selinux: constify nf_hook_ops
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *      This program is free software; you can redistribute it and/or modify
23  *      it under the terms of the GNU General Public License version 2,
24  *      as published by the Free Software Foundation.
25  */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>             /* for local_port_range[] */
56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>    /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h>           /* for Unix socket types */
72 #include <net/af_unix.h>        /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88
89 #include "avc.h"
90 #include "objsec.h"
91 #include "netif.h"
92 #include "netnode.h"
93 #include "netport.h"
94 #include "ibpkey.h"
95 #include "xfrm.h"
96 #include "netlabel.h"
97 #include "audit.h"
98 #include "avc_ss.h"
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!kstrtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!kstrtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
133
134 /**
135  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136  *
137  * Description:
138  * This function checks the SECMARK reference counter to see if any SECMARK
139  * targets are currently configured, if the reference counter is greater than
140  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
141  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
142  * policy capability is enabled, SECMARK is always considered enabled.
143  *
144  */
145 static int selinux_secmark_enabled(void)
146 {
147         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 }
149
150 /**
151  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152  *
153  * Description:
154  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
155  * (1) if any are enabled or false (0) if neither are enabled.  If the
156  * always_check_network policy capability is enabled, peer labeling
157  * is always considered enabled.
158  *
159  */
160 static int selinux_peerlbl_enabled(void)
161 {
162         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
163 }
164
165 static int selinux_netcache_avc_callback(u32 event)
166 {
167         if (event == AVC_CALLBACK_RESET) {
168                 sel_netif_flush();
169                 sel_netnode_flush();
170                 sel_netport_flush();
171                 synchronize_net();
172         }
173         return 0;
174 }
175
176 static int selinux_lsm_notifier_avc_callback(u32 event)
177 {
178         if (event == AVC_CALLBACK_RESET) {
179                 sel_ib_pkey_flush();
180                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
181         }
182
183         return 0;
184 }
185
186 /*
187  * initialise the security for the init task
188  */
189 static void cred_init_security(void)
190 {
191         struct cred *cred = (struct cred *) current->real_cred;
192         struct task_security_struct *tsec;
193
194         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
195         if (!tsec)
196                 panic("SELinux:  Failed to initialize initial task.\n");
197
198         tsec->osid = tsec->sid = SECINITSID_KERNEL;
199         cred->security = tsec;
200 }
201
202 /*
203  * get the security ID of a set of credentials
204  */
205 static inline u32 cred_sid(const struct cred *cred)
206 {
207         const struct task_security_struct *tsec;
208
209         tsec = cred->security;
210         return tsec->sid;
211 }
212
213 /*
214  * get the objective security ID of a task
215  */
216 static inline u32 task_sid(const struct task_struct *task)
217 {
218         u32 sid;
219
220         rcu_read_lock();
221         sid = cred_sid(__task_cred(task));
222         rcu_read_unlock();
223         return sid;
224 }
225
226 /* Allocate and free functions for each kind of security blob. */
227
228 static int inode_alloc_security(struct inode *inode)
229 {
230         struct inode_security_struct *isec;
231         u32 sid = current_sid();
232
233         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234         if (!isec)
235                 return -ENOMEM;
236
237         spin_lock_init(&isec->lock);
238         INIT_LIST_HEAD(&isec->list);
239         isec->inode = inode;
240         isec->sid = SECINITSID_UNLABELED;
241         isec->sclass = SECCLASS_FILE;
242         isec->task_sid = sid;
243         isec->initialized = LABEL_INVALID;
244         inode->i_security = isec;
245
246         return 0;
247 }
248
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250
251 /*
252  * Try reloading inode security labels that have been marked as invalid.  The
253  * @may_sleep parameter indicates when sleeping and thus reloading labels is
254  * allowed; when set to false, returns -ECHILD when the label is
255  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
256  * when no dentry is available, set it to NULL instead.
257  */
258 static int __inode_security_revalidate(struct inode *inode,
259                                        struct dentry *opt_dentry,
260                                        bool may_sleep)
261 {
262         struct inode_security_struct *isec = inode->i_security;
263
264         might_sleep_if(may_sleep);
265
266         if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
267                 if (!may_sleep)
268                         return -ECHILD;
269
270                 /*
271                  * Try reloading the inode security label.  This will fail if
272                  * @opt_dentry is NULL and no dentry for this inode can be
273                  * found; in that case, continue using the old label.
274                  */
275                 inode_doinit_with_dentry(inode, opt_dentry);
276         }
277         return 0;
278 }
279
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
281 {
282         return inode->i_security;
283 }
284
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286 {
287         int error;
288
289         error = __inode_security_revalidate(inode, NULL, !rcu);
290         if (error)
291                 return ERR_PTR(error);
292         return inode->i_security;
293 }
294
295 /*
296  * Get the security label of an inode.
297  */
298 static struct inode_security_struct *inode_security(struct inode *inode)
299 {
300         __inode_security_revalidate(inode, NULL, true);
301         return inode->i_security;
302 }
303
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
305 {
306         struct inode *inode = d_backing_inode(dentry);
307
308         return inode->i_security;
309 }
310
311 /*
312  * Get the security label of a dentry's backing inode.
313  */
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
315 {
316         struct inode *inode = d_backing_inode(dentry);
317
318         __inode_security_revalidate(inode, dentry, true);
319         return inode->i_security;
320 }
321
322 static void inode_free_rcu(struct rcu_head *head)
323 {
324         struct inode_security_struct *isec;
325
326         isec = container_of(head, struct inode_security_struct, rcu);
327         kmem_cache_free(sel_inode_cache, isec);
328 }
329
330 static void inode_free_security(struct inode *inode)
331 {
332         struct inode_security_struct *isec = inode->i_security;
333         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
334
335         /*
336          * As not all inode security structures are in a list, we check for
337          * empty list outside of the lock to make sure that we won't waste
338          * time taking a lock doing nothing.
339          *
340          * The list_del_init() function can be safely called more than once.
341          * It should not be possible for this function to be called with
342          * concurrent list_add(), but for better safety against future changes
343          * in the code, we use list_empty_careful() here.
344          */
345         if (!list_empty_careful(&isec->list)) {
346                 spin_lock(&sbsec->isec_lock);
347                 list_del_init(&isec->list);
348                 spin_unlock(&sbsec->isec_lock);
349         }
350
351         /*
352          * The inode may still be referenced in a path walk and
353          * a call to selinux_inode_permission() can be made
354          * after inode_free_security() is called. Ideally, the VFS
355          * wouldn't do this, but fixing that is a much harder
356          * job. For now, simply free the i_security via RCU, and
357          * leave the current inode->i_security pointer intact.
358          * The inode will be freed after the RCU grace period too.
359          */
360         call_rcu(&isec->rcu, inode_free_rcu);
361 }
362
363 static int file_alloc_security(struct file *file)
364 {
365         struct file_security_struct *fsec;
366         u32 sid = current_sid();
367
368         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
369         if (!fsec)
370                 return -ENOMEM;
371
372         fsec->sid = sid;
373         fsec->fown_sid = sid;
374         file->f_security = fsec;
375
376         return 0;
377 }
378
379 static void file_free_security(struct file *file)
380 {
381         struct file_security_struct *fsec = file->f_security;
382         file->f_security = NULL;
383         kmem_cache_free(file_security_cache, fsec);
384 }
385
386 static int superblock_alloc_security(struct super_block *sb)
387 {
388         struct superblock_security_struct *sbsec;
389
390         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
391         if (!sbsec)
392                 return -ENOMEM;
393
394         mutex_init(&sbsec->lock);
395         INIT_LIST_HEAD(&sbsec->isec_head);
396         spin_lock_init(&sbsec->isec_lock);
397         sbsec->sb = sb;
398         sbsec->sid = SECINITSID_UNLABELED;
399         sbsec->def_sid = SECINITSID_FILE;
400         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401         sb->s_security = sbsec;
402
403         return 0;
404 }
405
406 static void superblock_free_security(struct super_block *sb)
407 {
408         struct superblock_security_struct *sbsec = sb->s_security;
409         sb->s_security = NULL;
410         kfree(sbsec);
411 }
412
413 static inline int inode_doinit(struct inode *inode)
414 {
415         return inode_doinit_with_dentry(inode, NULL);
416 }
417
418 enum {
419         Opt_error = -1,
420         Opt_context = 1,
421         Opt_fscontext = 2,
422         Opt_defcontext = 3,
423         Opt_rootcontext = 4,
424         Opt_labelsupport = 5,
425         Opt_nextmntopt = 6,
426 };
427
428 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
429
430 static const match_table_t tokens = {
431         {Opt_context, CONTEXT_STR "%s"},
432         {Opt_fscontext, FSCONTEXT_STR "%s"},
433         {Opt_defcontext, DEFCONTEXT_STR "%s"},
434         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435         {Opt_labelsupport, LABELSUPP_STR},
436         {Opt_error, NULL},
437 };
438
439 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
440
441 static int may_context_mount_sb_relabel(u32 sid,
442                         struct superblock_security_struct *sbsec,
443                         const struct cred *cred)
444 {
445         const struct task_security_struct *tsec = cred->security;
446         int rc;
447
448         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449                           FILESYSTEM__RELABELFROM, NULL);
450         if (rc)
451                 return rc;
452
453         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454                           FILESYSTEM__RELABELTO, NULL);
455         return rc;
456 }
457
458 static int may_context_mount_inode_relabel(u32 sid,
459                         struct superblock_security_struct *sbsec,
460                         const struct cred *cred)
461 {
462         const struct task_security_struct *tsec = cred->security;
463         int rc;
464         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465                           FILESYSTEM__RELABELFROM, NULL);
466         if (rc)
467                 return rc;
468
469         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470                           FILESYSTEM__ASSOCIATE, NULL);
471         return rc;
472 }
473
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
475 {
476         struct superblock_security_struct *sbsec = sb->s_security;
477
478         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480                 sbsec->behavior == SECURITY_FS_USE_TASK ||
481                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482                 /* Special handling. Genfs but also in-core setxattr handler */
483                 !strcmp(sb->s_type->name, "sysfs") ||
484                 !strcmp(sb->s_type->name, "pstore") ||
485                 !strcmp(sb->s_type->name, "debugfs") ||
486                 !strcmp(sb->s_type->name, "tracefs") ||
487                 !strcmp(sb->s_type->name, "rootfs") ||
488                 (selinux_policycap_cgroupseclabel &&
489                  (!strcmp(sb->s_type->name, "cgroup") ||
490                   !strcmp(sb->s_type->name, "cgroup2")));
491 }
492
493 static int sb_finish_set_opts(struct super_block *sb)
494 {
495         struct superblock_security_struct *sbsec = sb->s_security;
496         struct dentry *root = sb->s_root;
497         struct inode *root_inode = d_backing_inode(root);
498         int rc = 0;
499
500         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501                 /* Make sure that the xattr handler exists and that no
502                    error other than -ENODATA is returned by getxattr on
503                    the root directory.  -ENODATA is ok, as this may be
504                    the first boot of the SELinux kernel before we have
505                    assigned xattr values to the filesystem. */
506                 if (!(root_inode->i_opflags & IOP_XATTR)) {
507                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508                                "xattr support\n", sb->s_id, sb->s_type->name);
509                         rc = -EOPNOTSUPP;
510                         goto out;
511                 }
512
513                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514                 if (rc < 0 && rc != -ENODATA) {
515                         if (rc == -EOPNOTSUPP)
516                                 printk(KERN_WARNING "SELinux: (dev %s, type "
517                                        "%s) has no security xattr handler\n",
518                                        sb->s_id, sb->s_type->name);
519                         else
520                                 printk(KERN_WARNING "SELinux: (dev %s, type "
521                                        "%s) getxattr errno %d\n", sb->s_id,
522                                        sb->s_type->name, -rc);
523                         goto out;
524                 }
525         }
526
527         sbsec->flags |= SE_SBINITIALIZED;
528
529         /*
530          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
531          * leave the flag untouched because sb_clone_mnt_opts might be handing
532          * us a superblock that needs the flag to be cleared.
