2bd7b824b7f592578ea9a0d7ca5ee68ff33411cd
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *      This program is free software; you can redistribute it and/or modify
23  *      it under the terms of the GNU General Public License version 2,
24  *      as published by the Free Software Foundation.
25  */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>             /* for local_port_range[] */
56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>    /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h>           /* for Unix socket types */
72 #include <net/af_unix.h>        /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88
89 #include "avc.h"
90 #include "objsec.h"
91 #include "netif.h"
92 #include "netnode.h"
93 #include "netport.h"
94 #include "ibpkey.h"
95 #include "xfrm.h"
96 #include "netlabel.h"
97 #include "audit.h"
98 #include "avc_ss.h"
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!kstrtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!kstrtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
133
134 /**
135  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136  *
137  * Description:
138  * This function checks the SECMARK reference counter to see if any SECMARK
139  * targets are currently configured, if the reference counter is greater than
140  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
141  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
142  * policy capability is enabled, SECMARK is always considered enabled.
143  *
144  */
145 static int selinux_secmark_enabled(void)
146 {
147         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 }
149
150 /**
151  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152  *
153  * Description:
154  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
155  * (1) if any are enabled or false (0) if neither are enabled.  If the
156  * always_check_network policy capability is enabled, peer labeling
157  * is always considered enabled.
158  *
159  */
160 static int selinux_peerlbl_enabled(void)
161 {
162         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
163 }
164
165 static int selinux_netcache_avc_callback(u32 event)
166 {
167         if (event == AVC_CALLBACK_RESET) {
168                 sel_netif_flush();
169                 sel_netnode_flush();
170                 sel_netport_flush();
171                 synchronize_net();
172         }
173         return 0;
174 }
175
176 static int selinux_lsm_notifier_avc_callback(u32 event)
177 {
178         if (event == AVC_CALLBACK_RESET) {
179                 sel_ib_pkey_flush();
180                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
181         }
182
183         return 0;
184 }
185
186 /*
187  * initialise the security for the init task
188  */
189 static void cred_init_security(void)
190 {
191         struct cred *cred = (struct cred *) current->real_cred;
192         struct task_security_struct *tsec;
193
194         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
195         if (!tsec)
196                 panic("SELinux:  Failed to initialize initial task.\n");
197
198         tsec->osid = tsec->sid = SECINITSID_KERNEL;
199         cred->security = tsec;
200 }
201
202 /*
203  * get the security ID of a set of credentials
204  */
205 static inline u32 cred_sid(const struct cred *cred)
206 {
207         const struct task_security_struct *tsec;
208
209         tsec = cred->security;
210         return tsec->sid;
211 }
212
213 /*
214  * get the objective security ID of a task
215  */
216 static inline u32 task_sid(const struct task_struct *task)
217 {
218         u32 sid;
219
220         rcu_read_lock();
221         sid = cred_sid(__task_cred(task));
222         rcu_read_unlock();
223         return sid;
224 }
225
226 /* Allocate and free functions for each kind of security blob. */
227
228 static int inode_alloc_security(struct inode *inode)
229 {
230         struct inode_security_struct *isec;
231         u32 sid = current_sid();
232
233         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234         if (!isec)
235                 return -ENOMEM;
236
237         spin_lock_init(&isec->lock);
238         INIT_LIST_HEAD(&isec->list);
239         isec->inode = inode;
240         isec->sid = SECINITSID_UNLABELED;
241         isec->sclass = SECCLASS_FILE;
242         isec->task_sid = sid;
243         isec->initialized = LABEL_INVALID;
244         inode->i_security = isec;
245
246         return 0;
247 }
248
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250
251 /*
252  * Try reloading inode security labels that have been marked as invalid.  The
253  * @may_sleep parameter indicates when sleeping and thus reloading labels is
254  * allowed; when set to false, returns -ECHILD when the label is
255  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
256  * when no dentry is available, set it to NULL instead.
257  */
258 static int __inode_security_revalidate(struct inode *inode,
259                                        struct dentry *opt_dentry,
260                                        bool may_sleep)
261 {
262         struct inode_security_struct *isec = inode->i_security;
263
264         might_sleep_if(may_sleep);
265
266         if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
267                 if (!may_sleep)
268                         return -ECHILD;
269
270                 /*
271                  * Try reloading the inode security label.  This will fail if
272                  * @opt_dentry is NULL and no dentry for this inode can be
273                  * found; in that case, continue using the old label.
274                  */
275                 inode_doinit_with_dentry(inode, opt_dentry);
276         }
277         return 0;
278 }
279
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
281 {
282         return inode->i_security;
283 }
284
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286 {
287         int error;
288
289         error = __inode_security_revalidate(inode, NULL, !rcu);
290         if (error)
291                 return ERR_PTR(error);
292         return inode->i_security;
293 }
294
295 /*
296  * Get the security label of an inode.
297  */
298 static struct inode_security_struct *inode_security(struct inode *inode)
299 {
300         __inode_security_revalidate(inode, NULL, true);
301         return inode->i_security;
302 }
303
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
305 {
306         struct inode *inode = d_backing_inode(dentry);
307
308         return inode->i_security;
309 }
310
311 /*
312  * Get the security label of a dentry's backing inode.
313  */
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
315 {
316         struct inode *inode = d_backing_inode(dentry);
317
318         __inode_security_revalidate(inode, dentry, true);
319         return inode->i_security;
320 }
321
322 static void inode_free_rcu(struct rcu_head *head)
323 {
324         struct inode_security_struct *isec;
325
326         isec = container_of(head, struct inode_security_struct, rcu);
327         kmem_cache_free(sel_inode_cache, isec);
328 }
329
330 static void inode_free_security(struct inode *inode)
331 {
332         struct inode_security_struct *isec = inode->i_security;
333         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
334
335         /*
336          * As not all inode security structures are in a list, we check for
337          * empty list outside of the lock to make sure that we won't waste
338          * time taking a lock doing nothing.
339          *
340          * The list_del_init() function can be safely called more than once.
341          * It should not be possible for this function to be called with
342          * concurrent list_add(), but for better safety against future changes
343          * in the code, we use list_empty_careful() here.
344          */
345         if (!list_empty_careful(&isec->list)) {
346                 spin_lock(&sbsec->isec_lock);
347                 list_del_init(&isec->list);
348                 spin_unlock(&sbsec->isec_lock);
349         }
350
351         /*
352          * The inode may still be referenced in a path walk and
353          * a call to selinux_inode_permission() can be made
354          * after inode_free_security() is called. Ideally, the VFS
355          * wouldn't do this, but fixing that is a much harder
356          * job. For now, simply free the i_security via RCU, and
357          * leave the current inode->i_security pointer intact.
358          * The inode will be freed after the RCU grace period too.
359          */
360         call_rcu(&isec->rcu, inode_free_rcu);
361 }
362
363 static int file_alloc_security(struct file *file)
364 {
365         struct file_security_struct *fsec;
366         u32 sid = current_sid();
367
368         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
369         if (!fsec)
370                 return -ENOMEM;
371
372         fsec->sid = sid;
373         fsec->fown_sid = sid;
374         file->f_security = fsec;
375
376         return 0;
377 }
378
379 static void file_free_security(struct file *file)
380 {
381         struct file_security_struct *fsec = file->f_security;
382         file->f_security = NULL;
383         kmem_cache_free(file_security_cache, fsec);
384 }
385
386 static int superblock_alloc_security(struct super_block *sb)
387 {
388         struct superblock_security_struct *sbsec;
389
390         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
391         if (!sbsec)
392                 return -ENOMEM;
393
394         mutex_init(&sbsec->lock);
395         INIT_LIST_HEAD(&sbsec->isec_head);
396         spin_lock_init(&sbsec->isec_lock);
397         sbsec->sb = sb;
398         sbsec->sid = SECINITSID_UNLABELED;
399         sbsec->def_sid = SECINITSID_FILE;
400         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401         sb->s_security = sbsec;
402
403         return 0;
404 }
405
406 static void superblock_free_security(struct super_block *sb)
407 {
408         struct superblock_security_struct *sbsec = sb->s_security;
409         sb->s_security = NULL;
410         kfree(sbsec);
411 }
412
413 static inline int inode_doinit(struct inode *inode)
414 {
415         return inode_doinit_with_dentry(inode, NULL);
416 }
417
418 enum {
419         Opt_error = -1,
420         Opt_context = 1,
421         Opt_fscontext = 2,
422         Opt_defcontext = 3,
423         Opt_rootcontext = 4,
424         Opt_labelsupport = 5,
425         Opt_nextmntopt = 6,
426 };
427
428 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
429
430 static const match_table_t tokens = {
431         {Opt_context, CONTEXT_STR "%s"},
432         {Opt_fscontext, FSCONTEXT_STR "%s"},
433         {Opt_defcontext, DEFCONTEXT_STR "%s"},
434         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435         {Opt_labelsupport, LABELSUPP_STR},
436         {Opt_error, NULL},
437 };
438
439 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
440
441 static int may_context_mount_sb_relabel(u32 sid,
442                         struct superblock_security_struct *sbsec,
443                         const struct cred *cred)
444 {
445         const struct task_security_struct *tsec = cred->security;
446         int rc;
447
448         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449                           FILESYSTEM__RELABELFROM, NULL);
450         if (rc)
451                 return rc;
452
453         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454                           FILESYSTEM__RELABELTO, NULL);
455         return rc;
456 }
457
458 static int may_context_mount_inode_relabel(u32 sid,
459                         struct superblock_security_struct *sbsec,
460                         const struct cred *cred)
461 {
462         const struct task_security_struct *tsec = cred->security;
463         int rc;
464         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465                           FILESYSTEM__RELABELFROM, NULL);
466         if (rc)
467                 return rc;
468
469         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470                           FILESYSTEM__ASSOCIATE, NULL);
471         return rc;
472 }
473
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
475 {
476         struct superblock_security_struct *sbsec = sb->s_security;
477
478         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480                 sbsec->behavior == SECURITY_FS_USE_TASK ||
481                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482                 /* Special handling. Genfs but also in-core setxattr handler */
483                 !strcmp(sb->s_type->name, "sysfs") ||
484                 !strcmp(sb->s_type->name, "pstore") ||
485                 !strcmp(sb->s_type->name, "debugfs") ||
486                 !strcmp(sb->s_type->name, "tracefs") ||
487                 !strcmp(sb->s_type->name, "rootfs") ||
488                 (selinux_policycap_cgroupseclabel &&
489                  (!strcmp(sb->s_type->name, "cgroup") ||
490                   !strcmp(sb->s_type->name, "cgroup2")));
491 }
492
493 static int sb_finish_set_opts(struct super_block *sb)
494 {
495         struct superblock_security_struct *sbsec = sb->s_security;
496         struct dentry *root = sb->s_root;
497         struct inode *root_inode = d_backing_inode(root);
498         int rc = 0;
499
500         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501                 /* Make sure that the xattr handler exists and that no
502                    error other than -ENODATA is returned by getxattr on
503                    the root directory.  -ENODATA is ok, as this may be
504                    the first boot of the SELinux kernel before we have
505                    assigned xattr values to the filesystem. */
506                 if (!(root_inode->i_opflags & IOP_XATTR)) {
507                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508                                "xattr support\n", sb->s_id, sb->s_type->name);
509                         rc = -EOPNOTSUPP;
510                         goto out;
511                 }
512
513                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514                 if (rc < 0 && rc != -ENODATA) {
515                         if (rc == -EOPNOTSUPP)
516                                 printk(KERN_WARNING "SELinux: (dev %s, type "
517                                        "%s) has no security xattr handler\n",
518                                        sb->s_id, sb->s_type->name);
519                         else
520                                 printk(KERN_WARNING "SELinux: (dev %s, type "
521                                        "%s) getxattr errno %d\n", sb->s_id,
522                                        sb->s_type->name, -rc);
523                         goto out;
524                 }
525         }
526
527         sbsec->flags |= SE_SBINITIALIZED;
528
529         /*
530          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
531          * leave the flag untouched because sb_clone_mnt_opts might be handing
532          * us a superblock that needs the flag to be cleared.
