Merge tag 'secureexec-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git...
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *      This program is free software; you can redistribute it and/or modify
23  *      it under the terms of the GNU General Public License version 2,
24  *      as published by the Free Software Foundation.
25  */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>             /* for local_port_range[] */
56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>    /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h>           /* for Unix socket types */
72 #include <net/af_unix.h>        /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88
89 #include "avc.h"
90 #include "objsec.h"
91 #include "netif.h"
92 #include "netnode.h"
93 #include "netport.h"
94 #include "ibpkey.h"
95 #include "xfrm.h"
96 #include "netlabel.h"
97 #include "audit.h"
98 #include "avc_ss.h"
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108         unsigned long enforcing;
109         if (!kstrtoul(str, 0, &enforcing))
110                 selinux_enforcing = enforcing ? 1 : 0;
111         return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121         unsigned long enabled;
122         if (!kstrtoul(str, 0, &enabled))
123                 selinux_enabled = enabled ? 1 : 0;
124         return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
133
134 /**
135  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136  *
137  * Description:
138  * This function checks the SECMARK reference counter to see if any SECMARK
139  * targets are currently configured, if the reference counter is greater than
140  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
141  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
142  * policy capability is enabled, SECMARK is always considered enabled.
143  *
144  */
145 static int selinux_secmark_enabled(void)
146 {
147         return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 }
149
150 /**
151  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152  *
153  * Description:
154  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
155  * (1) if any are enabled or false (0) if neither are enabled.  If the
156  * always_check_network policy capability is enabled, peer labeling
157  * is always considered enabled.
158  *
159  */
160 static int selinux_peerlbl_enabled(void)
161 {
162         return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
163 }
164
165 static int selinux_netcache_avc_callback(u32 event)
166 {
167         if (event == AVC_CALLBACK_RESET) {
168                 sel_netif_flush();
169                 sel_netnode_flush();
170                 sel_netport_flush();
171                 synchronize_net();
172         }
173         return 0;
174 }
175
176 static int selinux_lsm_notifier_avc_callback(u32 event)
177 {
178         if (event == AVC_CALLBACK_RESET) {
179                 sel_ib_pkey_flush();
180                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
181         }
182
183         return 0;
184 }
185
186 /*
187  * initialise the security for the init task
188  */
189 static void cred_init_security(void)
190 {
191         struct cred *cred = (struct cred *) current->real_cred;
192         struct task_security_struct *tsec;
193
194         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
195         if (!tsec)
196                 panic("SELinux:  Failed to initialize initial task.\n");
197
198         tsec->osid = tsec->sid = SECINITSID_KERNEL;
199         cred->security = tsec;
200 }
201
202 /*
203  * get the security ID of a set of credentials
204  */
205 static inline u32 cred_sid(const struct cred *cred)
206 {
207         const struct task_security_struct *tsec;
208
209         tsec = cred->security;
210         return tsec->sid;
211 }
212
213 /*
214  * get the objective security ID of a task
215  */
216 static inline u32 task_sid(const struct task_struct *task)
217 {
218         u32 sid;
219
220         rcu_read_lock();
221         sid = cred_sid(__task_cred(task));
222         rcu_read_unlock();
223         return sid;
224 }
225
226 /* Allocate and free functions for each kind of security blob. */
227
228 static int inode_alloc_security(struct inode *inode)
229 {
230         struct inode_security_struct *isec;
231         u32 sid = current_sid();
232
233         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234         if (!isec)
235                 return -ENOMEM;
236
237         spin_lock_init(&isec->lock);
238         INIT_LIST_HEAD(&isec->list);
239         isec->inode = inode;
240         isec->sid = SECINITSID_UNLABELED;
241         isec->sclass = SECCLASS_FILE;
242         isec->task_sid = sid;
243         isec->initialized = LABEL_INVALID;
244         inode->i_security = isec;
245
246         return 0;
247 }
248
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250
251 /*
252  * Try reloading inode security labels that have been marked as invalid.  The
253  * @may_sleep parameter indicates when sleeping and thus reloading labels is
254  * allowed; when set to false, returns -ECHILD when the label is
255  * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
256  * when no dentry is available, set it to NULL instead.
257  */
258 static int __inode_security_revalidate(struct inode *inode,
259                                        struct dentry *opt_dentry,
260                                        bool may_sleep)
261 {
262         struct inode_security_struct *isec = inode->i_security;
263
264         might_sleep_if(may_sleep);
265
266         if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
267                 if (!may_sleep)
268                         return -ECHILD;
269
270                 /*
271                  * Try reloading the inode security label.  This will fail if
272                  * @opt_dentry is NULL and no dentry for this inode can be
273                  * found; in that case, continue using the old label.
274                  */
275                 inode_doinit_with_dentry(inode, opt_dentry);
276         }
277         return 0;
278 }
279
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
281 {
282         return inode->i_security;
283 }
284
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286 {
287         int error;
288
289         error = __inode_security_revalidate(inode, NULL, !rcu);
290         if (error)
291                 return ERR_PTR(error);
292         return inode->i_security;
293 }
294
295 /*
296  * Get the security label of an inode.
297  */
298 static struct inode_security_struct *inode_security(struct inode *inode)
299 {
300         __inode_security_revalidate(inode, NULL, true);
301         return inode->i_security;
302 }
303
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
305 {
306         struct inode *inode = d_backing_inode(dentry);
307
308         return inode->i_security;
309 }
310
311 /*
312  * Get the security label of a dentry's backing inode.
313  */
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
315 {
316         struct inode *inode = d_backing_inode(dentry);
317
318         __inode_security_revalidate(inode, dentry, true);
319         return inode->i_security;
320 }
321
322 static void inode_free_rcu(struct rcu_head *head)
323 {
324         struct inode_security_struct *isec;
325
326         isec = container_of(head, struct inode_security_struct, rcu);
327         kmem_cache_free(sel_inode_cache, isec);
328 }
329
330 static void inode_free_security(struct inode *inode)
331 {
332         struct inode_security_struct *isec = inode->i_security;
333         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
334
335         /*
336          * As not all inode security structures are in a list, we check for
337          * empty list outside of the lock to make sure that we won't waste
338          * time taking a lock doing nothing.
339          *
340          * The list_del_init() function can be safely called more than once.
341          * It should not be possible for this function to be called with
342          * concurrent list_add(), but for better safety against future changes
343          * in the code, we use list_empty_careful() here.
344          */
345         if (!list_empty_careful(&isec->list)) {
346                 spin_lock(&sbsec->isec_lock);
347                 list_del_init(&isec->list);
348                 spin_unlock(&sbsec->isec_lock);
349         }
350
351         /*
352          * The inode may still be referenced in a path walk and
353          * a call to selinux_inode_permission() can be made
354          * after inode_free_security() is called. Ideally, the VFS
355          * wouldn't do this, but fixing that is a much harder
356          * job. For now, simply free the i_security via RCU, and
357          * leave the current inode->i_security pointer intact.
358          * The inode will be freed after the RCU grace period too.
359          */
360         call_rcu(&isec->rcu, inode_free_rcu);
361 }
362
363 static int file_alloc_security(struct file *file)
364 {
365         struct file_security_struct *fsec;
366         u32 sid = current_sid();
367
368         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
369         if (!fsec)
370                 return -ENOMEM;
371
372         fsec->sid = sid;
373         fsec->fown_sid = sid;
374         file->f_security = fsec;
375
376         return 0;
377 }
378
379 static void file_free_security(struct file *file)
380 {
381         struct file_security_struct *fsec = file->f_security;
382         file->f_security = NULL;
383         kmem_cache_free(file_security_cache, fsec);
384 }
385
386 static int superblock_alloc_security(struct super_block *sb)
387 {
388         struct superblock_security_struct *sbsec;
389
390         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
391         if (!sbsec)
392                 return -ENOMEM;
393
394         mutex_init(&sbsec->lock);
395         INIT_LIST_HEAD(&sbsec->isec_head);
396         spin_lock_init(&sbsec->isec_lock);
397         sbsec->sb = sb;
398         sbsec->sid = SECINITSID_UNLABELED;
399         sbsec->def_sid = SECINITSID_FILE;
400         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401         sb->s_security = sbsec;
402
403         return 0;
404 }
405
406 static void superblock_free_security(struct super_block *sb)
407 {
408         struct superblock_security_struct *sbsec = sb->s_security;
409         sb->s_security = NULL;
410         kfree(sbsec);
411 }
412
413 static inline int inode_doinit(struct inode *inode)
414 {
415         return inode_doinit_with_dentry(inode, NULL);
416 }
417
418 enum {
419         Opt_error = -1,
420         Opt_context = 1,
421         Opt_fscontext = 2,
422         Opt_defcontext = 3,
423         Opt_rootcontext = 4,
424         Opt_labelsupport = 5,
425         Opt_nextmntopt = 6,
426 };
427
428 #define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
429
430 static const match_table_t tokens = {
431         {Opt_context, CONTEXT_STR "%s"},
432         {Opt_fscontext, FSCONTEXT_STR "%s"},
433         {Opt_defcontext, DEFCONTEXT_STR "%s"},
434         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435         {Opt_labelsupport, LABELSUPP_STR},
436         {Opt_error, NULL},
437 };
438
439 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
440
441 static int may_context_mount_sb_relabel(u32 sid,
442                         struct superblock_security_struct *sbsec,
443                         const struct cred *cred)
444 {
445         const struct task_security_struct *tsec = cred->security;
446         int rc;
447
448         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449                           FILESYSTEM__RELABELFROM, NULL);
450         if (rc)
451                 return rc;
452
453         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454                           FILESYSTEM__RELABELTO, NULL);
455         return rc;
456 }
457
458 static int may_context_mount_inode_relabel(u32 sid,
459                         struct superblock_security_struct *sbsec,
460                         const struct cred *cred)
461 {
462         const struct task_security_struct *tsec = cred->security;
463         int rc;
464         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465                           FILESYSTEM__RELABELFROM, NULL);
466         if (rc)
467                 return rc;
468
469         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470                           FILESYSTEM__ASSOCIATE, NULL);
471         return rc;
472 }
473
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
475 {
476         struct superblock_security_struct *sbsec = sb->s_security;
477
478         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480                 sbsec->behavior == SECURITY_FS_USE_TASK ||
481                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482                 /* Special handling. Genfs but also in-core setxattr handler */
483                 !strcmp(sb->s_type->name, "sysfs") ||
484                 !strcmp(sb->s_type->name, "pstore") ||
485                 !strcmp(sb->s_type->name, "debugfs") ||
486                 !strcmp(sb->s_type->name, "tracefs") ||
487                 !strcmp(sb->s_type->name, "rootfs") ||
488                 (selinux_policycap_cgroupseclabel &&
489                  (!strcmp(sb->s_type->name, "cgroup") ||
490                   !strcmp(sb->s_type->name, "cgroup2")));
491 }
492
493 static int sb_finish_set_opts(struct super_block *sb)
494 {
495         struct superblock_security_struct *sbsec = sb->s_security;
496         struct dentry *root = sb->s_root;
497         struct inode *root_inode = d_backing_inode(root);
498         int rc = 0;
499
500         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501                 /* Make sure that the xattr handler exists and that no
502                    error other than -ENODATA is returned by getxattr on
503                    the root directory.  -ENODATA is ok, as this may be
504                    the first boot of the SELinux kernel before we have
505                    assigned xattr values to the filesystem. */
506                 if (!(root_inode->i_opflags & IOP_XATTR)) {
507                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508                                "xattr support\n", sb->s_id, sb->s_type->name);
509                         rc = -EOPNOTSUPP;
510                         goto out;
511                 }
512
513                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514                 if (rc < 0 && rc != -ENODATA) {
515                         if (rc == -EOPNOTSUPP)
516                                 printk(KERN_WARNING "SELinux: (dev %s, type "
517                                        "%s) has no security xattr handler\n",
518                                        sb->s_id, sb->s_type->name);
519                         else
520                                 printk(KERN_WARNING "SELinux: (dev %s, type "
521                                        "%s) getxattr errno %d\n", sb->s_id,
522                                        sb->s_type->name, -rc);
523                         goto out;
524                 }
525         }
526
527         sbsec->flags |= SE_SBINITIALIZED;
528
529         /*
530          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
531          * leave the flag untouched because sb_clone_mnt_opts might be handing
532          * us a superblock that needs the flag to be cleared.