533          */
534         if (selinux_is_sblabel_mnt(sb))
535                 sbsec->flags |= SBLABEL_MNT;
536         else
537                 sbsec->flags &= ~SBLABEL_MNT;
538
539         /* Initialize the root inode. */
540         rc = inode_doinit_with_dentry(root_inode, root);
541
542         /* Initialize any other inodes associated with the superblock, e.g.
543            inodes created prior to initial policy load or inodes created
544            during get_sb by a pseudo filesystem that directly
545            populates itself. */
546         spin_lock(&sbsec->isec_lock);
547 next_inode:
548         if (!list_empty(&sbsec->isec_head)) {
549                 struct inode_security_struct *isec =
550                                 list_entry(sbsec->isec_head.next,
551                                            struct inode_security_struct, list);
552                 struct inode *inode = isec->inode;
553                 list_del_init(&isec->list);
554                 spin_unlock(&sbsec->isec_lock);
555                 inode = igrab(inode);
556                 if (inode) {
557                         if (!IS_PRIVATE(inode))
558                                 inode_doinit(inode);
559                         iput(inode);
560                 }
561                 spin_lock(&sbsec->isec_lock);
562                 goto next_inode;
563         }
564         spin_unlock(&sbsec->isec_lock);
565 out:
566         return rc;
567 }
568
569 /*
570  * This function should allow an FS to ask what it's mount security
571  * options were so it can use those later for submounts, displaying
572  * mount options, or whatever.
573  */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575                                 struct security_mnt_opts *opts)
576 {
577         int rc = 0, i;
578         struct superblock_security_struct *sbsec = sb->s_security;
579         char *context = NULL;
580         u32 len;
581         char tmp;
582
583         security_init_mnt_opts(opts);
584
585         if (!(sbsec->flags & SE_SBINITIALIZED))
586                 return -EINVAL;
587
588         if (!ss_initialized)
589                 return -EINVAL;
590
591         /* make sure we always check enough bits to cover the mask */
592         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
594         tmp = sbsec->flags & SE_MNTMASK;
595         /* count the number of mount options for this sb */
596         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597                 if (tmp & 0x01)
598                         opts->num_mnt_opts++;
599                 tmp >>= 1;
600         }
601         /* Check if the Label support flag is set */
602         if (sbsec->flags & SBLABEL_MNT)
603                 opts->num_mnt_opts++;
604
605         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606         if (!opts->mnt_opts) {
607                 rc = -ENOMEM;
608                 goto out_free;
609         }
610
611         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612         if (!opts->mnt_opts_flags) {
613                 rc = -ENOMEM;
614                 goto out_free;
615         }
616
617         i = 0;
618         if (sbsec->flags & FSCONTEXT_MNT) {
619                 rc = security_sid_to_context(sbsec->sid, &context, &len);
620                 if (rc)
621                         goto out_free;
622                 opts->mnt_opts[i] = context;
623                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624         }
625         if (sbsec->flags & CONTEXT_MNT) {
626                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627                 if (rc)
628                         goto out_free;
629                 opts->mnt_opts[i] = context;
630                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631         }
632         if (sbsec->flags & DEFCONTEXT_MNT) {
633                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634                 if (rc)
635                         goto out_free;
636                 opts->mnt_opts[i] = context;
637                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638         }
639         if (sbsec->flags & ROOTCONTEXT_MNT) {
640                 struct dentry *root = sbsec->sb->s_root;
641                 struct inode_security_struct *isec = backing_inode_security(root);
642
643                 rc = security_sid_to_context(isec->sid, &context, &len);
644                 if (rc)
645                         goto out_free;
646                 opts->mnt_opts[i] = context;
647                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648         }
649         if (sbsec->flags & SBLABEL_MNT) {
650                 opts->mnt_opts[i] = NULL;
651                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652         }
653
654         BUG_ON(i != opts->num_mnt_opts);
655
656         return 0;
657
658 out_free:
659         security_free_mnt_opts(opts);
660         return rc;
661 }
662
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664                       u32 old_sid, u32 new_sid)
665 {
666         char mnt_flags = sbsec->flags & SE_MNTMASK;
667
668         /* check if the old mount command had the same options */
669         if (sbsec->flags & SE_SBINITIALIZED)
670                 if (!(sbsec->flags & flag) ||
671                     (old_sid != new_sid))
672                         return 1;
673
674         /* check if we were passed the same options twice,
675          * aka someone passed context=a,context=b
676          */
677         if (!(sbsec->flags & SE_SBINITIALIZED))
678                 if (mnt_flags & flag)
679                         return 1;
680         return 0;
681 }
682
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688                                 struct security_mnt_opts *opts,
689                                 unsigned long kern_flags,
690                                 unsigned long *set_kern_flags)
691 {
692         const struct cred *cred = current_cred();
693         int rc = 0, i;
694         struct superblock_security_struct *sbsec = sb->s_security;
695         const char *name = sb->s_type->name;
696         struct dentry *root = sbsec->sb->s_root;
697         struct inode_security_struct *root_isec;
698         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699         u32 defcontext_sid = 0;
700         char **mount_options = opts->mnt_opts;
701         int *flags = opts->mnt_opts_flags;
702         int num_opts = opts->num_mnt_opts;
703
704         mutex_lock(&sbsec->lock);
705
706         if (!ss_initialized) {
707                 if (!num_opts) {
708                         /* Defer initialization until selinux_complete_init,
709                            after the initial policy is loaded and the security
710                            server is ready to handle calls. */
711                         goto out;
712                 }
713                 rc = -EINVAL;
714                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715                         "before the security server is initialized\n");
716                 goto out;
717         }
718         if (kern_flags && !set_kern_flags) {
719                 /* Specifying internal flags without providing a place to
720                  * place the results is not allowed */
721                 rc = -EINVAL;
722                 goto out;
723         }
724
725         /*
726          * Binary mount data FS will come through this function twice.  Once
727          * from an explicit call and once from the generic calls from the vfs.
728          * Since the generic VFS calls will not contain any security mount data
729          * we need to skip the double mount verification.
730          *
731          * This does open a hole in which we will not notice if the first
732          * mount using this sb set explict options and a second mount using
733          * this sb does not set any security options.  (The first options
734          * will be used for both mounts)
735          */
736         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737             && (num_opts == 0))
738                 goto out;
739
740         root_isec = backing_inode_security_novalidate(root);
741
742         /*
743          * parse the mount options, check if they are valid sids.
744          * also check if someone is trying to mount the same sb more
745          * than once with different security options.
746          */
747         for (i = 0; i < num_opts; i++) {
748                 u32 sid;
749
750                 if (flags[i] == SBLABEL_MNT)
751                         continue;
752                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753                 if (rc) {
754                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755                                "(%s) failed for (dev %s, type %s) errno=%d\n",
756                                mount_options[i], sb->s_id, name, rc);
757                         goto out;
758                 }
759                 switch (flags[i]) {
760                 case FSCONTEXT_MNT:
761                         fscontext_sid = sid;
762
763                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764                                         fscontext_sid))
765                                 goto out_double_mount;
766
767                         sbsec->flags |= FSCONTEXT_MNT;
768                         break;
769                 case CONTEXT_MNT:
770                         context_sid = sid;
771
772                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773                                         context_sid))
774                                 goto out_double_mount;
775
776                         sbsec->flags |= CONTEXT_MNT;
777                         break;
778                 case ROOTCONTEXT_MNT:
779                         rootcontext_sid = sid;
780
781                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782                                         rootcontext_sid))
783                                 goto out_double_mount;
784
785                         sbsec->flags |= ROOTCONTEXT_MNT;
786
787                         break;
788                 case DEFCONTEXT_MNT:
789                         defcontext_sid = sid;
790
791                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792                                         defcontext_sid))
793                                 goto out_double_mount;
794
795                         sbsec->flags |= DEFCONTEXT_MNT;
796
797                         break;
798                 default:
799                         rc = -EINVAL;
800                         goto out;
801                 }
802         }
803
804         if (sbsec->flags & SE_SBINITIALIZED) {
805                 /* previously mounted with options, but not on this attempt? */
806                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807                         goto out_double_mount;
808                 rc = 0;
809                 goto out;
810         }
811
812         if (strcmp(sb->s_type->name, "proc") == 0)
813                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
815         if (!strcmp(sb->s_type->name, "debugfs") ||
816             !strcmp(sb->s_type->name, "tracefs") ||
817             !strcmp(sb->s_type->name, "sysfs") ||
818             !strcmp(sb->s_type->name, "pstore") ||
819             !strcmp(sb->s_type->name, "cgroup") ||
820             !strcmp(sb->s_type->name, "cgroup2"))
821                 sbsec->flags |= SE_SBGENFS;
822
823         if (!sbsec->behavior) {
824                 /*
825                  * Determine the labeling behavior to use for this
826                  * filesystem type.
827                  */
828                 rc = security_fs_use(sb);
829                 if (rc) {
830                         printk(KERN_WARNING
831                                 "%s: security_fs_use(%s) returned %d\n",
832                                         __func__, sb->s_type->name, rc);
833                         goto out;
834                 }
835         }
836
837         /*
838          * If this is a user namespace mount and the filesystem type is not
839          * explicitly whitelisted, then no contexts are allowed on the command
840          * line and security labels must be ignored.
841          */
842         if (sb->s_user_ns != &init_user_ns &&
843             strcmp(sb->s_type->name, "tmpfs") &&
844             strcmp(sb->s_type->name, "ramfs") &&
845             strcmp(sb->s_type->name, "devpts")) {
846                 if (context_sid || fscontext_sid || rootcontext_sid ||
847                     defcontext_sid) {
848                         rc = -EACCES;
849                         goto out;
850                 }
851                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
852                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
853                         rc = security_transition_sid(current_sid(), current_sid(),
854                                                      SECCLASS_FILE, NULL,
855                                                      &sbsec->mntpoint_sid);
856                         if (rc)
857                                 goto out;
858                 }
859                 goto out_set_opts;
860         }
861
862         /* sets the context of the superblock for the fs being mounted. */
863         if (fscontext_sid) {
864                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
865                 if (rc)
866                         goto out;
867
868                 sbsec->sid = fscontext_sid;
869         }
870
871         /*
872          * Switch to using mount point labeling behavior.
873          * sets the label used on all file below the mountpoint, and will set
874          * the superblock context if not already set.
