Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  NSA Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
8  *            Chris Vance, <cvance@nai.com>
9  *            Wayne Salamon, <wsalamon@nai.com>
10  *            James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *                                         Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *                          <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *      Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/tracehook.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>    /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>           /* for Unix socket types */
73 #include <net/af_unix.h>        /* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>   /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94
95 #include "avc.h"
96 #include "objsec.h"
97 #include "netif.h"
98 #include "netnode.h"
99 #include "netport.h"
100 #include "ibpkey.h"
101 #include "xfrm.h"
102 #include "netlabel.h"
103 #include "audit.h"
104 #include "avc_ss.h"
105
106 struct selinux_state selinux_state;
107
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
110
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot;
113
114 static int __init enforcing_setup(char *str)
115 {
116         unsigned long enforcing;
117         if (!kstrtoul(str, 0, &enforcing))
118                 selinux_enforcing_boot = enforcing ? 1 : 0;
119         return 1;
120 }
121 __setup("enforcing=", enforcing_setup);
122 #else
123 #define selinux_enforcing_boot 1
124 #endif
125
126 int selinux_enabled __lsm_ro_after_init = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128 static int __init selinux_enabled_setup(char *str)
129 {
130         unsigned long enabled;
131         if (!kstrtoul(str, 0, &enabled))
132                 selinux_enabled = enabled ? 1 : 0;
133         return 1;
134 }
135 __setup("selinux=", selinux_enabled_setup);
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139         CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141 static int __init checkreqprot_setup(char *str)
142 {
143         unsigned long checkreqprot;
144
145         if (!kstrtoul(str, 0, &checkreqprot))
146                 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147         return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 /**
152  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153  *
154  * Description:
155  * This function checks the SECMARK reference counter to see if any SECMARK
156  * targets are currently configured, if the reference counter is greater than
157  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
158  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
159  * policy capability is enabled, SECMARK is always considered enabled.
160  *
161  */
162 static int selinux_secmark_enabled(void)
163 {
164         return (selinux_policycap_alwaysnetwork() ||
165                 atomic_read(&selinux_secmark_refcount));
166 }
167
168 /**
169  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170  *
171  * Description:
172  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
173  * (1) if any are enabled or false (0) if neither are enabled.  If the
174  * always_check_network policy capability is enabled, peer labeling
175  * is always considered enabled.
176  *
177  */
178 static int selinux_peerlbl_enabled(void)
179 {
180         return (selinux_policycap_alwaysnetwork() ||
181                 netlbl_enabled() || selinux_xfrm_enabled());
182 }
183
184 static int selinux_netcache_avc_callback(u32 event)
185 {
186         if (event == AVC_CALLBACK_RESET) {
187                 sel_netif_flush();
188                 sel_netnode_flush();
189                 sel_netport_flush();
190                 synchronize_net();
191         }
192         return 0;
193 }
194
195 static int selinux_lsm_notifier_avc_callback(u32 event)
196 {
197         if (event == AVC_CALLBACK_RESET) {
198                 sel_ib_pkey_flush();
199                 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
200         }
201
202         return 0;
203 }
204
205 /*
206  * initialise the security for the init task
207  */
208 static void cred_init_security(void)
209 {
210         struct cred *cred = (struct cred *) current->real_cred;
211         struct task_security_struct *tsec;
212
213         tsec = selinux_cred(cred);
214         tsec->osid = tsec->sid = SECINITSID_KERNEL;
215 }
216
217 /*
218  * get the security ID of a set of credentials
219  */
220 static inline u32 cred_sid(const struct cred *cred)
221 {
222         const struct task_security_struct *tsec;
223
224         tsec = selinux_cred(cred);
225         return tsec->sid;
226 }
227
228 /*
229  * get the objective security ID of a task
230  */
231 static inline u32 task_sid(const struct task_struct *task)
232 {
233         u32 sid;
234
235         rcu_read_lock();
236         sid = cred_sid(__task_cred(task));
237         rcu_read_unlock();
238         return sid;
239 }
240
241 /* Allocate and free functions for each kind of security blob. */
242
243 static int inode_alloc_security(struct inode *inode)
244 {
245         struct inode_security_struct *isec = selinux_inode(inode);
246         u32 sid = current_sid();
247
248         spin_lock_init(&isec->lock);
249         INIT_LIST_HEAD(&isec->list);
250         isec->inode = inode;
251         isec->sid = SECINITSID_UNLABELED;
252         isec->sclass = SECCLASS_FILE;
253         isec->task_sid = sid;
254         isec->initialized = LABEL_INVALID;
255
256         return 0;
257 }
258
259 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
260
261 /*
262  * Try reloading inode security labels that have been marked as invalid.  The
263  * @may_sleep parameter indicates when sleeping and thus reloading labels is
264  * allowed; when set to false, returns -ECHILD when the label is
265  * invalid.  The @dentry parameter should be set to a dentry of the inode.
266  */
267 static int __inode_security_revalidate(struct inode *inode,
268                                        struct dentry *dentry,
269                                        bool may_sleep)
270 {
271         struct inode_security_struct *isec = selinux_inode(inode);
272
273         might_sleep_if(may_sleep);
274
275         if (selinux_state.initialized &&
276             isec->initialized != LABEL_INITIALIZED) {
277                 if (!may_sleep)
278                         return -ECHILD;
279
280                 /*
281                  * Try reloading the inode security label.  This will fail if
282                  * @opt_dentry is NULL and no dentry for this inode can be
283                  * found; in that case, continue using the old label.
284                  */
285                 inode_doinit_with_dentry(inode, dentry);
286         }
287         return 0;
288 }
289
290 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
291 {
292         return selinux_inode(inode);
293 }
294
295 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
296 {
297         int error;
298
299         error = __inode_security_revalidate(inode, NULL, !rcu);
300         if (error)
301                 return ERR_PTR(error);
302         return selinux_inode(inode);
303 }
304
305 /*
306  * Get the security label of an inode.
307  */
308 static struct inode_security_struct *inode_security(struct inode *inode)
309 {
310         __inode_security_revalidate(inode, NULL, true);
311         return selinux_inode(inode);
312 }
313
314 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
315 {
316         struct inode *inode = d_backing_inode(dentry);
317
318         return selinux_inode(inode);
319 }
320
321 /*
322  * Get the security label of a dentry's backing inode.
323  */
324 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
325 {
326         struct inode *inode = d_backing_inode(dentry);
327
328         __inode_security_revalidate(inode, dentry, true);
329         return selinux_inode(inode);
330 }
331
332 static void inode_free_security(struct inode *inode)
333 {
334         struct inode_security_struct *isec = selinux_inode(inode);
335         struct superblock_security_struct *sbsec;
336
337         if (!isec)
338                 return;
339         sbsec = inode->i_sb->s_security;
340         /*
341          * As not all inode security structures are in a list, we check for
342          * empty list outside of the lock to make sure that we won't waste
343          * time taking a lock doing nothing.
344          *
345          * The list_del_init() function can be safely called more than once.
346          * It should not be possible for this function to be called with
347          * concurrent list_add(), but for better safety against future changes
348          * in the code, we use list_empty_careful() here.
349          */
350         if (!list_empty_careful(&isec->list)) {
351                 spin_lock(&sbsec->isec_lock);
352                 list_del_init(&isec->list);
353                 spin_unlock(&sbsec->isec_lock);
354         }
355 }
356
357 static int file_alloc_security(struct file *file)
358 {
359         struct file_security_struct *fsec = selinux_file(file);
360         u32 sid = current_sid();
361
362         fsec->sid = sid;
363         fsec->fown_sid = sid;
364
365         return 0;
366 }
367
368 static int superblock_alloc_security(struct super_block *sb)
369 {
370         struct superblock_security_struct *sbsec;
371
372         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
373         if (!sbsec)
374                 return -ENOMEM;
375
376         mutex_init(&sbsec->lock);
377         INIT_LIST_HEAD(&sbsec->isec_head);
378         spin_lock_init(&sbsec->isec_lock);
379         sbsec->sb = sb;
380         sbsec->sid = SECINITSID_UNLABELED;
381         sbsec->def_sid = SECINITSID_FILE;
382         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
383         sb->s_security = sbsec;
384
385         return 0;
386 }
387
388 static void superblock_free_security(struct super_block *sb)
389 {
390         struct superblock_security_struct *sbsec = sb->s_security;
391         sb->s_security = NULL;
392         kfree(sbsec);
393 }
394
395 struct selinux_mnt_opts {
396         const char *fscontext, *context, *rootcontext, *defcontext;
397 };
398
399 static void selinux_free_mnt_opts(void *mnt_opts)
400 {
401         struct selinux_mnt_opts *opts = mnt_opts;
402         kfree(opts->fscontext);
403         kfree(opts->context);
404         kfree(opts->rootcontext);
405         kfree(opts->defcontext);
406         kfree(opts);
407 }
408
409 static inline int inode_doinit(struct inode *inode)
410 {
411         return inode_doinit_with_dentry(inode, NULL);
412 }
413
414 enum {
415         Opt_error = -1,
416         Opt_context = 0,
417         Opt_defcontext = 1,
418         Opt_fscontext = 2,
419         Opt_rootcontext = 3,
420         Opt_seclabel = 4,
421 };
422
423 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
424 static struct {
425         const char *name;
426         int len;
427         int opt;
428         bool has_arg;
429 } tokens[] = {
430         A(context, true),
431         A(fscontext, true),
432         A(defcontext, true),
433         A(rootcontext, true),
434         A(seclabel, false),
435 };
436 #undef A
437
438 static int match_opt_prefix(char *s, int l, char **arg)
439 {
440         int i;
441
442         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
443                 size_t len = tokens[i].len;
444                 if (len > l || memcmp(s, tokens[i].name, len))
445                         continue;
446                 if (tokens[i].has_arg) {
447                         if (len == l || s[len] != '=')
448                                 continue;
449                         *arg = s + len + 1;
450                 } else if (len != l)
451                         continue;
452                 return tokens[i].opt;
453         }
454         return Opt_error;
455 }
456
457 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
458
459 static int may_context_mount_sb_relabel(u32 sid,
460                         struct superblock_security_struct *sbsec,
461                         const struct cred *cred)
462 {
463         const struct task_security_struct *tsec = selinux_cred(cred);
464         int rc;
465
466         rc = avc_has_perm(&selinux_state,
467                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
468                           FILESYSTEM__RELABELFROM, NULL);
469         if (rc)
470                 return rc;
471
472         rc = avc_has_perm(&selinux_state,
473                           tsec->sid, sid, SECCLASS_FILESYSTEM,
474                           FILESYSTEM__RELABELTO, NULL);
475         return rc;
476 }
477
478 static int may_context_mount_inode_relabel(u32 sid,
479                         struct superblock_security_struct *sbsec,
480                         const struct cred *cred)
481 {
482         const struct task_security_struct *tsec = selinux_cred(cred);
483         int rc;
484         rc = avc_has_perm(&selinux_state,
485                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
486                           FILESYSTEM__RELABELFROM, NULL);
487         if (rc)
488                 return rc;
489
490         rc = avc_has_perm(&selinux_state,
491                           sid, sbsec->sid, SECCLASS_FILESYSTEM,
492                           FILESYSTEM__ASSOCIATE, NULL);
493         return rc;
494 }
495
496 static int selinux_is_genfs_special_handling(struct super_block *sb)
497 {
498         /* Special handling. Genfs but also in-core setxattr handler */
499         return  !strcmp(sb->s_type->name, "sysfs") ||
500                 !strcmp(sb->s_type->name, "pstore") ||
501                 !strcmp(sb->s_type->name, "debugfs") ||
502                 !strcmp(sb->s_type->name, "tracefs") ||
503                 !strcmp(sb->s_type->name, "rootfs") ||
504                 (selinux_policycap_cgroupseclabel() &&
505                  (!strcmp(sb->s_type->name, "cgroup") ||
506                   !strcmp(sb->s_type->name, "cgroup2")));
507 }
508
509 static int selinux_is_sblabel_mnt(struct super_block *sb)
510 {
511         struct superblock_security_struct *sbsec = sb->s_security;
512
513         /*
514          * IMPORTANT: Double-check logic in this function when adding a new
515          * SECURITY_FS_USE_* definition!
