroup") ||
517                   !strcmp(sb->s_type->name, "cgroup2")));
518 }
519
520 static int sb_finish_set_opts(struct super_block *sb)
521 {
522         struct superblock_security_struct *sbsec = sb->s_security;
523         struct dentry *root = sb->s_root;
524         struct inode *root_inode = d_backing_inode(root);
525         int rc = 0;
526
527         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
528                 /* Make sure that the xattr handler exists and that no
529                    error other than -ENODATA is returned by getxattr on
530                    the root directory.  -ENODATA is ok, as this may be
531                    the first boot of the SELinux kernel before we have
532                    assigned xattr values to the filesystem. */
533                 if (!(root_inode->i_opflags & IOP_XATTR)) {
534                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
535                                "xattr support\n", sb->s_id, sb->s_type->name);
536                         rc = -EOPNOTSUPP;
537                         goto out;
538                 }
539
540                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
541                 if (rc < 0 && rc != -ENODATA) {
542                         if (rc == -EOPNOTSUPP)
543                                 printk(KERN_WARNING "SELinux: (dev %s, type "
544                                        "%s) has no security xattr handler\n",
545                                        sb->s_id, sb->s_type->name);
546                         else
547                                 printk(KERN_WARNING "SELinux: (dev %s, type "
548                                        "%s) getxattr errno %d\n", sb->s_id,
549                                        sb->s_type->name, -rc);
550                         goto out;
551                 }
552         }
553
554         sbsec->flags |= SE_SBINITIALIZED;
555
556         /*
557          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
558          * leave the flag untouched because sb_clone_mnt_opts might be handing
559          * us a superblock that needs the flag to be cleared.
560          */
561         if (selinux_is_sblabel_mnt(sb))
562                 sbsec->flags |= SBLABEL_MNT;
563         else
564                 sbsec->flags &= ~SBLABEL_MNT;
565
566         /* Initialize the root inode. */
567         rc = inode_doinit_with_dentry(root_inode, root);
568
569         /* Initialize any other inodes associated with the superblock, e.g.
570            inodes created prior to initial policy load or inodes created
571            during get_sb by a pseudo filesystem that directly
572            populates itself. */
573         spin_lock(&sbsec->isec_lock);
574 next_inode:
575         if (!list_empty(&sbsec->isec_head)) {
576                 struct inode_security_struct *isec =
577                                 list_entry(sbsec->isec_head.next,
578                                            struct inode_security_struct, list);
579                 struct inode *inode = isec->inode;
580                 list_del_init(&isec->list);
581                 spin_unlock(&sbsec->isec_lock);
582                 inode = igrab(inode);
583                 if (inode) {
584                         if (!IS_PRIVATE(inode))
585                                 inode_doinit(inode);
586                         iput(inode);
587                 }
588                 spin_lock(&sbsec->isec_lock);
589                 goto next_inode;
590         }
591         spin_unlock(&sbsec->isec_lock);
592 out:
593         return rc;
594 }
595
596 /*
597  * This function should allow an FS to ask what it's mount security
598  * options were so it can use those later for submounts, displaying
599  * mount options, or whatever.
600  */
601 static int selinux_get_mnt_opts(const struct super_block *sb,
602                                 struct security_mnt_opts *opts)
603 {
604         int rc = 0, i;
605         struct superblock_security_struct *sbsec = sb->s_security;
606         char *context = NULL;
607         u32 len;
608         char tmp;
609
610         security_init_mnt_opts(opts);
611
612         if (!(sbsec->flags & SE_SBINITIALIZED))
613                 return -EINVAL;
614
615         if (!selinux_state.initialized)
616                 return -EINVAL;
617
618         /* make sure we always check enough bits to cover the mask */
619         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
620
621         tmp = sbsec->flags & SE_MNTMASK;
622         /* count the number of mount options for this sb */
623         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
624                 if (tmp & 0x01)
625                         opts->num_mnt_opts++;
626                 tmp >>= 1;
627         }
628         /* Check if the Label support flag is set */
629         if (sbsec->flags & SBLABEL_MNT)
630                 opts->num_mnt_opts++;
631
632         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
633         if (!opts->mnt_opts) {
634                 rc = -ENOMEM;
635                 goto out_free;
636         }
637
638         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
639         if (!opts->mnt_opts_flags) {
640                 rc = -ENOMEM;
641                 goto out_free;
642         }
643
644         i = 0;
645         if (sbsec->flags & FSCONTEXT_MNT) {
646                 rc = security_sid_to_context(&selinux_state, sbsec->sid,
647                                              &context, &len);
648                 if (rc)
649                         goto out_free;
650                 opts->mnt_opts[i] = context;
651                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
652         }
653         if (sbsec->flags & CONTEXT_MNT) {
654                 rc = security_sid_to_context(&selinux_state,
655                                              sbsec->mntpoint_sid,
656                                              &context, &len);
657                 if (rc)
658                         goto out_free;
659                 opts->mnt_opts[i] = context;
660                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
661         }
662         if (sbsec->flags & DEFCONTEXT_MNT) {
663                 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
664                                              &context, &len);
665                 if (rc)
666                         goto out_free;
667                 opts->mnt_opts[i] = context;
668                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
669         }
670         if (sbsec->flags & ROOTCONTEXT_MNT) {
671                 struct dentry *root = sbsec->sb->s_root;
672                 struct inode_security_struct *isec = backing_inode_security(root);
673
674                 rc = security_sid_to_context(&selinux_state, isec->sid,
675                                              &context, &len);
676                 if (rc)
677                         goto out_free;
678                 opts->mnt_opts[i] = context;
679                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
680         }
681         if (sbsec->flags & SBLABEL_MNT) {
682                 opts->mnt_opts[i] = NULL;
683                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
684         }
685
686         BUG_ON(i != opts->num_mnt_opts);
687
688         return 0;
689
690 out_free:
691         security_free_mnt_opts(opts);
692         return rc;
693 }
694
695 static int bad_option(struct superblock_security_struct *sbsec, char flag,
696                       u32 old_sid, u32 new_sid)
697 {
698         char mnt_flags = sbsec->flags & SE_MNTMASK;
699
700         /* check if the old mount command had the same options */
701         if (sbsec->flags & SE_SBINITIALIZED)
702                 if (!(sbsec->flags & flag) ||
703                     (old_sid != new_sid))
704                         return 1;
705
706         /* check if we were passed the same options twice,
707          * aka someone passed context=a,context=b
708          */
709         if (!(sbsec->flags & SE_SBINITIALIZED))
710                 if (mnt_flags & flag)
711                         return 1;
712         return 0;
713 }
714
715 /*
716  * Allow filesystems with binary mount data to explicitly set mount point
717  * labeling information.
718  */
719 static int selinux_set_mnt_opts(struct super_block *sb,
720                                 struct security_mnt_opts *opts,
721                                 unsigned long kern_flags,
722                                 unsigned long *set_kern_flags)
723 {
724         const struct cred *cred = current_cred();
725         int rc = 0, i;
726         struct superblock_security_struct *sbsec = sb->s_security;
727         const char *name = sb->s_type->name;
728         struct dentry *root = sbsec->sb->s_root;
729         struct inode_security_struct *root_isec;
730         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
731         u32 defcontext_sid = 0;
732         char **mount_options = opts->mnt_opts;
733         int *flags = opts->mnt_opts_flags;
734         int num_opts = opts->num_mnt_opts;
735
736         mutex_lock(&sbsec->lock);
737
738         if (!selinux_state.initialized) {
739                 if (!num_opts) {
740                         /* Defer initialization until selinux_complete_init,
741                            after the initial policy is loaded and the security
742                            server is ready to handle calls. */
743                         goto out;
744                 }
745                 rc = -EINVAL;
746                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
747                         "before the security server is initialized\n");
748                 goto out;
749         }
750         if (kern_flags && !set_kern_flags) {
751                 /* Specifying internal flags without providing a place to
752                  * place the results is not allowed */
753                 rc = -EINVAL;
754                 goto out;
755         }
756
757         /*
758          * Binary mount data FS will come through this function twice.  Once
759          * from an explicit call and once from the generic calls from the vfs.
760          * Since the generic VFS calls will not contain any security mount data
761          * we need to skip the double mount verification.
762          *
763          * This does open a hole in which we will not notice if the first
764          * mount using this sb set explict options and a second mount using
765          * this sb does not set any security options.  (The first options
766          * will be used for both mounts)
767          */
768         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
769             && (num_opts == 0))
770                 goto out;
771
772         root_isec = backing_inode_security_novalidate(root);
773
774         /*
775          * parse the mount options, check if they are valid sids.
776          * also check if someone is trying to mount the same sb more
777          * than once with different security options.
778          */
779         for (i = 0; i < num_opts; i++) {
780                 u32 sid;
781
782                 if (flags[i] == SBLABEL_MNT)
783                         continue;
784                 rc = security_context_str_to_sid(&selinux_state,
785                                                  mount_options[i], &sid,
786                                                  GFP_KERNEL);
787                 if (rc) {
788                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
789                                "(%s) failed for (dev %s, type %s) errno=%d\n",
790                                mount_options[i], sb->s_id, name, rc);
791                         goto out;
792                 }
793                 switch (flags[i]) {
794                 case FSCONTEXT_MNT:
795                         fscontext_sid = sid;
796
797                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
798                                         fscontext_sid))
799                                 goto out_double_mount;
800
801                         sbsec->flags |= FSCONTEXT_MNT;
802                         break;
803                 case CONTEXT_MNT:
804                         context_sid = sid;
805
806                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
807                                         context_sid))
808                                 goto out_double_mount;
809
810                         sbsec->flags |= CONTEXT_MNT;
811                         break;
812                 case ROOTCONTEXT_MNT:
813                         rootcontext_sid = sid;
814
815                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
816                                         rootcontext_sid))
817                                 goto out_double_mount;
818
819                         sbsec->flags |= ROOTCONTEXT_MNT;
820
821                         break;
822                 case DEFCONTEXT_MNT:
823                         defcontext_sid = sid;
824
825                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
826                                         defcontext_sid))
827                                 goto out_double_mount;
828
829                         sbsec->flags |= DEFCONTEXT_MNT;
830
831                         break;
832                 default:
833                         rc = -EINVAL;
834                         goto out;
835                 }
836         }
837
838         if (sbsec->flags & SE_SBINITIALIZED) {
839                 /* previously mounted with options, but not on this attempt? */
840                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
841                         goto out_double_mount;
842                 rc = 0;
843                 goto out;
844         }
845
846         if (strcmp(sb->s_type->name, "proc") == 0)
847                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
848
849         if (!strcmp(sb->s_type->name, "debugfs") ||
850             !strcmp(sb->s_type->name, "tracefs") ||
851             !strcmp(sb->s_type->name, "sysfs") ||
852             !strcmp(sb->s_type->name, "pstore") ||
853             !strcmp(sb->s_type->name, "cgroup") ||
854             !strcmp(sb->s_type->name, "cgroup2"))
855                 sbsec->flags |= SE_SBGENFS;
856
857         if (!sbsec->behavior) {
858                 /*
859                  * Determine the labeling behavior to use for this
860                  * filesystem type.