533          */
534         if (selinux_is_sblabel_mnt(sb))
535                 sbsec->flags |= SBLABEL_MNT;
536         else
537                 sbsec->flags &= ~SBLABEL_MNT;
538
539         /* Initialize the root inode. */
540         rc = inode_doinit_with_dentry(root_inode, root);
541
542         /* Initialize any other inodes associated with the superblock, e.g.
543            inodes created prior to initial policy load or inodes created
544            during get_sb by a pseudo filesystem that directly
545            populates itself. */
546         spin_lock(&sbsec->isec_lock);
547 next_inode:
548         if (!list_empty(&sbsec->isec_head)) {
549                 struct inode_security_struct *isec =
550                                 list_entry(sbsec->isec_head.next,
551                                            struct inode_security_struct, list);
552                 struct inode *inode = isec->inode;
553                 list_del_init(&isec->list);
554                 spin_unlock(&sbsec->isec_lock);
555                 inode = igrab(inode);
556                 if (inode) {
557                         if (!IS_PRIVATE(inode))
558                                 inode_doinit(inode);
559                         iput(inode);
560                 }
561                 spin_lock(&sbsec->isec_lock);
562                 goto next_inode;
563         }
564         spin_unlock(&sbsec->isec_lock);
565 out:
566         return rc;
567 }
568
569 /*
570  * This function should allow an FS to ask what it's mount security
571  * options were so it can use those later for submounts, displaying
572  * mount options, or whatever.
573  */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575                                 struct security_mnt_opts *opts)
576 {
577         int rc = 0, i;
578         struct superblock_security_struct *sbsec = sb->s_security;
579         char *context = NULL;
580         u32 len;
581         char tmp;
582
583         security_init_mnt_opts(opts);
584
585         if (!(sbsec->flags & SE_SBINITIALIZED))
586                 return -EINVAL;
587
588         if (!ss_initialized)
589                 return -EINVAL;
590
591         /* make sure we always check enough bits to cover the mask */
592         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
594         tmp = sbsec->flags & SE_MNTMASK;
595         /* count the number of mount options for this sb */
596         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597                 if (tmp & 0x01)
598                         opts->num_mnt_opts++;
599                 tmp >>= 1;
600         }
601         /* Check if the Label support flag is set */
602         if (sbsec->flags & SBLABEL_MNT)
603                 opts->num_mnt_opts++;
604
605         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606         if (!opts->mnt_opts) {
607                 rc = -ENOMEM;
608                 goto out_free;
609         }
610
611         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612         if (!opts->mnt_opts_flags) {
613                 rc = -ENOMEM;
614                 goto out_free;
615         }
616
617         i = 0;
618         if (sbsec->flags & FSCONTEXT_MNT) {
619                 rc = security_sid_to_context(sbsec->sid, &context, &len);
620                 if (rc)
621                         goto out_free;
622                 opts->mnt_opts[i] = context;
623                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624         }
625         if (sbsec->flags & CONTEXT_MNT) {
626                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627                 if (rc)
628                         goto out_free;
629                 opts->mnt_opts[i] = context;
630                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631         }
632         if (sbsec->flags & DEFCONTEXT_MNT) {
633                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634                 if (rc)
635                         goto out_free;
636                 opts->mnt_opts[i] = context;
637                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638         }
639         if (sbsec->flags & ROOTCONTEXT_MNT) {
640                 struct dentry *root = sbsec->sb->s_root;
641                 struct inode_security_struct *isec = backing_inode_security(root);
642
643                 rc = security_sid_to_context(isec->sid, &context, &len);
644                 if (rc)
645                         goto out_free;
646                 opts->mnt_opts[i] = context;
647                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648         }
649         if (sbsec->flags & SBLABEL_MNT) {
650                 opts->mnt_opts[i] = NULL;
651                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652         }
653
654         BUG_ON(i != opts->num_mnt_opts);
655
656         return 0;
657
658 out_free:
659         security_free_mnt_opts(opts);
660         return rc;
661 }
662
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664                       u32 old_sid, u32 new_sid)
665 {
666         char mnt_flags = sbsec->flags & SE_MNTMASK;
667
668         /* check if the old mount command had the same options */
669         if (sbsec->flags & SE_SBINITIALIZED)
670                 if (!(sbsec->flags & flag) ||
671                     (old_sid != new_sid))
672                         return 1;
673
674         /* check if we were passed the same options twice,
675          * aka someone passed context=a,context=b
676          */
677         if (!(sbsec->flags & SE_SBINITIALIZED))
678                 if (mnt_flags & flag)
679                         return 1;
680         return 0;
681 }
682
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688                                 struct security_mnt_opts *opts,
689                                 unsigned long kern_flags,
690                                 unsigned long *set_kern_flags)
691 {
692         const struct cred *cred = current_cred();
693         int rc = 0, i;
694         struct superblock_security_struct *sbsec = sb->s_security;
695         const char *name = sb->s_type->name;
696         struct dentry *root = sbsec->sb->s_root;
697         struct inode_security_struct *root_isec;
698         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699         u32 defcontext_sid = 0;
700         char **mount_options = opts->mnt_opts;
701         int *flags = opts->mnt_opts_flags;
702         int num_opts = opts->num_mnt_opts;
703
704         mutex_lock(&sbsec->lock);
705
706         if (!ss_initialized) {
707                 if (!num_opts) {
708                         /* Defer initialization until selinux_complete_init,
709                            after the initial policy is loaded and the security
710                            server is ready to handle calls. */
711                         goto out;
712                 }
713                 rc = -EINVAL;
714                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715                         "before the security server is initialized\n");
716                 goto out;
717         }
718         if (kern_flags && !set_kern_flags) {
719                 /* Specifying internal flags without providing a place to
720                  * place the results is not allowed */
721                 rc = -EINVAL;
722                 goto out;
723         }
724
725         /*
726          * Binary mount data FS will come through this function twice.  Once
727          * from an explicit call and once from the generic calls from the vfs.
728          * Since the generic VFS calls will not contain any security mount data
729          * we need to skip the double mount verification.
730          *
731          * This does open a hole in which we will not notice if the first
732          * mount using this sb set explict options and a second mount using
733          * this sb does not set any security options.  (The first options
734          * will be used for both mounts)
735          */
736         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737             && (num_opts == 0))
738                 goto out;
739
740         root_isec = backing_inode_security_novalidate(root);
741
742         /*
743          * parse the mount options, check if they are valid sids.
744          * also check if someone is trying to mount the same sb more
745          * than once with different security options.
746          */
747         for (i = 0; i < num_opts; i++) {
748                 u32 sid;
749
750                 if (flags[i] == SBLABEL_MNT)
751                         continue;
752                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753                 if (rc) {
754                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755                                "(%s) failed for (dev %s, type %s) errno=%d\n",
756                                mount_options[i], sb->s_id, name, rc);
757                         goto out;
758                 }
759                 switch (flags[i]) {
760                 case FSCONTEXT_MNT:
761                         fscontext_sid = sid;
762
763                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764                                         fscontext_sid))
765                                 goto out_double_mount;
766
767                         sbsec->flags |= FSCONTEXT_MNT;
768                         break;
769                 case CONTEXT_MNT:
770                         context_sid = sid;
771
772                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773                                         context_sid))
774                                 goto out_double_mount;
775
776                         sbsec->flags |= CONTEXT_MNT;
777                         break;
778                 case ROOTCONTEXT_MNT:
779                         rootcontext_sid = sid;
780
781                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782                                         rootcontext_sid))
783                                 goto out_double_mount;
784
785                         sbsec->flags |= ROOTCONTEXT_MNT;
786
787                         break;
788                 case DEFCONTEXT_MNT:
789                         defcontext_sid = sid;
790
791                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792                                         defcontext_sid))
793                                 goto out_double_mount;
794
795                         sbsec->flags |= DEFCONTEXT_MNT;
796
797                         break;
798                 default:
799                         rc = -EINVAL;
800                         goto out;
801                 }
802         }
803
804         if (sbsec->flags & SE_SBINITIALIZED) {
805                 /* previously mounted with options, but not on this attempt? */
806                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807                         goto out_double_mount;
808                 rc = 0;
809                 goto out;
810         }
811
812         if (strcmp(sb->s_type->name, "proc") == 0)
813                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
815         if (!strcmp(sb->s_type->name, "debugfs") ||
816             !strcmp(sb->s_type->name, "tracefs") ||
817             !strcmp(sb->s_type->name, "sysfs") ||
818             !strcmp(sb->s_type->name, "pstore"))
819                 sbsec->flags |= SE_SBGENFS;
820
821         if (!sbsec->behavior) {
822                 /*
823                  * Determine the labeling behavior to use for this
824                  * filesystem type.
825                  */
826                 rc = security_fs_use(sb);
827                 if (rc) {
828                         printk(KERN_WARNING
829                                 "%s: security_fs_use(%s) returned %d\n",
830                                         __func__, sb->s_type->name, rc);
831                         goto out;
832                 }
833         }
834
835         /*
836          * If this is a user namespace mount and the filesystem type is not
837          * explicitly whitelisted, then no contexts are allowed on the command
838          * line and security labels must be ignored.
839          */
840         if (sb->s_user_ns != &init_user_ns &&
841             strcmp(sb->s_type->name, "tmpfs") &&
842             strcmp(sb->s_type->name, "ramfs") &&
843             strcmp(sb->s_type->name, "devpts")) {
844                 if (context_sid || fscontext_sid || rootcontext_sid ||
845                     defcontext_sid) {
846                         rc = -EACCES;
847                         goto out;
848                 }
849                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
850                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
851                         rc = security_transition_sid(current_sid(), current_sid(),
852                                                      SECCLASS_FILE, NULL,
853                                                      &sbsec->mntpoint_sid);
854                         if (rc)
855                                 goto out;
856                 }
857                 goto out_set_opts;
858         }
859
860         /* sets the context of the superblock for the fs being mounted. */
861         if (fscontext_sid) {
862                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
863                 if (rc)
864                         goto out;
865
866                 sbsec->sid = fscontext_sid;
867         }
868
869         /*
870          * Switch to using mount point labeling behavior.
871          * sets the label used on all file below the mountpoint, and will set
872          * the superblock context if not already set.