875          */
876         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
877                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
878                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
879         }
880
881         if (context_sid) {
882                 if (!fscontext_sid) {
883                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
884                                                           cred);
885                         if (rc)
886                                 goto out;
887                         sbsec->sid = context_sid;
888                 } else {
889                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
890                                                              cred);
891                         if (rc)
892                                 goto out;
893                 }
894                 if (!rootcontext_sid)
895                         rootcontext_sid = context_sid;
896
897                 sbsec->mntpoint_sid = context_sid;
898                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
899         }
900
901         if (rootcontext_sid) {
902                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
903                                                      cred);
904                 if (rc)
905                         goto out;
906
907                 root_isec->sid = rootcontext_sid;
908                 root_isec->initialized = LABEL_INITIALIZED;
909         }
910
911         if (defcontext_sid) {
912                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
913                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
914                         rc = -EINVAL;
915                         printk(KERN_WARNING "SELinux: defcontext option is "
916                                "invalid for this filesystem type\n");
917                         goto out;
918                 }
919
920                 if (defcontext_sid != sbsec->def_sid) {
921                         rc = may_context_mount_inode_relabel(defcontext_sid,
922                                                              sbsec, cred);
923                         if (rc)
924                                 goto out;
925                 }
926
927                 sbsec->def_sid = defcontext_sid;
928         }
929
930 out_set_opts:
931         rc = sb_finish_set_opts(sb);
932 out:
933         mutex_unlock(&sbsec->lock);
934         return rc;
935 out_double_mount:
936         rc = -EINVAL;
937         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
938                "security settings for (dev %s, type %s)\n", sb->s_id, name);
939         goto out;
940 }
941
942 static int selinux_cmp_sb_context(const struct super_block *oldsb,
943                                     const struct super_block *newsb)
944 {
945         struct superblock_security_struct *old = oldsb->s_security;
946         struct superblock_security_struct *new = newsb->s_security;
947         char oldflags = old->flags & SE_MNTMASK;
948         char newflags = new->flags & SE_MNTMASK;
949
950         if (oldflags != newflags)
951                 goto mismatch;
952         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
953                 goto mismatch;
954         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
955                 goto mismatch;
956         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
957                 goto mismatch;
958         if (oldflags & ROOTCONTEXT_MNT) {
959                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
960                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
961                 if (oldroot->sid != newroot->sid)
962                         goto mismatch;
963         }
964         return 0;
965 mismatch:
966         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
967                             "different security settings for (dev %s, "
968                             "type %s)\n", newsb->s_id, newsb->s_type->name);
969         return -EBUSY;
970 }
971
972 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
973                                         struct super_block *newsb,
974                                         unsigned long kern_flags,
975                                         unsigned long *set_kern_flags)
976 {
977         int rc = 0;
978         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
979         struct superblock_security_struct *newsbsec = newsb->s_security;
980
981         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
982         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
983         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
984
985         /*
986          * if the parent was able to be mounted it clearly had no special lsm
987          * mount options.  thus we can safely deal with this superblock later
988          */
989         if (!ss_initialized)
990                 return 0;
991
992         /*
993          * Specifying internal flags without providing a place to
994          * place the results is not allowed.
995          */
996         if (kern_flags && !set_kern_flags)
997                 return -EINVAL;
998
999         /* how can we clone if the old one wasn't set up?? */
1000         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1001
1002         /* if fs is reusing a sb, make sure that the contexts match */
1003         if (newsbsec->flags & SE_SBINITIALIZED)
1004                 return selinux_cmp_sb_context(oldsb, newsb);
1005
1006         mutex_lock(&newsbsec->lock);
1007
1008         newsbsec->flags = oldsbsec->flags;
1009
1010         newsbsec->sid = oldsbsec->sid;
1011         newsbsec->def_sid = oldsbsec->def_sid;
1012         newsbsec->behavior = oldsbsec->behavior;
1013
1014         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1015                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1016                 rc = security_fs_use(newsb);
1017                 if (rc)
1018                         goto out;
1019         }
1020
1021         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1022                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1023                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1024         }
1025
1026         if (set_context) {
1027                 u32 sid = oldsbsec->mntpoint_sid;
1028
1029                 if (!set_fscontext)
1030                         newsbsec->sid = sid;
1031                 if (!set_rootcontext) {
1032                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1033                         newisec->sid = sid;
1034                 }
1035                 newsbsec->mntpoint_sid = sid;
1036         }
1037         if (set_rootcontext) {
1038                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1039                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1040
1041                 newisec->sid = oldisec->sid;
1042         }
1043
1044         sb_finish_set_opts(newsb);
1045 out:
1046         mutex_unlock(&newsbsec->lock);
1047         return rc;
1048 }
1049
1050 static int selinux_parse_opts_str(char *options,
1051                                   struct security_mnt_opts *opts)
1052 {
1053         char *p;
1054         char *context = NULL, *defcontext = NULL;
1055         char *fscontext = NULL, *rootcontext = NULL;
1056         int rc, num_mnt_opts = 0;
1057
1058         opts->num_mnt_opts = 0;
1059
1060         /* Standard string-based options. */
1061         while ((p = strsep(&options, "|")) != NULL) {
1062                 int token;
1063                 substring_t args[MAX_OPT_ARGS];
1064
1065                 if (!*p)
1066                         continue;
1067
1068                 token = match_token(p, tokens, args);
1069
1070                 switch (token) {
1071                 case Opt_context:
1072                         if (context || defcontext) {
1073                                 rc = -EINVAL;
1074                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1075                                 goto out_err;
1076                         }
1077                         context = match_strdup(&args[0]);
1078                         if (!context) {
1079                                 rc = -ENOMEM;
1080                                 goto out_err;
1081                         }
1082                         break;
1083
1084                 case Opt_fscontext:
1085                         if (fscontext) {
1086                                 rc = -EINVAL;
1087                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1088                                 goto out_err;
1089                         }
1090                         fscontext = match_strdup(&args[0]);
1091                         if (!fscontext) {
1092                                 rc = -ENOMEM;
1093                                 goto out_err;
1094                         }
1095                         break;
1096
1097                 case Opt_rootcontext:
1098                         if (rootcontext) {
1099                                 rc = -EINVAL;
1100                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1101                                 goto out_err;
1102                         }
1103                         rootcontext = match_strdup(&args[0]);
1104                         if (!rootcontext) {
1105                                 rc = -ENOMEM;
1106                                 goto out_err;
1107                         }
1108                         break;
1109
1110                 case Opt_defcontext:
1111                         if (context || defcontext) {
1112                                 rc = -EINVAL;
1113                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1114                                 goto out_err;
1115                         }
1116                         defcontext = match_strdup(&args[0]);
1117                         if (!defcontext) {
1118                                 rc = -ENOMEM;
1119                                 goto out_err;
1120                         }
1121                         break;
1122                 case Opt_labelsupport:
1123                         break;
1124                 default:
1125                         rc = -EINVAL;
1126                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1127                         goto out_err;
1128
1129                 }
1130         }
1131
1132         rc = -ENOMEM;
1133         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1134         if (!opts->mnt_opts)
1135                 goto out_err;
1136
1137         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1138                                        GFP_KERNEL);
1139         if (!opts->mnt_opts_flags)
1140                 goto out_err;
1141
1142         if (fscontext) {
1143                 opts->mnt_opts[num_mnt_opts] = fscontext;
1144                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1145         }
1146         if (context) {
1147                 opts->mnt_opts[num_mnt_opts] = context;
1148                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1149         }
1150         if (rootcontext) {
1151                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1152                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1153         }
1154         if (defcontext) {
1155                 opts->mnt_opts[num_mnt_opts] = defcontext;
1156                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1157         }
1158
1159         opts->num_mnt_opts = num_mnt_opts;
1160         return 0;
1161
1162 out_err:
1163         security_free_mnt_opts(opts);
1164         kfree(context);
1165         kfree(defcontext);
1166         kfree(fscontext);
1167         kfree(rootcontext);
1168         return rc;
1169 }
1170 /*
1171  * string mount options parsing and call set the sbsec
1172  */
1173 static int superblock_doinit(struct super_block *sb, void *data)
1174 {
1175         int rc = 0;
1176         char *options = data;
1177         struct security_mnt_opts opts;
1178
1179         security_init_mnt_opts(&opts);
1180
1181         if (!data)
1182                 goto out;
1183
1184         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1185
1186         rc = selinux_parse_opts_str(options, &opts);
1187         if (rc)
1188                 goto out_err;
1189
1190 out:
1191         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1192
1193 out_err:
1194         security_free_mnt_opts(&opts);
1195         return rc;
1196 }
1197
1198 static void selinux_write_opts(struct seq_file *m,
1199                                struct security_mnt_opts *opts)
1200 {
1201         int i;
1202         char *prefix;
1203
1204         for (i = 0; i < opts->num_mnt_opts; i++) {
1205                 char *has_comma;
1206
1207                 if (opts->mnt_opts[i])
1208                         has_comma = strchr(opts->mnt_opts[i], ',');
1209                 else
1210                         has_comma = NULL;
1211
1212                 switch (opts->mnt_opts_flags[i]) {
1213                 case CONTEXT_MNT:
1214                         prefix = CONTEXT_STR;
1215                         break;
1216                 case FSCONTEXT_MNT:
1217                         prefix = FSCONTEXT_STR;
1218                         break;
1219                 case ROOTCONTEXT_MNT:
1220                         prefix = ROOTCONTEXT_STR;
1221                         break;
1222                 case DEFCONTEXT_MNT:
1223                         prefix = DEFCONTEXT_STR;
1224                         break;
1225                 case SBLABEL_MNT:
1226                         seq_putc(m, ',');
1227                         seq_puts(m, LABELSUPP_STR);
1228                         continue;
1229                 default:
1230                         BUG();
1231                         return;
1232                 };
1233                 /* we need a comma before each option */
1234                 seq_putc(m, ',');
1235                 seq_puts(m, prefix);
1236                 if (has_comma)
1237                         seq_putc(m, '\"');
1238                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1239                 if (has_comma)
1240                         seq_putc(m, '\"');
1241         }
1242 }
1243
1244 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1245 {
1246         struct security_mnt_opts opts;
1247         int rc;
1248
1249         rc = selinux_get_mnt_opts(sb, &opts);
1250         if (rc) {
1251                 /* before policy load we may get EINVAL, don't show anything */
1252                 if (rc == -EINVAL)
1253                         rc = 0;
1254                 return rc;
1255         }
1256
1257         selinux_write_opts(m, &opts);
1258
1259         security_free_mnt_opts(&opts);
1260
1261         return rc;
1262 }
1263
1264 static inline u16 inode_mode_to_security_class(umode_t mode)
1265 {
1266         switch (mode & S_IFMT) {
1267         case S_IFSOCK:
1268                 return SECCLASS_SOCK_FILE;
1269         case S_IFLNK:
1270                 return SECCLASS_LNK_FILE;
1271         case S_IFREG:
1272                 return SECCLASS_FILE;
1273         case S_IFBLK:
1274                 return SECCLASS_BLK_FILE;
1275         case S_IFDIR:
1276                 return SECCLASS_DIR;
1277         case S_IFCHR:
1278                 return SECCLASS_CHR_FILE;
1279         case S_IFIFO:
1280                 return SECCLASS_FIFO_FILE;
1281
1282         }
1283
1284         return SECCLASS_FILE;
1285 }
1286
1287 static inline int default_protocol_stream(int protocol)
1288 {
1289         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1290 }
1291
1292 static inline int default_protocol_dgram(int protocol)
1293 {
1294         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1295 }
1296
1297 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1298 {
1299         int extsockclass = selinux_policycap_extsockclass;
1300
1301         switch (family) {
1302         case PF_UNIX:
1303                 switch (type) {
1304                 case SOCK_STREAM:
1305                 case SOCK_SEQPACKET:
1306                         return SECCLASS_UNIX_STREAM_SOCKET;
1307                 case SOCK_DGRAM:
1308                 case SOCK_RAW:
