security: convert security hooks to use hlist
[muen/linux.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *      This program is free software; you can redistribute it and/or modify
23  *      it under the terms of the GNU General Public License version 2,
24  *      as published by the Free Software Foundation.
25  */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>             /* for local_port_range[] */
56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>    /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h>           /* for Unix socket types */
72 #include <net/af_unix.h>        /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89
90 #include "avc.h"
91 #include "objsec.h"
92 #include "netif.h"
93 #include "netnode.h"
94 #include "netport.h"
95 #include "ibpkey.h"
96 #include "xfrm.h"
97 #include "netlabel.h"
98 #include "audit.h"
99 #include "avc_ss.h"
100
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106
107 static int __init enforcing_setup(char *str)
108 {
109         unsigned long enforcing;
110         if (!kstrtoul(str, 0, &enforcing))
111                 selinux_enforcing = enforcing ? 1 : 0;
112         return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120 static int __init selinux_enabled_setup(char *str)
121 {
122         unsigned long enabled;
123         if (!kstrtoul(str, 0, &enabled))
124                 selinux_enabled = enabled ? 1 : 0;
125         return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131
132 static struct kmem_cache *sel_inode_cache;
133 static struct kmem_cache *file_security_cache;
134
135 /**
136  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
137  *
138  * Description:
139  * This function checks the SECMARK reference counter to see if any SECMARK
140  * targets are currently configured, if the reference counter is greater than
141  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
142  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
143  * policy capability is enabled, SECMARK is always considered enabled.
144  *
145  */
146 static int selinux_secmark_enabled(void)
147 {
148         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
149 }
150
151 /**
152  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
153  *
154  * Description:
155  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
156  * (1) if any are enabled or false (0) if neither are enabled.  If the
157  * always_check_network policy capability is enabled, peer labeling
158  * is always considered enabled.
159  *
160  */
161 static int selinux_peerlbl_enabled(void)
162 {
163         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
164 }
165
166 static int selinux_netcache_avc_callback(u32 event)
167 {
168         if (event == AVC_CALLBACK_RESET) {
169                 sel_netif_flush();
170                 sel_netnode_flush();
171                 sel_netport_flush();
172                 synchronize_net();
173         }
174         return 0;
175 }
176
177 static int selinux_lsm_notifier_avc_callback(u32 event)
178 {
179         if (event == AVC_CALLBACK_RESET) {
180                 sel_ib_pkey_flush();
181                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
182         }
183
184         return 0;
185 }
186
187 /*
188  * initialise the security for the init task
189  */
190 static void cred_init_security(void)
191 {
192         struct cred *cred = (struct cred *) current->real_cred;
193         struct task_security_struct *tsec;
194
195         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
196         if (!tsec)
197                 panic("SELinux:  Failed to initialize initial task.\n");
198
199         tsec->osid = tsec->sid = SECINITSID_KERNEL;
200         cred->security = tsec;
201 }
202
203 /*
204  * get the security ID of a set of credentials
205  */
206 static inline u32 cred_sid(const struct cred *cred)
207 {
208         const struct task_security_struct *tsec;
209
210         tsec = cred->security;
211         return tsec->sid;
212 }
213
214 /*
215  * get the objective security ID of a task
216  */
217 static inline u32 task_sid(const struct task_struct *task)
218 {
219         u32 sid;
220
221         rcu_read_lock();
222         sid = cred_sid(__task_cred(task));
223         rcu_read_unlock();
224         return sid;
225 }
226
227 /* Allocate and free functions for each kind of security blob. */
228
229 static int inode_alloc_security(struct inode *inode)
230 {
231         struct inode_security_struct *isec;
232         u32 sid = current_sid();
233
234         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
235         if (!isec)
236                 return -ENOMEM;
237
238         spin_lock_init(&isec->lock);
239         INIT_LIST_HEAD(&isec->list);
240         isec->inode = inode;
241         isec->sid = SECINITSID_UNLABELED;
242         isec->sclass = SECCLASS_FILE;
243         isec->task_sid = sid;
244         isec->initialized = LABEL_INVALID;
245         inode->i_security = isec;
246
247         return 0;
248 }
249
250 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
251
252 /*
253  * Try reloading inode security labels that have been marked as invalid.  The
254  * @may_sleep parameter indicates when sleeping and thus reloading labels is
255  * allowed; when set to false, returns -ECHILD when the label is
256  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
257  * when no dentry is available, set it to NULL instead.
258  */
259 static int __inode_security_revalidate(struct inode *inode,
260                                        struct dentry *opt_dentry,
261                                        bool may_sleep)
262 {
263         struct inode_security_struct *isec = inode->i_security;
264
265         might_sleep_if(may_sleep);
266
267         if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
268                 if (!may_sleep)
269                         return -ECHILD;
270
271                 /*
272                  * Try reloading the inode security label.  This will fail if
273                  * @opt_dentry is NULL and no dentry for this inode can be
274                  * found; in that case, continue using the old label.
275                  */
276                 inode_doinit_with_dentry(inode, opt_dentry);
277         }
278         return 0;
279 }
280
281 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282 {
283         return inode->i_security;
284 }
285
286 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
287 {
288         int error;
289
290         error = __inode_security_revalidate(inode, NULL, !rcu);
291         if (error)
292                 return ERR_PTR(error);
293         return inode->i_security;
294 }
295
296 /*
297  * Get the security label of an inode.
298  */
299 static struct inode_security_struct *inode_security(struct inode *inode)
300 {
301         __inode_security_revalidate(inode, NULL, true);
302         return inode->i_security;
303 }
304
305 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306 {
307         struct inode *inode = d_backing_inode(dentry);
308
309         return inode->i_security;
310 }
311
312 /*
313  * Get the security label of a dentry's backing inode.
314  */
315 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316 {
317         struct inode *inode = d_backing_inode(dentry);
318
319         __inode_security_revalidate(inode, dentry, true);
320         return inode->i_security;
321 }
322
323 static void inode_free_rcu(struct rcu_head *head)
324 {
325         struct inode_security_struct *isec;
326
327         isec = container_of(head, struct inode_security_struct, rcu);
328         kmem_cache_free(sel_inode_cache, isec);
329 }
330
331 static void inode_free_security(struct inode *inode)
332 {
333         struct inode_security_struct *isec = inode->i_security;
334         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
335
336         /*
337          * As not all inode security structures are in a list, we check for
338          * empty list outside of the lock to make sure that we won't waste
339          * time taking a lock doing nothing.
340          *
341          * The list_del_init() function can be safely called more than once.
342          * It should not be possible for this function to be called with
343          * concurrent list_add(), but for better safety against future changes
344          * in the code, we use list_empty_careful() here.
345          */
346         if (!list_empty_careful(&isec->list)) {
347                 spin_lock(&sbsec->isec_lock);
348                 list_del_init(&isec->list);
349                 spin_unlock(&sbsec->isec_lock);
350         }
351
352         /*
353          * The inode may still be referenced in a path walk and
354          * a call to selinux_inode_permission() can be made
355          * after inode_free_security() is called. Ideally, the VFS
356          * wouldn't do this, but fixing that is a much harder
357          * job. For now, simply free the i_security via RCU, and
358          * leave the current inode->i_security pointer intact.
359          * The inode will be freed after the RCU grace period too.
360          */
361         call_rcu(&isec->rcu, inode_free_rcu);
362 }
363
364 static int file_alloc_security(struct file *file)
365 {
366         struct file_security_struct *fsec;
367         u32 sid = current_sid();
368
369         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
370         if (!fsec)
371                 return -ENOMEM;
372
373         fsec->sid = sid;
374         fsec->fown_sid = sid;
375         file->f_security = fsec;
376
377         return 0;
378 }
379
380 static void file_free_security(struct file *file)
381 {
382         struct file_security_struct *fsec = file->f_security;
383         file->f_security = NULL;
384         kmem_cache_free(file_security_cache, fsec);
385 }
386
387 static int superblock_alloc_security(struct super_block *sb)
388 {
389         struct superblock_security_struct *sbsec;
390
391         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
392         if (!sbsec)
393                 return -ENOMEM;
394
395         mutex_init(&sbsec->lock);
396         INIT_LIST_HEAD(&sbsec->isec_head);
397         spin_lock_init(&sbsec->isec_lock);
398         sbsec->sb = sb;
399         sbsec->sid = SECINITSID_UNLABELED;
400         sbsec->def_sid = SECINITSID_FILE;
401         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
402         sb->s_security = sbsec;
403
404         return 0;
405 }
406
407 static void superblock_free_security(struct super_block *sb)
408 {
409         struct superblock_security_struct *sbsec = sb->s_security;
410         sb->s_security = NULL;
411         kfree(sbsec);
412 }
413
414 static inline int inode_doinit(struct inode *inode)
415 {
416         return inode_doinit_with_dentry(inode, NULL);
417 }
418
419 enum {
420         Opt_error = -1,
421         Opt_context = 1,
422         Opt_fscontext = 2,
423         Opt_defcontext = 3,
424         Opt_rootcontext = 4,
425         Opt_labelsupport = 5,
426         Opt_nextmntopt = 6,
427 };
428
429 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
430
431 static const match_table_t tokens = {
432         {Opt_context, CONTEXT_STR "%s"},
433         {Opt_fscontext, FSCONTEXT_STR "%s"},
434         {Opt_defcontext, DEFCONTEXT_STR "%s"},
435         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
436         {Opt_labelsupport, LABELSUPP_STR},
437         {Opt_error, NULL},
438 };
439
440 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
441
442 static int may_context_mount_sb_relabel(u32 sid,
443                         struct superblock_security_struct *sbsec,
444                         const struct cred *cred)
445 {
446         const struct task_security_struct *tsec = cred->security;
447         int rc;
448
449         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450                           FILESYSTEM__RELABELFROM, NULL);
451         if (rc)
452                 return rc;
453
454         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455                           FILESYSTEM__RELABELTO, NULL);
456         return rc;
457 }
458
459 static int may_context_mount_inode_relabel(u32 sid,
460                         struct superblock_security_struct *sbsec,
461                         const struct cred *cred)
462 {
463         const struct task_security_struct *tsec = cred->security;
464         int rc;
465         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466                           FILESYSTEM__RELABELFROM, NULL);
467         if (rc)
468                 return rc;
469
470         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471                           FILESYSTEM__ASSOCIATE, NULL);
472         return rc;
473 }
474
475 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 {
477         struct superblock_security_struct *sbsec = sb->s_security;
478
479         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
481                 sbsec->behavior == SECURITY_FS_USE_TASK ||
482                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
483                 /* Special handling. Genfs but also in-core setxattr handler */
484                 !strcmp(sb->s_type->name, "sysfs") ||
485                 !strcmp(sb->s_type->name, "pstore") ||
486                 !strcmp(sb->s_type->name, "debugfs") ||
487                 !strcmp(sb->s_type->name, "tracefs") ||
488                 !strcmp(sb->s_type->name, "rootfs") ||
489                 (selinux_policycap_cgroupseclabel &&
490                  (!strcmp(sb->s_type->name, "cgroup") ||
491                   !strcmp(sb->s_type->name, "cgroup2")));
492 }
493
494 static int sb_finish_set_opts(struct super_block *sb)
495 {
496         struct superblock_security_struct *sbsec = sb->s_security;
497         struct dentry *root = sb->s_root;
498         struct inode *root_inode = d_backing_inode(root);
499         int rc = 0;
500
501         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
502                 /* Make sure that the xattr handler exists and that no
503                    error other than -ENODATA is returned by getxattr on
504                    the root directory.  -ENODATA is ok, as this may be
505                    the first boot of the SELinux kernel before we have
506                    assigned xattr values to the filesystem. */
507                 if (!(root_inode->i_opflags & IOP_XATTR)) {
508                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
509                                "xattr support\n", sb->s_id, sb->s_type->name);
510                         rc = -EOPNOTSUPP;
511                         goto out;
512                 }
513
514                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
515                 if (rc < 0 && rc != -ENODATA) {
516                         if (rc == -EOPNOTSUPP)
517                                 printk(KERN_WARNING "SELinux: (dev %s, type "
518                                        "%s) has no security xattr handler\n",
519                                        sb->s_id, sb->s_type->name);
520                         else
521                                 printk(KERN_WARNING "SELinux: (dev %s, type "
522                                        "%s) getxattr errno %d\n", sb->s_id,
523                                        sb->s_type->name, -rc);
524                         goto out;
525                 }
526         }
527
528         sbsec->flags |= SE_SBINITIALIZED;
529
530         /*
531          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
532          * leave the flag untouched because sb_clone_mnt_opts might be handing
533          * us a superblock that needs the flag to be cleared.