873          */
874         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
875                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
876                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
877         }
878
879         if (context_sid) {
880                 if (!fscontext_sid) {
881                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
882                                                           cred);
883                         if (rc)
884                                 goto out;
885                         sbsec->sid = context_sid;
886                 } else {
887                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
888                                                              cred);
889                         if (rc)
890                                 goto out;
891                 }
892                 if (!rootcontext_sid)
893                         rootcontext_sid = context_sid;
894
895                 sbsec->mntpoint_sid = context_sid;
896                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
897         }
898
899         if (rootcontext_sid) {
900                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
901                                                      cred);
902                 if (rc)
903                         goto out;
904
905                 root_isec->sid = rootcontext_sid;
906                 root_isec->initialized = LABEL_INITIALIZED;
907         }
908
909         if (defcontext_sid) {
910                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
911                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
912                         rc = -EINVAL;
913                         printk(KERN_WARNING "SELinux: defcontext option is "
914                                "invalid for this filesystem type\n");
915                         goto out;
916                 }
917
918                 if (defcontext_sid != sbsec->def_sid) {
919                         rc = may_context_mount_inode_relabel(defcontext_sid,
920                                                              sbsec, cred);
921                         if (rc)
922                                 goto out;
923                 }
924
925                 sbsec->def_sid = defcontext_sid;
926         }
927
928 out_set_opts:
929         rc = sb_finish_set_opts(sb);
930 out:
931         mutex_unlock(&sbsec->lock);
932         return rc;
933 out_double_mount:
934         rc = -EINVAL;
935         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
936                "security settings for (dev %s, type %s)\n", sb->s_id, name);
937         goto out;
938 }
939
940 static int selinux_cmp_sb_context(const struct super_block *oldsb,
941                                     const struct super_block *newsb)
942 {
943         struct superblock_security_struct *old = oldsb->s_security;
944         struct superblock_security_struct *new = newsb->s_security;
945         char oldflags = old->flags & SE_MNTMASK;
946         char newflags = new->flags & SE_MNTMASK;
947
948         if (oldflags != newflags)
949                 goto mismatch;
950         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
951                 goto mismatch;
952         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
953                 goto mismatch;
954         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
955                 goto mismatch;
956         if (oldflags & ROOTCONTEXT_MNT) {
957                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
958                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
959                 if (oldroot->sid != newroot->sid)
960                         goto mismatch;
961         }
962         return 0;
963 mismatch:
964         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
965                             "different security settings for (dev %s, "
966                             "type %s)\n", newsb->s_id, newsb->s_type->name);
967         return -EBUSY;
968 }
969
970 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
971                                         struct super_block *newsb,
972                                         unsigned long kern_flags,
973                                         unsigned long *set_kern_flags)
974 {
975         int rc = 0;
976         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
977         struct superblock_security_struct *newsbsec = newsb->s_security;
978
979         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
980         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
981         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
982
983         /*
984          * if the parent was able to be mounted it clearly had no special lsm
985          * mount options.  thus we can safely deal with this superblock later
986          */
987         if (!ss_initialized)
988                 return 0;
989
990         /*
991          * Specifying internal flags without providing a place to
992          * place the results is not allowed.
993          */
994         if (kern_flags && !set_kern_flags)
995                 return -EINVAL;
996
997         /* how can we clone if the old one wasn't set up?? */
998         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
999
1000         /* if fs is reusing a sb, make sure that the contexts match */
1001         if (newsbsec->flags & SE_SBINITIALIZED)
1002                 return selinux_cmp_sb_context(oldsb, newsb);
1003
1004         mutex_lock(&newsbsec->lock);
1005
1006         newsbsec->flags = oldsbsec->flags;
1007
1008         newsbsec->sid = oldsbsec->sid;
1009         newsbsec->def_sid = oldsbsec->def_sid;
1010         newsbsec->behavior = oldsbsec->behavior;
1011
1012         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1013                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1014                 rc = security_fs_use(newsb);
1015                 if (rc)
1016                         goto out;
1017         }
1018
1019         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1020                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1021                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1022         }
1023
1024         if (set_context) {
1025                 u32 sid = oldsbsec->mntpoint_sid;
1026
1027                 if (!set_fscontext)
1028                         newsbsec->sid = sid;
1029                 if (!set_rootcontext) {
1030                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1031                         newisec->sid = sid;
1032                 }
1033                 newsbsec->mntpoint_sid = sid;
1034         }
1035         if (set_rootcontext) {
1036                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1037                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1038
1039                 newisec->sid = oldisec->sid;
1040         }
1041
1042         sb_finish_set_opts(newsb);
1043 out:
1044         mutex_unlock(&newsbsec->lock);
1045         return rc;
1046 }
1047
1048 static int selinux_parse_opts_str(char *options,
1049                                   struct security_mnt_opts *opts)
1050 {
1051         char *p;
1052         char *context = NULL, *defcontext = NULL;
1053         char *fscontext = NULL, *rootcontext = NULL;
1054         int rc, num_mnt_opts = 0;
1055
1056         opts->num_mnt_opts = 0;
1057
1058         /* Standard string-based options. */
1059         while ((p = strsep(&options, "|")) != NULL) {
1060                 int token;
1061                 substring_t args[MAX_OPT_ARGS];
1062
1063                 if (!*p)
1064                         continue;
1065
1066                 token = match_token(p, tokens, args);
1067
1068                 switch (token) {
1069                 case Opt_context:
1070                         if (context || defcontext) {
1071                                 rc = -EINVAL;
1072                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1073                                 goto out_err;
1074                         }
1075                         context = match_strdup(&args[0]);
1076                         if (!context) {
1077                                 rc = -ENOMEM;
1078                                 goto out_err;
1079                         }
1080                         break;
1081
1082                 case Opt_fscontext:
1083                         if (fscontext) {
1084                                 rc = -EINVAL;
1085                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1086                                 goto out_err;
1087                         }
1088                         fscontext = match_strdup(&args[0]);
1089                         if (!fscontext) {
1090                                 rc = -ENOMEM;
1091                                 goto out_err;
1092                         }
1093                         break;
1094
1095                 case Opt_rootcontext:
1096                         if (rootcontext) {
1097                                 rc = -EINVAL;
1098                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1099                                 goto out_err;
1100                         }
1101                         rootcontext = match_strdup(&args[0]);
1102                         if (!rootcontext) {
1103                                 rc = -ENOMEM;
1104                                 goto out_err;
1105                         }
1106                         break;
1107
1108                 case Opt_defcontext:
1109                         if (context || defcontext) {
1110                                 rc = -EINVAL;
1111                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1112                                 goto out_err;
1113                         }
1114                         defcontext = match_strdup(&args[0]);
1115                         if (!defcontext) {
1116                                 rc = -ENOMEM;
1117                                 goto out_err;
1118                         }
1119                         break;
1120                 case Opt_labelsupport:
1121                         break;
1122                 default:
1123                         rc = -EINVAL;
1124                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1125                         goto out_err;
1126
1127                 }
1128         }
1129
1130         rc = -ENOMEM;
1131         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1132         if (!opts->mnt_opts)
1133                 goto out_err;
1134
1135         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1136                                        GFP_KERNEL);
1137         if (!opts->mnt_opts_flags)
1138                 goto out_err;
1139
1140         if (fscontext) {
1141                 opts->mnt_opts[num_mnt_opts] = fscontext;
1142                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1143         }
1144         if (context) {
1145                 opts->mnt_opts[num_mnt_opts] = context;
1146                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1147         }
1148         if (rootcontext) {
1149                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1150                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1151         }
1152         if (defcontext) {
1153                 opts->mnt_opts[num_mnt_opts] = defcontext;
1154                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1155         }
1156
1157         opts->num_mnt_opts = num_mnt_opts;
1158         return 0;
1159
1160 out_err:
1161         security_free_mnt_opts(opts);
1162         kfree(context);
1163         kfree(defcontext);
1164         kfree(fscontext);
1165         kfree(rootcontext);
1166         return rc;
1167 }
1168 /*
1169  * string mount options parsing and call set the sbsec
1170  */
1171 static int superblock_doinit(struct super_block *sb, void *data)
1172 {
1173         int rc = 0;
1174         char *options = data;
1175         struct security_mnt_opts opts;
1176
1177         security_init_mnt_opts(&opts);
1178
1179         if (!data)
1180                 goto out;
1181
1182         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1183
1184         rc = selinux_parse_opts_str(options, &opts);
1185         if (rc)
1186                 goto out_err;
1187
1188 out:
1189         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1190
1191 out_err:
1192         security_free_mnt_opts(&opts);
1193         return rc;
1194 }
1195
1196 static void selinux_write_opts(struct seq_file *m,
1197                                struct security_mnt_opts *opts)
1198 {
1199         int i;
1200         char *prefix;
1201
1202         for (i = 0; i < opts->num_mnt_opts; i++) {
1203                 char *has_comma;
1204
1205                 if (opts->mnt_opts[i])
1206                         has_comma = strchr(opts->mnt_opts[i], ',');
1207                 else
1208                         has_comma = NULL;
1209
1210                 switch (opts->mnt_opts_flags[i]) {
1211                 case CONTEXT_MNT:
1212                         prefix = CONTEXT_STR;
1213                         break;
1214                 case FSCONTEXT_MNT:
1215                         prefix = FSCONTEXT_STR;
1216                         break;
1217                 case ROOTCONTEXT_MNT:
1218                         prefix = ROOTCONTEXT_STR;
1219                         break;
1220                 case DEFCONTEXT_MNT:
1221                         prefix = DEFCONTEXT_STR;
1222                         break;
1223                 case SBLABEL_MNT:
1224                         seq_putc(m, ',');
1225                         seq_puts(m, LABELSUPP_STR);
1226                         continue;
1227                 default:
1228                         BUG();
1229                         return;
1230                 };
1231                 /* we need a comma before each option */
1232                 seq_putc(m, ',');
1233                 seq_puts(m, prefix);
1234                 if (has_comma)
1235                         seq_putc(m, '\"');
1236                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1237                 if (has_comma)
1238                         seq_putc(m, '\"');
1239         }
1240 }
1241
1242 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1243 {
1244         struct security_mnt_opts opts;
1245         int rc;
1246
1247         rc = selinux_get_mnt_opts(sb, &opts);
1248         if (rc) {
1249                 /* before policy load we may get EINVAL, don't show anything */
1250                 if (rc == -EINVAL)
1251                         rc = 0;
1252                 return rc;
1253         }
1254
1255         selinux_write_opts(m, &opts);
1256
1257         security_free_mnt_opts(&opts);
1258
1259         return rc;
1260 }
1261
1262 static inline u16 inode_mode_to_security_class(umode_t mode)
1263 {
1264         switch (mode & S_IFMT) {
1265         case S_IFSOCK:
1266                 return SECCLASS_SOCK_FILE;
1267         case S_IFLNK:
1268                 return SECCLASS_LNK_FILE;
1269         case S_IFREG:
1270                 return SECCLASS_FILE;
1271         case S_IFBLK:
1272                 return SECCLASS_BLK_FILE;
1273         case S_IFDIR:
1274                 return SECCLASS_DIR;
1275         case S_IFCHR:
1276                 return SECCLASS_CHR_FILE;
1277         case S_IFIFO:
1278                 return SECCLASS_FIFO_FILE;
1279
1280         }
1281
1282         return SECCLASS_FILE;
1283 }
1284
1285 static inline int default_protocol_stream(int protocol)
1286 {
1287         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1288 }
1289
1290 static inline int default_protocol_dgram(int protocol)
1291 {
1292         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1293 }
1294
1295 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1296 {
1297         int extsockclass = selinux_policycap_extsockclass;
1298
1299         switch (family) {
1300         case PF_UNIX:
1301                 switch (type) {
1302                 case SOCK_STREAM:
1303                 case SOCK_SEQPACKET:
1304                         return SECCLASS_UNIX_STREAM_SOCKET;
1305                 case SOCK_DGRAM:
1306                 case SOCK_RAW:
