Merge tag 'selinux-pr-20190312' of git://git.kernel.org/pub/scm/linux/kernel/git...
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *      This program is free software; you can redistribute it and/or modify
23  *      it under the terms of the GNU General Public License version 2,
24  *      as published by the Free Software Foundation.
25  */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/fs_context.h>
52 #include <linux/fs_parser.h>
53 #include <linux/netfilter_ipv4.h>
54 #include <linux/netfilter_ipv6.h>
55 #include <linux/tty.h>
56 #include <net/icmp.h>
57 #include <net/ip.h>             /* for local_port_range[] */
58 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
59 #include <net/inet_connection_sock.h>
60 #include <net/net_namespace.h>
61 #include <net/netlabel.h>
62 #include <linux/uaccess.h>
63 #include <asm/ioctls.h>
64 #include <linux/atomic.h>
65 #include <linux/bitops.h>
66 #include <linux/interrupt.h>
67 #include <linux/netdevice.h>    /* for network interface checks */
68 #include <net/netlink.h>
69 #include <linux/tcp.h>
70 #include <linux/udp.h>
71 #include <linux/dccp.h>
72 #include <linux/sctp.h>
73 #include <net/sctp/structs.h>
74 #include <linux/quota.h>
75 #include <linux/un.h>           /* for Unix socket types */
76 #include <net/af_unix.h>        /* for Unix socket types */
77 #include <linux/parser.h>
78 #include <linux/nfs_mount.h>
79 #include <net/ipv6.h>
80 #include <linux/hugetlb.h>
81 #include <linux/personality.h>
82 #include <linux/audit.h>
83 #include <linux/string.h>
84 #include <linux/mutex.h>
85 #include <linux/posix-timers.h>
86 #include <linux/syslog.h>
87 #include <linux/user_namespace.h>
88 #include <linux/export.h>
89 #include <linux/msg.h>
90 #include <linux/shm.h>
91 #include <linux/bpf.h>
92 #include <uapi/linux/mount.h>
93
94 #include "avc.h"
95 #include "objsec.h"
96 #include "netif.h"
97 #include "netnode.h"
98 #include "netport.h"
99 #include "ibpkey.h"
100 #include "xfrm.h"
101 #include "netlabel.h"
102 #include "audit.h"
103 #include "avc_ss.h"
104
105 struct selinux_state selinux_state;
106
107 /* SECMARK reference count */
108 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
109
110 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
111 static int selinux_enforcing_boot;
112
113 static int __init enforcing_setup(char *str)
114 {
115         unsigned long enforcing;
116         if (!kstrtoul(str, 0, &enforcing))
117                 selinux_enforcing_boot = enforcing ? 1 : 0;
118         return 1;
119 }
120 __setup("enforcing=", enforcing_setup);
121 #else
122 #define selinux_enforcing_boot 1
123 #endif
124
125 int selinux_enabled __lsm_ro_after_init = 1;
126 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
127 static int __init selinux_enabled_setup(char *str)
128 {
129         unsigned long enabled;
130         if (!kstrtoul(str, 0, &enabled))
131                 selinux_enabled = enabled ? 1 : 0;
132         return 1;
133 }
134 __setup("selinux=", selinux_enabled_setup);
135 #endif
136
137 static unsigned int selinux_checkreqprot_boot =
138         CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
139
140 static int __init checkreqprot_setup(char *str)
141 {
142         unsigned long checkreqprot;
143
144         if (!kstrtoul(str, 0, &checkreqprot))
145                 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
146         return 1;
147 }
148 __setup("checkreqprot=", checkreqprot_setup);
149
150 /**
151  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
152  *
153  * Description:
154  * This function checks the SECMARK reference counter to see if any SECMARK
155  * targets are currently configured, if the reference counter is greater than
156  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
157  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
158  * policy capability is enabled, SECMARK is always considered enabled.
159  *
160  */
161 static int selinux_secmark_enabled(void)
162 {
163         return (selinux_policycap_alwaysnetwork() ||
164                 atomic_read(&selinux_secmark_refcount));
165 }
166
167 /**
168  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
169  *
170  * Description:
171  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
172  * (1) if any are enabled or false (0) if neither are enabled.  If the
173  * always_check_network policy capability is enabled, peer labeling
174  * is always considered enabled.
175  *
176  */
177 static int selinux_peerlbl_enabled(void)
178 {
179         return (selinux_policycap_alwaysnetwork() ||
180                 netlbl_enabled() || selinux_xfrm_enabled());
181 }
182
183 static int selinux_netcache_avc_callback(u32 event)
184 {
185         if (event == AVC_CALLBACK_RESET) {
186                 sel_netif_flush();
187                 sel_netnode_flush();
188                 sel_netport_flush();
189                 synchronize_net();
190         }
191         return 0;
192 }
193
194 static int selinux_lsm_notifier_avc_callback(u32 event)
195 {
196         if (event == AVC_CALLBACK_RESET) {
197                 sel_ib_pkey_flush();
198                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
199         }
200
201         return 0;
202 }
203
204 /*
205  * initialise the security for the init task
206  */
207 static void cred_init_security(void)
208 {
209         struct cred *cred = (struct cred *) current->real_cred;
210         struct task_security_struct *tsec;
211
212         tsec = selinux_cred(cred);
213         tsec->osid = tsec->sid = SECINITSID_KERNEL;
214 }
215
216 /*
217  * get the security ID of a set of credentials
218  */
219 static inline u32 cred_sid(const struct cred *cred)
220 {
221         const struct task_security_struct *tsec;
222
223         tsec = selinux_cred(cred);
224         return tsec->sid;
225 }
226
227 /*
228  * get the objective security ID of a task
229  */
230 static inline u32 task_sid(const struct task_struct *task)
231 {
232         u32 sid;
233
234         rcu_read_lock();
235         sid = cred_sid(__task_cred(task));
236         rcu_read_unlock();
237         return sid;
238 }
239
240 /* Allocate and free functions for each kind of security blob. */
241
242 static int inode_alloc_security(struct inode *inode)
243 {
244         struct inode_security_struct *isec = selinux_inode(inode);
245         u32 sid = current_sid();
246
247         spin_lock_init(&isec->lock);
248         INIT_LIST_HEAD(&isec->list);
249         isec->inode = inode;
250         isec->sid = SECINITSID_UNLABELED;
251         isec->sclass = SECCLASS_FILE;
252         isec->task_sid = sid;
253         isec->initialized = LABEL_INVALID;
254
255         return 0;
256 }
257
258 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
259
260 /*
261  * Try reloading inode security labels that have been marked as invalid.  The
262  * @may_sleep parameter indicates when sleeping and thus reloading labels is
263  * allowed; when set to false, returns -ECHILD when the label is
264  * invalid.  The @dentry parameter should be set to a dentry of the inode.
265  */
266 static int __inode_security_revalidate(struct inode *inode,
267                                        struct dentry *dentry,
268                                        bool may_sleep)
269 {
270         struct inode_security_struct *isec = selinux_inode(inode);
271
272         might_sleep_if(may_sleep);
273
274         if (selinux_state.initialized &&
275             isec->initialized != LABEL_INITIALIZED) {
276                 if (!may_sleep)
277                         return -ECHILD;
278
279                 /*
280                  * Try reloading the inode security label.  This will fail if
281                  * @opt_dentry is NULL and no dentry for this inode can be
282                  * found; in that case, continue using the old label.
283                  */
284                 inode_doinit_with_dentry(inode, dentry);
285         }
286         return 0;
287 }
288
289 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
290 {
291         return selinux_inode(inode);
292 }
293
294 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
295 {
296         int error;
297
298         error = __inode_security_revalidate(inode, NULL, !rcu);
299         if (error)
300                 return ERR_PTR(error);
301         return selinux_inode(inode);
302 }
303
304 /*
305  * Get the security label of an inode.
306  */
307 static struct inode_security_struct *inode_security(struct inode *inode)
308 {
309         __inode_security_revalidate(inode, NULL, true);
310         return selinux_inode(inode);
311 }
312
313 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
314 {
315         struct inode *inode = d_backing_inode(dentry);
316
317         return selinux_inode(inode);
318 }
319
320 /*
321  * Get the security label of a dentry's backing inode.
322  */
323 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
324 {
325         struct inode *inode = d_backing_inode(dentry);
326
327         __inode_security_revalidate(inode, dentry, true);
328         return selinux_inode(inode);
329 }
330
331 static void inode_free_security(struct inode *inode)
332 {
333         struct inode_security_struct *isec = selinux_inode(inode);
334         struct superblock_security_struct *sbsec;
335
336         if (!isec)
337                 return;
338         sbsec = inode->i_sb->s_security;
339         /*
340          * As not all inode security structures are in a list, we check for
341          * empty list outside of the lock to make sure that we won't waste
342          * time taking a lock doing nothing.
343          *
344          * The list_del_init() function can be safely called more than once.
345          * It should not be possible for this function to be called with
346          * concurrent list_add(), but for better safety against future changes
347          * in the code, we use list_empty_careful() here.
348          */
349         if (!list_empty_careful(&isec->list)) {
350                 spin_lock(&sbsec->isec_lock);
351                 list_del_init(&isec->list);
352                 spin_unlock(&sbsec->isec_lock);
353         }
354 }
355
356 static int file_alloc_security(struct file *file)
357 {
358         struct file_security_struct *fsec = selinux_file(file);
359         u32 sid = current_sid();
360
361         fsec->sid = sid;
362         fsec->fown_sid = sid;
363
364         return 0;
365 }
366
367 static int superblock_alloc_security(struct super_block *sb)
368 {
369         struct superblock_security_struct *sbsec;
370
371         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
372         if (!sbsec)
373                 return -ENOMEM;
374
375         mutex_init(&sbsec->lock);
376         INIT_LIST_HEAD(&sbsec->isec_head);
377         spin_lock_init(&sbsec->isec_lock);
378         sbsec->sb = sb;
379         sbsec->sid = SECINITSID_UNLABELED;
380         sbsec->def_sid = SECINITSID_FILE;
381         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
382         sb->s_security = sbsec;
383
384         return 0;
385 }
386
387 static void superblock_free_security(struct super_block *sb)
388 {
389         struct superblock_security_struct *sbsec = sb->s_security;
390         sb->s_security = NULL;
391         kfree(sbsec);
392 }
393
394 struct selinux_mnt_opts {
395         const char *fscontext, *context, *rootcontext, *defcontext;
396 };
397
398 static void selinux_free_mnt_opts(void *mnt_opts)
399 {
400         struct selinux_mnt_opts *opts = mnt_opts;
401         kfree(opts->fscontext);
402         kfree(opts->context);
403         kfree(opts->rootcontext);
404         kfree(opts->defcontext);
405         kfree(opts);
406 }
407
408 static inline int inode_doinit(struct inode *inode)
409 {
410         return inode_doinit_with_dentry(inode, NULL);
411 }
412
413 enum {
414         Opt_error = -1,
415         Opt_context = 0,
416         Opt_defcontext = 1,
417         Opt_fscontext = 2,
418         Opt_rootcontext = 3,
419         Opt_seclabel = 4,
420 };
421
422 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
423 static struct {
424         const char *name;
425         int len;
426         int opt;
427         bool has_arg;
428 } tokens[] = {
429         A(context, true),
430         A(fscontext, true),
431         A(defcontext, true),
432         A(rootcontext, true),
433         A(seclabel, false),
434 };
435 #undef A
436
437 static int match_opt_prefix(char *s, int l, char **arg)
438 {
439         int i;
440
441         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
442                 size_t len = tokens[i].len;
443                 if (len > l || memcmp(s, tokens[i].name, len))
444                         continue;
445                 if (tokens[i].has_arg) {
446                         if (len == l || s[len] != '=')
447                                 continue;
448                         *arg = s + len + 1;
449                 } else if (len != l)
450                         continue;
451                 return tokens[i].opt;
452         }
453         return Opt_error;
454 }
455
456 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
457
458 static int may_context_mount_sb_relabel(u32 sid,
459                         struct superblock_security_struct *sbsec,
460                         const struct cred *cred)
461 {
462         const struct task_security_struct *tsec = selinux_cred(cred);
463         int rc;
464
465         rc = avc_has_perm(&selinux_state,
466                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
467                           FILESYSTEM__RELABELFROM, NULL);
468         if (rc)
469                 return rc;
470
471         rc = avc_has_perm(&selinux_state,
472                           tsec->sid, sid, SECCLASS_FILESYSTEM,
473                           FILESYSTEM__RELABELTO, NULL);
474         return rc;
475 }
476
477 static int may_context_mount_inode_relabel(u32 sid,
478                         struct superblock_security_struct *sbsec,
479                         const struct cred *cred)
480 {
481         const struct task_security_struct *tsec = selinux_cred(cred);
482         int rc;
483         rc = avc_has_perm(&selinux_state,
484                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
485                           FILESYSTEM__RELABELFROM, NULL);
486         if (rc)
487                 return rc;
488
489         rc = avc_has_perm(&selinux_state,
490                           sid, sbsec->sid, SECCLASS_FILESYSTEM,
491                           FILESYSTEM__ASSOCIATE, NULL);
492         return rc;
493 }
494
495 static int selinux_is_genfs_special_handling(struct super_block *sb)
496 {
497         /* Special handling. Genfs but also in-core setxattr handler */
498         return  !strcmp(sb->s_type->name, "sysfs") ||
499                 !strcmp(sb->s_type->name, "pstore") ||
500                 !strcmp(sb->s_type->name, "debugfs") ||
501                 !strcmp(sb->s_type->name, "tracefs") ||
502                 !strcmp(sb->s_type->name, "rootfs") ||
503                 (selinux_policycap_cgroupseclabel() &&
504                  (!strcmp(sb->s_type->name, "cgroup") ||
505                   !strcmp(sb->s_type->name, "cgroup2")));
506 }
507
508 static int selinux_is_sblabel_mnt(struct super_block *sb)
509 {
510         struct superblock_security_struct *sbsec = sb->s_security;
511
512         /*
513          * IMPORTANT: Double-check logic in this function when adding a new
514          * SECURITY_FS_USE_* definition!