533          */
534         if (selinux_is_sblabel_mnt(sb))
535                 sbsec->flags |= SBLABEL_MNT;
536         else
537                 sbsec->flags &= ~SBLABEL_MNT;
538
539         /* Initialize the root inode. */
540         rc = inode_doinit_with_dentry(root_inode, root);
541
542         /* Initialize any other inodes associated with the superblock, e.g.
543            inodes created prior to initial policy load or inodes created
544            during get_sb by a pseudo filesystem that directly
545            populates itself. */
546         spin_lock(&sbsec->isec_lock);
547 next_inode:
548         if (!list_empty(&sbsec->isec_head)) {
549                 struct inode_security_struct *isec =
550                                 list_entry(sbsec->isec_head.next,
551                                            struct inode_security_struct, list);
552                 struct inode *inode = isec->inode;
553                 list_del_init(&isec->list);
554                 spin_unlock(&sbsec->isec_lock);
555                 inode = igrab(inode);
556                 if (inode) {
557                         if (!IS_PRIVATE(inode))
558                                 inode_doinit(inode);
559                         iput(inode);
560                 }
561                 spin_lock(&sbsec->isec_lock);
562                 goto next_inode;
563         }
564         spin_unlock(&sbsec->isec_lock);
565 out:
566         return rc;
567 }
568
569 /*
570  * This function should allow an FS to ask what it's mount security
571  * options were so it can use those later for submounts, displaying
572  * mount options, or whatever.
573  */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575                                 struct security_mnt_opts *opts)
576 {
577         int rc = 0, i;
578         struct superblock_security_struct *sbsec = sb->s_security;
579         char *context = NULL;
580         u32 len;
581         char tmp;
582
583         security_init_mnt_opts(opts);
584
585         if (!(sbsec->flags & SE_SBINITIALIZED))
586                 return -EINVAL;
587
588         if (!ss_initialized)
589                 return -EINVAL;
590
591         /* make sure we always check enough bits to cover the mask */
592         BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
594         tmp = sbsec->flags & SE_MNTMASK;
595         /* count the number of mount options for this sb */
596         for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597                 if (tmp & 0x01)
598                         opts->num_mnt_opts++;
599                 tmp >>= 1;
600         }
601         /* Check if the Label support flag is set */
602         if (sbsec->flags & SBLABEL_MNT)
603                 opts->num_mnt_opts++;
604
605         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606         if (!opts->mnt_opts) {
607                 rc = -ENOMEM;
608                 goto out_free;
609         }
610
611         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612         if (!opts->mnt_opts_flags) {
613                 rc = -ENOMEM;
614                 goto out_free;
615         }
616
617         i = 0;
618         if (sbsec->flags & FSCONTEXT_MNT) {
619                 rc = security_sid_to_context(sbsec->sid, &context, &len);
620                 if (rc)
621                         goto out_free;
622                 opts->mnt_opts[i] = context;
623                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624         }
625         if (sbsec->flags & CONTEXT_MNT) {
626                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627                 if (rc)
628                         goto out_free;
629                 opts->mnt_opts[i] = context;
630                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631         }
632         if (sbsec->flags & DEFCONTEXT_MNT) {
633                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634                 if (rc)
635                         goto out_free;
636                 opts->mnt_opts[i] = context;
637                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638         }
639         if (sbsec->flags & ROOTCONTEXT_MNT) {
640                 struct dentry *root = sbsec->sb->s_root;
641                 struct inode_security_struct *isec = backing_inode_security(root);
642
643                 rc = security_sid_to_context(isec->sid, &context, &len);
644                 if (rc)
645                         goto out_free;
646                 opts->mnt_opts[i] = context;
647                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648         }
649         if (sbsec->flags & SBLABEL_MNT) {
650                 opts->mnt_opts[i] = NULL;
651                 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652         }
653
654         BUG_ON(i != opts->num_mnt_opts);
655
656         return 0;
657
658 out_free:
659         security_free_mnt_opts(opts);
660         return rc;
661 }
662
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664                       u32 old_sid, u32 new_sid)
665 {
666         char mnt_flags = sbsec->flags & SE_MNTMASK;
667
668         /* check if the old mount command had the same options */
669         if (sbsec->flags & SE_SBINITIALIZED)
670                 if (!(sbsec->flags & flag) ||
671                     (old_sid != new_sid))
672                         return 1;
673
674         /* check if we were passed the same options twice,
675          * aka someone passed context=a,context=b
676          */
677         if (!(sbsec->flags & SE_SBINITIALIZED))
678                 if (mnt_flags & flag)
679                         return 1;
680         return 0;
681 }
682
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688                                 struct security_mnt_opts *opts,
689                                 unsigned long kern_flags,
690                                 unsigned long *set_kern_flags)
691 {
692         const struct cred *cred = current_cred();
693         int rc = 0, i;
694         struct superblock_security_struct *sbsec = sb->s_security;
695         const char *name = sb->s_type->name;
696         struct dentry *root = sbsec->sb->s_root;
697         struct inode_security_struct *root_isec;
698         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699         u32 defcontext_sid = 0;
700         char **mount_options = opts->mnt_opts;
701         int *flags = opts->mnt_opts_flags;
702         int num_opts = opts->num_mnt_opts;
703
704         mutex_lock(&sbsec->lock);
705
706         if (!ss_initialized) {
707                 if (!num_opts) {
708                         /* Defer initialization until selinux_complete_init,
709                            after the initial policy is loaded and the security
710                            server is ready to handle calls. */
711                         goto out;
712                 }
713                 rc = -EINVAL;
714                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715                         "before the security server is initialized\n");
716                 goto out;
717         }
718         if (kern_flags && !set_kern_flags) {
719                 /* Specifying internal flags without providing a place to
720                  * place the results is not allowed */
721                 rc = -EINVAL;
722                 goto out;
723         }
724
725         /*
726          * Binary mount data FS will come through this function twice.  Once
727          * from an explicit call and once from the generic calls from the vfs.
728          * Since the generic VFS calls will not contain any security mount data
729          * we need to skip the double mount verification.
730          *
731          * This does open a hole in which we will not notice if the first
732          * mount using this sb set explict options and a second mount using
733          * this sb does not set any security options.  (The first options
734          * will be used for both mounts)
735          */
736         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737             && (num_opts == 0))
738                 goto out;
739
740         root_isec = backing_inode_security_novalidate(root);
741
742         /*
743          * parse the mount options, check if they are valid sids.
744          * also check if someone is trying to mount the same sb more
745          * than once with different security options.
