Merge tag 'selinux-pr-20190305' of git://git.kernel.org/pub/scm/linux/kernel/git...
[muen/linux.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *      This program is free software; you can redistribute it and/or modify
23  *      it under the terms of the GNU General Public License version 2,
24  *      as published by the Free Software Foundation.
25  */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>             /* for local_port_range[] */
56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>    /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>           /* for Unix socket types */
74 #include <net/af_unix.h>        /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/mutex.h>
83 #include <linux/posix-timers.h>
84 #include <linux/syslog.h>
85 #include <linux/user_namespace.h>
86 #include <linux/export.h>
87 #include <linux/msg.h>
88 #include <linux/shm.h>
89 #include <linux/bpf.h>
90 #include <uapi/linux/mount.h>
91
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102
103 struct selinux_state selinux_state;
104
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110
111 static int __init enforcing_setup(char *str)
112 {
113         unsigned long enforcing;
114         if (!kstrtoul(str, 0, &enforcing))
115                 selinux_enforcing_boot = enforcing ? 1 : 0;
116         return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122
123 int selinux_enabled __lsm_ro_after_init = 1;
124 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
125 static int __init selinux_enabled_setup(char *str)
126 {
127         unsigned long enabled;
128         if (!kstrtoul(str, 0, &enabled))
129                 selinux_enabled = enabled ? 1 : 0;
130         return 1;
131 }
132 __setup("selinux=", selinux_enabled_setup);
133 #endif
134
135 static unsigned int selinux_checkreqprot_boot =
136         CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
137
138 static int __init checkreqprot_setup(char *str)
139 {
140         unsigned long checkreqprot;
141
142         if (!kstrtoul(str, 0, &checkreqprot))
143                 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
144         return 1;
145 }
146 __setup("checkreqprot=", checkreqprot_setup);
147
148 /**
149  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
150  *
151  * Description:
152  * This function checks the SECMARK reference counter to see if any SECMARK
153  * targets are currently configured, if the reference counter is greater than
154  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
155  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
156  * policy capability is enabled, SECMARK is always considered enabled.
157  *
158  */
159 static int selinux_secmark_enabled(void)
160 {
161         return (selinux_policycap_alwaysnetwork() ||
162                 atomic_read(&selinux_secmark_refcount));
163 }
164
165 /**
166  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
167  *
168  * Description:
169  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
170  * (1) if any are enabled or false (0) if neither are enabled.  If the
171  * always_check_network policy capability is enabled, peer labeling
172  * is always considered enabled.
173  *
174  */
175 static int selinux_peerlbl_enabled(void)
176 {
177         return (selinux_policycap_alwaysnetwork() ||
178                 netlbl_enabled() || selinux_xfrm_enabled());
179 }
180
181 static int selinux_netcache_avc_callback(u32 event)
182 {
183         if (event == AVC_CALLBACK_RESET) {
184                 sel_netif_flush();
185                 sel_netnode_flush();
186                 sel_netport_flush();
187                 synchronize_net();
188         }
189         return 0;
190 }
191
192 static int selinux_lsm_notifier_avc_callback(u32 event)
193 {
194         if (event == AVC_CALLBACK_RESET) {
195                 sel_ib_pkey_flush();
196                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
197         }
198
199         return 0;
200 }
201
202 /*
203  * initialise the security for the init task
204  */
205 static void cred_init_security(void)
206 {
207         struct cred *cred = (struct cred *) current->real_cred;
208         struct task_security_struct *tsec;
209
210         tsec = selinux_cred(cred);
211         tsec->osid = tsec->sid = SECINITSID_KERNEL;
212 }
213
214 /*
215  * get the security ID of a set of credentials
216  */
217 static inline u32 cred_sid(const struct cred *cred)
218 {
219         const struct task_security_struct *tsec;
220
221         tsec = selinux_cred(cred);
222         return tsec->sid;
223 }
224
225 /*
226  * get the objective security ID of a task
227  */
228 static inline u32 task_sid(const struct task_struct *task)
229 {
230         u32 sid;
231
232         rcu_read_lock();
233         sid = cred_sid(__task_cred(task));
234         rcu_read_unlock();
235         return sid;
236 }
237
238 /* Allocate and free functions for each kind of security blob. */
239
240 static int inode_alloc_security(struct inode *inode)
241 {
242         struct inode_security_struct *isec = selinux_inode(inode);
243         u32 sid = current_sid();
244
245         spin_lock_init(&isec->lock);
246         INIT_LIST_HEAD(&isec->list);
247         isec->inode = inode;
248         isec->sid = SECINITSID_UNLABELED;
249         isec->sclass = SECCLASS_FILE;
250         isec->task_sid = sid;
251         isec->initialized = LABEL_INVALID;
252
253         return 0;
254 }
255
256 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
257
258 /*
259  * Try reloading inode security labels that have been marked as invalid.  The
260  * @may_sleep parameter indicates when sleeping and thus reloading labels is
261  * allowed; when set to false, returns -ECHILD when the label is
262  * invalid.  The @dentry parameter should be set to a dentry of the inode.
263  */
264 static int __inode_security_revalidate(struct inode *inode,
265                                        struct dentry *dentry,
266                                        bool may_sleep)
267 {
268         struct inode_security_struct *isec = selinux_inode(inode);
269
270         might_sleep_if(may_sleep);
271
272         if (selinux_state.initialized &&
273             isec->initialized != LABEL_INITIALIZED) {
274                 if (!may_sleep)
275                         return -ECHILD;
276
277                 /*
278                  * Try reloading the inode security label.  This will fail if
279                  * @opt_dentry is NULL and no dentry for this inode can be
280                  * found; in that case, continue using the old label.
281                  */
282                 inode_doinit_with_dentry(inode, dentry);
283         }
284         return 0;
285 }
286
287 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
288 {
289         return selinux_inode(inode);
290 }
291
292 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
293 {
294         int error;
295
296         error = __inode_security_revalidate(inode, NULL, !rcu);
297         if (error)
298                 return ERR_PTR(error);
299         return selinux_inode(inode);
300 }
301
302 /*
303  * Get the security label of an inode.
304  */
305 static struct inode_security_struct *inode_security(struct inode *inode)
306 {
307         __inode_security_revalidate(inode, NULL, true);
308         return selinux_inode(inode);
309 }
310
311 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
312 {
313         struct inode *inode = d_backing_inode(dentry);
314
315         return selinux_inode(inode);
316 }
317
318 /*
319  * Get the security label of a dentry's backing inode.
320  */
321 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
322 {
323         struct inode *inode = d_backing_inode(dentry);
324
325         __inode_security_revalidate(inode, dentry, true);
326         return selinux_inode(inode);
327 }
328
329 static void inode_free_security(struct inode *inode)
330 {
331         struct inode_security_struct *isec = selinux_inode(inode);
332         struct superblock_security_struct *sbsec;
333
334         if (!isec)
335                 return;
336         sbsec = inode->i_sb->s_security;
337         /*
338          * As not all inode security structures are in a list, we check for
339          * empty list outside of the lock to make sure that we won't waste
340          * time taking a lock doing nothing.
341          *
342          * The list_del_init() function can be safely called more than once.
343          * It should not be possible for this function to be called with
344          * concurrent list_add(), but for better safety against future changes
345          * in the code, we use list_empty_careful() here.
346          */
347         if (!list_empty_careful(&isec->list)) {
348                 spin_lock(&sbsec->isec_lock);
349                 list_del_init(&isec->list);
350                 spin_unlock(&sbsec->isec_lock);
351         }
352 }
353
354 static int file_alloc_security(struct file *file)
355 {
356         struct file_security_struct *fsec = selinux_file(file);
357         u32 sid = current_sid();
358
359         fsec->sid = sid;
360         fsec->fown_sid = sid;
361
362         return 0;
363 }
364
365 static int superblock_alloc_security(struct super_block *sb)
366 {
367         struct superblock_security_struct *sbsec;
368
369         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
370         if (!sbsec)
371                 return -ENOMEM;
372
373         mutex_init(&sbsec->lock);
374         INIT_LIST_HEAD(&sbsec->isec_head);
375         spin_lock_init(&sbsec->isec_lock);
376         sbsec->sb = sb;
377         sbsec->sid = SECINITSID_UNLABELED;
378         sbsec->def_sid = SECINITSID_FILE;
379         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
380         sb->s_security = sbsec;
381
382         return 0;
383 }
384
385 static void superblock_free_security(struct super_block *sb)
386 {
387         struct superblock_security_struct *sbsec = sb->s_security;
388         sb->s_security = NULL;
389         kfree(sbsec);
390 }
391
392 struct selinux_mnt_opts {
393         const char *fscontext, *context, *rootcontext, *defcontext;
394 };
395
396 static void selinux_free_mnt_opts(void *mnt_opts)
397 {
398         struct selinux_mnt_opts *opts = mnt_opts;
399         kfree(opts->fscontext);
400         kfree(opts->context);
401         kfree(opts->rootcontext);
402         kfree(opts->defcontext);
403         kfree(opts);
404 }
405
406 static inline int inode_doinit(struct inode *inode)
407 {
408         return inode_doinit_with_dentry(inode, NULL);
409 }
410
411 enum {
412         Opt_error = -1,
413         Opt_context = 1,
414         Opt_fscontext = 2,
415         Opt_defcontext = 3,
416         Opt_rootcontext = 4,
417         Opt_seclabel = 5,
418 };
419
420 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
421 static struct {
422         const char *name;
423         int len;
424         int opt;
425         bool has_arg;
426 } tokens[] = {
427         A(context, true),
428         A(fscontext, true),
429         A(defcontext, true),
430         A(rootcontext, true),
431         A(seclabel, false),
432 };
433 #undef A
434
435 static int match_opt_prefix(char *s, int l, char **arg)
436 {
437         int i;
438
439         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
440                 size_t len = tokens[i].len;
441                 if (len > l || memcmp(s, tokens[i].name, len))
442                         continue;
443                 if (tokens[i].has_arg) {
444                         if (len == l || s[len] != '=')
445                                 continue;
446                         *arg = s + len + 1;
447                 } else if (len != l)
448                         continue;
449                 return tokens[i].opt;
450         }
451         return Opt_error;
452 }
453
454 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
455
456 static int may_context_mount_sb_relabel(u32 sid,
457                         struct superblock_security_struct *sbsec,
458                         const struct cred *cred)
459 {
460         const struct task_security_struct *tsec = selinux_cred(cred);
461         int rc;
462
463         rc = avc_has_perm(&selinux_state,
464                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465                           FILESYSTEM__RELABELFROM, NULL);
466         if (rc)
467                 return rc;
468
469         rc = avc_has_perm(&selinux_state,
470                           tsec->sid, sid, SECCLASS_FILESYSTEM,
471                           FILESYSTEM__RELABELTO, NULL);
472         return rc;
473 }
474
475 static int may_context_mount_inode_relabel(u32 sid,
476                         struct superblock_security_struct *sbsec,
477                         const struct cred *cred)
478 {
479         const struct task_security_struct *tsec = selinux_cred(cred);
480         int rc;
481         rc = avc_has_perm(&selinux_state,
482                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                           FILESYSTEM__RELABELFROM, NULL);
484         if (rc)
485                 return rc;
486
487         rc = avc_has_perm(&selinux_state,
488                           sid, sbsec->sid, SECCLASS_FILESYSTEM,
489                           FILESYSTEM__ASSOCIATE, NULL);
490         return rc;
491 }
492
493 static int selinux_is_genfs_special_handling(struct super_block *sb)
494 {
495         /* Special handling. Genfs but also in-core setxattr handler */
496         return  !strcmp(sb->s_type->name, "sysfs") ||
497                 !strcmp(sb->s_type->name, "pstore") ||
498                 !strcmp(sb->s_type->name, "debugfs") ||
499                 !strcmp(sb->s_type->name, "tracefs") ||
500                 !strcmp(sb->s_type->name, "rootfs") ||
501                 (selinux_policycap_cgroupseclabel() &&
502                  (!strcmp(sb->s_type->name, "cgroup") ||
503                   !strcmp(sb->s_type->name, "cgroup2")));
504 }
505
506 static int selinux_is_sblabel_mnt(struct super_block *sb)
507 {
508         struct superblock_security_struct *sbsec = sb->s_security;
509
510         /*
511          * IMPORTANT: Double-check logic in this function when adding a new
512          * SECURITY_FS_USE_* definition!