534          */
535         if (selinux_is_sblabel_mnt(sb))
536                 sbsec->flags |= SBLABEL_MNT;
537         else
538                 sbsec->flags &= ~SBLABEL_MNT;
539
540         /* Initialize the root inode. */
541         rc = inode_doinit_with_dentry(root_inode, root);
542
543         /* Initialize any other inodes associated with the superblock, e.g.
544            inodes created prior to initial policy load or inodes created
545            during get_sb by a pseudo filesystem that directly
546            populates itself. */
547         spin_lock(&sbsec->isec_lock);
548 next_inode:
549         if (!list_empty(&sbsec->isec_head)) {
550                 struct inode_security_struct *isec =
551                                 list_entry(sbsec->isec_head.next,
552                                            struct inode_security_struct, list);
553                 struct inode *inode = isec->inode;
554                 list_del_init(&isec->list);
555                 spin_unlock(&sbsec->isec_lock);
556                 inode = igrab(inode);
557                 if (inode) {
558                         if (!IS_PRIVATE(inode))
559                                 inode_doinit(inode);
560                         iput(inode);
561                 }
562                 spin_lock(&sbsec->isec_lock);
563                 goto next_inode;
564         }
565         spin_unlock(&sbsec->isec_lock);
566 out:
567         return rc;
568 }
569
570 /*
571  * This function should allow an FS to ask what it's mount security
572  * options were so it can use those later for submounts, displaying
573  * mount options, or whatever.
574  */
575 static int selinux_get_mnt_opts(const struct super_block *sb,
576                                 struct security_mnt_opts *opts)
577 {
578         int rc = 0, i;
579         struct superblock_security_struct *sbsec = sb->s_security;
580         char *context = NULL;
581         u32 len;
582         char tmp;
583
584         security_init_mnt_opts(opts);
585
586         if (!(sbsec->flags & SE_SBINITIALIZED))
587                 return -EINVAL;
588
589         if (!ss_initialized)
590                 return -EINVAL;
591
592         /* make sure we always check enough bits to cover the mask */
593         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594
595         tmp = sbsec->flags & SE_MNTMASK;
596         /* count the number of mount options for this sb */
597         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
598                 if (tmp & 0x01)
599                         opts->num_mnt_opts++;
600                 tmp >>= 1;
601         }
602         /* Check if the Label support flag is set */
603         if (sbsec->flags & SBLABEL_MNT)
604                 opts->num_mnt_opts++;
605
606         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
607         if (!opts->mnt_opts) {
608                 rc = -ENOMEM;
609                 goto out_free;
610         }
611
612         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
613         if (!opts->mnt_opts_flags) {
614                 rc = -ENOMEM;
615                 goto out_free;
616         }
617
618         i = 0;
619         if (sbsec->flags & FSCONTEXT_MNT) {
620                 rc = security_sid_to_context(sbsec->sid, &context, &len);
621                 if (rc)
622                         goto out_free;
623                 opts->mnt_opts[i] = context;
624                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625         }
626         if (sbsec->flags & CONTEXT_MNT) {
627                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
628                 if (rc)
629                         goto out_free;
630                 opts->mnt_opts[i] = context;
631                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632         }
633         if (sbsec->flags & DEFCONTEXT_MNT) {
634                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
635                 if (rc)
636                         goto out_free;
637                 opts->mnt_opts[i] = context;
638                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
639         }
640         if (sbsec->flags & ROOTCONTEXT_MNT) {
641                 struct dentry *root = sbsec->sb->s_root;
642                 struct inode_security_struct *isec = backing_inode_security(root);
643
644                 rc = security_sid_to_context(isec->sid, &context, &len);
645                 if (rc)
646                         goto out_free;
647                 opts->mnt_opts[i] = context;
648                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
649         }
650         if (sbsec->flags & SBLABEL_MNT) {
651                 opts->mnt_opts[i] = NULL;
652                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
653         }
654
655         BUG_ON(i != opts->num_mnt_opts);
656
657         return 0;
658
659 out_free:
660         security_free_mnt_opts(opts);
661         return rc;
662 }
663
664 static int bad_option(struct superblock_security_struct *sbsec, char flag,
665                       u32 old_sid, u32 new_sid)
666 {
667         char mnt_flags = sbsec->flags & SE_MNTMASK;
668
669         /* check if the old mount command had the same options */
670         if (sbsec->flags & SE_SBINITIALIZED)
671                 if (!(sbsec->flags & flag) ||
672                     (old_sid != new_sid))
673                         return 1;
674
675         /* check if we were passed the same options twice,
676          * aka someone passed context=a,context=b
677          */
678         if (!(sbsec->flags & SE_SBINITIALIZED))
679                 if (mnt_flags & flag)
680                         return 1;
681         return 0;
682 }
683
684 /*
685  * Allow filesystems with binary mount data to explicitly set mount point
686  * labeling information.
687  */
688 static int selinux_set_mnt_opts(struct super_block *sb,
689                                 struct security_mnt_opts *opts,
690                                 unsigned long kern_flags,
691                                 unsigned long *set_kern_flags)
692 {
693         const struct cred *cred = current_cred();
694         int rc = 0, i;
695         struct superblock_security_struct *sbsec = sb->s_security;
696         const char *name = sb->s_type->name;
697         struct dentry *root = sbsec->sb->s_root;
698         struct inode_security_struct *root_isec;
699         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
700         u32 defcontext_sid = 0;
701         char **mount_options = opts->mnt_opts;
702         int *flags = opts->mnt_opts_flags;
703         int num_opts = opts->num_mnt_opts;
704
705         mutex_lock(&sbsec->lock);
706
707         if (!ss_initialized) {
708                 if (!num_opts) {
709                         /* Defer initialization until selinux_complete_init,
710                            after the initial policy is loaded and the security
711                            server is ready to handle calls. */
712                         goto out;
713                 }
714                 rc = -EINVAL;
715                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
716                         "before the security server is initialized\n");
717                 goto out;
718         }
719         if (kern_flags && !set_kern_flags) {
720                 /* Specifying internal flags without providing a place to
721                  * place the results is not allowed */
722                 rc = -EINVAL;
723                 goto out;
724         }
725
726         /*
727          * Binary mount data FS will come through this function twice.  Once
728          * from an explicit call and once from the generic calls from the vfs.
729          * Since the generic VFS calls will not contain any security mount data
730          * we need to skip the double mount verification.
731          *
732          * This does open a hole in which we will not notice if the first
733          * mount using this sb set explict options and a second mount using
734          * this sb does not set any security options.  (The first options
735          * will be used for both mounts)
736          */
737         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
738             && (num_opts == 0))
739                 goto out;
740
741         root_isec = backing_inode_security_novalidate(root);
742
743         /*
744          * parse the mount options, check if they are valid sids.
745          * also check if someone is trying to mount the same sb more
746          * than once with different security options.
747          */
748         for (i = 0; i < num_opts; i++) {
749                 u32 sid;
750
751                 if (flags[i] == SBLABEL_MNT)
752                         continue;
753                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
754                 if (rc) {
755                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756                                "(%s) failed for (dev %s, type %s) errno=%d\n",
757                                mount_options[i], sb->s_id, name, rc);
758                         goto out;
759                 }
760                 switch (flags[i]) {
761                 case FSCONTEXT_MNT:
762                         fscontext_sid = sid;
763
764                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765                                         fscontext_sid))
766                                 goto out_double_mount;
767
768                         sbsec->flags |= FSCONTEXT_MNT;
769                         break;
770                 case CONTEXT_MNT:
771                         context_sid = sid;
772
773                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774                                         context_sid))
775                                 goto out_double_mount;
776
777                         sbsec->flags |= CONTEXT_MNT;
778                         break;
779                 case ROOTCONTEXT_MNT:
780                         rootcontext_sid = sid;
781
782                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783                                         rootcontext_sid))
784                                 goto out_double_mount;
785
786                         sbsec->flags |= ROOTCONTEXT_MNT;
787
788                         break;
789                 case DEFCONTEXT_MNT:
790                         defcontext_sid = sid;
791
792                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793                                         defcontext_sid))
794                                 goto out_double_mount;
795
796                         sbsec->flags |= DEFCONTEXT_MNT;
797
798                         break;
799                 default:
800                         rc = -EINVAL;
801                         goto out;
802                 }
803         }
804
805         if (sbsec->flags & SE_SBINITIALIZED) {
806                 /* previously mounted with options, but not on this attempt? */
807                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
808                         goto out_double_mount;
809                 rc = 0;
810                 goto out;
811         }
812
813         if (strcmp(sb->s_type->name, "proc") == 0)
814                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815
816         if (!strcmp(sb->s_type->name, "debugfs") ||
817             !strcmp(sb->s_type->name, "tracefs") ||
818             !strcmp(sb->s_type->name, "sysfs") ||
819             !strcmp(sb->s_type->name, "pstore") ||
820             !strcmp(sb->s_type->name, "cgroup") ||
821             !strcmp(sb->s_type->name, "cgroup2"))
822                 sbsec->flags |= SE_SBGENFS;
823
824         if (!sbsec->behavior) {
825                 /*
826                  * Determine the labeling behavior to use for this
827                  * filesystem type.
828                  */
829                 rc = security_fs_use(sb);
830                 if (rc) {
831                         printk(KERN_WARNING
832                                 "%s: security_fs_use(%s) returned %d\n",
833                                         __func__, sb->s_type->name, rc);
834                         goto out;
835                 }
836         }
837
838         /*
839          * If this is a user namespace mount and the filesystem type is not
840          * explicitly whitelisted, then no contexts are allowed on the command
841          * line and security labels must be ignored.
842          */
843         if (sb->s_user_ns != &init_user_ns &&
844             strcmp(sb->s_type->name, "tmpfs") &&
845             strcmp(sb->s_type->name, "ramfs") &&
846             strcmp(sb->s_type->name, "devpts")) {
847                 if (context_sid || fscontext_sid || rootcontext_sid ||
848                     defcontext_sid) {
849                         rc = -EACCES;
850                         goto out;
851                 }
852                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854                         rc = security_transition_sid(current_sid(), current_sid(),
855                                                      SECCLASS_FILE, NULL,
856                                                      &sbsec->mntpoint_sid);
857                         if (rc)
858                                 goto out;
859                 }
860                 goto out_set_opts;
861         }
862
863         /* sets the context of the superblock for the fs being mounted. */
864         if (fscontext_sid) {
865                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
866                 if (rc)
867                         goto out;
868
869                 sbsec->sid = fscontext_sid;
870         }
871
872         /*
873          * Switch to using mount point labeling behavior.
874          * sets the label used on all file below the mountpoint, and will set
875          * the superblock context if not already set.