1307                         return SECCLASS_UNIX_DGRAM_SOCKET;
1308                 }
1309                 break;
1310         case PF_INET:
1311         case PF_INET6:
1312                 switch (type) {
1313                 case SOCK_STREAM:
1314                 case SOCK_SEQPACKET:
1315                         if (default_protocol_stream(protocol))
1316                                 return SECCLASS_TCP_SOCKET;
1317                         else if (extsockclass && protocol == IPPROTO_SCTP)
1318                                 return SECCLASS_SCTP_SOCKET;
1319                         else
1320                                 return SECCLASS_RAWIP_SOCKET;
1321                 case SOCK_DGRAM:
1322                         if (default_protocol_dgram(protocol))
1323                                 return SECCLASS_UDP_SOCKET;
1324                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1325                                                   protocol == IPPROTO_ICMPV6))
1326                                 return SECCLASS_ICMP_SOCKET;
1327                         else
1328                                 return SECCLASS_RAWIP_SOCKET;
1329                 case SOCK_DCCP:
1330                         return SECCLASS_DCCP_SOCKET;
1331                 default:
1332                         return SECCLASS_RAWIP_SOCKET;
1333                 }
1334                 break;
1335         case PF_NETLINK:
1336                 switch (protocol) {
1337                 case NETLINK_ROUTE:
1338                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1339                 case NETLINK_SOCK_DIAG:
1340                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1341                 case NETLINK_NFLOG:
1342                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1343                 case NETLINK_XFRM:
1344                         return SECCLASS_NETLINK_XFRM_SOCKET;
1345                 case NETLINK_SELINUX:
1346                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1347                 case NETLINK_ISCSI:
1348                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1349                 case NETLINK_AUDIT:
1350                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1351                 case NETLINK_FIB_LOOKUP:
1352                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1353                 case NETLINK_CONNECTOR:
1354                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1355                 case NETLINK_NETFILTER:
1356                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1357                 case NETLINK_DNRTMSG:
1358                         return SECCLASS_NETLINK_DNRT_SOCKET;
1359                 case NETLINK_KOBJECT_UEVENT:
1360                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1361                 case NETLINK_GENERIC:
1362                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1363                 case NETLINK_SCSITRANSPORT:
1364                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1365                 case NETLINK_RDMA:
1366                         return SECCLASS_NETLINK_RDMA_SOCKET;
1367                 case NETLINK_CRYPTO:
1368                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1369                 default:
1370                         return SECCLASS_NETLINK_SOCKET;
1371                 }
1372         case PF_PACKET:
1373                 return SECCLASS_PACKET_SOCKET;
1374         case PF_KEY:
1375                 return SECCLASS_KEY_SOCKET;
1376         case PF_APPLETALK:
1377                 return SECCLASS_APPLETALK_SOCKET;
1378         }
1379
1380         if (extsockclass) {
1381                 switch (family) {
1382                 case PF_AX25:
1383                         return SECCLASS_AX25_SOCKET;
1384                 case PF_IPX:
1385                         return SECCLASS_IPX_SOCKET;
1386                 case PF_NETROM:
1387                         return SECCLASS_NETROM_SOCKET;
1388                 case PF_ATMPVC:
1389                         return SECCLASS_ATMPVC_SOCKET;
1390                 case PF_X25:
1391                         return SECCLASS_X25_SOCKET;
1392                 case PF_ROSE:
1393                         return SECCLASS_ROSE_SOCKET;
1394                 case PF_DECnet:
1395                         return SECCLASS_DECNET_SOCKET;
1396                 case PF_ATMSVC:
1397                         return SECCLASS_ATMSVC_SOCKET;
1398                 case PF_RDS:
1399                         return SECCLASS_RDS_SOCKET;
1400                 case PF_IRDA:
1401                         return SECCLASS_IRDA_SOCKET;
1402                 case PF_PPPOX:
1403                         return SECCLASS_PPPOX_SOCKET;
1404                 case PF_LLC:
1405                         return SECCLASS_LLC_SOCKET;
1406                 case PF_CAN:
1407                         return SECCLASS_CAN_SOCKET;
1408                 case PF_TIPC:
1409                         return SECCLASS_TIPC_SOCKET;
1410                 case PF_BLUETOOTH:
1411                         return SECCLASS_BLUETOOTH_SOCKET;
1412                 case PF_IUCV:
1413                         return SECCLASS_IUCV_SOCKET;
1414                 case PF_RXRPC:
1415                         return SECCLASS_RXRPC_SOCKET;
1416                 case PF_ISDN:
1417                         return SECCLASS_ISDN_SOCKET;
1418                 case PF_PHONET:
1419                         return SECCLASS_PHONET_SOCKET;
1420                 case PF_IEEE802154:
1421                         return SECCLASS_IEEE802154_SOCKET;
1422                 case PF_CAIF:
1423                         return SECCLASS_CAIF_SOCKET;
1424                 case PF_ALG:
1425                         return SECCLASS_ALG_SOCKET;
1426                 case PF_NFC:
1427                         return SECCLASS_NFC_SOCKET;
1428                 case PF_VSOCK:
1429                         return SECCLASS_VSOCK_SOCKET;
1430                 case PF_KCM:
1431                         return SECCLASS_KCM_SOCKET;
1432                 case PF_QIPCRTR:
1433                         return SECCLASS_QIPCRTR_SOCKET;
1434                 case PF_SMC:
1435                         return SECCLASS_SMC_SOCKET;
1436 #if PF_MAX > 44
1437 #error New address family defined, please update this function.
1438 #endif
1439                 }
1440         }
1441
1442         return SECCLASS_SOCKET;
1443 }
1444
1445 static int selinux_genfs_get_sid(struct dentry *dentry,
1446                                  u16 tclass,
1447                                  u16 flags,
1448                                  u32 *sid)
1449 {
1450         int rc;
1451         struct super_block *sb = dentry->d_sb;
1452         char *buffer, *path;
1453
1454         buffer = (char *)__get_free_page(GFP_KERNEL);
1455         if (!buffer)
1456                 return -ENOMEM;
1457
1458         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1459         if (IS_ERR(path))
1460                 rc = PTR_ERR(path);
1461         else {
1462                 if (flags & SE_SBPROC) {
1463                         /* each process gets a /proc/PID/ entry. Strip off the
1464                          * PID part to get a valid selinux labeling.
1465                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1466                         while (path[1] >= '0' && path[1] <= '9') {
1467                                 path[1] = '/';
1468                                 path++;
1469                         }
1470                 }
1471                 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1472         }
1473         free_page((unsigned long)buffer);
1474         return rc;
1475 }
1476
1477 /* The inode's security attributes must be initialized before first use. */
1478 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1479 {
1480         struct superblock_security_struct *sbsec = NULL;
1481         struct inode_security_struct *isec = inode->i_security;
1482         u32 task_sid, sid = 0;
1483         u16 sclass;
1484         struct dentry *dentry;
1485 #define INITCONTEXTLEN 255
1486         char *context = NULL;
1487         unsigned len = 0;
1488         int rc = 0;
1489
1490         if (isec->initialized == LABEL_INITIALIZED)
1491                 return 0;
1492
1493         spin_lock(&isec->lock);
1494         if (isec->initialized == LABEL_INITIALIZED)
1495                 goto out_unlock;
1496
1497         if (isec->sclass == SECCLASS_FILE)
1498                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1499
1500         sbsec = inode->i_sb->s_security;
1501         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1502                 /* Defer initialization until selinux_complete_init,
1503                    after the initial policy is loaded and the security
1504                    server is ready to handle calls. */
1505                 spin_lock(&sbsec->isec_lock);
1506                 if (list_empty(&isec->list))
1507                         list_add(&isec->list, &sbsec->isec_head);
1508                 spin_unlock(&sbsec->isec_lock);
1509                 goto out_unlock;
1510         }
1511
1512         sclass = isec->sclass;
1513         task_sid = isec->task_sid;
1514         sid = isec->sid;
1515         isec->initialized = LABEL_PENDING;
1516         spin_unlock(&isec->lock);
1517
1518         switch (sbsec->behavior) {
1519         case SECURITY_FS_USE_NATIVE:
1520                 break;
1521         case SECURITY_FS_USE_XATTR:
1522                 if (!(inode->i_opflags & IOP_XATTR)) {
1523                         sid = sbsec->def_sid;
1524                         break;
1525                 }
1526                 /* Need a dentry, since the xattr API requires one.
1527                    Life would be simpler if we could just pass the inode. */
1528                 if (opt_dentry) {
1529                         /* Called from d_instantiate or d_splice_alias. */
1530                         dentry = dget(opt_dentry);
1531                 } else {
1532                         /* Called from selinux_complete_init, try to find a dentry. */
1533                         dentry = d_find_alias(inode);
1534                 }
1535                 if (!dentry) {
1536                         /*
1537                          * this is can be hit on boot when a file is accessed
1538                          * before the policy is loaded.  When we load policy we
1539                          * may find inodes that have no dentry on the
1540                          * sbsec->isec_head list.  No reason to complain as these
1541                          * will get fixed up the next time we go through
1542                          * inode_doinit with a dentry, before these inodes could
1543                          * be used again by userspace.
1544                          */
1545                         goto out;
1546                 }
1547
1548                 len = INITCONTEXTLEN;
1549                 context = kmalloc(len+1, GFP_NOFS);
1550                 if (!context) {
1551                         rc = -ENOMEM;
1552                         dput(dentry);
1553                         goto out;
1554                 }
1555                 context[len] = '\0';
1556                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1557                 if (rc == -ERANGE) {
1558                         kfree(context);
1559
1560                         /* Need a larger buffer.  Query for the right size. */
1561                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1562                         if (rc < 0) {
1563                                 dput(dentry);
1564                                 goto out;
1565                         }
1566                         len = rc;
1567                         context = kmalloc(len+1, GFP_NOFS);
1568                         if (!context) {
1569                                 rc = -ENOMEM;
1570                                 dput(dentry);
1571                                 goto out;
1572                         }
1573                         context[len] = '\0';
1574                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1575                 }
1576                 dput(dentry);
1577                 if (rc < 0) {
1578                         if (rc != -ENODATA) {
1579                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1580                                        "%d for dev=%s ino=%ld\n", __func__,
1581                                        -rc, inode->i_sb->s_id, inode->i_ino);
1582                                 kfree(context);
1583                                 goto out;
1584                         }
1585                         /* Map ENODATA to the default file SID */
1586                         sid = sbsec->def_sid;
1587                         rc = 0;
1588                 } else {
1589                         rc = security_context_to_sid_default(context, rc, &sid,
1590                                                              sbsec->def_sid,
1591                                                              GFP_NOFS);
1592                         if (rc) {
1593                                 char *dev = inode->i_sb->s_id;
1594                                 unsigned long ino = inode->i_ino;
1595
1596                                 if (rc == -EINVAL) {
1597                                         if (printk_ratelimit())
1598                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1599                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1600                                                         "filesystem in question.\n", ino, dev, context);
1601                                 } else {
1602                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1603                                                "returned %d for dev=%s ino=%ld\n",
1604                                                __func__, context, -rc, dev, ino);
1605                                 }
1606                                 kfree(context);
1607                                 /* Leave with the unlabeled SID */
1608                                 rc = 0;
1609                                 break;
1610                         }
1611                 }
1612                 kfree(context);
1613                 break;
1614         case SECURITY_FS_USE_TASK:
1615                 sid = task_sid;
1616                 break;
1617         case SECURITY_FS_USE_TRANS:
1618                 /* Default to the fs SID. */
1619                 sid = sbsec->sid;
1620
1621                 /* Try to obtain a transition SID. */
1622                 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1623                 if (rc)
1624                         goto out;
1625                 break;
1626         case SECURITY_FS_USE_MNTPOINT:
1627                 sid = sbsec->mntpoint_sid;
1628                 break;
1629         default:
1630                 /* Default to the fs superblock SID. */
1631                 sid = sbsec->sid;
1632
1633                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1634                         /* We must have a dentry to determine the label on
1635                          * procfs inodes */
1636                         if (opt_dentry)
1637                                 /* Called from d_instantiate or
1638                                  * d_splice_alias. */
1639                                 dentry = dget(opt_dentry);
1640                         else
1641                                 /* Called from selinux_complete_init, try to
1642                                  * find a dentry. */
1643                                 dentry = d_find_alias(inode);
1644                         /*
1645                          * This can be hit on boot when a file is accessed
1646                          * before the policy is loaded.  When we load policy we
1647                          * may find inodes that have no dentry on the
1648                          * sbsec->isec_head list.  No reason to complain as
1649                          * these will get fixed up the next time we go through
1650                          * inode_doinit() with a dentry, before these inodes
1651                          * could be used again by userspace.