513          */
514         BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
515
516         switch (sbsec->behavior) {
517         case SECURITY_FS_USE_XATTR:
518         case SECURITY_FS_USE_TRANS:
519         case SECURITY_FS_USE_TASK:
520         case SECURITY_FS_USE_NATIVE:
521                 return 1;
522
523         case SECURITY_FS_USE_GENFS:
524                 return selinux_is_genfs_special_handling(sb);
525
526         /* Never allow relabeling on context mounts */
527         case SECURITY_FS_USE_MNTPOINT:
528         case SECURITY_FS_USE_NONE:
529         default:
530                 return 0;
531         }
532 }
533
534 static int sb_finish_set_opts(struct super_block *sb)
535 {
536         struct superblock_security_struct *sbsec = sb->s_security;
537         struct dentry *root = sb->s_root;
538         struct inode *root_inode = d_backing_inode(root);
539         int rc = 0;
540
541         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
542                 /* Make sure that the xattr handler exists and that no
543                    error other than -ENODATA is returned by getxattr on
544                    the root directory.  -ENODATA is ok, as this may be
545                    the first boot of the SELinux kernel before we have
546                    assigned xattr values to the filesystem. */
547                 if (!(root_inode->i_opflags & IOP_XATTR)) {
548                         pr_warn("SELinux: (dev %s, type %s) has no "
549                                "xattr support\n", sb->s_id, sb->s_type->name);
550                         rc = -EOPNOTSUPP;
551                         goto out;
552                 }
553
554                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
555                 if (rc < 0 && rc != -ENODATA) {
556                         if (rc == -EOPNOTSUPP)
557                                 pr_warn("SELinux: (dev %s, type "
558                                        "%s) has no security xattr handler\n",
559                                        sb->s_id, sb->s_type->name);
560                         else
561                                 pr_warn("SELinux: (dev %s, type "
562                                        "%s) getxattr errno %d\n", sb->s_id,
563                                        sb->s_type->name, -rc);
564                         goto out;
565                 }
566         }
567
568         sbsec->flags |= SE_SBINITIALIZED;
569
570         /*
571          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
572          * leave the flag untouched because sb_clone_mnt_opts might be handing
573          * us a superblock that needs the flag to be cleared.
574          */
575         if (selinux_is_sblabel_mnt(sb))
576                 sbsec->flags |= SBLABEL_MNT;
577         else
578                 sbsec->flags &= ~SBLABEL_MNT;
579
580         /* Initialize the root inode. */
581         rc = inode_doinit_with_dentry(root_inode, root);
582
583         /* Initialize any other inodes associated with the superblock, e.g.
584            inodes created prior to initial policy load or inodes created
585            during get_sb by a pseudo filesystem that directly
586            populates itself. */
587         spin_lock(&sbsec->isec_lock);
588         while (!list_empty(&sbsec->isec_head)) {
589                 struct inode_security_struct *isec =
590                                 list_first_entry(&sbsec->isec_head,
591                                            struct inode_security_struct, list);
592                 struct inode *inode = isec->inode;
593                 list_del_init(&isec->list);
594                 spin_unlock(&sbsec->isec_lock);
595                 inode = igrab(inode);
596                 if (inode) {
597                         if (!IS_PRIVATE(inode))
598                                 inode_doinit(inode);
599                         iput(inode);
600                 }
601                 spin_lock(&sbsec->isec_lock);
602         }
603         spin_unlock(&sbsec->isec_lock);
604 out:
605         return rc;
606 }
607
608 static int bad_option(struct superblock_security_struct *sbsec, char flag,
609                       u32 old_sid, u32 new_sid)
610 {
611         char mnt_flags = sbsec->flags & SE_MNTMASK;
612
613         /* check if the old mount command had the same options */
614         if (sbsec->flags & SE_SBINITIALIZED)
615                 if (!(sbsec->flags & flag) ||
616                     (old_sid != new_sid))
617                         return 1;
618
619         /* check if we were passed the same options twice,
620          * aka someone passed context=a,context=b
621          */
622         if (!(sbsec->flags & SE_SBINITIALIZED))
623                 if (mnt_flags & flag)
624                         return 1;
625         return 0;
626 }
627
628 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
629 {
630         int rc = security_context_str_to_sid(&selinux_state, s,
631                                              sid, GFP_KERNEL);
632         if (rc)
633                 pr_warn("SELinux: security_context_str_to_sid"
634                        "(%s) failed for (dev %s, type %s) errno=%d\n",
635                        s, sb->s_id, sb->s_type->name, rc);
636         return rc;
637 }
638
639 /*
640  * Allow filesystems with binary mount data to explicitly set mount point
641  * labeling information.
642  */
643 static int selinux_set_mnt_opts(struct super_block *sb,
644                                 void *mnt_opts,
645                                 unsigned long kern_flags,
646                                 unsigned long *set_kern_flags)
647 {
648         const struct cred *cred = current_cred();
649         struct superblock_security_struct *sbsec = sb->s_security;
650         struct dentry *root = sbsec->sb->s_root;
651         struct selinux_mnt_opts *opts = mnt_opts;
652         struct inode_security_struct *root_isec;
653         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
654         u32 defcontext_sid = 0;
655         int rc = 0;
656
657         mutex_lock(&sbsec->lock);
658
659         if (!selinux_state.initialized) {
660                 if (!opts) {
661                         /* Defer initialization until selinux_complete_init,
662                            after the initial policy is loaded and the security
663                            server is ready to handle calls. */
664                         goto out;
665                 }
666                 rc = -EINVAL;
667                 pr_warn("SELinux: Unable to set superblock options "
668                         "before the security server is initialized\n");
669                 goto out;
670         }
671         if (kern_flags && !set_kern_flags) {
672                 /* Specifying internal flags without providing a place to
673                  * place the results is not allowed */
674                 rc = -EINVAL;
675                 goto out;
676         }
677
678         /*
679          * Binary mount data FS will come through this function twice.  Once
680          * from an explicit call and once from the generic calls from the vfs.
681          * Since the generic VFS calls will not contain any security mount data
682          * we need to skip the double mount verification.
683          *
684          * This does open a hole in which we will not notice if the first
685          * mount using this sb set explict options and a second mount using
686          * this sb does not set any security options.  (The first options
687          * will be used for both mounts)
688          */
689         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
690             && !opts)
691                 goto out;
692
693         root_isec = backing_inode_security_novalidate(root);
694
695         /*
696          * parse the mount options, check if they are valid sids.
697          * also check if someone is trying to mount the same sb more
698          * than once with different security options.
699          */
700         if (opts) {
701                 if (opts->fscontext) {
702                         rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
703                         if (rc)
704                                 goto out;
705                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
706                                         fscontext_sid))
707                                 goto out_double_mount;
708                         sbsec->flags |= FSCONTEXT_MNT;
709                 }
710                 if (opts->context) {
711                         rc = parse_sid(sb, opts->context, &context_sid);
712                         if (rc)
713                                 goto out;
714                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
715                                         context_sid))
716                                 goto out_double_mount;
717                         sbsec->flags |= CONTEXT_MNT;
718                 }
719                 if (opts->rootcontext) {
720                         rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
721                         if (rc)
722                                 goto out;
723                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
724                                         rootcontext_sid))
725                                 goto out_double_mount;
726                         sbsec->flags |= ROOTCONTEXT_MNT;
727                 }
728                 if (opts->defcontext) {
729                         rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
730                         if (rc)
731                                 goto out;
732                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
733                                         defcontext_sid))
734                                 goto out_double_mount;
735                         sbsec->flags |= DEFCONTEXT_MNT;
736                 }
737         }
738
739         if (sbsec->flags & SE_SBINITIALIZED) {
740                 /* previously mounted with options, but not on this attempt? */
741                 if ((sbsec->flags & SE_MNTMASK) && !opts)
742                         goto out_double_mount;
743                 rc = 0;
744                 goto out;
745         }
746
747         if (strcmp(sb->s_type->name, "proc") == 0)
748                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
749
750         if (!strcmp(sb->s_type->name, "debugfs") ||
751             !strcmp(sb->s_type->name, "tracefs") ||
752             !strcmp(sb->s_type->name, "sysfs") ||
753             !strcmp(sb->s_type->name, "pstore") ||
754             !strcmp(sb->s_type->name, "cgroup") ||
755             !strcmp(sb->s_type->name, "cgroup2"))
756                 sbsec->flags |= SE_SBGENFS;
757
758         if (!sbsec->behavior) {
759                 /*
760                  * Determine the labeling behavior to use for this
761                  * filesystem type.
762                  */
763                 rc = security_fs_use(&selinux_state, sb);
764                 if (rc) {
765                         pr_warn("%s: security_fs_use(%s) returned %d\n",
766                                         __func__, sb->s_type->name, rc);
767                         goto out;
768                 }
769         }
770
771         /*
772          * If this is a user namespace mount and the filesystem type is not
773          * explicitly whitelisted, then no contexts are allowed on the command
774          * line and security labels must be ignored.
775          */
776         if (sb->s_user_ns != &init_user_ns &&
777             strcmp(sb->s_type->name, "tmpfs") &&
778             strcmp(sb->s_type->name, "ramfs") &&
779             strcmp(sb->s_type->name, "devpts")) {
780                 if (context_sid || fscontext_sid || rootcontext_sid ||
781                     defcontext_sid) {
782                         rc = -EACCES;
783                         goto out;
784                 }
785                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
786                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
787                         rc = security_transition_sid(&selinux_state,
788                                                      current_sid(),
789                                                      current_sid(),
790                                                      SECCLASS_FILE, NULL,
791                                                      &sbsec->mntpoint_sid);
792                         if (rc)
793                                 goto out;
794                 }
795                 goto out_set_opts;
796         }
797
798         /* sets the context of the superblock for the fs being mounted. */
799         if (fscontext_sid) {
800                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
801                 if (rc)
802                         goto out;
803
804                 sbsec->sid = fscontext_sid;
805         }
806
807         /*
808          * Switch to using mount point labeling behavior.
809          * sets the label used on all file below the mountpoint, and will set
810          * the superblock context if not already set.
811          */
812         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
813                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
814                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
815         }
816
817         if (context_sid) {
818                 if (!fscontext_sid) {
819                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
820                                                           cred);
821                         if (rc)
822                                 goto out;
823                         sbsec->sid = context_sid;
824                 } else {
825                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
826                                                              cred);
827                         if (rc)
828                                 goto out;
829                 }
830                 if (!rootcontext_sid)
831                         rootcontext_sid = context_sid;
832
833                 sbsec->mntpoint_sid = context_sid;
834                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
835         }
836
837         if (rootcontext_sid) {
838                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
839                                                      cred);
840                 if (rc)
841                         goto out;
842
843                 root_isec->sid = rootcontext_sid;
844                 root_isec->initialized = LABEL_INITIALIZED;
845         }
846
847         if (defcontext_sid) {
848                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
849                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
850                         rc = -EINVAL;
851                         pr_warn("SELinux: defcontext option is "
852                                "invalid for this filesystem type\n");
853                         goto out;
854                 }
855
856                 if (defcontext_sid != sbsec->def_sid) {
857                         rc = may_context_mount_inode_relabel(defcontext_sid,
858                                                              sbsec, cred);
859                         if (rc)
860                                 goto out;
861                 }
862
863                 sbsec->def_sid = defcontext_sid;
864         }
865
866 out_set_opts:
867         rc = sb_finish_set_opts(sb);
868 out:
869         mutex_unlock(&sbsec->lock);
870         return rc;
871 out_double_mount:
872         rc = -EINVAL;
873         pr_warn("SELinux: mount invalid.  Same superblock, different "
874                "security settings for (dev %s, type %s)\n", sb->s_id,
875                sb->s_type->name);
876         goto out;
877 }
878
879 static int selinux_cmp_sb_context(const struct super_block *oldsb,
880                                     const struct super_block *newsb)
881 {
882         struct superblock_security_struct *old = oldsb->s_security;
883         struct superblock_security_struct *new = newsb->s_security;
884         char oldflags = old->flags & SE_MNTMASK;
885         char newflags = new->flags & SE_MNTMASK;
886
887         if (oldflags != newflags)
888                 goto mismatch;
889         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
890                 goto mismatch;
891         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
892                 goto mismatch;
893         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
894                 goto mismatch;
895         if (oldflags & ROOTCONTEXT_MNT) {
896                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
897                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
898                 if (oldroot->sid != newroot->sid)
899                         goto mismatch;
900         }
901         return 0;
902 mismatch:
903         pr_warn("SELinux: mount invalid.  Same superblock, "
904                             "different security settings for (dev %s, "
905                             "type %s)\n", newsb->s_id, newsb->s_type->name);
906         return -EBUSY;
907 }
908
909 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
910                                         struct super_block *newsb,
911                                         unsigned long kern_flags,
912                                         unsigned long *set_kern_flags)
913 {
914         int rc = 0;
915         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
916         struct superblock_security_struct *newsbsec = newsb->s_security;
917
918         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
919         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
920         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
921
922         /*
923          * if the parent was able to be mounted it clearly had no special lsm
924          * mount options.  thus we can safely deal with this superblock later
925          */
926         if (!selinux_state.initialized)
927                 return 0;
928
929         /*
930          * Specifying internal flags without providing a place to
931          * place the results is not allowed.