876          */
877         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
878                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
879                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
880         }
881
882         if (context_sid) {
883                 if (!fscontext_sid) {
884                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
885                                                           cred);
886                         if (rc)
887                                 goto out;
888                         sbsec->sid = context_sid;
889                 } else {
890                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
891                                                              cred);
892                         if (rc)
893                                 goto out;
894                 }
895                 if (!rootcontext_sid)
896                         rootcontext_sid = context_sid;
897
898                 sbsec->mntpoint_sid = context_sid;
899                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
900         }
901
902         if (rootcontext_sid) {
903                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
904                                                      cred);
905                 if (rc)
906                         goto out;
907
908                 root_isec->sid = rootcontext_sid;
909                 root_isec->initialized = LABEL_INITIALIZED;
910         }
911
912         if (defcontext_sid) {
913                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
914                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
915                         rc = -EINVAL;
916                         printk(KERN_WARNING "SELinux: defcontext option is "
917                                "invalid for this filesystem type\n");
918                         goto out;
919                 }
920
921                 if (defcontext_sid != sbsec->def_sid) {
922                         rc = may_context_mount_inode_relabel(defcontext_sid,
923                                                              sbsec, cred);
924                         if (rc)
925                                 goto out;
926                 }
927
928                 sbsec->def_sid = defcontext_sid;
929         }
930
931 out_set_opts:
932         rc = sb_finish_set_opts(sb);
933 out:
934         mutex_unlock(&sbsec->lock);
935         return rc;
936 out_double_mount:
937         rc = -EINVAL;
938         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
939                "security settings for (dev %s, type %s)\n", sb->s_id, name);
940         goto out;
941 }
942
943 static int selinux_cmp_sb_context(const struct super_block *oldsb,
944                                     const struct super_block *newsb)
945 {
946         struct superblock_security_struct *old = oldsb->s_security;
947         struct superblock_security_struct *new = newsb->s_security;
948         char oldflags = old->flags & SE_MNTMASK;
949         char newflags = new->flags & SE_MNTMASK;
950
951         if (oldflags != newflags)
952                 goto mismatch;
953         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
954                 goto mismatch;
955         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
956                 goto mismatch;
957         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
958                 goto mismatch;
959         if (oldflags & ROOTCONTEXT_MNT) {
960                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
961                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
962                 if (oldroot->sid != newroot->sid)
963                         goto mismatch;
964         }
965         return 0;
966 mismatch:
967         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
968                             "different security settings for (dev %s, "
969                             "type %s)\n", newsb->s_id, newsb->s_type->name);
970         return -EBUSY;
971 }
972
973 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
974                                         struct super_block *newsb,
975                                         unsigned long kern_flags,
976                                         unsigned long *set_kern_flags)
977 {
978         int rc = 0;
979         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
980         struct superblock_security_struct *newsbsec = newsb->s_security;
981
982         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
983         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
984         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
985
986         /*
987          * if the parent was able to be mounted it clearly had no special lsm
988          * mount options.  thus we can safely deal with this superblock later
989          */
990         if (!ss_initialized)
991                 return 0;
992
993         /*
994          * Specifying internal flags without providing a place to
995          * place the results is not allowed.
996          */
997         if (kern_flags && !set_kern_flags)
998                 return -EINVAL;
999
1000         /* how can we clone if the old one wasn't set up?? */
1001         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1002
1003         /* if fs is reusing a sb, make sure that the contexts match */
1004         if (newsbsec->flags & SE_SBINITIALIZED)
1005                 return selinux_cmp_sb_context(oldsb, newsb);
1006
1007         mutex_lock(&newsbsec->lock);
1008
1009         newsbsec->flags = oldsbsec->flags;
1010
1011         newsbsec->sid = oldsbsec->sid;
1012         newsbsec->def_sid = oldsbsec->def_sid;
1013         newsbsec->behavior = oldsbsec->behavior;
1014
1015         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017                 rc = security_fs_use(newsb);
1018                 if (rc)
1019                         goto out;
1020         }
1021
1022         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1023                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1024                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1025         }
1026
1027         if (set_context) {
1028                 u32 sid = oldsbsec->mntpoint_sid;
1029
1030                 if (!set_fscontext)
1031                         newsbsec->sid = sid;
1032                 if (!set_rootcontext) {
1033                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1034                         newisec->sid = sid;
1035                 }
1036                 newsbsec->mntpoint_sid = sid;
1037         }
1038         if (set_rootcontext) {
1039                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1040                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1041
1042                 newisec->sid = oldisec->sid;
1043         }
1044
1045         sb_finish_set_opts(newsb);
1046 out:
1047         mutex_unlock(&newsbsec->lock);
1048         return rc;
1049 }
1050
1051 static int selinux_parse_opts_str(char *options,
1052                                   struct security_mnt_opts *opts)
1053 {
1054         char *p;
1055         char *context = NULL, *defcontext = NULL;
1056         char *fscontext = NULL, *rootcontext = NULL;
1057         int rc, num_mnt_opts = 0;
1058
1059         opts->num_mnt_opts = 0;
1060
1061         /* Standard string-based options. */
1062         while ((p = strsep(&options, "|")) != NULL) {
1063                 int token;
1064                 substring_t args[MAX_OPT_ARGS];
1065
1066                 if (!*p)
1067                         continue;
1068
1069                 token = match_token(p, tokens, args);
1070
1071                 switch (token) {
1072                 case Opt_context:
1073                         if (context || defcontext) {
1074                                 rc = -EINVAL;
1075                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1076                                 goto out_err;
1077                         }
1078                         context = match_strdup(&args[0]);
1079                         if (!context) {
1080                                 rc = -ENOMEM;
1081                                 goto out_err;
1082                         }
1083                         break;
1084
1085                 case Opt_fscontext:
1086                         if (fscontext) {
1087                                 rc = -EINVAL;
1088                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1089                                 goto out_err;
1090                         }
1091                         fscontext = match_strdup(&args[0]);
1092                         if (!fscontext) {
1093                                 rc = -ENOMEM;
1094                                 goto out_err;
1095                         }
1096                         break;
1097
1098                 case Opt_rootcontext:
1099                         if (rootcontext) {
1100                                 rc = -EINVAL;
1101                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1102                                 goto out_err;
1103                         }
1104                         rootcontext = match_strdup(&args[0]);
1105                         if (!rootcontext) {
1106                                 rc = -ENOMEM;
1107                                 goto out_err;
1108                         }
1109                         break;
1110
1111                 case Opt_defcontext:
1112                         if (context || defcontext) {
1113                                 rc = -EINVAL;
1114                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1115                                 goto out_err;
1116                         }
1117                         defcontext = match_strdup(&args[0]);
1118                         if (!defcontext) {
1119                                 rc = -ENOMEM;
1120                                 goto out_err;
1121                         }
1122                         break;
1123                 case Opt_labelsupport:
1124                         break;
1125                 default:
1126                         rc = -EINVAL;
1127                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1128                         goto out_err;
1129
1130                 }
1131         }
1132
1133         rc = -ENOMEM;
1134         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1135         if (!opts->mnt_opts)
1136                 goto out_err;
1137
1138         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1139                                        GFP_KERNEL);
1140         if (!opts->mnt_opts_flags)
1141                 goto out_err;
1142
1143         if (fscontext) {
1144                 opts->mnt_opts[num_mnt_opts] = fscontext;
1145                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1146         }
1147         if (context) {
1148                 opts->mnt_opts[num_mnt_opts] = context;
1149                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1150         }
1151         if (rootcontext) {
1152                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1153                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1154         }
1155         if (defcontext) {
1156                 opts->mnt_opts[num_mnt_opts] = defcontext;
1157                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1158         }
1159
1160         opts->num_mnt_opts = num_mnt_opts;
1161         return 0;
1162
1163 out_err:
1164         security_free_mnt_opts(opts);
1165         kfree(context);
1166         kfree(defcontext);
1167         kfree(fscontext);
1168         kfree(rootcontext);
1169         return rc;
1170 }
1171 /*
1172  * string mount options parsing and call set the sbsec
1173  */
1174 static int superblock_doinit(struct super_block *sb, void *data)
1175 {
1176         int rc = 0;
1177         char *options = data;
1178         struct security_mnt_opts opts;
1179
1180         security_init_mnt_opts(&opts);
1181
1182         if (!data)
1183                 goto out;
1184
1185         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1186
1187         rc = selinux_parse_opts_str(options, &opts);
1188         if (rc)
1189                 goto out_err;
1190
1191 out:
1192         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1193
1194 out_err:
1195         security_free_mnt_opts(&opts);
1196         return rc;
1197 }
1198
1199 static void selinux_write_opts(struct seq_file *m,
1200                                struct security_mnt_opts *opts)
1201 {
1202         int i;
1203         char *prefix;
1204
1205         for (i = 0; i < opts->num_mnt_opts; i++) {
1206                 char *has_comma;
1207
1208                 if (opts->mnt_opts[i])
1209                         has_comma = strchr(opts->mnt_opts[i], ',');
1210                 else
1211                         has_comma = NULL;
1212
1213                 switch (opts->mnt_opts_flags[i]) {
1214                 case CONTEXT_MNT:
1215                         prefix = CONTEXT_STR;
1216                         break;
1217                 case FSCONTEXT_MNT:
1218                         prefix = FSCONTEXT_STR;
1219                         break;
1220                 case ROOTCONTEXT_MNT:
1221                         prefix = ROOTCONTEXT_STR;
1222                         break;
1223                 case DEFCONTEXT_MNT:
1224                         prefix = DEFCONTEXT_STR;
1225                         break;
1226                 case SBLABEL_MNT:
1227                         seq_putc(m, ',');
1228                         seq_puts(m, LABELSUPP_STR);
1229                         continue;
1230                 default:
1231                         BUG();
1232                         return;
1233                 };
1234                 /* we need a comma before each option */
1235                 seq_putc(m, ',');
1236                 seq_puts(m, prefix);
1237                 if (has_comma)
1238                         seq_putc(m, '\"');
1239                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1240                 if (has_comma)
1241                         seq_putc(m, '\"');
1242         }
1243 }
1244
1245 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1246 {
1247         struct security_mnt_opts opts;
1248         int rc;
1249
1250         rc = selinux_get_mnt_opts(sb, &opts);
1251         if (rc) {
1252                 /* before policy load we may get EINVAL, don't show anything */
1253                 if (rc == -EINVAL)
1254                         rc = 0;
1255                 return rc;
1256         }
1257
1258         selinux_write_opts(m, &opts);
1259
1260         security_free_mnt_opts(&opts);
1261
1262         return rc;
1263 }
1264
1265 static inline u16 inode_mode_to_security_class(umode_t mode)
1266 {
1267         switch (mode & S_IFMT) {
1268         case S_IFSOCK:
1269                 return SECCLASS_SOCK_FILE;
1270         case S_IFLNK:
1271                 return SECCLASS_LNK_FILE;
1272         case S_IFREG:
1273                 return SECCLASS_FILE;
1274         case S_IFBLK:
1275                 return SECCLASS_BLK_FILE;
1276         case S_IFDIR:
1277                 return SECCLASS_DIR;
1278         case S_IFCHR:
1279                 return SECCLASS_CHR_FILE;
1280         case S_IFIFO:
1281                 return SECCLASS_FIFO_FILE;
1282
1283         }
1284
1285         return SECCLASS_FILE;
1286 }
1287
1288 static inline int default_protocol_stream(int protocol)
1289 {
1290         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1291 }
1292
1293 static inline int default_protocol_dgram(int protocol)
1294 {
1295         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1296 }
1297
1298 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299 {
1300         int extsockclass = selinux_policycap_extsockclass;
1301
1302         switch (family) {
1303         case PF_UNIX:
1304                 switch (type) {
1305                 case SOCK_STREAM:
1306                 case SOCK_SEQPACKET:
1307                         return SECCLASS_UNIX_STREAM_SOCKET;
1308                 case SOCK_DGRAM:
1309                 case SOCK_RAW:
1310                         return SECCLASS_UNIX_DGRAM_SOCKET;