861                  */
862                 rc = security_fs_use(&selinux_state, sb);
863                 if (rc) {
864                         printk(KERN_WARNING
865                                 "%s: security_fs_use(%s) returned %d\n",
866                                         __func__, sb->s_type->name, rc);
867                         goto out;
868                 }
869         }
870
871         /*
872          * If this is a user namespace mount and the filesystem type is not
873          * explicitly whitelisted, then no contexts are allowed on the command
874          * line and security labels must be ignored.
875          */
876         if (sb->s_user_ns != &init_user_ns &&
877             strcmp(sb->s_type->name, "tmpfs") &&
878             strcmp(sb->s_type->name, "ramfs") &&
879             strcmp(sb->s_type->name, "devpts")) {
880                 if (context_sid || fscontext_sid || rootcontext_sid ||
881                     defcontext_sid) {
882                         rc = -EACCES;
883                         goto out;
884                 }
885                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
886                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
887                         rc = security_transition_sid(&selinux_state,
888                                                      current_sid(),
889                                                      current_sid(),
890                                                      SECCLASS_FILE, NULL,
891                                                      &sbsec->mntpoint_sid);
892                         if (rc)
893                                 goto out;
894                 }
895                 goto out_set_opts;
896         }
897
898         /* sets the context of the superblock for the fs being mounted. */
899         if (fscontext_sid) {
900                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
901                 if (rc)
902                         goto out;
903
904                 sbsec->sid = fscontext_sid;
905         }
906
907         /*
908          * Switch to using mount point labeling behavior.
909          * sets the label used on all file below the mountpoint, and will set
910          * the superblock context if not already set.
911          */
912         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
913                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
914                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
915         }
916
917         if (context_sid) {
918                 if (!fscontext_sid) {
919                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
920                                                           cred);
921                         if (rc)
922                                 goto out;
923                         sbsec->sid = context_sid;
924                 } else {
925                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
926                                                              cred);
927                         if (rc)
928                                 goto out;
929                 }
930                 if (!rootcontext_sid)
931                         rootcontext_sid = context_sid;
932
933                 sbsec->mntpoint_sid = context_sid;
934                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
935         }
936
937         if (rootcontext_sid) {
938                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
939                                                      cred);
940                 if (rc)
941                         goto out;
942
943                 root_isec->sid = rootcontext_sid;
944                 root_isec->initialized = LABEL_INITIALIZED;
945         }
946
947         if (defcontext_sid) {
948                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
949                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
950                         rc = -EINVAL;
951                         printk(KERN_WARNING "SELinux: defcontext option is "
952                                "invalid for this filesystem type\n");
953                         goto out;
954                 }
955
956                 if (defcontext_sid != sbsec->def_sid) {
957                         rc = may_context_mount_inode_relabel(defcontext_sid,
958                                                              sbsec, cred);
959                         if (rc)
960                                 goto out;
961                 }
962
963                 sbsec->def_sid = defcontext_sid;
964         }
965
966 out_set_opts:
967         rc = sb_finish_set_opts(sb);
968 out:
969         mutex_unlock(&sbsec->lock);
970         return rc;
971 out_double_mount:
972         rc = -EINVAL;
973         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
974                "security settings for (dev %s, type %s)\n", sb->s_id, name);
975         goto out;
976 }
977
978 static int selinux_cmp_sb_context(const struct super_block *oldsb,
979                                     const struct super_block *newsb)
980 {
981         struct superblock_security_struct *old = oldsb->s_security;
982         struct superblock_security_struct *new = newsb->s_security;
983         char oldflags = old->flags & SE_MNTMASK;
984         char newflags = new->flags & SE_MNTMASK;
985
986         if (oldflags != newflags)
987                 goto mismatch;
988         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
989                 goto mismatch;
990         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
991                 goto mismatch;
992         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
993                 goto mismatch;
994         if (oldflags & ROOTCONTEXT_MNT) {
995                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
996                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
997                 if (oldroot->sid != newroot->sid)
998                         goto mismatch;
999         }
1000         return 0;
1001 mismatch:
1002         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
1003                             "different security settings for (dev %s, "
1004                             "type %s)\n", newsb->s_id, newsb->s_type->name);
1005         return -EBUSY;
1006 }
1007
1008 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1009                                         struct super_block *newsb,
1010                                         unsigned long kern_flags,
1011                                         unsigned long *set_kern_flags)
1012 {
1013         int rc = 0;
1014         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1015         struct superblock_security_struct *newsbsec = newsb->s_security;
1016
1017         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
1018         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
1019         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
1020
1021         /*
1022          * if the parent was able to be mounted it clearly had no special lsm
1023          * mount options.  thus we can safely deal with this superblock later
1024          */
1025         if (!selinux_state.initialized)
1026                 return 0;
1027
1028         /*
1029          * Specifying internal flags without providing a place to
1030          * place the results is not allowed.
1031          */
1032         if (kern_flags && !set_kern_flags)
1033                 return -EINVAL;
1034
1035         /* how can we clone if the old one wasn't set up?? */
1036         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1037
1038         /* if fs is reusing a sb, make sure that the contexts match */
1039         if (newsbsec->flags & SE_SBINITIALIZED)
1040                 return selinux_cmp_sb_context(oldsb, newsb);
1041
1042         mutex_lock(&newsbsec->lock);
1043
1044         newsbsec->flags = oldsbsec->flags;
1045
1046         newsbsec->sid = oldsbsec->sid;
1047         newsbsec->def_sid = oldsbsec->def_sid;
1048         newsbsec->behavior = oldsbsec->behavior;
1049
1050         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1051                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1052                 rc = security_fs_use(&selinux_state, newsb);
1053                 if (rc)
1054                         goto out;
1055         }
1056
1057         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1058                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1059                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1060         }
1061
1062         if (set_context) {
1063                 u32 sid = oldsbsec->mntpoint_sid;
1064
1065                 if (!set_fscontext)
1066                         newsbsec->sid = sid;
1067                 if (!set_rootcontext) {
1068                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1069                         newisec->sid = sid;
1070                 }
1071                 newsbsec->mntpoint_sid = sid;
1072         }
1073         if (set_rootcontext) {
1074                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1075                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1076
1077                 newisec->sid = oldisec->sid;
1078         }
1079
1080         sb_finish_set_opts(newsb);
1081 out:
1082         mutex_unlock(&newsbsec->lock);
1083         return rc;
1084 }
1085
1086 static int selinux_parse_opts_str(char *options,
1087                                   struct security_mnt_opts *opts)
1088 {
1089         char *p;
1090         char *context = NULL, *defcontext = NULL;
1091         char *fscontext = NULL, *rootcontext = NULL;
1092         int rc, num_mnt_opts = 0;
1093
1094         opts->num_mnt_opts = 0;
1095
1096         /* Standard string-based options. */
1097         while ((p = strsep(&options, "|")) != NULL) {
1098                 int token;
1099                 substring_t args[MAX_OPT_ARGS];
1100
1101                 if (!*p)
1102                         continue;
1103
1104                 token = match_token(p, tokens, args);
1105
1106                 switch (token) {
1107                 case Opt_context:
1108                         if (context || defcontext) {
1109                                 rc = -EINVAL;
1110                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1111                                 goto out_err;
1112                         }
1113                         context = match_strdup(&args[0]);
1114                         if (!context) {
1115                                 rc = -ENOMEM;
1116                                 goto out_err;
1117                         }
1118                         break;
1119
1120                 case Opt_fscontext:
1121                         if (fscontext) {
1122                                 rc = -EINVAL;
1123                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1124                                 goto out_err;
1125                         }
1126                         fscontext = match_strdup(&args[0]);
1127                         if (!fscontext) {
1128                                 rc = -ENOMEM;
1129                                 goto out_err;
1130                         }
1131                         break;
1132
1133                 case Opt_rootcontext:
1134                         if (rootcontext) {
1135                                 rc = -EINVAL;
1136                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1137                                 goto out_err;
1138                         }
1139                         rootcontext = match_strdup(&args[0]);
1140                         if (!rootcontext) {
1141                                 rc = -ENOMEM;
1142                                 goto out_err;
1143                         }
1144                         break;
1145
1146                 case Opt_defcontext:
1147                         if (context || defcontext) {
1148                                 rc = -EINVAL;
1149                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1150                                 goto out_err;
1151                         }
1152                         defcontext = match_strdup(&args[0]);
1153                         if (!defcontext) {
1154                                 rc = -ENOMEM;
1155                                 goto out_err;
1156                         }
1157                         break;
1158                 case Opt_labelsupport:
1159                         break;
1160                 default:
1161                         rc = -EINVAL;
1162                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1163                         goto out_err;
1164
1165                 }
1166         }
1167
1168         rc = -ENOMEM;
1169         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1170         if (!opts->mnt_opts)
1171                 goto out_err;
1172
1173         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1174                                        GFP_KERNEL);
1175         if (!opts->mnt_opts_flags)
1176                 goto out_err;
1177
1178         if (fscontext) {
1179                 opts->mnt_opts[num_mnt_opts] = fscontext;
1180                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1181         }
1182         if (context) {
1183                 opts->mnt_opts[num_mnt_opts] = context;
1184                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1185         }
1186         if (rootcontext) {
1187                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1188                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1189         }
1190         if (defcontext) {
1191                 opts->mnt_opts[num_mnt_opts] = defcontext;
1192                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1193         }
1194
1195         opts->num_mnt_opts = num_mnt_opts;
1196         return 0;
1197
1198 out_err:
1199         security_free_mnt_opts(opts);
1200         kfree(context);
1201         kfree(defcontext);
1202         kfree(fscontext);
1203         kfree(rootcontext);
1204         return rc;
1205 }
1206 /*
1207  * string mount options parsing and call set the sbsec