515          */
516         BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
517
518         switch (sbsec->behavior) {
519         case SECURITY_FS_USE_XATTR:
520         case SECURITY_FS_USE_TRANS:
521         case SECURITY_FS_USE_TASK:
522         case SECURITY_FS_USE_NATIVE:
523                 return 1;
524
525         case SECURITY_FS_USE_GENFS:
526                 return selinux_is_genfs_special_handling(sb);
527
528         /* Never allow relabeling on context mounts */
529         case SECURITY_FS_USE_MNTPOINT:
530         case SECURITY_FS_USE_NONE:
531         default:
532                 return 0;
533         }
534 }
535
536 static int sb_finish_set_opts(struct super_block *sb)
537 {
538         struct superblock_security_struct *sbsec = sb->s_security;
539         struct dentry *root = sb->s_root;
540         struct inode *root_inode = d_backing_inode(root);
541         int rc = 0;
542
543         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
544                 /* Make sure that the xattr handler exists and that no
545                    error other than -ENODATA is returned by getxattr on
546                    the root directory.  -ENODATA is ok, as this may be
547                    the first boot of the SELinux kernel before we have
548                    assigned xattr values to the filesystem. */
549                 if (!(root_inode->i_opflags & IOP_XATTR)) {
550                         pr_warn("SELinux: (dev %s, type %s) has no "
551                                "xattr support\n", sb->s_id, sb->s_type->name);
552                         rc = -EOPNOTSUPP;
553                         goto out;
554                 }
555
556                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
557                 if (rc < 0 && rc != -ENODATA) {
558                         if (rc == -EOPNOTSUPP)
559                                 pr_warn("SELinux: (dev %s, type "
560                                        "%s) has no security xattr handler\n",
561                                        sb->s_id, sb->s_type->name);
562                         else
563                                 pr_warn("SELinux: (dev %s, type "
564                                        "%s) getxattr errno %d\n", sb->s_id,
565                                        sb->s_type->name, -rc);
566                         goto out;
567                 }
568         }
569
570         sbsec->flags |= SE_SBINITIALIZED;
571
572         /*
573          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
574          * leave the flag untouched because sb_clone_mnt_opts might be handing
575          * us a superblock that needs the flag to be cleared.
576          */
577         if (selinux_is_sblabel_mnt(sb))
578                 sbsec->flags |= SBLABEL_MNT;
579         else
580                 sbsec->flags &= ~SBLABEL_MNT;
581
582         /* Initialize the root inode. */
583         rc = inode_doinit_with_dentry(root_inode, root);
584
585         /* Initialize any other inodes associated with the superblock, e.g.
586            inodes created prior to initial policy load or inodes created
587            during get_sb by a pseudo filesystem that directly
588            populates itself. */
589         spin_lock(&sbsec->isec_lock);
590         while (!list_empty(&sbsec->isec_head)) {
591                 struct inode_security_struct *isec =
592                                 list_first_entry(&sbsec->isec_head,
593                                            struct inode_security_struct, list);
594                 struct inode *inode = isec->inode;
595                 list_del_init(&isec->list);
596                 spin_unlock(&sbsec->isec_lock);
597                 inode = igrab(inode);
598                 if (inode) {
599                         if (!IS_PRIVATE(inode))
600                                 inode_doinit(inode);
601                         iput(inode);
602                 }
603                 spin_lock(&sbsec->isec_lock);
604         }
605         spin_unlock(&sbsec->isec_lock);
606 out:
607         return rc;
608 }
609
610 static int bad_option(struct superblock_security_struct *sbsec, char flag,
611                       u32 old_sid, u32 new_sid)
612 {
613         char mnt_flags = sbsec->flags & SE_MNTMASK;
614
615         /* check if the old mount command had the same options */
616         if (sbsec->flags & SE_SBINITIALIZED)
617                 if (!(sbsec->flags & flag) ||
618                     (old_sid != new_sid))
619                         return 1;
620
621         /* check if we were passed the same options twice,
622          * aka someone passed context=a,context=b
623          */
624         if (!(sbsec->flags & SE_SBINITIALIZED))
625                 if (mnt_flags & flag)
626                         return 1;
627         return 0;
628 }
629
630 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
631 {
632         int rc = security_context_str_to_sid(&selinux_state, s,
633                                              sid, GFP_KERNEL);
634         if (rc)
635                 pr_warn("SELinux: security_context_str_to_sid"
636                        "(%s) failed for (dev %s, type %s) errno=%d\n",
637                        s, sb->s_id, sb->s_type->name, rc);
638         return rc;
639 }
640
641 /*
642  * Allow filesystems with binary mount data to explicitly set mount point
643  * labeling information.
644  */
645 static int selinux_set_mnt_opts(struct super_block *sb,
646                                 void *mnt_opts,
647                                 unsigned long kern_flags,
648                                 unsigned long *set_kern_flags)
649 {
650         const struct cred *cred = current_cred();
651         struct superblock_security_struct *sbsec = sb->s_security;
652         struct dentry *root = sbsec->sb->s_root;
653         struct selinux_mnt_opts *opts = mnt_opts;
654         struct inode_security_struct *root_isec;
655         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
656         u32 defcontext_sid = 0;
657         int rc = 0;
658
659         mutex_lock(&sbsec->lock);
660
661         if (!selinux_state.initialized) {
662                 if (!opts) {
663                         /* Defer initialization until selinux_complete_init,
664                            after the initial policy is loaded and the security
665                            server is ready to handle calls. */
666                         goto out;
667                 }
668                 rc = -EINVAL;
669                 pr_warn("SELinux: Unable to set superblock options "
670                         "before the security server is initialized\n");
671                 goto out;
672         }
673         if (kern_flags && !set_kern_flags) {
674                 /* Specifying internal flags without providing a place to
675                  * place the results is not allowed */
676                 rc = -EINVAL;
677                 goto out;
678         }
679
680         /*
681          * Binary mount data FS will come through this function twice.  Once
682          * from an explicit call and once from the generic calls from the vfs.
683          * Since the generic VFS calls will not contain any security mount data
684          * we need to skip the double mount verification.
685          *
686          * This does open a hole in which we will not notice if the first
687          * mount using this sb set explict options and a second mount using
688          * this sb does not set any security options.  (The first options
689          * will be used for both mounts)
690          */
691         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
692             && !opts)
693                 goto out;
694
695         root_isec = backing_inode_security_novalidate(root);
696
697         /*
698          * parse the mount options, check if they are valid sids.
699          * also check if someone is trying to mount the same sb more
700          * than once with different security options.
701          */
702         if (opts) {
703                 if (opts->fscontext) {
704                         rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
705                         if (rc)
706                                 goto out;
707                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
708                                         fscontext_sid))
709                                 goto out_double_mount;
710                         sbsec->flags |= FSCONTEXT_MNT;
711                 }
712                 if (opts->context) {
713                         rc = parse_sid(sb, opts->context, &context_sid);
714                         if (rc)
715                                 goto out;
716                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
717                                         context_sid))
718                                 goto out_double_mount;
719                         sbsec->flags |= CONTEXT_MNT;
720                 }
721                 if (opts->rootcontext) {
722                         rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
723                         if (rc)
724                                 goto out;
725                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
726                                         rootcontext_sid))
727                                 goto out_double_mount;
728                         sbsec->flags |= ROOTCONTEXT_MNT;
729                 }
730                 if (opts->defcontext) {
731                         rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
732                         if (rc)
733                                 goto out;
734                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
735                                         defcontext_sid))
736                                 goto out_double_mount;
737                         sbsec->flags |= DEFCONTEXT_MNT;
738                 }
739         }
740
741         if (sbsec->flags & SE_SBINITIALIZED) {
742                 /* previously mounted with options, but not on this attempt? */
743                 if ((sbsec->flags & SE_MNTMASK) && !opts)
744                         goto out_double_mount;
745                 rc = 0;
746                 goto out;
747         }
748
749         if (strcmp(sb->s_type->name, "proc") == 0)
750                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
751
752         if (!strcmp(sb->s_type->name, "debugfs") ||
753             !strcmp(sb->s_type->name, "tracefs") ||
754             !strcmp(sb->s_type->name, "sysfs") ||
755             !strcmp(sb->s_type->name, "pstore") ||
756             !strcmp(sb->s_type->name, "cgroup") ||
757             !strcmp(sb->s_type->name, "cgroup2"))
758                 sbsec->flags |= SE_SBGENFS;
759
760         if (!sbsec->behavior) {
761                 /*
762                  * Determine the labeling behavior to use for this
763                  * filesystem type.
764                  */
765                 rc = security_fs_use(&selinux_state, sb);
766                 if (rc) {
767                         pr_warn("%s: security_fs_use(%s) returned %d\n",
768                                         __func__, sb->s_type->name, rc);
769                         goto out;
770                 }
771         }
772
773         /*
774          * If this is a user namespace mount and the filesystem type is not
775          * explicitly whitelisted, then no contexts are allowed on the command
776          * line and security labels must be ignored.
777          */
778         if (sb->s_user_ns != &init_user_ns &&
779             strcmp(sb->s_type->name, "tmpfs") &&
780             strcmp(sb->s_type->name, "ramfs") &&
781             strcmp(sb->s_type->name, "devpts")) {
782                 if (context_sid || fscontext_sid || rootcontext_sid ||
783                     defcontext_sid) {
784                         rc = -EACCES;
785                         goto out;
786                 }
787                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
788                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
789                         rc = security_transition_sid(&selinux_state,
790                                                      current_sid(),
791                                                      current_sid(),
792                                                      SECCLASS_FILE, NULL,
793                                                      &sbsec->mntpoint_sid);
794                         if (rc)
795                                 goto out;
796                 }
797                 goto out_set_opts;
798         }
799
800         /* sets the context of the superblock for the fs being mounted. */
801         if (fscontext_sid) {
802                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
803                 if (rc)
804                         goto out;
805
806                 sbsec->sid = fscontext_sid;
807         }
808
809         /*
810          * Switch to using mount point labeling behavior.
811          * sets the label used on all file below the mountpoint, and will set
812          * the superblock context if not already set.