1309                         return SECCLASS_UNIX_DGRAM_SOCKET;
1310                 }
1311                 break;
1312         case PF_INET:
1313         case PF_INET6:
1314                 switch (type) {
1315                 case SOCK_STREAM:
1316                 case SOCK_SEQPACKET:
1317                         if (default_protocol_stream(protocol))
1318                                 return SECCLASS_TCP_SOCKET;
1319                         else if (extsockclass && protocol == IPPROTO_SCTP)
1320                                 return SECCLASS_SCTP_SOCKET;
1321                         else
1322                                 return SECCLASS_RAWIP_SOCKET;
1323                 case SOCK_DGRAM:
1324                         if (default_protocol_dgram(protocol))
1325                                 return SECCLASS_UDP_SOCKET;
1326                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1327                                                   protocol == IPPROTO_ICMPV6))
1328                                 return SECCLASS_ICMP_SOCKET;
1329                         else
1330                                 return SECCLASS_RAWIP_SOCKET;
1331                 case SOCK_DCCP:
1332                         return SECCLASS_DCCP_SOCKET;
1333                 default:
1334                         return SECCLASS_RAWIP_SOCKET;
1335                 }
1336                 break;
1337         case PF_NETLINK:
1338                 switch (protocol) {
1339                 case NETLINK_ROUTE:
1340                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1341                 case NETLINK_SOCK_DIAG:
1342                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1343                 case NETLINK_NFLOG:
1344                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1345                 case NETLINK_XFRM:
1346                         return SECCLASS_NETLINK_XFRM_SOCKET;
1347                 case NETLINK_SELINUX:
1348                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1349                 case NETLINK_ISCSI:
1350                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1351                 case NETLINK_AUDIT:
1352                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1353                 case NETLINK_FIB_LOOKUP:
1354                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1355                 case NETLINK_CONNECTOR:
1356                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1357                 case NETLINK_NETFILTER:
1358                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1359                 case NETLINK_DNRTMSG:
1360                         return SECCLASS_NETLINK_DNRT_SOCKET;
1361                 case NETLINK_KOBJECT_UEVENT:
1362                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1363                 case NETLINK_GENERIC:
1364                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1365                 case NETLINK_SCSITRANSPORT:
1366                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1367                 case NETLINK_RDMA:
1368                         return SECCLASS_NETLINK_RDMA_SOCKET;
1369                 case NETLINK_CRYPTO:
1370                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1371                 default:
1372                         return SECCLASS_NETLINK_SOCKET;
1373                 }
1374         case PF_PACKET:
1375                 return SECCLASS_PACKET_SOCKET;
1376         case PF_KEY:
1377                 return SECCLASS_KEY_SOCKET;
1378         case PF_APPLETALK:
1379                 return SECCLASS_APPLETALK_SOCKET;
1380         }
1381
1382         if (extsockclass) {
1383                 switch (family) {
1384                 case PF_AX25:
1385                         return SECCLASS_AX25_SOCKET;
1386                 case PF_IPX:
1387                         return SECCLASS_IPX_SOCKET;
1388                 case PF_NETROM:
1389                         return SECCLASS_NETROM_SOCKET;
1390                 case PF_ATMPVC:
1391                         return SECCLASS_ATMPVC_SOCKET;
1392                 case PF_X25:
1393                         return SECCLASS_X25_SOCKET;
1394                 case PF_ROSE:
1395                         return SECCLASS_ROSE_SOCKET;
1396                 case PF_DECnet:
1397                         return SECCLASS_DECNET_SOCKET;
1398                 case PF_ATMSVC:
1399                         return SECCLASS_ATMSVC_SOCKET;
1400                 case PF_RDS:
1401                         return SECCLASS_RDS_SOCKET;
1402                 case PF_IRDA:
1403                         return SECCLASS_IRDA_SOCKET;
1404                 case PF_PPPOX:
1405                         return SECCLASS_PPPOX_SOCKET;
1406                 case PF_LLC:
1407                         return SECCLASS_LLC_SOCKET;
1408                 case PF_CAN:
1409                         return SECCLASS_CAN_SOCKET;
1410                 case PF_TIPC:
1411                         return SECCLASS_TIPC_SOCKET;
1412                 case PF_BLUETOOTH:
1413                         return SECCLASS_BLUETOOTH_SOCKET;
1414                 case PF_IUCV:
1415                         return SECCLASS_IUCV_SOCKET;
1416                 case PF_RXRPC:
1417                         return SECCLASS_RXRPC_SOCKET;
1418                 case PF_ISDN:
1419                         return SECCLASS_ISDN_SOCKET;
1420                 case PF_PHONET:
1421                         return SECCLASS_PHONET_SOCKET;
1422                 case PF_IEEE802154:
1423                         return SECCLASS_IEEE802154_SOCKET;
1424                 case PF_CAIF:
1425                         return SECCLASS_CAIF_SOCKET;
1426                 case PF_ALG:
1427                         return SECCLASS_ALG_SOCKET;
1428                 case PF_NFC:
1429                         return SECCLASS_NFC_SOCKET;
1430                 case PF_VSOCK:
1431                         return SECCLASS_VSOCK_SOCKET;
1432                 case PF_KCM:
1433                         return SECCLASS_KCM_SOCKET;
1434                 case PF_QIPCRTR:
1435                         return SECCLASS_QIPCRTR_SOCKET;
1436                 case PF_SMC:
1437                         return SECCLASS_SMC_SOCKET;
1438 #if PF_MAX > 44
1439 #error New address family defined, please update this function.
1440 #endif
1441                 }
1442         }
1443
1444         return SECCLASS_SOCKET;
1445 }
1446
1447 static int selinux_genfs_get_sid(struct dentry *dentry,
1448                                  u16 tclass,
1449                                  u16 flags,
1450                                  u32 *sid)
1451 {
1452         int rc;
1453         struct super_block *sb = dentry->d_sb;
1454         char *buffer, *path;
1455
1456         buffer = (char *)__get_free_page(GFP_KERNEL);
1457         if (!buffer)
1458                 return -ENOMEM;
1459
1460         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1461         if (IS_ERR(path))
1462                 rc = PTR_ERR(path);
1463         else {
1464                 if (flags & SE_SBPROC) {
1465                         /* each process gets a /proc/PID/ entry. Strip off the
1466                          * PID part to get a valid selinux labeling.
1467                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1468                         while (path[1] >= '0' && path[1] <= '9') {
1469                                 path[1] = '/';
1470                                 path++;
1471                         }
1472                 }
1473                 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1474         }
1475         free_page((unsigned long)buffer);
1476         return rc;
1477 }
1478
1479 /* The inode's security attributes must be initialized before first use. */
1480 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1481 {
1482         struct superblock_security_struct *sbsec = NULL;
1483         struct inode_security_struct *isec = inode->i_security;
1484         u32 task_sid, sid = 0;
1485         u16 sclass;
1486         struct dentry *dentry;
1487 #define INITCONTEXTLEN 255
1488         char *context = NULL;
1489         unsigned len = 0;
1490         int rc = 0;
1491
1492         if (isec->initialized == LABEL_INITIALIZED)
1493                 return 0;
1494
1495         spin_lock(&isec->lock);
1496         if (isec->initialized == LABEL_INITIALIZED)
1497                 goto out_unlock;
1498
1499         if (isec->sclass == SECCLASS_FILE)
1500                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1501
1502         sbsec = inode->i_sb->s_security;
1503         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1504                 /* Defer initialization until selinux_complete_init,
1505                    after the initial policy is loaded and the security
1506                    server is ready to handle calls. */
1507                 spin_lock(&sbsec->isec_lock);
1508                 if (list_empty(&isec->list))
1509                         list_add(&isec->list, &sbsec->isec_head);
1510                 spin_unlock(&sbsec->isec_lock);
1511                 goto out_unlock;
1512         }
1513
1514         sclass = isec->sclass;
1515         task_sid = isec->task_sid;
1516         sid = isec->sid;
1517         isec->initialized = LABEL_PENDING;
1518         spin_unlock(&isec->lock);
1519
1520         switch (sbsec->behavior) {
1521         case SECURITY_FS_USE_NATIVE:
1522                 break;
1523         case SECURITY_FS_USE_XATTR:
1524                 if (!(inode->i_opflags & IOP_XATTR)) {
1525                         sid = sbsec->def_sid;
1526                         break;
1527                 }
1528                 /* Need a dentry, since the xattr API requires one.
1529                    Life would be simpler if we could just pass the inode. */
1530                 if (opt_dentry) {
1531                         /* Called from d_instantiate or d_splice_alias. */
1532                         dentry = dget(opt_dentry);
1533                 } else {
1534                         /* Called from selinux_complete_init, try to find a dentry. */
1535                         dentry = d_find_alias(inode);
1536                 }
1537                 if (!dentry) {
1538                         /*
1539                          * this is can be hit on boot when a file is accessed
1540                          * before the policy is loaded.  When we load policy we
1541                          * may find inodes that have no dentry on the
1542                          * sbsec->isec_head list.  No reason to complain as these
1543                          * will get fixed up the next time we go through
1544                          * inode_doinit with a dentry, before these inodes could
1545                          * be used again by userspace.
1546                          */
1547                         goto out;
1548                 }
1549
1550                 len = INITCONTEXTLEN;
1551                 context = kmalloc(len+1, GFP_NOFS);
1552                 if (!context) {
1553                         rc = -ENOMEM;
1554                         dput(dentry);
1555                         goto out;
1556                 }
1557                 context[len] = '\0';
1558                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1559                 if (rc == -ERANGE) {
1560                         kfree(context);
1561
1562                         /* Need a larger buffer.  Query for the right size. */
1563                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1564                         if (rc < 0) {
1565                                 dput(dentry);
1566                                 goto out;
1567                         }
1568                         len = rc;
1569                         context = kmalloc(len+1, GFP_NOFS);
1570                         if (!context) {
1571                                 rc = -ENOMEM;
1572                                 dput(dentry);
1573                                 goto out;
1574                         }
1575                         context[len] = '\0';
1576                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1577                 }
1578                 dput(dentry);
1579                 if (rc < 0) {
1580                         if (rc != -ENODATA) {
1581                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1582                                        "%d for dev=%s ino=%ld\n", __func__,
1583                                        -rc, inode->i_sb->s_id, inode->i_ino);
1584                                 kfree(context);
1585                                 goto out;
1586                         }
1587                         /* Map ENODATA to the default file SID */
1588                         sid = sbsec->def_sid;
1589                         rc = 0;
1590                 } else {
1591                         rc = security_context_to_sid_default(context, rc, &sid,
1592                                                              sbsec->def_sid,
1593                                                              GFP_NOFS);
1594                         if (rc) {
1595                                 char *dev = inode->i_sb->s_id;
1596                                 unsigned long ino = inode->i_ino;
1597
1598                                 if (rc == -EINVAL) {
1599                                         if (printk_ratelimit())
1600                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1601                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1602                                                         "filesystem in question.\n", ino, dev, context);
1603                                 } else {
1604                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1605                                                "returned %d for dev=%s ino=%ld\n",
1606                                                __func__, context, -rc, dev, ino);
1607                                 }
1608                                 kfree(context);
1609                                 /* Leave with the unlabeled SID */
1610                                 rc = 0;
1611                                 break;
1612                         }
1613                 }
1614                 kfree(context);
1615                 break;
1616         case SECURITY_FS_USE_TASK:
1617                 sid = task_sid;
1618                 break;
1619         case SECURITY_FS_USE_TRANS:
1620                 /* Default to the fs SID. */
1621                 sid = sbsec->sid;
1622
1623                 /* Try to obtain a transition SID. */
1624                 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1625                 if (rc)
1626                         goto out;
1627                 break;
1628         case SECURITY_FS_USE_MNTPOINT:
1629                 sid = sbsec->mntpoint_sid;
1630                 break;
1631         default:
1632                 /* Default to the fs superblock SID. */
1633                 sid = sbsec->sid;
1634
1635                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1636                         /* We must have a dentry to determine the label on
1637                          * procfs inodes */
1638                         if (opt_dentry)
1639                                 /* Called from d_instantiate or
1640                                  * d_splice_alias. */
1641                                 dentry = dget(opt_dentry);
1642                         else
1643                                 /* Called from selinux_complete_init, try to
1644                                  * find a dentry. */
1645                                 dentry = d_find_alias(inode);
1646                         /*
1647                          * This can be hit on boot when a file is accessed
1648                          * before the policy is loaded.  When we load policy we
1649                          * may find inodes that have no dentry on the
1650                          * sbsec->isec_head list.  No reason to complain as
1651                          * these will get fixed up the next time we go through
1652                          * inode_doinit() with a dentry, before these inodes
1653                          * could be used again by userspace.