746          */
747         for (i = 0; i < num_opts; i++) {
748                 u32 sid;
749
750                 if (flags[i] == SBLABEL_MNT)
751                         continue;
752                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753                 if (rc) {
754                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755                                "(%s) failed for (dev %s, type %s) errno=%d\n",
756                                mount_options[i], sb->s_id, name, rc);
757                         goto out;
758                 }
759                 switch (flags[i]) {
760                 case FSCONTEXT_MNT:
761                         fscontext_sid = sid;
762
763                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764                                         fscontext_sid))
765                                 goto out_double_mount;
766
767                         sbsec->flags |= FSCONTEXT_MNT;
768                         break;
769                 case CONTEXT_MNT:
770                         context_sid = sid;
771
772                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773                                         context_sid))
774                                 goto out_double_mount;
775
776                         sbsec->flags |= CONTEXT_MNT;
777                         break;
778                 case ROOTCONTEXT_MNT:
779                         rootcontext_sid = sid;
780
781                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782                                         rootcontext_sid))
783                                 goto out_double_mount;
784
785                         sbsec->flags |= ROOTCONTEXT_MNT;
786
787                         break;
788                 case DEFCONTEXT_MNT:
789                         defcontext_sid = sid;
790
791                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792                                         defcontext_sid))
793                                 goto out_double_mount;
794
795                         sbsec->flags |= DEFCONTEXT_MNT;
796
797                         break;
798                 default:
799                         rc = -EINVAL;
800                         goto out;
801                 }
802         }
803
804         if (sbsec->flags & SE_SBINITIALIZED) {
805                 /* previously mounted with options, but not on this attempt? */
806                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807                         goto out_double_mount;
808                 rc = 0;
809                 goto out;
810         }
811
812         if (strcmp(sb->s_type->name, "proc") == 0)
813                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
815         if (!strcmp(sb->s_type->name, "debugfs") ||
816             !strcmp(sb->s_type->name, "tracefs") ||
817             !strcmp(sb->s_type->name, "sysfs") ||
818             !strcmp(sb->s_type->name, "pstore"))
819                 sbsec->flags |= SE_SBGENFS;
820
821         if (!sbsec->behavior) {
822                 /*
823                  * Determine the labeling behavior to use for this
824                  * filesystem type.
825                  */
826                 rc = security_fs_use(sb);
827                 if (rc) {
828                         printk(KERN_WARNING
829                                 "%s: security_fs_use(%s) returned %d\n",
830                                         __func__, sb->s_type->name, rc);
831                         goto out;
832                 }
833         }
834
835         /*
836          * If this is a user namespace mount and the filesystem type is not
837          * explicitly whitelisted, then no contexts are allowed on the command
838          * line and security labels must be ignored.
839          */
840         if (sb->s_user_ns != &init_user_ns &&
841             strcmp(sb->s_type->name, "tmpfs") &&
842             strcmp(sb->s_type->name, "ramfs") &&
843             strcmp(sb->s_type->name, "devpts")) {
844                 if (context_sid || fscontext_sid || rootcontext_sid ||
845                     defcontext_sid) {
846                         rc = -EACCES;
847                         goto out;
848                 }
849                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
850                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
851                         rc = security_transition_sid(current_sid(), current_sid(),
852                                                      SECCLASS_FILE, NULL,
853                                                      &sbsec->mntpoint_sid);
854                         if (rc)
855                                 goto out;
856                 }
857                 goto out_set_opts;
858         }
859
860         /* sets the context of the superblock for the fs being mounted. */
861         if (fscontext_sid) {
862                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
863                 if (rc)
864                         goto out;
865
866                 sbsec->sid = fscontext_sid;
867         }
868
869         /*
870          * Switch to using mount point labeling behavior.
871          * sets the label used on all file below the mountpoint, and will set
872          * the superblock context if not already set.
873          */
874         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
875                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
876                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
877         }
878
879         if (context_sid) {
880                 if (!fscontext_sid) {
881                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
882                                                           cred);
883                         if (rc)
884                                 goto out;
885                         sbsec->sid = context_sid;
886                 } else {
887                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
888                                                              cred);
889                         if (rc)
890                                 goto out;
891                 }
892                 if (!rootcontext_sid)
893                         rootcontext_sid = context_sid;
894
895                 sbsec->mntpoint_sid = context_sid;
896                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
897         }
898
899         if (rootcontext_sid) {
900                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
901                                                      cred);
902                 if (rc)
903                         goto out;
904
905                 root_isec->sid = rootcontext_sid;
906                 root_isec->initialized = LABEL_INITIALIZED;
907         }
908
909         if (defcontext_sid) {
910                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
911                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
912                         rc = -EINVAL;
913                         printk(KERN_WARNING "SELinux: defcontext option is "
914                                "invalid for this filesystem type\n");
915                         goto out;
916                 }
917
918                 if (defcontext_sid != sbsec->def_sid) {
919                         rc = may_context_mount_inode_relabel(defcontext_sid,
920                                                              sbsec, cred);
921                         if (rc)
922                                 goto out;
923                 }
924
925                 sbsec->def_sid = defcontext_sid;
926         }
927
928 out_set_opts:
929         rc = sb_finish_set_opts(sb);
930 out:
931         mutex_unlock(&sbsec->lock);
932         return rc;
933 out_double_mount:
934         rc = -EINVAL;
935         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
936                "security settings for (dev %s, type %s)\n", sb->s_id, name);
937         goto out;
938 }
939
940 static int selinux_cmp_sb_context(const struct super_block *oldsb,
941                                     const struct super_block *newsb)
942 {
943         struct superblock_security_struct *old = oldsb->s_security;
944         struct superblock_security_struct *new = newsb->s_security;
945         char oldflags = old->flags & SE_MNTMASK;
946         char newflags = new->flags & SE_MNTMASK;
947
948         if (oldflags != newflags)
949                 goto mismatch;
950         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
951                 goto mismatch;
952         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
953                 goto mismatch;
954         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
955                 goto mismatch;
956         if (oldflags & ROOTCONTEXT_MNT) {
957                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
958                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
959                 if (oldroot->sid != newroot->sid)
960                         goto mismatch;
961         }
962         return 0;
963 mismatch:
964         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
965                             "different security settings for (dev %s, "
966                             "type %s)\n", newsb->s_id, newsb->s_type->name);
967         return -EBUSY;
968 }
969
970 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
971                                         struct super_block *newsb,
972                                         unsigned long kern_flags,
973                                         unsigned long *set_kern_flags)
974 {
975         int rc = 0;
976         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
977         struct superblock_security_struct *newsbsec = newsb->s_security;
978
979         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
980         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
981         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
982
983         /*
984          * if the parent was able to be mounted it clearly had no special lsm
985          * mount options.  thus we can safely deal with this superblock later
986          */
987         if (!ss_initialized)
988                 return 0;
989
990         /*
991          * Specifying internal flags without providing a place to
992          * place the results is not allowed.
993          */
994         if (kern_flags && !set_kern_flags)
995                 return -EINVAL;
996
997         /* how can we clone if the old one wasn't set up?? */
998         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
999
1000         /* if fs is reusing a sb, make sure that the contexts match */
1001         if (newsbsec->flags & SE_SBINITIALIZED)
1002                 return selinux_cmp_sb_context(oldsb, newsb);
1003
1004         mutex_lock(&newsbsec->lock);
1005
1006         newsbsec->flags = oldsbsec->flags;
1007
1008         newsbsec->sid = oldsbsec->sid;
1009         newsbsec->def_sid = oldsbsec->def_sid;
1010         newsbsec->behavior = oldsbsec->behavior;
1011
1012         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1013                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1014                 rc = security_fs_use(newsb);
1015                 if (rc)
1016                         goto out;
1017         }
1018
1019         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1020                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1021                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1022         }
1023
1024         if (set_context) {
1025                 u32 sid = oldsbsec->mntpoint_sid;
1026
1027                 if (!set_fscontext)
1028                         newsbsec->sid = sid;
1029                 if (!set_rootcontext) {
1030                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1031                         newisec->sid = sid;
1032                 }
1033                 newsbsec->mntpoint_sid = sid;
1034         }
1035         if (set_rootcontext) {
1036                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1037                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1038
1039                 newisec->sid = oldisec->sid;
1040         }
1041
1042         sb_finish_set_opts(newsb);
1043 out:
1044         mutex_unlock(&newsbsec->lock);
1045         return rc;
1046 }
1047
1048 static int selinux_parse_opts_str(char *options,
1049                                   struct security_mnt_opts *opts)
1050 {
1051         char *p;
1052         char *context = NULL, *defcontext = NULL;
1053         char *fscontext = NULL, *rootcontext = NULL;
1054         int rc, num_mnt_opts = 0;
1055
1056         opts->num_mnt_opts = 0;
1057
1058         /* Standard string-based options. */
1059         while ((p = strsep(&options, "|")) != NULL) {
1060                 int token;
1061                 substring_t args[MAX_OPT_ARGS];
1062
1063                 if (!*p)
1064                         continue;
1065
1066                 token = match_token(p, tokens, args);
1067
1068                 switch (token) {
1069                 case Opt_context:
1070                         if (context || defcontext) {
1071                                 rc = -EINVAL;
1072                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1073                                 goto out_err;
1074                         }
1075                         context = match_strdup(&args[0]);
1076                         if (!context) {
1077                                 rc = -ENOMEM;
1078                                 goto out_err;
1079                         }
1080                         break;
1081
1082                 case Opt_fscontext:
1083                         if (fscontext) {
1084                                 rc = -EINVAL;
1085                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1086                                 goto out_err;