813          */
814         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
815                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
816                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
817         }
818
819         if (context_sid) {
820                 if (!fscontext_sid) {
821                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
822                                                           cred);
823                         if (rc)
824                                 goto out;
825                         sbsec->sid = context_sid;
826                 } else {
827                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
828                                                              cred);
829                         if (rc)
830                                 goto out;
831                 }
832                 if (!rootcontext_sid)
833                         rootcontext_sid = context_sid;
834
835                 sbsec->mntpoint_sid = context_sid;
836                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
837         }
838
839         if (rootcontext_sid) {
840                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
841                                                      cred);
842                 if (rc)
843                         goto out;
844
845                 root_isec->sid = rootcontext_sid;
846                 root_isec->initialized = LABEL_INITIALIZED;
847         }
848
849         if (defcontext_sid) {
850                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
851                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
852                         rc = -EINVAL;
853                         pr_warn("SELinux: defcontext option is "
854                                "invalid for this filesystem type\n");
855                         goto out;
856                 }
857
858                 if (defcontext_sid != sbsec->def_sid) {
859                         rc = may_context_mount_inode_relabel(defcontext_sid,
860                                                              sbsec, cred);
861                         if (rc)
862                                 goto out;
863                 }
864
865                 sbsec->def_sid = defcontext_sid;
866         }
867
868 out_set_opts:
869         rc = sb_finish_set_opts(sb);
870 out:
871         mutex_unlock(&sbsec->lock);
872         return rc;
873 out_double_mount:
874         rc = -EINVAL;
875         pr_warn("SELinux: mount invalid.  Same superblock, different "
876                "security settings for (dev %s, type %s)\n", sb->s_id,
877                sb->s_type->name);
878         goto out;
879 }
880
881 static int selinux_cmp_sb_context(const struct super_block *oldsb,
882                                     const struct super_block *newsb)
883 {
884         struct superblock_security_struct *old = oldsb->s_security;
885         struct superblock_security_struct *new = newsb->s_security;
886         char oldflags = old->flags & SE_MNTMASK;
887         char newflags = new->flags & SE_MNTMASK;
888
889         if (oldflags != newflags)
890                 goto mismatch;
891         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
892                 goto mismatch;
893         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
894                 goto mismatch;
895         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
896                 goto mismatch;
897         if (oldflags & ROOTCONTEXT_MNT) {
898                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
899                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
900                 if (oldroot->sid != newroot->sid)
901                         goto mismatch;
902         }
903         return 0;
904 mismatch:
905         pr_warn("SELinux: mount invalid.  Same superblock, "
906                             "different security settings for (dev %s, "
907                             "type %s)\n", newsb->s_id, newsb->s_type->name);
908         return -EBUSY;
909 }
910
911 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
912                                         struct super_block *newsb,
913                                         unsigned long kern_flags,
914                                         unsigned long *set_kern_flags)
915 {
916         int rc = 0;
917         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
918         struct superblock_security_struct *newsbsec = newsb->s_security;
919
920         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
921         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
922         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
923
924         /*
925          * if the parent was able to be mounted it clearly had no special lsm
926          * mount options.  thus we can safely deal with this superblock later
927          */
928         if (!selinux_state.initialized)
929                 return 0;
930
931         /*
932          * Specifying internal flags without providing a place to
933          * place the results is not allowed.
934          */
935         if (kern_flags && !set_kern_flags)
936                 return -EINVAL;
937
938         /* how can we clone if the old one wasn't set up?? */
939         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
940
941         /* if fs is reusing a sb, make sure that the contexts match */
942         if (newsbsec->flags & SE_SBINITIALIZED) {
943                 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
944                         *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
945                 return selinux_cmp_sb_context(oldsb, newsb);
946         }
947
948         mutex_lock(&newsbsec->lock);
949
950         newsbsec->flags = oldsbsec->flags;
951
952         newsbsec->sid = oldsbsec->sid;
953         newsbsec->def_sid = oldsbsec->def_sid;
954         newsbsec->behavior = oldsbsec->behavior;
955
956         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
957                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
958                 rc = security_fs_use(&selinux_state, newsb);
959                 if (rc)
960                         goto out;
961         }
962
963         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
964                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
965                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
966         }
967
968         if (set_context) {
969                 u32 sid = oldsbsec->mntpoint_sid;
970
971                 if (!set_fscontext)
972                         newsbsec->sid = sid;
973                 if (!set_rootcontext) {
974                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
975                         newisec->sid = sid;
976                 }
977                 newsbsec->mntpoint_sid = sid;
978         }
979         if (set_rootcontext) {
980                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
981                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
982
983                 newisec->sid = oldisec->sid;
984         }
985
986         sb_finish_set_opts(newsb);
987 out:
988         mutex_unlock(&newsbsec->lock);
989         return rc;
990 }
991
992 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
993 {
994         struct selinux_mnt_opts *opts = *mnt_opts;
995
996         if (token == Opt_seclabel)      /* eaten and completely ignored */
997                 return 0;
998
999         if (!opts) {
1000                 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1001                 if (!opts)
1002                         return -ENOMEM;
1003                 *mnt_opts = opts;
1004         }
1005         if (!s)
1006                 return -ENOMEM;
1007         switch (token) {
1008         case Opt_context:
1009                 if (opts->context || opts->defcontext)
1010                         goto Einval;
1011                 opts->context = s;
1012                 break;
1013         case Opt_fscontext:
1014                 if (opts->fscontext)
1015                         goto Einval;
1016                 opts->fscontext = s;
1017                 break;
1018         case Opt_rootcontext:
1019                 if (opts->rootcontext)
1020                         goto Einval;
1021                 opts->rootcontext = s;
1022                 break;
1023         case Opt_defcontext:
1024                 if (opts->context || opts->defcontext)
1025                         goto Einval;
1026                 opts->defcontext = s;
1027                 break;
1028         }
1029         return 0;
1030 Einval:
1031         pr_warn(SEL_MOUNT_FAIL_MSG);
1032         return -EINVAL;
1033 }
1034
1035 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1036                                void **mnt_opts)
1037 {
1038         int token = Opt_error;
1039         int rc, i;
1040
1041         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1042                 if (strcmp(option, tokens[i].name) == 0) {
1043                         token = tokens[i].opt;
1044                         break;
1045                 }
1046         }
1047
1048         if (token == Opt_error)
1049                 return -EINVAL;
1050
1051         if (token != Opt_seclabel)
1052                 val = kmemdup_nul(val, len, GFP_KERNEL);
1053         rc = selinux_add_opt(token, val, mnt_opts);
1054         if (unlikely(rc)) {
1055                 kfree(val);
1056                 if (*mnt_opts) {
1057                         selinux_free_mnt_opts(*mnt_opts);
1058                         *mnt_opts = NULL;
1059                 }
1060         }
1061         return rc;
1062 }
1063
1064 static int show_sid(struct seq_file *m, u32 sid)
1065 {
1066         char *context = NULL;
1067         u32 len;
1068         int rc;
1069
1070         rc = security_sid_to_context(&selinux_state, sid,
1071                                              &context, &len);
1072         if (!rc) {
1073                 bool has_comma = context && strchr(context, ',');
1074
1075                 seq_putc(m, '=');
1076                 if (has_comma)
1077                         seq_putc(m, '\"');
1078                 seq_escape(m, context, "\"\n\\");
1079                 if (has_comma)
1080                         seq_putc(m, '\"');
1081         }
1082         kfree(context);
1083         return rc;
1084 }
1085
1086 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1087 {
1088         struct superblock_security_struct *sbsec = sb->s_security;
1089         int rc;
1090
1091         if (!(sbsec->flags & SE_SBINITIALIZED))
1092                 return 0;
1093
1094         if (!selinux_state.initialized)
1095                 return 0;
1096
1097         if (sbsec->flags & FSCONTEXT_MNT) {
1098                 seq_putc(m, ',');
1099                 seq_puts(m, FSCONTEXT_STR);
1100                 rc = show_sid(m, sbsec->sid);
1101                 if (rc)
1102                         return rc;
1103         }
1104         if (sbsec->flags & CONTEXT_MNT) {
1105                 seq_putc(m, ',');
1106                 seq_puts(m, CONTEXT_STR);
1107                 rc = show_sid(m, sbsec->mntpoint_sid);
1108                 if (rc)
1109                         return rc;
1110         }
1111         if (sbsec->flags & DEFCONTEXT_MNT) {
1112                 seq_putc(m, ',');
1113                 seq_puts(m, DEFCONTEXT_STR);
1114                 rc = show_sid(m, sbsec->def_sid);
1115                 if (rc)
1116                         return rc;
1117         }
1118         if (sbsec->flags & ROOTCONTEXT_MNT) {
1119                 struct dentry *root = sbsec->sb->s_root;
1120                 struct inode_security_struct *isec = backing_inode_security(root);
1121                 seq_putc(m, ',');
1122                 seq_puts(m, ROOTCONTEXT_STR);
1123                 rc = show_sid(m, isec->sid);
1124                 if (rc)
1125                         return rc;
1126         }
1127         if (sbsec->flags & SBLABEL_MNT) {
1128                 seq_putc(m, ',');
1129                 seq_puts(m, SECLABEL_STR);
1130         }
1131         return 0;
1132 }
1133
1134 static inline u16 inode_mode_to_security_class(umode_t mode)
1135 {
1136         switch (mode & S_IFMT) {
1137         case S_IFSOCK:
1138                 return SECCLASS_SOCK_FILE;
1139         case S_IFLNK:
1140                 return SECCLASS_LNK_FILE;
1141         case S_IFREG:
1142                 return SECCLASS_FILE;
1143         case S_IFBLK:
1144                 return SECCLASS_BLK_FILE;
1145         case S_IFDIR:
1146                 return SECCLASS_DIR;
1147         case S_IFCHR:
1148                 return SECCLASS_CHR_FILE;
1149         case S_IFIFO:
1150                 return SECCLASS_FIFO_FILE;
1151
1152         }
1153
1154         return SECCLASS_FILE;
1155 }
1156
1157 static inline int default_protocol_stream(int protocol)
1158 {
1159         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1160 }
1161
1162 static inline int default_protocol_dgram(int protocol)
1163 {
1164         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1165 }
1166
1167 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1168 {
1169         int extsockclass = selinux_policycap_extsockclass();
1170
1171         switch (family) {
1172         case PF_UNIX:
1173                 switch (type) {
1174                 case SOCK_STREAM:
1175                 case SOCK_SEQPACKET:
1176                         return SECCLASS_UNIX_STREAM_SOCKET;
1177                 case SOCK_DGRAM:
1178                 case SOCK_RAW:
1179                         return SECCLASS_UNIX_DGRAM_SOCKET;
1180                 }
1181                 break;
1182         case PF_INET:
1183         case PF_INET6:
1184                 switch (type) {
1185                 case SOCK_STREAM:
1186                 case SOCK_SEQPACKET:
1187                         if (default_protocol_stream(protocol))
1188                                 return SECCLASS_TCP_SOCKET;
1189                         else if (extsockclass && protocol == IPPROTO_SCTP)
1190                                 return SECCLASS_SCTP_SOCKET;
1191                         else
1192                                 return SECCLASS_RAWIP_SOCKET;
1193                 case SOCK_DGRAM:
1194                         if (default_protocol_dgram(protocol))
1195                                 return SECCLASS_UDP_SOCKET;
1196                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1197                                                   protocol == IPPROTO_ICMPV6))
1198                                 return SECCLASS_ICMP_SOCKET;
1199                         else
1200                                 return SECCLASS_RAWIP_SOCKET;
1201                 case SOCK_DCCP:
1202                         return SECCLASS_DCCP_SOCKET;
1203                 default:
1204                         return SECCLASS_RAWIP_SOCKET;
1205                 }
1206                 break;
1207         case PF_NETLINK:
1208                 switch (protocol) {
1209                 case NETLINK_ROUTE:
1210                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1211                 case NETLINK_SOCK_DIAG:
1212                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1213                 case NETLINK_NFLOG:
1214                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1215                 case NETLINK_XFRM:
1216                         return SECCLASS_NETLINK_XFRM_SOCKET;
1217                 case NETLINK_SELINUX:
1218                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1219                 case NETLINK_ISCSI:
1220                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1221                 case NETLINK_AUDIT:
1222                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1223                 case NETLINK_FIB_LOOKUP:
1224                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1225                 case NETLINK_CONNECTOR:
1226                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1227                 case NETLINK_NETFILTER:
1228                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1229                 case NETLINK_DNRTMSG:
1230                         return SECCLASS_NETLINK_DNRT_SOCKET;
1231                 case NETLINK_KOBJECT_UEVENT:
1232                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1233                 case NETLINK_GENERIC:
1234                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1235                 case NETLINK_SCSITRANSPORT:
1236                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1237                 case NETLINK_RDMA:
1238                         return SECCLASS_NETLINK_RDMA_SOCKET;
1239                 case NETLINK_CRYPTO:
1240                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1241                 default:
1242                         return SECCLASS_NETLINK_SOCKET;
1243                 }
1244         case PF_PACKET:
1245                 return SECCLASS_PACKET_SOCKET;
1246         case PF_KEY:
1247                 return SECCLASS_KEY_SOCKET;
1248         case PF_APPLETALK:
1249                 return SECCLASS_APPLETALK_SOCKET;
1250         }
1251
1252         if (extsockclass) {
1253                 switch (family) {
1254                 case PF_AX25:
1255                         return SECCLASS_AX25_SOCKET;
1256                 case PF_IPX:
1257                         return SECCLASS_IPX_SOCKET;
1258                 case PF_NETROM:
1259                         return SECCLASS_NETROM_SOCKET;
1260                 case PF_ATMPVC:
1261                         return SECCLASS_ATMPVC_SOCKET;
1262                 case PF_X25:
1263                         return SECCLASS_X25_SOCKET;
1264                 case PF_ROSE:
1265                         return SECCLASS_ROSE_SOCKET;
1266                 case PF_DECnet:
1267                         return SECCLASS_DECNET_SOCKET;
1268                 case PF_ATMSVC:
1269                         return SECCLASS_ATMSVC_SOCKET;
1270                 case PF_RDS:
1271                         return SECCLASS_RDS_SOCKET;
1272                 case PF_IRDA:
1273                         return SECCLASS_IRDA_SOCKET;
1274                 case PF_PPPOX:
1275                         return SECCLASS_PPPOX_SOCKET;
1276                 case PF_LLC:
1277                         return SECCLASS_LLC_SOCKET;
1278                 case PF_CAN:
1279                         return SECCLASS_CAN_SOCKET;
1280                 case PF_TIPC:
1281                         return SECCLASS_TIPC_SOCKET;
1282                 case PF_BLUETOOTH:
1283                         return SECCLASS_BLUETOOTH_SOCKET;
1284                 case PF_IUCV:
1285                         return SECCLASS_IUCV_SOCKET;
1286                 case PF_RXRPC:
1287                         return SECCLASS_RXRPC_SOCKET;
1288                 case PF_ISDN:
1289                         return SECCLASS_ISDN_SOCKET;
1290                 case PF_PHONET:
1291                         return SECCLASS_PHONET_SOCKET;
1292                 case PF_IEEE802154:
1293                         return SECCLASS_IEEE802154_SOCKET;
1294                 case PF_CAIF:
1295                         return SECCLASS_CAIF_SOCKET;
1296                 case PF_ALG:
1297                         return SECCLASS_ALG_SOCKET;
1298                 case PF_NFC:
1299                         return SECCLASS_NFC_SOCKET;
1300                 case PF_VSOCK:
1301                         return SECCLASS_VSOCK_SOCKET;
1302                 case PF_KCM:
1303                         return SECCLASS_KCM_SOCKET;
1304                 case PF_QIPCRTR:
1305                         return SECCLASS_QIPCRTR_SOCKET;
1306                 case PF_SMC:
1307                         return SECCLASS_SMC_SOCKET;
1308                 case PF_XDP:
1309                         return SECCLASS_XDP_SOCKET;
1310 #if PF_MAX > 45
1311 #error New address family defined, please update this function.