1652                          */
1653                         if (!dentry)
1654                                 goto out;
1655                         rc = selinux_genfs_get_sid(dentry, sclass,
1656                                                    sbsec->flags, &sid);
1657                         dput(dentry);
1658                         if (rc)
1659                                 goto out;
1660                 }
1661                 break;
1662         }
1663
1664 out:
1665         spin_lock(&isec->lock);
1666         if (isec->initialized == LABEL_PENDING) {
1667                 if (!sid || rc) {
1668                         isec->initialized = LABEL_INVALID;
1669                         goto out_unlock;
1670                 }
1671
1672                 isec->initialized = LABEL_INITIALIZED;
1673                 isec->sid = sid;
1674         }
1675
1676 out_unlock:
1677         spin_unlock(&isec->lock);
1678         return rc;
1679 }
1680
1681 /* Convert a Linux signal to an access vector. */
1682 static inline u32 signal_to_av(int sig)
1683 {
1684         u32 perm = 0;
1685
1686         switch (sig) {
1687         case SIGCHLD:
1688                 /* Commonly granted from child to parent. */
1689                 perm = PROCESS__SIGCHLD;
1690                 break;
1691         case SIGKILL:
1692                 /* Cannot be caught or ignored */
1693                 perm = PROCESS__SIGKILL;
1694                 break;
1695         case SIGSTOP:
1696                 /* Cannot be caught or ignored */
1697                 perm = PROCESS__SIGSTOP;
1698                 break;
1699         default:
1700                 /* All other signals. */
1701                 perm = PROCESS__SIGNAL;
1702                 break;
1703         }
1704
1705         return perm;
1706 }
1707
1708 #if CAP_LAST_CAP > 63
1709 #error Fix SELinux to handle capabilities > 63.
1710 #endif
1711
1712 /* Check whether a task is allowed to use a capability. */
1713 static int cred_has_capability(const struct cred *cred,
1714                                int cap, int audit, bool initns)
1715 {
1716         struct common_audit_data ad;
1717         struct av_decision avd;
1718         u16 sclass;
1719         u32 sid = cred_sid(cred);
1720         u32 av = CAP_TO_MASK(cap);
1721         int rc;
1722
1723         ad.type = LSM_AUDIT_DATA_CAP;
1724         ad.u.cap = cap;
1725
1726         switch (CAP_TO_INDEX(cap)) {
1727         case 0:
1728                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1729                 break;
1730         case 1:
1731                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1732                 break;
1733         default:
1734                 printk(KERN_ERR
1735                        "SELinux:  out of range capability %d\n", cap);
1736                 BUG();
1737                 return -EINVAL;
1738         }
1739
1740         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1741         if (audit == SECURITY_CAP_AUDIT) {
1742                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1743                 if (rc2)
1744                         return rc2;
1745         }
1746         return rc;
1747 }
1748
1749 /* Check whether a task has a particular permission to an inode.
1750    The 'adp' parameter is optional and allows other audit
1751    data to be passed (e.g. the dentry). */
1752 static int inode_has_perm(const struct cred *cred,
1753                           struct inode *inode,
1754                           u32 perms,
1755                           struct common_audit_data *adp)
1756 {
1757         struct inode_security_struct *isec;
1758         u32 sid;
1759
1760         validate_creds(cred);
1761
1762         if (unlikely(IS_PRIVATE(inode)))
1763                 return 0;
1764
1765         sid = cred_sid(cred);
1766         isec = inode->i_security;
1767
1768         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1769 }
1770
1771 /* Same as inode_has_perm, but pass explicit audit data containing
1772    the dentry to help the auditing code to more easily generate the
1773    pathname if needed. */
1774 static inline int dentry_has_perm(const struct cred *cred,
1775                                   struct dentry *dentry,
1776                                   u32 av)
1777 {
1778         struct inode *inode = d_backing_inode(dentry);
1779         struct common_audit_data ad;
1780
1781         ad.type = LSM_AUDIT_DATA_DENTRY;
1782         ad.u.dentry = dentry;
1783         __inode_security_revalidate(inode, dentry, true);
1784         return inode_has_perm(cred, inode, av, &ad);
1785 }
1786
1787 /* Same as inode_has_perm, but pass explicit audit data containing
1788    the path to help the auditing code to more easily generate the
1789    pathname if needed. */
1790 static inline int path_has_perm(const struct cred *cred,
1791                                 const struct path *path,
1792                                 u32 av)
1793 {
1794         struct inode *inode = d_backing_inode(path->dentry);
1795         struct common_audit_data ad;
1796
1797         ad.type = LSM_AUDIT_DATA_PATH;
1798         ad.u.path = *path;
1799         __inode_security_revalidate(inode, path->dentry, true);
1800         return inode_has_perm(cred, inode, av, &ad);
1801 }
1802
1803 /* Same as path_has_perm, but uses the inode from the file struct. */
1804 static inline int file_path_has_perm(const struct cred *cred,
1805                                      struct file *file,
1806                                      u32 av)
1807 {
1808         struct common_audit_data ad;
1809
1810         ad.type = LSM_AUDIT_DATA_FILE;
1811         ad.u.file = file;
1812         return inode_has_perm(cred, file_inode(file), av, &ad);
1813 }
1814
1815 /* Check whether a task can use an open file descriptor to
1816    access an inode in a given way.  Check access to the
1817    descriptor itself, and then use dentry_has_perm to
1818    check a particular permission to the file.
1819    Access to the descriptor is implicitly granted if it
1820    has the same SID as the process.  If av is zero, then
1821    access to the file is not checked, e.g. for cases
1822    where only the descriptor is affected like seek. */
1823 static int file_has_perm(const struct cred *cred,
1824                          struct file *file,
1825                          u32 av)
1826 {
1827         struct file_security_struct *fsec = file->f_security;
1828         struct inode *inode = file_inode(file);
1829         struct common_audit_data ad;
1830         u32 sid = cred_sid(cred);
1831         int rc;
1832
1833         ad.type = LSM_AUDIT_DATA_FILE;
1834         ad.u.file = file;
1835
1836         if (sid != fsec->sid) {
1837                 rc = avc_has_perm(sid, fsec->sid,
1838                                   SECCLASS_FD,
1839                                   FD__USE,
1840                                   &ad);
1841                 if (rc)
1842                         goto out;
1843         }
1844
1845         /* av is zero if only checking access to the descriptor. */
1846         rc = 0;
1847         if (av)
1848                 rc = inode_has_perm(cred, inode, av, &ad);
1849
1850 out:
1851         return rc;
1852 }
1853
1854 /*
1855  * Determine the label for an inode that might be unioned.
1856  */
1857 static int
1858 selinux_determine_inode_label(const struct task_security_struct *tsec,
1859                                  struct inode *dir,
1860                                  const struct qstr *name, u16 tclass,
1861                                  u32 *_new_isid)
1862 {
1863         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1864
1865         if ((sbsec->flags & SE_SBINITIALIZED) &&
1866             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1867                 *_new_isid = sbsec->mntpoint_sid;
1868         } else if ((sbsec->flags & SBLABEL_MNT) &&
1869                    tsec->create_sid) {
1870                 *_new_isid = tsec->create_sid;
1871         } else {
1872                 const struct inode_security_struct *dsec = inode_security(dir);
1873                 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1874                                                name, _new_isid);
1875         }
1876
1877         return 0;
1878 }
1879
1880 /* Check whether a task can create a file. */
1881 static int may_create(struct inode *dir,
1882                       struct dentry *dentry,
1883                       u16 tclass)
1884 {
1885         const struct task_security_struct *tsec = current_security();
1886         struct inode_security_struct *dsec;
1887         struct superblock_security_struct *sbsec;
1888         u32 sid, newsid;
1889         struct common_audit_data ad;
1890         int rc;
1891
1892         dsec = inode_security(dir);
1893         sbsec = dir->i_sb->s_security;
1894
1895         sid = tsec->sid;
1896
1897         ad.type = LSM_AUDIT_DATA_DENTRY;
1898         ad.u.dentry = dentry;
1899
1900         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1901                           DIR__ADD_NAME | DIR__SEARCH,
1902                           &ad);
1903         if (rc)
1904                 return rc;
1905
1906         rc = selinux_determine_inode_label(current_security(), dir,
1907                                            &dentry->d_name, tclass, &newsid);
1908         if (rc)
1909                 return rc;
1910
1911         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1912         if (rc)
1913                 return rc;
1914
1915         return avc_has_perm(newsid, sbsec->sid,
1916                             SECCLASS_FILESYSTEM,
1917                             FILESYSTEM__ASSOCIATE, &ad);
1918 }
1919
1920 #define MAY_LINK        0
1921 #define MAY_UNLINK      1
1922 #define MAY_RMDIR       2
1923
1924 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1925 static int may_link(struct inode *dir,
1926                     struct dentry *dentry,
1927                     int kind)
1928
1929 {
1930         struct inode_security_struct *dsec, *isec;
1931         struct common_audit_data ad;
1932         u32 sid = current_sid();
1933         u32 av;
1934         int rc;
1935
1936         dsec = inode_security(dir);
1937         isec = backing_inode_security(dentry);
1938
1939         ad.type = LSM_AUDIT_DATA_DENTRY;
1940         ad.u.dentry = dentry;
1941
1942         av = DIR__SEARCH;
1943         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1944         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1945         if (rc)
1946                 return rc;
1947
1948         switch (kind) {
1949         case MAY_LINK:
1950                 av = FILE__LINK;
1951                 break;
1952         case MAY_UNLINK:
1953                 av = FILE__UNLINK;
1954                 break;
1955         case MAY_RMDIR:
1956                 av = DIR__RMDIR;
1957                 break;
1958         default:
1959                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1960                         __func__, kind);
1961                 return 0;
1962         }
1963
1964         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1965         return rc;
1966 }
1967
1968 static inline int may_rename(struct inode *old_dir,
1969                              struct dentry *old_dentry,
1970                              struct inode *new_dir,
1971                              struct dentry *new_dentry)
1972 {
1973         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1974         struct common_audit_data ad;
1975         u32 sid = current_sid();
1976         u32 av;
1977         int old_is_dir, new_is_dir;
1978         int rc;
1979
1980         old_dsec = inode_security(old_dir);
1981         old_isec = backing_inode_security(old_dentry);
1982         old_is_dir = d_is_dir(old_dentry);
1983         new_dsec = inode_security(new_dir);
1984
1985         ad.type = LSM_AUDIT_DATA_DENTRY;
1986
1987         ad.u.dentry = old_dentry;
1988         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1989                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1990         if (rc)
1991                 return rc;
1992         rc = avc_has_perm(sid, old_isec->sid,
1993                           old_isec->sclass, FILE__RENAME, &ad);
1994         if (rc)
1995                 return rc;
1996         if (old_is_dir && new_dir != old_dir) {
1997                 rc = avc_has_perm(sid, old_isec->sid,
1998                                   old_isec->sclass, DIR__REPARENT, &ad);
1999                 if (rc)
2000                         return rc;
2001         }
2002
2003         ad.u.dentry = new_dentry;
2004         av = DIR__ADD_NAME | DIR__SEARCH;
2005         if (d_is_positive(new_dentry))
2006                 av |= DIR__REMOVE_NAME;
2007         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2008         if (rc)
2009                 return rc;
2010         if (d_is_positive(new_dentry)) {
2011                 new_isec = backing_inode_security(new_dentry);
2012                 new_is_dir = d_is_dir(new_dentry);
2013                 rc = avc_has_perm(sid, new_isec->sid,
2014                                   new_isec->sclass,
2015                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2016                 if (rc)
2017                         return rc;
2018         }
2019
2020         return 0;
2021 }
2022
2023 /* Check whether a task can perform a filesystem operation. */
2024 static int superblock_has_perm(const struct cred *cred,
2025                                struct super_block *sb,
2026                                u32 perms,
2027                                struct common_audit_data *ad)
2028 {
2029         struct superblock_security_struct *sbsec;
2030         u32 sid = cred_sid(cred);
2031
2032         sbsec = sb->s_security;
2033         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2034 }
2035
2036 /* Convert a Linux mode and permission mask to an access vector. */
2037 static inline u32 file_mask_to_av(int mode, int mask)
2038 {
2039         u32 av = 0;
2040
2041         if (!S_ISDIR(mode)) {
2042                 if (mask & MAY_EXEC)
2043                         av |= FILE__EXECUTE;
2044                 if (mask & MAY_READ)
2045                         av |= FILE__READ;
2046
2047                 if (mask & MAY_APPEND)
2048                         av |= FILE__APPEND;
2049                 else if (mask & MAY_WRITE)
2050                         av |= FILE__WRITE;
2051
2052         } else {
2053                 if (mask & MAY_EXEC)
2054                         av |= DIR__SEARCH;
2055                 if (mask & MAY_WRITE)
2056                         av |= DIR__WRITE;
2057                 if (mask & MAY_READ)
2058                         av |= DIR__READ;
2059         }
2060
2061         return av;
2062 }
2063
2064 /* Convert a Linux file to an access vector. */
2065 static inline u32 file_to_av(struct file *file)
2066 {
2067         u32 av = 0;
2068
2069         if (file->f_mode & FMODE_READ)
2070                 av |= FILE__READ;
2071         if (file->f_mode & FMODE_WRITE) {
2072                 if (file->f_flags & O_APPEND)
2073                         av |= FILE__APPEND;
2074                 else
2075                         av |= FILE__WRITE;
2076         }
2077         if (!av) {
2078                 /*
2079                  * Special file opened with flags 3 for ioctl-only use.