516          */
517         BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
518
519         switch (sbsec->behavior) {
520         case SECURITY_FS_USE_XATTR:
521         case SECURITY_FS_USE_TRANS:
522         case SECURITY_FS_USE_TASK:
523         case SECURITY_FS_USE_NATIVE:
524                 return 1;
525
526         case SECURITY_FS_USE_GENFS:
527                 return selinux_is_genfs_special_handling(sb);
528
529         /* Never allow relabeling on context mounts */
530         case SECURITY_FS_USE_MNTPOINT:
531         case SECURITY_FS_USE_NONE:
532         default:
533                 return 0;
534         }
535 }
536
537 static int sb_finish_set_opts(struct super_block *sb)
538 {
539         struct superblock_security_struct *sbsec = sb->s_security;
540         struct dentry *root = sb->s_root;
541         struct inode *root_inode = d_backing_inode(root);
542         int rc = 0;
543
544         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
545                 /* Make sure that the xattr handler exists and that no
546                    error other than -ENODATA is returned by getxattr on
547                    the root directory.  -ENODATA is ok, as this may be
548                    the first boot of the SELinux kernel before we have
549                    assigned xattr values to the filesystem. */
550                 if (!(root_inode->i_opflags & IOP_XATTR)) {
551                         pr_warn("SELinux: (dev %s, type %s) has no "
552                                "xattr support\n", sb->s_id, sb->s_type->name);
553                         rc = -EOPNOTSUPP;
554                         goto out;
555                 }
556
557                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
558                 if (rc < 0 && rc != -ENODATA) {
559                         if (rc == -EOPNOTSUPP)
560                                 pr_warn("SELinux: (dev %s, type "
561                                        "%s) has no security xattr handler\n",
562                                        sb->s_id, sb->s_type->name);
563                         else
564                                 pr_warn("SELinux: (dev %s, type "
565                                        "%s) getxattr errno %d\n", sb->s_id,
566                                        sb->s_type->name, -rc);
567                         goto out;
568                 }
569         }
570
571         sbsec->flags |= SE_SBINITIALIZED;
572
573         /*
574          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
575          * leave the flag untouched because sb_clone_mnt_opts might be handing
576          * us a superblock that needs the flag to be cleared.
577          */
578         if (selinux_is_sblabel_mnt(sb))
579                 sbsec->flags |= SBLABEL_MNT;
580         else
581                 sbsec->flags &= ~SBLABEL_MNT;
582
583         /* Initialize the root inode. */
584         rc = inode_doinit_with_dentry(root_inode, root);
585
586         /* Initialize any other inodes associated with the superblock, e.g.
587            inodes created prior to initial policy load or inodes created
588            during get_sb by a pseudo filesystem that directly
589            populates itself. */
590         spin_lock(&sbsec->isec_lock);
591         while (!list_empty(&sbsec->isec_head)) {
592                 struct inode_security_struct *isec =
593                                 list_first_entry(&sbsec->isec_head,
594                                            struct inode_security_struct, list);
595                 struct inode *inode = isec->inode;
596                 list_del_init(&isec->list);
597                 spin_unlock(&sbsec->isec_lock);
598                 inode = igrab(inode);
599                 if (inode) {
600                         if (!IS_PRIVATE(inode))
601                                 inode_doinit(inode);
602                         iput(inode);
603                 }
604                 spin_lock(&sbsec->isec_lock);
605         }
606         spin_unlock(&sbsec->isec_lock);
607 out:
608         return rc;
609 }
610
611 static int bad_option(struct superblock_security_struct *sbsec, char flag,
612                       u32 old_sid, u32 new_sid)
613 {
614         char mnt_flags = sbsec->flags & SE_MNTMASK;
615
616         /* check if the old mount command had the same options */
617         if (sbsec->flags & SE_SBINITIALIZED)
618                 if (!(sbsec->flags & flag) ||
619                     (old_sid != new_sid))
620                         return 1;
621
622         /* check if we were passed the same options twice,
623          * aka someone passed context=a,context=b
624          */
625         if (!(sbsec->flags & SE_SBINITIALIZED))
626                 if (mnt_flags & flag)
627                         return 1;
628         return 0;
629 }
630
631 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
632 {
633         int rc = security_context_str_to_sid(&selinux_state, s,
634                                              sid, GFP_KERNEL);
635         if (rc)
636                 pr_warn("SELinux: security_context_str_to_sid"
637                        "(%s) failed for (dev %s, type %s) errno=%d\n",
638                        s, sb->s_id, sb->s_type->name, rc);
639         return rc;
640 }
641
642 /*
643  * Allow filesystems with binary mount data to explicitly set mount point
644  * labeling information.
645  */
646 static int selinux_set_mnt_opts(struct super_block *sb,
647                                 void *mnt_opts,
648                                 unsigned long kern_flags,
649                                 unsigned long *set_kern_flags)
650 {
651         const struct cred *cred = current_cred();
652         struct superblock_security_struct *sbsec = sb->s_security;
653         struct dentry *root = sbsec->sb->s_root;
654         struct selinux_mnt_opts *opts = mnt_opts;
655         struct inode_security_struct *root_isec;
656         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
657         u32 defcontext_sid = 0;
658         int rc = 0;
659
660         mutex_lock(&sbsec->lock);
661
662         if (!selinux_state.initialized) {
663                 if (!opts) {
664                         /* Defer initialization until selinux_complete_init,
665                            after the initial policy is loaded and the security
666                            server is ready to handle calls. */
667                         goto out;
668                 }
669                 rc = -EINVAL;
670                 pr_warn("SELinux: Unable to set superblock options "
671                         "before the security server is initialized\n");
672                 goto out;
673         }
674         if (kern_flags && !set_kern_flags) {
675                 /* Specifying internal flags without providing a place to
676                  * place the results is not allowed */
677                 rc = -EINVAL;
678                 goto out;
679         }
680
681         /*
682          * Binary mount data FS will come through this function twice.  Once
683          * from an explicit call and once from the generic calls from the vfs.
684          * Since the generic VFS calls will not contain any security mount data
685          * we need to skip the double mount verification.
686          *
687          * This does open a hole in which we will not notice if the first
688          * mount using this sb set explict options and a second mount using
689          * this sb does not set any security options.  (The first options
690          * will be used for both mounts)
691          */
692         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
693             && !opts)
694                 goto out;
695
696         root_isec = backing_inode_security_novalidate(root);
697
698         /*
699          * parse the mount options, check if they are valid sids.
700          * also check if someone is trying to mount the same sb more
701          * than once with different security options.
702          */
703         if (opts) {
704                 if (opts->fscontext) {
705                         rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
706                         if (rc)
707                                 goto out;
708                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
709                                         fscontext_sid))
710                                 goto out_double_mount;
711                         sbsec->flags |= FSCONTEXT_MNT;
712                 }
713                 if (opts->context) {
714                         rc = parse_sid(sb, opts->context, &context_sid);
715                         if (rc)
716                                 goto out;
717                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
718                                         context_sid))
719                                 goto out_double_mount;
720                         sbsec->flags |= CONTEXT_MNT;
721                 }
722                 if (opts->rootcontext) {
723                         rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
724                         if (rc)
725                                 goto out;
726                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
727                                         rootcontext_sid))
728                                 goto out_double_mount;
729                         sbsec->flags |= ROOTCONTEXT_MNT;
730                 }
731                 if (opts->defcontext) {
732                         rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
733                         if (rc)
734                                 goto out;
735                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
736                                         defcontext_sid))
737                                 goto out_double_mount;
738                         sbsec->flags |= DEFCONTEXT_MNT;
739                 }
740         }
741
742         if (sbsec->flags & SE_SBINITIALIZED) {
743                 /* previously mounted with options, but not on this attempt? */
744                 if ((sbsec->flags & SE_MNTMASK) && !opts)
745                         goto out_double_mount;
746                 rc = 0;
747                 goto out;
748         }
749
750         if (strcmp(sb->s_type->name, "proc") == 0)
751                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
752
753         if (!strcmp(sb->s_type->name, "debugfs") ||
754             !strcmp(sb->s_type->name, "tracefs") ||
755             !strcmp(sb->s_type->name, "pstore"))
756                 sbsec->flags |= SE_SBGENFS;
757
758         if (!strcmp(sb->s_type->name, "sysfs") ||
759             !strcmp(sb->s_type->name, "cgroup") ||
760             !strcmp(sb->s_type->name, "cgroup2"))
761                 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
762
763         if (!sbsec->behavior) {
764                 /*
765                  * Determine the labeling behavior to use for this
766                  * filesystem type.
767                  */
768                 rc = security_fs_use(&selinux_state, sb);
769                 if (rc) {
770                         pr_warn("%s: security_fs_use(%s) returned %d\n",
771                                         __func__, sb->s_type->name, rc);
772                         goto out;
773                 }
774         }
775
776         /*
777          * If this is a user namespace mount and the filesystem type is not
778          * explicitly whitelisted, then no contexts are allowed on the command
779          * line and security labels must be ignored.
780          */
781         if (sb->s_user_ns != &init_user_ns &&
782             strcmp(sb->s_type->name, "tmpfs") &&
783             strcmp(sb->s_type->name, "ramfs") &&
784             strcmp(sb->s_type->name, "devpts")) {
785                 if (context_sid || fscontext_sid || rootcontext_sid ||
786                     defcontext_sid) {
787                         rc = -EACCES;
788                         goto out;
789                 }
790                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
791                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
792                         rc = security_transition_sid(&selinux_state,
793                                                      current_sid(),
794                                                      current_sid(),
795                                                      SECCLASS_FILE, NULL,
796                                                      &sbsec->mntpoint_sid);
797                         if (rc)
798                                 goto out;
799                 }
800                 goto out_set_opts;
801         }
802
803         /* sets the context of the superblock for the fs being mounted. */
804         if (fscontext_sid) {
805                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
806                 if (rc)
807                         goto out;
808
809                 sbsec->sid = fscontext_sid;
810         }
811
812         /*
813          * Switch to using mount point labeling behavior.
814          * sets the label used on all file below the mountpoint, and will set
815          * the superblock context if not already set.
816          */
817         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
818                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
819                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
820         }
821
822         if (context_sid) {
823                 if (!fscontext_sid) {
824                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
825                                                           cred);
826                         if (rc)
827                                 goto out;
828                         sbsec->sid = context_sid;
829                 } else {
830                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
831                                                              cred);
832                         if (rc)
833                                 goto out;
834                 }
835                 if (!rootcontext_sid)
836                         rootcontext_sid = context_sid;
837
838                 sbsec->mntpoint_sid = context_sid;
839                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
840         }
841
842         if (rootcontext_sid) {
843                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
844                                                      cred);
845                 if (rc)
846                         goto out;
847
848                 root_isec->sid = rootcontext_sid;
849                 root_isec->initialized = LABEL_INITIALIZED;
850         }
851
852         if (defcontext_sid) {
853                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
854                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
855                         rc = -EINVAL;
856                         pr_warn("SELinux: defcontext option is "
857                                "invalid for this filesystem type\n");
858                         goto out;
859                 }
860
861                 if (defcontext_sid != sbsec->def_sid) {
862                         rc = may_context_mount_inode_relabel(defcontext_sid,
863                                                              sbsec, cred);
864                         if (rc)
865                                 goto out;
866                 }
867
868                 sbsec->def_sid = defcontext_sid;
869         }
870
871 out_set_opts:
872         rc = sb_finish_set_opts(sb);
873 out:
874         mutex_unlock(&sbsec->lock);
875         return rc;
876 out_double_mount:
877         rc = -EINVAL;
878         pr_warn("SELinux: mount invalid.  Same superblock, different "
879                "security settings for (dev %s, type %s)\n", sb->s_id,
880                sb->s_type->name);
881         goto out;
882 }
883
884 static int selinux_cmp_sb_context(const struct super_block *oldsb,
885                                     const struct super_block *newsb)
886 {
887         struct superblock_security_struct *old = oldsb->s_security;
888         struct superblock_security_struct *new = newsb->s_security;
889         char oldflags = old->flags & SE_MNTMASK;
890         char newflags = new->flags & SE_MNTMASK;
891
892         if (oldflags != newflags)
893                 goto mismatch;
894         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
895                 goto mismatch;
896         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
897                 goto mismatch;
898         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
899                 goto mismatch;
900         if (oldflags & ROOTCONTEXT_MNT) {
901                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
902                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
903                 if (oldroot->sid != newroot->sid)
904                         goto mismatch;
905         }
906         return 0;
907 mismatch:
908         pr_warn("SELinux: mount invalid.  Same superblock, "
909                             "different security settings for (dev %s, "
910                             "type %s)\n", newsb->s_id, newsb->s_type->name);
911         return -EBUSY;
912 }
913
914 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
915                                         struct super_block *newsb,
916                                         unsigned long kern_flags,
917                                         unsigned long *set_kern_flags)
918 {
919         int rc = 0;
920         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
921         struct superblock_security_struct *newsbsec = newsb->s_security;
922
923         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
924         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
925         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
926
927         /*
928          * if the parent was able to be mounted it clearly had no special lsm
929          * mount options.  thus we can safely deal with this superblock later
930          */
931         if (!selinux_state.initialized)
932                 return 0;
933
934         /*
935          * Specifying internal flags without providing a place to
936          * place the results is not allowed.