932          */
933         if (kern_flags && !set_kern_flags)
934                 return -EINVAL;
935
936         /* how can we clone if the old one wasn't set up?? */
937         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
938
939         /* if fs is reusing a sb, make sure that the contexts match */
940         if (newsbsec->flags & SE_SBINITIALIZED)
941                 return selinux_cmp_sb_context(oldsb, newsb);
942
943         mutex_lock(&newsbsec->lock);
944
945         newsbsec->flags = oldsbsec->flags;
946
947         newsbsec->sid = oldsbsec->sid;
948         newsbsec->def_sid = oldsbsec->def_sid;
949         newsbsec->behavior = oldsbsec->behavior;
950
951         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
953                 rc = security_fs_use(&selinux_state, newsb);
954                 if (rc)
955                         goto out;
956         }
957
958         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
961         }
962
963         if (set_context) {
964                 u32 sid = oldsbsec->mntpoint_sid;
965
966                 if (!set_fscontext)
967                         newsbsec->sid = sid;
968                 if (!set_rootcontext) {
969                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
970                         newisec->sid = sid;
971                 }
972                 newsbsec->mntpoint_sid = sid;
973         }
974         if (set_rootcontext) {
975                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
977
978                 newisec->sid = oldisec->sid;
979         }
980
981         sb_finish_set_opts(newsb);
982 out:
983         mutex_unlock(&newsbsec->lock);
984         return rc;
985 }
986
987 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
988 {
989         struct selinux_mnt_opts *opts = *mnt_opts;
990
991         if (token == Opt_seclabel)      /* eaten and completely ignored */
992                 return 0;
993
994         if (!opts) {
995                 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
996                 if (!opts)
997                         return -ENOMEM;
998                 *mnt_opts = opts;
999         }
1000         if (!s)
1001                 return -ENOMEM;
1002         switch (token) {
1003         case Opt_context:
1004                 if (opts->context || opts->defcontext)
1005                         goto Einval;
1006                 opts->context = s;
1007                 break;
1008         case Opt_fscontext:
1009                 if (opts->fscontext)
1010                         goto Einval;
1011                 opts->fscontext = s;
1012                 break;
1013         case Opt_rootcontext:
1014                 if (opts->rootcontext)
1015                         goto Einval;
1016                 opts->rootcontext = s;
1017                 break;
1018         case Opt_defcontext:
1019                 if (opts->context || opts->defcontext)
1020                         goto Einval;
1021                 opts->defcontext = s;
1022                 break;
1023         }
1024         return 0;
1025 Einval:
1026         pr_warn(SEL_MOUNT_FAIL_MSG);
1027         return -EINVAL;
1028 }
1029
1030 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1031                                void **mnt_opts)
1032 {
1033         int token = Opt_error;
1034         int rc, i;
1035
1036         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1037                 if (strcmp(option, tokens[i].name) == 0) {
1038                         token = tokens[i].opt;
1039                         break;
1040                 }
1041         }
1042
1043         if (token == Opt_error)
1044                 return -EINVAL;
1045
1046         if (token != Opt_seclabel)
1047                 val = kmemdup_nul(val, len, GFP_KERNEL);
1048         rc = selinux_add_opt(token, val, mnt_opts);
1049         if (unlikely(rc)) {
1050                 kfree(val);
1051                 if (*mnt_opts) {
1052                         selinux_free_mnt_opts(*mnt_opts);
1053                         *mnt_opts = NULL;
1054                 }
1055         }
1056         return rc;
1057 }
1058
1059 static int show_sid(struct seq_file *m, u32 sid)
1060 {
1061         char *context = NULL;
1062         u32 len;
1063         int rc;
1064
1065         rc = security_sid_to_context(&selinux_state, sid,
1066                                              &context, &len);
1067         if (!rc) {
1068                 bool has_comma = context && strchr(context, ',');
1069
1070                 if (has_comma)
1071                         seq_putc(m, '\"');
1072                 seq_escape(m, context, "\"\n\\");
1073                 if (has_comma)
1074                         seq_putc(m, '\"');
1075         }
1076         kfree(context);
1077         return rc;
1078 }
1079
1080 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1081 {
1082         struct superblock_security_struct *sbsec = sb->s_security;
1083         int rc;
1084
1085         if (!(sbsec->flags & SE_SBINITIALIZED))
1086                 return 0;
1087
1088         if (!selinux_state.initialized)
1089                 return 0;
1090
1091         if (sbsec->flags & FSCONTEXT_MNT) {
1092                 seq_putc(m, ',');
1093                 seq_puts(m, FSCONTEXT_STR);
1094                 rc = show_sid(m, sbsec->sid);
1095                 if (rc)
1096                         return rc;
1097         }
1098         if (sbsec->flags & CONTEXT_MNT) {
1099                 seq_putc(m, ',');
1100                 seq_puts(m, CONTEXT_STR);
1101                 rc = show_sid(m, sbsec->mntpoint_sid);
1102                 if (rc)
1103                         return rc;
1104         }
1105         if (sbsec->flags & DEFCONTEXT_MNT) {
1106                 seq_putc(m, ',');
1107                 seq_puts(m, DEFCONTEXT_STR);
1108                 rc = show_sid(m, sbsec->def_sid);
1109                 if (rc)
1110                         return rc;
1111         }
1112         if (sbsec->flags & ROOTCONTEXT_MNT) {
1113                 struct dentry *root = sbsec->sb->s_root;
1114                 struct inode_security_struct *isec = backing_inode_security(root);
1115                 seq_putc(m, ',');
1116                 seq_puts(m, ROOTCONTEXT_STR);
1117                 rc = show_sid(m, isec->sid);
1118                 if (rc)
1119                         return rc;
1120         }
1121         if (sbsec->flags & SBLABEL_MNT) {
1122                 seq_putc(m, ',');
1123                 seq_puts(m, LABELSUPP_STR);
1124         }
1125         return 0;
1126 }
1127
1128 static inline u16 inode_mode_to_security_class(umode_t mode)
1129 {
1130         switch (mode & S_IFMT) {
1131         case S_IFSOCK:
1132                 return SECCLASS_SOCK_FILE;
1133         case S_IFLNK:
1134                 return SECCLASS_LNK_FILE;
1135         case S_IFREG:
1136                 return SECCLASS_FILE;
1137         case S_IFBLK:
1138                 return SECCLASS_BLK_FILE;
1139         case S_IFDIR:
1140                 return SECCLASS_DIR;
1141         case S_IFCHR:
1142                 return SECCLASS_CHR_FILE;
1143         case S_IFIFO:
1144                 return SECCLASS_FIFO_FILE;
1145
1146         }
1147
1148         return SECCLASS_FILE;
1149 }
1150
1151 static inline int default_protocol_stream(int protocol)
1152 {
1153         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1154 }
1155
1156 static inline int default_protocol_dgram(int protocol)
1157 {
1158         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1159 }
1160
1161 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1162 {
1163         int extsockclass = selinux_policycap_extsockclass();
1164
1165         switch (family) {
1166         case PF_UNIX:
1167                 switch (type) {
1168                 case SOCK_STREAM:
1169                 case SOCK_SEQPACKET:
1170                         return SECCLASS_UNIX_STREAM_SOCKET;
1171                 case SOCK_DGRAM:
1172                 case SOCK_RAW:
1173                         return SECCLASS_UNIX_DGRAM_SOCKET;
1174                 }
1175                 break;
1176         case PF_INET:
1177         case PF_INET6:
1178                 switch (type) {
1179                 case SOCK_STREAM:
1180                 case SOCK_SEQPACKET:
1181                         if (default_protocol_stream(protocol))
1182                                 return SECCLASS_TCP_SOCKET;
1183                         else if (extsockclass && protocol == IPPROTO_SCTP)
1184                                 return SECCLASS_SCTP_SOCKET;
1185                         else
1186                                 return SECCLASS_RAWIP_SOCKET;
1187                 case SOCK_DGRAM:
1188                         if (default_protocol_dgram(protocol))
1189                                 return SECCLASS_UDP_SOCKET;
1190                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1191                                                   protocol == IPPROTO_ICMPV6))
1192                                 return SECCLASS_ICMP_SOCKET;
1193                         else
1194                                 return SECCLASS_RAWIP_SOCKET;
1195                 case SOCK_DCCP:
1196                         return SECCLASS_DCCP_SOCKET;
1197                 default:
1198                         return SECCLASS_RAWIP_SOCKET;
1199                 }
1200                 break;
1201         case PF_NETLINK:
1202                 switch (protocol) {
1203                 case NETLINK_ROUTE:
1204                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1205                 case NETLINK_SOCK_DIAG:
1206                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1207                 case NETLINK_NFLOG:
1208                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1209                 case NETLINK_XFRM:
1210                         return SECCLASS_NETLINK_XFRM_SOCKET;
1211                 case NETLINK_SELINUX:
1212                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1213                 case NETLINK_ISCSI:
1214                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1215                 case NETLINK_AUDIT:
1216                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1217                 case NETLINK_FIB_LOOKUP:
1218                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1219                 case NETLINK_CONNECTOR:
1220                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1221                 case NETLINK_NETFILTER:
1222                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1223                 case NETLINK_DNRTMSG:
1224                         return SECCLASS_NETLINK_DNRT_SOCKET;
1225                 case NETLINK_KOBJECT_UEVENT:
1226                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1227                 case NETLINK_GENERIC:
1228                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1229                 case NETLINK_SCSITRANSPORT:
1230                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1231                 case NETLINK_RDMA:
1232                         return SECCLASS_NETLINK_RDMA_SOCKET;
1233                 case NETLINK_CRYPTO:
1234                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1235                 default:
1236                         return SECCLASS_NETLINK_SOCKET;
1237                 }
1238         case PF_PACKET:
1239                 return SECCLASS_PACKET_SOCKET;
1240         case PF_KEY:
1241                 return SECCLASS_KEY_SOCKET;
1242         case PF_APPLETALK:
1243                 return SECCLASS_APPLETALK_SOCKET;
1244         }
1245
1246         if (extsockclass) {
1247                 switch (family) {
1248                 case PF_AX25:
1249                         return SECCLASS_AX25_SOCKET;
1250                 case PF_IPX:
1251                         return SECCLASS_IPX_SOCKET;
1252                 case PF_NETROM:
1253                         return SECCLASS_NETROM_SOCKET;
1254                 case PF_ATMPVC:
1255                         return SECCLASS_ATMPVC_SOCKET;
1256                 case PF_X25:
1257                         return SECCLASS_X25_SOCKET;
1258                 case PF_ROSE:
1259                         return SECCLASS_ROSE_SOCKET;
1260                 case PF_DECnet:
1261                         return SECCLASS_DECNET_SOCKET;
1262                 case PF_ATMSVC:
1263                         return SECCLASS_ATMSVC_SOCKET;
1264                 case PF_RDS:
1265                         return SECCLASS_RDS_SOCKET;
1266                 case PF_IRDA:
1267                         return SECCLASS_IRDA_SOCKET;
1268                 case PF_PPPOX:
1269                         return SECCLASS_PPPOX_SOCKET;
1270                 case PF_LLC:
1271                         return SECCLASS_LLC_SOCKET;
1272                 case PF_CAN:
1273                         return SECCLASS_CAN_SOCKET;
1274                 case PF_TIPC:
1275                         return SECCLASS_TIPC_SOCKET;
1276                 case PF_BLUETOOTH:
1277                         return SECCLASS_BLUETOOTH_SOCKET;
1278                 case PF_IUCV:
1279                         return SECCLASS_IUCV_SOCKET;
1280                 case PF_RXRPC:
1281                         return SECCLASS_RXRPC_SOCKET;
1282                 case PF_ISDN:
1283                         return SECCLASS_ISDN_SOCKET;
1284                 case PF_PHONET:
1285                         return SECCLASS_PHONET_SOCKET;
1286                 case PF_IEEE802154:
1287                         return SECCLASS_IEEE802154_SOCKET;
1288                 case PF_CAIF:
1289                         return SECCLASS_CAIF_SOCKET;
1290                 case PF_ALG:
1291                         return SECCLASS_ALG_SOCKET;
1292                 case PF_NFC:
1293                         return SECCLASS_NFC_SOCKET;
1294                 case PF_VSOCK:
1295                         return SECCLASS_VSOCK_SOCKET;
1296                 case PF_KCM:
1297                         return SECCLASS_KCM_SOCKET;
1298                 case PF_QIPCRTR:
1299                         return SECCLASS_QIPCRTR_SOCKET;
1300                 case PF_SMC:
1301                         return SECCLASS_SMC_SOCKET;
1302                 case PF_XDP:
1303                         return SECCLASS_XDP_SOCKET;
1304 #if PF_MAX > 45
1305 #error New address family defined, please update this function.