1087                         }
1088                         fscontext = match_strdup(&args[0]);
1089                         if (!fscontext) {
1090                                 rc = -ENOMEM;
1091                                 goto out_err;
1092                         }
1093                         break;
1094
1095                 case Opt_rootcontext:
1096                         if (rootcontext) {
1097                                 rc = -EINVAL;
1098                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1099                                 goto out_err;
1100                         }
1101                         rootcontext = match_strdup(&args[0]);
1102                         if (!rootcontext) {
1103                                 rc = -ENOMEM;
1104                                 goto out_err;
1105                         }
1106                         break;
1107
1108                 case Opt_defcontext:
1109                         if (context || defcontext) {
1110                                 rc = -EINVAL;
1111                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1112                                 goto out_err;
1113                         }
1114                         defcontext = match_strdup(&args[0]);
1115                         if (!defcontext) {
1116                                 rc = -ENOMEM;
1117                                 goto out_err;
1118                         }
1119                         break;
1120                 case Opt_labelsupport:
1121                         break;
1122                 default:
1123                         rc = -EINVAL;
1124                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
1125                         goto out_err;
1126
1127                 }
1128         }
1129
1130         rc = -ENOMEM;
1131         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1132         if (!opts->mnt_opts)
1133                 goto out_err;
1134
1135         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1136                                        GFP_KERNEL);
1137         if (!opts->mnt_opts_flags)
1138                 goto out_err;
1139
1140         if (fscontext) {
1141                 opts->mnt_opts[num_mnt_opts] = fscontext;
1142                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1143         }
1144         if (context) {
1145                 opts->mnt_opts[num_mnt_opts] = context;
1146                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1147         }
1148         if (rootcontext) {
1149                 opts->mnt_opts[num_mnt_opts] = rootcontext;
1150                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1151         }
1152         if (defcontext) {
1153                 opts->mnt_opts[num_mnt_opts] = defcontext;
1154                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1155         }
1156
1157         opts->num_mnt_opts = num_mnt_opts;
1158         return 0;
1159
1160 out_err:
1161         security_free_mnt_opts(opts);
1162         kfree(context);
1163         kfree(defcontext);
1164         kfree(fscontext);
1165         kfree(rootcontext);
1166         return rc;
1167 }
1168 /*
1169  * string mount options parsing and call set the sbsec
1170  */
1171 static int superblock_doinit(struct super_block *sb, void *data)
1172 {
1173         int rc = 0;
1174         char *options = data;
1175         struct security_mnt_opts opts;
1176
1177         security_init_mnt_opts(&opts);
1178
1179         if (!data)
1180                 goto out;
1181
1182         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1183
1184         rc = selinux_parse_opts_str(options, &opts);
1185         if (rc)
1186                 goto out_err;
1187
1188 out:
1189         rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1190
1191 out_err:
1192         security_free_mnt_opts(&opts);
1193         return rc;
1194 }
1195
1196 static void selinux_write_opts(struct seq_file *m,
1197                                struct security_mnt_opts *opts)
1198 {
1199         int i;
1200         char *prefix;
1201
1202         for (i = 0; i < opts->num_mnt_opts; i++) {
1203                 char *has_comma;
1204
1205                 if (opts->mnt_opts[i])
1206                         has_comma = strchr(opts->mnt_opts[i], ',');
1207                 else
1208                         has_comma = NULL;
1209
1210                 switch (opts->mnt_opts_flags[i]) {
1211                 case CONTEXT_MNT:
1212                         prefix = CONTEXT_STR;
1213                         break;
1214                 case FSCONTEXT_MNT:
1215                         prefix = FSCONTEXT_STR;
1216                         break;
1217                 case ROOTCONTEXT_MNT:
1218                         prefix = ROOTCONTEXT_STR;
1219                         break;
1220                 case DEFCONTEXT_MNT:
1221                         prefix = DEFCONTEXT_STR;
1222                         break;
1223                 case SBLABEL_MNT:
1224                         seq_putc(m, ',');
1225                         seq_puts(m, LABELSUPP_STR);
1226                         continue;
1227                 default:
1228                         BUG();
1229                         return;
1230                 };
1231                 /* we need a comma before each option */
1232                 seq_putc(m, ',');
1233                 seq_puts(m, prefix);
1234                 if (has_comma)
1235                         seq_putc(m, '\"');
1236                 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1237                 if (has_comma)
1238                         seq_putc(m, '\"');
1239         }
1240 }
1241
1242 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1243 {
1244         struct security_mnt_opts opts;
1245         int rc;
1246
1247         rc = selinux_get_mnt_opts(sb, &opts);
1248         if (rc) {
1249                 /* before policy load we may get EINVAL, don't show anything */
1250                 if (rc == -EINVAL)
1251                         rc = 0;
1252                 return rc;
1253         }
1254
1255         selinux_write_opts(m, &opts);
1256
1257         security_free_mnt_opts(&opts);
1258
1259         return rc;
1260 }
1261
1262 static inline u16 inode_mode_to_security_class(umode_t mode)
1263 {
1264         switch (mode & S_IFMT) {
1265         case S_IFSOCK:
1266                 return SECCLASS_SOCK_FILE;
1267         case S_IFLNK:
1268                 return SECCLASS_LNK_FILE;
1269         case S_IFREG:
1270                 return SECCLASS_FILE;
1271         case S_IFBLK:
1272                 return SECCLASS_BLK_FILE;
1273         case S_IFDIR:
1274                 return SECCLASS_DIR;
1275         case S_IFCHR:
1276                 return SECCLASS_CHR_FILE;
1277         case S_IFIFO:
1278                 return SECCLASS_FIFO_FILE;
1279
1280         }
1281
1282         return SECCLASS_FILE;
1283 }
1284
1285 static inline int default_protocol_stream(int protocol)
1286 {
1287         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1288 }
1289
1290 static inline int default_protocol_dgram(int protocol)
1291 {
1292         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1293 }
1294
1295 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1296 {
1297         int extsockclass = selinux_policycap_extsockclass;
1298
1299         switch (family) {
1300         case PF_UNIX:
1301                 switch (type) {
1302                 case SOCK_STREAM:
1303                 case SOCK_SEQPACKET:
1304                         return SECCLASS_UNIX_STREAM_SOCKET;
1305                 case SOCK_DGRAM:
1306                         return SECCLASS_UNIX_DGRAM_SOCKET;
1307                 }
1308                 break;
1309         case PF_INET:
1310         case PF_INET6:
1311                 switch (type) {
1312                 case SOCK_STREAM:
1313                 case SOCK_SEQPACKET:
1314                         if (default_protocol_stream(protocol))
1315                                 return SECCLASS_TCP_SOCKET;
1316                         else if (extsockclass && protocol == IPPROTO_SCTP)
1317                                 return SECCLASS_SCTP_SOCKET;
1318                         else
1319                                 return SECCLASS_RAWIP_SOCKET;
1320                 case SOCK_DGRAM:
1321                         if (default_protocol_dgram(protocol))
1322                                 return SECCLASS_UDP_SOCKET;
1323                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1324                                                   protocol == IPPROTO_ICMPV6))
1325                                 return SECCLASS_ICMP_SOCKET;
1326                         else
1327                                 return SECCLASS_RAWIP_SOCKET;
1328                 case SOCK_DCCP:
1329                         return SECCLASS_DCCP_SOCKET;
1330                 default:
1331                         return SECCLASS_RAWIP_SOCKET;
1332                 }
1333                 break;
1334         case PF_NETLINK:
1335                 switch (protocol) {
1336                 case NETLINK_ROUTE:
1337                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1338                 case NETLINK_SOCK_DIAG:
1339                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1340                 case NETLINK_NFLOG:
1341                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1342                 case NETLINK_XFRM:
1343                         return SECCLASS_NETLINK_XFRM_SOCKET;
1344                 case NETLINK_SELINUX:
1345                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1346                 case NETLINK_ISCSI:
1347                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1348                 case NETLINK_AUDIT:
1349                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1350                 case NETLINK_FIB_LOOKUP:
1351                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1352                 case NETLINK_CONNECTOR:
1353                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1354                 case NETLINK_NETFILTER:
1355                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1356                 case NETLINK_DNRTMSG:
1357                         return SECCLASS_NETLINK_DNRT_SOCKET;
1358                 case NETLINK_KOBJECT_UEVENT:
1359                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1360                 case NETLINK_GENERIC:
1361                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1362                 case NETLINK_SCSITRANSPORT:
1363                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1364                 case NETLINK_RDMA:
1365                         return SECCLASS_NETLINK_RDMA_SOCKET;
1366                 case NETLINK_CRYPTO:
1367                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1368                 default:
1369                         return SECCLASS_NETLINK_SOCKET;
1370                 }
1371         case PF_PACKET:
1372                 return SECCLASS_PACKET_SOCKET;
1373         case PF_KEY:
1374                 return SECCLASS_KEY_SOCKET;
1375         case PF_APPLETALK:
1376                 return SECCLASS_APPLETALK_SOCKET;
1377         }
1378
1379         if (extsockclass) {
1380                 switch (family) {
1381                 case PF_AX25:
1382                         return SECCLASS_AX25_SOCKET;
1383                 case PF_IPX:
1384                         return SECCLASS_IPX_SOCKET;
1385                 case PF_NETROM:
1386                         return SECCLASS_NETROM_SOCKET;
1387                 case PF_ATMPVC:
1388                         return SECCLASS_ATMPVC_SOCKET;
1389                 case PF_X25:
1390                         return SECCLASS_X25_SOCKET;
1391                 case PF_ROSE:
1392                         return SECCLASS_ROSE_SOCKET;
1393                 case PF_DECnet:
1394                         return SECCLASS_DECNET_SOCKET;
1395                 case PF_ATMSVC:
1396                         return SECCLASS_ATMSVC_SOCKET;
1397                 case PF_RDS:
1398                         return SECCLASS_RDS_SOCKET;
1399                 case PF_IRDA:
1400                         return SECCLASS_IRDA_SOCKET;
1401                 case PF_PPPOX:
1402                         return SECCLASS_PPPOX_SOCKET;
1403                 case PF_LLC:
1404                         return SECCLASS_LLC_SOCKET;
1405                 case PF_CAN:
1406                         return SECCLASS_CAN_SOCKET;
1407                 case PF_TIPC:
1408                         return SECCLASS_TIPC_SOCKET;
1409                 case PF_BLUETOOTH:
1410                         return SECCLASS_BLUETOOTH_SOCKET;
1411                 case PF_IUCV:
1412                         return SECCLASS_IUCV_SOCKET;
1413                 case PF_RXRPC:
1414                         return SECCLASS_RXRPC_SOCKET;
1415                 case PF_ISDN:
1416                         return SECCLASS_ISDN_SOCKET;
1417                 case PF_PHONET:
1418                         return SECCLASS_PHONET_SOCKET;
1419                 case PF_IEEE802154:
1420                         return SECCLASS_IEEE802154_SOCKET;
1421                 case PF_CAIF:
1422                         return SECCLASS_CAIF_SOCKET;
1423                 case PF_ALG:
1424                         return SECCLASS_ALG_SOCKET;
1425                 case PF_NFC:
1426                         return SECCLASS_NFC_SOCKET;
1427                 case PF_VSOCK:
1428                         return SECCLASS_VSOCK_SOCKET;
1429                 case PF_KCM:
1430                         return SECCLASS_KCM_SOCKET;
1431                 case PF_QIPCRTR:
1432                         return SECCLASS_QIPCRTR_SOCKET;
1433                 case PF_SMC:
1434                         return SECCLASS_SMC_SOCKET;
1435 #if PF_MAX > 44
1436 #error New address family defined, please update this function.