1654                          */
1655                         if (!dentry)
1656                                 goto out;
1657                         rc = selinux_genfs_get_sid(dentry, sclass,
1658                                                    sbsec->flags, &sid);
1659                         dput(dentry);
1660                         if (rc)
1661                                 goto out;
1662                 }
1663                 break;
1664         }
1665
1666 out:
1667         spin_lock(&isec->lock);
1668         if (isec->initialized == LABEL_PENDING) {
1669                 if (!sid || rc) {
1670                         isec->initialized = LABEL_INVALID;
1671                         goto out_unlock;
1672                 }
1673
1674                 isec->initialized = LABEL_INITIALIZED;
1675                 isec->sid = sid;
1676         }
1677
1678 out_unlock:
1679         spin_unlock(&isec->lock);
1680         return rc;
1681 }
1682
1683 /* Convert a Linux signal to an access vector. */
1684 static inline u32 signal_to_av(int sig)
1685 {
1686         u32 perm = 0;
1687
1688         switch (sig) {
1689         case SIGCHLD:
1690                 /* Commonly granted from child to parent. */
1691                 perm = PROCESS__SIGCHLD;
1692                 break;
1693         case SIGKILL:
1694                 /* Cannot be caught or ignored */
1695                 perm = PROCESS__SIGKILL;
1696                 break;
1697         case SIGSTOP:
1698                 /* Cannot be caught or ignored */
1699                 perm = PROCESS__SIGSTOP;
1700                 break;
1701         default:
1702                 /* All other signals. */
1703                 perm = PROCESS__SIGNAL;
1704                 break;
1705         }
1706
1707         return perm;
1708 }
1709
1710 #if CAP_LAST_CAP > 63
1711 #error Fix SELinux to handle capabilities > 63.
1712 #endif
1713
1714 /* Check whether a task is allowed to use a capability. */
1715 static int cred_has_capability(const struct cred *cred,
1716                                int cap, int audit, bool initns)
1717 {
1718         struct common_audit_data ad;
1719         struct av_decision avd;
1720         u16 sclass;
1721         u32 sid = cred_sid(cred);
1722         u32 av = CAP_TO_MASK(cap);
1723         int rc;
1724
1725         ad.type = LSM_AUDIT_DATA_CAP;
1726         ad.u.cap = cap;
1727
1728         switch (CAP_TO_INDEX(cap)) {
1729         case 0:
1730                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1731                 break;
1732         case 1:
1733                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1734                 break;
1735         default:
1736                 printk(KERN_ERR
1737                        "SELinux:  out of range capability %d\n", cap);
1738                 BUG();
1739                 return -EINVAL;
1740         }
1741
1742         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1743         if (audit == SECURITY_CAP_AUDIT) {
1744                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1745                 if (rc2)
1746                         return rc2;
1747         }
1748         return rc;
1749 }
1750
1751 /* Check whether a task has a particular permission to an inode.
1752    The 'adp' parameter is optional and allows other audit
1753    data to be passed (e.g. the dentry). */
1754 static int inode_has_perm(const struct cred *cred,
1755                           struct inode *inode,
1756                           u32 perms,
1757                           struct common_audit_data *adp)
1758 {
1759         struct inode_security_struct *isec;
1760         u32 sid;
1761
1762         validate_creds(cred);
1763
1764         if (unlikely(IS_PRIVATE(inode)))
1765                 return 0;
1766
1767         sid = cred_sid(cred);
1768         isec = inode->i_security;
1769
1770         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1771 }
1772
1773 /* Same as inode_has_perm, but pass explicit audit data containing
1774    the dentry to help the auditing code to more easily generate the
1775    pathname if needed. */
1776 static inline int dentry_has_perm(const struct cred *cred,
1777                                   struct dentry *dentry,
1778                                   u32 av)
1779 {
1780         struct inode *inode = d_backing_inode(dentry);
1781         struct common_audit_data ad;
1782
1783         ad.type = LSM_AUDIT_DATA_DENTRY;
1784         ad.u.dentry = dentry;
1785         __inode_security_revalidate(inode, dentry, true);
1786         return inode_has_perm(cred, inode, av, &ad);
1787 }
1788
1789 /* Same as inode_has_perm, but pass explicit audit data containing
1790    the path to help the auditing code to more easily generate the
1791    pathname if needed. */
1792 static inline int path_has_perm(const struct cred *cred,
1793                                 const struct path *path,
1794                                 u32 av)
1795 {
1796         struct inode *inode = d_backing_inode(path->dentry);
1797         struct common_audit_data ad;
1798
1799         ad.type = LSM_AUDIT_DATA_PATH;
1800         ad.u.path = *path;
1801         __inode_security_revalidate(inode, path->dentry, true);
1802         return inode_has_perm(cred, inode, av, &ad);
1803 }
1804
1805 /* Same as path_has_perm, but uses the inode from the file struct. */
1806 static inline int file_path_has_perm(const struct cred *cred,
1807                                      struct file *file,
1808                                      u32 av)
1809 {
1810         struct common_audit_data ad;
1811
1812         ad.type = LSM_AUDIT_DATA_FILE;
1813         ad.u.file = file;
1814         return inode_has_perm(cred, file_inode(file), av, &ad);
1815 }
1816
1817 /* Check whether a task can use an open file descriptor to
1818    access an inode in a given way.  Check access to the
1819    descriptor itself, and then use dentry_has_perm to
1820    check a particular permission to the file.
1821    Access to the descriptor is implicitly granted if it
1822    has the same SID as the process.  If av is zero, then
1823    access to the file is not checked, e.g. for cases
1824    where only the descriptor is affected like seek. */
1825 static int file_has_perm(const struct cred *cred,
1826                          struct file *file,
1827                          u32 av)
1828 {
1829         struct file_security_struct *fsec = file->f_security;
1830         struct inode *inode = file_inode(file);
1831         struct common_audit_data ad;
1832         u32 sid = cred_sid(cred);
1833         int rc;
1834
1835         ad.type = LSM_AUDIT_DATA_FILE;
1836         ad.u.file = file;
1837
1838         if (sid != fsec->sid) {
1839                 rc = avc_has_perm(sid, fsec->sid,
1840                                   SECCLASS_FD,
1841                                   FD__USE,
1842                                   &ad);
1843                 if (rc)
1844                         goto out;
1845         }
1846
1847         /* av is zero if only checking access to the descriptor. */
1848         rc = 0;
1849         if (av)
1850                 rc = inode_has_perm(cred, inode, av, &ad);
1851
1852 out:
1853         return rc;
1854 }
1855
1856 /*
1857  * Determine the label for an inode that might be unioned.
1858  */
1859 static int
1860 selinux_determine_inode_label(const struct task_security_struct *tsec,
1861                                  struct inode *dir,
1862                                  const struct qstr *name, u16 tclass,
1863                                  u32 *_new_isid)
1864 {
1865         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1866
1867         if ((sbsec->flags & SE_SBINITIALIZED) &&
1868             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1869                 *_new_isid = sbsec->mntpoint_sid;
1870         } else if ((sbsec->flags & SBLABEL_MNT) &&
1871                    tsec->create_sid) {
1872                 *_new_isid = tsec->create_sid;
1873         } else {
1874                 const struct inode_security_struct *dsec = inode_security(dir);
1875                 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1876                                                name, _new_isid);
1877         }
1878
1879         return 0;
1880 }
1881
1882 /* Check whether a task can create a file. */
1883 static int may_create(struct inode *dir,
1884                       struct dentry *dentry,
1885                       u16 tclass)
1886 {
1887         const struct task_security_struct *tsec = current_security();
1888         struct inode_security_struct *dsec;
1889         struct superblock_security_struct *sbsec;
1890         u32 sid, newsid;
1891         struct common_audit_data ad;
1892         int rc;
1893
1894         dsec = inode_security(dir);
1895         sbsec = dir->i_sb->s_security;
1896
1897         sid = tsec->sid;
1898
1899         ad.type = LSM_AUDIT_DATA_DENTRY;
1900         ad.u.dentry = dentry;
1901
1902         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1903                           DIR__ADD_NAME | DIR__SEARCH,
1904                           &ad);
1905         if (rc)
1906                 return rc;
1907
1908         rc = selinux_determine_inode_label(current_security(), dir,
1909                                            &dentry->d_name, tclass, &newsid);
1910         if (rc)
1911                 return rc;
1912
1913         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1914         if (rc)
1915                 return rc;
1916
1917         return avc_has_perm(newsid, sbsec->sid,
1918                             SECCLASS_FILESYSTEM,
1919                             FILESYSTEM__ASSOCIATE, &ad);
1920 }
1921
1922 #define MAY_LINK        0
1923 #define MAY_UNLINK      1
1924 #define MAY_RMDIR       2
1925
1926 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1927 static int may_link(struct inode *dir,
1928                     struct dentry *dentry,
1929                     int kind)
1930
1931 {
1932         struct inode_security_struct *dsec, *isec;
1933         struct common_audit_data ad;
1934         u32 sid = current_sid();
1935         u32 av;
1936         int rc;
1937
1938         dsec = inode_security(dir);
1939         isec = backing_inode_security(dentry);
1940
1941         ad.type = LSM_AUDIT_DATA_DENTRY;
1942         ad.u.dentry = dentry;
1943
1944         av = DIR__SEARCH;
1945         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1946         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1947         if (rc)
1948                 return rc;
1949
1950         switch (kind) {
1951         case MAY_LINK:
1952                 av = FILE__LINK;
1953                 break;
1954         case MAY_UNLINK:
1955                 av = FILE__UNLINK;
1956                 break;
1957         case MAY_RMDIR:
1958                 av = DIR__RMDIR;
1959                 break;
1960         default:
1961                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1962                         __func__, kind);
1963                 return 0;
1964         }
1965
1966         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1967         return rc;
1968 }
1969
1970 static inline int may_rename(struct inode *old_dir,
1971                              struct dentry *old_dentry,
1972                              struct inode *new_dir,
1973                              struct dentry *new_dentry)
1974 {
1975         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1976         struct common_audit_data ad;
1977         u32 sid = current_sid();
1978         u32 av;
1979         int old_is_dir, new_is_dir;
1980         int rc;
1981
1982         old_dsec = inode_security(old_dir);
1983         old_isec = backing_inode_security(old_dentry);
1984         old_is_dir = d_is_dir(old_dentry);
1985         new_dsec = inode_security(new_dir);
1986
1987         ad.type = LSM_AUDIT_DATA_DENTRY;
1988
1989         ad.u.dentry = old_dentry;
1990         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1991                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1992         if (rc)
1993                 return rc;
1994         rc = avc_has_perm(sid, old_isec->sid,
1995                           old_isec->sclass, FILE__RENAME, &ad);
1996         if (rc)
1997                 return rc;
1998         if (old_is_dir && new_dir != old_dir) {
1999                 rc = avc_has_perm(sid, old_isec->sid,
2000                                   old_isec->sclass, DIR__REPARENT, &ad);
2001                 if (rc)
2002                         return rc;
2003         }
2004
2005         ad.u.dentry = new_dentry;
2006         av = DIR__ADD_NAME | DIR__SEARCH;
2007         if (d_is_positive(new_dentry))
2008                 av |= DIR__REMOVE_NAME;
2009         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2010         if (rc)
2011                 return rc;
2012         if (d_is_positive(new_dentry)) {
2013                 new_isec = backing_inode_security(new_dentry);
2014                 new_is_dir = d_is_dir(new_dentry);
2015                 rc = avc_has_perm(sid, new_isec->sid,
2016                                   new_isec->sclass,
2017                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2018                 if (rc)
2019                         return rc;
2020         }
2021
2022         return 0;
2023 }
2024
2025 /* Check whether a task can perform a filesystem operation. */
2026 static int superblock_has_perm(const struct cred *cred,
2027                                struct super_block *sb,
2028                                u32 perms,
2029                                struct common_audit_data *ad)
2030 {
2031         struct superblock_security_struct *sbsec;
2032         u32 sid = cred_sid(cred);
2033
2034         sbsec = sb->s_security;
2035         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2036 }
2037
2038 /* Convert a Linux mode and permission mask to an access vector. */
2039 static inline u32 file_mask_to_av(int mode, int mask)
2040 {
2041         u32 av = 0;
2042
2043         if (!S_ISDIR(mode)) {
2044                 if (mask & MAY_EXEC)
2045                         av |= FILE__EXECUTE;
2046                 if (mask & MAY_READ)
2047                         av |= FILE__READ;
2048
2049                 if (mask & MAY_APPEND)
2050                         av |= FILE__APPEND;
2051                 else if (mask & MAY_WRITE)
2052                         av |= FILE__WRITE;
2053
2054         } else {
2055                 if (mask & MAY_EXEC)
2056                         av |= DIR__SEARCH;
2057                 if (mask & MAY_WRITE)
2058                         av |= DIR__WRITE;
2059                 if (mask & MAY_READ)
2060                         av |= DIR__READ;
2061         }
2062
2063         return av;
2064 }
2065
2066 /* Convert a Linux file to an access vector. */
2067 static inline u32 file_to_av(struct file *file)
2068 {
2069         u32 av = 0;
2070
2071         if (file->f_mode & FMODE_READ)
2072                 av |= FILE__READ;
2073         if (file->f_mode & FMODE_WRITE) {
2074                 if (file->f_flags & O_APPEND)
2075                         av |= FILE__APPEND;
2076                 else
2077                         av |= FILE__WRITE;
2078         }
2079         if (!av) {
2080                 /*
2081                  * Special file opened with flags 3 for ioctl-only use.