1208  */
1209 static int superblock_doinit(struct super_block *sb, void *data)
1210 {
1211         int rc = 0;
1212         char *options = data;
1213         struct security_mnt_opts opts;
1214
1215         security_init_mnt_opts(&opts);
1216
1217         if (!data)
1218                 goto out;
1219
1220         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1221
1222         rc = selinux_parse_opts_str(options, &opts);
1223         if (rc)
1224                 goto out_err;
1225
1226 out:
1227         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1228
1229 out_err:
1230         security_free_mnt_opts(&opts);
1231         return rc;
1232 }
1233
1234 static void selinux_write_opts(struct seq_file *m,
1235                                struct security_mnt_opts *opts)
1236 {
1237         int i;
1238         char *prefix;
1239
1240         for (i = 0; i < opts->num_mnt_opts; i++) {
1241                 char *has_comma;
1242
1243                 if (opts->mnt_opts[i])
1244                         has_comma = strchr(opts->mnt_opts[i], ',');
1245                 else
1246                         has_comma = NULL;
1247
1248                 switch (opts->mnt_opts_flags[i]) {
1249                 case CONTEXT_MNT:
1250                         prefix = CONTEXT_STR;
1251                         break;
1252                 case FSCONTEXT_MNT:
1253                         prefix = FSCONTEXT_STR;
1254                         break;
1255                 case ROOTCONTEXT_MNT:
1256                         prefix = ROOTCONTEXT_STR;
1257                         break;
1258                 case DEFCONTEXT_MNT:
1259                         prefix = DEFCONTEXT_STR;
1260                         break;
1261                 case SBLABEL_MNT:
1262                         seq_putc(m, ',');
1263                         seq_puts(m, LABELSUPP_STR);
1264                         continue;
1265                 default:
1266                         BUG();
1267                         return;
1268                 };
1269                 /* we need a comma before each option */
1270                 seq_putc(m, ',');
1271                 seq_puts(m, prefix);
1272                 if (has_comma)
1273                         seq_putc(m, '\"');
1274                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1275                 if (has_comma)
1276                         seq_putc(m, '\"');
1277         }
1278 }
1279
1280 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1281 {
1282         struct security_mnt_opts opts;
1283         int rc;
1284
1285         rc = selinux_get_mnt_opts(sb, &opts);
1286         if (rc) {
1287                 /* before policy load we may get EINVAL, don't show anything */
1288                 if (rc == -EINVAL)
1289                         rc = 0;
1290                 return rc;
1291         }
1292
1293         selinux_write_opts(m, &opts);
1294
1295         security_free_mnt_opts(&opts);
1296
1297         return rc;
1298 }
1299
1300 static inline u16 inode_mode_to_security_class(umode_t mode)
1301 {
1302         switch (mode & S_IFMT) {
1303         case S_IFSOCK:
1304                 return SECCLASS_SOCK_FILE;
1305         case S_IFLNK:
1306                 return SECCLASS_LNK_FILE;
1307         case S_IFREG:
1308                 return SECCLASS_FILE;
1309         case S_IFBLK:
1310                 return SECCLASS_BLK_FILE;
1311         case S_IFDIR:
1312                 return SECCLASS_DIR;
1313         case S_IFCHR:
1314                 return SECCLASS_CHR_FILE;
1315         case S_IFIFO:
1316                 return SECCLASS_FIFO_FILE;
1317
1318         }
1319
1320         return SECCLASS_FILE;
1321 }
1322
1323 static inline int default_protocol_stream(int protocol)
1324 {
1325         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1326 }
1327
1328 static inline int default_protocol_dgram(int protocol)
1329 {
1330         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1331 }
1332
1333 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1334 {
1335         int extsockclass = selinux_policycap_extsockclass();
1336
1337         switch (family) {
1338         case PF_UNIX:
1339                 switch (type) {
1340                 case SOCK_STREAM:
1341                 case SOCK_SEQPACKET:
1342                         return SECCLASS_UNIX_STREAM_SOCKET;
1343                 case SOCK_DGRAM:
1344                 case SOCK_RAW:
1345                         return SECCLASS_UNIX_DGRAM_SOCKET;
1346                 }
1347                 break;
1348         case PF_INET:
1349         case PF_INET6:
1350                 switch (type) {
1351                 case SOCK_STREAM:
1352                 case SOCK_SEQPACKET:
1353                         if (default_protocol_stream(protocol))
1354                                 return SECCLASS_TCP_SOCKET;
1355                         else if (extsockclass && protocol == IPPROTO_SCTP)
1356                                 return SECCLASS_SCTP_SOCKET;
1357                         else
1358                                 return SECCLASS_RAWIP_SOCKET;
1359                 case SOCK_DGRAM:
1360                         if (default_protocol_dgram(protocol))
1361                                 return SECCLASS_UDP_SOCKET;
1362                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1363                                                   protocol == IPPROTO_ICMPV6))
1364                                 return SECCLASS_ICMP_SOCKET;
1365                         else
1366                                 return SECCLASS_RAWIP_SOCKET;
1367                 case SOCK_DCCP:
1368                         return SECCLASS_DCCP_SOCKET;
1369                 default:
1370                         return SECCLASS_RAWIP_SOCKET;
1371                 }
1372                 break;
1373         case PF_NETLINK:
1374                 switch (protocol) {
1375                 case NETLINK_ROUTE:
1376                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1377                 case NETLINK_SOCK_DIAG:
1378                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1379                 case NETLINK_NFLOG:
1380                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1381                 case NETLINK_XFRM:
1382                         return SECCLASS_NETLINK_XFRM_SOCKET;
1383                 case NETLINK_SELINUX:
1384                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1385                 case NETLINK_ISCSI:
1386                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1387                 case NETLINK_AUDIT:
1388                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1389                 case NETLINK_FIB_LOOKUP:
1390                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1391                 case NETLINK_CONNECTOR:
1392                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1393                 case NETLINK_NETFILTER:
1394                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1395                 case NETLINK_DNRTMSG:
1396                         return SECCLASS_NETLINK_DNRT_SOCKET;
1397                 case NETLINK_KOBJECT_UEVENT:
1398                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1399                 case NETLINK_GENERIC:
1400                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1401                 case NETLINK_SCSITRANSPORT:
1402                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1403                 case NETLINK_RDMA:
1404                         return SECCLASS_NETLINK_RDMA_SOCKET;
1405                 case NETLINK_CRYPTO:
1406                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1407                 default:
1408                         return SECCLASS_NETLINK_SOCKET;
1409                 }
1410         case PF_PACKET:
1411                 return SECCLASS_PACKET_SOCKET;
1412         case PF_KEY:
1413                 return SECCLASS_KEY_SOCKET;
1414         case PF_APPLETALK:
1415                 return SECCLASS_APPLETALK_SOCKET;
1416         }
1417
1418         if (extsockclass) {
1419                 switch (family) {
1420                 case PF_AX25:
1421                         return SECCLASS_AX25_SOCKET;
1422                 case PF_IPX:
1423                         return SECCLASS_IPX_SOCKET;
1424                 case PF_NETROM:
1425                         return SECCLASS_NETROM_SOCKET;
1426                 case PF_ATMPVC:
1427                         return SECCLASS_ATMPVC_SOCKET;
1428                 case PF_X25:
1429                         return SECCLASS_X25_SOCKET;
1430                 case PF_ROSE:
1431                         return SECCLASS_ROSE_SOCKET;
1432                 case PF_DECnet:
1433                         return SECCLASS_DECNET_SOCKET;
1434                 case PF_ATMSVC:
1435                         return SECCLASS_ATMSVC_SOCKET;
1436                 case PF_RDS:
1437                         return SECCLASS_RDS_SOCKET;
1438                 case PF_IRDA:
1439                         return SECCLASS_IRDA_SOCKET;
1440                 case PF_PPPOX:
1441                         return SECCLASS_PPPOX_SOCKET;
1442                 case PF_LLC:
1443                         return SECCLASS_LLC_SOCKET;
1444                 case PF_CAN:
1445                         return SECCLASS_CAN_SOCKET;
1446                 case PF_TIPC:
1447                         return SECCLASS_TIPC_SOCKET;
1448                 case PF_BLUETOOTH:
1449                         return SECCLASS_BLUETOOTH_SOCKET;
1450                 case PF_IUCV:
1451                         return SECCLASS_IUCV_SOCKET;
1452                 case PF_RXRPC:
1453                         return SECCLASS_RXRPC_SOCKET;
1454                 case PF_ISDN:
1455                         return SECCLASS_ISDN_SOCKET;
1456                 case PF_PHONET:
1457                         return SECCLASS_PHONET_SOCKET;
1458                 case PF_IEEE802154:
1459                         return SECCLASS_IEEE802154_SOCKET;
1460                 case PF_CAIF:
1461                         return SECCLASS_CAIF_SOCKET;
1462                 case PF_ALG:
1463                         return SECCLASS_ALG_SOCKET;
1464                 case PF_NFC:
1465                         return SECCLASS_NFC_SOCKET;
1466                 case PF_VSOCK:
1467                         return SECCLASS_VSOCK_SOCKET;
1468                 case PF_KCM:
1469                         return SECCLASS_KCM_SOCKET;
1470                 case PF_QIPCRTR:
1471                         return SECCLASS_QIPCRTR_SOCKET;
1472                 case PF_SMC:
1473                         return SECCLASS_SMC_SOCKET;
1474 #if PF_MAX > 44
1475 #error New address family defined, please update this function.
1476 #endif
1477                 }
1478         }
1479
1480         return SECCLASS_SOCKET;
1481 }
1482
1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1484                                  u16 tclass,
1485                                  u16 flags,
1486                                  u32 *sid)
1487 {
1488         int rc;
1489         struct super_block *sb = dentry->d_sb;
1490         char *buffer, *path;
1491
1492         buffer = (char *)__get_free_page(GFP_KERNEL);
1493         if (!buffer)
1494                 return -ENOMEM;
1495
1496         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497         if (IS_ERR(path))
1498                 rc = PTR_ERR(path);
1499         else {
1500                 if (flags & SE_SBPROC) {
1501                         /* each process gets a /proc/PID/ entry. Strip off the
1502                          * PID part to get a valid selinux labeling.
1503                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504                         while (path[1] >= '0' && path[1] <= '9') {
1505                                 path[1] = '/';
1506                                 path++;
1507                         }
1508                 }
1509                 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510                                         path, tclass, sid);
1511         }
1512         free_page((unsigned long)buffer);
1513         return rc;
1514 }
1515
1516 /* The inode's security attributes must be initialized before first use. */
1517 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1518 {
1519         struct superblock_security_struct *sbsec = NULL;
1520         struct inode_security_struct *isec = inode->i_security;
1521         u32 task_sid, sid = 0;
1522         u16 sclass;
1523         struct dentry *dentry;
1524 #define INITCONTEXTLEN 255
1525         char *context = NULL;
1526         unsigned len = 0;
1527         int rc = 0;
1528
1529         if (isec->initialized == LABEL_INITIALIZED)
1530                 return 0;
1531
1532         spin_lock(&isec->lock);
1533         if (isec->initialized == LABEL_INITIALIZED)
1534                 goto out_unlock;
1535
1536         if (isec->sclass == SECCLASS_FILE)
1537                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1538
1539         sbsec = inode->i_sb->s_security;
1540         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1541                 /* Defer initialization until selinux_complete_init,
1542                    after the initial policy is loaded and the security
1543                    server is ready to handle calls. */
1544                 spin_lock(&sbsec->isec_lock);
1545                 if (list_empty(&isec->list))
1546                         list_add(&isec->list, &sbsec->isec_head);
1547                 spin_unlock(&sbsec->isec_lock);
1548                 goto out_unlock;
1549         }
1550
1551         sclass = isec->sclass;
1552         task_sid = isec->task_sid;
1553         sid = isec->sid;
1554         isec->initialized = LABEL_PENDING;
1555         spin_unlock(&isec->lock);
1556
1557         switch (sbsec->behavior) {
1558         case SECURITY_FS_USE_NATIVE:
1559                 break;
1560         case SECURITY_FS_USE_XATTR:
1561                 if (!(inode->i_opflags & IOP_XATTR)) {
1562                         sid = sbsec->def_sid;
1563                         break;
1564                 }
1565                 /* Need a dentry, since the xattr API requires one.