1437 #endif
1438                 }
1439         }
1440
1441         return SECCLASS_SOCKET;
1442 }
1443
1444 static int selinux_genfs_get_sid(struct dentry *dentry,
1445                                  u16 tclass,
1446                                  u16 flags,
1447                                  u32 *sid)
1448 {
1449         int rc;
1450         struct super_block *sb = dentry->d_sb;
1451         char *buffer, *path;
1452
1453         buffer = (char *)__get_free_page(GFP_KERNEL);
1454         if (!buffer)
1455                 return -ENOMEM;
1456
1457         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1458         if (IS_ERR(path))
1459                 rc = PTR_ERR(path);
1460         else {
1461                 if (flags & SE_SBPROC) {
1462                         /* each process gets a /proc/PID/ entry. Strip off the
1463                          * PID part to get a valid selinux labeling.
1464                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1465                         while (path[1] >= '0' && path[1] <= '9') {
1466                                 path[1] = '/';
1467                                 path++;
1468                         }
1469                 }
1470                 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1471         }
1472         free_page((unsigned long)buffer);
1473         return rc;
1474 }
1475
1476 /* The inode's security attributes must be initialized before first use. */
1477 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1478 {
1479         struct superblock_security_struct *sbsec = NULL;
1480         struct inode_security_struct *isec = inode->i_security;
1481         u32 task_sid, sid = 0;
1482         u16 sclass;
1483         struct dentry *dentry;
1484 #define INITCONTEXTLEN 255
1485         char *context = NULL;
1486         unsigned len = 0;
1487         int rc = 0;
1488
1489         if (isec->initialized == LABEL_INITIALIZED)
1490                 return 0;
1491
1492         spin_lock(&isec->lock);
1493         if (isec->initialized == LABEL_INITIALIZED)
1494                 goto out_unlock;
1495
1496         if (isec->sclass == SECCLASS_FILE)
1497                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1498
1499         sbsec = inode->i_sb->s_security;
1500         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1501                 /* Defer initialization until selinux_complete_init,
1502                    after the initial policy is loaded and the security
1503                    server is ready to handle calls. */
1504                 spin_lock(&sbsec->isec_lock);
1505                 if (list_empty(&isec->list))
1506                         list_add(&isec->list, &sbsec->isec_head);
1507                 spin_unlock(&sbsec->isec_lock);
1508                 goto out_unlock;
1509         }
1510
1511         sclass = isec->sclass;
1512         task_sid = isec->task_sid;
1513         sid = isec->sid;
1514         isec->initialized = LABEL_PENDING;
1515         spin_unlock(&isec->lock);
1516
1517         switch (sbsec->behavior) {
1518         case SECURITY_FS_USE_NATIVE:
1519                 break;
1520         case SECURITY_FS_USE_XATTR:
1521                 if (!(inode->i_opflags & IOP_XATTR)) {
1522                         sid = sbsec->def_sid;
1523                         break;
1524                 }
1525                 /* Need a dentry, since the xattr API requires one.
1526                    Life would be simpler if we could just pass the inode. */
1527                 if (opt_dentry) {
1528                         /* Called from d_instantiate or d_splice_alias. */
1529                         dentry = dget(opt_dentry);
1530                 } else {
1531                         /* Called from selinux_complete_init, try to find a dentry. */
1532                         dentry = d_find_alias(inode);
1533                 }
1534                 if (!dentry) {
1535                         /*
1536                          * this is can be hit on boot when a file is accessed
1537                          * before the policy is loaded.  When we load policy we
1538                          * may find inodes that have no dentry on the
1539                          * sbsec->isec_head list.  No reason to complain as these
1540                          * will get fixed up the next time we go through
1541                          * inode_doinit with a dentry, before these inodes could
1542                          * be used again by userspace.
1543                          */
1544                         goto out;
1545                 }
1546
1547                 len = INITCONTEXTLEN;
1548                 context = kmalloc(len+1, GFP_NOFS);
1549                 if (!context) {
1550                         rc = -ENOMEM;
1551                         dput(dentry);
1552                         goto out;
1553                 }
1554                 context[len] = '\0';
1555                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1556                 if (rc == -ERANGE) {
1557                         kfree(context);
1558
1559                         /* Need a larger buffer.  Query for the right size. */
1560                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1561                         if (rc < 0) {
1562                                 dput(dentry);
1563                                 goto out;
1564                         }
1565                         len = rc;
1566                         context = kmalloc(len+1, GFP_NOFS);
1567                         if (!context) {
1568                                 rc = -ENOMEM;
1569                                 dput(dentry);
1570                                 goto out;
1571                         }
1572                         context[len] = '\0';
1573                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1574                 }
1575                 dput(dentry);
1576                 if (rc < 0) {
1577                         if (rc != -ENODATA) {
1578                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1579                                        "%d for dev=%s ino=%ld\n", __func__,
1580                                        -rc, inode->i_sb->s_id, inode->i_ino);
1581                                 kfree(context);
1582                                 goto out;
1583                         }
1584                         /* Map ENODATA to the default file SID */
1585                         sid = sbsec->def_sid;
1586                         rc = 0;
1587                 } else {
1588                         rc = security_context_to_sid_default(context, rc, &sid,
1589                                                              sbsec->def_sid,
1590                                                              GFP_NOFS);
1591                         if (rc) {
1592                                 char *dev = inode->i_sb->s_id;
1593                                 unsigned long ino = inode->i_ino;
1594
1595                                 if (rc == -EINVAL) {
1596                                         if (printk_ratelimit())
1597                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1598                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1599                                                         "filesystem in question.\n", ino, dev, context);
1600                                 } else {
1601                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1602                                                "returned %d for dev=%s ino=%ld\n",
1603                                                __func__, context, -rc, dev, ino);
1604                                 }
1605                                 kfree(context);
1606                                 /* Leave with the unlabeled SID */
1607                                 rc = 0;
1608                                 break;
1609                         }
1610                 }
1611                 kfree(context);
1612                 break;
1613         case SECURITY_FS_USE_TASK:
1614                 sid = task_sid;
1615                 break;
1616         case SECURITY_FS_USE_TRANS:
1617                 /* Default to the fs SID. */
1618                 sid = sbsec->sid;
1619
1620                 /* Try to obtain a transition SID. */
1621                 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1622                 if (rc)
1623                         goto out;
1624                 break;
1625         case SECURITY_FS_USE_MNTPOINT:
1626                 sid = sbsec->mntpoint_sid;
1627                 break;
1628         default:
1629                 /* Default to the fs superblock SID. */
1630                 sid = sbsec->sid;
1631
1632                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1633                         /* We must have a dentry to determine the label on
1634                          * procfs inodes */
1635                         if (opt_dentry)
1636                                 /* Called from d_instantiate or
1637                                  * d_splice_alias. */
1638                                 dentry = dget(opt_dentry);
1639                         else
1640                                 /* Called from selinux_complete_init, try to
1641                                  * find a dentry. */
1642                                 dentry = d_find_alias(inode);
1643                         /*
1644                          * This can be hit on boot when a file is accessed
1645                          * before the policy is loaded.  When we load policy we
1646                          * may find inodes that have no dentry on the
1647                          * sbsec->isec_head list.  No reason to complain as
1648                          * these will get fixed up the next time we go through
1649                          * inode_doinit() with a dentry, before these inodes
1650                          * could be used again by userspace.
1651                          */
1652                         if (!dentry)
1653                                 goto out;
1654                         rc = selinux_genfs_get_sid(dentry, sclass,
1655                                                    sbsec->flags, &sid);
1656                         dput(dentry);
1657                         if (rc)
1658                                 goto out;
1659                 }
1660                 break;
1661         }
1662
1663 out:
1664         spin_lock(&isec->lock);
1665         if (isec->initialized == LABEL_PENDING) {
1666                 if (!sid || rc) {
1667                         isec->initialized = LABEL_INVALID;
1668                         goto out_unlock;
1669                 }
1670
1671                 isec->initialized = LABEL_INITIALIZED;
1672                 isec->sid = sid;
1673         }
1674
1675 out_unlock:
1676         spin_unlock(&isec->lock);
1677         return rc;
1678 }
1679
1680 /* Convert a Linux signal to an access vector. */
1681 static inline u32 signal_to_av(int sig)
1682 {
1683         u32 perm = 0;
1684
1685         switch (sig) {
1686         case SIGCHLD:
1687                 /* Commonly granted from child to parent. */
1688                 perm = PROCESS__SIGCHLD;
1689                 break;
1690         case SIGKILL:
1691                 /* Cannot be caught or ignored */
1692                 perm = PROCESS__SIGKILL;
1693                 break;
1694         case SIGSTOP:
1695                 /* Cannot be caught or ignored */
1696                 perm = PROCESS__SIGSTOP;
1697                 break;
1698         default:
1699                 /* All other signals. */
1700                 perm = PROCESS__SIGNAL;
1701                 break;
1702         }
1703
1704         return perm;
1705 }
1706
1707 #if CAP_LAST_CAP > 63
1708 #error Fix SELinux to handle capabilities > 63.