2082                  */
2083                 av = FILE__IOCTL;
2084         }
2085
2086         return av;
2087 }
2088
2089 /*
2090  * Convert a file to an access vector and include the correct open
2091  * open permission.
2092  */
2093 static inline u32 open_file_to_av(struct file *file)
2094 {
2095         u32 av = file_to_av(file);
2096         struct inode *inode = file_inode(file);
2097
2098         if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2099                 av |= FILE__OPEN;
2100
2101         return av;
2102 }
2103
2104 /* Hook functions begin here. */
2105
2106 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2107 {
2108         u32 mysid = current_sid();
2109         u32 mgrsid = task_sid(mgr);
2110
2111         return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2112                             BINDER__SET_CONTEXT_MGR, NULL);
2113 }
2114
2115 static int selinux_binder_transaction(struct task_struct *from,
2116                                       struct task_struct *to)
2117 {
2118         u32 mysid = current_sid();
2119         u32 fromsid = task_sid(from);
2120         u32 tosid = task_sid(to);
2121         int rc;
2122
2123         if (mysid != fromsid) {
2124                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2125                                   BINDER__IMPERSONATE, NULL);
2126                 if (rc)
2127                         return rc;
2128         }
2129
2130         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2131                             NULL);
2132 }
2133
2134 static int selinux_binder_transfer_binder(struct task_struct *from,
2135                                           struct task_struct *to)
2136 {
2137         u32 fromsid = task_sid(from);
2138         u32 tosid = task_sid(to);
2139
2140         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2141                             NULL);
2142 }
2143
2144 static int selinux_binder_transfer_file(struct task_struct *from,
2145                                         struct task_struct *to,
2146                                         struct file *file)
2147 {
2148         u32 sid = task_sid(to);
2149         struct file_security_struct *fsec = file->f_security;
2150         struct dentry *dentry = file->f_path.dentry;
2151         struct inode_security_struct *isec;
2152         struct common_audit_data ad;
2153         int rc;
2154
2155         ad.type = LSM_AUDIT_DATA_PATH;
2156         ad.u.path = file->f_path;
2157
2158         if (sid != fsec->sid) {
2159                 rc = avc_has_perm(sid, fsec->sid,
2160                                   SECCLASS_FD,
2161                                   FD__USE,
2162                                   &ad);
2163                 if (rc)
2164                         return rc;
2165         }
2166
2167         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2168                 return 0;
2169
2170         isec = backing_inode_security(dentry);
2171         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2172                             &ad);
2173 }
2174
2175 static int selinux_ptrace_access_check(struct task_struct *child,
2176                                      unsigned int mode)
2177 {
2178         u32 sid = current_sid();
2179         u32 csid = task_sid(child);
2180
2181         if (mode & PTRACE_MODE_READ)
2182                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2183
2184         return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2185 }
2186
2187 static int selinux_ptrace_traceme(struct task_struct *parent)
2188 {
2189         return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2190                             PROCESS__PTRACE, NULL);
2191 }
2192
2193 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2194                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2195 {
2196         return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2197                             PROCESS__GETCAP, NULL);
2198 }
2199
2200 static int selinux_capset(struct cred *new, const struct cred *old,
2201                           const kernel_cap_t *effective,
2202                           const kernel_cap_t *inheritable,
2203                           const kernel_cap_t *permitted)
2204 {
2205         return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2206                             PROCESS__SETCAP, NULL);
2207 }
2208
2209 /*
2210  * (This comment used to live with the selinux_task_setuid hook,
2211  * which was removed).
2212  *
2213  * Since setuid only affects the current process, and since the SELinux
2214  * controls are not based on the Linux identity attributes, SELinux does not
2215  * need to control this operation.  However, SELinux does control the use of
2216  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2217  */
2218
2219 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2220                            int cap, int audit)
2221 {
2222         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2223 }
2224
2225 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2226 {
2227         const struct cred *cred = current_cred();
2228         int rc = 0;
2229
2230         if (!sb)
2231                 return 0;
2232
2233         switch (cmds) {
2234         case Q_SYNC:
2235         case Q_QUOTAON:
2236         case Q_QUOTAOFF:
2237         case Q_SETINFO:
2238         case Q_SETQUOTA:
2239                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2240                 break;
2241         case Q_GETFMT:
2242         case Q_GETINFO:
2243         case Q_GETQUOTA:
2244                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2245                 break;
2246         default:
2247                 rc = 0;  /* let the kernel handle invalid cmds */
2248                 break;
2249         }
2250         return rc;
2251 }
2252
2253 static int selinux_quota_on(struct dentry *dentry)
2254 {
2255         const struct cred *cred = current_cred();
2256
2257         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2258 }
2259
2260 static int selinux_syslog(int type)
2261 {
2262         switch (type) {
2263         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2264         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2265                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2266                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2267         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2268         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2269         /* Set level of messages printed to console */
2270         case SYSLOG_ACTION_CONSOLE_LEVEL:
2271                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2272                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2273                                     NULL);
2274         }
2275         /* All other syslog types */
2276         return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2277                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2278 }
2279
2280 /*
2281  * Check that a process has enough memory to allocate a new virtual
2282  * mapping. 0 means there is enough memory for the allocation to
2283  * succeed and -ENOMEM implies there is not.
2284  *
2285  * Do not audit the selinux permission check, as this is applied to all
2286  * processes that allocate mappings.
2287  */
2288 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2289 {
2290         int rc, cap_sys_admin = 0;
2291
2292         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2293                                  SECURITY_CAP_NOAUDIT, true);
2294         if (rc == 0)
2295                 cap_sys_admin = 1;
2296
2297         return cap_sys_admin;
2298 }
2299
2300 /* binprm security operations */
2301
2302 static u32 ptrace_parent_sid(void)
2303 {
2304         u32 sid = 0;
2305         struct task_struct *tracer;
2306
2307         rcu_read_lock();
2308         tracer = ptrace_parent(current);
2309         if (tracer)
2310                 sid = task_sid(tracer);
2311         rcu_read_unlock();
2312
2313         return sid;
2314 }
2315
2316 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2317                             const struct task_security_struct *old_tsec,
2318                             const struct task_security_struct *new_tsec)
2319 {
2320         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2321         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2322         int rc;
2323         u32 av;
2324
2325         if (!nnp && !nosuid)
2326                 return 0; /* neither NNP nor nosuid */
2327
2328         if (new_tsec->sid == old_tsec->sid)
2329                 return 0; /* No change in credentials */
2330
2331         /*
2332          * If the policy enables the nnp_nosuid_transition policy capability,
2333          * then we permit transitions under NNP or nosuid if the
2334          * policy allows the corresponding permission between
2335          * the old and new contexts.
2336          */
2337         if (selinux_policycap_nnp_nosuid_transition) {
2338                 av = 0;
2339                 if (nnp)
2340                         av |= PROCESS2__NNP_TRANSITION;
2341                 if (nosuid)
2342                         av |= PROCESS2__NOSUID_TRANSITION;
2343                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2344                                   SECCLASS_PROCESS2, av, NULL);
2345                 if (!rc)
2346                         return 0;
2347         }
2348
2349         /*
2350          * We also permit NNP or nosuid transitions to bounded SIDs,
2351          * i.e. SIDs that are guaranteed to only be allowed a subset
2352          * of the permissions of the current SID.
2353          */
2354         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2355         if (!rc)
2356                 return 0;
2357
2358         /*
2359          * On failure, preserve the errno values for NNP vs nosuid.
2360          * NNP:  Operation not permitted for caller.
2361          * nosuid:  Permission denied to file.