1311                 }
1312                 break;
1313         case PF_INET:
1314         case PF_INET6:
1315                 switch (type) {
1316                 case SOCK_STREAM:
1317                 case SOCK_SEQPACKET:
1318                         if (default_protocol_stream(protocol))
1319                                 return SECCLASS_TCP_SOCKET;
1320                         else if (extsockclass && protocol == IPPROTO_SCTP)
1321                                 return SECCLASS_SCTP_SOCKET;
1322                         else
1323                                 return SECCLASS_RAWIP_SOCKET;
1324                 case SOCK_DGRAM:
1325                         if (default_protocol_dgram(protocol))
1326                                 return SECCLASS_UDP_SOCKET;
1327                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1328                                                   protocol == IPPROTO_ICMPV6))
1329                                 return SECCLASS_ICMP_SOCKET;
1330                         else
1331                                 return SECCLASS_RAWIP_SOCKET;
1332                 case SOCK_DCCP:
1333                         return SECCLASS_DCCP_SOCKET;
1334                 default:
1335                         return SECCLASS_RAWIP_SOCKET;
1336                 }
1337                 break;
1338         case PF_NETLINK:
1339                 switch (protocol) {
1340                 case NETLINK_ROUTE:
1341                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1342                 case NETLINK_SOCK_DIAG:
1343                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1344                 case NETLINK_NFLOG:
1345                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1346                 case NETLINK_XFRM:
1347                         return SECCLASS_NETLINK_XFRM_SOCKET;
1348                 case NETLINK_SELINUX:
1349                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1350                 case NETLINK_ISCSI:
1351                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1352                 case NETLINK_AUDIT:
1353                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1354                 case NETLINK_FIB_LOOKUP:
1355                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1356                 case NETLINK_CONNECTOR:
1357                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1358                 case NETLINK_NETFILTER:
1359                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1360                 case NETLINK_DNRTMSG:
1361                         return SECCLASS_NETLINK_DNRT_SOCKET;
1362                 case NETLINK_KOBJECT_UEVENT:
1363                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1364                 case NETLINK_GENERIC:
1365                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1366                 case NETLINK_SCSITRANSPORT:
1367                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1368                 case NETLINK_RDMA:
1369                         return SECCLASS_NETLINK_RDMA_SOCKET;
1370                 case NETLINK_CRYPTO:
1371                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1372                 default:
1373                         return SECCLASS_NETLINK_SOCKET;
1374                 }
1375         case PF_PACKET:
1376                 return SECCLASS_PACKET_SOCKET;
1377         case PF_KEY:
1378                 return SECCLASS_KEY_SOCKET;
1379         case PF_APPLETALK:
1380                 return SECCLASS_APPLETALK_SOCKET;
1381         }
1382
1383         if (extsockclass) {
1384                 switch (family) {
1385                 case PF_AX25:
1386                         return SECCLASS_AX25_SOCKET;
1387                 case PF_IPX:
1388                         return SECCLASS_IPX_SOCKET;
1389                 case PF_NETROM:
1390                         return SECCLASS_NETROM_SOCKET;
1391                 case PF_ATMPVC:
1392                         return SECCLASS_ATMPVC_SOCKET;
1393                 case PF_X25:
1394                         return SECCLASS_X25_SOCKET;
1395                 case PF_ROSE:
1396                         return SECCLASS_ROSE_SOCKET;
1397                 case PF_DECnet:
1398                         return SECCLASS_DECNET_SOCKET;
1399                 case PF_ATMSVC:
1400                         return SECCLASS_ATMSVC_SOCKET;
1401                 case PF_RDS:
1402                         return SECCLASS_RDS_SOCKET;
1403                 case PF_IRDA:
1404                         return SECCLASS_IRDA_SOCKET;
1405                 case PF_PPPOX:
1406                         return SECCLASS_PPPOX_SOCKET;
1407                 case PF_LLC:
1408                         return SECCLASS_LLC_SOCKET;
1409                 case PF_CAN:
1410                         return SECCLASS_CAN_SOCKET;
1411                 case PF_TIPC:
1412                         return SECCLASS_TIPC_SOCKET;
1413                 case PF_BLUETOOTH:
1414                         return SECCLASS_BLUETOOTH_SOCKET;
1415                 case PF_IUCV:
1416                         return SECCLASS_IUCV_SOCKET;
1417                 case PF_RXRPC:
1418                         return SECCLASS_RXRPC_SOCKET;
1419                 case PF_ISDN:
1420                         return SECCLASS_ISDN_SOCKET;
1421                 case PF_PHONET:
1422                         return SECCLASS_PHONET_SOCKET;
1423                 case PF_IEEE802154:
1424                         return SECCLASS_IEEE802154_SOCKET;
1425                 case PF_CAIF:
1426                         return SECCLASS_CAIF_SOCKET;
1427                 case PF_ALG:
1428                         return SECCLASS_ALG_SOCKET;
1429                 case PF_NFC:
1430                         return SECCLASS_NFC_SOCKET;
1431                 case PF_VSOCK:
1432                         return SECCLASS_VSOCK_SOCKET;
1433                 case PF_KCM:
1434                         return SECCLASS_KCM_SOCKET;
1435                 case PF_QIPCRTR:
1436                         return SECCLASS_QIPCRTR_SOCKET;
1437                 case PF_SMC:
1438                         return SECCLASS_SMC_SOCKET;
1439 #if PF_MAX > 44
1440 #error New address family defined, please update this function.
1441 #endif
1442                 }
1443         }
1444
1445         return SECCLASS_SOCKET;
1446 }
1447
1448 static int selinux_genfs_get_sid(struct dentry *dentry,
1449                                  u16 tclass,
1450                                  u16 flags,
1451                                  u32 *sid)
1452 {
1453         int rc;
1454         struct super_block *sb = dentry->d_sb;
1455         char *buffer, *path;
1456
1457         buffer = (char *)__get_free_page(GFP_KERNEL);
1458         if (!buffer)
1459                 return -ENOMEM;
1460
1461         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1462         if (IS_ERR(path))
1463                 rc = PTR_ERR(path);
1464         else {
1465                 if (flags & SE_SBPROC) {
1466                         /* each process gets a /proc/PID/ entry. Strip off the
1467                          * PID part to get a valid selinux labeling.
1468                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1469                         while (path[1] >= '0' && path[1] <= '9') {
1470                                 path[1] = '/';
1471                                 path++;
1472                         }
1473                 }
1474                 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1475         }
1476         free_page((unsigned long)buffer);
1477         return rc;
1478 }
1479
1480 /* The inode's security attributes must be initialized before first use. */
1481 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1482 {
1483         struct superblock_security_struct *sbsec = NULL;
1484         struct inode_security_struct *isec = inode->i_security;
1485         u32 task_sid, sid = 0;
1486         u16 sclass;
1487         struct dentry *dentry;
1488 #define INITCONTEXTLEN 255
1489         char *context = NULL;
1490         unsigned len = 0;
1491         int rc = 0;
1492
1493         if (isec->initialized == LABEL_INITIALIZED)
1494                 return 0;
1495
1496         spin_lock(&isec->lock);
1497         if (isec->initialized == LABEL_INITIALIZED)
1498                 goto out_unlock;
1499
1500         if (isec->sclass == SECCLASS_FILE)
1501                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1502
1503         sbsec = inode->i_sb->s_security;
1504         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1505                 /* Defer initialization until selinux_complete_init,
1506                    after the initial policy is loaded and the security
1507                    server is ready to handle calls. */
1508                 spin_lock(&sbsec->isec_lock);
1509                 if (list_empty(&isec->list))
1510                         list_add(&isec->list, &sbsec->isec_head);
1511                 spin_unlock(&sbsec->isec_lock);
1512                 goto out_unlock;
1513         }
1514
1515         sclass = isec->sclass;
1516         task_sid = isec->task_sid;
1517         sid = isec->sid;
1518         isec->initialized = LABEL_PENDING;
1519         spin_unlock(&isec->lock);
1520
1521         switch (sbsec->behavior) {
1522         case SECURITY_FS_USE_NATIVE:
1523                 break;
1524         case SECURITY_FS_USE_XATTR:
1525                 if (!(inode->i_opflags & IOP_XATTR)) {
1526                         sid = sbsec->def_sid;
1527                         break;
1528                 }
1529                 /* Need a dentry, since the xattr API requires one.
1530                    Life would be simpler if we could just pass the inode. */
1531                 if (opt_dentry) {
1532                         /* Called from d_instantiate or d_splice_alias. */
1533                         dentry = dget(opt_dentry);
1534                 } else {
1535                         /* Called from selinux_complete_init, try to find a dentry. */
1536                         dentry = d_find_alias(inode);
1537                 }
1538                 if (!dentry) {
1539                         /*
1540                          * this is can be hit on boot when a file is accessed
1541                          * before the policy is loaded.  When we load policy we
1542                          * may find inodes that have no dentry on the
1543                          * sbsec->isec_head list.  No reason to complain as these
1544                          * will get fixed up the next time we go through
1545                          * inode_doinit with a dentry, before these inodes could
1546                          * be used again by userspace.
1547                          */
1548                         goto out;
1549                 }
1550
1551                 len = INITCONTEXTLEN;
1552                 context = kmalloc(len+1, GFP_NOFS);
1553                 if (!context) {
1554                         rc = -ENOMEM;
1555                         dput(dentry);
1556                         goto out;
1557                 }
1558                 context[len] = '\0';
1559                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1560                 if (rc == -ERANGE) {
1561                         kfree(context);
1562
1563                         /* Need a larger buffer.  Query for the right size. */
1564                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1565                         if (rc < 0) {
1566                                 dput(dentry);
1567                                 goto out;
1568                         }
1569                         len = rc;
1570                         context = kmalloc(len+1, GFP_NOFS);
1571                         if (!context) {
1572                                 rc = -ENOMEM;
1573                                 dput(dentry);
1574                                 goto out;
1575                         }
1576                         context[len] = '\0';
1577                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1578                 }
1579                 dput(dentry);
1580                 if (rc < 0) {
1581                         if (rc != -ENODATA) {
1582                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1583                                        "%d for dev=%s ino=%ld\n", __func__,
1584                                        -rc, inode->i_sb->s_id, inode->i_ino);
1585                                 kfree(context);
1586                                 goto out;
1587                         }
1588                         /* Map ENODATA to the default file SID */
1589                         sid = sbsec->def_sid;
1590                         rc = 0;
1591                 } else {
1592                         rc = security_context_to_sid_default(context, rc, &sid,
1593                                                              sbsec->def_sid,
1594                                                              GFP_NOFS);
1595                         if (rc) {
1596                                 char *dev = inode->i_sb->s_id;
1597                                 unsigned long ino = inode->i_ino;
1598
1599                                 if (rc == -EINVAL) {
1600                                         if (printk_ratelimit())
1601                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1602                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1603                                                         "filesystem in question.\n", ino, dev, context);
1604                                 } else {
1605                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1606                                                "returned %d for dev=%s ino=%ld\n",
1607                                                __func__, context, -rc, dev, ino);
1608                                 }
1609                                 kfree(context);
1610                                 /* Leave with the unlabeled SID */
1611                                 rc = 0;
1612                                 break;
1613                         }
1614                 }
1615                 kfree(context);
1616                 break;
1617         case SECURITY_FS_USE_TASK:
1618                 sid = task_sid;
1619                 break;
1620         case SECURITY_FS_USE_TRANS:
1621                 /* Default to the fs SID. */
1622                 sid = sbsec->sid;
1623
1624                 /* Try to obtain a transition SID. */
1625                 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1626                 if (rc)
1627                         goto out;
1628                 break;
1629         case SECURITY_FS_USE_MNTPOINT:
1630                 sid = sbsec->mntpoint_sid;
1631                 break;
1632         default:
1633                 /* Default to the fs superblock SID. */
1634                 sid = sbsec->sid;
1635
1636                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1637                         /* We must have a dentry to determine the label on
1638                          * procfs inodes */
1639                         if (opt_dentry)
1640                                 /* Called from d_instantiate or
1641                                  * d_splice_alias. */
1642                                 dentry = dget(opt_dentry);
1643                         else
1644                                 /* Called from selinux_complete_init, try to
1645                                  * find a dentry. */
1646                                 dentry = d_find_alias(inode);
1647                         /*
1648                          * This can be hit on boot when a file is accessed
1649                          * before the policy is loaded.  When we load policy we
1650                          * may find inodes that have no dentry on the
1651                          * sbsec->isec_head list.  No reason to complain as
1652                          * these will get fixed up the next time we go through
1653                          * inode_doinit() with a dentry, before these inodes
1654                          * could be used again by userspace.