1312 #endif
1313                 }
1314         }
1315
1316         return SECCLASS_SOCKET;
1317 }
1318
1319 static int selinux_genfs_get_sid(struct dentry *dentry,
1320                                  u16 tclass,
1321                                  u16 flags,
1322                                  u32 *sid)
1323 {
1324         int rc;
1325         struct super_block *sb = dentry->d_sb;
1326         char *buffer, *path;
1327
1328         buffer = (char *)__get_free_page(GFP_KERNEL);
1329         if (!buffer)
1330                 return -ENOMEM;
1331
1332         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1333         if (IS_ERR(path))
1334                 rc = PTR_ERR(path);
1335         else {
1336                 if (flags & SE_SBPROC) {
1337                         /* each process gets a /proc/PID/ entry. Strip off the
1338                          * PID part to get a valid selinux labeling.
1339                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1340                         while (path[1] >= '0' && path[1] <= '9') {
1341                                 path[1] = '/';
1342                                 path++;
1343                         }
1344                 }
1345                 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1346                                         path, tclass, sid);
1347                 if (rc == -ENOENT) {
1348                         /* No match in policy, mark as unlabeled. */
1349                         *sid = SECINITSID_UNLABELED;
1350                         rc = 0;
1351                 }
1352         }
1353         free_page((unsigned long)buffer);
1354         return rc;
1355 }
1356
1357 /* The inode's security attributes must be initialized before first use. */
1358 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1359 {
1360         struct superblock_security_struct *sbsec = NULL;
1361         struct inode_security_struct *isec = selinux_inode(inode);
1362         u32 task_sid, sid = 0;
1363         u16 sclass;
1364         struct dentry *dentry;
1365 #define INITCONTEXTLEN 255
1366         char *context = NULL;
1367         unsigned len = 0;
1368         int rc = 0;
1369
1370         if (isec->initialized == LABEL_INITIALIZED)
1371                 return 0;
1372
1373         spin_lock(&isec->lock);
1374         if (isec->initialized == LABEL_INITIALIZED)
1375                 goto out_unlock;
1376
1377         if (isec->sclass == SECCLASS_FILE)
1378                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1379
1380         sbsec = inode->i_sb->s_security;
1381         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1382                 /* Defer initialization until selinux_complete_init,
1383                    after the initial policy is loaded and the security
1384                    server is ready to handle calls. */
1385                 spin_lock(&sbsec->isec_lock);
1386                 if (list_empty(&isec->list))
1387                         list_add(&isec->list, &sbsec->isec_head);
1388                 spin_unlock(&sbsec->isec_lock);
1389                 goto out_unlock;
1390         }
1391
1392         sclass = isec->sclass;
1393         task_sid = isec->task_sid;
1394         sid = isec->sid;
1395         isec->initialized = LABEL_PENDING;
1396         spin_unlock(&isec->lock);
1397
1398         switch (sbsec->behavior) {
1399         case SECURITY_FS_USE_NATIVE:
1400                 break;
1401         case SECURITY_FS_USE_XATTR:
1402                 if (!(inode->i_opflags & IOP_XATTR)) {
1403                         sid = sbsec->def_sid;
1404                         break;
1405                 }
1406                 /* Need a dentry, since the xattr API requires one.
1407                    Life would be simpler if we could just pass the inode. */
1408                 if (opt_dentry) {
1409                         /* Called from d_instantiate or d_splice_alias. */
1410                         dentry = dget(opt_dentry);
1411                 } else {
1412                         /*
1413                          * Called from selinux_complete_init, try to find a dentry.
1414                          * Some filesystems really want a connected one, so try
1415                          * that first.  We could split SECURITY_FS_USE_XATTR in
1416                          * two, depending upon that...
1417                          */
1418                         dentry = d_find_alias(inode);
1419                         if (!dentry)
1420                                 dentry = d_find_any_alias(inode);
1421                 }
1422                 if (!dentry) {
1423                         /*
1424                          * this is can be hit on boot when a file is accessed
1425                          * before the policy is loaded.  When we load policy we
1426                          * may find inodes that have no dentry on the
1427                          * sbsec->isec_head list.  No reason to complain as these
1428                          * will get fixed up the next time we go through
1429                          * inode_doinit with a dentry, before these inodes could
1430                          * be used again by userspace.
1431                          */
1432                         goto out;
1433                 }
1434
1435                 len = INITCONTEXTLEN;
1436                 context = kmalloc(len+1, GFP_NOFS);
1437                 if (!context) {
1438                         rc = -ENOMEM;
1439                         dput(dentry);
1440                         goto out;
1441                 }
1442                 context[len] = '\0';
1443                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1444                 if (rc == -ERANGE) {
1445                         kfree(context);
1446
1447                         /* Need a larger buffer.  Query for the right size. */
1448                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1449                         if (rc < 0) {
1450                                 dput(dentry);
1451                                 goto out;
1452                         }
1453                         len = rc;
1454                         context = kmalloc(len+1, GFP_NOFS);
1455                         if (!context) {
1456                                 rc = -ENOMEM;
1457                                 dput(dentry);
1458                                 goto out;
1459                         }
1460                         context[len] = '\0';
1461                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1462                 }
1463                 dput(dentry);
1464                 if (rc < 0) {
1465                         if (rc != -ENODATA) {
1466                                 pr_warn("SELinux: %s:  getxattr returned "
1467                                        "%d for dev=%s ino=%ld\n", __func__,
1468                                        -rc, inode->i_sb->s_id, inode->i_ino);
1469                                 kfree(context);
1470                                 goto out;
1471                         }
1472                         /* Map ENODATA to the default file SID */
1473                         sid = sbsec->def_sid;
1474                         rc = 0;
1475                 } else {
1476                         rc = security_context_to_sid_default(&selinux_state,
1477                                                              context, rc, &sid,
1478                                                              sbsec->def_sid,
1479                                                              GFP_NOFS);
1480                         if (rc) {
1481                                 char *dev = inode->i_sb->s_id;
1482                                 unsigned long ino = inode->i_ino;
1483
1484                                 if (rc == -EINVAL) {
1485                                         if (printk_ratelimit())
1486                                                 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1487                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1488                                                         "filesystem in question.\n", ino, dev, context);
1489                                 } else {
1490                                         pr_warn("SELinux: %s:  context_to_sid(%s) "
1491                                                "returned %d for dev=%s ino=%ld\n",
1492                                                __func__, context, -rc, dev, ino);
1493                                 }
1494                                 kfree(context);
1495                                 /* Leave with the unlabeled SID */
1496                                 rc = 0;
1497                                 break;
1498                         }
1499                 }
1500                 kfree(context);
1501                 break;
1502         case SECURITY_FS_USE_TASK:
1503                 sid = task_sid;
1504                 break;
1505         case SECURITY_FS_USE_TRANS:
1506                 /* Default to the fs SID. */
1507                 sid = sbsec->sid;
1508
1509                 /* Try to obtain a transition SID. */
1510                 rc = security_transition_sid(&selinux_state, task_sid, sid,
1511                                              sclass, NULL, &sid);
1512                 if (rc)
1513                         goto out;
1514                 break;
1515         case SECURITY_FS_USE_MNTPOINT:
1516                 sid = sbsec->mntpoint_sid;
1517                 break;
1518         default:
1519                 /* Default to the fs superblock SID. */
1520                 sid = sbsec->sid;
1521
1522                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1523                         /* We must have a dentry to determine the label on
1524                          * procfs inodes */
1525                         if (opt_dentry) {
1526                                 /* Called from d_instantiate or
1527                                  * d_splice_alias. */
1528                                 dentry = dget(opt_dentry);
1529                         } else {
1530                                 /* Called from selinux_complete_init, try to
1531                                  * find a dentry.  Some filesystems really want
1532                                  * a connected one, so try that first.
1533                                  */
1534                                 dentry = d_find_alias(inode);
1535                                 if (!dentry)
1536                                         dentry = d_find_any_alias(inode);
1537                         }
1538                         /*
1539                          * This can be hit on boot when a file is accessed
1540                          * before the policy is loaded.  When we load policy we
1541                          * may find inodes that have no dentry on the
1542                          * sbsec->isec_head list.  No reason to complain as
1543                          * these will get fixed up the next time we go through
1544                          * inode_doinit() with a dentry, before these inodes
1545                          * could be used again by userspace.