2362          */
2363         if (nnp)
2364                 return -EPERM;
2365         return -EACCES;
2366 }
2367
2368 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2369 {
2370         const struct task_security_struct *old_tsec;
2371         struct task_security_struct *new_tsec;
2372         struct inode_security_struct *isec;
2373         struct common_audit_data ad;
2374         struct inode *inode = file_inode(bprm->file);
2375         int rc;
2376
2377         /* SELinux context only depends on initial program or script and not
2378          * the script interpreter */
2379         if (bprm->cred_prepared)
2380                 return 0;
2381
2382         old_tsec = current_security();
2383         new_tsec = bprm->cred->security;
2384         isec = inode_security(inode);
2385
2386         /* Default to the current task SID. */
2387         new_tsec->sid = old_tsec->sid;
2388         new_tsec->osid = old_tsec->sid;
2389
2390         /* Reset fs, key, and sock SIDs on execve. */
2391         new_tsec->create_sid = 0;
2392         new_tsec->keycreate_sid = 0;
2393         new_tsec->sockcreate_sid = 0;
2394
2395         if (old_tsec->exec_sid) {
2396                 new_tsec->sid = old_tsec->exec_sid;
2397                 /* Reset exec SID on execve. */
2398                 new_tsec->exec_sid = 0;
2399
2400                 /* Fail on NNP or nosuid if not an allowed transition. */
2401                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2402                 if (rc)
2403                         return rc;
2404         } else {
2405                 /* Check for a default transition on this program. */
2406                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2407                                              SECCLASS_PROCESS, NULL,
2408                                              &new_tsec->sid);
2409                 if (rc)
2410                         return rc;
2411
2412                 /*
2413                  * Fallback to old SID on NNP or nosuid if not an allowed
2414                  * transition.
2415                  */
2416                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2417                 if (rc)
2418                         new_tsec->sid = old_tsec->sid;
2419         }
2420
2421         ad.type = LSM_AUDIT_DATA_FILE;
2422         ad.u.file = bprm->file;
2423
2424         if (new_tsec->sid == old_tsec->sid) {
2425                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2426                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2427                 if (rc)
2428                         return rc;
2429         } else {
2430                 /* Check permissions for the transition. */
2431                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2432                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2433                 if (rc)
2434                         return rc;
2435
2436                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2437                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2438                 if (rc)
2439                         return rc;
2440
2441                 /* Check for shared state */
2442                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2443                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2444                                           SECCLASS_PROCESS, PROCESS__SHARE,
2445                                           NULL);
2446                         if (rc)
2447                                 return -EPERM;
2448                 }
2449
2450                 /* Make sure that anyone attempting to ptrace over a task that
2451                  * changes its SID has the appropriate permit */
2452                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2453                         u32 ptsid = ptrace_parent_sid();
2454                         if (ptsid != 0) {
2455                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2456                                                   SECCLASS_PROCESS,
2457                                                   PROCESS__PTRACE, NULL);
2458                                 if (rc)
2459                                         return -EPERM;
2460                         }
2461                 }
2462
2463                 /* Clear any possibly unsafe personality bits on exec: */
2464                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2465         }
2466
2467         return 0;
2468 }
2469
2470 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2471 {
2472         const struct task_security_struct *tsec = current_security();
2473         u32 sid, osid;
2474         int atsecure = 0;
2475
2476         sid = tsec->sid;
2477         osid = tsec->osid;
2478
2479         if (osid != sid) {
2480                 /* Enable secure mode for SIDs transitions unless
2481                    the noatsecure permission is granted between
2482                    the two SIDs, i.e. ahp returns 0. */
2483                 atsecure = avc_has_perm(osid, sid,
2484                                         SECCLASS_PROCESS,
2485                                         PROCESS__NOATSECURE, NULL);
2486         }
2487
2488         return !!atsecure;
2489 }
2490
2491 static int match_file(const void *p, struct file *file, unsigned fd)
2492 {
2493         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2494 }
2495
2496 /* Derived from fs/exec.c:flush_old_files. */
2497 static inline void flush_unauthorized_files(const struct cred *cred,
2498                                             struct files_struct *files)
2499 {
2500         struct file *file, *devnull = NULL;
2501         struct tty_struct *tty;
2502         int drop_tty = 0;
2503         unsigned n;
2504
2505         tty = get_current_tty();
2506         if (tty) {
2507                 spin_lock(&tty->files_lock);
2508                 if (!list_empty(&tty->tty_files)) {
2509                         struct tty_file_private *file_priv;
2510
2511                         /* Revalidate access to controlling tty.
2512                            Use file_path_has_perm on the tty path directly
2513                            rather than using file_has_perm, as this particular
2514                            open file may belong to another process and we are
2515                            only interested in the inode-based check here. */
2516                         file_priv = list_first_entry(&tty->tty_files,
2517                                                 struct tty_file_private, list);
2518                         file = file_priv->file;
2519                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2520                                 drop_tty = 1;
2521                 }
2522                 spin_unlock(&tty->files_lock);
2523                 tty_kref_put(tty);
2524         }
2525         /* Reset controlling tty. */
2526         if (drop_tty)
2527                 no_tty();
2528
2529         /* Revalidate access to inherited open files. */
2530         n = iterate_fd(files, 0, match_file, cred);
2531         if (!n) /* none found? */
2532                 return;
2533
2534         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2535         if (IS_ERR(devnull))
2536                 devnull = NULL;
2537         /* replace all the matching ones with this */
2538         do {
2539                 replace_fd(n - 1, devnull, 0);
2540         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2541         if (devnull)
2542                 fput(devnull);
2543 }
2544
2545 /*
2546  * Prepare a process for imminent new credential changes due to exec
2547  */
2548 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2549 {
2550         struct task_security_struct *new_tsec;
2551         struct rlimit *rlim, *initrlim;
2552         int rc, i;
2553
2554         new_tsec = bprm->cred->security;
2555         if (new_tsec->sid == new_tsec->osid)
2556                 return;
2557
2558         /* Close files for which the new task SID is not authorized. */
2559         flush_unauthorized_files(bprm->cred, current->files);
2560
2561         /* Always clear parent death signal on SID transitions. */
2562         current->pdeath_signal = 0;
2563
2564         /* Check whether the new SID can inherit resource limits from the old
2565          * SID.  If not, reset all soft limits to the lower of the current
2566          * task's hard limit and the init task's soft limit.
2567          *
2568          * Note that the setting of hard limits (even to lower them) can be
2569          * controlled by the setrlimit check.  The inclusion of the init task's
2570          * soft limit into the computation is to avoid resetting soft limits
2571          * higher than the default soft limit for cases where the default is
2572          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2573          */
2574         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2575                           PROCESS__RLIMITINH, NULL);
2576         if (rc) {
2577                 /* protect against do_prlimit() */
2578                 task_lock(current);
2579                 for (i = 0; i < RLIM_NLIMITS; i++) {
2580                         rlim = current->signal->rlim + i;
2581                         initrlim = init_task.signal->rlim + i;
2582                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2583                 }
2584                 task_unlock(current);
2585                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2586                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2587         }
2588 }
2589
2590 /*
2591  * Clean up the process immediately after the installation of new credentials
2592  * due to exec
2593  */
2594 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2595 {
2596         const struct task_security_struct *tsec = current_security();
2597         struct itimerval itimer;
2598         u32 osid, sid;
2599         int rc, i;
2600
2601         osid = tsec->osid;
2602         sid = tsec->sid;
2603
2604         if (sid == osid)
2605                 return;
2606
2607         /* Check whether the new SID can inherit signal state from the old SID.
2608          * If not, clear itimers to avoid subsequent signal generation and
2609          * flush and unblock signals.
2610          *
2611          * This must occur _after_ the task SID has been updated so that any
2612          * kill done after the flush will be checked against the new SID.
2613          */
2614         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2615         if (rc) {
2616                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2617                         memset(&itimer, 0, sizeof itimer);
2618                         for (i = 0; i < 3; i++)
2619                                 do_setitimer(i, &itimer, NULL);
2620                 }
2621                 spin_lock_irq(&current->sighand->siglock);
2622                 if (!fatal_signal_pending(current)) {
2623                         flush_sigqueue(&current->pending);
2624                         flush_sigqueue(&current->signal->shared_pending);
2625                         flush_signal_handlers(current, 1);
2626                         sigemptyset(&current->blocked);
2627                         recalc_sigpending();
2628                 }
2629                 spin_unlock_irq(&current->sighand->siglock);
2630         }
2631
2632         /* Wake up the parent if it is waiting so that it can recheck
2633          * wait permission to the new task SID. */
2634         read_lock(&tasklist_lock);
2635         __wake_up_parent(current, current->real_parent);
2636         read_unlock(&tasklist_lock);
2637 }
2638
2639 /* superblock security operations */
2640
2641 static int selinux_sb_alloc_security(struct super_block *sb)
2642 {
2643         return superblock_alloc_security(sb);
2644 }
2645
2646 static void selinux_sb_free_security(struct super_block *sb)
2647 {
2648         superblock_free_security(sb);
2649 }
2650
2651 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2652 {
2653         if (plen > olen)
2654                 return 0;
2655
2656         return !memcmp(prefix, option, plen);
2657 }
2658
2659 static inline int selinux_option(char *option, int len)
2660 {
2661         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2662                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2663                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2664                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2665                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2666 }
2667
2668 static inline void take_option(char **to, char *from, int *first, int len)
2669 {
2670         if (!*first) {
2671                 **to = ',';
2672                 *to += 1;
2673         } else
2674                 *first = 0;
2675         memcpy(*to, from, len);
2676         *to += len;
2677 }
2678
2679 static inline void take_selinux_option(char **to, char *from, int *first,
2680                                        int len)
2681 {
2682         int current_size = 0;
2683
2684         if (!*first) {
2685                 **to = '|';
2686                 *to += 1;
2687         } else
2688                 *first = 0;
2689
2690         while (current_size < len) {
2691                 if (*from != '"') {
2692                         **to = *from;
2693                         *to += 1;
2694                 }
2695                 from += 1;
2696                 current_size += 1;
2697         }
2698 }
2699
2700 static int selinux_sb_copy_data(char *orig, char *copy)
2701 {
2702         int fnosec, fsec, rc = 0;
2703         char *in_save, *in_curr, *in_end;
2704         char *sec_curr, *nosec_save, *nosec;
2705         int open_quote = 0;
2706
2707         in_curr = orig;
2708         sec_curr = copy;
2709
2710         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2711         if (!nosec) {
2712                 rc = -ENOMEM;
2713                 goto out;
2714         }
2715
2716         nosec_save = nosec;
2717         fnosec = fsec = 1;
2718         in_save = in_end = orig;
2719
2720         do {
2721                 if (*in_end == '"')
2722                         open_quote = !open_quote;
2723                 if ((*in_end == ',' && open_quote == 0) ||
2724                                 *in_end == '\0') {
2725                         int len = in_end - in_curr;
2726
2727                         if (selinux_option(in_curr, len))
2728                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2729                         else
2730                                 take_option(&nosec, in_curr, &fnosec, len);
2731
2732                         in_curr = in_end + 1;
2733                 }
2734         } while (*in_end++);
2735
2736         strcpy(in_save, nosec_save);
2737         free_page((unsigned long)nosec_save);
2738 out:
2739         return rc;
2740 }
2741
2742 static int selinux_sb_remount(struct super_block *sb, void *data)