1709 #endif
1710
1711 /* Check whether a task is allowed to use a capability. */
1712 static int cred_has_capability(const struct cred *cred,
1713                                int cap, int audit, bool initns)
1714 {
1715         struct common_audit_data ad;
1716         struct av_decision avd;
1717         u16 sclass;
1718         u32 sid = cred_sid(cred);
1719         u32 av = CAP_TO_MASK(cap);
1720         int rc;
1721
1722         ad.type = LSM_AUDIT_DATA_CAP;
1723         ad.u.cap = cap;
1724
1725         switch (CAP_TO_INDEX(cap)) {
1726         case 0:
1727                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1728                 break;
1729         case 1:
1730                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1731                 break;
1732         default:
1733                 printk(KERN_ERR
1734                        "SELinux:  out of range capability %d\n", cap);
1735                 BUG();
1736                 return -EINVAL;
1737         }
1738
1739         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1740         if (audit == SECURITY_CAP_AUDIT) {
1741                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1742                 if (rc2)
1743                         return rc2;
1744         }
1745         return rc;
1746 }
1747
1748 /* Check whether a task has a particular permission to an inode.
1749    The 'adp' parameter is optional and allows other audit
1750    data to be passed (e.g. the dentry). */
1751 static int inode_has_perm(const struct cred *cred,
1752                           struct inode *inode,
1753                           u32 perms,
1754                           struct common_audit_data *adp)
1755 {
1756         struct inode_security_struct *isec;
1757         u32 sid;
1758
1759         validate_creds(cred);
1760
1761         if (unlikely(IS_PRIVATE(inode)))
1762                 return 0;
1763
1764         sid = cred_sid(cred);
1765         isec = inode->i_security;
1766
1767         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1768 }
1769
1770 /* Same as inode_has_perm, but pass explicit audit data containing
1771    the dentry to help the auditing code to more easily generate the
1772    pathname if needed. */
1773 static inline int dentry_has_perm(const struct cred *cred,
1774                                   struct dentry *dentry,
1775                                   u32 av)
1776 {
1777         struct inode *inode = d_backing_inode(dentry);
1778         struct common_audit_data ad;
1779
1780         ad.type = LSM_AUDIT_DATA_DENTRY;
1781         ad.u.dentry = dentry;
1782         __inode_security_revalidate(inode, dentry, true);
1783         return inode_has_perm(cred, inode, av, &ad);
1784 }
1785
1786 /* Same as inode_has_perm, but pass explicit audit data containing
1787    the path to help the auditing code to more easily generate the
1788    pathname if needed. */
1789 static inline int path_has_perm(const struct cred *cred,
1790                                 const struct path *path,
1791                                 u32 av)
1792 {
1793         struct inode *inode = d_backing_inode(path->dentry);
1794         struct common_audit_data ad;
1795
1796         ad.type = LSM_AUDIT_DATA_PATH;
1797         ad.u.path = *path;
1798         __inode_security_revalidate(inode, path->dentry, true);
1799         return inode_has_perm(cred, inode, av, &ad);
1800 }
1801
1802 /* Same as path_has_perm, but uses the inode from the file struct. */
1803 static inline int file_path_has_perm(const struct cred *cred,
1804                                      struct file *file,
1805                                      u32 av)
1806 {
1807         struct common_audit_data ad;
1808
1809         ad.type = LSM_AUDIT_DATA_FILE;
1810         ad.u.file = file;
1811         return inode_has_perm(cred, file_inode(file), av, &ad);
1812 }
1813
1814 /* Check whether a task can use an open file descriptor to
1815    access an inode in a given way.  Check access to the
1816    descriptor itself, and then use dentry_has_perm to
1817    check a particular permission to the file.
1818    Access to the descriptor is implicitly granted if it
1819    has the same SID as the process.  If av is zero, then
1820    access to the file is not checked, e.g. for cases
1821    where only the descriptor is affected like seek. */
1822 static int file_has_perm(const struct cred *cred,
1823                          struct file *file,
1824                          u32 av)
1825 {
1826         struct file_security_struct *fsec = file->f_security;
1827         struct inode *inode = file_inode(file);
1828         struct common_audit_data ad;
1829         u32 sid = cred_sid(cred);
1830         int rc;
1831
1832         ad.type = LSM_AUDIT_DATA_FILE;
1833         ad.u.file = file;
1834
1835         if (sid != fsec->sid) {
1836                 rc = avc_has_perm(sid, fsec->sid,
1837                                   SECCLASS_FD,
1838                                   FD__USE,
1839                                   &ad);
1840                 if (rc)
1841                         goto out;
1842         }
1843
1844         /* av is zero if only checking access to the descriptor. */
1845         rc = 0;
1846         if (av)
1847                 rc = inode_has_perm(cred, inode, av, &ad);
1848
1849 out:
1850         return rc;
1851 }
1852
1853 /*
1854  * Determine the label for an inode that might be unioned.
1855  */
1856 static int
1857 selinux_determine_inode_label(const struct task_security_struct *tsec,
1858                                  struct inode *dir,
1859                                  const struct qstr *name, u16 tclass,
1860                                  u32 *_new_isid)
1861 {
1862         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1863
1864         if ((sbsec->flags & SE_SBINITIALIZED) &&
1865             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1866                 *_new_isid = sbsec->mntpoint_sid;
1867         } else if ((sbsec->flags & SBLABEL_MNT) &&
1868                    tsec->create_sid) {
1869                 *_new_isid = tsec->create_sid;
1870         } else {
1871                 const struct inode_security_struct *dsec = inode_security(dir);
1872                 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1873                                                name, _new_isid);
1874         }
1875
1876         return 0;
1877 }
1878
1879 /* Check whether a task can create a file. */
1880 static int may_create(struct inode *dir,
1881                       struct dentry *dentry,
1882                       u16 tclass)
1883 {
1884         const struct task_security_struct *tsec = current_security();
1885         struct inode_security_struct *dsec;
1886         struct superblock_security_struct *sbsec;
1887         u32 sid, newsid;
1888         struct common_audit_data ad;
1889         int rc;
1890
1891         dsec = inode_security(dir);
1892         sbsec = dir->i_sb->s_security;
1893
1894         sid = tsec->sid;
1895
1896         ad.type = LSM_AUDIT_DATA_DENTRY;
1897         ad.u.dentry = dentry;
1898
1899         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1900                           DIR__ADD_NAME | DIR__SEARCH,
1901                           &ad);
1902         if (rc)
1903                 return rc;
1904
1905         rc = selinux_determine_inode_label(current_security(), dir,
1906                                            &dentry->d_name, tclass, &newsid);
1907         if (rc)
1908                 return rc;
1909
1910         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1911         if (rc)
1912                 return rc;
1913
1914         return avc_has_perm(newsid, sbsec->sid,
1915                             SECCLASS_FILESYSTEM,
1916                             FILESYSTEM__ASSOCIATE, &ad);
1917 }
1918
1919 #define MAY_LINK        0
1920 #define MAY_UNLINK      1
1921 #define MAY_RMDIR       2
1922
1923 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1924 static int may_link(struct inode *dir,
1925                     struct dentry *dentry,
1926                     int kind)
1927
1928 {
1929         struct inode_security_struct *dsec, *isec;
1930         struct common_audit_data ad;
1931         u32 sid = current_sid();
1932         u32 av;
1933         int rc;
1934
1935         dsec = inode_security(dir);
1936         isec = backing_inode_security(dentry);
1937
1938         ad.type = LSM_AUDIT_DATA_DENTRY;
1939         ad.u.dentry = dentry;
1940
1941         av = DIR__SEARCH;
1942         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1943         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1944         if (rc)
1945                 return rc;
1946
1947         switch (kind) {
1948         case MAY_LINK:
1949                 av = FILE__LINK;
1950                 break;
1951         case MAY_UNLINK:
1952                 av = FILE__UNLINK;
1953                 break;
1954         case MAY_RMDIR:
1955                 av = DIR__RMDIR;
1956                 break;
1957         default:
1958                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1959                         __func__, kind);
1960                 return 0;
1961         }
1962
1963         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1964         return rc;
1965 }
1966
1967 static inline int may_rename(struct inode *old_dir,
1968                              struct dentry *old_dentry,
1969                              struct inode *new_dir,
1970                              struct dentry *new_dentry)
1971 {
1972         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1973         struct common_audit_data ad;
1974         u32 sid = current_sid();
1975         u32 av;
1976         int old_is_dir, new_is_dir;
1977         int rc;
1978
1979         old_dsec = inode_security(old_dir);
1980         old_isec = backing_inode_security(old_dentry);
1981         old_is_dir = d_is_dir(old_dentry);
1982         new_dsec = inode_security(new_dir);
1983
1984         ad.type = LSM_AUDIT_DATA_DENTRY;
1985
1986         ad.u.dentry = old_dentry;
1987         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1988                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1989         if (rc)
1990                 return rc;
1991         rc = avc_has_perm(sid, old_isec->sid,
1992                           old_isec->sclass, FILE__RENAME, &ad);
1993         if (rc)
1994                 return rc;
1995         if (old_is_dir && new_dir != old_dir) {
1996                 rc = avc_has_perm(sid, old_isec->sid,
1997                                   old_isec->sclass, DIR__REPARENT, &ad);
1998                 if (rc)
1999                         return rc;
2000         }
2001
2002         ad.u.dentry = new_dentry;
2003         av = DIR__ADD_NAME | DIR__SEARCH;
2004         if (d_is_positive(new_dentry))
2005                 av |= DIR__REMOVE_NAME;
2006         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2007         if (rc)
2008                 return rc;
2009         if (d_is_positive(new_dentry)) {
2010                 new_isec = backing_inode_security(new_dentry);
2011                 new_is_dir = d_is_dir(new_dentry);
2012                 rc = avc_has_perm(sid, new_isec->sid,
2013                                   new_isec->sclass,
2014                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2015                 if (rc)
2016                         return rc;
2017         }
2018
2019         return 0;
2020 }
2021
2022 /* Check whether a task can perform a filesystem operation. */
2023 static int superblock_has_perm(const struct cred *cred,
2024                                struct super_block *sb,
2025                                u32 perms,
2026                                struct common_audit_data *ad)
2027 {
2028         struct superblock_security_struct *sbsec;
2029         u32 sid = cred_sid(cred);
2030
2031         sbsec = sb->s_security;
2032         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2033 }
2034
2035 /* Convert a Linux mode and permission mask to an access vector. */
2036 static inline u32 file_mask_to_av(int mode, int mask)
2037 {
2038         u32 av = 0;
2039
2040         if (!S_ISDIR(mode)) {
2041                 if (mask & MAY_EXEC)
2042                         av |= FILE__EXECUTE;
2043                 if (mask & MAY_READ)
2044                         av |= FILE__READ;
2045
2046                 if (mask & MAY_APPEND)
2047                         av |= FILE__APPEND;
2048                 else if (mask & MAY_WRITE)
2049                         av |= FILE__WRITE;
2050
2051         } else {
2052                 if (mask & MAY_EXEC)
2053                         av |= DIR__SEARCH;
2054                 if (mask & MAY_WRITE)
2055                         av |= DIR__WRITE;
2056                 if (mask & MAY_READ)
2057                         av |= DIR__READ;
2058         }
2059
2060         return av;
2061 }
2062
2063 /* Convert a Linux file to an access vector. */
2064 static inline u32 file_to_av(struct file *file)
2065 {
2066         u32 av = 0;
2067
2068         if (file->f_mode & FMODE_READ)
2069                 av |= FILE__READ;
2070         if (file->f_mode & FMODE_WRITE) {
2071                 if (file->f_flags & O_APPEND)
2072                         av |= FILE__APPEND;
2073                 else
2074                         av |= FILE__WRITE;
2075         }
2076         if (!av) {
2077                 /*
2078                  * Special file opened with flags 3 for ioctl-only use.