1306 #endif
1307                 }
1308         }
1309
1310         return SECCLASS_SOCKET;
1311 }
1312
1313 static int selinux_genfs_get_sid(struct dentry *dentry,
1314                                  u16 tclass,
1315                                  u16 flags,
1316                                  u32 *sid)
1317 {
1318         int rc;
1319         struct super_block *sb = dentry->d_sb;
1320         char *buffer, *path;
1321
1322         buffer = (char *)__get_free_page(GFP_KERNEL);
1323         if (!buffer)
1324                 return -ENOMEM;
1325
1326         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1327         if (IS_ERR(path))
1328                 rc = PTR_ERR(path);
1329         else {
1330                 if (flags & SE_SBPROC) {
1331                         /* each process gets a /proc/PID/ entry. Strip off the
1332                          * PID part to get a valid selinux labeling.
1333                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1334                         while (path[1] >= '0' && path[1] <= '9') {
1335                                 path[1] = '/';
1336                                 path++;
1337                         }
1338                 }
1339                 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1340                                         path, tclass, sid);
1341                 if (rc == -ENOENT) {
1342                         /* No match in policy, mark as unlabeled. */
1343                         *sid = SECINITSID_UNLABELED;
1344                         rc = 0;
1345                 }
1346         }
1347         free_page((unsigned long)buffer);
1348         return rc;
1349 }
1350
1351 /* The inode's security attributes must be initialized before first use. */
1352 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1353 {
1354         struct superblock_security_struct *sbsec = NULL;
1355         struct inode_security_struct *isec = selinux_inode(inode);
1356         u32 task_sid, sid = 0;
1357         u16 sclass;
1358         struct dentry *dentry;
1359 #define INITCONTEXTLEN 255
1360         char *context = NULL;
1361         unsigned len = 0;
1362         int rc = 0;
1363
1364         if (isec->initialized == LABEL_INITIALIZED)
1365                 return 0;
1366
1367         spin_lock(&isec->lock);
1368         if (isec->initialized == LABEL_INITIALIZED)
1369                 goto out_unlock;
1370
1371         if (isec->sclass == SECCLASS_FILE)
1372                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1373
1374         sbsec = inode->i_sb->s_security;
1375         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1376                 /* Defer initialization until selinux_complete_init,
1377                    after the initial policy is loaded and the security
1378                    server is ready to handle calls. */
1379                 spin_lock(&sbsec->isec_lock);
1380                 if (list_empty(&isec->list))
1381                         list_add(&isec->list, &sbsec->isec_head);
1382                 spin_unlock(&sbsec->isec_lock);
1383                 goto out_unlock;
1384         }
1385
1386         sclass = isec->sclass;
1387         task_sid = isec->task_sid;
1388         sid = isec->sid;
1389         isec->initialized = LABEL_PENDING;
1390         spin_unlock(&isec->lock);
1391
1392         switch (sbsec->behavior) {
1393         case SECURITY_FS_USE_NATIVE:
1394                 break;
1395         case SECURITY_FS_USE_XATTR:
1396                 if (!(inode->i_opflags & IOP_XATTR)) {
1397                         sid = sbsec->def_sid;
1398                         break;
1399                 }
1400                 /* Need a dentry, since the xattr API requires one.
1401                    Life would be simpler if we could just pass the inode. */
1402                 if (opt_dentry) {
1403                         /* Called from d_instantiate or d_splice_alias. */
1404                         dentry = dget(opt_dentry);
1405                 } else {
1406                         /*
1407                          * Called from selinux_complete_init, try to find a dentry.
1408                          * Some filesystems really want a connected one, so try
1409                          * that first.  We could split SECURITY_FS_USE_XATTR in
1410                          * two, depending upon that...
1411                          */
1412                         dentry = d_find_alias(inode);
1413                         if (!dentry)
1414                                 dentry = d_find_any_alias(inode);
1415                 }
1416                 if (!dentry) {
1417                         /*
1418                          * this is can be hit on boot when a file is accessed
1419                          * before the policy is loaded.  When we load policy we
1420                          * may find inodes that have no dentry on the
1421                          * sbsec->isec_head list.  No reason to complain as these
1422                          * will get fixed up the next time we go through
1423                          * inode_doinit with a dentry, before these inodes could
1424                          * be used again by userspace.
1425                          */
1426                         goto out;
1427                 }
1428
1429                 len = INITCONTEXTLEN;
1430                 context = kmalloc(len+1, GFP_NOFS);
1431                 if (!context) {
1432                         rc = -ENOMEM;
1433                         dput(dentry);
1434                         goto out;
1435                 }
1436                 context[len] = '\0';
1437                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1438                 if (rc == -ERANGE) {
1439                         kfree(context);
1440
1441                         /* Need a larger buffer.  Query for the right size. */
1442                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1443                         if (rc < 0) {
1444                                 dput(dentry);
1445                                 goto out;
1446                         }
1447                         len = rc;
1448                         context = kmalloc(len+1, GFP_NOFS);
1449                         if (!context) {
1450                                 rc = -ENOMEM;
1451                                 dput(dentry);
1452                                 goto out;
1453                         }
1454                         context[len] = '\0';
1455                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1456                 }
1457                 dput(dentry);
1458                 if (rc < 0) {
1459                         if (rc != -ENODATA) {
1460                                 pr_warn("SELinux: %s:  getxattr returned "
1461                                        "%d for dev=%s ino=%ld\n", __func__,
1462                                        -rc, inode->i_sb->s_id, inode->i_ino);
1463                                 kfree(context);
1464                                 goto out;
1465                         }
1466                         /* Map ENODATA to the default file SID */
1467                         sid = sbsec->def_sid;
1468                         rc = 0;
1469                 } else {
1470                         rc = security_context_to_sid_default(&selinux_state,
1471                                                              context, rc, &sid,
1472                                                              sbsec->def_sid,
1473                                                              GFP_NOFS);
1474                         if (rc) {
1475                                 char *dev = inode->i_sb->s_id;
1476                                 unsigned long ino = inode->i_ino;
1477
1478                                 if (rc == -EINVAL) {
1479                                         if (printk_ratelimit())
1480                                                 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1481                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1482                                                         "filesystem in question.\n", ino, dev, context);
1483                                 } else {
1484                                         pr_warn("SELinux: %s:  context_to_sid(%s) "
1485                                                "returned %d for dev=%s ino=%ld\n",
1486                                                __func__, context, -rc, dev, ino);
1487                                 }
1488                                 kfree(context);
1489                                 /* Leave with the unlabeled SID */
1490                                 rc = 0;
1491                                 break;
1492                         }
1493                 }
1494                 kfree(context);
1495                 break;
1496         case SECURITY_FS_USE_TASK:
1497                 sid = task_sid;
1498                 break;
1499         case SECURITY_FS_USE_TRANS:
1500                 /* Default to the fs SID. */
1501                 sid = sbsec->sid;
1502
1503                 /* Try to obtain a transition SID. */
1504                 rc = security_transition_sid(&selinux_state, task_sid, sid,
1505                                              sclass, NULL, &sid);
1506                 if (rc)
1507                         goto out;
1508                 break;
1509         case SECURITY_FS_USE_MNTPOINT:
1510                 sid = sbsec->mntpoint_sid;
1511                 break;
1512         default:
1513                 /* Default to the fs superblock SID. */
1514                 sid = sbsec->sid;
1515
1516                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1517                         /* We must have a dentry to determine the label on
1518                          * procfs inodes */
1519                         if (opt_dentry) {
1520                                 /* Called from d_instantiate or
1521                                  * d_splice_alias. */
1522                                 dentry = dget(opt_dentry);
1523                         } else {
1524                                 /* Called from selinux_complete_init, try to
1525                                  * find a dentry.  Some filesystems really want
1526                                  * a connected one, so try that first.
1527                                  */
1528                                 dentry = d_find_alias(inode);
1529                                 if (!dentry)
1530                                         dentry = d_find_any_alias(inode);
1531                         }
1532                         /*
1533                          * This can be hit on boot when a file is accessed
1534                          * before the policy is loaded.  When we load policy we
1535                          * may find inodes that have no dentry on the
1536                          * sbsec->isec_head list.  No reason to complain as
1537                          * these will get fixed up the next time we go through
1538                          * inode_doinit() with a dentry, before these inodes
1539                          * could be used again by userspace.
1540                          */
1541                         if (!dentry)
1542                                 goto out;
1543                         rc = selinux_genfs_get_sid(dentry, sclass,
1544                                                    sbsec->flags, &sid);
1545                         dput(dentry);
1546                         if (rc)
1547                                 goto out;
1548                 }
1549                 break;
1550         }
1551
1552 out:
1553         spin_lock(&isec->lock);
1554         if (isec->initialized == LABEL_PENDING) {
1555                 if (!sid || rc) {
1556                         isec->initialized = LABEL_INVALID;
1557                         goto out_unlock;
1558                 }
1559
1560                 isec->initialized = LABEL_INITIALIZED;
1561                 isec->sid = sid;
1562         }
1563
1564 out_unlock:
1565         spin_unlock(&isec->lock);
1566         return rc;
1567 }
1568
1569 /* Convert a Linux signal to an access vector. */
1570 static inline u32 signal_to_av(int sig)
1571 {
1572         u32 perm = 0;
1573
1574         switch (sig) {
1575         case SIGCHLD:
1576                 /* Commonly granted from child to parent. */
1577                 perm = PROCESS__SIGCHLD;
1578                 break;
1579         case SIGKILL:
1580                 /* Cannot be caught or ignored */
1581                 perm = PROCESS__SIGKILL;
1582                 break;
1583         case SIGSTOP:
1584                 /* Cannot be caught or ignored */
1585                 perm = PROCESS__SIGSTOP;
1586                 break;
1587         default:
1588                 /* All other signals. */
1589                 perm = PROCESS__SIGNAL;
1590                 break;
1591         }
1592
1593         return perm;
1594 }
1595
1596 #if CAP_LAST_CAP > 63
1597 #error Fix SELinux to handle capabilities > 63.
1598 #endif
1599
1600 /* Check whether a task is allowed to use a capability. */
1601 static int cred_has_capability(const struct cred *cred,
1602                                int cap, unsigned int opts, bool initns)
1603 {
1604         struct common_audit_data ad;
1605         struct av_decision avd;
1606         u16 sclass;
1607         u32 sid = cred_sid(cred);
1608         u32 av = CAP_TO_MASK(cap);
1609         int rc;
1610
1611         ad.type = LSM_AUDIT_DATA_CAP;
1612         ad.u.cap = cap;
1613
1614         switch (CAP_TO_INDEX(cap)) {
1615         case 0:
1616                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1617                 break;
1618         case 1:
1619                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1620                 break;
1621         default:
1622                 pr_err("SELinux:  out of range capability %d\n", cap);
1623                 BUG();
1624                 return -EINVAL;
1625         }
1626
1627         rc = avc_has_perm_noaudit(&selinux_state,
1628                                   sid, sid, sclass, av, 0, &avd);
1629         if (!(opts & CAP_OPT_NOAUDIT)) {
1630                 int rc2 = avc_audit(&selinux_state,
1631                                     sid, sid, sclass, av, &avd, rc, &ad, 0);
1632                 if (rc2)
1633                         return rc2;
1634         }
1635         return rc;
1636 }
1637
1638 /* Check whether a task has a particular permission to an inode.