1566                    Life would be simpler if we could just pass the inode. */
1567                 if (opt_dentry) {
1568                         /* Called from d_instantiate or d_splice_alias. */
1569                         dentry = dget(opt_dentry);
1570                 } else {
1571                         /*
1572                          * Called from selinux_complete_init, try to find a dentry.
1573                          * Some filesystems really want a connected one, so try
1574                          * that first.  We could split SECURITY_FS_USE_XATTR in
1575                          * two, depending upon that...
1576                          */
1577                         dentry = d_find_alias(inode);
1578                         if (!dentry)
1579                                 dentry = d_find_any_alias(inode);
1580                 }
1581                 if (!dentry) {
1582                         /*
1583                          * this is can be hit on boot when a file is accessed
1584                          * before the policy is loaded.  When we load policy we
1585                          * may find inodes that have no dentry on the
1586                          * sbsec->isec_head list.  No reason to complain as these
1587                          * will get fixed up the next time we go through
1588                          * inode_doinit with a dentry, before these inodes could
1589                          * be used again by userspace.
1590                          */
1591                         goto out;
1592                 }
1593
1594                 len = INITCONTEXTLEN;
1595                 context = kmalloc(len+1, GFP_NOFS);
1596                 if (!context) {
1597                         rc = -ENOMEM;
1598                         dput(dentry);
1599                         goto out;
1600                 }
1601                 context[len] = '\0';
1602                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1603                 if (rc == -ERANGE) {
1604                         kfree(context);
1605
1606                         /* Need a larger buffer.  Query for the right size. */
1607                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1608                         if (rc < 0) {
1609                                 dput(dentry);
1610                                 goto out;
1611                         }
1612                         len = rc;
1613                         context = kmalloc(len+1, GFP_NOFS);
1614                         if (!context) {
1615                                 rc = -ENOMEM;
1616                                 dput(dentry);
1617                                 goto out;
1618                         }
1619                         context[len] = '\0';
1620                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1621                 }
1622                 dput(dentry);
1623                 if (rc < 0) {
1624                         if (rc != -ENODATA) {
1625                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1626                                        "%d for dev=%s ino=%ld\n", __func__,
1627                                        -rc, inode->i_sb->s_id, inode->i_ino);
1628                                 kfree(context);
1629                                 goto out;
1630                         }
1631                         /* Map ENODATA to the default file SID */
1632                         sid = sbsec->def_sid;
1633                         rc = 0;
1634                 } else {
1635                         rc = security_context_to_sid_default(&selinux_state,
1636                                                              context, rc, &sid,
1637                                                              sbsec->def_sid,
1638                                                              GFP_NOFS);
1639                         if (rc) {
1640                                 char *dev = inode->i_sb->s_id;
1641                                 unsigned long ino = inode->i_ino;
1642
1643                                 if (rc == -EINVAL) {
1644                                         if (printk_ratelimit())
1645                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1646                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1647                                                         "filesystem in question.\n", ino, dev, context);
1648                                 } else {
1649                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1650                                                "returned %d for dev=%s ino=%ld\n",
1651                                                __func__, context, -rc, dev, ino);
1652                                 }
1653                                 kfree(context);
1654                                 /* Leave with the unlabeled SID */
1655                                 rc = 0;
1656                                 break;
1657                         }
1658                 }
1659                 kfree(context);
1660                 break;
1661         case SECURITY_FS_USE_TASK:
1662                 sid = task_sid;
1663                 break;
1664         case SECURITY_FS_USE_TRANS:
1665                 /* Default to the fs SID. */
1666                 sid = sbsec->sid;
1667
1668                 /* Try to obtain a transition SID. */
1669                 rc = security_transition_sid(&selinux_state, task_sid, sid,
1670                                              sclass, NULL, &sid);
1671                 if (rc)
1672                         goto out;
1673                 break;
1674         case SECURITY_FS_USE_MNTPOINT:
1675                 sid = sbsec->mntpoint_sid;
1676                 break;
1677         default:
1678                 /* Default to the fs superblock SID. */
1679                 sid = sbsec->sid;
1680
1681                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1682                         /* We must have a dentry to determine the label on
1683                          * procfs inodes */
1684                         if (opt_dentry) {
1685                                 /* Called from d_instantiate or
1686                                  * d_splice_alias. */
1687                                 dentry = dget(opt_dentry);
1688                         } else {
1689                                 /* Called from selinux_complete_init, try to
1690                                  * find a dentry.  Some filesystems really want
1691                                  * a connected one, so try that first.
1692                                  */
1693                                 dentry = d_find_alias(inode);
1694                                 if (!dentry)
1695                                         dentry = d_find_any_alias(inode);
1696                         }
1697                         /*
1698                          * This can be hit on boot when a file is accessed
1699                          * before the policy is loaded.  When we load policy we
1700                          * may find inodes that have no dentry on the
1701                          * sbsec->isec_head list.  No reason to complain as
1702                          * these will get fixed up the next time we go through
1703                          * inode_doinit() with a dentry, before these inodes
1704                          * could be used again by userspace.
1705                          */
1706                         if (!dentry)
1707                                 goto out;
1708                         rc = selinux_genfs_get_sid(dentry, sclass,
1709                                                    sbsec->flags, &sid);
1710                         dput(dentry);
1711                         if (rc)
1712                                 goto out;
1713                 }
1714                 break;
1715         }
1716
1717 out:
1718         spin_lock(&isec->lock);
1719         if (isec->initialized == LABEL_PENDING) {
1720                 if (!sid || rc) {
1721                         isec->initialized = LABEL_INVALID;
1722                         goto out_unlock;
1723                 }
1724
1725                 isec->initialized = LABEL_INITIALIZED;
1726                 isec->sid = sid;
1727         }
1728
1729 out_unlock:
1730         spin_unlock(&isec->lock);
1731         return rc;
1732 }
1733
1734 /* Convert a Linux signal to an access vector. */
1735 static inline u32 signal_to_av(int sig)
1736 {
1737         u32 perm = 0;
1738
1739         switch (sig) {
1740         case SIGCHLD:
1741                 /* Commonly granted from child to parent. */
1742                 perm = PROCESS__SIGCHLD;
1743                 break;
1744         case SIGKILL:
1745                 /* Cannot be caught or ignored */
1746                 perm = PROCESS__SIGKILL;
1747                 break;
1748         case SIGSTOP:
1749                 /* Cannot be caught or ignored */
1750                 perm = PROCESS__SIGSTOP;
1751                 break;
1752         default:
1753                 /* All other signals. */
1754                 perm = PROCESS__SIGNAL;
1755                 break;
1756         }
1757
1758         return perm;
1759 }
1760
1761 #if CAP_LAST_CAP > 63
1762 #error Fix SELinux to handle capabilities > 63.
1763 #endif
1764
1765 /* Check whether a task is allowed to use a capability. */
1766 static int cred_has_capability(const struct cred *cred,
1767                                int cap, int audit, bool initns)
1768 {
1769         struct common_audit_data ad;
1770         struct av_decision avd;
1771         u16 sclass;
1772         u32 sid = cred_sid(cred);
1773         u32 av = CAP_TO_MASK(cap);
1774         int rc;
1775
1776         ad.type = LSM_AUDIT_DATA_CAP;
1777         ad.u.cap = cap;
1778
1779         switch (CAP_TO_INDEX(cap)) {
1780         case 0:
1781                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1782                 break;
1783         case 1:
1784                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1785                 break;
1786         default:
1787                 printk(KERN_ERR
1788                        "SELinux:  out of range capability %d\n", cap);
1789                 BUG();
1790                 return -EINVAL;
1791         }
1792
1793         rc = avc_has_perm_noaudit(&selinux_state,
1794                                   sid, sid, sclass, av, 0, &avd);
1795         if (audit == SECURITY_CAP_AUDIT) {
1796                 int rc2 = avc_audit(&selinux_state,
1797                                     sid, sid, sclass, av, &avd, rc, &ad, 0);
1798                 if (rc2)
1799                         return rc2;
1800         }
1801         return rc;
1802 }
1803
1804 /* Check whether a task has a particular permission to an inode.
1805    The 'adp' parameter is optional and allows other audit
1806    data to be passed (e.g. the dentry). */
1807 static int inode_has_perm(const struct cred *cred,
1808                           struct inode *inode,
1809                           u32 perms,
1810                           struct common_audit_data *adp)
1811 {
1812         struct inode_security_struct *isec;
1813         u32 sid;
1814
1815         validate_creds(cred);
1816
1817         if (unlikely(IS_PRIVATE(inode)))
1818                 return 0;
1819
1820         sid = cred_sid(cred);
1821         isec = inode->i_security;
1822
1823         return avc_has_perm(&selinux_state,
1824                             sid, isec->sid, isec->sclass, perms, adp);
1825 }
1826
1827 /* Same as inode_has_perm, but pass explicit audit data containing
1828    the dentry to help the auditing code to more easily generate the
1829    pathname if needed. */
1830 static inline int dentry_has_perm(const struct cred *cred,
1831                                   struct dentry *dentry,
1832                                   u32 av)
1833 {
1834         struct inode *inode = d_backing_inode(dentry);
1835         struct common_audit_data ad;
1836
1837         ad.type = LSM_AUDIT_DATA_DENTRY;
1838         ad.u.dentry = dentry;
1839         __inode_security_revalidate(inode, dentry, true);
1840         return inode_has_perm(cred, inode, av, &ad);
1841 }
1842
1843 /* Same as inode_has_perm, but pass explicit audit data containing
1844    the path to help the auditing code to more easily generate the
1845    pathname if needed. */
1846 static inline int path_has_perm(const struct cred *cred,
1847                                 const struct path *path,
1848                                 u32 av)
1849 {
1850         struct inode *inode = d_backing_inode(path->dentry);
1851         struct common_audit_data ad;
1852
1853         ad.type = LSM_AUDIT_DATA_PATH;
1854         ad.u.path = *path;
1855         __inode_security_revalidate(inode, path->dentry, true);
1856         return inode_has_perm(cred, inode, av, &ad);
1857 }
1858
1859 /* Same as path_has_perm, but uses the inode from the file struct. */
1860 static inline int file_path_has_perm(const struct cred *cred,
1861                                      struct file *file,
1862                                      u32 av)
1863 {
1864         struct common_audit_data ad;
1865
1866         ad.type = LSM_AUDIT_DATA_FILE;
1867         ad.u.file = file;
1868         return inode_has_perm(cred, file_inode(file), av, &ad);
1869 }
1870
1871 #ifdef CONFIG_BPF_SYSCALL
1872 static int bpf_fd_pass(struct file *file, u32 sid);
1873 #endif
1874
1875 /* Check whether a task can use an open file descriptor to
1876    access an inode in a given way.  Check access to the
1877    descriptor itself, and then use dentry_has_perm to
1878    check a particular permission to the file.