2079                  */
2080                 av = FILE__IOCTL;
2081         }
2082
2083         return av;
2084 }
2085
2086 /*
2087  * Convert a file to an access vector and include the correct open
2088  * open permission.
2089  */
2090 static inline u32 open_file_to_av(struct file *file)
2091 {
2092         u32 av = file_to_av(file);
2093         struct inode *inode = file_inode(file);
2094
2095         if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2096                 av |= FILE__OPEN;
2097
2098         return av;
2099 }
2100
2101 /* Hook functions begin here. */
2102
2103 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2104 {
2105         u32 mysid = current_sid();
2106         u32 mgrsid = task_sid(mgr);
2107
2108         return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2109                             BINDER__SET_CONTEXT_MGR, NULL);
2110 }
2111
2112 static int selinux_binder_transaction(struct task_struct *from,
2113                                       struct task_struct *to)
2114 {
2115         u32 mysid = current_sid();
2116         u32 fromsid = task_sid(from);
2117         u32 tosid = task_sid(to);
2118         int rc;
2119
2120         if (mysid != fromsid) {
2121                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2122                                   BINDER__IMPERSONATE, NULL);
2123                 if (rc)
2124                         return rc;
2125         }
2126
2127         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2128                             NULL);
2129 }
2130
2131 static int selinux_binder_transfer_binder(struct task_struct *from,
2132                                           struct task_struct *to)
2133 {
2134         u32 fromsid = task_sid(from);
2135         u32 tosid = task_sid(to);
2136
2137         return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2138                             NULL);
2139 }
2140
2141 static int selinux_binder_transfer_file(struct task_struct *from,
2142                                         struct task_struct *to,
2143                                         struct file *file)
2144 {
2145         u32 sid = task_sid(to);
2146         struct file_security_struct *fsec = file->f_security;
2147         struct dentry *dentry = file->f_path.dentry;
2148         struct inode_security_struct *isec;
2149         struct common_audit_data ad;
2150         int rc;
2151
2152         ad.type = LSM_AUDIT_DATA_PATH;
2153         ad.u.path = file->f_path;
2154
2155         if (sid != fsec->sid) {
2156                 rc = avc_has_perm(sid, fsec->sid,
2157                                   SECCLASS_FD,
2158                                   FD__USE,
2159                                   &ad);
2160                 if (rc)
2161                         return rc;
2162         }
2163
2164         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2165                 return 0;
2166
2167         isec = backing_inode_security(dentry);
2168         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2169                             &ad);
2170 }
2171
2172 static int selinux_ptrace_access_check(struct task_struct *child,
2173                                      unsigned int mode)
2174 {
2175         u32 sid = current_sid();
2176         u32 csid = task_sid(child);
2177
2178         if (mode & PTRACE_MODE_READ)
2179                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2180
2181         return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2182 }
2183
2184 static int selinux_ptrace_traceme(struct task_struct *parent)
2185 {
2186         return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2187                             PROCESS__PTRACE, NULL);
2188 }
2189
2190 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2191                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2192 {
2193         return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2194                             PROCESS__GETCAP, NULL);
2195 }
2196
2197 static int selinux_capset(struct cred *new, const struct cred *old,
2198                           const kernel_cap_t *effective,
2199                           const kernel_cap_t *inheritable,
2200                           const kernel_cap_t *permitted)
2201 {
2202         return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2203                             PROCESS__SETCAP, NULL);
2204 }
2205
2206 /*
2207  * (This comment used to live with the selinux_task_setuid hook,
2208  * which was removed).
2209  *
2210  * Since setuid only affects the current process, and since the SELinux
2211  * controls are not based on the Linux identity attributes, SELinux does not
2212  * need to control this operation.  However, SELinux does control the use of
2213  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2214  */
2215
2216 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2217                            int cap, int audit)
2218 {
2219         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2220 }
2221
2222 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2223 {
2224         const struct cred *cred = current_cred();
2225         int rc = 0;
2226
2227         if (!sb)
2228                 return 0;
2229
2230         switch (cmds) {
2231         case Q_SYNC:
2232         case Q_QUOTAON:
2233         case Q_QUOTAOFF:
2234         case Q_SETINFO:
2235         case Q_SETQUOTA:
2236                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2237                 break;
2238         case Q_GETFMT:
2239         case Q_GETINFO:
2240         case Q_GETQUOTA:
2241                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2242                 break;
2243         default:
2244                 rc = 0;  /* let the kernel handle invalid cmds */
2245                 break;
2246         }
2247         return rc;
2248 }
2249
2250 static int selinux_quota_on(struct dentry *dentry)
2251 {
2252         const struct cred *cred = current_cred();
2253
2254         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2255 }
2256
2257 static int selinux_syslog(int type)
2258 {
2259         switch (type) {
2260         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2261         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2262                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2263                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2264         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2265         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2266         /* Set level of messages printed to console */
2267         case SYSLOG_ACTION_CONSOLE_LEVEL:
2268                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2269                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2270                                     NULL);
2271         }
2272         /* All other syslog types */
2273         return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2274                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2275 }
2276
2277 /*
2278  * Check that a process has enough memory to allocate a new virtual
2279  * mapping. 0 means there is enough memory for the allocation to
2280  * succeed and -ENOMEM implies there is not.
2281  *
2282  * Do not audit the selinux permission check, as this is applied to all
2283  * processes that allocate mappings.
2284  */
2285 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2286 {
2287         int rc, cap_sys_admin = 0;
2288
2289         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2290                                  SECURITY_CAP_NOAUDIT, true);
2291         if (rc == 0)
2292                 cap_sys_admin = 1;
2293
2294         return cap_sys_admin;
2295 }
2296
2297 /* binprm security operations */
2298
2299 static u32 ptrace_parent_sid(void)
2300 {
2301         u32 sid = 0;
2302         struct task_struct *tracer;
2303
2304         rcu_read_lock();
2305         tracer = ptrace_parent(current);
2306         if (tracer)
2307                 sid = task_sid(tracer);
2308         rcu_read_unlock();
2309
2310         return sid;
2311 }
2312
2313 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2314                             const struct task_security_struct *old_tsec,
2315                             const struct task_security_struct *new_tsec)
2316 {
2317         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2318         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2319         int rc;
2320
2321         if (!nnp && !nosuid)
2322                 return 0; /* neither NNP nor nosuid */
2323
2324         if (new_tsec->sid == old_tsec->sid)
2325                 return 0; /* No change in credentials */
2326
2327         /*
2328          * The only transitions we permit under NNP or nosuid
2329          * are transitions to bounded SIDs, i.e. SIDs that are
2330          * guaranteed to only be allowed a subset of the permissions
2331          * of the current SID.
2332          */
2333         rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2334         if (rc) {
2335                 /*
2336                  * On failure, preserve the errno values for NNP vs nosuid.
2337                  * NNP:  Operation not permitted for caller.
2338                  * nosuid:  Permission denied to file.
2339                  */
2340                 if (nnp)
2341                         return -EPERM;
2342                 else
2343                         return -EACCES;
2344         }
2345         return 0;
2346 }
2347
2348 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2349 {
2350         const struct task_security_struct *old_tsec;
2351         struct task_security_struct *new_tsec;
2352         struct inode_security_struct *isec;
2353         struct common_audit_data ad;
2354         struct inode *inode = file_inode(bprm->file);
2355         int rc;
2356
2357         /* SELinux context only depends on initial program or script and not
2358          * the script interpreter */
2359         if (bprm->called_set_creds)
2360                 return 0;
2361
2362         old_tsec = current_security();
2363         new_tsec = bprm->cred->security;
2364         isec = inode_security(inode);
2365
2366         /* Default to the current task SID. */
2367         new_tsec->sid = old_tsec->sid;
2368         new_tsec->osid = old_tsec->sid;
2369
2370         /* Reset fs, key, and sock SIDs on execve. */
2371         new_tsec->create_sid = 0;
2372         new_tsec->keycreate_sid = 0;
2373         new_tsec->sockcreate_sid = 0;
2374
2375         if (old_tsec->exec_sid) {
2376                 new_tsec->sid = old_tsec->exec_sid;
2377                 /* Reset exec SID on execve. */
2378                 new_tsec->exec_sid = 0;
2379
2380                 /* Fail on NNP or nosuid if not an allowed transition. */
2381                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2382                 if (rc)
2383                         return rc;
2384         } else {
2385                 /* Check for a default transition on this program. */
2386                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2387                                              SECCLASS_PROCESS, NULL,
2388                                              &new_tsec->sid);
2389                 if (rc)
2390                         return rc;
2391
2392                 /*
2393                  * Fallback to old SID on NNP or nosuid if not an allowed
2394                  * transition.