2743 {
2744         int rc, i, *flags;
2745         struct security_mnt_opts opts;
2746         char *secdata, **mount_options;
2747         struct superblock_security_struct *sbsec = sb->s_security;
2748
2749         if (!(sbsec->flags & SE_SBINITIALIZED))
2750                 return 0;
2751
2752         if (!data)
2753                 return 0;
2754
2755         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2756                 return 0;
2757
2758         security_init_mnt_opts(&opts);
2759         secdata = alloc_secdata();
2760         if (!secdata)
2761                 return -ENOMEM;
2762         rc = selinux_sb_copy_data(data, secdata);
2763         if (rc)
2764                 goto out_free_secdata;
2765
2766         rc = selinux_parse_opts_str(secdata, &opts);
2767         if (rc)
2768                 goto out_free_secdata;
2769
2770         mount_options = opts.mnt_opts;
2771         flags = opts.mnt_opts_flags;
2772
2773         for (i = 0; i < opts.num_mnt_opts; i++) {
2774                 u32 sid;
2775
2776                 if (flags[i] == SBLABEL_MNT)
2777                         continue;
2778                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2779                 if (rc) {
2780                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2781                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2782                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2783                         goto out_free_opts;
2784                 }
2785                 rc = -EINVAL;
2786                 switch (flags[i]) {
2787                 case FSCONTEXT_MNT:
2788                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2789                                 goto out_bad_option;
2790                         break;
2791                 case CONTEXT_MNT:
2792                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2793                                 goto out_bad_option;
2794                         break;
2795                 case ROOTCONTEXT_MNT: {
2796                         struct inode_security_struct *root_isec;
2797                         root_isec = backing_inode_security(sb->s_root);
2798
2799                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2800                                 goto out_bad_option;
2801                         break;
2802                 }
2803                 case DEFCONTEXT_MNT:
2804                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2805                                 goto out_bad_option;
2806                         break;
2807                 default:
2808                         goto out_free_opts;
2809                 }
2810         }
2811
2812         rc = 0;
2813 out_free_opts:
2814         security_free_mnt_opts(&opts);
2815 out_free_secdata:
2816         free_secdata(secdata);
2817         return rc;
2818 out_bad_option:
2819         printk(KERN_WARNING "SELinux: unable to change security options "
2820                "during remount (dev %s, type=%s)\n", sb->s_id,
2821                sb->s_type->name);
2822         goto out_free_opts;
2823 }
2824
2825 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2826 {
2827         const struct cred *cred = current_cred();
2828         struct common_audit_data ad;
2829         int rc;
2830
2831         rc = superblock_doinit(sb, data);
2832         if (rc)
2833                 return rc;
2834
2835         /* Allow all mounts performed by the kernel */
2836         if (flags & MS_KERNMOUNT)
2837                 return 0;
2838
2839         ad.type = LSM_AUDIT_DATA_DENTRY;
2840         ad.u.dentry = sb->s_root;
2841         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2842 }
2843
2844 static int selinux_sb_statfs(struct dentry *dentry)
2845 {
2846         const struct cred *cred = current_cred();
2847         struct common_audit_data ad;
2848
2849         ad.type = LSM_AUDIT_DATA_DENTRY;
2850         ad.u.dentry = dentry->d_sb->s_root;
2851         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2852 }
2853
2854 static int selinux_mount(const char *dev_name,
2855                          const struct path *path,
2856                          const char *type,
2857                          unsigned long flags,
2858                          void *data)
2859 {
2860         const struct cred *cred = current_cred();
2861
2862         if (flags & MS_REMOUNT)
2863                 return superblock_has_perm(cred, path->dentry->d_sb,
2864                                            FILESYSTEM__REMOUNT, NULL);
2865         else
2866                 return path_has_perm(cred, path, FILE__MOUNTON);
2867 }
2868
2869 static int selinux_umount(struct vfsmount *mnt, int flags)
2870 {
2871         const struct cred *cred = current_cred();
2872
2873         return superblock_has_perm(cred, mnt->mnt_sb,
2874                                    FILESYSTEM__UNMOUNT, NULL);
2875 }
2876
2877 /* inode security operations */
2878
2879 static int selinux_inode_alloc_security(struct inode *inode)
2880 {
2881         return inode_alloc_security(inode);
2882 }
2883
2884 static void selinux_inode_free_security(struct inode *inode)
2885 {
2886         inode_free_security(inode);
2887 }
2888
2889 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2890                                         const struct qstr *name, void **ctx,
2891                                         u32 *ctxlen)
2892 {
2893         u32 newsid;
2894         int rc;
2895
2896         rc = selinux_determine_inode_label(current_security(),
2897                                            d_inode(dentry->d_parent), name,
2898                                            inode_mode_to_security_class(mode),
2899                                            &newsid);
2900         if (rc)
2901                 return rc;
2902
2903         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2904 }
2905
2906 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2907                                           struct qstr *name,
2908                                           const struct cred *old,
2909                                           struct cred *new)
2910 {
2911         u32 newsid;
2912         int rc;
2913         struct task_security_struct *tsec;
2914
2915         rc = selinux_determine_inode_label(old->security,
2916                                            d_inode(dentry->d_parent), name,
2917                                            inode_mode_to_security_class(mode),
2918                                            &newsid);
2919         if (rc)
2920                 return rc;
2921
2922         tsec = new->security;
2923         tsec->create_sid = newsid;
2924         return 0;
2925 }
2926
2927 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2928                                        const struct qstr *qstr,
2929                                        const char **name,
2930                                        void **value, size_t *len)
2931 {
2932         const struct task_security_struct *tsec = current_security();
2933         struct superblock_security_struct *sbsec;
2934         u32 sid, newsid, clen;
2935         int rc;
2936         char *context;
2937
2938         sbsec = dir->i_sb->s_security;
2939
2940         sid = tsec->sid;
2941         newsid = tsec->create_sid;
2942
2943         rc = selinux_determine_inode_label(current_security(),
2944                 dir, qstr,
2945                 inode_mode_to_security_class(inode->i_mode),
2946                 &newsid);
2947         if (rc)
2948                 return rc;
2949
2950         /* Possibly defer initialization to selinux_complete_init. */
2951         if (sbsec->flags & SE_SBINITIALIZED) {
2952                 struct inode_security_struct *isec = inode->i_security;
2953                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2954                 isec->sid = newsid;
2955                 isec->initialized = LABEL_INITIALIZED;
2956         }
2957
2958         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2959                 return -EOPNOTSUPP;
2960
2961         if (name)
2962                 *name = XATTR_SELINUX_SUFFIX;
2963
2964         if (value && len) {
2965                 rc = security_sid_to_context_force(newsid, &context, &clen);
2966                 if (rc)
2967                         return rc;
2968                 *value = context;
2969                 *len = clen;
2970         }
2971
2972         return 0;
2973 }
2974
2975 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2976 {
2977         return may_create(dir, dentry, SECCLASS_FILE);
2978 }
2979
2980 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2981 {
2982         return may_link(dir, old_dentry, MAY_LINK);
2983 }
2984
2985 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2986 {
2987         return may_link(dir, dentry, MAY_UNLINK);
2988 }
2989
2990 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2991 {
2992         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2993 }
2994
2995 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2996 {
2997         return may_create(dir, dentry, SECCLASS_DIR);
2998 }
2999
3000 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3001 {
3002         return may_link(dir, dentry, MAY_RMDIR);
3003 }
3004
3005 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3006 {
3007         return may_create(dir, dentry, inode_mode_to_security_class(mode));
3008 }
3009
3010 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3011                                 struct inode *new_inode, struct dentry *new_dentry)
3012 {
3013         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3014 }
3015
3016 static int selinux_inode_readlink(struct dentry *dentry)
3017 {
3018         const struct cred *cred = current_cred();
3019
3020         return dentry_has_perm(cred, dentry, FILE__READ);
3021 }
3022
3023 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3024                                      bool rcu)
3025 {
3026         const struct cred *cred = current_cred();
3027         struct common_audit_data ad;
3028         struct inode_security_struct *isec;
3029         u32 sid;
3030
3031         validate_creds(cred);
3032
3033         ad.type = LSM_AUDIT_DATA_DENTRY;
3034         ad.u.dentry = dentry;
3035         sid = cred_sid(cred);
3036         isec = inode_security_rcu(inode, rcu);
3037         if (IS_ERR(isec))
3038                 return PTR_ERR(isec);
3039
3040         return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3041                                   rcu ? MAY_NOT_BLOCK : 0);
3042 }
3043
3044 static noinline int audit_inode_permission(struct inode *inode,
3045                                            u32 perms, u32 audited, u32 denied,
3046                                            int result,
3047                                            unsigned flags)
3048 {
3049         struct common_audit_data ad;
3050         struct inode_security_struct *isec = inode->i_security;
3051         int rc;
3052
3053         ad.type = LSM_AUDIT_DATA_INODE;
3054         ad.u.inode = inode;
3055
3056         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3057                             audited, denied, result, &ad, flags);
3058         if (rc)
3059                 return rc;
3060         return 0;
3061 }
3062
3063 static int selinux_inode_permission(struct inode *inode, int mask)
3064 {
3065         const struct cred *cred = current_cred();
3066         u32 perms;
3067         bool from_access;
3068         unsigned flags = mask & MAY_NOT_BLOCK;
3069         struct inode_security_struct *isec;
3070         u32 sid;
3071         struct av_decision avd;
3072         int rc, rc2;
3073         u32 audited, denied;
3074
3075         from_access = mask & MAY_ACCESS;
3076         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3077
3078         /* No permission to check.  Existence test. */
3079         if (!mask)
3080                 return 0;
3081
3082         validate_creds(cred);
3083
3084         if (unlikely(IS_PRIVATE(inode)))
3085                 return 0;
3086
3087         perms = file_mask_to_av(inode->i_mode, mask);
3088
3089         sid = cred_sid(cred);
3090         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3091         if (IS_ERR(isec))
3092                 return PTR_ERR(isec);
3093
3094         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3095         audited = avc_audit_required(perms, &avd, rc,
3096                                      from_access ? FILE__AUDIT_ACCESS : 0,
3097                                      &denied);
3098         if (likely(!audited))
3099                 return rc;
3100
3101         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3102         if (rc2)
3103                 return rc2;
3104         return rc;
3105 }
3106
3107 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3108 {
3109         const struct cred *cred = current_cred();
3110         struct inode *inode = d_backing_inode(dentry);
3111         unsigned int ia_valid = iattr->ia_valid;
3112         __u32 av = FILE__WRITE;
3113
3114         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3115         if (ia_valid & ATTR_FORCE) {
3116                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3117                               ATTR_FORCE);
3118                 if (!ia_valid)
3119                         return 0;
3120         }
3121
3122         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3123                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3124                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3125
3126         if (selinux_policycap_openperm &&
3127             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3128             (ia_valid & ATTR_SIZE) &&
3129             !(ia_valid & ATTR_FILE))
3130                 av |= FILE__OPEN;
3131
3132         return dentry_has_perm(cred, dentry, av);
3133 }
3134
3135 static int selinux_inode_getattr(const struct path *path)
3136 {
3137         return path_has_perm(current_cred(), path, FILE__GETATTR);
3138 }
3139
3140 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3141 {
3142         const struct cred *cred = current_cred();
3143
3144         if (!strncmp(name, XATTR_SECURITY_PREFIX,
3145                      sizeof XATTR_SECURITY_PREFIX - 1)) {
3146                 if (!strcmp(name, XATTR_NAME_CAPS)) {
3147                         if (!capable(CAP_SETFCAP))
3148                                 return -EPERM;
3149                 } else if (!capable(CAP_SYS_ADMIN)) {
3150                         /* A different attribute in the security namespace.
3151                            Restrict to administrator. */
3152                         return -EPERM;
3153                 }
3154         }
3155
3156         /* Not an attribute we recognize, so just check the
3157            ordinary setattr permission. */
3158         return dentry_has_perm(cred, dentry, FILE__SETATTR);
3159 }
3160
3161 static bool has_cap_mac_admin(bool audit)
3162 {