1879    Access to the descriptor is implicitly granted if it
1880    has the same SID as the process.  If av is zero, then
1881    access to the file is not checked, e.g. for cases
1882    where only the descriptor is affected like seek. */
1883 static int file_has_perm(const struct cred *cred,
1884                          struct file *file,
1885                          u32 av)
1886 {
1887         struct file_security_struct *fsec = file->f_security;
1888         struct inode *inode = file_inode(file);
1889         struct common_audit_data ad;
1890         u32 sid = cred_sid(cred);
1891         int rc;
1892
1893         ad.type = LSM_AUDIT_DATA_FILE;
1894         ad.u.file = file;
1895
1896         if (sid != fsec->sid) {
1897                 rc = avc_has_perm(&selinux_state,
1898                                   sid, fsec->sid,
1899                                   SECCLASS_FD,
1900                                   FD__USE,
1901                                   &ad);
1902                 if (rc)
1903                         goto out;
1904         }
1905
1906 #ifdef CONFIG_BPF_SYSCALL
1907         rc = bpf_fd_pass(file, cred_sid(cred));
1908         if (rc)
1909                 return rc;
1910 #endif
1911
1912         /* av is zero if only checking access to the descriptor. */
1913         rc = 0;
1914         if (av)
1915                 rc = inode_has_perm(cred, inode, av, &ad);
1916
1917 out:
1918         return rc;
1919 }
1920
1921 /*
1922  * Determine the label for an inode that might be unioned.
1923  */
1924 static int
1925 selinux_determine_inode_label(const struct task_security_struct *tsec,
1926                                  struct inode *dir,
1927                                  const struct qstr *name, u16 tclass,
1928                                  u32 *_new_isid)
1929 {
1930         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1931
1932         if ((sbsec->flags & SE_SBINITIALIZED) &&
1933             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1934                 *_new_isid = sbsec->mntpoint_sid;
1935         } else if ((sbsec->flags & SBLABEL_MNT) &&
1936                    tsec->create_sid) {
1937                 *_new_isid = tsec->create_sid;
1938         } else {
1939                 const struct inode_security_struct *dsec = inode_security(dir);
1940                 return security_transition_sid(&selinux_state, tsec->sid,
1941                                                dsec->sid, tclass,
1942                                                name, _new_isid);
1943         }
1944
1945         return 0;
1946 }
1947
1948 /* Check whether a task can create a file. */
1949 static int may_create(struct inode *dir,
1950                       struct dentry *dentry,
1951                       u16 tclass)
1952 {
1953         const struct task_security_struct *tsec = current_security();
1954         struct inode_security_struct *dsec;
1955         struct superblock_security_struct *sbsec;
1956         u32 sid, newsid;
1957         struct common_audit_data ad;
1958         int rc;
1959
1960         dsec = inode_security(dir);
1961         sbsec = dir->i_sb->s_security;
1962
1963         sid = tsec->sid;
1964
1965         ad.type = LSM_AUDIT_DATA_DENTRY;
1966         ad.u.dentry = dentry;
1967
1968         rc = avc_has_perm(&selinux_state,
1969                           sid, dsec->sid, SECCLASS_DIR,
1970                           DIR__ADD_NAME | DIR__SEARCH,
1971                           &ad);
1972         if (rc)
1973                 return rc;
1974
1975         rc = selinux_determine_inode_label(current_security(), dir,
1976                                            &dentry->d_name, tclass, &newsid);
1977         if (rc)
1978                 return rc;
1979
1980         rc = avc_has_perm(&selinux_state,
1981                           sid, newsid, tclass, FILE__CREATE, &ad);
1982         if (rc)
1983                 return rc;
1984
1985         return avc_has_perm(&selinux_state,
1986                             newsid, sbsec->sid,
1987                             SECCLASS_FILESYSTEM,
1988                             FILESYSTEM__ASSOCIATE, &ad);
1989 }
1990
1991 #define MAY_LINK        0
1992 #define MAY_UNLINK      1
1993 #define MAY_RMDIR       2
1994
1995 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1996 static int may_link(struct inode *dir,
1997                     struct dentry *dentry,
1998                     int kind)
1999
2000 {
2001         struct inode_security_struct *dsec, *isec;
2002         struct common_audit_data ad;
2003         u32 sid = current_sid();
2004         u32 av;
2005         int rc;
2006
2007         dsec = inode_security(dir);
2008         isec = backing_inode_security(dentry);
2009
2010         ad.type = LSM_AUDIT_DATA_DENTRY;
2011         ad.u.dentry = dentry;
2012
2013         av = DIR__SEARCH;
2014         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2015         rc = avc_has_perm(&selinux_state,
2016                           sid, dsec->sid, SECCLASS_DIR, av, &ad);
2017         if (rc)
2018                 return rc;
2019
2020         switch (kind) {
2021         case MAY_LINK:
2022                 av = FILE__LINK;
2023                 break;
2024         case MAY_UNLINK:
2025                 av = FILE__UNLINK;
2026                 break;
2027         case MAY_RMDIR:
2028                 av = DIR__RMDIR;
2029                 break;
2030         default:
2031                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
2032                         __func__, kind);
2033                 return 0;
2034         }
2035
2036         rc = avc_has_perm(&selinux_state,
2037                           sid, isec->sid, isec->sclass, av, &ad);
2038         return rc;
2039 }
2040
2041 static inline int may_rename(struct inode *old_dir,
2042                              struct dentry *old_dentry,
2043                              struct inode *new_dir,
2044                              struct dentry *new_dentry)
2045 {
2046         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2047         struct common_audit_data ad;
2048         u32 sid = current_sid();
2049         u32 av;
2050         int old_is_dir, new_is_dir;
2051         int rc;
2052
2053         old_dsec = inode_security(old_dir);
2054         old_isec = backing_inode_security(old_dentry);
2055         old_is_dir = d_is_dir(old_dentry);
2056         new_dsec = inode_security(new_dir);
2057
2058         ad.type = LSM_AUDIT_DATA_DENTRY;
2059
2060         ad.u.dentry = old_dentry;
2061         rc = avc_has_perm(&selinux_state,
2062                           sid, old_dsec->sid, SECCLASS_DIR,
2063                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2064         if (rc)
2065                 return rc;
2066         rc = avc_has_perm(&selinux_state,
2067                           sid, old_isec->sid,
2068                           old_isec->sclass, FILE__RENAME, &ad);
2069         if (rc)
2070                 return rc;
2071         if (old_is_dir && new_dir != old_dir) {
2072                 rc = avc_has_perm(&selinux_state,
2073                                   sid, old_isec->sid,
2074                                   old_isec->sclass, DIR__REPARENT, &ad);
2075                 if (rc)
2076                         return rc;
2077         }
2078
2079         ad.u.dentry = new_dentry;
2080         av = DIR__ADD_NAME | DIR__SEARCH;
2081         if (d_is_positive(new_dentry))
2082                 av |= DIR__REMOVE_NAME;
2083         rc = avc_has_perm(&selinux_state,
2084                           sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2085         if (rc)
2086                 return rc;
2087         if (d_is_positive(new_dentry)) {
2088                 new_isec = backing_inode_security(new_dentry);
2089                 new_is_dir = d_is_dir(new_dentry);
2090                 rc = avc_has_perm(&selinux_state,
2091                                   sid, new_isec->sid,
2092                                   new_isec->sclass,
2093                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2094                 if (rc)
2095                         return rc;
2096         }
2097
2098         return 0;
2099 }
2100
2101 /* Check whether a task can perform a filesystem operation. */
2102 static int superblock_has_perm(const struct cred *cred,
2103                                struct super_block *sb,
2104                                u32 perms,
2105                                struct common_audit_data *ad)
2106 {
2107         struct superblock_security_struct *sbsec;
2108         u32 sid = cred_sid(cred);
2109
2110         sbsec = sb->s_security;
2111         return avc_has_perm(&selinux_state,
2112                             sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2113 }
2114
2115 /* Convert a Linux mode and permission mask to an access vector. */
2116 static inline u32 file_mask_to_av(int mode, int mask)
2117 {
2118         u32 av = 0;
2119
2120         if (!S_ISDIR(mode)) {
2121                 if (mask & MAY_EXEC)
2122                         av |= FILE__EXECUTE;
2123                 if (mask & MAY_READ)
2124                         av |= FILE__READ;
2125
2126                 if (mask & MAY_APPEND)
2127                         av |= FILE__APPEND;
2128                 else if (mask & MAY_WRITE)
2129                         av |= FILE__WRITE;
2130
2131         } else {
2132                 if (mask & MAY_EXEC)
2133                         av |= DIR__SEARCH;
2134                 if (mask & MAY_WRITE)
2135                         av |= DIR__WRITE;
2136                 if (mask & MAY_READ)
2137                         av |= DIR__READ;
2138         }
2139
2140         return av;
2141 }
2142
2143 /* Convert a Linux file to an access vector. */
2144 static inline u32 file_to_av(struct file *file)
2145 {
2146         u32 av = 0;
2147
2148         if (file->f_mode & FMODE_READ)
2149                 av |= FILE__READ;
2150         if (file->f_mode & FMODE_WRITE) {
2151                 if (file->f_flags & O_APPEND)
2152                         av |= FILE__APPEND;
2153                 else
2154                         av |= FILE__WRITE;
2155         }
2156         if (!av) {
2157                 /*
2158                  * Special file opened with flags 3 for ioctl-only use.
2159                  */
2160                 av = FILE__IOCTL;
2161         }
2162
2163         return av;
2164 }
2165
2166 /*
2167  * Convert a file to an access vector and include the correct open
2168  * open permission.