1639    The 'adp' parameter is optional and allows other audit
1640    data to be passed (e.g. the dentry). */
1641 static int inode_has_perm(const struct cred *cred,
1642                           struct inode *inode,
1643                           u32 perms,
1644                           struct common_audit_data *adp)
1645 {
1646         struct inode_security_struct *isec;
1647         u32 sid;
1648
1649         validate_creds(cred);
1650
1651         if (unlikely(IS_PRIVATE(inode)))
1652                 return 0;
1653
1654         sid = cred_sid(cred);
1655         isec = selinux_inode(inode);
1656
1657         return avc_has_perm(&selinux_state,
1658                             sid, isec->sid, isec->sclass, perms, adp);
1659 }
1660
1661 /* Same as inode_has_perm, but pass explicit audit data containing
1662    the dentry to help the auditing code to more easily generate the
1663    pathname if needed. */
1664 static inline int dentry_has_perm(const struct cred *cred,
1665                                   struct dentry *dentry,
1666                                   u32 av)
1667 {
1668         struct inode *inode = d_backing_inode(dentry);
1669         struct common_audit_data ad;
1670
1671         ad.type = LSM_AUDIT_DATA_DENTRY;
1672         ad.u.dentry = dentry;
1673         __inode_security_revalidate(inode, dentry, true);
1674         return inode_has_perm(cred, inode, av, &ad);
1675 }
1676
1677 /* Same as inode_has_perm, but pass explicit audit data containing
1678    the path to help the auditing code to more easily generate the
1679    pathname if needed. */
1680 static inline int path_has_perm(const struct cred *cred,
1681                                 const struct path *path,
1682                                 u32 av)
1683 {
1684         struct inode *inode = d_backing_inode(path->dentry);
1685         struct common_audit_data ad;
1686
1687         ad.type = LSM_AUDIT_DATA_PATH;
1688         ad.u.path = *path;
1689         __inode_security_revalidate(inode, path->dentry, true);
1690         return inode_has_perm(cred, inode, av, &ad);
1691 }
1692
1693 /* Same as path_has_perm, but uses the inode from the file struct. */
1694 static inline int file_path_has_perm(const struct cred *cred,
1695                                      struct file *file,
1696                                      u32 av)
1697 {
1698         struct common_audit_data ad;
1699
1700         ad.type = LSM_AUDIT_DATA_FILE;
1701         ad.u.file = file;
1702         return inode_has_perm(cred, file_inode(file), av, &ad);
1703 }
1704
1705 #ifdef CONFIG_BPF_SYSCALL
1706 static int bpf_fd_pass(struct file *file, u32 sid);
1707 #endif
1708
1709 /* Check whether a task can use an open file descriptor to
1710    access an inode in a given way.  Check access to the
1711    descriptor itself, and then use dentry_has_perm to
1712    check a particular permission to the file.
1713    Access to the descriptor is implicitly granted if it
1714    has the same SID as the process.  If av is zero, then
1715    access to the file is not checked, e.g. for cases
1716    where only the descriptor is affected like seek. */
1717 static int file_has_perm(const struct cred *cred,
1718                          struct file *file,
1719                          u32 av)
1720 {
1721         struct file_security_struct *fsec = selinux_file(file);
1722         struct inode *inode = file_inode(file);
1723         struct common_audit_data ad;
1724         u32 sid = cred_sid(cred);
1725         int rc;
1726
1727         ad.type = LSM_AUDIT_DATA_FILE;
1728         ad.u.file = file;
1729
1730         if (sid != fsec->sid) {
1731                 rc = avc_has_perm(&selinux_state,
1732                                   sid, fsec->sid,
1733                                   SECCLASS_FD,
1734                                   FD__USE,
1735                                   &ad);
1736                 if (rc)
1737                         goto out;
1738         }
1739
1740 #ifdef CONFIG_BPF_SYSCALL
1741         rc = bpf_fd_pass(file, cred_sid(cred));
1742         if (rc)
1743                 return rc;
1744 #endif
1745
1746         /* av is zero if only checking access to the descriptor. */
1747         rc = 0;
1748         if (av)
1749                 rc = inode_has_perm(cred, inode, av, &ad);
1750
1751 out:
1752         return rc;
1753 }
1754
1755 /*
1756  * Determine the label for an inode that might be unioned.
1757  */
1758 static int
1759 selinux_determine_inode_label(const struct task_security_struct *tsec,
1760                                  struct inode *dir,
1761                                  const struct qstr *name, u16 tclass,
1762                                  u32 *_new_isid)
1763 {
1764         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1765
1766         if ((sbsec->flags & SE_SBINITIALIZED) &&
1767             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1768                 *_new_isid = sbsec->mntpoint_sid;
1769         } else if ((sbsec->flags & SBLABEL_MNT) &&
1770                    tsec->create_sid) {
1771                 *_new_isid = tsec->create_sid;
1772         } else {
1773                 const struct inode_security_struct *dsec = inode_security(dir);
1774                 return security_transition_sid(&selinux_state, tsec->sid,
1775                                                dsec->sid, tclass,
1776                                                name, _new_isid);
1777         }
1778
1779         return 0;
1780 }
1781
1782 /* Check whether a task can create a file. */
1783 static int may_create(struct inode *dir,
1784                       struct dentry *dentry,
1785                       u16 tclass)
1786 {
1787         const struct task_security_struct *tsec = selinux_cred(current_cred());
1788         struct inode_security_struct *dsec;
1789         struct superblock_security_struct *sbsec;
1790         u32 sid, newsid;
1791         struct common_audit_data ad;
1792         int rc;
1793
1794         dsec = inode_security(dir);
1795         sbsec = dir->i_sb->s_security;
1796
1797         sid = tsec->sid;
1798
1799         ad.type = LSM_AUDIT_DATA_DENTRY;
1800         ad.u.dentry = dentry;
1801
1802         rc = avc_has_perm(&selinux_state,
1803                           sid, dsec->sid, SECCLASS_DIR,
1804                           DIR__ADD_NAME | DIR__SEARCH,
1805                           &ad);
1806         if (rc)
1807                 return rc;
1808
1809         rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1810                                            &dentry->d_name, tclass, &newsid);
1811         if (rc)
1812                 return rc;
1813
1814         rc = avc_has_perm(&selinux_state,
1815                           sid, newsid, tclass, FILE__CREATE, &ad);
1816         if (rc)
1817                 return rc;
1818
1819         return avc_has_perm(&selinux_state,
1820                             newsid, sbsec->sid,
1821                             SECCLASS_FILESYSTEM,
1822                             FILESYSTEM__ASSOCIATE, &ad);
1823 }
1824
1825 #define MAY_LINK        0
1826 #define MAY_UNLINK      1
1827 #define MAY_RMDIR       2
1828
1829 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1830 static int may_link(struct inode *dir,
1831                     struct dentry *dentry,
1832                     int kind)
1833
1834 {
1835         struct inode_security_struct *dsec, *isec;
1836         struct common_audit_data ad;
1837         u32 sid = current_sid();
1838         u32 av;
1839         int rc;
1840
1841         dsec = inode_security(dir);
1842         isec = backing_inode_security(dentry);
1843
1844         ad.type = LSM_AUDIT_DATA_DENTRY;
1845         ad.u.dentry = dentry;
1846
1847         av = DIR__SEARCH;
1848         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1849         rc = avc_has_perm(&selinux_state,
1850                           sid, dsec->sid, SECCLASS_DIR, av, &ad);
1851         if (rc)
1852                 return rc;
1853
1854         switch (kind) {
1855         case MAY_LINK:
1856                 av = FILE__LINK;
1857                 break;
1858         case MAY_UNLINK:
1859                 av = FILE__UNLINK;
1860                 break;
1861         case MAY_RMDIR:
1862                 av = DIR__RMDIR;
1863                 break;
1864         default:
1865                 pr_warn("SELinux: %s:  unrecognized kind %d\n",
1866                         __func__, kind);
1867                 return 0;
1868         }
1869
1870         rc = avc_has_perm(&selinux_state,
1871                           sid, isec->sid, isec->sclass, av, &ad);
1872         return rc;
1873 }
1874
1875 static inline int may_rename(struct inode *old_dir,
1876                              struct dentry *old_dentry,
1877                              struct inode *new_dir,
1878                              struct dentry *new_dentry)
1879 {
1880         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1881         struct common_audit_data ad;
1882         u32 sid = current_sid();
1883         u32 av;
1884         int old_is_dir, new_is_dir;
1885         int rc;
1886
1887         old_dsec = inode_security(old_dir);
1888         old_isec = backing_inode_security(old_dentry);
1889         old_is_dir = d_is_dir(old_dentry);
1890         new_dsec = inode_security(new_dir);
1891
1892         ad.type = LSM_AUDIT_DATA_DENTRY;
1893
1894         ad.u.dentry = old_dentry;
1895         rc = avc_has_perm(&selinux_state,
1896                           sid, old_dsec->sid, SECCLASS_DIR,
1897                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1898         if (rc)
1899                 return rc;
1900         rc = avc_has_perm(&selinux_state,
1901                           sid, old_isec->sid,
1902                           old_isec->sclass, FILE__RENAME, &ad);
1903         if (rc)
1904                 return rc;
1905         if (old_is_dir && new_dir != old_dir) {
1906                 rc = avc_has_perm(&selinux_state,
1907                                   sid, old_isec->sid,
1908                                   old_isec->sclass, DIR__REPARENT, &ad);
1909                 if (rc)
1910                         return rc;
1911         }
1912
1913         ad.u.dentry = new_dentry;
1914         av = DIR__ADD_NAME | DIR__SEARCH;
1915         if (d_is_positive(new_dentry))
1916                 av |= DIR__REMOVE_NAME;
1917         rc = avc_has_perm(&selinux_state,
1918                           sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1919         if (rc)
1920                 return rc;
1921         if (d_is_positive(new_dentry)) {
1922                 new_isec = backing_inode_security(new_dentry);
1923                 new_is_dir = d_is_dir(new_dentry);
1924                 rc = avc_has_perm(&selinux_state,
1925                                   sid, new_isec->sid,
1926                                   new_isec->sclass,
1927                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1928                 if (rc)
1929                         return rc;
1930         }
1931
1932         return 0;
1933 }
1934
1935 /* Check whether a task can perform a filesystem operation. */
1936 static int superblock_has_perm(const struct cred *cred,
1937                                struct super_block *sb,
1938                                u32 perms,
1939                                struct common_audit_data *ad)
1940 {
1941         struct superblock_security_struct *sbsec;
1942         u32 sid = cred_sid(cred);
1943
1944         sbsec = sb->s_security;
1945         return avc_has_perm(&selinux_state,
1946                             sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1947 }
1948
1949 /* Convert a Linux mode and permission mask to an access vector. */
1950 static inline u32 file_mask_to_av(int mode, int mask)
1951 {
1952         u32 av = 0;
1953
1954         if (!S_ISDIR(mode)) {
1955                 if (mask & MAY_EXEC)
1956                         av |= FILE__EXECUTE;
1957                 if (mask & MAY_READ)
1958                         av |= FILE__READ;
1959
1960                 if (mask & MAY_APPEND)
1961                         av |= FILE__APPEND;
1962                 else if (mask & MAY_WRITE)
1963                         av |= FILE__WRITE;
1964
1965         } else {
1966                 if (mask & MAY_EXEC)
1967                         av |= DIR__SEARCH;
1968                 if (mask & MAY_WRITE)
1969                         av |= DIR__WRITE;
1970                 if (mask & MAY_READ)
1971                         av |= DIR__READ;
1972         }
1973
1974         return av;
1975 }
1976
1977 /* Convert a Linux file to an access vector. */
1978 static inline u32 file_to_av(struct file *file)
1979 {
1980         u32 av = 0;
1981
1982         if (file->f_mode & FMODE_READ)
1983                 av |= FILE__READ;
1984         if (file->f_mode & FMODE_WRITE) {
1985                 if (file->f_flags & O_APPEND)
1986                         av |= FILE__APPEND;
1987                 else
1988                         av |= FILE__WRITE;
1989         }
1990         if (!av) {
1991                 /*
1992                  * Special file opened with flags 3 for ioctl-only use.
1993                  */
1994                 av = FILE__IOCTL;
1995         }
1996
1997         return av;
1998 }
1999
2000 /*
2001  * Convert a file to an access vector and include the correct open
2002  * open permission.