1546                          */
1547                         if (!dentry)
1548                                 goto out;
1549                         rc = selinux_genfs_get_sid(dentry, sclass,
1550                                                    sbsec->flags, &sid);
1551                         dput(dentry);
1552                         if (rc)
1553                                 goto out;
1554                 }
1555                 break;
1556         }
1557
1558 out:
1559         spin_lock(&isec->lock);
1560         if (isec->initialized == LABEL_PENDING) {
1561                 if (!sid || rc) {
1562                         isec->initialized = LABEL_INVALID;
1563                         goto out_unlock;
1564                 }
1565
1566                 isec->initialized = LABEL_INITIALIZED;
1567                 isec->sid = sid;
1568         }
1569
1570 out_unlock:
1571         spin_unlock(&isec->lock);
1572         return rc;
1573 }
1574
1575 /* Convert a Linux signal to an access vector. */
1576 static inline u32 signal_to_av(int sig)
1577 {
1578         u32 perm = 0;
1579
1580         switch (sig) {
1581         case SIGCHLD:
1582                 /* Commonly granted from child to parent. */
1583                 perm = PROCESS__SIGCHLD;
1584                 break;
1585         case SIGKILL:
1586                 /* Cannot be caught or ignored */
1587                 perm = PROCESS__SIGKILL;
1588                 break;
1589         case SIGSTOP:
1590                 /* Cannot be caught or ignored */
1591                 perm = PROCESS__SIGSTOP;
1592                 break;
1593         default:
1594                 /* All other signals. */
1595                 perm = PROCESS__SIGNAL;
1596                 break;
1597         }
1598
1599         return perm;
1600 }
1601
1602 #if CAP_LAST_CAP > 63
1603 #error Fix SELinux to handle capabilities > 63.
1604 #endif
1605
1606 /* Check whether a task is allowed to use a capability. */
1607 static int cred_has_capability(const struct cred *cred,
1608                                int cap, unsigned int opts, bool initns)
1609 {
1610         struct common_audit_data ad;
1611         struct av_decision avd;
1612         u16 sclass;
1613         u32 sid = cred_sid(cred);
1614         u32 av = CAP_TO_MASK(cap);
1615         int rc;
1616
1617         ad.type = LSM_AUDIT_DATA_CAP;
1618         ad.u.cap = cap;
1619
1620         switch (CAP_TO_INDEX(cap)) {
1621         case 0:
1622                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1623                 break;
1624         case 1:
1625                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1626                 break;
1627         default:
1628                 pr_err("SELinux:  out of range capability %d\n", cap);
1629                 BUG();
1630                 return -EINVAL;
1631         }
1632
1633         rc = avc_has_perm_noaudit(&selinux_state,
1634                                   sid, sid, sclass, av, 0, &avd);
1635         if (!(opts & CAP_OPT_NOAUDIT)) {
1636                 int rc2 = avc_audit(&selinux_state,
1637                                     sid, sid, sclass, av, &avd, rc, &ad, 0);
1638                 if (rc2)
1639                         return rc2;
1640         }
1641         return rc;
1642 }
1643
1644 /* Check whether a task has a particular permission to an inode.
1645    The 'adp' parameter is optional and allows other audit
1646    data to be passed (e.g. the dentry). */
1647 static int inode_has_perm(const struct cred *cred,
1648                           struct inode *inode,
1649                           u32 perms,
1650                           struct common_audit_data *adp)
1651 {
1652         struct inode_security_struct *isec;
1653         u32 sid;
1654
1655         validate_creds(cred);
1656
1657         if (unlikely(IS_PRIVATE(inode)))
1658                 return 0;
1659
1660         sid = cred_sid(cred);
1661         isec = selinux_inode(inode);
1662
1663         return avc_has_perm(&selinux_state,
1664                             sid, isec->sid, isec->sclass, perms, adp);
1665 }
1666
1667 /* Same as inode_has_perm, but pass explicit audit data containing
1668    the dentry to help the auditing code to more easily generate the
1669    pathname if needed. */
1670 static inline int dentry_has_perm(const struct cred *cred,
1671                                   struct dentry *dentry,
1672                                   u32 av)
1673 {
1674         struct inode *inode = d_backing_inode(dentry);
1675         struct common_audit_data ad;
1676
1677         ad.type = LSM_AUDIT_DATA_DENTRY;
1678         ad.u.dentry = dentry;
1679         __inode_security_revalidate(inode, dentry, true);
1680         return inode_has_perm(cred, inode, av, &ad);
1681 }
1682
1683 /* Same as inode_has_perm, but pass explicit audit data containing
1684    the path to help the auditing code to more easily generate the
1685    pathname if needed. */
1686 static inline int path_has_perm(const struct cred *cred,
1687                                 const struct path *path,
1688                                 u32 av)
1689 {
1690         struct inode *inode = d_backing_inode(path->dentry);
1691         struct common_audit_data ad;
1692
1693         ad.type = LSM_AUDIT_DATA_PATH;
1694         ad.u.path = *path;
1695         __inode_security_revalidate(inode, path->dentry, true);
1696         return inode_has_perm(cred, inode, av, &ad);
1697 }
1698
1699 /* Same as path_has_perm, but uses the inode from the file struct. */
1700 static inline int file_path_has_perm(const struct cred *cred,
1701                                      struct file *file,
1702                                      u32 av)
1703 {
1704         struct common_audit_data ad;
1705
1706         ad.type = LSM_AUDIT_DATA_FILE;
1707         ad.u.file = file;
1708         return inode_has_perm(cred, file_inode(file), av, &ad);
1709 }
1710
1711 #ifdef CONFIG_BPF_SYSCALL
1712 static int bpf_fd_pass(struct file *file, u32 sid);
1713 #endif
1714
1715 /* Check whether a task can use an open file descriptor to
1716    access an inode in a given way.  Check access to the
1717    descriptor itself, and then use dentry_has_perm to
1718    check a particular permission to the file.
1719    Access to the descriptor is implicitly granted if it
1720    has the same SID as the process.  If av is zero, then
1721    access to the file is not checked, e.g. for cases
1722    where only the descriptor is affected like seek. */
1723 static int file_has_perm(const struct cred *cred,
1724                          struct file *file,
1725                          u32 av)
1726 {
1727         struct file_security_struct *fsec = selinux_file(file);
1728         struct inode *inode = file_inode(file);
1729         struct common_audit_data ad;
1730         u32 sid = cred_sid(cred);
1731         int rc;
1732
1733         ad.type = LSM_AUDIT_DATA_FILE;
1734         ad.u.file = file;
1735
1736         if (sid != fsec->sid) {
1737                 rc = avc_has_perm(&selinux_state,
1738                                   sid, fsec->sid,
1739                                   SECCLASS_FD,
1740                                   FD__USE,
1741                                   &ad);
1742                 if (rc)
1743                         goto out;
1744         }
1745
1746 #ifdef CONFIG_BPF_SYSCALL
1747         rc = bpf_fd_pass(file, cred_sid(cred));
1748         if (rc)
1749                 return rc;
1750 #endif
1751
1752         /* av is zero if only checking access to the descriptor. */
1753         rc = 0;
1754         if (av)
1755                 rc = inode_has_perm(cred, inode, av, &ad);
1756
1757 out:
1758         return rc;
1759 }
1760
1761 /*
1762  * Determine the label for an inode that might be unioned.
1763  */
1764 static int
1765 selinux_determine_inode_label(const struct task_security_struct *tsec,
1766                                  struct inode *dir,
1767                                  const struct qstr *name, u16 tclass,
1768                                  u32 *_new_isid)
1769 {
1770         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1771
1772         if ((sbsec->flags & SE_SBINITIALIZED) &&
1773             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1774                 *_new_isid = sbsec->mntpoint_sid;
1775         } else if ((sbsec->flags & SBLABEL_MNT) &&
1776                    tsec->create_sid) {
1777                 *_new_isid = tsec->create_sid;
1778         } else {
1779                 const struct inode_security_struct *dsec = inode_security(dir);
1780                 return security_transition_sid(&selinux_state, tsec->sid,
1781                                                dsec->sid, tclass,
1782                                                name, _new_isid);
1783         }
1784
1785         return 0;
1786 }
1787
1788 /* Check whether a task can create a file. */
1789 static int may_create(struct inode *dir,
1790                       struct dentry *dentry,
1791                       u16 tclass)
1792 {
1793         const struct task_security_struct *tsec = selinux_cred(current_cred());
1794         struct inode_security_struct *dsec;
1795         struct superblock_security_struct *sbsec;
1796         u32 sid, newsid;
1797         struct common_audit_data ad;
1798         int rc;
1799
1800         dsec = inode_security(dir);
1801         sbsec = dir->i_sb->s_security;
1802
1803         sid = tsec->sid;
1804
1805         ad.type = LSM_AUDIT_DATA_DENTRY;
1806         ad.u.dentry = dentry;
1807
1808         rc = avc_has_perm(&selinux_state,
1809                           sid, dsec->sid, SECCLASS_DIR,
1810                           DIR__ADD_NAME | DIR__SEARCH,
1811                           &ad);
1812         if (rc)
1813                 return rc;
1814
1815         rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1816                                            &dentry->d_name, tclass, &newsid);
1817         if (rc)
1818                 return rc;
1819
1820         rc = avc_has_perm(&selinux_state,
1821                           sid, newsid, tclass, FILE__CREATE, &ad);
1822         if (rc)
1823                 return rc;
1824
1825         return avc_has_perm(&selinux_state,
1826                             newsid, sbsec->sid,
1827                             SECCLASS_FILESYSTEM,
1828                             FILESYSTEM__ASSOCIATE, &ad);
1829 }
1830
1831 #define MAY_LINK        0
1832 #define MAY_UNLINK      1
1833 #define MAY_RMDIR       2
1834
1835 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1836 static int may_link(struct inode *dir,
1837                     struct dentry *dentry,
1838                     int kind)
1839
1840 {
1841         struct inode_security_struct *dsec, *isec;
1842         struct common_audit_data ad;
1843         u32 sid = current_sid();
1844         u32 av;
1845         int rc;
1846
1847         dsec = inode_security(dir);
1848         isec = backing_inode_security(dentry);
1849
1850         ad.type = LSM_AUDIT_DATA_DENTRY;
1851         ad.u.dentry = dentry;
1852
1853         av = DIR__SEARCH;
1854         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1855         rc = avc_has_perm(&selinux_state,
1856                           sid, dsec->sid, SECCLASS_DIR, av, &ad);
1857         if (rc)
1858                 return rc;
1859
1860         switch (kind) {
1861         case MAY_LINK:
1862                 av = FILE__LINK;
1863                 break;
1864         case MAY_UNLINK:
1865                 av = FILE__UNLINK;
1866                 break;
1867         case MAY_RMDIR:
1868                 av = DIR__RMDIR;
1869                 break;
1870         default:
1871                 pr_warn("SELinux: %s:  unrecognized kind %d\n",
1872                         __func__, kind);
1873                 return 0;
1874         }
1875
1876         rc = avc_has_perm(&selinux_state,
1877                           sid, isec->sid, isec->sclass, av, &ad);
1878         return rc;
1879 }
1880
1881 static inline int may_rename(struct inode *old_dir,
1882                              struct dentry *old_dentry,
1883                              struct inode *new_dir,
1884                              struct dentry *new_dentry)
1885 {
1886         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1887         struct common_audit_data ad;
1888         u32 sid = current_sid();
1889         u32 av;
1890         int old_is_dir, new_is_dir;
1891         int rc;
1892
1893         old_dsec = inode_security(old_dir);
1894         old_isec = backing_inode_security(old_dentry);
1895         old_is_dir = d_is_dir(old_dentry);
1896         new_dsec = inode_security(new_dir);
1897
1898         ad.type = LSM_AUDIT_DATA_DENTRY;
1899
1900         ad.u.dentry = old_dentry;
1901         rc = avc_has_perm(&selinux_state,
1902                           sid, old_dsec->sid, SECCLASS_DIR,
1903                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1904         if (rc)
1905                 return rc;
1906         rc = avc_has_perm(&selinux_state,
1907                           sid, old_isec->sid,
1908                           old_isec->sclass, FILE__RENAME, &ad);
1909         if (rc)
1910                 return rc;
1911         if (old_is_dir && new_dir != old_dir) {
1912                 rc = avc_has_perm(&selinux_state,
1913                                   sid, old_isec->sid,
1914                                   old_isec->sclass, DIR__REPARENT, &ad);
1915                 if (rc)
1916                         return rc;
1917         }
1918
1919         ad.u.dentry = new_dentry;
1920         av = DIR__ADD_NAME | DIR__SEARCH;
1921         if (d_is_positive(new_dentry))
1922                 av |= DIR__REMOVE_NAME;
1923         rc = avc_has_perm(&selinux_state,
1924                           sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1925         if (rc)
1926                 return rc;
1927         if (d_is_positive(new_dentry)) {
1928                 new_isec = backing_inode_security(new_dentry);
1929                 new_is_dir = d_is_dir(new_dentry);
1930                 rc = avc_has_perm(&selinux_state,
1931                                   sid, new_isec->sid,
1932                                   new_isec->sclass,
1933                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1934                 if (rc)
1935                         return rc;
1936         }
1937
1938         return 0;
1939 }
1940
1941 /* Check whether a task can perform a filesystem operation. */
1942 static int superblock_has_perm(const struct cred *cred,
1943                                struct super_block *sb,
1944                                u32 perms,
1945                                struct common_audit_data *ad)
1946 {
1947         struct superblock_security_struct *sbsec;
1948         u32 sid = cred_sid(cred);
1949
1950         sbsec = sb->s_security;
1951         return avc_has_perm(&selinux_state,
1952                             sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1953 }
1954
1955 /* Convert a Linux mode and permission mask to an access vector. */
1956 static inline u32 file_mask_to_av(int mode, int mask)
1957 {
1958         u32 av = 0;
1959
1960         if (!S_ISDIR(mode)) {
1961                 if (mask & MAY_EXEC)
1962                         av |= FILE__EXECUTE;
1963                 if (mask & MAY_READ)
1964                         av |= FILE__READ;
1965
1966                 if (mask & MAY_APPEND)
1967                         av |= FILE__APPEND;
1968                 else if (mask & MAY_WRITE)
1969                         av |= FILE__WRITE;
1970
1971         } else {
1972                 if (mask & MAY_EXEC)
1973                         av |= DIR__SEARCH;
1974                 if (mask & MAY_WRITE)
1975                         av |= DIR__WRITE;
1976                 if (mask & MAY_READ)
1977                         av |= DIR__READ;
1978         }
1979
1980         return av;
1981 }
1982
1983 /* Convert a Linux file to an access vector. */
1984 static inline u32 file_to_av(struct file *file)
1985 {
1986         u32 av = 0;
1987
1988         if (file->f_mode & FMODE_READ)
1989                 av |= FILE__READ;
1990         if (file->f_mode & FMODE_WRITE) {
1991                 if (file->f_flags & O_APPEND)
1992                         av |= FILE__APPEND;
1993                 else
1994                         av |= FILE__WRITE;
1995         }
1996         if (!av) {
1997                 /*
1998                  * Special file opened with flags 3 for ioctl-only use.