2169  */
2170 static inline u32 open_file_to_av(struct file *file)
2171 {
2172         u32 av = file_to_av(file);
2173         struct inode *inode = file_inode(file);
2174
2175         if (selinux_policycap_openperm() &&
2176             inode->i_sb->s_magic != SOCKFS_MAGIC)
2177                 av |= FILE__OPEN;
2178
2179         return av;
2180 }
2181
2182 /* Hook functions begin here. */
2183
2184 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2185 {
2186         u32 mysid = current_sid();
2187         u32 mgrsid = task_sid(mgr);
2188
2189         return avc_has_perm(&selinux_state,
2190                             mysid, mgrsid, SECCLASS_BINDER,
2191                             BINDER__SET_CONTEXT_MGR, NULL);
2192 }
2193
2194 static int selinux_binder_transaction(struct task_struct *from,
2195                                       struct task_struct *to)
2196 {
2197         u32 mysid = current_sid();
2198         u32 fromsid = task_sid(from);
2199         u32 tosid = task_sid(to);
2200         int rc;
2201
2202         if (mysid != fromsid) {
2203                 rc = avc_has_perm(&selinux_state,
2204                                   mysid, fromsid, SECCLASS_BINDER,
2205                                   BINDER__IMPERSONATE, NULL);
2206                 if (rc)
2207                         return rc;
2208         }
2209
2210         return avc_has_perm(&selinux_state,
2211                             fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2212                             NULL);
2213 }
2214
2215 static int selinux_binder_transfer_binder(struct task_struct *from,
2216                                           struct task_struct *to)
2217 {
2218         u32 fromsid = task_sid(from);
2219         u32 tosid = task_sid(to);
2220
2221         return avc_has_perm(&selinux_state,
2222                             fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2223                             NULL);
2224 }
2225
2226 static int selinux_binder_transfer_file(struct task_struct *from,
2227                                         struct task_struct *to,
2228                                         struct file *file)
2229 {
2230         u32 sid = task_sid(to);
2231         struct file_security_struct *fsec = file->f_security;
2232         struct dentry *dentry = file->f_path.dentry;
2233         struct inode_security_struct *isec;
2234         struct common_audit_data ad;
2235         int rc;
2236
2237         ad.type = LSM_AUDIT_DATA_PATH;
2238         ad.u.path = file->f_path;
2239
2240         if (sid != fsec->sid) {
2241                 rc = avc_has_perm(&selinux_state,
2242                                   sid, fsec->sid,
2243                                   SECCLASS_FD,
2244                                   FD__USE,
2245                                   &ad);
2246                 if (rc)
2247                         return rc;
2248         }
2249
2250 #ifdef CONFIG_BPF_SYSCALL
2251         rc = bpf_fd_pass(file, sid);
2252         if (rc)
2253                 return rc;
2254 #endif
2255
2256         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2257                 return 0;
2258
2259         isec = backing_inode_security(dentry);
2260         return avc_has_perm(&selinux_state,
2261                             sid, isec->sid, isec->sclass, file_to_av(file),
2262                             &ad);
2263 }
2264
2265 static int selinux_ptrace_access_check(struct task_struct *child,
2266                                      unsigned int mode)
2267 {
2268         u32 sid = current_sid();
2269         u32 csid = task_sid(child);
2270
2271         if (mode & PTRACE_MODE_READ)
2272                 return avc_has_perm(&selinux_state,
2273                                     sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2274
2275         return avc_has_perm(&selinux_state,
2276                             sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2277 }
2278
2279 static int selinux_ptrace_traceme(struct task_struct *parent)
2280 {
2281         return avc_has_perm(&selinux_state,
2282                             task_sid(parent), current_sid(), SECCLASS_PROCESS,
2283                             PROCESS__PTRACE, NULL);
2284 }
2285
2286 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2287                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2288 {
2289         return avc_has_perm(&selinux_state,
2290                             current_sid(), task_sid(target), SECCLASS_PROCESS,
2291                             PROCESS__GETCAP, NULL);
2292 }
2293
2294 static int selinux_capset(struct cred *new, const struct cred *old,
2295                           const kernel_cap_t *effective,
2296                           const kernel_cap_t *inheritable,
2297                           const kernel_cap_t *permitted)
2298 {
2299         return avc_has_perm(&selinux_state,
2300                             cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2301                             PROCESS__SETCAP, NULL);
2302 }
2303
2304 /*
2305  * (This comment used to live with the selinux_task_setuid hook,
2306  * which was removed).
2307  *
2308  * Since setuid only affects the current process, and since the SELinux
2309  * controls are not based on the Linux identity attributes, SELinux does not
2310  * need to control this operation.  However, SELinux does control the use of
2311  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2312  */
2313
2314 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2315                            int cap, int audit)
2316 {
2317         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2318 }
2319
2320 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2321 {
2322         const struct cred *cred = current_cred();
2323         int rc = 0;
2324
2325         if (!sb)
2326                 return 0;
2327
2328         switch (cmds) {
2329         case Q_SYNC:
2330         case Q_QUOTAON:
2331         case Q_QUOTAOFF:
2332         case Q_SETINFO:
2333         case Q_SETQUOTA:
2334                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2335                 break;
2336         case Q_GETFMT:
2337         case Q_GETINFO:
2338         case Q_GETQUOTA:
2339                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2340                 break;
2341         default:
2342                 rc = 0;  /* let the kernel handle invalid cmds */
2343                 break;
2344         }
2345         return rc;
2346 }
2347
2348 static int selinux_quota_on(struct dentry *dentry)
2349 {
2350         const struct cred *cred = current_cred();
2351
2352         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2353 }
2354
2355 static int selinux_syslog(int type)
2356 {
2357         switch (type) {
2358         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2359         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2360                 return avc_has_perm(&selinux_state,
2361                                     current_sid(), SECINITSID_KERNEL,
2362                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2363         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2364         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2365         /* Set level of messages printed to console */
2366         case SYSLOG_ACTION_CONSOLE_LEVEL:
2367                 return avc_has_perm(&selinux_state,
2368                                     current_sid(), SECINITSID_KERNEL,
2369                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2370                                     NULL);
2371         }
2372         /* All other syslog types */
2373         return avc_has_perm(&selinux_state,
2374                             current_sid(), SECINITSID_KERNEL,
2375                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2376 }
2377
2378 /*
2379  * Check that a process has enough memory to allocate a new virtual
2380  * mapping. 0 means there is enough memory for the allocation to
2381  * succeed and -ENOMEM implies there is not.
2382  *
2383  * Do not audit the selinux permission check, as this is applied to all
2384  * processes that allocate mappings.
2385  */
2386 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2387 {
2388         int rc, cap_sys_admin = 0;
2389
2390         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2391                                  SECURITY_CAP_NOAUDIT, true);
2392         if (rc == 0)
2393                 cap_sys_admin = 1;
2394
2395         return cap_sys_admin;
2396 }
2397
2398 /* binprm security operations */
2399
2400 static u32 ptrace_parent_sid(void)
2401 {
2402         u32 sid = 0;
2403         struct task_struct *tracer;
2404
2405         rcu_read_lock();
2406         tracer = ptrace_parent(current);
2407         if (tracer)
2408                 sid = task_sid(tracer);
2409         rcu_read_unlock();
2410
2411         return sid;
2412 }
2413
2414 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2415                             const struct task_security_struct *old_tsec,
2416                             const struct task_security_struct *new_tsec)
2417 {
2418         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2419         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2420         int rc;
2421         u32 av;
2422
2423         if (!nnp && !nosuid)
2424                 return 0; /* neither NNP nor nosuid */
2425
2426         if (new_tsec->sid == old_tsec->sid)
2427                 return 0; /* No change in credentials */
2428
2429         /*
2430          * If the policy enables the nnp_nosuid_transition policy capability,
2431          * then we permit transitions under NNP or nosuid if the
2432          * policy allows the corresponding permission between
2433          * the old and new contexts.
2434          */
2435         if (selinux_policycap_nnp_nosuid_transition()) {
2436                 av = 0;
2437                 if (nnp)
2438                         av |= PROCESS2__NNP_TRANSITION;
2439                 if (nosuid)
2440                         av |= PROCESS2__NOSUID_TRANSITION;
2441                 rc = avc_has_perm(&selinux_state,
2442                                   old_tsec->sid, new_tsec->sid,
2443                                   SECCLASS_PROCESS2, av, NULL);
2444                 if (!rc)
2445                         return 0;
2446         }
2447
2448         /*
2449          * We also permit NNP or nosuid transitions to bounded SIDs,
2450          * i.e. SIDs that are guaranteed to only be allowed a subset
2451          * of the permissions of the current SID.
2452          */
2453         rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2454                                          new_tsec->sid);
2455         if (!rc)
2456                 return 0;
2457
2458         /*
2459          * On failure, preserve the errno values for NNP vs nosuid.
2460          * NNP:  Operation not permitted for caller.
2461          * nosuid:  Permission denied to file.
2462          */
2463         if (nnp)
2464                 return -EPERM;
2465         return -EACCES;
2466 }
2467
2468 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2469 {
2470         const struct task_security_struct *old_tsec;
2471         struct task_security_struct *new_tsec;
2472         struct inode_security_struct *isec;
2473         struct common_audit_data ad;
2474         struct inode *inode = file_inode(bprm->file);
2475         int rc;
2476
2477         /* SELinux context only depends on initial program or script and not
2478          * the script interpreter */
2479         if (bprm->called_set_creds)
2480                 return 0;
2481
2482         old_tsec = current_security();
2483         new_tsec = bprm->cred->security;
2484         isec = inode_security(inode);
2485
2486         /* Default to the current task SID. */
2487         new_tsec->sid = old_tsec->sid;
2488         new_tsec->osid = old_tsec->sid;
2489
2490         /* Reset fs, key, and sock SIDs on execve. */
2491         new_tsec->create_sid = 0;
2492         new_tsec->keycreate_sid = 0;
2493         new_tsec->sockcreate_sid = 0;
2494
2495         if (old_tsec->exec_sid) {
2496                 new_tsec->sid = old_tsec->exec_sid;
2497                 /* Reset exec SID on execve. */
2498                 new_tsec->exec_sid = 0;
2499
2500                 /* Fail on NNP or nosuid if not an allowed transition. */
2501                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2502                 if (rc)
2503                         return rc;
2504         } else {
2505                 /* Check for a default transition on this program. */
2506                 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2507                                              isec->sid, SECCLASS_PROCESS, NULL,
2508                                              &new_tsec->sid);
2509                 if (rc)
2510                         return rc;
2511
2512                 /*
2513                  * Fallback to old SID on NNP or nosuid if not an allowed
2514                  * transition.
2515                  */
2516                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2517                 if (rc)
2518                         new_tsec->sid = old_tsec->sid;
2519         }
2520
2521         ad.type = LSM_AUDIT_DATA_FILE;
2522         ad.u.file = bprm->file;
2523
2524         if (new_tsec->sid == old_tsec->sid) {
2525                 rc = avc_has_perm(&selinux_state,
2526                                   old_tsec->sid, isec->sid,
2527                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2528                 if (rc)
2529                         return rc;
2530         } else {
2531                 /* Check permissions for the transition. */
2532                 rc = avc_has_perm(&selinux_state,
2533                                   old_tsec->sid, new_tsec->sid,
2534                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2535                 if (rc)
2536                         return rc;
2537
2538                 rc = avc_has_perm(&selinux_state,
2539                                   new_tsec->sid, isec->sid,
2540                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2541                 if (rc)
2542                         return rc;
2543
2544                 /* Check for shared state */
2545                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2546                         rc = avc_has_perm(&selinux_state,
2547                                           old_tsec->sid, new_tsec->sid,
2548                                           SECCLASS_PROCESS, PROCESS__SHARE,
2549                                           NULL);
2550                         if (rc)
2551                                 return -EPERM;
2552                 }
2553
2554                 /* Make sure that anyone attempting to ptrace over a task that
2555                  * changes its SID has the appropriate permit */
2556                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2557                         u32 ptsid = ptrace_parent_sid();
2558                         if (ptsid != 0) {
2559                                 rc = avc_has_perm(&selinux_state,
2560                                                   ptsid, new_tsec->sid,
2561                                                   SECCLASS_PROCESS,
2562                                                   PROCESS__PTRACE, NULL);
2563                                 if (rc)
2564                                         return -EPERM;
2565                         }
2566                 }
2567
2568                 /* Clear any possibly unsafe personality bits on exec: */
2569                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2570
2571                 /* Enable secure mode for SIDs transitions unless
2572                    the noatsecure permission is granted between
2573                    the two SIDs, i.e. ahp returns 0. */
2574                 rc = avc_has_perm(&selinux_state,
2575                                   old_tsec->sid, new_tsec->sid,
2576                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2577                                   NULL);
2578                 bprm->secureexec |= !!rc;
2579         }
2580
2581         return 0;
2582 }
2583
2584 static int match_file(const void *p, struct file *file, unsigned fd)
2585 {
2586         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2587 }
2588
2589 /* Derived from fs/exec.c:flush_old_files. */
2590 static inline void flush_unauthorized_files(const struct cred *cred,
2591                                             struct files_struct *files)
2592 {
2593         struct file *file, *devnull = NULL;
2594         struct tty_struct *tty;
2595         int drop_tty = 0;
2596         unsigned n;
2597
2598         tty = get_current_tty();
2599         if (tty) {
2600                 spin_lock(&tty->files_lock);
2601                 if (!list_empty(&tty->tty_files)) {
2602                         struct tty_file_private *file_priv;
2603
2604                         /* Revalidate access to controlling tty.