1655                          */
1656                         if (!dentry)
1657                                 goto out;
1658                         rc = selinux_genfs_get_sid(dentry, sclass,
1659                                                    sbsec->flags, &sid);
1660                         dput(dentry);
1661                         if (rc)
1662                                 goto out;
1663                 }
1664                 break;
1665         }
1666
1667 out:
1668         spin_lock(&isec->lock);
1669         if (isec->initialized == LABEL_PENDING) {
1670                 if (!sid || rc) {
1671                         isec->initialized = LABEL_INVALID;
1672                         goto out_unlock;
1673                 }
1674
1675                 isec->initialized = LABEL_INITIALIZED;
1676                 isec->sid = sid;
1677         }
1678
1679 out_unlock:
1680         spin_unlock(&isec->lock);
1681         return rc;
1682 }
1683
1684 /* Convert a Linux signal to an access vector. */
1685 static inline u32 signal_to_av(int sig)
1686 {
1687         u32 perm = 0;
1688
1689         switch (sig) {
1690         case SIGCHLD:
1691                 /* Commonly granted from child to parent. */
1692                 perm = PROCESS__SIGCHLD;
1693                 break;
1694         case SIGKILL:
1695                 /* Cannot be caught or ignored */
1696                 perm = PROCESS__SIGKILL;
1697                 break;
1698         case SIGSTOP:
1699                 /* Cannot be caught or ignored */
1700                 perm = PROCESS__SIGSTOP;
1701                 break;
1702         default:
1703                 /* All other signals. */
1704                 perm = PROCESS__SIGNAL;
1705                 break;
1706         }
1707
1708         return perm;
1709 }
1710
1711 #if CAP_LAST_CAP > 63
1712 #error Fix SELinux to handle capabilities > 63.
1713 #endif
1714
1715 /* Check whether a task is allowed to use a capability. */
1716 static int cred_has_capability(const struct cred *cred,
1717                                int cap, int audit, bool initns)
1718 {
1719         struct common_audit_data ad;
1720         struct av_decision avd;
1721         u16 sclass;
1722         u32 sid = cred_sid(cred);
1723         u32 av = CAP_TO_MASK(cap);
1724         int rc;
1725
1726         ad.type = LSM_AUDIT_DATA_CAP;
1727         ad.u.cap = cap;
1728
1729         switch (CAP_TO_INDEX(cap)) {
1730         case 0:
1731                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1732                 break;
1733         case 1:
1734                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1735                 break;
1736         default:
1737                 printk(KERN_ERR
1738                        "SELinux:  out of range capability %d\n", cap);
1739                 BUG();
1740                 return -EINVAL;
1741         }
1742
1743         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1744         if (audit == SECURITY_CAP_AUDIT) {
1745                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1746                 if (rc2)
1747                         return rc2;
1748         }
1749         return rc;
1750 }
1751
1752 /* Check whether a task has a particular permission to an inode.
1753    The 'adp' parameter is optional and allows other audit
1754    data to be passed (e.g. the dentry). */
1755 static int inode_has_perm(const struct cred *cred,
1756                           struct inode *inode,
1757                           u32 perms,
1758                           struct common_audit_data *adp)
1759 {
1760         struct inode_security_struct *isec;
1761         u32 sid;
1762
1763         validate_creds(cred);
1764
1765         if (unlikely(IS_PRIVATE(inode)))
1766                 return 0;
1767
1768         sid = cred_sid(cred);
1769         isec = inode->i_security;
1770
1771         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1772 }
1773
1774 /* Same as inode_has_perm, but pass explicit audit data containing
1775    the dentry to help the auditing code to more easily generate the
1776    pathname if needed. */
1777 static inline int dentry_has_perm(const struct cred *cred,
1778                                   struct dentry *dentry,
1779                                   u32 av)
1780 {
1781         struct inode *inode = d_backing_inode(dentry);
1782         struct common_audit_data ad;
1783
1784         ad.type = LSM_AUDIT_DATA_DENTRY;
1785         ad.u.dentry = dentry;
1786         __inode_security_revalidate(inode, dentry, true);
1787         return inode_has_perm(cred, inode, av, &ad);
1788 }
1789
1790 /* Same as inode_has_perm, but pass explicit audit data containing
1791    the path to help the auditing code to more easily generate the
1792    pathname if needed. */
1793 static inline int path_has_perm(const struct cred *cred,
1794                                 const struct path *path,
1795                                 u32 av)
1796 {
1797         struct inode *inode = d_backing_inode(path->dentry);
1798         struct common_audit_data ad;
1799
1800         ad.type = LSM_AUDIT_DATA_PATH;
1801         ad.u.path = *path;
1802         __inode_security_revalidate(inode, path->dentry, true);
1803         return inode_has_perm(cred, inode, av, &ad);
1804 }
1805
1806 /* Same as path_has_perm, but uses the inode from the file struct. */
1807 static inline int file_path_has_perm(const struct cred *cred,
1808                                      struct file *file,
1809                                      u32 av)
1810 {
1811         struct common_audit_data ad;
1812
1813         ad.type = LSM_AUDIT_DATA_FILE;
1814         ad.u.file = file;
1815         return inode_has_perm(cred, file_inode(file), av, &ad);
1816 }
1817
1818 #ifdef CONFIG_BPF_SYSCALL
1819 static int bpf_fd_pass(struct file *file, u32 sid);
1820 #endif
1821
1822 /* Check whether a task can use an open file descriptor to
1823    access an inode in a given way.  Check access to the
1824    descriptor itself, and then use dentry_has_perm to
1825    check a particular permission to the file.
1826    Access to the descriptor is implicitly granted if it
1827    has the same SID as the process.  If av is zero, then
1828    access to the file is not checked, e.g. for cases
1829    where only the descriptor is affected like seek. */
1830 static int file_has_perm(const struct cred *cred,
1831                          struct file *file,
1832                          u32 av)
1833 {
1834         struct file_security_struct *fsec = file->f_security;
1835         struct inode *inode = file_inode(file);
1836         struct common_audit_data ad;
1837         u32 sid = cred_sid(cred);
1838         int rc;
1839
1840         ad.type = LSM_AUDIT_DATA_FILE;
1841         ad.u.file = file;
1842
1843         if (sid != fsec->sid) {
1844                 rc = avc_has_perm(sid, fsec->sid,
1845                                   SECCLASS_FD,
1846                                   FD__USE,
1847                                   &ad);
1848                 if (rc)
1849                         goto out;
1850         }
1851
1852 #ifdef CONFIG_BPF_SYSCALL
1853         rc = bpf_fd_pass(file, cred_sid(cred));
1854         if (rc)
1855                 return rc;
1856 #endif
1857
1858         /* av is zero if only checking access to the descriptor. */
1859         rc = 0;
1860         if (av)
1861                 rc = inode_has_perm(cred, inode, av, &ad);
1862
1863 out:
1864         return rc;
1865 }
1866
1867 /*
1868  * Determine the label for an inode that might be unioned.
1869  */
1870 static int
1871 selinux_determine_inode_label(const struct task_security_struct *tsec,
1872                                  struct inode *dir,
1873                                  const struct qstr *name, u16 tclass,
1874                                  u32 *_new_isid)
1875 {
1876         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1877
1878         if ((sbsec->flags & SE_SBINITIALIZED) &&
1879             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1880                 *_new_isid = sbsec->mntpoint_sid;
1881         } else if ((sbsec->flags & SBLABEL_MNT) &&
1882                    tsec->create_sid) {
1883                 *_new_isid = tsec->create_sid;
1884         } else {
1885                 const struct inode_security_struct *dsec = inode_security(dir);
1886                 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1887                                                name, _new_isid);
1888         }
1889
1890         return 0;
1891 }
1892
1893 /* Check whether a task can create a file. */
1894 static int may_create(struct inode *dir,
1895                       struct dentry *dentry,
1896                       u16 tclass)
1897 {
1898         const struct task_security_struct *tsec = current_security();
1899         struct inode_security_struct *dsec;
1900         struct superblock_security_struct *sbsec;
1901         u32 sid, newsid;
1902         struct common_audit_data ad;
1903         int rc;
1904
1905         dsec = inode_security(dir);
1906         sbsec = dir->i_sb->s_security;
1907
1908         sid = tsec->sid;
1909
1910         ad.type = LSM_AUDIT_DATA_DENTRY;
1911         ad.u.dentry = dentry;
1912
1913         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1914                           DIR__ADD_NAME | DIR__SEARCH,
1915                           &ad);
1916         if (rc)
1917                 return rc;
1918
1919         rc = selinux_determine_inode_label(current_security(), dir,
1920                                            &dentry->d_name, tclass, &newsid);
1921         if (rc)
1922                 return rc;
1923
1924         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1925         if (rc)
1926                 return rc;
1927
1928         return avc_has_perm(newsid, sbsec->sid,
1929                             SECCLASS_FILESYSTEM,
1930                             FILESYSTEM__ASSOCIATE, &ad);
1931 }
1932
1933 #define MAY_LINK        0
1934 #define MAY_UNLINK      1
1935 #define MAY_RMDIR       2
1936
1937 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1938 static int may_link(struct inode *dir,
1939                     struct dentry *dentry,
1940                     int kind)
1941
1942 {
1943         struct inode_security_struct *dsec, *isec;
1944         struct common_audit_data ad;
1945         u32 sid = current_sid();
1946         u32 av;
1947         int rc;
1948
1949         dsec = inode_security(dir);
1950         isec = backing_inode_security(dentry);
1951
1952         ad.type = LSM_AUDIT_DATA_DENTRY;
1953         ad.u.dentry = dentry;
1954
1955         av = DIR__SEARCH;
1956         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958         if (rc)
1959                 return rc;
1960
1961         switch (kind) {
1962         case MAY_LINK:
1963                 av = FILE__LINK;
1964                 break;
1965         case MAY_UNLINK:
1966                 av = FILE__UNLINK;
1967                 break;
1968         case MAY_RMDIR:
1969                 av = DIR__RMDIR;
1970                 break;
1971         default:
1972                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1973                         __func__, kind);
1974                 return 0;
1975         }
1976
1977         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1978         return rc;
1979 }
1980
1981 static inline int may_rename(struct inode *old_dir,
1982                              struct dentry *old_dentry,
1983                              struct inode *new_dir,
1984                              struct dentry *new_dentry)
1985 {
1986         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1987         struct common_audit_data ad;
1988         u32 sid = current_sid();
1989         u32 av;
1990         int old_is_dir, new_is_dir;
1991         int rc;
1992
1993         old_dsec = inode_security(old_dir);
1994         old_isec = backing_inode_security(old_dentry);
1995         old_is_dir = d_is_dir(old_dentry);
1996         new_dsec = inode_security(new_dir);
1997
1998         ad.type = LSM_AUDIT_DATA_DENTRY;
1999
2000         ad.u.dentry = old_dentry;
2001         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
2002                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003         if (rc)
2004                 return rc;
2005         rc = avc_has_perm(sid, old_isec->sid,
2006                           old_isec->sclass, FILE__RENAME, &ad);
2007         if (rc)
2008                 return rc;
2009         if (old_is_dir && new_dir != old_dir) {
2010                 rc = avc_has_perm(sid, old_isec->sid,
2011                                   old_isec->sclass, DIR__REPARENT, &ad);
2012                 if (rc)
2013                         return rc;
2014         }
2015
2016         ad.u.dentry = new_dentry;
2017         av = DIR__ADD_NAME | DIR__SEARCH;
2018         if (d_is_positive(new_dentry))
2019                 av |= DIR__REMOVE_NAME;
2020         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021         if (rc)
2022                 return rc;
2023         if (d_is_positive(new_dentry)) {
2024                 new_isec = backing_inode_security(new_dentry);
2025                 new_is_dir = d_is_dir(new_dentry);
2026                 rc = avc_has_perm(sid, new_isec->sid,
2027                                   new_isec->sclass,
2028                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029                 if (rc)
2030                         return rc;
2031         }
2032
2033         return 0;
2034 }
2035
2036 /* Check whether a task can perform a filesystem operation. */
2037 static int superblock_has_perm(const struct cred *cred,
2038                                struct super_block *sb,
2039                                u32 perms,
2040                                struct common_audit_data *ad)
2041 {
2042         struct superblock_security_struct *sbsec;
2043         u32 sid = cred_sid(cred);
2044
2045         sbsec = sb->s_security;
2046         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047 }
2048
2049 /* Convert a Linux mode and permission mask to an access vector. */
2050 static inline u32 file_mask_to_av(int mode, int mask)
2051 {
2052         u32 av = 0;
2053
2054         if (!S_ISDIR(mode)) {
2055                 if (mask & MAY_EXEC)
2056                         av |= FILE__EXECUTE;
2057                 if (mask & MAY_READ)
2058                         av |= FILE__READ;
2059
2060                 if (mask & MAY_APPEND)
2061                         av |= FILE__APPEND;
2062                 else if (mask & MAY_WRITE)
2063                         av |= FILE__WRITE;
2064
2065         } else {
2066                 if (mask & MAY_EXEC)
2067                         av |= DIR__SEARCH;
2068                 if (mask & MAY_WRITE)
2069                         av |= DIR__WRITE;
2070                 if (mask & MAY_READ)
2071                         av |= DIR__READ;
2072         }
2073
2074         return av;
2075 }
2076
2077 /* Convert a Linux file to an access vector. */
2078 static inline u32 file_to_av(struct file *file)
2079 {
2080         u32 av = 0;
2081
2082         if (file->f_mode & FMODE_READ)
2083                 av |= FILE__READ;
2084         if (file->f_mode & FMODE_WRITE) {
2085                 if (file->f_flags & O_APPEND)
2086                         av |= FILE__APPEND;
2087                 else
2088                         av |= FILE__WRITE;
2089         }
2090         if (!av) {
2091                 /*
2092                  * Special file opened with flags 3 for ioctl-only use.