2003  */
2004 static inline u32 open_file_to_av(struct file *file)
2005 {
2006         u32 av = file_to_av(file);
2007         struct inode *inode = file_inode(file);
2008
2009         if (selinux_policycap_openperm() &&
2010             inode->i_sb->s_magic != SOCKFS_MAGIC)
2011                 av |= FILE__OPEN;
2012
2013         return av;
2014 }
2015
2016 /* Hook functions begin here. */
2017
2018 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2019 {
2020         u32 mysid = current_sid();
2021         u32 mgrsid = task_sid(mgr);
2022
2023         return avc_has_perm(&selinux_state,
2024                             mysid, mgrsid, SECCLASS_BINDER,
2025                             BINDER__SET_CONTEXT_MGR, NULL);
2026 }
2027
2028 static int selinux_binder_transaction(struct task_struct *from,
2029                                       struct task_struct *to)
2030 {
2031         u32 mysid = current_sid();
2032         u32 fromsid = task_sid(from);
2033         u32 tosid = task_sid(to);
2034         int rc;
2035
2036         if (mysid != fromsid) {
2037                 rc = avc_has_perm(&selinux_state,
2038                                   mysid, fromsid, SECCLASS_BINDER,
2039                                   BINDER__IMPERSONATE, NULL);
2040                 if (rc)
2041                         return rc;
2042         }
2043
2044         return avc_has_perm(&selinux_state,
2045                             fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2046                             NULL);
2047 }
2048
2049 static int selinux_binder_transfer_binder(struct task_struct *from,
2050                                           struct task_struct *to)
2051 {
2052         u32 fromsid = task_sid(from);
2053         u32 tosid = task_sid(to);
2054
2055         return avc_has_perm(&selinux_state,
2056                             fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2057                             NULL);
2058 }
2059
2060 static int selinux_binder_transfer_file(struct task_struct *from,
2061                                         struct task_struct *to,
2062                                         struct file *file)
2063 {
2064         u32 sid = task_sid(to);
2065         struct file_security_struct *fsec = selinux_file(file);
2066         struct dentry *dentry = file->f_path.dentry;
2067         struct inode_security_struct *isec;
2068         struct common_audit_data ad;
2069         int rc;
2070
2071         ad.type = LSM_AUDIT_DATA_PATH;
2072         ad.u.path = file->f_path;
2073
2074         if (sid != fsec->sid) {
2075                 rc = avc_has_perm(&selinux_state,
2076                                   sid, fsec->sid,
2077                                   SECCLASS_FD,
2078                                   FD__USE,
2079                                   &ad);
2080                 if (rc)
2081                         return rc;
2082         }
2083
2084 #ifdef CONFIG_BPF_SYSCALL
2085         rc = bpf_fd_pass(file, sid);
2086         if (rc)
2087                 return rc;
2088 #endif
2089
2090         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2091                 return 0;
2092
2093         isec = backing_inode_security(dentry);
2094         return avc_has_perm(&selinux_state,
2095                             sid, isec->sid, isec->sclass, file_to_av(file),
2096                             &ad);
2097 }
2098
2099 static int selinux_ptrace_access_check(struct task_struct *child,
2100                                      unsigned int mode)
2101 {
2102         u32 sid = current_sid();
2103         u32 csid = task_sid(child);
2104
2105         if (mode & PTRACE_MODE_READ)
2106                 return avc_has_perm(&selinux_state,
2107                                     sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2108
2109         return avc_has_perm(&selinux_state,
2110                             sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2111 }
2112
2113 static int selinux_ptrace_traceme(struct task_struct *parent)
2114 {
2115         return avc_has_perm(&selinux_state,
2116                             task_sid(parent), current_sid(), SECCLASS_PROCESS,
2117                             PROCESS__PTRACE, NULL);
2118 }
2119
2120 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2121                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2122 {
2123         return avc_has_perm(&selinux_state,
2124                             current_sid(), task_sid(target), SECCLASS_PROCESS,
2125                             PROCESS__GETCAP, NULL);
2126 }
2127
2128 static int selinux_capset(struct cred *new, const struct cred *old,
2129                           const kernel_cap_t *effective,
2130                           const kernel_cap_t *inheritable,
2131                           const kernel_cap_t *permitted)
2132 {
2133         return avc_has_perm(&selinux_state,
2134                             cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2135                             PROCESS__SETCAP, NULL);
2136 }
2137
2138 /*
2139  * (This comment used to live with the selinux_task_setuid hook,
2140  * which was removed).
2141  *
2142  * Since setuid only affects the current process, and since the SELinux
2143  * controls are not based on the Linux identity attributes, SELinux does not
2144  * need to control this operation.  However, SELinux does control the use of
2145  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2146  */
2147
2148 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2149                            int cap, unsigned int opts)
2150 {
2151         return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2152 }
2153
2154 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2155 {
2156         const struct cred *cred = current_cred();
2157         int rc = 0;
2158
2159         if (!sb)
2160                 return 0;
2161
2162         switch (cmds) {
2163         case Q_SYNC:
2164         case Q_QUOTAON:
2165         case Q_QUOTAOFF:
2166         case Q_SETINFO:
2167         case Q_SETQUOTA:
2168                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2169                 break;
2170         case Q_GETFMT:
2171         case Q_GETINFO:
2172         case Q_GETQUOTA:
2173                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2174                 break;
2175         default:
2176                 rc = 0;  /* let the kernel handle invalid cmds */
2177                 break;
2178         }
2179         return rc;
2180 }
2181
2182 static int selinux_quota_on(struct dentry *dentry)
2183 {
2184         const struct cred *cred = current_cred();
2185
2186         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2187 }
2188
2189 static int selinux_syslog(int type)
2190 {
2191         switch (type) {
2192         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2193         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2194                 return avc_has_perm(&selinux_state,
2195                                     current_sid(), SECINITSID_KERNEL,
2196                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2197         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2198         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2199         /* Set level of messages printed to console */
2200         case SYSLOG_ACTION_CONSOLE_LEVEL:
2201                 return avc_has_perm(&selinux_state,
2202                                     current_sid(), SECINITSID_KERNEL,
2203                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2204                                     NULL);
2205         }
2206         /* All other syslog types */
2207         return avc_has_perm(&selinux_state,
2208                             current_sid(), SECINITSID_KERNEL,
2209                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2210 }
2211
2212 /*
2213  * Check that a process has enough memory to allocate a new virtual
2214  * mapping. 0 means there is enough memory for the allocation to
2215  * succeed and -ENOMEM implies there is not.
2216  *
2217  * Do not audit the selinux permission check, as this is applied to all
2218  * processes that allocate mappings.
2219  */
2220 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2221 {
2222         int rc, cap_sys_admin = 0;
2223
2224         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2225                                  CAP_OPT_NOAUDIT, true);
2226         if (rc == 0)
2227                 cap_sys_admin = 1;
2228
2229         return cap_sys_admin;
2230 }
2231
2232 /* binprm security operations */
2233
2234 static u32 ptrace_parent_sid(void)
2235 {
2236         u32 sid = 0;
2237         struct task_struct *tracer;
2238
2239         rcu_read_lock();
2240         tracer = ptrace_parent(current);
2241         if (tracer)
2242                 sid = task_sid(tracer);
2243         rcu_read_unlock();
2244
2245         return sid;
2246 }
2247
2248 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2249                             const struct task_security_struct *old_tsec,
2250                             const struct task_security_struct *new_tsec)
2251 {
2252         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2253         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2254         int rc;
2255         u32 av;
2256
2257         if (!nnp && !nosuid)
2258                 return 0; /* neither NNP nor nosuid */
2259
2260         if (new_tsec->sid == old_tsec->sid)
2261                 return 0; /* No change in credentials */
2262
2263         /*
2264          * If the policy enables the nnp_nosuid_transition policy capability,
2265          * then we permit transitions under NNP or nosuid if the
2266          * policy allows the corresponding permission between
2267          * the old and new contexts.
2268          */
2269         if (selinux_policycap_nnp_nosuid_transition()) {
2270                 av = 0;
2271                 if (nnp)
2272                         av |= PROCESS2__NNP_TRANSITION;
2273                 if (nosuid)
2274                         av |= PROCESS2__NOSUID_TRANSITION;
2275                 rc = avc_has_perm(&selinux_state,
2276                                   old_tsec->sid, new_tsec->sid,
2277                                   SECCLASS_PROCESS2, av, NULL);
2278                 if (!rc)
2279                         return 0;
2280         }
2281
2282         /*
2283          * We also permit NNP or nosuid transitions to bounded SIDs,
2284          * i.e. SIDs that are guaranteed to only be allowed a subset
2285          * of the permissions of the current SID.
2286          */
2287         rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2288                                          new_tsec->sid);
2289         if (!rc)
2290                 return 0;
2291
2292         /*
2293          * On failure, preserve the errno values for NNP vs nosuid.
2294          * NNP:  Operation not permitted for caller.
2295          * nosuid:  Permission denied to file.
2296          */
2297         if (nnp)
2298                 return -EPERM;
2299         return -EACCES;
2300 }
2301
2302 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2303 {
2304         const struct task_security_struct *old_tsec;
2305         struct task_security_struct *new_tsec;
2306         struct inode_security_struct *isec;
2307         struct common_audit_data ad;
2308         struct inode *inode = file_inode(bprm->file);
2309         int rc;
2310
2311         /* SELinux context only depends on initial program or script and not
2312          * the script interpreter */
2313         if (bprm->called_set_creds)
2314                 return 0;
2315
2316         old_tsec = selinux_cred(current_cred());
2317         new_tsec = selinux_cred(bprm->cred);
2318         isec = inode_security(inode);
2319
2320         /* Default to the current task SID. */
2321         new_tsec->sid = old_tsec->sid;
2322         new_tsec->osid = old_tsec->sid;
2323
2324         /* Reset fs, key, and sock SIDs on execve. */
2325         new_tsec->create_sid = 0;
2326         new_tsec->keycreate_sid = 0;
2327         new_tsec->sockcreate_sid = 0;
2328
2329         if (old_tsec->exec_sid) {
2330                 new_tsec->sid = old_tsec->exec_sid;
2331                 /* Reset exec SID on execve. */
2332                 new_tsec->exec_sid = 0;
2333
2334                 /* Fail on NNP or nosuid if not an allowed transition. */
2335                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2336                 if (rc)
2337                         return rc;
2338         } else {
2339                 /* Check for a default transition on this program. */
2340                 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2341                                              isec->sid, SECCLASS_PROCESS, NULL,
2342                                              &new_tsec->sid);
2343                 if (rc)
2344                         return rc;
2345
2346                 /*
2347                  * Fallback to old SID on NNP or nosuid if not an allowed
2348                  * transition.
2349                  */
2350                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2351                 if (rc)
2352                         new_tsec->sid = old_tsec->sid;
2353         }
2354
2355         ad.type = LSM_AUDIT_DATA_FILE;
2356         ad.u.file = bprm->file;
2357
2358         if (new_tsec->sid == old_tsec->sid) {
2359                 rc = avc_has_perm(&selinux_state,
2360                                   old_tsec->sid, isec->sid,
2361                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2362                 if (rc)
2363                         return rc;
2364         } else {
2365                 /* Check permissions for the transition. */
2366                 rc = avc_has_perm(&selinux_state,
2367                                   old_tsec->sid, new_tsec->sid,
2368                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2369                 if (rc)
2370                         return rc;
2371
2372                 rc = avc_has_perm(&selinux_state,
2373                                   new_tsec->sid, isec->sid,
2374                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2375                 if (rc)
2376                         return rc;
2377
2378                 /* Check for shared state */
2379                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2380                         rc = avc_has_perm(&selinux_state,
2381                                           old_tsec->sid, new_tsec->sid,
2382                                           SECCLASS_PROCESS, PROCESS__SHARE,
2383                                           NULL);
2384                         if (rc)
2385                                 return -EPERM;
2386                 }
2387
2388                 /* Make sure that anyone attempting to ptrace over a task that
2389                  * changes its SID has the appropriate permit */
2390                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2391                         u32 ptsid = ptrace_parent_sid();
2392                         if (ptsid != 0) {
2393                                 rc = avc_has_perm(&selinux_state,
2394                                                   ptsid, new_tsec->sid,
2395                                                   SECCLASS_PROCESS,
2396                                                   PROCESS__PTRACE, NULL);
2397                                 if (rc)
2398                                         return -EPERM;
2399                         }
2400                 }
2401
2402                 /* Clear any possibly unsafe personality bits on exec: */
2403                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2404
2405                 /* Enable secure mode for SIDs transitions unless
2406                    the noatsecure permission is granted between
2407                    the two SIDs, i.e. ahp returns 0. */
2408                 rc = avc_has_perm(&selinux_state,
2409                                   old_tsec->sid, new_tsec->sid,
2410                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2411                                   NULL);
2412                 bprm->secureexec |= !!rc;
2413         }
2414
2415         return 0;
2416 }
2417
2418 static int match_file(const void *p, struct file *file, unsigned fd)
2419 {
2420         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2421 }
2422
2423 /* Derived from fs/exec.c:flush_old_files. */
2424 static inline void flush_unauthorized_files(const struct cred *cred,
2425                                             struct files_struct *files)
2426 {
2427         struct file *file, *devnull = NULL;
2428         struct tty_struct *tty;
2429         int drop_tty = 0;
2430         unsigned n;
2431
2432         tty = get_current_tty();
2433         if (tty) {
2434                 spin_lock(&tty->files_lock);
2435                 if (!list_empty(&tty->tty_files)) {
2436                         struct tty_file_private *file_priv;
2437
2438                         /* Revalidate access to controlling tty.