937          */
938         if (kern_flags && !set_kern_flags)
939                 return -EINVAL;
940
941         /* how can we clone if the old one wasn't set up?? */
942         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
943
944         /* if fs is reusing a sb, make sure that the contexts match */
945         if (newsbsec->flags & SE_SBINITIALIZED) {
946                 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
947                         *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
948                 return selinux_cmp_sb_context(oldsb, newsb);
949         }
950
951         mutex_lock(&newsbsec->lock);
952
953         newsbsec->flags = oldsbsec->flags;
954
955         newsbsec->sid = oldsbsec->sid;
956         newsbsec->def_sid = oldsbsec->def_sid;
957         newsbsec->behavior = oldsbsec->behavior;
958
959         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
960                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
961                 rc = security_fs_use(&selinux_state, newsb);
962                 if (rc)
963                         goto out;
964         }
965
966         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
967                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
968                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
969         }
970
971         if (set_context) {
972                 u32 sid = oldsbsec->mntpoint_sid;
973
974                 if (!set_fscontext)
975                         newsbsec->sid = sid;
976                 if (!set_rootcontext) {
977                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
978                         newisec->sid = sid;
979                 }
980                 newsbsec->mntpoint_sid = sid;
981         }
982         if (set_rootcontext) {
983                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
984                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
985
986                 newisec->sid = oldisec->sid;
987         }
988
989         sb_finish_set_opts(newsb);
990 out:
991         mutex_unlock(&newsbsec->lock);
992         return rc;
993 }
994
995 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
996 {
997         struct selinux_mnt_opts *opts = *mnt_opts;
998
999         if (token == Opt_seclabel)      /* eaten and completely ignored */
1000                 return 0;
1001
1002         if (!opts) {
1003                 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1004                 if (!opts)
1005                         return -ENOMEM;
1006                 *mnt_opts = opts;
1007         }
1008         if (!s)
1009                 return -ENOMEM;
1010         switch (token) {
1011         case Opt_context:
1012                 if (opts->context || opts->defcontext)
1013                         goto Einval;
1014                 opts->context = s;
1015                 break;
1016         case Opt_fscontext:
1017                 if (opts->fscontext)
1018                         goto Einval;
1019                 opts->fscontext = s;
1020                 break;
1021         case Opt_rootcontext:
1022                 if (opts->rootcontext)
1023                         goto Einval;
1024                 opts->rootcontext = s;
1025                 break;
1026         case Opt_defcontext:
1027                 if (opts->context || opts->defcontext)
1028                         goto Einval;
1029                 opts->defcontext = s;
1030                 break;
1031         }
1032         return 0;
1033 Einval:
1034         pr_warn(SEL_MOUNT_FAIL_MSG);
1035         return -EINVAL;
1036 }
1037
1038 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1039                                void **mnt_opts)
1040 {
1041         int token = Opt_error;
1042         int rc, i;
1043
1044         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1045                 if (strcmp(option, tokens[i].name) == 0) {
1046                         token = tokens[i].opt;
1047                         break;
1048                 }
1049         }
1050
1051         if (token == Opt_error)
1052                 return -EINVAL;
1053
1054         if (token != Opt_seclabel) {
1055                 val = kmemdup_nul(val, len, GFP_KERNEL);
1056                 if (!val) {
1057                         rc = -ENOMEM;
1058                         goto free_opt;
1059                 }
1060         }
1061         rc = selinux_add_opt(token, val, mnt_opts);
1062         if (unlikely(rc)) {
1063                 kfree(val);
1064                 goto free_opt;
1065         }
1066         return rc;
1067
1068 free_opt:
1069         if (*mnt_opts) {
1070                 selinux_free_mnt_opts(*mnt_opts);
1071                 *mnt_opts = NULL;
1072         }
1073         return rc;
1074 }
1075
1076 static int show_sid(struct seq_file *m, u32 sid)
1077 {
1078         char *context = NULL;
1079         u32 len;
1080         int rc;
1081
1082         rc = security_sid_to_context(&selinux_state, sid,
1083                                              &context, &len);
1084         if (!rc) {
1085                 bool has_comma = context && strchr(context, ',');
1086
1087                 seq_putc(m, '=');
1088                 if (has_comma)
1089                         seq_putc(m, '\"');
1090                 seq_escape(m, context, "\"\n\\");
1091                 if (has_comma)
1092                         seq_putc(m, '\"');
1093         }
1094         kfree(context);
1095         return rc;
1096 }
1097
1098 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1099 {
1100         struct superblock_security_struct *sbsec = sb->s_security;
1101         int rc;
1102
1103         if (!(sbsec->flags & SE_SBINITIALIZED))
1104                 return 0;
1105
1106         if (!selinux_state.initialized)
1107                 return 0;
1108
1109         if (sbsec->flags & FSCONTEXT_MNT) {
1110                 seq_putc(m, ',');
1111                 seq_puts(m, FSCONTEXT_STR);
1112                 rc = show_sid(m, sbsec->sid);
1113                 if (rc)
1114                         return rc;
1115         }
1116         if (sbsec->flags & CONTEXT_MNT) {
1117                 seq_putc(m, ',');
1118                 seq_puts(m, CONTEXT_STR);
1119                 rc = show_sid(m, sbsec->mntpoint_sid);
1120                 if (rc)
1121                         return rc;
1122         }
1123         if (sbsec->flags & DEFCONTEXT_MNT) {
1124                 seq_putc(m, ',');
1125                 seq_puts(m, DEFCONTEXT_STR);
1126                 rc = show_sid(m, sbsec->def_sid);
1127                 if (rc)
1128                         return rc;
1129         }
1130         if (sbsec->flags & ROOTCONTEXT_MNT) {
1131                 struct dentry *root = sbsec->sb->s_root;
1132                 struct inode_security_struct *isec = backing_inode_security(root);
1133                 seq_putc(m, ',');
1134                 seq_puts(m, ROOTCONTEXT_STR);
1135                 rc = show_sid(m, isec->sid);
1136                 if (rc)
1137                         return rc;
1138         }
1139         if (sbsec->flags & SBLABEL_MNT) {
1140                 seq_putc(m, ',');
1141                 seq_puts(m, SECLABEL_STR);
1142         }
1143         return 0;
1144 }
1145
1146 static inline u16 inode_mode_to_security_class(umode_t mode)
1147 {
1148         switch (mode & S_IFMT) {
1149         case S_IFSOCK:
1150                 return SECCLASS_SOCK_FILE;
1151         case S_IFLNK:
1152                 return SECCLASS_LNK_FILE;
1153         case S_IFREG:
1154                 return SECCLASS_FILE;
1155         case S_IFBLK:
1156                 return SECCLASS_BLK_FILE;
1157         case S_IFDIR:
1158                 return SECCLASS_DIR;
1159         case S_IFCHR:
1160                 return SECCLASS_CHR_FILE;
1161         case S_IFIFO:
1162                 return SECCLASS_FIFO_FILE;
1163
1164         }
1165
1166         return SECCLASS_FILE;
1167 }
1168
1169 static inline int default_protocol_stream(int protocol)
1170 {
1171         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1172 }
1173
1174 static inline int default_protocol_dgram(int protocol)
1175 {
1176         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1177 }
1178
1179 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1180 {
1181         int extsockclass = selinux_policycap_extsockclass();
1182
1183         switch (family) {
1184         case PF_UNIX:
1185                 switch (type) {
1186                 case SOCK_STREAM:
1187                 case SOCK_SEQPACKET:
1188                         return SECCLASS_UNIX_STREAM_SOCKET;
1189                 case SOCK_DGRAM:
1190                 case SOCK_RAW:
1191                         return SECCLASS_UNIX_DGRAM_SOCKET;
1192                 }
1193                 break;
1194         case PF_INET:
1195         case PF_INET6:
1196                 switch (type) {
1197                 case SOCK_STREAM:
1198                 case SOCK_SEQPACKET:
1199                         if (default_protocol_stream(protocol))
1200                                 return SECCLASS_TCP_SOCKET;
1201                         else if (extsockclass && protocol == IPPROTO_SCTP)
1202                                 return SECCLASS_SCTP_SOCKET;
1203                         else
1204                                 return SECCLASS_RAWIP_SOCKET;
1205                 case SOCK_DGRAM:
1206                         if (default_protocol_dgram(protocol))
1207                                 return SECCLASS_UDP_SOCKET;
1208                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1209                                                   protocol == IPPROTO_ICMPV6))
1210                                 return SECCLASS_ICMP_SOCKET;
1211                         else
1212                                 return SECCLASS_RAWIP_SOCKET;
1213                 case SOCK_DCCP:
1214                         return SECCLASS_DCCP_SOCKET;
1215                 default:
1216                         return SECCLASS_RAWIP_SOCKET;
1217                 }
1218                 break;
1219         case PF_NETLINK:
1220                 switch (protocol) {
1221                 case NETLINK_ROUTE:
1222                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1223                 case NETLINK_SOCK_DIAG:
1224                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1225                 case NETLINK_NFLOG:
1226                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1227                 case NETLINK_XFRM:
1228                         return SECCLASS_NETLINK_XFRM_SOCKET;
1229                 case NETLINK_SELINUX:
1230                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1231                 case NETLINK_ISCSI:
1232                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1233                 case NETLINK_AUDIT:
1234                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1235                 case NETLINK_FIB_LOOKUP:
1236                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1237                 case NETLINK_CONNECTOR:
1238                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1239                 case NETLINK_NETFILTER:
1240                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1241                 case NETLINK_DNRTMSG:
1242                         return SECCLASS_NETLINK_DNRT_SOCKET;
1243                 case NETLINK_KOBJECT_UEVENT:
1244                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1245                 case NETLINK_GENERIC:
1246                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1247                 case NETLINK_SCSITRANSPORT:
1248                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1249                 case NETLINK_RDMA:
1250                         return SECCLASS_NETLINK_RDMA_SOCKET;
1251                 case NETLINK_CRYPTO:
1252                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1253                 default:
1254                         return SECCLASS_NETLINK_SOCKET;
1255                 }
1256         case PF_PACKET:
1257                 return SECCLASS_PACKET_SOCKET;
1258         case PF_KEY:
1259                 return SECCLASS_KEY_SOCKET;
1260         case PF_APPLETALK:
1261                 return SECCLASS_APPLETALK_SOCKET;
1262         }
1263
1264         if (extsockclass) {
1265                 switch (family) {
1266                 case PF_AX25:
1267                         return SECCLASS_AX25_SOCKET;
1268                 case PF_IPX:
1269                         return SECCLASS_IPX_SOCKET;
1270                 case PF_NETROM:
1271                         return SECCLASS_NETROM_SOCKET;
1272                 case PF_ATMPVC:
1273                         return SECCLASS_ATMPVC_SOCKET;
1274                 case PF_X25:
1275                         return SECCLASS_X25_SOCKET;
1276                 case PF_ROSE:
1277                         return SECCLASS_ROSE_SOCKET;
1278                 case PF_DECnet:
1279                         return SECCLASS_DECNET_SOCKET;
1280                 case PF_ATMSVC:
1281                         return SECCLASS_ATMSVC_SOCKET;
1282                 case PF_RDS:
1283                         return SECCLASS_RDS_SOCKET;
1284                 case PF_IRDA:
1285                         return SECCLASS_IRDA_SOCKET;
1286                 case PF_PPPOX:
1287                         return SECCLASS_PPPOX_SOCKET;
1288                 case PF_LLC:
1289                         return SECCLASS_LLC_SOCKET;
1290                 case PF_CAN:
1291                         return SECCLASS_CAN_SOCKET;
1292                 case PF_TIPC:
1293                         return SECCLASS_TIPC_SOCKET;
1294                 case PF_BLUETOOTH:
1295                         return SECCLASS_BLUETOOTH_SOCKET;
1296                 case PF_IUCV:
1297                         return SECCLASS_IUCV_SOCKET;
1298                 case PF_RXRPC:
1299                         return SECCLASS_RXRPC_SOCKET;
1300                 case PF_ISDN:
1301                         return SECCLASS_ISDN_SOCKET;
1302                 case PF_PHONET:
1303                         return SECCLASS_PHONET_SOCKET;
1304                 case PF_IEEE802154:
1305                         return SECCLASS_IEEE802154_SOCKET;
1306                 case PF_CAIF:
1307                         return SECCLASS_CAIF_SOCKET;
1308                 case PF_ALG:
1309                         return SECCLASS_ALG_SOCKET;
1310                 case PF_NFC:
1311                         return SECCLASS_NFC_SOCKET;
1312                 case PF_VSOCK:
1313                         return SECCLASS_VSOCK_SOCKET;
1314                 case PF_KCM:
1315                         return SECCLASS_KCM_SOCKET;
1316                 case PF_QIPCRTR:
1317                         return SECCLASS_QIPCRTR_SOCKET;
1318                 case PF_SMC:
1319                         return SECCLASS_SMC_SOCKET;
1320                 case PF_XDP:
1321                         return SECCLASS_XDP_SOCKET;
1322 #if PF_MAX > 45
1323 #error New address family defined, please update this function.