1999                  */
2000                 av = FILE__IOCTL;
2001         }
2002
2003         return av;
2004 }
2005
2006 /*
2007  * Convert a file to an access vector and include the correct open
2008  * open permission.
2009  */
2010 static inline u32 open_file_to_av(struct file *file)
2011 {
2012         u32 av = file_to_av(file);
2013         struct inode *inode = file_inode(file);
2014
2015         if (selinux_policycap_openperm() &&
2016             inode->i_sb->s_magic != SOCKFS_MAGIC)
2017                 av |= FILE__OPEN;
2018
2019         return av;
2020 }
2021
2022 /* Hook functions begin here. */
2023
2024 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2025 {
2026         u32 mysid = current_sid();
2027         u32 mgrsid = task_sid(mgr);
2028
2029         return avc_has_perm(&selinux_state,
2030                             mysid, mgrsid, SECCLASS_BINDER,
2031                             BINDER__SET_CONTEXT_MGR, NULL);
2032 }
2033
2034 static int selinux_binder_transaction(struct task_struct *from,
2035                                       struct task_struct *to)
2036 {
2037         u32 mysid = current_sid();
2038         u32 fromsid = task_sid(from);
2039         u32 tosid = task_sid(to);
2040         int rc;
2041
2042         if (mysid != fromsid) {
2043                 rc = avc_has_perm(&selinux_state,
2044                                   mysid, fromsid, SECCLASS_BINDER,
2045                                   BINDER__IMPERSONATE, NULL);
2046                 if (rc)
2047                         return rc;
2048         }
2049
2050         return avc_has_perm(&selinux_state,
2051                             fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2052                             NULL);
2053 }
2054
2055 static int selinux_binder_transfer_binder(struct task_struct *from,
2056                                           struct task_struct *to)
2057 {
2058         u32 fromsid = task_sid(from);
2059         u32 tosid = task_sid(to);
2060
2061         return avc_has_perm(&selinux_state,
2062                             fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2063                             NULL);
2064 }
2065
2066 static int selinux_binder_transfer_file(struct task_struct *from,
2067                                         struct task_struct *to,
2068                                         struct file *file)
2069 {
2070         u32 sid = task_sid(to);
2071         struct file_security_struct *fsec = selinux_file(file);
2072         struct dentry *dentry = file->f_path.dentry;
2073         struct inode_security_struct *isec;
2074         struct common_audit_data ad;
2075         int rc;
2076
2077         ad.type = LSM_AUDIT_DATA_PATH;
2078         ad.u.path = file->f_path;
2079
2080         if (sid != fsec->sid) {
2081                 rc = avc_has_perm(&selinux_state,
2082                                   sid, fsec->sid,
2083                                   SECCLASS_FD,
2084                                   FD__USE,
2085                                   &ad);
2086                 if (rc)
2087                         return rc;
2088         }
2089
2090 #ifdef CONFIG_BPF_SYSCALL
2091         rc = bpf_fd_pass(file, sid);
2092         if (rc)
2093                 return rc;
2094 #endif
2095
2096         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2097                 return 0;
2098
2099         isec = backing_inode_security(dentry);
2100         return avc_has_perm(&selinux_state,
2101                             sid, isec->sid, isec->sclass, file_to_av(file),
2102                             &ad);
2103 }
2104
2105 static int selinux_ptrace_access_check(struct task_struct *child,
2106                                      unsigned int mode)
2107 {
2108         u32 sid = current_sid();
2109         u32 csid = task_sid(child);
2110
2111         if (mode & PTRACE_MODE_READ)
2112                 return avc_has_perm(&selinux_state,
2113                                     sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2114
2115         return avc_has_perm(&selinux_state,
2116                             sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2117 }
2118
2119 static int selinux_ptrace_traceme(struct task_struct *parent)
2120 {
2121         return avc_has_perm(&selinux_state,
2122                             task_sid(parent), current_sid(), SECCLASS_PROCESS,
2123                             PROCESS__PTRACE, NULL);
2124 }
2125
2126 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2127                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2128 {
2129         return avc_has_perm(&selinux_state,
2130                             current_sid(), task_sid(target), SECCLASS_PROCESS,
2131                             PROCESS__GETCAP, NULL);
2132 }
2133
2134 static int selinux_capset(struct cred *new, const struct cred *old,
2135                           const kernel_cap_t *effective,
2136                           const kernel_cap_t *inheritable,
2137                           const kernel_cap_t *permitted)
2138 {
2139         return avc_has_perm(&selinux_state,
2140                             cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2141                             PROCESS__SETCAP, NULL);
2142 }
2143
2144 /*
2145  * (This comment used to live with the selinux_task_setuid hook,
2146  * which was removed).
2147  *
2148  * Since setuid only affects the current process, and since the SELinux
2149  * controls are not based on the Linux identity attributes, SELinux does not
2150  * need to control this operation.  However, SELinux does control the use of
2151  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2152  */
2153
2154 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2155                            int cap, unsigned int opts)
2156 {
2157         return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2158 }
2159
2160 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2161 {
2162         const struct cred *cred = current_cred();
2163         int rc = 0;
2164
2165         if (!sb)
2166                 return 0;
2167
2168         switch (cmds) {
2169         case Q_SYNC:
2170         case Q_QUOTAON:
2171         case Q_QUOTAOFF:
2172         case Q_SETINFO:
2173         case Q_SETQUOTA:
2174                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2175                 break;
2176         case Q_GETFMT:
2177         case Q_GETINFO:
2178         case Q_GETQUOTA:
2179                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2180                 break;
2181         default:
2182                 rc = 0;  /* let the kernel handle invalid cmds */
2183                 break;
2184         }
2185         return rc;
2186 }
2187
2188 static int selinux_quota_on(struct dentry *dentry)
2189 {
2190         const struct cred *cred = current_cred();
2191
2192         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2193 }
2194
2195 static int selinux_syslog(int type)
2196 {
2197         switch (type) {
2198         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2199         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2200                 return avc_has_perm(&selinux_state,
2201                                     current_sid(), SECINITSID_KERNEL,
2202                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2203         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2204         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2205         /* Set level of messages printed to console */
2206         case SYSLOG_ACTION_CONSOLE_LEVEL:
2207                 return avc_has_perm(&selinux_state,
2208                                     current_sid(), SECINITSID_KERNEL,
2209                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2210                                     NULL);
2211         }
2212         /* All other syslog types */
2213         return avc_has_perm(&selinux_state,
2214                             current_sid(), SECINITSID_KERNEL,
2215                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2216 }
2217
2218 /*
2219  * Check that a process has enough memory to allocate a new virtual
2220  * mapping. 0 means there is enough memory for the allocation to
2221  * succeed and -ENOMEM implies there is not.
2222  *
2223  * Do not audit the selinux permission check, as this is applied to all
2224  * processes that allocate mappings.
2225  */
2226 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2227 {
2228         int rc, cap_sys_admin = 0;
2229
2230         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2231                                  CAP_OPT_NOAUDIT, true);
2232         if (rc == 0)
2233                 cap_sys_admin = 1;
2234
2235         return cap_sys_admin;
2236 }
2237
2238 /* binprm security operations */
2239
2240 static u32 ptrace_parent_sid(void)
2241 {
2242         u32 sid = 0;
2243         struct task_struct *tracer;
2244
2245         rcu_read_lock();
2246         tracer = ptrace_parent(current);
2247         if (tracer)
2248                 sid = task_sid(tracer);
2249         rcu_read_unlock();
2250
2251         return sid;
2252 }
2253
2254 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2255                             const struct task_security_struct *old_tsec,
2256                             const struct task_security_struct *new_tsec)
2257 {
2258         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2259         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2260         int rc;
2261         u32 av;
2262
2263         if (!nnp && !nosuid)
2264                 return 0; /* neither NNP nor nosuid */
2265
2266         if (new_tsec->sid == old_tsec->sid)
2267                 return 0; /* No change in credentials */
2268
2269         /*
2270          * If the policy enables the nnp_nosuid_transition policy capability,
2271          * then we permit transitions under NNP or nosuid if the
2272          * policy allows the corresponding permission between
2273          * the old and new contexts.
2274          */
2275         if (selinux_policycap_nnp_nosuid_transition()) {
2276                 av = 0;
2277                 if (nnp)
2278                         av |= PROCESS2__NNP_TRANSITION;
2279                 if (nosuid)
2280                         av |= PROCESS2__NOSUID_TRANSITION;
2281                 rc = avc_has_perm(&selinux_state,
2282                                   old_tsec->sid, new_tsec->sid,
2283                                   SECCLASS_PROCESS2, av, NULL);
2284                 if (!rc)
2285                         return 0;
2286         }
2287
2288         /*
2289          * We also permit NNP or nosuid transitions to bounded SIDs,
2290          * i.e. SIDs that are guaranteed to only be allowed a subset
2291          * of the permissions of the current SID.
2292          */
2293         rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2294                                          new_tsec->sid);
2295         if (!rc)
2296                 return 0;
2297
2298         /*
2299          * On failure, preserve the errno values for NNP vs nosuid.
2300          * NNP:  Operation not permitted for caller.
2301          * nosuid:  Permission denied to file.
2302          */
2303         if (nnp)
2304                 return -EPERM;
2305         return -EACCES;
2306 }
2307
2308 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2309 {
2310         const struct task_security_struct *old_tsec;
2311         struct task_security_struct *new_tsec;
2312         struct inode_security_struct *isec;
2313         struct common_audit_data ad;
2314         struct inode *inode = file_inode(bprm->file);
2315         int rc;
2316
2317         /* SELinux context only depends on initial program or script and not
2318          * the script interpreter */
2319         if (bprm->called_set_creds)
2320                 return 0;
2321
2322         old_tsec = selinux_cred(current_cred());
2323         new_tsec = selinux_cred(bprm->cred);
2324         isec = inode_security(inode);
2325
2326         /* Default to the current task SID. */
2327         new_tsec->sid = old_tsec->sid;
2328         new_tsec->osid = old_tsec->sid;
2329
2330         /* Reset fs, key, and sock SIDs on execve. */
2331         new_tsec->create_sid = 0;
2332         new_tsec->keycreate_sid = 0;
2333         new_tsec->sockcreate_sid = 0;
2334
2335         if (old_tsec->exec_sid) {
2336                 new_tsec->sid = old_tsec->exec_sid;
2337                 /* Reset exec SID on execve. */
2338                 new_tsec->exec_sid = 0;
2339
2340                 /* Fail on NNP or nosuid if not an allowed transition. */
2341                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2342                 if (rc)
2343                         return rc;
2344         } else {
2345                 /* Check for a default transition on this program. */
2346                 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2347                                              isec->sid, SECCLASS_PROCESS, NULL,
2348                                              &new_tsec->sid);
2349                 if (rc)
2350                         return rc;
2351
2352                 /*
2353                  * Fallback to old SID on NNP or nosuid if not an allowed
2354                  * transition.