2439                            Use file_path_has_perm on the tty path directly
2440                            rather than using file_has_perm, as this particular
2441                            open file may belong to another process and we are
2442                            only interested in the inode-based check here. */
2443                         file_priv = list_first_entry(&tty->tty_files,
2444                                                 struct tty_file_private, list);
2445                         file = file_priv->file;
2446                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2447                                 drop_tty = 1;
2448                 }
2449                 spin_unlock(&tty->files_lock);
2450                 tty_kref_put(tty);
2451         }
2452         /* Reset controlling tty. */
2453         if (drop_tty)
2454                 no_tty();
2455
2456         /* Revalidate access to inherited open files. */
2457         n = iterate_fd(files, 0, match_file, cred);
2458         if (!n) /* none found? */
2459                 return;
2460
2461         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2462         if (IS_ERR(devnull))
2463                 devnull = NULL;
2464         /* replace all the matching ones with this */
2465         do {
2466                 replace_fd(n - 1, devnull, 0);
2467         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2468         if (devnull)
2469                 fput(devnull);
2470 }
2471
2472 /*
2473  * Prepare a process for imminent new credential changes due to exec
2474  */
2475 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2476 {
2477         struct task_security_struct *new_tsec;
2478         struct rlimit *rlim, *initrlim;
2479         int rc, i;
2480
2481         new_tsec = selinux_cred(bprm->cred);
2482         if (new_tsec->sid == new_tsec->osid)
2483                 return;
2484
2485         /* Close files for which the new task SID is not authorized. */
2486         flush_unauthorized_files(bprm->cred, current->files);
2487
2488         /* Always clear parent death signal on SID transitions. */
2489         current->pdeath_signal = 0;
2490
2491         /* Check whether the new SID can inherit resource limits from the old
2492          * SID.  If not, reset all soft limits to the lower of the current
2493          * task's hard limit and the init task's soft limit.
2494          *
2495          * Note that the setting of hard limits (even to lower them) can be
2496          * controlled by the setrlimit check.  The inclusion of the init task's
2497          * soft limit into the computation is to avoid resetting soft limits
2498          * higher than the default soft limit for cases where the default is
2499          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2500          */
2501         rc = avc_has_perm(&selinux_state,
2502                           new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2503                           PROCESS__RLIMITINH, NULL);
2504         if (rc) {
2505                 /* protect against do_prlimit() */
2506                 task_lock(current);
2507                 for (i = 0; i < RLIM_NLIMITS; i++) {
2508                         rlim = current->signal->rlim + i;
2509                         initrlim = init_task.signal->rlim + i;
2510                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2511                 }
2512                 task_unlock(current);
2513                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2514                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2515         }
2516 }
2517
2518 /*
2519  * Clean up the process immediately after the installation of new credentials
2520  * due to exec
2521  */
2522 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2523 {
2524         const struct task_security_struct *tsec = selinux_cred(current_cred());
2525         struct itimerval itimer;
2526         u32 osid, sid;
2527         int rc, i;
2528
2529         osid = tsec->osid;
2530         sid = tsec->sid;
2531
2532         if (sid == osid)
2533                 return;
2534
2535         /* Check whether the new SID can inherit signal state from the old SID.
2536          * If not, clear itimers to avoid subsequent signal generation and
2537          * flush and unblock signals.
2538          *
2539          * This must occur _after_ the task SID has been updated so that any
2540          * kill done after the flush will be checked against the new SID.
2541          */
2542         rc = avc_has_perm(&selinux_state,
2543                           osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2544         if (rc) {
2545                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2546                         memset(&itimer, 0, sizeof itimer);
2547                         for (i = 0; i < 3; i++)
2548                                 do_setitimer(i, &itimer, NULL);
2549                 }
2550                 spin_lock_irq(&current->sighand->siglock);
2551                 if (!fatal_signal_pending(current)) {
2552                         flush_sigqueue(&current->pending);
2553                         flush_sigqueue(&current->signal->shared_pending);
2554                         flush_signal_handlers(current, 1);
2555                         sigemptyset(&current->blocked);
2556                         recalc_sigpending();
2557                 }
2558                 spin_unlock_irq(&current->sighand->siglock);
2559         }
2560
2561         /* Wake up the parent if it is waiting so that it can recheck
2562          * wait permission to the new task SID. */
2563         read_lock(&tasklist_lock);
2564         __wake_up_parent(current, current->real_parent);
2565         read_unlock(&tasklist_lock);
2566 }
2567
2568 /* superblock security operations */
2569
2570 static int selinux_sb_alloc_security(struct super_block *sb)
2571 {
2572         return superblock_alloc_security(sb);
2573 }
2574
2575 static void selinux_sb_free_security(struct super_block *sb)
2576 {
2577         superblock_free_security(sb);
2578 }
2579
2580 static inline int opt_len(const char *s)
2581 {
2582         bool open_quote = false;
2583         int len;
2584         char c;
2585
2586         for (len = 0; (c = s[len]) != '\0'; len++) {
2587                 if (c == '"')
2588                         open_quote = !open_quote;
2589                 if (c == ',' && !open_quote)
2590                         break;
2591         }
2592         return len;
2593 }
2594
2595 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2596 {
2597         char *from = options;
2598         char *to = options;
2599         bool first = true;
2600
2601         while (1) {
2602                 int len = opt_len(from);
2603                 int token, rc;
2604                 char *arg = NULL;
2605
2606                 token = match_opt_prefix(from, len, &arg);
2607
2608                 if (token != Opt_error) {
2609                         char *p, *q;
2610
2611                         /* strip quotes */
2612                         if (arg) {
2613                                 for (p = q = arg; p < from + len; p++) {
2614                                         char c = *p;
2615                                         if (c != '"')
2616                                                 *q++ = c;
2617                                 }
2618                                 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2619                         }
2620                         rc = selinux_add_opt(token, arg, mnt_opts);
2621                         if (unlikely(rc)) {
2622                                 kfree(arg);
2623                                 if (*mnt_opts) {
2624                                         selinux_free_mnt_opts(*mnt_opts);
2625                                         *mnt_opts = NULL;
2626                                 }
2627                                 return rc;
2628                         }
2629                 } else {
2630                         if (!first) {   // copy with preceding comma
2631                                 from--;
2632                                 len++;
2633                         }
2634                         if (to != from)
2635                                 memmove(to, from, len);
2636                         to += len;
2637                         first = false;
2638                 }
2639                 if (!from[len])
2640                         break;
2641                 from += len + 1;
2642         }
2643         *to = '\0';
2644         return 0;
2645 }
2646
2647 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2648 {
2649         struct selinux_mnt_opts *opts = mnt_opts;
2650         struct superblock_security_struct *sbsec = sb->s_security;
2651         u32 sid;
2652         int rc;
2653
2654         if (!(sbsec->flags & SE_SBINITIALIZED))
2655                 return 0;
2656
2657         if (!opts)
2658                 return 0;
2659
2660         if (opts->fscontext) {
2661                 rc = parse_sid(sb, opts->fscontext, &sid);
2662                 if (rc)
2663                         return rc;
2664                 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2665                         goto out_bad_option;
2666         }
2667         if (opts->context) {
2668                 rc = parse_sid(sb, opts->context, &sid);
2669                 if (rc)
2670                         return rc;
2671                 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2672                         goto out_bad_option;
2673         }
2674         if (opts->rootcontext) {
2675                 struct inode_security_struct *root_isec;
2676                 root_isec = backing_inode_security(sb->s_root);
2677                 rc = parse_sid(sb, opts->rootcontext, &sid);
2678                 if (rc)
2679                         return rc;
2680                 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2681                         goto out_bad_option;
2682         }
2683         if (opts->defcontext) {
2684                 rc = parse_sid(sb, opts->defcontext, &sid);
2685                 if (rc)
2686                         return rc;
2687                 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2688                         goto out_bad_option;
2689         }
2690         return 0;
2691
2692 out_bad_option:
2693         pr_warn("SELinux: unable to change security options "
2694                "during remount (dev %s, type=%s)\n", sb->s_id,
2695                sb->s_type->name);
2696         return -EINVAL;
2697 }
2698
2699 static int selinux_sb_kern_mount(struct super_block *sb)
2700 {
2701         const struct cred *cred = current_cred();
2702         struct common_audit_data ad;
2703
2704         ad.type = LSM_AUDIT_DATA_DENTRY;
2705         ad.u.dentry = sb->s_root;
2706         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2707 }
2708
2709 static int selinux_sb_statfs(struct dentry *dentry)
2710 {
2711         const struct cred *cred = current_cred();
2712         struct common_audit_data ad;
2713
2714         ad.type = LSM_AUDIT_DATA_DENTRY;
2715         ad.u.dentry = dentry->d_sb->s_root;
2716         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2717 }
2718
2719 static int selinux_mount(const char *dev_name,
2720                          const struct path *path,
2721                          const char *type,
2722                          unsigned long flags,
2723                          void *data)
2724 {
2725         const struct cred *cred = current_cred();
2726
2727         if (flags & MS_REMOUNT)
2728                 return superblock_has_perm(cred, path->dentry->d_sb,
2729                                            FILESYSTEM__REMOUNT, NULL);
2730         else
2731                 return path_has_perm(cred, path, FILE__MOUNTON);
2732 }
2733
2734 static int selinux_umount(struct vfsmount *mnt, int flags)
2735 {
2736         const struct cred *cred = current_cred();
2737
2738         return superblock_has_perm(cred, mnt->mnt_sb,
2739                                    FILESYSTEM__UNMOUNT, NULL);
2740 }
2741
2742 /* inode security operations */
2743
2744 static int selinux_inode_alloc_security(struct inode *inode)
2745 {
2746         return inode_alloc_security(inode);
2747 }
2748
2749 static void selinux_inode_free_security(struct inode *inode)
2750 {
2751         inode_free_security(inode);
2752 }
2753
2754 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2755                                         const struct qstr *name, void **ctx,
2756                                         u32 *ctxlen)
2757 {
2758         u32 newsid;
2759         int rc;
2760
2761         rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2762                                            d_inode(dentry->d_parent), name,
2763                                            inode_mode_to_security_class(mode),
2764                                            &newsid);
2765         if (rc)
2766                 return rc;
2767
2768         return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2769                                        ctxlen);
2770 }
2771
2772 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2773                                           struct qstr *name,
2774                                           const struct cred *old,
2775                                           struct cred *new)
2776 {
2777         u32 newsid;
2778         int rc;
2779         struct task_security_struct *tsec;
2780
2781         rc = selinux_determine_inode_label(selinux_cred(old),
2782                                            d_inode(dentry->d_parent), name,
2783                                            inode_mode_to_security_class(mode),
2784                                            &newsid);
2785         if (rc)
2786                 return rc;
2787
2788         tsec = selinux_cred(new);
2789         tsec->create_sid = newsid;
2790         return 0;
2791 }
2792
2793 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2794                                        const struct qstr *qstr,
2795                                        const char **name,
2796                                        void **value, size_t *len)
2797 {
2798         const struct task_security_struct *tsec = selinux_cred(current_cred());
2799         struct superblock_security_struct *sbsec;
2800         u32 newsid, clen;
2801         int rc;
2802         char *context;
2803
2804         sbsec = dir->i_sb->s_security;
2805
2806         newsid = tsec->create_sid;
2807
2808         rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2809                 dir, qstr,
2810                 inode_mode_to_security_class(inode->i_mode),
2811                 &newsid);
2812         if (rc)
2813                 return rc;
2814
2815         /* Possibly defer initialization to selinux_complete_init. */
2816         if (sbsec->flags & SE_SBINITIALIZED) {
2817                 struct inode_security_struct *isec = selinux_inode(inode);
2818                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2819                 isec->sid = newsid;
2820                 isec->initialized = LABEL_INITIALIZED;
2821         }
2822
2823         if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2824                 return -EOPNOTSUPP;
2825
2826         if (name)
2827                 *name = XATTR_SELINUX_SUFFIX;
2828
2829         if (value && len) {
2830                 rc = security_sid_to_context_force(&selinux_state, newsid,
2831                                                    &context, &clen);
2832                 if (rc)
2833                         return rc;
2834                 *value = context;
2835                 *len = clen;
2836         }
2837
2838         return 0;
2839 }
2840
2841 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2842 {
2843         return may_create(dir, dentry, SECCLASS_FILE);
2844 }
2845
2846 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2847 {
2848         return may_link(dir, old_dentry, MAY_LINK);
2849 }
2850
2851 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2852 {
2853         return may_link(dir, dentry, MAY_UNLINK);
2854 }
2855
2856 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2857 {
2858         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2859 }
2860
2861 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2862 {