1324 #endif
1325                 }
1326         }
1327
1328         return SECCLASS_SOCKET;
1329 }
1330
1331 static int selinux_genfs_get_sid(struct dentry *dentry,
1332                                  u16 tclass,
1333                                  u16 flags,
1334                                  u32 *sid)
1335 {
1336         int rc;
1337         struct super_block *sb = dentry->d_sb;
1338         char *buffer, *path;
1339
1340         buffer = (char *)__get_free_page(GFP_KERNEL);
1341         if (!buffer)
1342                 return -ENOMEM;
1343
1344         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1345         if (IS_ERR(path))
1346                 rc = PTR_ERR(path);
1347         else {
1348                 if (flags & SE_SBPROC) {
1349                         /* each process gets a /proc/PID/ entry. Strip off the
1350                          * PID part to get a valid selinux labeling.
1351                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1352                         while (path[1] >= '0' && path[1] <= '9') {
1353                                 path[1] = '/';
1354                                 path++;
1355                         }
1356                 }
1357                 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1358                                         path, tclass, sid);
1359                 if (rc == -ENOENT) {
1360                         /* No match in policy, mark as unlabeled. */
1361                         *sid = SECINITSID_UNLABELED;
1362                         rc = 0;
1363                 }
1364         }
1365         free_page((unsigned long)buffer);
1366         return rc;
1367 }
1368
1369 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1370                                   u32 def_sid, u32 *sid)
1371 {
1372 #define INITCONTEXTLEN 255
1373         char *context;
1374         unsigned int len;
1375         int rc;
1376
1377         len = INITCONTEXTLEN;
1378         context = kmalloc(len + 1, GFP_NOFS);
1379         if (!context)
1380                 return -ENOMEM;
1381
1382         context[len] = '\0';
1383         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1384         if (rc == -ERANGE) {
1385                 kfree(context);
1386
1387                 /* Need a larger buffer.  Query for the right size. */
1388                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1389                 if (rc < 0)
1390                         return rc;
1391
1392                 len = rc;
1393                 context = kmalloc(len + 1, GFP_NOFS);
1394                 if (!context)
1395                         return -ENOMEM;
1396
1397                 context[len] = '\0';
1398                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1399                                     context, len);
1400         }
1401         if (rc < 0) {
1402                 kfree(context);
1403                 if (rc != -ENODATA) {
1404                         pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1405                                 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1406                         return rc;
1407                 }
1408                 *sid = def_sid;
1409                 return 0;
1410         }
1411
1412         rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1413                                              def_sid, GFP_NOFS);
1414         if (rc) {
1415                 char *dev = inode->i_sb->s_id;
1416                 unsigned long ino = inode->i_ino;
1417
1418                 if (rc == -EINVAL) {
1419                         pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1420                                               ino, dev, context);
1421                 } else {
1422                         pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1423                                 __func__, context, -rc, dev, ino);
1424                 }
1425         }
1426         kfree(context);
1427         return 0;
1428 }
1429
1430 /* The inode's security attributes must be initialized before first use. */
1431 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1432 {
1433         struct superblock_security_struct *sbsec = NULL;
1434         struct inode_security_struct *isec = selinux_inode(inode);
1435         u32 task_sid, sid = 0;
1436         u16 sclass;
1437         struct dentry *dentry;
1438         int rc = 0;
1439
1440         if (isec->initialized == LABEL_INITIALIZED)
1441                 return 0;
1442
1443         spin_lock(&isec->lock);
1444         if (isec->initialized == LABEL_INITIALIZED)
1445                 goto out_unlock;
1446
1447         if (isec->sclass == SECCLASS_FILE)
1448                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1449
1450         sbsec = inode->i_sb->s_security;
1451         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1452                 /* Defer initialization until selinux_complete_init,
1453                    after the initial policy is loaded and the security
1454                    server is ready to handle calls. */
1455                 spin_lock(&sbsec->isec_lock);
1456                 if (list_empty(&isec->list))
1457                         list_add(&isec->list, &sbsec->isec_head);
1458                 spin_unlock(&sbsec->isec_lock);
1459                 goto out_unlock;
1460         }
1461
1462         sclass = isec->sclass;
1463         task_sid = isec->task_sid;
1464         sid = isec->sid;
1465         isec->initialized = LABEL_PENDING;
1466         spin_unlock(&isec->lock);
1467
1468         switch (sbsec->behavior) {
1469         case SECURITY_FS_USE_NATIVE:
1470                 break;
1471         case SECURITY_FS_USE_XATTR:
1472                 if (!(inode->i_opflags & IOP_XATTR)) {
1473                         sid = sbsec->def_sid;
1474                         break;
1475                 }
1476                 /* Need a dentry, since the xattr API requires one.
1477                    Life would be simpler if we could just pass the inode. */
1478                 if (opt_dentry) {
1479                         /* Called from d_instantiate or d_splice_alias. */
1480                         dentry = dget(opt_dentry);
1481                 } else {
1482                         /*
1483                          * Called from selinux_complete_init, try to find a dentry.
1484                          * Some filesystems really want a connected one, so try
1485                          * that first.  We could split SECURITY_FS_USE_XATTR in
1486                          * two, depending upon that...
1487                          */
1488                         dentry = d_find_alias(inode);
1489                         if (!dentry)
1490                                 dentry = d_find_any_alias(inode);
1491                 }
1492                 if (!dentry) {
1493                         /*
1494                          * this is can be hit on boot when a file is accessed
1495                          * before the policy is loaded.  When we load policy we
1496                          * may find inodes that have no dentry on the
1497                          * sbsec->isec_head list.  No reason to complain as these
1498                          * will get fixed up the next time we go through
1499                          * inode_doinit with a dentry, before these inodes could
1500                          * be used again by userspace.
1501                          */
1502                         goto out;
1503                 }
1504
1505                 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1506                                             &sid);
1507                 dput(dentry);
1508                 if (rc)
1509                         goto out;
1510                 break;
1511         case SECURITY_FS_USE_TASK:
1512                 sid = task_sid;
1513                 break;
1514         case SECURITY_FS_USE_TRANS:
1515                 /* Default to the fs SID. */
1516                 sid = sbsec->sid;
1517
1518                 /* Try to obtain a transition SID. */
1519                 rc = security_transition_sid(&selinux_state, task_sid, sid,
1520                                              sclass, NULL, &sid);
1521                 if (rc)
1522                         goto out;
1523                 break;
1524         case SECURITY_FS_USE_MNTPOINT:
1525                 sid = sbsec->mntpoint_sid;
1526                 break;
1527         default:
1528                 /* Default to the fs superblock SID. */
1529                 sid = sbsec->sid;
1530
1531                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1532                         /* We must have a dentry to determine the label on
1533                          * procfs inodes */
1534                         if (opt_dentry) {
1535                                 /* Called from d_instantiate or
1536                                  * d_splice_alias. */
1537                                 dentry = dget(opt_dentry);
1538                         } else {
1539                                 /* Called from selinux_complete_init, try to
1540                                  * find a dentry.  Some filesystems really want
1541                                  * a connected one, so try that first.
1542                                  */
1543                                 dentry = d_find_alias(inode);
1544                                 if (!dentry)
1545                                         dentry = d_find_any_alias(inode);
1546                         }
1547                         /*
1548                          * This can be hit on boot when a file is accessed
1549                          * before the policy is loaded.  When we load policy we
1550                          * may find inodes that have no dentry on the
1551                          * sbsec->isec_head list.  No reason to complain as
1552                          * these will get fixed up the next time we go through
1553                          * inode_doinit() with a dentry, before these inodes
1554                          * could be used again by userspace.
1555                          */
1556                         if (!dentry)
1557                                 goto out;
1558                         rc = selinux_genfs_get_sid(dentry, sclass,
1559                                                    sbsec->flags, &sid);
1560                         if (rc) {
1561                                 dput(dentry);
1562                                 goto out;
1563                         }
1564
1565                         if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1566                             (inode->i_opflags & IOP_XATTR)) {
1567                                 rc = inode_doinit_use_xattr(inode, dentry,
1568                                                             sid, &sid);
1569                                 if (rc) {
1570                                         dput(dentry);
1571                                         goto out;
1572                                 }
1573                         }
1574                         dput(dentry);
1575                 }
1576                 break;
1577         }
1578
1579 out:
1580         spin_lock(&isec->lock);
1581         if (isec->initialized == LABEL_PENDING) {
1582                 if (!sid || rc) {
1583                         isec->initialized = LABEL_INVALID;
1584                         goto out_unlock;
1585                 }
1586
1587                 isec->initialized = LABEL_INITIALIZED;
1588                 isec->sid = sid;
1589         }
1590
1591 out_unlock:
1592         spin_unlock(&isec->lock);
1593         return rc;
1594 }
1595
1596 /* Convert a Linux signal to an access vector. */
1597 static inline u32 signal_to_av(int sig)
1598 {
1599         u32 perm = 0;
1600
1601         switch (sig) {
1602         case SIGCHLD:
1603                 /* Commonly granted from child to parent. */
1604                 perm = PROCESS__SIGCHLD;
1605                 break;
1606         case SIGKILL:
1607                 /* Cannot be caught or ignored */
1608                 perm = PROCESS__SIGKILL;
1609                 break;
1610         case SIGSTOP:
1611                 /* Cannot be caught or ignored */
1612                 perm = PROCESS__SIGSTOP;
1613                 break;
1614         default:
1615                 /* All other signals. */
1616                 perm = PROCESS__SIGNAL;
1617                 break;
1618         }
1619
1620         return perm;
1621 }
1622
1623 #if CAP_LAST_CAP > 63
1624 #error Fix SELinux to handle capabilities > 63.