2093                  */
2094                 av = FILE__IOCTL;
2095         }
2096
2097         return av;
2098 }
2099
2100 /*
2101  * Convert a file to an access vector and include the correct open
2102  * open permission.
2103  */
2104 static inline u32 open_file_to_av(struct file *file)
2105 {
2106         u32 av = file_to_av(file);
2107         struct inode *inode = file_inode(file);
2108
2109         if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2110                 av |= FILE__OPEN;
2111
2112         return av;
2113 }
2114
2115 /* Hook functions begin here. */
2116
2117 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2118 {
2119         u32 mysid = current_sid();
2120         u32 mgrsid = task_sid(mgr);
2121
2122         return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2123                             BINDER__SET_CONTEXT_MGR, NULL);
2124 }
2125
2126 static int selinux_binder_transaction(struct task_struct *from,
2127                                       struct task_struct *to)
2128 {
2129         u32 mysid = current_sid();
2130         u32 fromsid = task_sid(from);
2131         u32 tosid = task_sid(to);
2132         int rc;
2133
2134         if (mysid != fromsid) {
2135                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2136                                   BINDER__IMPERSONATE, NULL);
2137                 if (rc)
2138                         return rc;
2139         }
2140
2141         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142                             NULL);
2143 }
2144
2145 static int selinux_binder_transfer_binder(struct task_struct *from,
2146                                           struct task_struct *to)
2147 {
2148         u32 fromsid = task_sid(from);
2149         u32 tosid = task_sid(to);
2150
2151         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152                             NULL);
2153 }
2154
2155 static int selinux_binder_transfer_file(struct task_struct *from,
2156                                         struct task_struct *to,
2157                                         struct file *file)
2158 {
2159         u32 sid = task_sid(to);
2160         struct file_security_struct *fsec = file->f_security;
2161         struct dentry *dentry = file->f_path.dentry;
2162         struct inode_security_struct *isec;
2163         struct common_audit_data ad;
2164         int rc;
2165
2166         ad.type = LSM_AUDIT_DATA_PATH;
2167         ad.u.path = file->f_path;
2168
2169         if (sid != fsec->sid) {
2170                 rc = avc_has_perm(sid, fsec->sid,
2171                                   SECCLASS_FD,
2172                                   FD__USE,
2173                                   &ad);
2174                 if (rc)
2175                         return rc;
2176         }
2177
2178 #ifdef CONFIG_BPF_SYSCALL
2179         rc = bpf_fd_pass(file, sid);
2180         if (rc)
2181                 return rc;
2182 #endif
2183
2184         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2185                 return 0;
2186
2187         isec = backing_inode_security(dentry);
2188         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2189                             &ad);
2190 }
2191
2192 static int selinux_ptrace_access_check(struct task_struct *child,
2193                                      unsigned int mode)
2194 {
2195         u32 sid = current_sid();
2196         u32 csid = task_sid(child);
2197
2198         if (mode & PTRACE_MODE_READ)
2199                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200
2201         return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202 }
2203
2204 static int selinux_ptrace_traceme(struct task_struct *parent)
2205 {
2206         return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207                             PROCESS__PTRACE, NULL);
2208 }
2209
2210 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212 {
2213         return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2214                             PROCESS__GETCAP, NULL);
2215 }
2216
2217 static int selinux_capset(struct cred *new, const struct cred *old,
2218                           const kernel_cap_t *effective,
2219                           const kernel_cap_t *inheritable,
2220                           const kernel_cap_t *permitted)
2221 {
2222         return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223                             PROCESS__SETCAP, NULL);
2224 }
2225
2226 /*
2227  * (This comment used to live with the selinux_task_setuid hook,
2228  * which was removed).
2229  *
2230  * Since setuid only affects the current process, and since the SELinux
2231  * controls are not based on the Linux identity attributes, SELinux does not
2232  * need to control this operation.  However, SELinux does control the use of
2233  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2234  */
2235
2236 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2237                            int cap, int audit)
2238 {
2239         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2240 }
2241
2242 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2243 {
2244         const struct cred *cred = current_cred();
2245         int rc = 0;
2246
2247         if (!sb)
2248                 return 0;
2249
2250         switch (cmds) {
2251         case Q_SYNC:
2252         case Q_QUOTAON:
2253         case Q_QUOTAOFF:
2254         case Q_SETINFO:
2255         case Q_SETQUOTA:
2256                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2257                 break;
2258         case Q_GETFMT:
2259         case Q_GETINFO:
2260         case Q_GETQUOTA:
2261                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2262                 break;
2263         default:
2264                 rc = 0;  /* let the kernel handle invalid cmds */
2265                 break;
2266         }
2267         return rc;
2268 }
2269
2270 static int selinux_quota_on(struct dentry *dentry)
2271 {
2272         const struct cred *cred = current_cred();
2273
2274         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2275 }
2276
2277 static int selinux_syslog(int type)
2278 {
2279         switch (type) {
2280         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2281         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2282                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2283                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2286         /* Set level of messages printed to console */
2287         case SYSLOG_ACTION_CONSOLE_LEVEL:
2288                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2289                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290                                     NULL);
2291         }
2292         /* All other syslog types */
2293         return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2294                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295 }
2296
2297 /*
2298  * Check that a process has enough memory to allocate a new virtual
2299  * mapping. 0 means there is enough memory for the allocation to
2300  * succeed and -ENOMEM implies there is not.
2301  *
2302  * Do not audit the selinux permission check, as this is applied to all
2303  * processes that allocate mappings.
2304  */
2305 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2306 {
2307         int rc, cap_sys_admin = 0;
2308
2309         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2310                                  SECURITY_CAP_NOAUDIT, true);
2311         if (rc == 0)
2312                 cap_sys_admin = 1;
2313
2314         return cap_sys_admin;
2315 }
2316
2317 /* binprm security operations */
2318
2319 static u32 ptrace_parent_sid(void)
2320 {
2321         u32 sid = 0;
2322         struct task_struct *tracer;
2323
2324         rcu_read_lock();
2325         tracer = ptrace_parent(current);
2326         if (tracer)
2327                 sid = task_sid(tracer);
2328         rcu_read_unlock();
2329
2330         return sid;
2331 }
2332
2333 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2334                             const struct task_security_struct *old_tsec,
2335                             const struct task_security_struct *new_tsec)
2336 {
2337         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2338         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2339         int rc;
2340         u32 av;
2341
2342         if (!nnp && !nosuid)
2343                 return 0; /* neither NNP nor nosuid */
2344
2345         if (new_tsec->sid == old_tsec->sid)
2346                 return 0; /* No change in credentials */
2347
2348         /*
2349          * If the policy enables the nnp_nosuid_transition policy capability,
2350          * then we permit transitions under NNP or nosuid if the
2351          * policy allows the corresponding permission between
2352          * the old and new contexts.
2353          */
2354         if (selinux_policycap_nnp_nosuid_transition) {
2355                 av = 0;
2356                 if (nnp)
2357                         av |= PROCESS2__NNP_TRANSITION;
2358                 if (nosuid)
2359                         av |= PROCESS2__NOSUID_TRANSITION;
2360                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2361                                   SECCLASS_PROCESS2, av, NULL);
2362                 if (!rc)
2363                         return 0;
2364         }
2365
2366         /*
2367          * We also permit NNP or nosuid transitions to bounded SIDs,
2368          * i.e. SIDs that are guaranteed to only be allowed a subset
2369          * of the permissions of the current SID.
2370          */
2371         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2372         if (!rc)
2373                 return 0;
2374
2375         /*
2376          * On failure, preserve the errno values for NNP vs nosuid.
2377          * NNP:  Operation not permitted for caller.
2378          * nosuid:  Permission denied to file.
2379          */
2380         if (nnp)
2381                 return -EPERM;
2382         return -EACCES;
2383 }
2384
2385 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2386 {
2387         const struct task_security_struct *old_tsec;
2388         struct task_security_struct *new_tsec;
2389         struct inode_security_struct *isec;
2390         struct common_audit_data ad;
2391         struct inode *inode = file_inode(bprm->file);
2392         int rc;
2393
2394         /* SELinux context only depends on initial program or script and not
2395          * the script interpreter */
2396         if (bprm->called_set_creds)
2397                 return 0;
2398
2399         old_tsec = current_security();
2400         new_tsec = bprm->cred->security;
2401         isec = inode_security(inode);
2402
2403         /* Default to the current task SID. */
2404         new_tsec->sid = old_tsec->sid;
2405         new_tsec->osid = old_tsec->sid;
2406
2407         /* Reset fs, key, and sock SIDs on execve. */
2408         new_tsec->create_sid = 0;
2409         new_tsec->keycreate_sid = 0;
2410         new_tsec->sockcreate_sid = 0;
2411
2412         if (old_tsec->exec_sid) {
2413                 new_tsec->sid = old_tsec->exec_sid;
2414                 /* Reset exec SID on execve. */
2415                 new_tsec->exec_sid = 0;
2416
2417                 /* Fail on NNP or nosuid if not an allowed transition. */
2418                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2419                 if (rc)
2420                         return rc;
2421         } else {
2422                 /* Check for a default transition on this program. */
2423                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2424                                              SECCLASS_PROCESS, NULL,
2425                                              &new_tsec->sid);
2426                 if (rc)
2427                         return rc;
2428
2429                 /*
2430                  * Fallback to old SID on NNP or nosuid if not an allowed
2431                  * transition.
2432                  */
2433                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2434                 if (rc)
2435                         new_tsec->sid = old_tsec->sid;
2436         }
2437
2438         ad.type = LSM_AUDIT_DATA_FILE;
2439         ad.u.file = bprm->file;
2440
2441         if (new_tsec->sid == old_tsec->sid) {
2442                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2443                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444                 if (rc)
2445                         return rc;
2446         } else {
2447                 /* Check permissions for the transition. */
2448                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2449                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450                 if (rc)
2451                         return rc;
2452
2453                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2454                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455                 if (rc)
2456                         return rc;
2457
2458                 /* Check for shared state */
2459                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2461                                           SECCLASS_PROCESS, PROCESS__SHARE,
2462                                           NULL);
2463                         if (rc)
2464                                 return -EPERM;
2465                 }
2466
2467                 /* Make sure that anyone attempting to ptrace over a task that
2468                  * changes its SID has the appropriate permit */
2469                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470                         u32 ptsid = ptrace_parent_sid();
2471                         if (ptsid != 0) {
2472                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2473                                                   SECCLASS_PROCESS,
2474                                                   PROCESS__PTRACE, NULL);
2475                                 if (rc)
2476                                         return -EPERM;
2477                         }
2478                 }
2479
2480                 /* Clear any possibly unsafe personality bits on exec: */
2481                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2482
2483                 /* Enable secure mode for SIDs transitions unless
2484                    the noatsecure permission is granted between
2485                    the two SIDs, i.e. ahp returns 0. */
2486                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2487                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488                                   NULL);
2489                 bprm->secureexec |= !!rc;
2490         }
2491
2492         return 0;
2493 }
2494
2495 static int match_file(const void *p, struct file *file, unsigned fd)
2496 {
2497         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2498 }
2499
2500 /* Derived from fs/exec.c:flush_old_files. */
2501 static inline void flush_unauthorized_files(const struct cred *cred,
2502                                             struct files_struct *files)
2503 {
2504         struct file *file, *devnull = NULL;
2505         struct tty_struct *tty;
2506         int drop_tty = 0;
2507         unsigned n;
2508
2509         tty = get_current_tty();
2510         if (tty) {
2511                 spin_lock(&tty->files_lock);
2512                 if (!list_empty(&tty->tty_files)) {
2513                         struct tty_file_private *file_priv;
2514
2515                         /* Revalidate access to controlling tty.