2080                  */
2081                 av = FILE__IOCTL;
2082         }
2083
2084         return av;
2085 }
2086
2087 /*
2088  * Convert a file to an access vector and include the correct open
2089  * open permission.
2090  */
2091 static inline u32 open_file_to_av(struct file *file)
2092 {
2093         u32 av = file_to_av(file);
2094         struct inode *inode = file_inode(file);
2095
2096         if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2097                 av |= FILE__OPEN;
2098
2099         return av;
2100 }
2101
2102 /* Hook functions begin here. */
2103
2104 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2105 {
2106         u32 mysid = current_sid();
2107         u32 mgrsid = task_sid(mgr);
2108
2109         return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2110                             BINDER__SET_CONTEXT_MGR, NULL);
2111 }
2112
2113 static int selinux_binder_transaction(struct task_struct *from,
2114                                       struct task_struct *to)
2115 {
2116         u32 mysid = current_sid();
2117         u32 fromsid = task_sid(from);
2118         u32 tosid = task_sid(to);
2119         int rc;
2120
2121         if (mysid != fromsid) {
2122                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2123                                   BINDER__IMPERSONATE, NULL);
2124                 if (rc)
2125                         return rc;
2126         }
2127
2128         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2129                             NULL);
2130 }
2131
2132 static int selinux_binder_transfer_binder(struct task_struct *from,
2133                                           struct task_struct *to)
2134 {
2135         u32 fromsid = task_sid(from);
2136         u32 tosid = task_sid(to);
2137
2138         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2139                             NULL);
2140 }
2141
2142 static int selinux_binder_transfer_file(struct task_struct *from,
2143                                         struct task_struct *to,
2144                                         struct file *file)
2145 {
2146         u32 sid = task_sid(to);
2147         struct file_security_struct *fsec = file->f_security;
2148         struct dentry *dentry = file->f_path.dentry;
2149         struct inode_security_struct *isec;
2150         struct common_audit_data ad;
2151         int rc;
2152
2153         ad.type = LSM_AUDIT_DATA_PATH;
2154         ad.u.path = file->f_path;
2155
2156         if (sid != fsec->sid) {
2157                 rc = avc_has_perm(sid, fsec->sid,
2158                                   SECCLASS_FD,
2159                                   FD__USE,
2160                                   &ad);
2161                 if (rc)
2162                         return rc;
2163         }
2164
2165         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2166                 return 0;
2167
2168         isec = backing_inode_security(dentry);
2169         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2170                             &ad);
2171 }
2172
2173 static int selinux_ptrace_access_check(struct task_struct *child,
2174                                      unsigned int mode)
2175 {
2176         u32 sid = current_sid();
2177         u32 csid = task_sid(child);
2178
2179         if (mode & PTRACE_MODE_READ)
2180                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2181
2182         return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2183 }
2184
2185 static int selinux_ptrace_traceme(struct task_struct *parent)
2186 {
2187         return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2188                             PROCESS__PTRACE, NULL);
2189 }
2190
2191 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2192                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2193 {
2194         return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2195                             PROCESS__GETCAP, NULL);
2196 }
2197
2198 static int selinux_capset(struct cred *new, const struct cred *old,
2199                           const kernel_cap_t *effective,
2200                           const kernel_cap_t *inheritable,
2201                           const kernel_cap_t *permitted)
2202 {
2203         return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2204                             PROCESS__SETCAP, NULL);
2205 }
2206
2207 /*
2208  * (This comment used to live with the selinux_task_setuid hook,
2209  * which was removed).
2210  *
2211  * Since setuid only affects the current process, and since the SELinux
2212  * controls are not based on the Linux identity attributes, SELinux does not
2213  * need to control this operation.  However, SELinux does control the use of
2214  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2215  */
2216
2217 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2218                            int cap, int audit)
2219 {
2220         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2221 }
2222
2223 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2224 {
2225         const struct cred *cred = current_cred();
2226         int rc = 0;
2227
2228         if (!sb)
2229                 return 0;
2230
2231         switch (cmds) {
2232         case Q_SYNC:
2233         case Q_QUOTAON:
2234         case Q_QUOTAOFF:
2235         case Q_SETINFO:
2236         case Q_SETQUOTA:
2237                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2238                 break;
2239         case Q_GETFMT:
2240         case Q_GETINFO:
2241         case Q_GETQUOTA:
2242                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2243                 break;
2244         default:
2245                 rc = 0;  /* let the kernel handle invalid cmds */
2246                 break;
2247         }
2248         return rc;
2249 }
2250
2251 static int selinux_quota_on(struct dentry *dentry)
2252 {
2253         const struct cred *cred = current_cred();
2254
2255         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2256 }
2257
2258 static int selinux_syslog(int type)
2259 {
2260         switch (type) {
2261         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2262         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2263                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2264                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2265         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2266         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2267         /* Set level of messages printed to console */
2268         case SYSLOG_ACTION_CONSOLE_LEVEL:
2269                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2270                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2271                                     NULL);
2272         }
2273         /* All other syslog types */
2274         return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2275                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2276 }
2277
2278 /*
2279  * Check that a process has enough memory to allocate a new virtual
2280  * mapping. 0 means there is enough memory for the allocation to
2281  * succeed and -ENOMEM implies there is not.
2282  *
2283  * Do not audit the selinux permission check, as this is applied to all
2284  * processes that allocate mappings.
2285  */
2286 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2287 {
2288         int rc, cap_sys_admin = 0;
2289
2290         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2291                                  SECURITY_CAP_NOAUDIT, true);
2292         if (rc == 0)
2293                 cap_sys_admin = 1;
2294
2295         return cap_sys_admin;
2296 }
2297
2298 /* binprm security operations */
2299
2300 static u32 ptrace_parent_sid(void)
2301 {
2302         u32 sid = 0;
2303         struct task_struct *tracer;
2304
2305         rcu_read_lock();
2306         tracer = ptrace_parent(current);
2307         if (tracer)
2308                 sid = task_sid(tracer);
2309         rcu_read_unlock();
2310
2311         return sid;
2312 }
2313
2314 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2315                             const struct task_security_struct *old_tsec,
2316                             const struct task_security_struct *new_tsec)
2317 {
2318         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2319         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2320         int rc;
2321         u32 av;
2322
2323         if (!nnp && !nosuid)
2324                 return 0; /* neither NNP nor nosuid */
2325
2326         if (new_tsec->sid == old_tsec->sid)
2327                 return 0; /* No change in credentials */
2328
2329         /*
2330          * If the policy enables the nnp_nosuid_transition policy capability,
2331          * then we permit transitions under NNP or nosuid if the
2332          * policy allows the corresponding permission between
2333          * the old and new contexts.
2334          */
2335         if (selinux_policycap_nnp_nosuid_transition) {
2336                 av = 0;
2337                 if (nnp)
2338                         av |= PROCESS2__NNP_TRANSITION;
2339                 if (nosuid)
2340                         av |= PROCESS2__NOSUID_TRANSITION;
2341                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2342                                   SECCLASS_PROCESS2, av, NULL);
2343                 if (!rc)
2344                         return 0;
2345         }
2346
2347         /*
2348          * We also permit NNP or nosuid transitions to bounded SIDs,
2349          * i.e. SIDs that are guaranteed to only be allowed a subset
2350          * of the permissions of the current SID.
2351          */
2352         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2353         if (!rc)
2354                 return 0;
2355
2356         /*
2357          * On failure, preserve the errno values for NNP vs nosuid.
2358          * NNP:  Operation not permitted for caller.
2359          * nosuid:  Permission denied to file.