1625 #endif
1626
1627 /* Check whether a task is allowed to use a capability. */
1628 static int cred_has_capability(const struct cred *cred,
1629                                int cap, unsigned int opts, bool initns)
1630 {
1631         struct common_audit_data ad;
1632         struct av_decision avd;
1633         u16 sclass;
1634         u32 sid = cred_sid(cred);
1635         u32 av = CAP_TO_MASK(cap);
1636         int rc;
1637
1638         ad.type = LSM_AUDIT_DATA_CAP;
1639         ad.u.cap = cap;
1640
1641         switch (CAP_TO_INDEX(cap)) {
1642         case 0:
1643                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1644                 break;
1645         case 1:
1646                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1647                 break;
1648         default:
1649                 pr_err("SELinux:  out of range capability %d\n", cap);
1650                 BUG();
1651                 return -EINVAL;
1652         }
1653
1654         rc = avc_has_perm_noaudit(&selinux_state,
1655                                   sid, sid, sclass, av, 0, &avd);
1656         if (!(opts & CAP_OPT_NOAUDIT)) {
1657                 int rc2 = avc_audit(&selinux_state,
1658                                     sid, sid, sclass, av, &avd, rc, &ad, 0);
1659                 if (rc2)
1660                         return rc2;
1661         }
1662         return rc;
1663 }
1664
1665 /* Check whether a task has a particular permission to an inode.
1666    The 'adp' parameter is optional and allows other audit
1667    data to be passed (e.g. the dentry). */
1668 static int inode_has_perm(const struct cred *cred,
1669                           struct inode *inode,
1670                           u32 perms,
1671                           struct common_audit_data *adp)
1672 {
1673         struct inode_security_struct *isec;
1674         u32 sid;
1675
1676         validate_creds(cred);
1677
1678         if (unlikely(IS_PRIVATE(inode)))
1679                 return 0;
1680
1681         sid = cred_sid(cred);
1682         isec = selinux_inode(inode);
1683
1684         return avc_has_perm(&selinux_state,
1685                             sid, isec->sid, isec->sclass, perms, adp);
1686 }
1687
1688 /* Same as inode_has_perm, but pass explicit audit data containing
1689    the dentry to help the auditing code to more easily generate the
1690    pathname if needed. */
1691 static inline int dentry_has_perm(const struct cred *cred,
1692                                   struct dentry *dentry,
1693                                   u32 av)
1694 {
1695         struct inode *inode = d_backing_inode(dentry);
1696         struct common_audit_data ad;
1697
1698         ad.type = LSM_AUDIT_DATA_DENTRY;
1699         ad.u.dentry = dentry;
1700         __inode_security_revalidate(inode, dentry, true);
1701         return inode_has_perm(cred, inode, av, &ad);
1702 }
1703
1704 /* Same as inode_has_perm, but pass explicit audit data containing
1705    the path to help the auditing code to more easily generate the
1706    pathname if needed. */
1707 static inline int path_has_perm(const struct cred *cred,
1708                                 const struct path *path,
1709                                 u32 av)
1710 {
1711         struct inode *inode = d_backing_inode(path->dentry);
1712         struct common_audit_data ad;
1713
1714         ad.type = LSM_AUDIT_DATA_PATH;
1715         ad.u.path = *path;
1716         __inode_security_revalidate(inode, path->dentry, true);
1717         return inode_has_perm(cred, inode, av, &ad);
1718 }
1719
1720 /* Same as path_has_perm, but uses the inode from the file struct. */
1721 static inline int file_path_has_perm(const struct cred *cred,
1722                                      struct file *file,
1723                                      u32 av)
1724 {
1725         struct common_audit_data ad;
1726
1727         ad.type = LSM_AUDIT_DATA_FILE;
1728         ad.u.file = file;
1729         return inode_has_perm(cred, file_inode(file), av, &ad);
1730 }
1731
1732 #ifdef CONFIG_BPF_SYSCALL
1733 static int bpf_fd_pass(struct file *file, u32 sid);
1734 #endif
1735
1736 /* Check whether a task can use an open file descriptor to
1737    access an inode in a given way.  Check access to the
1738    descriptor itself, and then use dentry_has_perm to
1739    check a particular permission to the file.
1740    Access to the descriptor is implicitly granted if it
1741    has the same SID as the process.  If av is zero, then
1742    access to the file is not checked, e.g. for cases
1743    where only the descriptor is affected like seek. */
1744 static int file_has_perm(const struct cred *cred,
1745                          struct file *file,
1746                          u32 av)
1747 {
1748         struct file_security_struct *fsec = selinux_file(file);
1749         struct inode *inode = file_inode(file);
1750         struct common_audit_data ad;
1751         u32 sid = cred_sid(cred);
1752         int rc;
1753
1754         ad.type = LSM_AUDIT_DATA_FILE;
1755         ad.u.file = file;
1756
1757         if (sid != fsec->sid) {
1758                 rc = avc_has_perm(&selinux_state,
1759                                   sid, fsec->sid,
1760                                   SECCLASS_FD,
1761                                   FD__USE,
1762                                   &ad);
1763                 if (rc)
1764                         goto out;
1765         }
1766
1767 #ifdef CONFIG_BPF_SYSCALL
1768         rc = bpf_fd_pass(file, cred_sid(cred));
1769         if (rc)
1770                 return rc;
1771 #endif
1772
1773         /* av is zero if only checking access to the descriptor. */
1774         rc = 0;
1775         if (av)
1776                 rc = inode_has_perm(cred, inode, av, &ad);
1777
1778 out:
1779         return rc;
1780 }
1781
1782 /*
1783  * Determine the label for an inode that might be unioned.
1784  */
1785 static int
1786 selinux_determine_inode_label(const struct task_security_struct *tsec,
1787                                  struct inode *dir,
1788                                  const struct qstr *name, u16 tclass,
1789                                  u32 *_new_isid)
1790 {
1791         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1792
1793         if ((sbsec->flags & SE_SBINITIALIZED) &&
1794             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1795                 *_new_isid = sbsec->mntpoint_sid;
1796         } else if ((sbsec->flags & SBLABEL_MNT) &&
1797                    tsec->create_sid) {
1798                 *_new_isid = tsec->create_sid;
1799         } else {
1800                 const struct inode_security_struct *dsec = inode_security(dir);
1801                 return security_transition_sid(&selinux_state, tsec->sid,
1802                                                dsec->sid, tclass,
1803                                                name, _new_isid);
1804         }
1805
1806         return 0;
1807 }
1808
1809 /* Check whether a task can create a file. */
1810 static int may_create(struct inode *dir,
1811                       struct dentry *dentry,
1812                       u16 tclass)
1813 {
1814         const struct task_security_struct *tsec = selinux_cred(current_cred());
1815         struct inode_security_struct *dsec;
1816         struct superblock_security_struct *sbsec;
1817         u32 sid, newsid;
1818         struct common_audit_data ad;
1819         int rc;
1820
1821         dsec = inode_security(dir);
1822         sbsec = dir->i_sb->s_security;
1823
1824         sid = tsec->sid;
1825
1826         ad.type = LSM_AUDIT_DATA_DENTRY;
1827         ad.u.dentry = dentry;
1828
1829         rc = avc_has_perm(&selinux_state,
1830                           sid, dsec->sid, SECCLASS_DIR,
1831                           DIR__ADD_NAME | DIR__SEARCH,
1832                           &ad);
1833         if (rc)
1834                 return rc;
1835
1836         rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1837                                            &dentry->d_name, tclass, &newsid);
1838         if (rc)
1839                 return rc;
1840
1841         rc = avc_has_perm(&selinux_state,
1842                           sid, newsid, tclass, FILE__CREATE, &ad);
1843         if (rc)
1844                 return rc;
1845
1846         return avc_has_perm(&selinux_state,
1847                             newsid, sbsec->sid,
1848                             SECCLASS_FILESYSTEM,
1849                             FILESYSTEM__ASSOCIATE, &ad);
1850 }
1851
1852 #define MAY_LINK        0
1853 #define MAY_UNLINK      1
1854 #define MAY_RMDIR       2
1855
1856 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1857 static int may_link(struct inode *dir,
1858                     struct dentry *dentry,
1859                     int kind)
1860
1861 {
1862         struct inode_security_struct *dsec, *isec;
1863         struct common_audit_data ad;
1864         u32 sid = current_sid();
1865         u32 av;
1866         int rc;
1867
1868         dsec = inode_security(dir);
1869         isec = backing_inode_security(dentry);
1870
1871         ad.type = LSM_AUDIT_DATA_DENTRY;
1872         ad.u.dentry = dentry;
1873
1874         av = DIR__SEARCH;
1875         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1876         rc = avc_has_perm(&selinux_state,
1877                           sid, dsec->sid, SECCLASS_DIR, av, &ad);
1878         if (rc)
1879                 return rc;
1880
1881         switch (kind) {
1882         case MAY_LINK:
1883                 av = FILE__LINK;
1884                 break;
1885         case MAY_UNLINK:
1886                 av = FILE__UNLINK;
1887                 break;
1888         case MAY_RMDIR:
1889                 av = DIR__RMDIR;
1890                 break;
1891         default:
1892                 pr_warn("SELinux: %s:  unrecognized kind %d\n",
1893                         __func__, kind);
1894                 return 0;
1895         }
1896
1897         rc = avc_has_perm(&selinux_state,
1898                           sid, isec->sid, isec->sclass, av, &ad);
1899         return rc;
1900 }
1901
1902 static inline int may_rename(struct inode *old_dir,
1903                              struct dentry *old_dentry,
1904                              struct inode *new_dir,
1905                              struct dentry *new_dentry)
1906 {
1907         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1908         struct common_audit_data ad;
1909         u32 sid = current_sid();
1910         u32 av;
1911         int old_is_dir, new_is_dir;
1912         int rc;
1913
1914         old_dsec = inode_security(old_dir);
1915         old_isec = backing_inode_security(old_dentry);
1916         old_is_dir = d_is_dir(old_dentry);
1917         new_dsec = inode_security(new_dir);
1918
1919         ad.type = LSM_AUDIT_DATA_DENTRY;
1920
1921         ad.u.dentry = old_dentry;
1922         rc = avc_has_perm(&selinux_state,
1923                           sid, old_dsec->sid, SECCLASS_DIR,
1924                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1925         if (rc)
1926                 return rc;
1927         rc = avc_has_perm(&selinux_state,
1928                           sid, old_isec->sid,
1929                           old_isec->sclass, FILE__RENAME, &ad);
1930         if (rc)
1931                 return rc;
1932         if (old_is_dir && new_dir != old_dir) {
1933                 rc = avc_has_perm(&selinux_state,
1934                                   sid, old_isec->sid,
1935                                   old_isec->sclass, DIR__REPARENT, &ad);
1936                 if (rc)
1937                         return rc;
1938         }
1939
1940         ad.u.dentry = new_dentry;
1941         av = DIR__ADD_NAME | DIR__SEARCH;
1942         if (d_is_positive(new_dentry))
1943                 av |= DIR__REMOVE_NAME;
1944         rc = avc_has_perm(&selinux_state,
1945                           sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1946         if (rc)
1947                 return rc;
1948         if (d_is_positive(new_dentry)) {
1949                 new_isec = backing_inode_security(new_dentry);
1950                 new_is_dir = d_is_dir(new_dentry);
1951                 rc = avc_has_perm(&selinux_state,
1952                                   sid, new_isec->sid,
1953                                   new_isec->sclass,
1954                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1955                 if (rc)
1956                         return rc;
1957         }
1958
1959         return 0;
1960 }
1961
1962 /* Check whether a task can perform a filesystem operation. */
1963 static int superblock_has_perm(const struct cred *cred,
1964                                struct super_block *sb,
1965                                u32 perms,
1966                                struct common_audit_data *ad)
1967 {
1968         struct superblock_security_struct *sbsec;
1969         u32 sid = cred_sid(cred);
1970
1971         sbsec = sb->s_security;
1972         return avc_has_perm(&selinux_state,
1973                             sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1974 }
1975
1976 /* Convert a Linux mode and permission mask to an access vector. */
1977 static inline u32 file_mask_to_av(int mode, int mask)
1978 {
1979         u32 av = 0;
1980
1981         if (!S_ISDIR(mode)) {
1982                 if (mask & MAY_EXEC)
1983                         av |= FILE__EXECUTE;
1984                 if (mask & MAY_READ)
1985                         av |= FILE__READ;
1986
1987                 if (mask & MAY_APPEND)
1988                         av |= FILE__APPEND;
1989                 else if (mask & MAY_WRITE)
1990                         av |= FILE__WRITE;
1991
1992         } else {
1993                 if (mask & MAY_EXEC)
1994                         av |= DIR__SEARCH;
1995                 if (mask & MAY_WRITE)
1996                         av |= DIR__WRITE;
1997                 if (mask & MAY_READ)
1998                         av |= DIR__READ;
1999         }
2000
2001         return av;
2002 }
2003
2004 /* Convert a Linux file to an access vector. */
2005 static inline u32 file_to_av(struct file *file)
2006 {
2007         u32 av = 0;
2008
2009         if (file->f_mode & FMODE_READ)
2010                 av |= FILE__READ;
2011         if (file->f_mode & FMODE_WRITE) {
2012                 if (file->f_flags & O_APPEND)
2013                         av |= FILE__APPEND;
2014                 else
2015                         av |= FILE__WRITE;
2016         }
2017         if (!av) {
2018                 /*
2019                  * Special file opened with flags 3 for ioctl-only use.