2605                            Use file_path_has_perm on the tty path directly
2606                            rather than using file_has_perm, as this particular
2607                            open file may belong to another process and we are
2608                            only interested in the inode-based check here. */
2609                         file_priv = list_first_entry(&tty->tty_files,
2610                                                 struct tty_file_private, list);
2611                         file = file_priv->file;
2612                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2613                                 drop_tty = 1;
2614                 }
2615                 spin_unlock(&tty->files_lock);
2616                 tty_kref_put(tty);
2617         }
2618         /* Reset controlling tty. */
2619         if (drop_tty)
2620                 no_tty();
2621
2622         /* Revalidate access to inherited open files. */
2623         n = iterate_fd(files, 0, match_file, cred);
2624         if (!n) /* none found? */
2625                 return;
2626
2627         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2628         if (IS_ERR(devnull))
2629                 devnull = NULL;
2630         /* replace all the matching ones with this */
2631         do {
2632                 replace_fd(n - 1, devnull, 0);
2633         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2634         if (devnull)
2635                 fput(devnull);
2636 }
2637
2638 /*
2639  * Prepare a process for imminent new credential changes due to exec
2640  */
2641 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2642 {
2643         struct task_security_struct *new_tsec;
2644         struct rlimit *rlim, *initrlim;
2645         int rc, i;
2646
2647         new_tsec = bprm->cred->security;
2648         if (new_tsec->sid == new_tsec->osid)
2649                 return;
2650
2651         /* Close files for which the new task SID is not authorized. */
2652         flush_unauthorized_files(bprm->cred, current->files);
2653
2654         /* Always clear parent death signal on SID transitions. */
2655         current->pdeath_signal = 0;
2656
2657         /* Check whether the new SID can inherit resource limits from the old
2658          * SID.  If not, reset all soft limits to the lower of the current
2659          * task's hard limit and the init task's soft limit.
2660          *
2661          * Note that the setting of hard limits (even to lower them) can be
2662          * controlled by the setrlimit check.  The inclusion of the init task's
2663          * soft limit into the computation is to avoid resetting soft limits
2664          * higher than the default soft limit for cases where the default is
2665          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2666          */
2667         rc = avc_has_perm(&selinux_state,
2668                           new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2669                           PROCESS__RLIMITINH, NULL);
2670         if (rc) {
2671                 /* protect against do_prlimit() */
2672                 task_lock(current);
2673                 for (i = 0; i < RLIM_NLIMITS; i++) {
2674                         rlim = current->signal->rlim + i;
2675                         initrlim = init_task.signal->rlim + i;
2676                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2677                 }
2678                 task_unlock(current);
2679                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2680                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2681         }
2682 }
2683
2684 /*
2685  * Clean up the process immediately after the installation of new credentials
2686  * due to exec
2687  */
2688 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2689 {
2690         const struct task_security_struct *tsec = current_security();
2691         struct itimerval itimer;
2692         u32 osid, sid;
2693         int rc, i;
2694
2695         osid = tsec->osid;
2696         sid = tsec->sid;
2697
2698         if (sid == osid)
2699                 return;
2700
2701         /* Check whether the new SID can inherit signal state from the old SID.
2702          * If not, clear itimers to avoid subsequent signal generation and
2703          * flush and unblock signals.
2704          *
2705          * This must occur _after_ the task SID has been updated so that any
2706          * kill done after the flush will be checked against the new SID.
2707          */
2708         rc = avc_has_perm(&selinux_state,
2709                           osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2710         if (rc) {
2711                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2712                         memset(&itimer, 0, sizeof itimer);
2713                         for (i = 0; i < 3; i++)
2714                                 do_setitimer(i, &itimer, NULL);
2715                 }
2716                 spin_lock_irq(&current->sighand->siglock);
2717                 if (!fatal_signal_pending(current)) {
2718                         flush_sigqueue(&current->pending);
2719                         flush_sigqueue(&current->signal->shared_pending);
2720                         flush_signal_handlers(current, 1);
2721                         sigemptyset(&current->blocked);
2722                         recalc_sigpending();
2723                 }
2724                 spin_unlock_irq(&current->sighand->siglock);
2725         }
2726
2727         /* Wake up the parent if it is waiting so that it can recheck
2728          * wait permission to the new task SID. */
2729         read_lock(&tasklist_lock);
2730         __wake_up_parent(current, current->real_parent);
2731         read_unlock(&tasklist_lock);
2732 }
2733
2734 /* superblock security operations */
2735
2736 static int selinux_sb_alloc_security(struct super_block *sb)
2737 {
2738         return superblock_alloc_security(sb);
2739 }
2740
2741 static void selinux_sb_free_security(struct super_block *sb)
2742 {
2743         superblock_free_security(sb);
2744 }
2745
2746 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2747 {
2748         if (plen > olen)
2749                 return 0;
2750
2751         return !memcmp(prefix, option, plen);
2752 }
2753
2754 static inline int selinux_option(char *option, int len)
2755 {
2756         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2757                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2758                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2759                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2760                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2761 }
2762
2763 static inline void take_option(char **to, char *from, int *first, int len)
2764 {
2765         if (!*first) {
2766                 **to = ',';
2767                 *to += 1;
2768         } else
2769                 *first = 0;
2770         memcpy(*to, from, len);
2771         *to += len;
2772 }
2773
2774 static inline void take_selinux_option(char **to, char *from, int *first,
2775                                        int len)
2776 {
2777         int current_size = 0;
2778
2779         if (!*first) {
2780                 **to = '|';
2781                 *to += 1;
2782         } else
2783                 *first = 0;
2784
2785         while (current_size < len) {
2786                 if (*from != '"') {
2787                         **to = *from;
2788                         *to += 1;
2789                 }
2790                 from += 1;
2791                 current_size += 1;
2792         }
2793 }
2794
2795 static int selinux_sb_copy_data(char *orig, char *copy)
2796 {
2797         int fnosec, fsec, rc = 0;
2798         char *in_save, *in_curr, *in_end;
2799         char *sec_curr, *nosec_save, *nosec;
2800         int open_quote = 0;
2801
2802         in_curr = orig;
2803         sec_curr = copy;
2804
2805         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2806         if (!nosec) {
2807                 rc = -ENOMEM;
2808                 goto out;
2809         }
2810
2811         nosec_save = nosec;
2812         fnosec = fsec = 1;
2813         in_save = in_end = orig;
2814
2815         do {
2816                 if (*in_end == '"')
2817                         open_quote = !open_quote;
2818                 if ((*in_end == ',' && open_quote == 0) ||
2819                                 *in_end == '\0') {
2820                         int len = in_end - in_curr;
2821
2822                         if (selinux_option(in_curr, len))
2823                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2824                         else
2825                                 take_option(&nosec, in_curr, &fnosec, len);
2826
2827                         in_curr = in_end + 1;
2828                 }
2829         } while (*in_end++);
2830
2831         strcpy(in_save, nosec_save);
2832         free_page((unsigned long)nosec_save);
2833 out:
2834         return rc;
2835 }
2836
2837 static int selinux_sb_remount(struct super_block *sb, void *data)
2838 {
2839         int rc, i, *flags;
2840         struct security_mnt_opts opts;
2841         char *secdata, **mount_options;
2842         struct superblock_security_struct *sbsec = sb->s_security;
2843
2844         if (!(sbsec->flags & SE_SBINITIALIZED))
2845                 return 0;
2846
2847         if (!data)
2848                 return 0;
2849
2850         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2851                 return 0;
2852
2853         security_init_mnt_opts(&opts);
2854         secdata = alloc_secdata();
2855         if (!secdata)
2856                 return -ENOMEM;
2857         rc = selinux_sb_copy_data(data, secdata);
2858         if (rc)
2859                 goto out_free_secdata;
2860
2861         rc = selinux_parse_opts_str(secdata, &opts);
2862         if (rc)
2863                 goto out_free_secdata;
2864
2865         mount_options = opts.mnt_opts;
2866         flags = opts.mnt_opts_flags;
2867
2868         for (i = 0; i < opts.num_mnt_opts; i++) {
2869                 u32 sid;
2870
2871                 if (flags[i] == SBLABEL_MNT)
2872                         continue;
2873                 rc = security_context_str_to_sid(&selinux_state,
2874                                                  mount_options[i], &sid,
2875                                                  GFP_KERNEL);
2876                 if (rc) {
2877                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2878                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2879                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2880                         goto out_free_opts;
2881                 }
2882                 rc = -EINVAL;
2883                 switch (flags[i]) {
2884                 case FSCONTEXT_MNT:
2885                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2886                                 goto out_bad_option;
2887                         break;
2888                 case CONTEXT_MNT:
2889                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2890                                 goto out_bad_option;
2891                         break;
2892                 case ROOTCONTEXT_MNT: {
2893                         struct inode_security_struct *root_isec;
2894                         root_isec = backing_inode_security(sb->s_root);
2895
2896                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2897                                 goto out_bad_option;
2898                         break;
2899                 }
2900                 case DEFCONTEXT_MNT:
2901                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2902                                 goto out_bad_option;
2903                         break;
2904                 default:
2905                         goto out_free_opts;
2906                 }
2907         }
2908
2909         rc = 0;
2910 out_free_opts:
2911         security_free_mnt_opts(&opts);
2912 out_free_secdata:
2913         free_secdata(secdata);
2914         return rc;
2915 out_bad_option:
2916         printk(KERN_WARNING "SELinux: unable to change security options "
2917                "during remount (dev %s, type=%s)\n", sb->s_id,
2918                sb->s_type->name);
2919         goto out_free_opts;
2920 }
2921
2922 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2923 {
2924         const struct cred *cred = current_cred();
2925         struct common_audit_data ad;
2926         int rc;
2927
2928         rc = superblock_doinit(sb, data);
2929         if (rc)
2930                 return rc;
2931
2932         /* Allow all mounts performed by the kernel */
2933         if (flags & MS_KERNMOUNT)
2934                 return 0;
2935
2936         ad.type = LSM_AUDIT_DATA_DENTRY;
2937         ad.u.dentry = sb->s_root;
2938         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2939 }
2940