2355                  */
2356                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2357                 if (rc)
2358                         new_tsec->sid = old_tsec->sid;
2359         }
2360
2361         ad.type = LSM_AUDIT_DATA_FILE;
2362         ad.u.file = bprm->file;
2363
2364         if (new_tsec->sid == old_tsec->sid) {
2365                 rc = avc_has_perm(&selinux_state,
2366                                   old_tsec->sid, isec->sid,
2367                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2368                 if (rc)
2369                         return rc;
2370         } else {
2371                 /* Check permissions for the transition. */
2372                 rc = avc_has_perm(&selinux_state,
2373                                   old_tsec->sid, new_tsec->sid,
2374                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2375                 if (rc)
2376                         return rc;
2377
2378                 rc = avc_has_perm(&selinux_state,
2379                                   new_tsec->sid, isec->sid,
2380                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2381                 if (rc)
2382                         return rc;
2383
2384                 /* Check for shared state */
2385                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2386                         rc = avc_has_perm(&selinux_state,
2387                                           old_tsec->sid, new_tsec->sid,
2388                                           SECCLASS_PROCESS, PROCESS__SHARE,
2389                                           NULL);
2390                         if (rc)
2391                                 return -EPERM;
2392                 }
2393
2394                 /* Make sure that anyone attempting to ptrace over a task that
2395                  * changes its SID has the appropriate permit */
2396                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2397                         u32 ptsid = ptrace_parent_sid();
2398                         if (ptsid != 0) {
2399                                 rc = avc_has_perm(&selinux_state,
2400                                                   ptsid, new_tsec->sid,
2401                                                   SECCLASS_PROCESS,
2402                                                   PROCESS__PTRACE, NULL);
2403                                 if (rc)
2404                                         return -EPERM;
2405                         }
2406                 }
2407
2408                 /* Clear any possibly unsafe personality bits on exec: */
2409                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2410
2411                 /* Enable secure mode for SIDs transitions unless
2412                    the noatsecure permission is granted between
2413                    the two SIDs, i.e. ahp returns 0. */
2414                 rc = avc_has_perm(&selinux_state,
2415                                   old_tsec->sid, new_tsec->sid,
2416                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2417                                   NULL);
2418                 bprm->secureexec |= !!rc;
2419         }
2420
2421         return 0;
2422 }
2423
2424 static int match_file(const void *p, struct file *file, unsigned fd)
2425 {
2426         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2427 }
2428
2429 /* Derived from fs/exec.c:flush_old_files. */
2430 static inline void flush_unauthorized_files(const struct cred *cred,
2431                                             struct files_struct *files)
2432 {
2433         struct file *file, *devnull = NULL;
2434         struct tty_struct *tty;
2435         int drop_tty = 0;
2436         unsigned n;
2437
2438         tty = get_current_tty();
2439         if (tty) {
2440                 spin_lock(&tty->files_lock);
2441                 if (!list_empty(&tty->tty_files)) {
2442                         struct tty_file_private *file_priv;
2443
2444                         /* Revalidate access to controlling tty.
2445                            Use file_path_has_perm on the tty path directly
2446                            rather than using file_has_perm, as this particular
2447                            open file may belong to another process and we are
2448                            only interested in the inode-based check here. */
2449                         file_priv = list_first_entry(&tty->tty_files,
2450                                                 struct tty_file_private, list);
2451                         file = file_priv->file;
2452                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2453                                 drop_tty = 1;
2454                 }
2455                 spin_unlock(&tty->files_lock);
2456                 tty_kref_put(tty);
2457         }
2458         /* Reset controlling tty. */
2459         if (drop_tty)
2460                 no_tty();
2461
2462         /* Revalidate access to inherited open files. */
2463         n = iterate_fd(files, 0, match_file, cred);
2464         if (!n) /* none found? */
2465                 return;
2466
2467         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2468         if (IS_ERR(devnull))
2469                 devnull = NULL;
2470         /* replace all the matching ones with this */
2471         do {
2472                 replace_fd(n - 1, devnull, 0);
2473         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2474         if (devnull)
2475                 fput(devnull);
2476 }
2477
2478 /*
2479  * Prepare a process for imminent new credential changes due to exec
2480  */
2481 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2482 {
2483         struct task_security_struct *new_tsec;
2484         struct rlimit *rlim, *initrlim;
2485         int rc, i;
2486
2487         new_tsec = selinux_cred(bprm->cred);
2488         if (new_tsec->sid == new_tsec->osid)
2489                 return;
2490
2491         /* Close files for which the new task SID is not authorized. */
2492         flush_unauthorized_files(bprm->cred, current->files);
2493
2494         /* Always clear parent death signal on SID transitions. */
2495         current->pdeath_signal = 0;
2496
2497         /* Check whether the new SID can inherit resource limits from the old
2498          * SID.  If not, reset all soft limits to the lower of the current
2499          * task's hard limit and the init task's soft limit.
2500          *
2501          * Note that the setting of hard limits (even to lower them) can be
2502          * controlled by the setrlimit check.  The inclusion of the init task's
2503          * soft limit into the computation is to avoid resetting soft limits
2504          * higher than the default soft limit for cases where the default is
2505          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2506          */
2507         rc = avc_has_perm(&selinux_state,
2508                           new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2509                           PROCESS__RLIMITINH, NULL);
2510         if (rc) {
2511                 /* protect against do_prlimit() */
2512                 task_lock(current);
2513                 for (i = 0; i < RLIM_NLIMITS; i++) {
2514                         rlim = current->signal->rlim + i;
2515                         initrlim = init_task.signal->rlim + i;
2516                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2517                 }
2518                 task_unlock(current);
2519                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2520                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2521         }
2522 }
2523
2524 /*
2525  * Clean up the process immediately after the installation of new credentials
2526  * due to exec
2527  */
2528 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2529 {
2530         const struct task_security_struct *tsec = selinux_cred(current_cred());
2531         struct itimerval itimer;
2532         u32 osid, sid;
2533         int rc, i;
2534
2535         osid = tsec->osid;
2536         sid = tsec->sid;
2537
2538         if (sid == osid)
2539                 return;
2540
2541         /* Check whether the new SID can inherit signal state from the old SID.
2542          * If not, clear itimers to avoid subsequent signal generation and
2543          * flush and unblock signals.
2544          *
2545          * This must occur _after_ the task SID has been updated so that any
2546          * kill done after the flush will be checked against the new SID.
2547          */
2548         rc = avc_has_perm(&selinux_state,
2549                           osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2550         if (rc) {
2551                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2552                         memset(&itimer, 0, sizeof itimer);
2553                         for (i = 0; i < 3; i++)
2554                                 do_setitimer(i, &itimer, NULL);
2555                 }
2556                 spin_lock_irq(&current->sighand->siglock);
2557                 if (!fatal_signal_pending(current)) {
2558                         flush_sigqueue(&current->pending);
2559                         flush_sigqueue(&current->signal->shared_pending);
2560                         flush_signal_handlers(current, 1);
2561                         sigemptyset(&current->blocked);
2562                         recalc_sigpending();
2563                 }
2564                 spin_unlock_irq(&current->sighand->siglock);
2565         }
2566
2567         /* Wake up the parent if it is waiting so that it can recheck
2568          * wait permission to the new task SID. */
2569         read_lock(&tasklist_lock);
2570         __wake_up_parent(current, current->real_parent);
2571         read_unlock(&tasklist_lock);
2572 }
2573
2574 /* superblock security operations */
2575
2576 static int selinux_sb_alloc_security(struct super_block *sb)
2577 {
2578         return superblock_alloc_security(sb);
2579 }
2580
2581 static void selinux_sb_free_security(struct super_block *sb)
2582 {
2583         superblock_free_security(sb);
2584 }
2585
2586 static inline int opt_len(const char *s)
2587 {
2588         bool open_quote = false;
2589         int len;
2590         char c;
2591
2592         for (len = 0; (c = s[len]) != '\0'; len++) {
2593                 if (c == '"')
2594                         open_quote = !open_quote;
2595                 if (c == ',' && !open_quote)
2596                         break;
2597         }
2598         return len;
2599 }
2600
2601 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2602 {
2603         char *from = options;
2604         char *to = options;
2605         bool first = true;
2606
2607         while (1) {
2608                 int len = opt_len(from);
2609                 int token, rc;
2610                 char *arg = NULL;
2611
2612                 token = match_opt_prefix(from, len, &arg);
2613
2614                 if (token != Opt_error) {
2615                         char *p, *q;
2616
2617                         /* strip quotes */
2618                         if (arg) {
2619                                 for (p = q = arg; p < from + len; p++) {
2620                                         char c = *p;
2621                                         if (c != '"')
2622                                                 *q++ = c;
2623                                 }
2624                                 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2625                         }
2626                         rc = selinux_add_opt(token, arg, mnt_opts);
2627                         if (unlikely(rc)) {
2628                                 kfree(arg);
2629                                 if (*mnt_opts) {
2630                                         selinux_free_mnt_opts(*mnt_opts);
2631                                         *mnt_opts = NULL;
2632                                 }
2633                                 return rc;
2634                         }
2635                 } else {
2636                         if (!first) {   // copy with preceding comma
2637                                 from--;
2638                                 len++;
2639                         }
2640                         if (to != from)
2641                                 memmove(to, from, len);
2642                         to += len;
2643                         first = false;
2644                 }
2645                 if (!from[len])
2646                         break;
2647                 from += len + 1;
2648         }
2649         *to = '\0';
2650         return 0;
2651 }
2652
2653 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2654 {
2655         struct selinux_mnt_opts *opts = mnt_opts;
2656         struct superblock_security_struct *sbsec = sb->s_security;
2657         u32 sid;
2658         int rc;
2659
2660         if (!(sbsec->flags & SE_SBINITIALIZED))
2661                 return 0;
2662
2663         if (!opts)
2664                 return 0;
2665
2666         if (opts->fscontext) {
2667                 rc = parse_sid(sb, opts->fscontext, &sid);
2668                 if (rc)
2669                         return rc;
2670                 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2671                         goto out_bad_option;
2672         }
2673         if (opts->context) {
2674                 rc = parse_sid(sb, opts->context, &sid);
2675                 if (rc)
2676                         return rc;
2677                 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2678                         goto out_bad_option;
2679         }
2680         if (opts->rootcontext) {
2681                 struct inode_security_struct *root_isec;
2682                 root_isec = backing_inode_security(sb->s_root);
2683                 rc = parse_sid(sb, opts->rootcontext, &sid);
2684                 if (rc)
2685                         return rc;
2686                 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2687                         goto out_bad_option;
2688         }
2689         if (opts->defcontext) {
2690                 rc = parse_sid(sb, opts->defcontext, &sid);
2691                 if (rc)
2692                         return rc;
2693                 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2694                         goto out_bad_option;
2695         }
2696         return 0;
2697
2698 out_bad_option:
2699         pr_warn("SELinux: unable to change security options "
2700                "during remount (dev %s, type=%s)\n", sb->s_id,
2701                sb->s_type->name);
2702         return -EINVAL;
2703 }
2704
2705 static int selinux_sb_kern_mount(struct super_block *sb)
2706 {
2707         const struct cred *cred = current_cred();
2708         struct common_audit_data ad;
2709
2710         ad.type = LSM_AUDIT_DATA_DENTRY;
2711         ad.u.dentry = sb->s_root;
2712         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2713 }
2714
2715 static int selinux_sb_statfs(struct dentry *dentry)
2716 {
2717         const struct cred *cred = current_cred();
2718         struct common_audit_data ad;
2719
2720         ad.type = LSM_AUDIT_DATA_DENTRY;