2020                  */
2021                 av = FILE__IOCTL;
2022         }
2023
2024         return av;
2025 }
2026
2027 /*
2028  * Convert a file to an access vector and include the correct open
2029  * open permission.
2030  */
2031 static inline u32 open_file_to_av(struct file *file)
2032 {
2033         u32 av = file_to_av(file);
2034         struct inode *inode = file_inode(file);
2035
2036         if (selinux_policycap_openperm() &&
2037             inode->i_sb->s_magic != SOCKFS_MAGIC)
2038                 av |= FILE__OPEN;
2039
2040         return av;
2041 }
2042
2043 /* Hook functions begin here. */
2044
2045 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2046 {
2047         u32 mysid = current_sid();
2048         u32 mgrsid = task_sid(mgr);
2049
2050         return avc_has_perm(&selinux_state,
2051                             mysid, mgrsid, SECCLASS_BINDER,
2052                             BINDER__SET_CONTEXT_MGR, NULL);
2053 }
2054
2055 static int selinux_binder_transaction(struct task_struct *from,
2056                                       struct task_struct *to)
2057 {
2058         u32 mysid = current_sid();
2059         u32 fromsid = task_sid(from);
2060         u32 tosid = task_sid(to);
2061         int rc;
2062
2063         if (mysid != fromsid) {
2064                 rc = avc_has_perm(&selinux_state,
2065                                   mysid, fromsid, SECCLASS_BINDER,
2066                                   BINDER__IMPERSONATE, NULL);
2067                 if (rc)
2068                         return rc;
2069         }
2070
2071         return avc_has_perm(&selinux_state,
2072                             fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2073                             NULL);
2074 }
2075
2076 static int selinux_binder_transfer_binder(struct task_struct *from,
2077                                           struct task_struct *to)
2078 {
2079         u32 fromsid = task_sid(from);
2080         u32 tosid = task_sid(to);
2081
2082         return avc_has_perm(&selinux_state,
2083                             fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2084                             NULL);
2085 }
2086
2087 static int selinux_binder_transfer_file(struct task_struct *from,
2088                                         struct task_struct *to,
2089                                         struct file *file)
2090 {
2091         u32 sid = task_sid(to);
2092         struct file_security_struct *fsec = selinux_file(file);
2093         struct dentry *dentry = file->f_path.dentry;
2094         struct inode_security_struct *isec;
2095         struct common_audit_data ad;
2096         int rc;
2097
2098         ad.type = LSM_AUDIT_DATA_PATH;
2099         ad.u.path = file->f_path;
2100
2101         if (sid != fsec->sid) {
2102                 rc = avc_has_perm(&selinux_state,
2103                                   sid, fsec->sid,
2104                                   SECCLASS_FD,
2105                                   FD__USE,
2106                                   &ad);
2107                 if (rc)
2108                         return rc;
2109         }
2110
2111 #ifdef CONFIG_BPF_SYSCALL
2112         rc = bpf_fd_pass(file, sid);
2113         if (rc)
2114                 return rc;
2115 #endif
2116
2117         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2118                 return 0;
2119
2120         isec = backing_inode_security(dentry);
2121         return avc_has_perm(&selinux_state,
2122                             sid, isec->sid, isec->sclass, file_to_av(file),
2123                             &ad);
2124 }
2125
2126 static int selinux_ptrace_access_check(struct task_struct *child,
2127                                      unsigned int mode)
2128 {
2129         u32 sid = current_sid();
2130         u32 csid = task_sid(child);
2131
2132         if (mode & PTRACE_MODE_READ)
2133                 return avc_has_perm(&selinux_state,
2134                                     sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2135
2136         return avc_has_perm(&selinux_state,
2137                             sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2138 }
2139
2140 static int selinux_ptrace_traceme(struct task_struct *parent)
2141 {
2142         return avc_has_perm(&selinux_state,
2143                             task_sid(parent), current_sid(), SECCLASS_PROCESS,
2144                             PROCESS__PTRACE, NULL);
2145 }
2146
2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2148                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2149 {
2150         return avc_has_perm(&selinux_state,
2151                             current_sid(), task_sid(target), SECCLASS_PROCESS,
2152                             PROCESS__GETCAP, NULL);
2153 }
2154
2155 static int selinux_capset(struct cred *new, const struct cred *old,
2156                           const kernel_cap_t *effective,
2157                           const kernel_cap_t *inheritable,
2158                           const kernel_cap_t *permitted)
2159 {
2160         return avc_has_perm(&selinux_state,
2161                             cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2162                             PROCESS__SETCAP, NULL);
2163 }
2164
2165 /*
2166  * (This comment used to live with the selinux_task_setuid hook,
2167  * which was removed).
2168  *
2169  * Since setuid only affects the current process, and since the SELinux
2170  * controls are not based on the Linux identity attributes, SELinux does not
2171  * need to control this operation.  However, SELinux does control the use of
2172  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2173  */
2174
2175 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2176                            int cap, unsigned int opts)
2177 {
2178         return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2179 }
2180
2181 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2182 {
2183         const struct cred *cred = current_cred();
2184         int rc = 0;
2185
2186         if (!sb)
2187                 return 0;
2188
2189         switch (cmds) {
2190         case Q_SYNC:
2191         case Q_QUOTAON:
2192         case Q_QUOTAOFF:
2193         case Q_SETINFO:
2194         case Q_SETQUOTA:
2195                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2196                 break;
2197         case Q_GETFMT:
2198         case Q_GETINFO:
2199         case Q_GETQUOTA:
2200                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2201                 break;
2202         default:
2203                 rc = 0;  /* let the kernel handle invalid cmds */
2204                 break;
2205         }
2206         return rc;
2207 }
2208
2209 static int selinux_quota_on(struct dentry *dentry)
2210 {
2211         const struct cred *cred = current_cred();
2212
2213         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2214 }
2215
2216 static int selinux_syslog(int type)
2217 {
2218         switch (type) {
2219         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2220         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2221                 return avc_has_perm(&selinux_state,
2222                                     current_sid(), SECINITSID_KERNEL,
2223                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2224         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2225         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2226         /* Set level of messages printed to console */
2227         case SYSLOG_ACTION_CONSOLE_LEVEL:
2228                 return avc_has_perm(&selinux_state,
2229                                     current_sid(), SECINITSID_KERNEL,
2230                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2231                                     NULL);
2232         }
2233         /* All other syslog types */
2234         return avc_has_perm(&selinux_state,
2235                             current_sid(), SECINITSID_KERNEL,
2236                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2237 }
2238
2239 /*
2240  * Check that a process has enough memory to allocate a new virtual
2241  * mapping. 0 means there is enough memory for the allocation to
2242  * succeed and -ENOMEM implies there is not.
2243  *
2244  * Do not audit the selinux permission check, as this is applied to all
2245  * processes that allocate mappings.
2246  */
2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2248 {
2249         int rc, cap_sys_admin = 0;
2250
2251         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2252                                  CAP_OPT_NOAUDIT, true);
2253         if (rc == 0)
2254                 cap_sys_admin = 1;
2255
2256         return cap_sys_admin;
2257 }
2258
2259 /* binprm security operations */
2260
2261 static u32 ptrace_parent_sid(void)
2262 {
2263         u32 sid = 0;
2264         struct task_struct *tracer;
2265
2266         rcu_read_lock();
2267         tracer = ptrace_parent(current);
2268         if (tracer)
2269                 sid = task_sid(tracer);
2270         rcu_read_unlock();
2271
2272         return sid;
2273 }
2274
2275 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2276                             const struct task_security_struct *old_tsec,
2277                             const struct task_security_struct *new_tsec)
2278 {
2279         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2280         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2281         int rc;
2282         u32 av;
2283
2284         if (!nnp && !nosuid)
2285                 return 0; /* neither NNP nor nosuid */
2286
2287         if (new_tsec->sid == old_tsec->sid)
2288                 return 0; /* No change in credentials */
2289
2290         /*
2291          * If the policy enables the nnp_nosuid_transition policy capability,
2292          * then we permit transitions under NNP or nosuid if the
2293          * policy allows the corresponding permission between
2294          * the old and new contexts.
2295          */
2296         if (selinux_policycap_nnp_nosuid_transition()) {
2297                 av = 0;
2298                 if (nnp)
2299                         av |= PROCESS2__NNP_TRANSITION;
2300                 if (nosuid)
2301                         av |= PROCESS2__NOSUID_TRANSITION;
2302                 rc = avc_has_perm(&selinux_state,
2303                                   old_tsec->sid, new_tsec->sid,
2304                                   SECCLASS_PROCESS2, av, NULL);
2305                 if (!rc)
2306                         return 0;
2307         }
2308
2309         /*
2310          * We also permit NNP or nosuid transitions to bounded SIDs,
2311          * i.e. SIDs that are guaranteed to only be allowed a subset
2312          * of the permissions of the current SID.
2313          */
2314         rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2315                                          new_tsec->sid);
2316         if (!rc)
2317                 return 0;
2318
2319         /*
2320          * On failure, preserve the errno values for NNP vs nosuid.
2321          * NNP:  Operation not permitted for caller.
2322          * nosuid:  Permission denied to file.
2323          */
2324         if (nnp)
2325                 return -EPERM;
2326         return -EACCES;
2327 }
2328
2329 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2330 {
2331         const struct task_security_struct *old_tsec;
2332         struct task_security_struct *new_tsec;
2333         struct inode_security_struct *isec;
2334         struct common_audit_data ad;
2335         struct inode *inode = file_inode(bprm->file);
2336         int rc;
2337
2338         /* SELinux context only depends on initial program or script and not
2339          * the script interpreter */
2340         if (bprm->called_set_creds)
2341                 return 0;
2342
2343         old_tsec = selinux_cred(current_cred());
2344         new_tsec = selinux_cred(bprm->cred);
2345         isec = inode_security(inode);
2346
2347         /* Default to the current task SID. */
2348         new_tsec->sid = old_tsec->sid;
2349         new_tsec->osid = old_tsec->sid;
2350
2351         /* Reset fs, key, and sock SIDs on execve. */
2352         new_tsec->create_sid = 0;
2353         new_tsec->keycreate_sid = 0;
2354         new_tsec->sockcreate_sid = 0;
2355
2356         if (old_tsec->exec_sid) {
2357                 new_tsec->sid = old_tsec->exec_sid;
2358                 /* Reset exec SID on execve. */
2359                 new_tsec->exec_sid = 0;
2360
2361                 /* Fail on NNP or nosuid if not an allowed transition. */
2362                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2363                 if (rc)
2364                         return rc;
2365         } else {
2366                 /* Check for a default transition on this program. */
2367                 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2368                                              isec->sid, SECCLASS_PROCESS, NULL,
2369                                              &new_tsec->sid);
2370                 if (rc)
2371                         return rc;
2372
2373                 /*
2374                  * Fallback to old SID on NNP or nosuid if not an allowed
2375                  * transition.