2516                            Use file_path_has_perm on the tty path directly
2517                            rather than using file_has_perm, as this particular
2518                            open file may belong to another process and we are
2519                            only interested in the inode-based check here. */
2520                         file_priv = list_first_entry(&tty->tty_files,
2521                                                 struct tty_file_private, list);
2522                         file = file_priv->file;
2523                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2524                                 drop_tty = 1;
2525                 }
2526                 spin_unlock(&tty->files_lock);
2527                 tty_kref_put(tty);
2528         }
2529         /* Reset controlling tty. */
2530         if (drop_tty)
2531                 no_tty();
2532
2533         /* Revalidate access to inherited open files. */
2534         n = iterate_fd(files, 0, match_file, cred);
2535         if (!n) /* none found? */
2536                 return;
2537
2538         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2539         if (IS_ERR(devnull))
2540                 devnull = NULL;
2541         /* replace all the matching ones with this */
2542         do {
2543                 replace_fd(n - 1, devnull, 0);
2544         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2545         if (devnull)
2546                 fput(devnull);
2547 }
2548
2549 /*
2550  * Prepare a process for imminent new credential changes due to exec
2551  */
2552 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2553 {
2554         struct task_security_struct *new_tsec;
2555         struct rlimit *rlim, *initrlim;
2556         int rc, i;
2557
2558         new_tsec = bprm->cred->security;
2559         if (new_tsec->sid == new_tsec->osid)
2560                 return;
2561
2562         /* Close files for which the new task SID is not authorized. */
2563         flush_unauthorized_files(bprm->cred, current->files);
2564
2565         /* Always clear parent death signal on SID transitions. */
2566         current->pdeath_signal = 0;
2567
2568         /* Check whether the new SID can inherit resource limits from the old
2569          * SID.  If not, reset all soft limits to the lower of the current
2570          * task's hard limit and the init task's soft limit.
2571          *
2572          * Note that the setting of hard limits (even to lower them) can be
2573          * controlled by the setrlimit check.  The inclusion of the init task's
2574          * soft limit into the computation is to avoid resetting soft limits
2575          * higher than the default soft limit for cases where the default is
2576          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577          */
2578         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579                           PROCESS__RLIMITINH, NULL);
2580         if (rc) {
2581                 /* protect against do_prlimit() */
2582                 task_lock(current);
2583                 for (i = 0; i < RLIM_NLIMITS; i++) {
2584                         rlim = current->signal->rlim + i;
2585                         initrlim = init_task.signal->rlim + i;
2586                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2587                 }
2588                 task_unlock(current);
2589                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2590                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2591         }
2592 }
2593
2594 /*
2595  * Clean up the process immediately after the installation of new credentials
2596  * due to exec
2597  */
2598 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2599 {
2600         const struct task_security_struct *tsec = current_security();
2601         struct itimerval itimer;
2602         u32 osid, sid;
2603         int rc, i;
2604
2605         osid = tsec->osid;
2606         sid = tsec->sid;
2607
2608         if (sid == osid)
2609                 return;
2610
2611         /* Check whether the new SID can inherit signal state from the old SID.
2612          * If not, clear itimers to avoid subsequent signal generation and
2613          * flush and unblock signals.
2614          *
2615          * This must occur _after_ the task SID has been updated so that any
2616          * kill done after the flush will be checked against the new SID.
2617          */
2618         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619         if (rc) {
2620                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621                         memset(&itimer, 0, sizeof itimer);
2622                         for (i = 0; i < 3; i++)
2623                                 do_setitimer(i, &itimer, NULL);
2624                 }
2625                 spin_lock_irq(&current->sighand->siglock);
2626                 if (!fatal_signal_pending(current)) {
2627                         flush_sigqueue(&current->pending);
2628                         flush_sigqueue(&current->signal->shared_pending);
2629                         flush_signal_handlers(current, 1);
2630                         sigemptyset(&current->blocked);
2631                         recalc_sigpending();
2632                 }
2633                 spin_unlock_irq(&current->sighand->siglock);
2634         }
2635
2636         /* Wake up the parent if it is waiting so that it can recheck
2637          * wait permission to the new task SID. */
2638         read_lock(&tasklist_lock);
2639         __wake_up_parent(current, current->real_parent);
2640         read_unlock(&tasklist_lock);
2641 }
2642
2643 /* superblock security operations */
2644
2645 static int selinux_sb_alloc_security(struct super_block *sb)
2646 {
2647         return superblock_alloc_security(sb);
2648 }
2649
2650 static void selinux_sb_free_security(struct super_block *sb)
2651 {
2652         superblock_free_security(sb);
2653 }
2654
2655 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2656 {
2657         if (plen > olen)
2658                 return 0;
2659
2660         return !memcmp(prefix, option, plen);
2661 }
2662
2663 static inline int selinux_option(char *option, int len)
2664 {
2665         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2666                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2667                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2668                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2669                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2670 }
2671
2672 static inline void take_option(char **to, char *from, int *first, int len)
2673 {
2674         if (!*first) {
2675                 **to = ',';
2676                 *to += 1;
2677         } else
2678                 *first = 0;
2679         memcpy(*to, from, len);
2680         *to += len;
2681 }
2682
2683 static inline void take_selinux_option(char **to, char *from, int *first,
2684                                        int len)
2685 {
2686         int current_size = 0;
2687
2688         if (!*first) {
2689                 **to = '|';
2690                 *to += 1;
2691         } else
2692                 *first = 0;
2693
2694         while (current_size < len) {
2695                 if (*from != '"') {
2696                         **to = *from;
2697                         *to += 1;
2698                 }
2699                 from += 1;
2700                 current_size += 1;
2701         }
2702 }
2703
2704 static int selinux_sb_copy_data(char *orig, char *copy)
2705 {
2706         int fnosec, fsec, rc = 0;
2707         char *in_save, *in_curr, *in_end;
2708         char *sec_curr, *nosec_save, *nosec;
2709         int open_quote = 0;
2710
2711         in_curr = orig;
2712         sec_curr = copy;
2713
2714         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2715         if (!nosec) {
2716                 rc = -ENOMEM;
2717                 goto out;
2718         }
2719
2720         nosec_save = nosec;
2721         fnosec = fsec = 1;
2722         in_save = in_end = orig;
2723
2724         do {
2725                 if (*in_end == '"')
2726                         open_quote = !open_quote;
2727                 if ((*in_end == ',' && open_quote == 0) ||
2728                                 *in_end == '\0') {
2729                         int len = in_end - in_curr;
2730
2731                         if (selinux_option(in_curr, len))
2732                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2733                         else
2734                                 take_option(&nosec, in_curr, &fnosec, len);
2735
2736                         in_curr = in_end + 1;
2737                 }
2738         } while (*in_end++);
2739
2740         strcpy(in_save, nosec_save);
2741         free_page((unsigned long)nosec_save);
2742 out:
2743         return rc;
2744 }
2745
2746 static int selinux_sb_remount(struct super_block *sb, void *data)
2747 {
2748         int rc, i, *flags;
2749         struct security_mnt_opts opts;
2750         char *secdata, **mount_options;
2751         struct superblock_security_struct *sbsec = sb->s_security;
2752
2753         if (!(sbsec->flags & SE_SBINITIALIZED))
2754                 return 0;
2755
2756         if (!data)
2757                 return 0;
2758
2759         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2760                 return 0;
2761
2762         security_init_mnt_opts(&opts);
2763         secdata = alloc_secdata();
2764         if (!secdata)
2765                 return -ENOMEM;
2766         rc = selinux_sb_copy_data(data, secdata);
2767         if (rc)
2768                 goto out_free_secdata;
2769
2770         rc = selinux_parse_opts_str(secdata, &opts);
2771         if (rc)
2772                 goto out_free_secdata;
2773
2774         mount_options = opts.mnt_opts;
2775         flags = opts.mnt_opts_flags;
2776
2777         for (i = 0; i < opts.num_mnt_opts; i++) {
2778                 u32 sid;
2779
2780                 if (flags[i] == SBLABEL_MNT)
2781                         continue;
2782                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2783                 if (rc) {
2784                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2786                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2787                         goto out_free_opts;
2788                 }
2789                 rc = -EINVAL;
2790                 switch (flags[i]) {
2791                 case FSCONTEXT_MNT:
2792                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2793                                 goto out_bad_option;
2794                         break;
2795                 case CONTEXT_MNT:
2796                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2797                                 goto out_bad_option;
2798                         break;
2799                 case ROOTCONTEXT_MNT: {
2800                         struct inode_security_struct *root_isec;
2801                         root_isec = backing_inode_security(sb->s_root);
2802
2803                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2804                                 goto out_bad_option;
2805                         break;
2806                 }
2807                 case DEFCONTEXT_MNT:
2808                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2809                                 goto out_bad_option;
2810                         break;
2811                 default:
2812                         goto out_free_opts;
2813                 }
2814         }
2815
2816         rc = 0;
2817 out_free_opts:
2818         security_free_mnt_opts(&opts);
2819 out_free_secdata:
2820         free_secdata(secdata);
2821         return rc;
2822 out_bad_option:
2823         printk(KERN_WARNING "SELinux: unable to change security options "
2824                "during remount (dev %s, type=%s)\n", sb->s_id,
2825                sb->s_type->name);
2826         goto out_free_opts;
2827 }
2828
2829 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2830 {
2831         const struct cred *cred = current_cred();
2832         struct common_audit_data ad;
2833         int rc;
2834
2835         rc = superblock_doinit(sb, data);
2836         if (rc)
2837                 return rc;
2838
2839         /* Allow all mounts performed by the kernel */
2840         if (flags & MS_KERNMOUNT)
2841                 return 0;
2842
2843         ad.type = LSM_AUDIT_DATA_DENTRY;
2844         ad.u.dentry = sb->s_root;
2845         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2846 }
2847
2848 static int selinux_sb_statfs(struct dentry *dentry)
2849 {
2850         const struct cred *cred = current_cred();
2851         struct common_audit_data ad;
2852
2853         ad.type = LSM_AUDIT_DATA_DENTRY;
2854         ad.u.dentry = dentry->d_sb->s_root;
2855         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2856 }
2857
2858 static int selinux_mount(const char *dev_name,
2859                          const struct path *path,
2860                          const char *type,
2861                          unsigned long flags,
2862                          void *data)
2863 {
2864         const struct cred *cred = current_cred();
2865
2866         if (flags & MS_REMOUNT)
2867                 return superblock_has_perm(cred, path->dentry->d_sb,
2868                                            FILESYSTEM__REMOUNT, NULL);
2869         else
2870                 return path_has_perm(cred, path, FILE__MOUNTON);
2871 }
2872
2873 static int selinux_umount(struct vfsmount *mnt, int flags)
2874 {
2875         const struct cred *cred = current_cred();
2876
2877         return superblock_has_perm(cred, mnt->mnt_sb,
2878                                    FILESYSTEM__UNMOUNT, NULL);
2879 }
2880
2881 /* inode security operations */
2882
2883 static int selinux_inode_alloc_security(struct inode *inode)
2884 {
2885         return inode_alloc_security(inode);
2886 }
2887
2888 static void selinux_inode_free_security(struct inode *inode)
2889 {
2890         inode_free_security(inode);
2891 }
2892
2893 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2894                                         const struct qstr *name, void **ctx,
2895                                         u32 *ctxlen)
2896 {
2897         u32 newsid;
2898         int rc;
2899
2900         rc = selinux_determine_inode_label(current_security(),
2901                                            d_inode(dentry->d_parent), name,
2902                                            inode_mode_to_security_class(mode),
2903                                            &newsid);
2904         if (rc)
2905                 return rc;
2906
2907         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2908 }
2909
2910 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2911                                           struct qstr *name,
2912                                           const struct cred *old,