2863         return may_create(dir, dentry, SECCLASS_DIR);
2864 }
2865
2866 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2867 {
2868         return may_link(dir, dentry, MAY_RMDIR);
2869 }
2870
2871 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2872 {
2873         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2874 }
2875
2876 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2877                                 struct inode *new_inode, struct dentry *new_dentry)
2878 {
2879         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2880 }
2881
2882 static int selinux_inode_readlink(struct dentry *dentry)
2883 {
2884         const struct cred *cred = current_cred();
2885
2886         return dentry_has_perm(cred, dentry, FILE__READ);
2887 }
2888
2889 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2890                                      bool rcu)
2891 {
2892         const struct cred *cred = current_cred();
2893         struct common_audit_data ad;
2894         struct inode_security_struct *isec;
2895         u32 sid;
2896
2897         validate_creds(cred);
2898
2899         ad.type = LSM_AUDIT_DATA_DENTRY;
2900         ad.u.dentry = dentry;
2901         sid = cred_sid(cred);
2902         isec = inode_security_rcu(inode, rcu);
2903         if (IS_ERR(isec))
2904                 return PTR_ERR(isec);
2905
2906         return avc_has_perm(&selinux_state,
2907                             sid, isec->sid, isec->sclass, FILE__READ, &ad);
2908 }
2909
2910 static noinline int audit_inode_permission(struct inode *inode,
2911                                            u32 perms, u32 audited, u32 denied,
2912                                            int result,
2913                                            unsigned flags)
2914 {
2915         struct common_audit_data ad;
2916         struct inode_security_struct *isec = selinux_inode(inode);
2917         int rc;
2918
2919         ad.type = LSM_AUDIT_DATA_INODE;
2920         ad.u.inode = inode;
2921
2922         rc = slow_avc_audit(&selinux_state,
2923                             current_sid(), isec->sid, isec->sclass, perms,
2924                             audited, denied, result, &ad, flags);
2925         if (rc)
2926                 return rc;
2927         return 0;
2928 }
2929
2930 static int selinux_inode_permission(struct inode *inode, int mask)
2931 {
2932         const struct cred *cred = current_cred();
2933         u32 perms;
2934         bool from_access;
2935         unsigned flags = mask & MAY_NOT_BLOCK;
2936         struct inode_security_struct *isec;
2937         u32 sid;
2938         struct av_decision avd;
2939         int rc, rc2;
2940         u32 audited, denied;
2941
2942         from_access = mask & MAY_ACCESS;
2943         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2944
2945         /* No permission to check.  Existence test. */
2946         if (!mask)
2947                 return 0;
2948
2949         validate_creds(cred);
2950
2951         if (unlikely(IS_PRIVATE(inode)))
2952                 return 0;
2953
2954         perms = file_mask_to_av(inode->i_mode, mask);
2955
2956         sid = cred_sid(cred);
2957         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2958         if (IS_ERR(isec))
2959                 return PTR_ERR(isec);
2960
2961         rc = avc_has_perm_noaudit(&selinux_state,
2962                                   sid, isec->sid, isec->sclass, perms,
2963                                   (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
2964                                   &avd);
2965         audited = avc_audit_required(perms, &avd, rc,
2966                                      from_access ? FILE__AUDIT_ACCESS : 0,
2967                                      &denied);
2968         if (likely(!audited))
2969                 return rc;
2970
2971         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2972         if (rc2)
2973                 return rc2;
2974         return rc;
2975 }
2976
2977 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2978 {
2979         const struct cred *cred = current_cred();
2980         struct inode *inode = d_backing_inode(dentry);
2981         unsigned int ia_valid = iattr->ia_valid;
2982         __u32 av = FILE__WRITE;
2983
2984         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2985         if (ia_valid & ATTR_FORCE) {
2986                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2987                               ATTR_FORCE);
2988                 if (!ia_valid)
2989                         return 0;
2990         }
2991
2992         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2993                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2994                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2995
2996         if (selinux_policycap_openperm() &&
2997             inode->i_sb->s_magic != SOCKFS_MAGIC &&
2998             (ia_valid & ATTR_SIZE) &&
2999             !(ia_valid & ATTR_FILE))
3000                 av |= FILE__OPEN;
3001
3002         return dentry_has_perm(cred, dentry, av);
3003 }
3004
3005 static int selinux_inode_getattr(const struct path *path)
3006 {
3007         return path_has_perm(current_cred(), path, FILE__GETATTR);
3008 }
3009
3010 static bool has_cap_mac_admin(bool audit)
3011 {
3012         const struct cred *cred = current_cred();
3013         unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3014
3015         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3016                 return false;
3017         if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3018                 return false;
3019         return true;
3020 }
3021
3022 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3023                                   const void *value, size_t size, int flags)
3024 {
3025         struct inode *inode = d_backing_inode(dentry);
3026         struct inode_security_struct *isec;
3027         struct superblock_security_struct *sbsec;
3028         struct common_audit_data ad;
3029         u32 newsid, sid = current_sid();
3030         int rc = 0;
3031
3032         if (strcmp(name, XATTR_NAME_SELINUX)) {
3033                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3034                 if (rc)
3035                         return rc;
3036
3037                 /* Not an attribute we recognize, so just check the
3038                    ordinary setattr permission. */
3039                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3040         }
3041
3042         sbsec = inode->i_sb->s_security;
3043         if (!(sbsec->flags & SBLABEL_MNT))
3044                 return -EOPNOTSUPP;
3045
3046         if (!inode_owner_or_capable(inode))
3047                 return -EPERM;
3048
3049         ad.type = LSM_AUDIT_DATA_DENTRY;
3050         ad.u.dentry = dentry;
3051
3052         isec = backing_inode_security(dentry);
3053         rc = avc_has_perm(&selinux_state,
3054                           sid, isec->sid, isec->sclass,
3055                           FILE__RELABELFROM, &ad);
3056         if (rc)
3057                 return rc;
3058
3059         rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3060                                      GFP_KERNEL);
3061         if (rc == -EINVAL) {
3062                 if (!has_cap_mac_admin(true)) {
3063                         struct audit_buffer *ab;
3064                         size_t audit_size;
3065
3066                         /* We strip a nul only if it is at the end, otherwise the
3067                          * context contains a nul and we should audit that */
3068                         if (value) {
3069                                 const char *str = value;
3070
3071                                 if (str[size - 1] == '\0')
3072                                         audit_size = size - 1;
3073                                 else
3074                                         audit_size = size;
3075                         } else {
3076                                 audit_size = 0;
3077                         }
3078                         ab = audit_log_start(audit_context(),
3079                                              GFP_ATOMIC, AUDIT_SELINUX_ERR);
3080                         audit_log_format(ab, "op=setxattr invalid_context=");
3081                         audit_log_n_untrustedstring(ab, value, audit_size);
3082                         audit_log_end(ab);
3083
3084                         return rc;
3085                 }
3086                 rc = security_context_to_sid_force(&selinux_state, value,
3087                                                    size, &newsid);
3088         }
3089         if (rc)
3090                 return rc;
3091
3092         rc = avc_has_perm(&selinux_state,
3093                           sid, newsid, isec->sclass,
3094                           FILE__RELABELTO, &ad);
3095         if (rc)
3096                 return rc;
3097
3098         rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3099                                           sid, isec->sclass);
3100         if (rc)
3101                 return rc;
3102
3103         return avc_has_perm(&selinux_state,
3104                             newsid,
3105                             sbsec->sid,
3106                             SECCLASS_FILESYSTEM,
3107                             FILESYSTEM__ASSOCIATE,
3108                             &ad);
3109 }
3110
3111 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3112                                         const void *value, size_t size,
3113                                         int flags)
3114 {
3115         struct inode *inode = d_backing_inode(dentry);
3116         struct inode_security_struct *isec;
3117         u32 newsid;
3118         int rc;
3119
3120         if (strcmp(name, XATTR_NAME_SELINUX)) {
3121                 /* Not an attribute we recognize, so nothing to do. */
3122                 return;
3123         }
3124
3125         rc = security_context_to_sid_force(&selinux_state, value, size,
3126                                            &newsid);
3127         if (rc) {
3128                 pr_err("SELinux:  unable to map context to SID"
3129                        "for (%s, %lu), rc=%d\n",
3130                        inode->i_sb->s_id, inode->i_ino, -rc);
3131                 return;
3132         }
3133
3134         isec = backing_inode_security(dentry);
3135         spin_lock(&isec->lock);
3136         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3137         isec->sid = newsid;
3138         isec->initialized = LABEL_INITIALIZED;
3139         spin_unlock(&isec->lock);
3140
3141         return;
3142 }
3143
3144 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3145 {
3146         const struct cred *cred = current_cred();
3147
3148         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3149 }
3150
3151 static int selinux_inode_listxattr(struct dentry *dentry)
3152 {
3153         const struct cred *cred = current_cred();
3154
3155         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3156 }
3157
3158 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3159 {
3160         if (strcmp(name, XATTR_NAME_SELINUX)) {
3161                 int rc = cap_inode_removexattr(dentry, name);
3162                 if (rc)
3163                         return rc;
3164
3165                 /* Not an attribute we recognize, so just check the
3166                    ordinary setattr permission. */
3167                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3168         }
3169
3170         /* No one is allowed to remove a SELinux security label.
3171            You can change the label, but all data must be labeled. */
3172         return -EACCES;
3173 }
3174
3175 /*
3176  * Copy the inode security context value to the user.
3177  *
3178  * Permission check is handled by selinux_inode_getxattr hook.
3179  */
3180 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3181 {
3182         u32 size;
3183         int error;
3184         char *context = NULL;
3185         struct inode_security_struct *isec;
3186
3187         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3188                 return -EOPNOTSUPP;
3189
3190         /*
3191          * If the caller has CAP_MAC_ADMIN, then get the raw context
3192          * value even if it is not defined by current policy; otherwise,
3193          * use the in-core value under current policy.
3194          * Use the non-auditing forms of the permission checks since
3195          * getxattr may be called by unprivileged processes commonly
3196          * and lack of permission just means that we fall back to the
3197          * in-core context value, not a denial.
3198          */
3199         isec = inode_security(inode);
3200         if (has_cap_mac_admin(false))
3201                 error = security_sid_to_context_force(&selinux_state,
3202                                                       isec->sid, &context,
3203                                                       &size);
3204         else
3205                 error = security_sid_to_context(&selinux_state, isec->sid,
3206                                                 &context, &size);
3207         if (error)
3208                 return error;
3209         error = size;
3210         if (alloc) {
3211                 *buffer = context;
3212                 goto out_nofree;
3213         }
3214         kfree(context);
3215 out_nofree:
3216         return error;
3217 }
3218
3219 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3220                                      const void *value, size_t size, int flags)
3221 {
3222         struct inode_security_struct *isec = inode_security_novalidate(inode);
3223         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3224         u32 newsid;
3225         int rc;
3226
3227         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3228                 return -EOPNOTSUPP;
3229
3230         if (!(sbsec->flags & SBLABEL_MNT))
3231                 return -EOPNOTSUPP;
3232
3233         if (!value || !size)
3234                 return -EACCES;
3235
3236         rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3237                                      GFP_KERNEL);
3238         if (rc)
3239                 return rc;
3240
3241         spin_lock(&isec->lock);
3242         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3243         isec->sid = newsid;
3244         isec->initialized = LABEL_INITIALIZED;
3245         spin_unlock(&isec->lock);
3246         return 0;
3247 }
3248
3249 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3250 {
3251         const int len = sizeof(XATTR_NAME_SELINUX);
3252         if (buffer && len <= buffer_size)
3253                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3254         return len;
3255 }
3256
3257 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3258 {
3259         struct inode_security_struct *isec = inode_security_novalidate(inode);
3260         *secid = isec->sid;
3261 }
3262
3263 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3264 {
3265         u32 sid;
3266         struct task_security_struct *tsec;
3267         struct cred *new_creds = *new;
3268
3269         if (new_creds == NULL) {
3270                 new_creds = prepare_creds();
3271                 if (!new_creds)
3272                         return -ENOMEM;
3273         }
3274
3275         tsec = selinux_cred(new_creds);
3276         /* Get label from overlay inode and set it in create_sid */
3277         selinux_inode_getsecid(d_inode(src), &sid);
3278         tsec->create_sid = sid;
3279         *new = new_creds;
3280         return 0;
3281 }
3282
3283 static int selinux_inode_copy_up_xattr(const char *name)
3284 {
3285         /* The copy_up hook above sets the initial context on an inode, but we
3286          * don't then want to overwrite it by blindly copying all the lower
3287          * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3288          */
3289         if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3290                 return 1; /* Discard */
3291         /*
3292          * Any other attribute apart from SELINUX is not claimed, supported
3293          * by selinux.
3294          */
3295         return -EOPNOTSUPP;
3296 }
3297
3298 /* file security operations */
3299
3300 static int selinux_revalidate_file_permission(struct file *file, int mask)
3301 {