2376                  */
2377                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2378                 if (rc)
2379                         new_tsec->sid = old_tsec->sid;
2380         }
2381
2382         ad.type = LSM_AUDIT_DATA_FILE;
2383         ad.u.file = bprm->file;
2384
2385         if (new_tsec->sid == old_tsec->sid) {
2386                 rc = avc_has_perm(&selinux_state,
2387                                   old_tsec->sid, isec->sid,
2388                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2389                 if (rc)
2390                         return rc;
2391         } else {
2392                 /* Check permissions for the transition. */
2393                 rc = avc_has_perm(&selinux_state,
2394                                   old_tsec->sid, new_tsec->sid,
2395                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2396                 if (rc)
2397                         return rc;
2398
2399                 rc = avc_has_perm(&selinux_state,
2400                                   new_tsec->sid, isec->sid,
2401                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2402                 if (rc)
2403                         return rc;
2404
2405                 /* Check for shared state */
2406                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2407                         rc = avc_has_perm(&selinux_state,
2408                                           old_tsec->sid, new_tsec->sid,
2409                                           SECCLASS_PROCESS, PROCESS__SHARE,
2410                                           NULL);
2411                         if (rc)
2412                                 return -EPERM;
2413                 }
2414
2415                 /* Make sure that anyone attempting to ptrace over a task that
2416                  * changes its SID has the appropriate permit */
2417                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2418                         u32 ptsid = ptrace_parent_sid();
2419                         if (ptsid != 0) {
2420                                 rc = avc_has_perm(&selinux_state,
2421                                                   ptsid, new_tsec->sid,
2422                                                   SECCLASS_PROCESS,
2423                                                   PROCESS__PTRACE, NULL);
2424                                 if (rc)
2425                                         return -EPERM;
2426                         }
2427                 }
2428
2429                 /* Clear any possibly unsafe personality bits on exec: */
2430                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2431
2432                 /* Enable secure mode for SIDs transitions unless
2433                    the noatsecure permission is granted between
2434                    the two SIDs, i.e. ahp returns 0. */
2435                 rc = avc_has_perm(&selinux_state,
2436                                   old_tsec->sid, new_tsec->sid,
2437                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2438                                   NULL);
2439                 bprm->secureexec |= !!rc;
2440         }
2441
2442         return 0;
2443 }
2444
2445 static int match_file(const void *p, struct file *file, unsigned fd)
2446 {
2447         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2448 }
2449
2450 /* Derived from fs/exec.c:flush_old_files. */
2451 static inline void flush_unauthorized_files(const struct cred *cred,
2452                                             struct files_struct *files)
2453 {
2454         struct file *file, *devnull = NULL;
2455         struct tty_struct *tty;
2456         int drop_tty = 0;
2457         unsigned n;
2458
2459         tty = get_current_tty();
2460         if (tty) {
2461                 spin_lock(&tty->files_lock);
2462                 if (!list_empty(&tty->tty_files)) {
2463                         struct tty_file_private *file_priv;
2464
2465                         /* Revalidate access to controlling tty.
2466                            Use file_path_has_perm on the tty path directly
2467                            rather than using file_has_perm, as this particular
2468                            open file may belong to another process and we are
2469                            only interested in the inode-based check here. */
2470                         file_priv = list_first_entry(&tty->tty_files,
2471                                                 struct tty_file_private, list);
2472                         file = file_priv->file;
2473                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2474                                 drop_tty = 1;
2475                 }
2476                 spin_unlock(&tty->files_lock);
2477                 tty_kref_put(tty);
2478         }
2479         /* Reset controlling tty. */
2480         if (drop_tty)
2481                 no_tty();
2482
2483         /* Revalidate access to inherited open files. */
2484         n = iterate_fd(files, 0, match_file, cred);
2485         if (!n) /* none found? */
2486                 return;
2487
2488         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2489         if (IS_ERR(devnull))
2490                 devnull = NULL;
2491         /* replace all the matching ones with this */
2492         do {
2493                 replace_fd(n - 1, devnull, 0);
2494         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2495         if (devnull)
2496                 fput(devnull);
2497 }
2498
2499 /*
2500  * Prepare a process for imminent new credential changes due to exec
2501  */
2502 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2503 {
2504         struct task_security_struct *new_tsec;
2505         struct rlimit *rlim, *initrlim;
2506         int rc, i;
2507
2508         new_tsec = selinux_cred(bprm->cred);
2509         if (new_tsec->sid == new_tsec->osid)
2510                 return;
2511
2512         /* Close files for which the new task SID is not authorized. */
2513         flush_unauthorized_files(bprm->cred, current->files);
2514
2515         /* Always clear parent death signal on SID transitions. */
2516         current->pdeath_signal = 0;
2517
2518         /* Check whether the new SID can inherit resource limits from the old
2519          * SID.  If not, reset all soft limits to the lower of the current
2520          * task's hard limit and the init task's soft limit.
2521          *
2522          * Note that the setting of hard limits (even to lower them) can be
2523          * controlled by the setrlimit check.  The inclusion of the init task's
2524          * soft limit into the computation is to avoid resetting soft limits
2525          * higher than the default soft limit for cases where the default is
2526          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2527          */
2528         rc = avc_has_perm(&selinux_state,
2529                           new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2530                           PROCESS__RLIMITINH, NULL);
2531         if (rc) {
2532                 /* protect against do_prlimit() */
2533                 task_lock(current);
2534                 for (i = 0; i < RLIM_NLIMITS; i++) {
2535                         rlim = current->signal->rlim + i;
2536                         initrlim = init_task.signal->rlim + i;
2537                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2538                 }
2539                 task_unlock(current);
2540                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2541                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2542         }
2543 }
2544
2545 /*
2546  * Clean up the process immediately after the installation of new credentials
2547  * due to exec
2548  */
2549 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2550 {
2551         const struct task_security_struct *tsec = selinux_cred(current_cred());
2552         struct itimerval itimer;
2553         u32 osid, sid;
2554         int rc, i;
2555
2556         osid = tsec->osid;
2557         sid = tsec->sid;
2558
2559         if (sid == osid)
2560                 return;
2561
2562         /* Check whether the new SID can inherit signal state from the old SID.
2563          * If not, clear itimers to avoid subsequent signal generation and
2564          * flush and unblock signals.
2565          *
2566          * This must occur _after_ the task SID has been updated so that any
2567          * kill done after the flush will be checked against the new SID.
2568          */
2569         rc = avc_has_perm(&selinux_state,
2570                           osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2571         if (rc) {
2572                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2573                         memset(&itimer, 0, sizeof itimer);
2574                         for (i = 0; i < 3; i++)
2575                                 do_setitimer(i, &itimer, NULL);
2576                 }
2577                 spin_lock_irq(&current->sighand->siglock);
2578                 if (!fatal_signal_pending(current)) {
2579                         flush_sigqueue(&current->pending);
2580                         flush_sigqueue(&current->signal->shared_pending);
2581                         flush_signal_handlers(current, 1);
2582                         sigemptyset(&current->blocked);
2583                         recalc_sigpending();
2584                 }
2585                 spin_unlock_irq(&current->sighand->siglock);
2586         }
2587
2588         /* Wake up the parent if it is waiting so that it can recheck
2589          * wait permission to the new task SID. */
2590         read_lock(&tasklist_lock);
2591         __wake_up_parent(current, current->real_parent);
2592         read_unlock(&tasklist_lock);
2593 }
2594
2595 /* superblock security operations */
2596
2597 static int selinux_sb_alloc_security(struct super_block *sb)
2598 {
2599         return superblock_alloc_security(sb);
2600 }
2601
2602 static void selinux_sb_free_security(struct super_block *sb)
2603 {
2604         superblock_free_security(sb);
2605 }
2606
2607 static inline int opt_len(const char *s)
2608 {
2609         bool open_quote = false;
2610         int len;
2611         char c;
2612
2613         for (len = 0; (c = s[len]) != '\0'; len++) {
2614                 if (c == '"')
2615                         open_quote = !open_quote;
2616                 if (c == ',' && !open_quote)
2617                         break;
2618         }
2619         return len;
2620 }
2621
2622 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2623 {
2624         char *from = options;
2625         char *to = options;
2626         bool first = true;
2627         int rc;
2628
2629         while (1) {
2630                 int len = opt_len(from);
2631                 int token;
2632                 char *arg = NULL;
2633
2634                 token = match_opt_prefix(from, len, &arg);
2635
2636                 if (token != Opt_error) {
2637                         char *p, *q;
2638
2639                         /* strip quotes */
2640                         if (arg) {
2641                                 for (p = q = arg; p < from + len; p++) {
2642                                         char c = *p;
2643                                         if (c != '"')
2644                                                 *q++ = c;
2645                                 }
2646                                 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2647                                 if (!arg) {
2648                                         rc = -ENOMEM;
2649                                         goto free_opt;
2650                                 }
2651                         }
2652                         rc = selinux_add_opt(token, arg, mnt_opts);
2653                         if (unlikely(rc)) {
2654                                 kfree(arg);
2655                                 goto free_opt;
2656                         }
2657                 } else {
2658                         if (!first) {   // copy with preceding comma
2659                                 from--;
2660                                 len++;
2661                         }
2662                         if (to != from)
2663                                 memmove(to, from, len);
2664                         to += len;
2665                         first = false;
2666                 }
2667                 if (!from[len])
2668                         break;
2669                 from += len + 1;
2670         }
2671         *to = '\0';
2672         return 0;
2673
2674 free_opt:
2675         if (*mnt_opts) {
2676                 selinux_free_mnt_opts(*mnt_opts);
2677                 *mnt_opts = NULL;
2678         }
2679         return rc;
2680 }
2681
2682 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2683 {
2684         struct selinux_mnt_opts *opts = mnt_opts;
2685         struct superblock_security_struct *sbsec = sb->s_security;
2686         u32 sid;
2687         int rc;
2688
2689         if (!(sbsec->flags & SE_SBINITIALIZED))
2690                 return 0;
2691
2692         if (!opts)
2693                 return 0;
2694
2695         if (opts->fscontext) {
2696                 rc = parse_sid(sb, opts->fscontext, &sid);
2697                 if (rc)
2698                         return rc;
2699                 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2700                         goto out_bad_option;
2701         }
2702         if (opts->context) {
2703                 rc = parse_sid(sb, opts->context, &sid);
2704                 if (rc)
2705                         return rc;
2706                 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2707                         goto out_bad_option;
2708         }
2709         if (opts->rootcontext) {
2710                 struct inode_security_struct *root_isec;
2711                 root_isec = backing_inode_security(sb->s_root);
2712                 rc = parse_sid(sb, opts->rootcontext, &sid);
2713                 if (rc)
2714                         return rc;
2715                 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2716                         goto out_bad_option;
2717         }
2718         if (opts->defcontext) {
2719                 rc = parse_sid(sb, opts->defcontext, &sid);
2720                 if (rc)
2721                         return rc;
2722                 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2723                         goto out_bad_option;
2724         }
2725         return 0;
2726
2727 out_bad_option:
2728         pr_warn("SELinux: unable to change security options "
2729                "during remount (dev %s, type=%s)\n", sb->s_id,
2730                sb->s_type->name);
2731         return -EINVAL;
2732 }
2733
2734 static int selinux_sb_kern_mount(struct super_block *sb)
2735 {
2736         const struct cred *cred = current_cred();
2737         struct common_audit_data ad;
2738
2739         ad.type = LSM_AUDIT_DATA_DENTRY;