2941 static int selinux_sb_statfs(struct dentry *dentry)
2942 {
2943         const struct cred *cred = current_cred();
2944         struct common_audit_data ad;
2945
2946         ad.type = LSM_AUDIT_DATA_DENTRY;
2947         ad.u.dentry = dentry->d_sb->s_root;
2948         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2949 }
2950
2951 static int selinux_mount(const char *dev_name,
2952                          const struct path *path,
2953                          const char *type,
2954                          unsigned long flags,
2955                          void *data)
2956 {
2957         const struct cred *cred = current_cred();
2958
2959         if (flags & MS_REMOUNT)
2960                 return superblock_has_perm(cred, path->dentry->d_sb,
2961                                            FILESYSTEM__REMOUNT, NULL);
2962         else
2963                 return path_has_perm(cred, path, FILE__MOUNTON);
2964 }
2965
2966 static int selinux_umount(struct vfsmount *mnt, int flags)
2967 {
2968         const struct cred *cred = current_cred();
2969
2970         return superblock_has_perm(cred, mnt->mnt_sb,
2971                                    FILESYSTEM__UNMOUNT, NULL);
2972 }
2973
2974 /* inode security operations */
2975
2976 static int selinux_inode_alloc_security(struct inode *inode)
2977 {
2978         return inode_alloc_security(inode);
2979 }
2980
2981 static void selinux_inode_free_security(struct inode *inode)
2982 {
2983         inode_free_security(inode);
2984 }
2985
2986 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2987                                         const struct qstr *name, void **ctx,
2988                                         u32 *ctxlen)
2989 {
2990         u32 newsid;
2991         int rc;
2992
2993         rc = selinux_determine_inode_label(current_security(),
2994                                            d_inode(dentry->d_parent), name,
2995                                            inode_mode_to_security_class(mode),
2996                                            &newsid);
2997         if (rc)
2998                 return rc;
2999
3000         return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3001                                        ctxlen);
3002 }
3003
3004 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3005                                           struct qstr *name,
3006                                           const struct cred *old,
3007                                           struct cred *new)
3008 {
3009         u32 newsid;
3010         int rc;
3011         struct task_security_struct *tsec;
3012
3013         rc = selinux_determine_inode_label(old->security,
3014                                            d_inode(dentry->d_parent), name,
3015                                            inode_mode_to_security_class(mode),
3016                                            &newsid);
3017         if (rc)
3018                 return rc;
3019
3020         tsec = new->security;
3021         tsec->create_sid = newsid;
3022         return 0;
3023 }
3024
3025 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3026                                        const struct qstr *qstr,
3027                                        const char **name,
3028                                        void **value, size_t *len)
3029 {
3030         const struct task_security_struct *tsec = current_security();
3031         struct superblock_security_struct *sbsec;
3032         u32 newsid, clen;
3033         int rc;
3034         char *context;
3035
3036         sbsec = dir->i_sb->s_security;
3037
3038         newsid = tsec->create_sid;
3039
3040         rc = selinux_determine_inode_label(current_security(),
3041                 dir, qstr,
3042                 inode_mode_to_security_class(inode->i_mode),
3043                 &newsid);
3044         if (rc)
3045                 return rc;
3046
3047         /* Possibly defer initialization to selinux_complete_init. */
3048         if (sbsec->flags & SE_SBINITIALIZED) {
3049                 struct inode_security_struct *isec = inode->i_security;
3050                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3051                 isec->sid = newsid;
3052                 isec->initialized = LABEL_INITIALIZED;
3053         }
3054
3055         if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3056                 return -EOPNOTSUPP;
3057
3058         if (name)
3059                 *name = XATTR_SELINUX_SUFFIX;
3060
3061         if (value && len) {
3062                 rc = security_sid_to_context_force(&selinux_state, newsid,
3063                                                    &context, &clen);
3064                 if (rc)
3065                         return rc;
3066                 *value = context;
3067                 *len = clen;
3068         }
3069
3070         return 0;
3071 }
3072
3073 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3074 {
3075         return may_create(dir, dentry, SECCLASS_FILE);
3076 }
3077
3078 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3079 {
3080         return may_link(dir, old_dentry, MAY_LINK);
3081 }
3082
3083 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3084 {
3085         return may_link(dir, dentry, MAY_UNLINK);
3086 }
3087
3088 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3089 {
3090         return may_create(dir, dentry, SECCLASS_LNK_FILE);
3091 }
3092
3093 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3094 {
3095         return may_create(dir, dentry, SECCLASS_DIR);
3096 }
3097
3098 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3099 {
3100         return may_link(dir, dentry, MAY_RMDIR);
3101 }
3102
3103 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3104 {
3105         return may_create(dir, dentry, inode_mode_to_security_class(mode));
3106 }
3107
3108 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3109                                 struct inode *new_inode, struct dentry *new_dentry)
3110 {
3111         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3112 }
3113
3114 static int selinux_inode_readlink(struct dentry *dentry)
3115 {
3116         const struct cred *cred = current_cred();
3117
3118         return dentry_has_perm(cred, dentry, FILE__READ);
3119 }
3120
3121 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3122                                      bool rcu)
3123 {
3124         const struct cred *cred = current_cred();
3125         struct common_audit_data ad;
3126         struct inode_security_struct *isec;
3127         u32 sid;
3128
3129         validate_creds(cred);
3130
3131         ad.type = LSM_AUDIT_DATA_DENTRY;
3132         ad.u.dentry = dentry;
3133         sid = cred_sid(cred);
3134         isec = inode_security_rcu(inode, rcu);
3135         if (IS_ERR(isec))
3136                 return PTR_ERR(isec);
3137
3138         return avc_has_perm_flags(&selinux_state,
3139                                   sid, isec->sid, isec->sclass, FILE__READ, &ad,
3140                                   rcu ? MAY_NOT_BLOCK : 0);
3141 }
3142
3143 static noinline int audit_inode_permission(struct inode *inode,
3144                                            u32 perms, u32 audited, u32 denied,
3145                                            int result,
3146                                            unsigned flags)
3147 {
3148         struct common_audit_data ad;
3149         struct inode_security_struct *isec = inode->i_security;
3150         int rc;
3151
3152         ad.type = LSM_AUDIT_DATA_INODE;
3153         ad.u.inode = inode;
3154
3155         rc = slow_avc_audit(&selinux_state,
3156                             current_sid(), isec->sid, isec->sclass, perms,
3157                             audited, denied, result, &ad, flags);
3158         if (rc)
3159                 return rc;
3160         return 0;
3161 }
3162
3163 static int selinux_inode_permission(struct inode *inode, int mask)
3164 {
3165         const struct cred *cred = current_cred();
3166         u32 perms;
3167         bool from_access;
3168         unsigned flags = mask & MAY_NOT_BLOCK;
3169         struct inode_security_struct *isec;
3170         u32 sid;
3171         struct av_decision avd;
3172         int rc, rc2;
3173         u32 audited, denied;
3174
3175         from_access = mask & MAY_ACCESS;
3176         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3177
3178         /* No permission to check.  Existence test. */
3179         if (!mask)
3180                 return 0;
3181
3182         validate_creds(cred);
3183
3184         if (unlikely(IS_PRIVATE(inode)))
3185                 return 0;
3186
3187         perms = file_mask_to_av(inode->i_mode, mask);
3188
3189         sid = cred_sid(cred);
3190         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3191         if (IS_ERR(isec))
3192                 return PTR_ERR(isec);
3193
3194         rc = avc_has_perm_noaudit(&selinux_state,
3195                                   sid, isec->sid, isec->sclass, perms, 0, &avd);
3196         audited = avc_audit_required(perms, &avd, rc,
3197                                      from_access ? FILE__AUDIT_ACCESS : 0,
3198                                      &denied);
3199         if (likely(!audited))
3200                 return rc;
3201
3202         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3203         if (rc2)
3204                 return rc2;
3205         return rc;
3206 }
3207
3208 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3209 {
3210         const struct cred *cred = current_cred();
3211         struct inode *inode = d_backing_inode(dentry);
3212         unsigned int ia_valid = iattr->ia_valid;
3213         __u32 av = FILE__WRITE;
3214
3215         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3216         if (ia_valid & ATTR_FORCE) {
3217                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3218                               ATTR_FORCE);
3219                 if (!ia_valid)
3220                         return 0;
3221         }
3222
3223         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3224                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3225                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3226
3227         if (selinux_policycap_openperm() &&
3228             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3229             (ia_valid & ATTR_SIZE) &&
3230             !(ia_valid & ATTR_FILE))
3231                 av |= FILE__OPEN;
3232
3233         return dentry_has_perm(cred, dentry, av);
3234 }
3235
3236 static int selinux_inode_getattr(const struct path *path)
3237 {
3238         return path_has_perm(current_cred(), path, FILE__GETATTR);
3239 }
3240
3241 static bool has_cap_mac_admin(bool audit)
3242 {
3243         const struct cred *cred = current_cred();
3244         int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3245
3246         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3247                 return false;
3248         if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3249                 return false;
3250         return true;
3251 }
3252
3253 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3254                                   const void *value, size_t size, int flags)
3255 {
3256         struct inode *inode = d_backing_inode(dentry);
3257         struct inode_security_struct *isec;
3258         struct superblock_security_struct *sbsec;
3259         struct common_audit_data ad;
3260         u32 newsid, sid = current_sid();
3261         int rc = 0;
3262
3263         if (strcmp(name, XATTR_NAME_SELINUX)) {
3264                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3265                 if (rc)
3266                         return rc;
3267
3268                 /* Not an attribute we recognize, so just check the
3269                    ordinary setattr permission. */
3270                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3271         }
3272
3273         sbsec = inode->i_sb->s_security;
3274         if (!(sbsec->flags & SBLABEL_MNT))
3275                 return -EOPNOTSUPP;
3276
3277         if (!inode_owner_or_capable(inode))
3278                 return -EPERM;
3279
3280         ad.type = LSM_AUDIT_DATA_DENTRY;
3281         ad.u.dentry = dentry;
3282
3283         isec = backing_inode_security(dentry);
3284         rc = avc_has_perm(&selinux_state,
3285                           sid, isec->sid, isec->sclass,
3286                           FILE__RELABELFROM, &ad);
3287         if (rc)
3288                 return rc;
3289
3290         rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3291                                      GFP_KERNEL);
3292         if (rc == -EINVAL) {
3293                 if (!has_cap_mac_admin(true)) {
3294                         struct audit_buffer *ab;
3295                         size_t audit_size;
3296
3297                         /* We strip a nul only if it is at the end, otherwise the
3298                          * context contains a nul and we should audit