2913                                           struct cred *new)
2914 {
2915         u32 newsid;
2916         int rc;
2917         struct task_security_struct *tsec;
2918
2919         rc = selinux_determine_inode_label(old->security,
2920                                            d_inode(dentry->d_parent), name,
2921                                            inode_mode_to_security_class(mode),
2922                                            &newsid);
2923         if (rc)
2924                 return rc;
2925
2926         tsec = new->security;
2927         tsec->create_sid = newsid;
2928         return 0;
2929 }
2930
2931 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2932                                        const struct qstr *qstr,
2933                                        const char **name,
2934                                        void **value, size_t *len)
2935 {
2936         const struct task_security_struct *tsec = current_security();
2937         struct superblock_security_struct *sbsec;
2938         u32 newsid, clen;
2939         int rc;
2940         char *context;
2941
2942         sbsec = dir->i_sb->s_security;
2943
2944         newsid = tsec->create_sid;
2945
2946         rc = selinux_determine_inode_label(current_security(),
2947                 dir, qstr,
2948                 inode_mode_to_security_class(inode->i_mode),
2949                 &newsid);
2950         if (rc)
2951                 return rc;
2952
2953         /* Possibly defer initialization to selinux_complete_init. */
2954         if (sbsec->flags & SE_SBINITIALIZED) {
2955                 struct inode_security_struct *isec = inode->i_security;
2956                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2957                 isec->sid = newsid;
2958                 isec->initialized = LABEL_INITIALIZED;
2959         }
2960
2961         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2962                 return -EOPNOTSUPP;
2963
2964         if (name)
2965                 *name = XATTR_SELINUX_SUFFIX;
2966
2967         if (value && len) {
2968                 rc = security_sid_to_context_force(newsid, &context, &clen);
2969                 if (rc)
2970                         return rc;
2971                 *value = context;
2972                 *len = clen;
2973         }
2974
2975         return 0;
2976 }
2977
2978 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2979 {
2980         return may_create(dir, dentry, SECCLASS_FILE);
2981 }
2982
2983 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2984 {
2985         return may_link(dir, old_dentry, MAY_LINK);
2986 }
2987
2988 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2989 {
2990         return may_link(dir, dentry, MAY_UNLINK);
2991 }
2992
2993 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2994 {
2995         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2996 }
2997
2998 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2999 {
3000         return may_create(dir, dentry, SECCLASS_DIR);
3001 }
3002
3003 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3004 {
3005         return may_link(dir, dentry, MAY_RMDIR);
3006 }
3007
3008 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3009 {
3010         return may_create(dir, dentry, inode_mode_to_security_class(mode));
3011 }
3012
3013 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3014                                 struct inode *new_inode, struct dentry *new_dentry)
3015 {
3016         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3017 }
3018
3019 static int selinux_inode_readlink(struct dentry *dentry)
3020 {
3021         const struct cred *cred = current_cred();
3022
3023         return dentry_has_perm(cred, dentry, FILE__READ);
3024 }
3025
3026 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3027                                      bool rcu)
3028 {
3029         const struct cred *cred = current_cred();
3030         struct common_audit_data ad;
3031         struct inode_security_struct *isec;
3032         u32 sid;
3033
3034         validate_creds(cred);
3035
3036         ad.type = LSM_AUDIT_DATA_DENTRY;
3037         ad.u.dentry = dentry;
3038         sid = cred_sid(cred);
3039         isec = inode_security_rcu(inode, rcu);
3040         if (IS_ERR(isec))
3041                 return PTR_ERR(isec);
3042
3043         return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044                                   rcu ? MAY_NOT_BLOCK : 0);
3045 }
3046
3047 static noinline int audit_inode_permission(struct inode *inode,
3048                                            u32 perms, u32 audited, u32 denied,
3049                                            int result,
3050                                            unsigned flags)
3051 {
3052         struct common_audit_data ad;
3053         struct inode_security_struct *isec = inode->i_security;
3054         int rc;
3055
3056         ad.type = LSM_AUDIT_DATA_INODE;
3057         ad.u.inode = inode;
3058
3059         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3060                             audited, denied, result, &ad, flags);
3061         if (rc)
3062                 return rc;
3063         return 0;
3064 }
3065
3066 static int selinux_inode_permission(struct inode *inode, int mask)
3067 {
3068         const struct cred *cred = current_cred();
3069         u32 perms;
3070         bool from_access;
3071         unsigned flags = mask & MAY_NOT_BLOCK;
3072         struct inode_security_struct *isec;
3073         u32 sid;
3074         struct av_decision avd;
3075         int rc, rc2;
3076         u32 audited, denied;
3077
3078         from_access = mask & MAY_ACCESS;
3079         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3080
3081         /* No permission to check.  Existence test. */
3082         if (!mask)
3083                 return 0;
3084
3085         validate_creds(cred);
3086
3087         if (unlikely(IS_PRIVATE(inode)))
3088                 return 0;
3089
3090         perms = file_mask_to_av(inode->i_mode, mask);
3091
3092         sid = cred_sid(cred);
3093         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3094         if (IS_ERR(isec))
3095                 return PTR_ERR(isec);
3096
3097         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3098         audited = avc_audit_required(perms, &avd, rc,
3099                                      from_access ? FILE__AUDIT_ACCESS : 0,
3100                                      &denied);
3101         if (likely(!audited))
3102                 return rc;
3103
3104         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3105         if (rc2)
3106                 return rc2;
3107         return rc;
3108 }
3109
3110 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3111 {
3112         const struct cred *cred = current_cred();
3113         struct inode *inode = d_backing_inode(dentry);
3114         unsigned int ia_valid = iattr->ia_valid;
3115         __u32 av = FILE__WRITE;
3116
3117         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3118         if (ia_valid & ATTR_FORCE) {
3119                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3120                               ATTR_FORCE);
3121                 if (!ia_valid)
3122                         return 0;
3123         }
3124
3125         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3126                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128
3129         if (selinux_policycap_openperm &&
3130             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131             (ia_valid & ATTR_SIZE) &&
3132             !(ia_valid & ATTR_FILE))
3133                 av |= FILE__OPEN;
3134
3135         return dentry_has_perm(cred, dentry, av);
3136 }
3137
3138 static int selinux_inode_getattr(const struct path *path)
3139 {
3140         return path_has_perm(current_cred(), path, FILE__GETATTR);
3141 }
3142
3143 static bool has_cap_mac_admin(bool audit)
3144 {
3145         const struct cred *cred = current_cred();
3146         int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3147
3148         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3149                 return false;
3150         if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3151                 return false;
3152         return true;
3153 }
3154
3155 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3156                                   const void *value, size_t size, int flags)
3157 {
3158         struct inode *inode = d_backing_inode(dentry);
3159         struct inode_security_struct *isec;
3160         struct superblock_security_struct *sbsec;
3161         struct common_audit_data ad;
3162         u32 newsid, sid = current_sid();
3163         int rc = 0;
3164
3165         if (strcmp(name, XATTR_NAME_SELINUX)) {
3166                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3167                 if (rc)
3168                         return rc;
3169
3170                 /* Not an attribute we recognize, so just check the
3171                    ordinary setattr permission. */
3172                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3173         }
3174
3175         sbsec = inode->i_sb->s_security;
3176         if (!(sbsec->flags & SBLABEL_MNT))
3177                 return -EOPNOTSUPP;
3178
3179         if (!inode_owner_or_capable(inode))
3180                 return -EPERM;
3181
3182         ad.type = LSM_AUDIT_DATA_DENTRY;
3183         ad.u.dentry = dentry;
3184
3185         isec = backing_inode_security(dentry);
3186         rc = avc_has_perm(sid, isec->sid, isec->sclass,
3187                           FILE__RELABELFROM, &ad);
3188         if (rc)
3189                 return rc;
3190
3191         rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3192         if (rc == -EINVAL) {
3193                 if (!has_cap_mac_admin(true)) {
3194                         struct audit_buffer *ab;
3195                         size_t audit_size;
3196
3197                         /* We strip a nul only if it is at the end, otherwise the
3198                          * context contains a nul and we should audit that */
3199                         if (value) {
3200                                 const char *str = value;
3201
3202                                 if (str[size - 1] == '\0')
3203                                         audit_size = size - 1;
3204                                 else
3205                                         audit_size = size;
3206                         } else {
3207                                 audit_size = 0;
3208                         }
3209                         ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3210                         audit_log_format(ab, "op=setxattr invalid_context=");
3211                         audit_log_n_untrustedstring(ab, value, audit_size);
3212                         audit_log_end(ab);
3213
3214                         return rc;
3215                 }
3216                 rc = security_context_to_sid_force(value, size, &newsid);
3217         }
3218         if (rc)
3219                 return rc;
3220
3221         rc = avc_has_perm(sid, newsid, isec->sclass,
3222                           FILE__RELABELTO, &ad);
3223         if (rc)
3224                 return rc;
3225
3226         rc = security_validate_transition(isec->sid, newsid, sid,
3227                                           isec->sclass);
3228         if (rc)
3229                 return rc;
3230
3231         return avc_has_perm(newsid,
3232                             sbsec->sid,
3233                             SECCLASS_FILESYSTEM,
3234                             FILESYSTEM__ASSOCIATE,
3235                             &ad);
3236 }
3237
3238 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3239                                         const void *value, size_t size,
3240                                         int flags)
3241 {
3242         struct inode *inode = d_backing_inode(dentry);
3243         struct inode_security_struct *isec;
3244         u32 newsid;
3245         int rc;
3246
3247         if (strcmp(name, XATTR_NAME_SELINUX)) {
3248                 /* Not an attribute we recognize, so nothing to do. */
3249                 return;
3250         }
3251
3252         rc = security_context_to_sid_force(value, size, &newsid);
3253         if (rc) {
3254                 printk(KERN_ERR "SELinux:  unable to map context to SID"
3255                        "for (%s, %lu), rc=%d\n",
3256                        inode->i_sb->s_id, inode->i_ino, -rc);
3257                 return;
3258         }
3259
3260         isec = backing_inode_security(dentry);
3261         spin_lock(&isec->lock);
3262         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3263         isec->sid = newsid;
3264         isec->initialized = LABEL_INITIALIZED;
3265         spin_unlock(&isec->lock);
3266
3267         return;
3268 }
3269
3270 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3271 {
3272         const struct cred *cred = current_cred();
3273
3274         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3275 }
3276
3277 static int selinux_inode_listxattr(struct dentry *dentry)
3278 {
3279         const struct cred *cred = current_cred();
3280
3281         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3282 }
3283
3284 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3285 {
3286         if (strcmp(name, XATTR_NAME_SELINUX)) {
3287                 int rc = cap_inode_removexattr(dentry, name);
3288                 if (rc)
3289                         return rc;
3290
3291                 /* Not an attribute we recognize, so just check the
3292                    ordinary setattr permission. */
3293                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3294         }
3295
3296         /* No one is allowed to remove a SELinux security label.
3297            You can change the label, but all data must be labeled. */
3298         return -EACCES;
3299 }
3300
3301 /*
3302  * Copy the inode security context value to the user.
3303  *
3304  * Permission check is handled by selinux_inode_getxattr hook.
3305  */
3306 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3307 {
3308         u32 size;
3309         int error;
3310         char *context = NULL;
3311         struct inode_security_struct *isec;
3312
3313         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3314                 return -EOPNOTSUPP;
3315
3316         /*
3317          * If the caller has CAP_MAC_ADMIN, then get the raw context
3318          * value even if it is not defined by current policy; otherwise,
3319          * use the in-core value under current policy.
3320          * Use the non-auditing forms of the permission checks since
3321          * getxattr may be called by unprivileged processes commonly
3322          * and lack of permission just means that we fall back to the
3323          * in-core context value, not a denial.
3324          */
3325         isec = inode_security(inode);
3326         if (has_cap_mac_admin(false))