2740         ad.u.dentry = sb->s_root;
2741         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2742 }
2743
2744 static int selinux_sb_statfs(struct dentry *dentry)
2745 {
2746         const struct cred *cred = current_cred();
2747         struct common_audit_data ad;
2748
2749         ad.type = LSM_AUDIT_DATA_DENTRY;
2750         ad.u.dentry = dentry->d_sb->s_root;
2751         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2752 }
2753
2754 static int selinux_mount(const char *dev_name,
2755                          const struct path *path,
2756                          const char *type,
2757                          unsigned long flags,
2758                          void *data)
2759 {
2760         const struct cred *cred = current_cred();
2761
2762         if (flags & MS_REMOUNT)
2763                 return superblock_has_perm(cred, path->dentry->d_sb,
2764                                            FILESYSTEM__REMOUNT, NULL);
2765         else
2766                 return path_has_perm(cred, path, FILE__MOUNTON);
2767 }
2768
2769 static int selinux_umount(struct vfsmount *mnt, int flags)
2770 {
2771         const struct cred *cred = current_cred();
2772
2773         return superblock_has_perm(cred, mnt->mnt_sb,
2774                                    FILESYSTEM__UNMOUNT, NULL);
2775 }
2776
2777 static int selinux_fs_context_dup(struct fs_context *fc,
2778                                   struct fs_context *src_fc)
2779 {
2780         const struct selinux_mnt_opts *src = src_fc->security;
2781         struct selinux_mnt_opts *opts;
2782
2783         if (!src)
2784                 return 0;
2785
2786         fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2787         if (!fc->security)
2788                 return -ENOMEM;
2789
2790         opts = fc->security;
2791
2792         if (src->fscontext) {
2793                 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2794                 if (!opts->fscontext)
2795                         return -ENOMEM;
2796         }
2797         if (src->context) {
2798                 opts->context = kstrdup(src->context, GFP_KERNEL);
2799                 if (!opts->context)
2800                         return -ENOMEM;
2801         }
2802         if (src->rootcontext) {
2803                 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2804                 if (!opts->rootcontext)
2805                         return -ENOMEM;
2806         }
2807         if (src->defcontext) {
2808                 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2809                 if (!opts->defcontext)
2810                         return -ENOMEM;
2811         }
2812         return 0;
2813 }
2814
2815 static const struct fs_parameter_spec selinux_param_specs[] = {
2816         fsparam_string(CONTEXT_STR,     Opt_context),
2817         fsparam_string(DEFCONTEXT_STR,  Opt_defcontext),
2818         fsparam_string(FSCONTEXT_STR,   Opt_fscontext),
2819         fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2820         fsparam_flag  (SECLABEL_STR,    Opt_seclabel),
2821         {}
2822 };
2823
2824 static const struct fs_parameter_description selinux_fs_parameters = {
2825         .name           = "SELinux",
2826         .specs          = selinux_param_specs,
2827 };
2828
2829 static int selinux_fs_context_parse_param(struct fs_context *fc,
2830                                           struct fs_parameter *param)
2831 {
2832         struct fs_parse_result result;
2833         int opt, rc;
2834
2835         opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2836         if (opt < 0)
2837                 return opt;
2838
2839         rc = selinux_add_opt(opt, param->string, &fc->security);
2840         if (!rc) {
2841                 param->string = NULL;
2842                 rc = 1;
2843         }
2844         return rc;
2845 }
2846
2847 /* inode security operations */
2848
2849 static int selinux_inode_alloc_security(struct inode *inode)
2850 {
2851         return inode_alloc_security(inode);
2852 }
2853
2854 static void selinux_inode_free_security(struct inode *inode)
2855 {
2856         inode_free_security(inode);
2857 }
2858
2859 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2860                                         const struct qstr *name, void **ctx,
2861                                         u32 *ctxlen)
2862 {
2863         u32 newsid;
2864         int rc;
2865
2866         rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2867                                            d_inode(dentry->d_parent), name,
2868                                            inode_mode_to_security_class(mode),
2869                                            &newsid);
2870         if (rc)
2871                 return rc;
2872
2873         return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2874                                        ctxlen);
2875 }
2876
2877 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2878                                           struct qstr *name,
2879                                           const struct cred *old,
2880                                           struct cred *new)
2881 {
2882         u32 newsid;
2883         int rc;
2884         struct task_security_struct *tsec;
2885
2886         rc = selinux_determine_inode_label(selinux_cred(old),
2887                                            d_inode(dentry->d_parent), name,
2888                                            inode_mode_to_security_class(mode),
2889                                            &newsid);
2890         if (rc)
2891                 return rc;
2892
2893         tsec = selinux_cred(new);
2894         tsec->create_sid = newsid;
2895         return 0;
2896 }
2897
2898 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2899                                        const struct qstr *qstr,
2900                                        const char **name,
2901                                        void **value, size_t *len)
2902 {
2903         const struct task_security_struct *tsec = selinux_cred(current_cred());
2904         struct superblock_security_struct *sbsec;
2905         u32 newsid, clen;
2906         int rc;
2907         char *context;
2908
2909         sbsec = dir->i_sb->s_security;
2910
2911         newsid = tsec->create_sid;
2912
2913         rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2914                 dir, qstr,
2915                 inode_mode_to_security_class(inode->i_mode),
2916                 &newsid);
2917         if (rc)
2918                 return rc;
2919
2920         /* Possibly defer initialization to selinux_complete_init. */
2921         if (sbsec->flags & SE_SBINITIALIZED) {
2922                 struct inode_security_struct *isec = selinux_inode(inode);
2923                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2924                 isec->sid = newsid;
2925                 isec->initialized = LABEL_INITIALIZED;
2926         }
2927
2928         if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2929                 return -EOPNOTSUPP;
2930
2931         if (name)
2932                 *name = XATTR_SELINUX_SUFFIX;
2933
2934         if (value && len) {
2935                 rc = security_sid_to_context_force(&selinux_state, newsid,
2936                                                    &context, &clen);
2937                 if (rc)
2938                         return rc;
2939                 *value = context;
2940                 *len = clen;
2941         }
2942
2943         return 0;
2944 }
2945
2946 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2947 {
2948         return may_create(dir, dentry, SECCLASS_FILE);
2949 }
2950
2951 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2952 {
2953         return may_link(dir, old_dentry, MAY_LINK);
2954 }
2955
2956 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2957 {
2958         return may_link(dir, dentry, MAY_UNLINK);
2959 }
2960
2961 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2962 {
2963         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2964 }
2965
2966 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2967 {
2968         return may_create(dir, dentry, SECCLASS_DIR);
2969 }
2970
2971 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2972 {
2973         return may_link(dir, dentry, MAY_RMDIR);
2974 }
2975
2976 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2977 {
2978         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2979 }
2980
2981 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2982                                 struct inode *new_inode, struct dentry *new_dentry)
2983 {
2984         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2985 }
2986
2987 static int selinux_inode_readlink(struct dentry *dentry)
2988 {
2989         const struct cred *cred = current_cred();
2990
2991         return dentry_has_perm(cred, dentry, FILE__READ);
2992 }
2993
2994 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2995                                      bool rcu)
2996 {
2997         const struct cred *cred = current_cred();
2998         struct common_audit_data ad;
2999         struct inode_security_struct *isec;
3000         u32 sid;
3001
3002         validate_creds(cred);
3003
3004         ad.type = LSM_AUDIT_DATA_DENTRY;
3005         ad.u.dentry = dentry;
3006         sid = cred_sid(cred);
3007         isec = inode_security_rcu(inode, rcu);
3008         if (IS_ERR(isec))
3009                 return PTR_ERR(isec);
3010
3011         return avc_has_perm(&selinux_state,
3012                             sid, isec->sid, isec->sclass, FILE__READ, &ad);
3013 }
3014
3015 static noinline int audit_inode_permission(struct inode *inode,
3016                                            u32 perms, u32 audited, u32 denied,
3017                                            int result,
3018                                            unsigned flags)
3019 {
3020         struct common_audit_data ad;
3021         struct inode_security_struct *isec = selinux_inode(inode);
3022         int rc;
3023
3024         ad.type = LSM_AUDIT_DATA_INODE;
3025         ad.u.inode = inode;
3026
3027         rc = slow_avc_audit(&selinux_state,
3028                             current_sid(), isec->sid, isec->sclass, perms,
3029                             audited, denied, result, &ad, flags);
3030         if (rc)
3031                 return rc;
3032         return 0;
3033 }
3034
3035 static int selinux_inode_permission(struct inode *inode, int mask)
3036 {
3037         const struct cred *cred = current_cred();
3038         u32 perms;
3039         bool from_access;
3040         unsigned flags = mask & MAY_NOT_BLOCK;
3041         struct inode_security_struct *isec;
3042         u32 sid;
3043         struct av_decision avd;
3044         int rc, rc2;
3045         u32 audited, denied;
3046
3047         from_access = mask & MAY_ACCESS;
3048         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3049
3050         /* No permission to check.  Existence test. */
3051         if (!mask)
3052                 return 0;
3053
3054         validate_creds(cred);
3055
3056         if (unlikely(IS_PRIVATE(inode)))
3057                 return 0;
3058
3059         perms = file_mask_to_av(inode->i_mode, mask);
3060
3061         sid = cred_sid(cred);
3062         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3063         if (IS_ERR(isec))
3064                 return PTR_ERR(isec);
3065
3066         rc = avc_has_perm_noaudit(&selinux_state,
3067                                   sid, isec->sid, isec->sclass, perms,
3068                                   (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3069                                   &avd);
3070         audited = avc_audit_required(perms, &avd, rc,
3071                                      from_access ? FILE__AUDIT_ACCESS : 0,
3072                                      &denied);
3073         if (likely(!audited))
3074                 return rc;
3075
3076         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3077         if (rc2)
3078                 return rc2;
3079         return rc;
3080 }
3081
3082 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3083 {
3084         const struct cred *cred = current_cred();
3085         struct inode *inode = d_backing_inode(dentry);
3086         unsigned int ia_valid = iattr->ia_valid;
3087         __u32 av = FILE__WRITE;
3088
3089         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3090         if (ia_valid & ATTR_FORCE) {
3091                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3092                               ATTR_FORCE);
3093                 if (!ia_valid)
3094                         return 0;
3095         }
3096
3097         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3098                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3099                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3100
3101         if (selinux_policycap_openperm() &&
3102             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3103             (ia_valid & ATTR_SIZE) &&
3104             !(ia_valid & ATTR_FILE))
3105                 av |= FILE__OPEN;
3106
3107         return dentry_has_perm(cred, dentry, av);
3108 }
3109
3110 static int selinux_inode_getattr(const struct path *path)
3111 {
3112         return path_has_perm(current_cred(), path, FILE__GETATTR);
3113 }
3114
3115 static bool has_cap_mac_admin(bool audit)
3116 {
3117         const struct cred *cred = current_cred();
3118         unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3119
3120         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3121                 return false;
3122         if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3123                 return false;
3124         return true;
3125 }
3126
3127 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3128                                   const void *value, size_t size, int flags)
3129 {
3130         struct inode *inode = d_backing_inode(dentry);
3131         struct inode_security_struct *isec;
3132         struct superblock_security_struct *sbsec;
3133         struct common_audit_data ad;
3134         u32 newsid, sid = current_sid();
3135         int rc = 0;
3136
3137         if (strcmp(name, XATTR_NAME_SELINUX)) {
3138                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3139                 if (rc)
3140                         return rc;
3141
3142                 /* Not an attribute we recognize, so just check the
3143                    ordinary setattr permission. */
3144                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3145         }
3146
3147         sbsec = inode->i_sb->s_security;
3148         if (!(sbsec->flags & SBLABEL_MNT))
3149                 return -EOPNOTSUPP;
3150
3151         if (!inode_owner_or_capable(inode))
3152                 return -EPERM;
3153
3154         ad.type = LSM_AUDIT_DATA_DENTRY;
3155         ad.u.dentry = dentry;
3156
3157         isec = backing_inode_security(dentry);
3158  &