2721         ad.u.dentry = dentry->d_sb->s_root;
2722         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2723 }
2724
2725 static int selinux_mount(const char *dev_name,
2726                          const struct path *path,
2727                          const char *type,
2728                          unsigned long flags,
2729                          void *data)
2730 {
2731         const struct cred *cred = current_cred();
2732
2733         if (flags & MS_REMOUNT)
2734                 return superblock_has_perm(cred, path->dentry->d_sb,
2735                                            FILESYSTEM__REMOUNT, NULL);
2736         else
2737                 return path_has_perm(cred, path, FILE__MOUNTON);
2738 }
2739
2740 static int selinux_umount(struct vfsmount *mnt, int flags)
2741 {
2742         const struct cred *cred = current_cred();
2743
2744         return superblock_has_perm(cred, mnt->mnt_sb,
2745                                    FILESYSTEM__UNMOUNT, NULL);
2746 }
2747
2748 static int selinux_fs_context_dup(struct fs_context *fc,
2749                                   struct fs_context *src_fc)
2750 {
2751         const struct selinux_mnt_opts *src = src_fc->security;
2752         struct selinux_mnt_opts *opts;
2753
2754         if (!src)
2755                 return 0;
2756
2757         fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2758         if (!fc->security)
2759                 return -ENOMEM;
2760
2761         opts = fc->security;
2762
2763         if (src->fscontext) {
2764                 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2765                 if (!opts->fscontext)
2766                         return -ENOMEM;
2767         }
2768         if (src->context) {
2769                 opts->context = kstrdup(src->context, GFP_KERNEL);
2770                 if (!opts->context)
2771                         return -ENOMEM;
2772         }
2773         if (src->rootcontext) {
2774                 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2775                 if (!opts->rootcontext)
2776                         return -ENOMEM;
2777         }
2778         if (src->defcontext) {
2779                 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2780                 if (!opts->defcontext)
2781                         return -ENOMEM;
2782         }
2783         return 0;
2784 }
2785
2786 static const struct fs_parameter_spec selinux_param_specs[] = {
2787         fsparam_string(CONTEXT_STR,     Opt_context),
2788         fsparam_string(DEFCONTEXT_STR,  Opt_defcontext),
2789         fsparam_string(FSCONTEXT_STR,   Opt_fscontext),
2790         fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2791         fsparam_flag  (SECLABEL_STR,    Opt_seclabel),
2792         {}
2793 };
2794
2795 static const struct fs_parameter_description selinux_fs_parameters = {
2796         .name           = "SELinux",
2797         .specs          = selinux_param_specs,
2798 };
2799
2800 static int selinux_fs_context_parse_param(struct fs_context *fc,
2801                                           struct fs_parameter *param)
2802 {
2803         struct fs_parse_result result;
2804         int opt, rc;
2805
2806         opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2807         if (opt < 0)
2808                 return opt;
2809
2810         rc = selinux_add_opt(opt, param->string, &fc->security);
2811         if (!rc) {
2812                 param->string = NULL;
2813                 rc = 1;
2814         }
2815         return rc;
2816 }
2817
2818 /* inode security operations */
2819
2820 static int selinux_inode_alloc_security(struct inode *inode)
2821 {
2822         return inode_alloc_security(inode);
2823 }
2824
2825 static void selinux_inode_free_security(struct inode *inode)
2826 {
2827         inode_free_security(inode);
2828 }
2829
2830 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2831                                         const struct qstr *name, void **ctx,
2832                                         u32 *ctxlen)
2833 {
2834         u32 newsid;
2835         int rc;
2836
2837         rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2838                                            d_inode(dentry->d_parent), name,
2839                                            inode_mode_to_security_class(mode),
2840                                            &newsid);
2841         if (rc)
2842                 return rc;
2843
2844         return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2845                                        ctxlen);
2846 }
2847
2848 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2849                                           struct qstr *name,
2850                                           const struct cred *old,
2851                                           struct cred *new)
2852 {
2853         u32 newsid;
2854         int rc;
2855         struct task_security_struct *tsec;
2856
2857         rc = selinux_determine_inode_label(selinux_cred(old),
2858                                            d_inode(dentry->d_parent), name,
2859                                            inode_mode_to_security_class(mode),
2860                                            &newsid);
2861         if (rc)
2862                 return rc;
2863
2864         tsec = selinux_cred(new);
2865         tsec->create_sid = newsid;
2866         return 0;
2867 }
2868
2869 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2870                                        const struct qstr *qstr,
2871                                        const char **name,
2872                                        void **value, size_t *len)
2873 {
2874         const struct task_security_struct *tsec = selinux_cred(current_cred());
2875         struct superblock_security_struct *sbsec;
2876         u32 newsid, clen;
2877         int rc;
2878         char *context;
2879
2880         sbsec = dir->i_sb->s_security;
2881
2882         newsid = tsec->create_sid;
2883
2884         rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2885                 dir, qstr,
2886                 inode_mode_to_security_class(inode->i_mode),
2887                 &newsid);
2888         if (rc)
2889                 return rc;
2890
2891         /* Possibly defer initialization to selinux_complete_init. */
2892         if (sbsec->flags & SE_SBINITIALIZED) {
2893                 struct inode_security_struct *isec = selinux_inode(inode);
2894                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2895                 isec->sid = newsid;
2896                 isec->initialized = LABEL_INITIALIZED;
2897         }
2898
2899         if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2900                 return -EOPNOTSUPP;
2901
2902         if (name)
2903                 *name = XATTR_SELINUX_SUFFIX;
2904
2905         if (value && len) {
2906                 rc = security_sid_to_context_force(&selinux_state, newsid,
2907                                                    &context, &clen);
2908                 if (rc)
2909                         return rc;
2910                 *value = context;
2911                 *len = clen;
2912         }
2913
2914         return 0;
2915 }
2916
2917 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2918 {
2919         return may_create(dir, dentry, SECCLASS_FILE);
2920 }
2921
2922 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2923 {
2924         return may_link(dir, old_dentry, MAY_LINK);
2925 }
2926
2927 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2928 {
2929         return may_link(dir, dentry, MAY_UNLINK);
2930 }
2931
2932 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2933 {
2934         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2935 }
2936
2937 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2938 {
2939         return may_create(dir, dentry, SECCLASS_DIR);
2940 }
2941
2942 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2943 {
2944         return may_link(dir, dentry, MAY_RMDIR);
2945 }
2946
2947 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2948 {
2949         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2950 }
2951
2952 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2953                                 struct inode *new_inode, struct dentry *new_dentry)
2954 {
2955         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2956 }
2957
2958 static int selinux_inode_readlink(struct dentry *dentry)
2959 {
2960         const struct cred *cred = current_cred();
2961
2962         return dentry_has_perm(cred, dentry, FILE__READ);
2963 }
2964
2965 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2966                                      bool rcu)
2967 {
2968         const struct cred *cred = current_cred();
2969         struct common_audit_data ad;
2970         struct inode_security_struct *isec;
2971         u32 sid;
2972
2973         validate_creds(cred);
2974
2975         ad.type = LSM_AUDIT_DATA_DENTRY;
2976         ad.u.dentry = dentry;
2977         sid = cred_sid(cred);
2978         isec = inode_security_rcu(inode, rcu);
2979         if (IS_ERR(isec))
2980                 return PTR_ERR(isec);
2981
2982         return avc_has_perm(&selinux_state,
2983                             sid, isec->sid, isec->sclass, FILE__READ, &ad);
2984 }
2985
2986 static noinline int audit_inode_permission(struct inode *inode,
2987                                            u32 perms, u32 audited, u32 denied,
2988                                            int result,
2989                                            unsigned flags)
2990 {
2991         struct common_audit_data ad;
2992         struct inode_security_struct *isec = selinux_inode(inode);
2993         int rc;
2994
2995         ad.type = LSM_AUDIT_DATA_INODE;
2996         ad.u.inode = inode;
2997
2998         rc = slow_avc_audit(&selinux_state,
2999                             current_sid(), isec->sid, isec->sclass, perms,
3000                             audited, denied, result, &ad, flags);
3001         if (rc)
3002                 return rc;
3003         return 0;
3004 }
3005
3006 static int selinux_inode_permission(struct inode *inode, int mask)
3007 {
3008         const struct cred *cred = current_cred();
3009         u32 perms;
3010         bool from_access;
3011         unsigned flags = mask & MAY_NOT_BLOCK;
3012         struct inode_security_struct *isec;
3013         u32 sid;
3014         struct av_decision avd;
3015         int rc, rc2;
3016         u32 audited, denied;
3017
3018         from_access = mask & MAY_ACCESS;
3019         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3020
3021         /* No permission to check.  Existence test. */
3022         if (!mask)
3023                 return 0;
3024
3025         validate_creds(cred);
3026
3027         if (unlikely(IS_PRIVATE(inode)))
3028                 return 0;
3029
3030         perms = file_mask_to_av(inode->i_mode, mask);
3031
3032         sid = cred_sid(cred);
3033         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3034         if (IS_ERR(isec))
3035                 return PTR_ERR(isec);
3036
3037         rc = avc_has_perm_noaudit(&selinux_state,
3038                                   sid, isec->sid, isec->sclass, perms,
3039                                   (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3040                                   &avd);
3041         audited = avc_audit_required(perms, &avd, rc,
3042                                      from_access ? FILE__AUDIT_ACCESS : 0,
3043                                      &denied);
3044         if (likely(!audited))
3045                 return rc;
3046
3047         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3048         if (rc2)
3049                 return rc2;
3050         return rc;
3051 }
3052
3053 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3054 {
3055         const struct cred *cred = current_cred();
3056         struct inode *inode = d_backing_inode(dentry);
3057         unsigned int ia_valid = iattr->ia_valid;
3058         __u32 av = FILE__WRITE;
3059
3060         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3061         if (ia_valid & ATTR_FORCE) {
3062                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3063                               ATTR_FORCE);
3064                 if (!ia_valid)
3065                         return 0;
3066         }
3067
3068         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3069                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3070                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3071
3072         if (selinux_policycap_openperm() &&
3073             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3074             (ia_valid & ATTR_SIZE) &&
3075             !(ia_valid & ATTR_FILE))
3076                 av |= FILE__OPEN;
3077
3078         return dentry_has_perm(cred, dentry, av);
3079 }
3080
3081 static int selinux_inode_getattr(const struct path *path)
3082 {
3083         return path_has_perm(current_cred(), path, FILE__GETATTR);
3084 }
3085
3086 static bool has_cap_mac_admin(bool audit)
3087 {
3088         const struct cred *cred = current_cred();
3089         unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3090
3091         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3092                 return false;
3093         if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3094                 return false;
3095         return true;
3096 }
3097
3098 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3099                                   const void *value, size_t size, int flags)
3100 {
3101         struct inode *inode = d_backing_inode(dentry);
3102         struct inode_security_struct *isec;
3103         struct superblock_security_struct *sbsec;
3104         struct common_audit_data ad;
3105         u32 newsid, sid = current_sid();
3106         int rc = 0;
3107
3108         if (strcmp(name, XATTR_NAME_SELINUX)) {
3109                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3110                 if (rc)
3111                         return rc;
3112
3113                 /* Not an attribute we recognize, so just check the
3114                    ordinary setattr permission. */
3115                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3116         }
3117
3118         sbsec = inode->i_sb->s_security;
3119         if (!(sbsec->flags & SBLABEL_MNT))
3120                 return -EOPNOTSUPP;
3121
3122         if (!inode_owner_or_capable(inode))
3123                 return -EPERM;
3124
3125         ad.type = LSM_AUDIT_DATA_DENTRY;
3126         ad.u.dentry = dentry;
3127
3128         isec = backing_inode_security(dentry);
3129         rc = avc_has_perm(&selinux_state,
3130                           sid, isec->sid, isec->sclass,
3131                           FILE__RELABELFROM, &ad);
3132         if (rc)
3133                 return rc;
3134
3135         rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3136                                      GFP_KERNEL);
3137         if (rc == -EINVAL) {
3138                 if (!has_cap_mac_admin(true)) {
3139                         struct audit_buffer *ab;
3140                         size_t audit_size;
3141