2360          */
2361         if (nnp)
2362                 return -EPERM;
2363         return -EACCES;
2364 }
2365
2366 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2367 {
2368         const struct task_security_struct *old_tsec;
2369         struct task_security_struct *new_tsec;
2370         struct inode_security_struct *isec;
2371         struct common_audit_data ad;
2372         struct inode *inode = file_inode(bprm->file);
2373         int rc;
2374
2375         /* SELinux context only depends on initial program or script and not
2376          * the script interpreter */
2377         if (bprm->cred_prepared)
2378                 return 0;
2379
2380         old_tsec = current_security();
2381         new_tsec = bprm->cred->security;
2382         isec = inode_security(inode);
2383
2384         /* Default to the current task SID. */
2385         new_tsec->sid = old_tsec->sid;
2386         new_tsec->osid = old_tsec->sid;
2387
2388         /* Reset fs, key, and sock SIDs on execve. */
2389         new_tsec->create_sid = 0;
2390         new_tsec->keycreate_sid = 0;
2391         new_tsec->sockcreate_sid = 0;
2392
2393         if (old_tsec->exec_sid) {
2394                 new_tsec->sid = old_tsec->exec_sid;
2395                 /* Reset exec SID on execve. */
2396                 new_tsec->exec_sid = 0;
2397
2398                 /* Fail on NNP or nosuid if not an allowed transition. */
2399                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2400                 if (rc)
2401                         return rc;
2402         } else {
2403                 /* Check for a default transition on this program. */
2404                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2405                                              SECCLASS_PROCESS, NULL,
2406                                              &new_tsec->sid);
2407                 if (rc)
2408                         return rc;
2409
2410                 /*
2411                  * Fallback to old SID on NNP or nosuid if not an allowed
2412                  * transition.
2413                  */
2414                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2415                 if (rc)
2416                         new_tsec->sid = old_tsec->sid;
2417         }
2418
2419         ad.type = LSM_AUDIT_DATA_FILE;
2420         ad.u.file = bprm->file;
2421
2422         if (new_tsec->sid == old_tsec->sid) {
2423                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2424                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2425                 if (rc)
2426                         return rc;
2427         } else {
2428                 /* Check permissions for the transition. */
2429                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2430                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2431                 if (rc)
2432                         return rc;
2433
2434                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2435                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2436                 if (rc)
2437                         return rc;
2438
2439                 /* Check for shared state */
2440                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2441                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2442                                           SECCLASS_PROCESS, PROCESS__SHARE,
2443                                           NULL);
2444                         if (rc)
2445                                 return -EPERM;
2446                 }
2447
2448                 /* Make sure that anyone attempting to ptrace over a task that
2449                  * changes its SID has the appropriate permit */
2450                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2451                         u32 ptsid = ptrace_parent_sid();
2452                         if (ptsid != 0) {
2453                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2454                                                   SECCLASS_PROCESS,
2455                                                   PROCESS__PTRACE, NULL);
2456                                 if (rc)
2457                                         return -EPERM;
2458                         }
2459                 }
2460
2461                 /* Clear any possibly unsafe personality bits on exec: */
2462                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2463         }
2464
2465         return 0;
2466 }
2467
2468 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2469 {
2470         const struct task_security_struct *tsec = current_security();
2471         u32 sid, osid;
2472         int atsecure = 0;
2473
2474         sid = tsec->sid;
2475         osid = tsec->osid;
2476
2477         if (osid != sid) {
2478                 /* Enable secure mode for SIDs transitions unless
2479                    the noatsecure permission is granted between
2480                    the two SIDs, i.e. ahp returns 0. */
2481                 atsecure = avc_has_perm(osid, sid,
2482                                         SECCLASS_PROCESS,
2483                                         PROCESS__NOATSECURE, NULL);
2484         }
2485
2486         return !!atsecure;
2487 }
2488
2489 static int match_file(const void *p, struct file *file, unsigned fd)
2490 {
2491         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2492 }
2493
2494 /* Derived from fs/exec.c:flush_old_files. */
2495 static inline void flush_unauthorized_files(const struct cred *cred,
2496                                             struct files_struct *files)
2497 {
2498         struct file *file, *devnull = NULL;
2499         struct tty_struct *tty;
2500         int drop_tty = 0;
2501         unsigned n;
2502
2503         tty = get_current_tty();
2504         if (tty) {
2505                 spin_lock(&tty->files_lock);
2506                 if (!list_empty(&tty->tty_files)) {
2507                         struct tty_file_private *file_priv;
2508
2509                         /* Revalidate access to controlling tty.
2510                            Use file_path_has_perm on the tty path directly
2511                            rather than using file_has_perm, as this particular
2512                            open file may belong to another process and we are
2513                            only interested in the inode-based check here. */
2514                         file_priv = list_first_entry(&tty->tty_files,
2515                                                 struct tty_file_private, list);
2516                         file = file_priv->file;
2517                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2518                                 drop_tty = 1;
2519                 }
2520                 spin_unlock(&tty->files_lock);
2521                 tty_kref_put(tty);
2522         }
2523         /* Reset controlling tty. */
2524         if (drop_tty)
2525                 no_tty();
2526
2527         /* Revalidate access to inherited open files. */
2528         n = iterate_fd(files, 0, match_file, cred);
2529         if (!n) /* none found? */
2530                 return;
2531
2532         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2533         if (IS_ERR(devnull))
2534                 devnull = NULL;
2535         /* replace all the matching ones with this */
2536         do {
2537                 replace_fd(n - 1, devnull, 0);
2538         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2539         if (devnull)
2540                 fput(devnull);
2541 }
2542
2543 /*
2544  * Prepare a process for imminent new credential changes due to exec
2545  */
2546 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2547 {
2548         struct task_security_struct *new_tsec;
2549         struct rlimit *rlim, *initrlim;
2550         int rc, i;
2551
2552         new_tsec = bprm->cred->security;
2553         if (new_tsec->sid == new_tsec->osid)
2554                 return;
2555
2556         /* Close files for which the new task SID is not authorized. */
2557         flush_unauthorized_files(bprm->cred, current->files);
2558
2559         /* Always clear parent death signal on SID transitions. */
2560         current->pdeath_signal = 0;
2561
2562         /* Check whether the new SID can inherit resource limits from the old
2563          * SID.  If not, reset all soft limits to the lower of the current
2564          * task's hard limit and the init task's soft limit.
2565          *
2566          * Note that the setting of hard limits (even to lower them) can be
2567          * controlled by the setrlimit check.  The inclusion of the init task's
2568          * soft limit into the computation is to avoid resetting soft limits
2569          * higher than the default soft limit for cases where the default is
2570          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2571          */
2572         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2573                           PROCESS__RLIMITINH, NULL);
2574         if (rc) {
2575                 /* protect against do_prlimit() */
2576                 task_lock(current);
2577                 for (i = 0; i < RLIM_NLIMITS; i++) {
2578                         rlim = current->signal->rlim + i;
2579                         initrlim = init_task.signal->rlim + i;
2580                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2581                 }
2582                 task_unlock(current);
2583                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2584                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2585         }
2586 }
2587
2588 /*
2589  * Clean up the process immediately after the installation of new credentials
2590  * due to exec
2591  */
2592 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2593 {
2594         const struct task_security_struct *tsec = current_security();
2595         struct itimerval itimer;
2596         u32 osid, sid;
2597         int rc, i;
2598
2599         osid = tsec->osid;
2600         sid = tsec->sid;
2601
2602         if (sid == osid)
2603                 return;
2604
2605         /* Check whether the new SID can inherit signal state from the old SID.
2606          * If not, clear itimers to avoid subsequent signal generation and
2607          * flush and unblock signals.
2608          *
2609          * This must occur _after_ the task SID has been updated so that any
2610          * kill done after the flush will be checked against the new SID.
2611          */
2612         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2613         if (rc) {
2614                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2615                         memset(&itimer, 0, sizeof itimer);
2616                         for (i = 0; i < 3; i++)
2617                                 do_setitimer(i, &itimer, NULL);
2618                 }
2619                 spin_lock_irq(&current->sighand->siglock);
2620                 if (!fatal_signal_pending(current)) {
2621                         flush_sigqueue(&current->pending);
2622                         flush_sigqueue(&current->signal->shared_pending);
2623                         flush_signal_handlers(current, 1);
2624                         sigemptyset(&current->blocked);
2625                         recalc_sigpending();
2626                 }
2627                 spin_unlock_irq(&current->sighand->siglock);
2628         }
2629
2630         /* Wake up the parent if it is waiting so that it can recheck
2631          * wait permission to the new task SID. */
2632         read_lock(&tasklist_lock);
2633         __wake_up_parent(current, current->real_parent);
2634         read_unlock(&tasklist_lock);
2635 }
2636
2637 /* superblock security operations */
2638
2639 static int selinux_sb_alloc_security(struct super_block *sb)
2640 {
2641         return superblock_alloc_security(sb);
2642 }
2643
2644 static void selinux_sb_free_security(struct super_block *sb)
2645 {
2646         superblock_free_security(sb);
2647 }
2648
2649 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2650 {
2651         if (plen > olen)
2652                 return 0;
2653
2654         return !memcmp(prefix, option, plen);
2655 }
2656
2657 static inline int selinux_option(char *option, int len)
2658 {
2659         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2660                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2661                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2662                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2663                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2664 }
2665
2666 static inline void take_option(char **to, char *from, int *first, int len)
2667 {
2668         if (!*first) {
2669                 **to = ',';
2670                 *to += 1;
2671         } else
2672                 *first = 0;
2673         memcpy(*to, from, len);
2674         *to += len;
2675 }
2676
2677 static inline void take_selinux_option(char **to, char *from, int *first,
2678                                        int len)
2679 {
2680         int current_size = 0;
2681
2682         if (!*first) {
2683                 **to = '|';
2684                 *to += 1;
2685         } else
2686                 *first = 0;
2687
2688         while (current_size < len) {
2689                 if (*from != '"') {
2690                         **to = *from;
2691                         *to += 1;
2692                 }
2693                 from += 1;
2694                 current_size += 1;
2695         }
2696 }
2697
2698 static int selinux_sb_copy_data(char *orig, char *copy)
2699 {
2700         int fnosec, fsec, rc = 0;
2701         char *in_save, *in_curr, *in_end;
2702         char *sec_curr, *nosec_save, *nosec;
2703         int open_quote = 0;
2704
2705         in_curr = orig;
2706         sec_curr = copy;
2707
2708         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2709         if (!nosec) {
2710                 rc = -ENOMEM;
2711                 goto out;
2712         }
2713
2714         nosec_save = nosec;
2715         fnosec = fsec = 1;
2716         in_save = in_end = orig;
2717
2718         do {
2719                 if (*in_end == '"')
2720                         open_quote = !open_quote;
2721                 if ((*in_end == ',' && open_quote == 0) ||
2722                                 *in_end == '\0') {
2723                         int len = in_end - in_curr;
2724
2725                         if (selinux_option(in_curr, len))
2726                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2727                         else
2728                                 take_option(&nosec, in_curr, &fnosec, len);
2729
2730                         in_curr = in_end + 1;
2731                 }
2732         } while (*in_end++);
2733
2734         strcpy(in_save, nosec_save);
2735         free_page((unsigned long)nosec_save);
2736 out:
2737         return rc;
2738 }
2739
2740 static int selinux_sb_remount(struct super_block *sb, void *data)
2741 {
2742         int rc, i, *flags;
2743         struct security_mnt_opts opts;
2744         char *secdata, **mount_options;
2745         struct superblock_security_struct *sbsec = sb->s_security;
2746
2747         if (!(sbsec->flags & SE_SBINITIALIZED))
2748                 return 0;
2749
2750         if (!data)
2751                 return 0;
2752
2753         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2754                 return 0;
2755
2756         security_init_mnt_opts(&opts);
2757         secdata = alloc_secdata();
2758         if (!secdata)
2759                 return -ENOMEM;
2760         rc = selinux_sb_copy_data(data, secdata);
2761         if (rc)
2762                 goto out_free_secdata;
2763
2764         rc = selinux_parse_opts_str(secdata, &opts);
2765         if (rc)
2766                 goto out_free_secdata;
2767
2768         mount_options = opts.mnt_opts;
2769         flags = opts.mnt_opts_flags;
2770
2771         for (i = 0; i < opts.num_mnt_opts; i++) {
2772                 u32 sid;
2773
2774                 if (flags[i] == SBLABEL_MNT)
2775                         continue;
2776                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2777                 if (rc) {
2778                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2779                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2780                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2781                         goto out_free_opts;
2782                 }
2783                 rc = -EINVAL;
2784                 switch (flags[i]) {
2785                 case FSCONTEXT_MNT:
2786                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2787                                 goto out_bad_option;
2788                         break;
2789                 case CONTEXT_MNT:
2790                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2791                                 goto out_bad_option;
2792                         break;
2793                 case ROOTCONTEXT_MNT: {
2794                         struct inode_security_struct *root_isec;
2795                         root_isec = backing_inode_security(sb->s_root);
2796
2797                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2798                                 goto out_bad_option;
2799                         break;
2800                 }
2801                 case DEFCONTEXT_MNT:
2802                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2803                                 goto out_bad_option;
2804                         break;
2805                 default:
2806                         goto out_free_opts;
2807                 }
2808         }
2809
2810         rc = 0;
2811 out_free_opts:
2812         security_free_mnt_opts(&opts);
2813 out_free_secdata:
2814         free_secdata(secdata);
2815         return rc;
2816 out_bad_option:
2817         printk(KERN_WARNING "SELinux: unable to change security options "
2818                "during remount (dev %s, type=%s)\n", sb->s_id,
2819                sb->s_type->name);
2820         goto out_free_opts;
2821 }
2822
2823 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2824 {
2825         const struct cred *cred = current_cred();
2826         struct common_audit_data ad;
2827         int rc;
2828
2829         rc = superblock_doinit(sb, data);
2830         if (rc)
2831                 return rc;
2832
2833         /* Allow all mounts performed by the kernel */
2834         if (flags & MS_KERNMOUNT)
2835                 return 0;
2836
2837         ad.type = LSM_AUDIT_DATA_DENTRY;
2838         ad.u.dentry = sb->s_root;
2839         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2840 }
2841
2842 static int selinux_sb_statfs(struct dentry *dentry)
2843 {
2844         const struct cred *cred = current_cred();
2845         struct common_audit_data ad;
2846
2847         ad.type = LSM_AUDIT_DATA_DENTRY;
2848         ad.u.dentry = dentry->d_sb->s_root;
2849         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2850 }
2851
2852 static int selinux_mount(const char *dev_name,
2853                          const struct path *path,
2854                          const char *type,
2855                          unsigned long flags,
2856                          void *data)
2857 {
2858         const struct cred *cred = current_cred();
2859
2860         if (flags & MS_REMOUNT)
2861                 return superblock_has_perm(cred, path->dentry->d_sb,
2862                                            FILESYSTEM__REMOUNT, NULL);
2863         else
2864                 return path_has_perm(cred, path, FILE__MOUNTON);
2865 }
2866
2867 static int selinux_umount(struct vfsmount *mnt, int flags)
2868 {
2869         const struct cred *cred = current_cred();
2870
2871         return superblock_has_perm(cred, mnt->mnt_sb,
2872                                    FILESYSTEM__UNMOUNT, NULL);
2873 }
2874
2875 /* inode security operations */
2876
2877 static int selinux_inode_alloc_security(struct inode *inode)
2878 {
2879         return inode_alloc_security(inode);
2880 }
2881
2882 static void selinux_inode_free_security(struct inode *inode)
2883 {
2884         inode_free_security(inode);
2885 }
2886
2887 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2888                                         const struct qstr *name, void **ctx,
2889                                         u32 *ctxlen)
2890 {
2891         u32 newsid;
2892         int rc;
2893
2894         rc = selinux_determine_inode_label(current_security(),
2895                                            d_inode(dentry->d_parent), name,
2896                                            inode_mode_to_security_class(mode),
2897                                            &newsid);
2898         if (rc)
2899                 return rc;
2900
2901         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2902 }
2903
2904 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2905                                           struct qstr *name,
2906                                           const struct cred *old,
2907                                           struct cred *new)
2908 {
2909         u32 newsid;
2910         int rc;
2911         struct task_security_struct *tsec;
2912
2913         rc = selinux_determine_inode_label(old->security,
2914                                            d_inode(dentry->d_parent), name,
2915                                            inode_mode_to_security_class(mode),
2916                                            &newsid);
2917         if (rc)
2918                 return rc;
2919
2920         tsec = new->security;
2921         tsec->create_sid = newsid;
2922         return 0;
2923 }
2924
2925 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2926                                        const struct qstr *qstr,
2927                                        const char **name,
2928                                        void **value, size_t *len)
2929 {
2930         const struct task_security_struct *tsec = current_security();
2931         struct superblock_security_struct *sbsec;
2932         u32 sid, newsid, clen;
2933         int rc;
2934         char *context;
2935
2936         sbsec = dir->i_sb->s_security;
2937
2938         sid = tsec->sid;
2939         newsid = tsec->create_sid;
2940
2941         rc = selinux_determine_inode_label(current_security(),
2942                 dir, qstr,
2943                 inode_mode_to_security_class(inode->i_mode),
2944                 &newsid);
2945         if (rc)
2946                 return rc;
2947
2948         /* Possibly defer initialization to selinux_complete_init. */
2949         if (sbsec->flags & SE_SBINITIALIZED) {
2950                 struct inode_security_struct *isec = inode->i_security;
2951                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2952                 isec->sid = newsid;
2953                 isec->initialized = LABEL_INITIALIZED;
2954         }
2955
2956         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2957                 return -EOPNOTSUPP;
2958
2959         if (name)
2960                 *name = XATTR_SELINUX_SUFFIX;
2961
2962         if (value && len) {
2963                 rc = security_sid_to_context_force(newsid, &context, &clen);
2964                 if (rc)
2965                         return rc;
2966                 *value = context;
2967                 *len = clen;
2968         }
2969
2970         return 0;
2971 }
2972
2973 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2974 {
2975         return may_create(dir, dentry, SECCLASS_FILE);
2976 }
2977
2978 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2979 {
2980         return may_link(dir, old_dentry, MAY_LINK);
2981 }
2982
2983 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2984 {
2985         return may_link(dir, dentry, MAY_UNLINK);
2986 }
2987
2988 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2989 {
2990         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2991 }
2992
2993 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2994 {
2995         return may_create(dir, dentry, SECCLASS_DIR);
2996 }
2997
2998 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2999 {
3000         return may_link(dir, dentry, MAY_RMDIR);
3001 }
3002
3003 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3004 {
3005         return may_create(dir, dentry, inode_mode_to_security_class(mode));
3006 }
3007
3008 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3009                                 struct inode *new_inode, struct dentry *new_dentry)
3010 {
3011         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3012 }
3013
3014 static int selinux_inode_readlink(struct dentry *dentry)
3015 {
3016         const struct cred *cred = current_cred();
3017
3018         return dentry_has_perm(cred, dentry, FILE__READ);
3019 }
3020
3021 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3022                                      bool rcu)
3023 {
3024         const struct cred *cred = current_cred();
3025         struct common_audit_data ad;
3026         struct inode_security_struct *isec;
3027         u32 sid;
3028
3029         validate_creds(cred);
3030
3031         ad.type = LSM_AUDIT_DATA_DENTRY;
3032         ad.u.dentry = dentry;
3033         sid = cred_sid(cred);
3034         isec = inode_security_rcu(inode, rcu);
3035         if (IS_ERR(isec))
3036                 return PTR_ERR(isec);
3037
3038         return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3039                                   rcu ? MAY_NOT_BLOCK : 0);
3040 }
3041
3042 static noinline int audit_inode_permission(struct inode *inode,
3043                                            u32 perms, u32 audited, u32 denied,
3044                                            int result,
3045                                            unsigned flags)
3046 {
3047         struct common_audit_data ad;
3048         struct inode_security_struct *isec = inode->i_security;
3049         int rc;
3050
3051         ad.type = LSM_AUDIT_DATA_INODE;
3052         ad.u.inode = inode;
3053
3054         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3055                             audited, denied, result, &ad, flags);
3056         if (rc)
3057                 return rc;
3058         return 0;
3059 }
3060
3061 static int selinux_inode_permission(struct inode *inode, int mask)
3062 {
3063         const struct cred *cred = current_cred();
3064         u32 perms;
3065         bool from_access;
3066         unsigned flags = mask & MAY_NOT_BLOCK;
3067         struct inode_security_struct *isec;
3068         u32 sid;
3069         struct av_decision avd;
3070         int rc, rc2;
3071         u32 audited, denied;
3072
3073         from_access = mask & MAY_ACCESS;
3074         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3075
3076         /* No permission to check.  Existence test. */
3077         if (!mask)
3078                 return 0;
3079
3080         validate_creds(cred);
3081
3082         if (unlikely(IS_PRIVATE(inode)))
3083                 return 0;
3084
3085         perms = file_mask_to_av(inode->i_mode, mask);
3086
3087         sid = cred_sid(cred);
3088         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3089         if (IS_ERR(isec))
3090                 return PTR_ERR(isec);
3091
3092         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3093         audited = avc_audit_required(perms, &avd, rc,
3094                                      from_access ? FILE__AUDIT_ACCESS : 0,
3095                                      &denied);
3096         if (likely(!audited))
3097                 return rc;
3098
3099         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3100         if (rc2)
3101                 return rc2;
3102         return rc;
3103 }
3104
3105 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3106 {
3107         const struct cred *cred = current_cred();
3108         struct inode *inode = d_backing_inode(dentry);
3109         unsigned int ia_valid = iattr->ia_valid;
3110         __u32 av = FILE__WRITE;
3111
3112         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3113         if (ia_valid & ATTR_FORCE) {
3114                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3115                               ATTR_FORCE);
3116                 if (!ia_valid)
3117                         return 0;
3118         }
3119
3120         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3121                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3122                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3123
3124         if (selinux_policycap_openperm &&
3125             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3126             (ia_valid & ATTR_SIZE) &&
3127             !(ia_valid & ATTR_FILE))
3128                 av |= FILE__OPEN;
3129
3130         return dentry_has_perm(cred, dentry, av);
3131 }
3132
3133 static int selinux_inode_getattr(const struct path *path)
3134 {
3135         return path_has_perm(current_cred(), path, FILE__GETATTR);
3136 }
3137
3138 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3139 {
3140         const struct cred *cred = current_cred();
3141
3142         if (!strncmp(name, XATTR_SECURITY_PREFIX,
3143                      sizeof XATTR_SECURITY_PREFIX - 1)) {
3144                 if (!strcmp(name, XATTR_NAME_CAPS)) {
3145                         if (!capable(CAP_SETFCAP))
3146                                 return -EPERM;
3147                 } else if (!capable(CAP_SYS_ADMIN)) {
3148                         /* A different attribute in the security namespace.
3149                            Restrict to administrator. */
3150                         return -EPERM;
3151                 }
3152         }
3153
3154         /* Not an attribute we recognize, so just check the
3155            ordinary setattr permission. */
3156         return dentry_has_perm(cred, dentry, FILE__SETATTR);
3157 }
3158
3159 static bool has_cap_mac_admin(bool audit)
3160 {
3161         const struct cred *cred = current_cred();
3162         int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3163
3164         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3165                 return false;
3166         if (cred_has_capability(cred, CAP_MAC_ADMIN, ca