2395                  */
2396                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2397                 if (rc)
2398                         new_tsec->sid = old_tsec->sid;
2399         }
2400
2401         ad.type = LSM_AUDIT_DATA_FILE;
2402         ad.u.file = bprm->file;
2403
2404         if (new_tsec->sid == old_tsec->sid) {
2405                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2406                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2407                 if (rc)
2408                         return rc;
2409         } else {
2410                 /* Check permissions for the transition. */
2411                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2412                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2413                 if (rc)
2414                         return rc;
2415
2416                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2417                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2418                 if (rc)
2419                         return rc;
2420
2421                 /* Check for shared state */
2422                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2423                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2424                                           SECCLASS_PROCESS, PROCESS__SHARE,
2425                                           NULL);
2426                         if (rc)
2427                                 return -EPERM;
2428                 }
2429
2430                 /* Make sure that anyone attempting to ptrace over a task that
2431                  * changes its SID has the appropriate permit */
2432                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2433                         u32 ptsid = ptrace_parent_sid();
2434                         if (ptsid != 0) {
2435                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2436                                                   SECCLASS_PROCESS,
2437                                                   PROCESS__PTRACE, NULL);
2438                                 if (rc)
2439                                         return -EPERM;
2440                         }
2441                 }
2442
2443                 /* Clear any possibly unsafe personality bits on exec: */
2444                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2445
2446                 /* Enable secure mode for SIDs transitions unless
2447                    the noatsecure permission is granted between
2448                    the two SIDs, i.e. ahp returns 0. */
2449                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2450                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2451                                   NULL);
2452                 bprm->secureexec |= !!rc;
2453         }
2454
2455         return 0;
2456 }
2457
2458 static int match_file(const void *p, struct file *file, unsigned fd)
2459 {
2460         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2461 }
2462
2463 /* Derived from fs/exec.c:flush_old_files. */
2464 static inline void flush_unauthorized_files(const struct cred *cred,
2465                                             struct files_struct *files)
2466 {
2467         struct file *file, *devnull = NULL;
2468         struct tty_struct *tty;
2469         int drop_tty = 0;
2470         unsigned n;
2471
2472         tty = get_current_tty();
2473         if (tty) {
2474                 spin_lock(&tty->files_lock);
2475                 if (!list_empty(&tty->tty_files)) {
2476                         struct tty_file_private *file_priv;
2477
2478                         /* Revalidate access to controlling tty.
2479                            Use file_path_has_perm on the tty path directly
2480                            rather than using file_has_perm, as this particular
2481                            open file may belong to another process and we are
2482                            only interested in the inode-based check here. */
2483                         file_priv = list_first_entry(&tty->tty_files,
2484                                                 struct tty_file_private, list);
2485                         file = file_priv->file;
2486                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2487                                 drop_tty = 1;
2488                 }
2489                 spin_unlock(&tty->files_lock);
2490                 tty_kref_put(tty);
2491         }
2492         /* Reset controlling tty. */
2493         if (drop_tty)
2494                 no_tty();
2495
2496         /* Revalidate access to inherited open files. */
2497         n = iterate_fd(files, 0, match_file, cred);
2498         if (!n) /* none found? */
2499                 return;
2500
2501         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2502         if (IS_ERR(devnull))
2503                 devnull = NULL;
2504         /* replace all the matching ones with this */
2505         do {
2506                 replace_fd(n - 1, devnull, 0);
2507         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2508         if (devnull)
2509                 fput(devnull);
2510 }
2511
2512 /*
2513  * Prepare a process for imminent new credential changes due to exec
2514  */
2515 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2516 {
2517         struct task_security_struct *new_tsec;
2518         struct rlimit *rlim, *initrlim;
2519         int rc, i;
2520
2521         new_tsec = bprm->cred->security;
2522         if (new_tsec->sid == new_tsec->osid)
2523                 return;
2524
2525         /* Close files for which the new task SID is not authorized. */
2526         flush_unauthorized_files(bprm->cred, current->files);
2527
2528         /* Always clear parent death signal on SID transitions. */
2529         current->pdeath_signal = 0;
2530
2531         /* Check whether the new SID can inherit resource limits from the old
2532          * SID.  If not, reset all soft limits to the lower of the current
2533          * task's hard limit and the init task's soft limit.
2534          *
2535          * Note that the setting of hard limits (even to lower them) can be
2536          * controlled by the setrlimit check.  The inclusion of the init task's
2537          * soft limit into the computation is to avoid resetting soft limits
2538          * higher than the default soft limit for cases where the default is
2539          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2540          */
2541         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2542                           PROCESS__RLIMITINH, NULL);
2543         if (rc) {
2544                 /* protect against do_prlimit() */
2545                 task_lock(current);
2546                 for (i = 0; i < RLIM_NLIMITS; i++) {
2547                         rlim = current->signal->rlim + i;
2548                         initrlim = init_task.signal->rlim + i;
2549                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2550                 }
2551                 task_unlock(current);
2552                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2553                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2554         }
2555 }
2556
2557 /*
2558  * Clean up the process immediately after the installation of new credentials
2559  * due to exec
2560  */
2561 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2562 {
2563         const struct task_security_struct *tsec = current_security();
2564         struct itimerval itimer;
2565         u32 osid, sid;
2566         int rc, i;
2567
2568         osid = tsec->osid;
2569         sid = tsec->sid;
2570
2571         if (sid == osid)
2572                 return;
2573
2574         /* Check whether the new SID can inherit signal state from the old SID.
2575          * If not, clear itimers to avoid subsequent signal generation and
2576          * flush and unblock signals.
2577          *
2578          * This must occur _after_ the task SID has been updated so that any
2579          * kill done after the flush will be checked against the new SID.
2580          */
2581         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2582         if (rc) {
2583                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2584                         memset(&itimer, 0, sizeof itimer);
2585                         for (i = 0; i < 3; i++)
2586                                 do_setitimer(i, &itimer, NULL);
2587                 }
2588                 spin_lock_irq(&current->sighand->siglock);
2589                 if (!fatal_signal_pending(current)) {
2590                         flush_sigqueue(&current->pending);
2591                         flush_sigqueue(&current->signal->shared_pending);
2592                         flush_signal_handlers(current, 1);
2593                         sigemptyset(&current->blocked);
2594                         recalc_sigpending();
2595                 }
2596                 spin_unlock_irq(&current->sighand->siglock);
2597         }
2598
2599         /* Wake up the parent if it is waiting so that it can recheck
2600          * wait permission to the new task SID. */
2601         read_lock(&tasklist_lock);
2602         __wake_up_parent(current, current->real_parent);
2603         read_unlock(&tasklist_lock);
2604 }
2605
2606 /* superblock security operations */
2607
2608 static int selinux_sb_alloc_security(struct super_block *sb)
2609 {
2610         return superblock_alloc_security(sb);
2611 }
2612
2613 static void selinux_sb_free_security(struct super_block *sb)
2614 {
2615         superblock_free_security(sb);
2616 }
2617
2618 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2619 {
2620         if (plen > olen)
2621                 return 0;
2622
2623         return !memcmp(prefix, option, plen);
2624 }
2625
2626 static inline int selinux_option(char *option, int len)
2627 {
2628         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2629                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2630                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2631                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2632                 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2633 }
2634
2635 static inline void take_option(char **to, char *from, int *first, int len)
2636 {
2637         if (!*first) {
2638                 **to = ',';
2639                 *to += 1;
2640         } else
2641                 *first = 0;
2642         memcpy(*to, from, len);
2643         *to += len;
2644 }
2645
2646 static inline void take_selinux_option(char **to, char *from, int *first,
2647                                        int len)
2648 {
2649         int current_size = 0;
2650
2651         if (!*first) {
2652                 **to = '|';
2653                 *to += 1;
2654         } else
2655                 *first = 0;
2656
2657         while (current_size < len) {
2658                 if (*from != '"') {
2659                         **to = *from;
2660                         *to += 1;
2661                 }
2662                 from += 1;
2663                 current_size += 1;
2664         }
2665 }
2666
2667 static int selinux_sb_copy_data(char *orig, char *copy)
2668 {
2669         int fnosec, fsec, rc = 0;
2670         char *in_save, *in_curr, *in_end;
2671         char *sec_curr, *nosec_save, *nosec;
2672         int open_quote = 0;
2673
2674         in_curr = orig;
2675         sec_curr = copy;
2676
2677         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2678         if (!nosec) {
2679                 rc = -ENOMEM;
2680                 goto out;
2681         }
2682
2683         nosec_save = nosec;
2684         fnosec = fsec = 1;
2685         in_save = in_end = orig;
2686
2687         do {
2688                 if (*in_end == '"')
2689                         open_quote = !open_quote;
2690                 if ((*in_end == ',' && open_quote == 0) ||
2691                                 *in_end == '\0') {
2692                         int len = in_end - in_curr;
2693
2694                         if (selinux_option(in_curr, len))
2695                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2696                         else
2697                                 take_option(&nosec, in_curr, &fnosec, len);
2698
2699                         in_curr = in_end + 1;
2700                 }
2701         } while (*in_end++);
2702
2703         strcpy(in_save, nosec_save);
2704         free_page((unsigned long)nosec_save);
2705 out:
2706         return rc;
2707 }
2708
2709 static int selinux_sb_remount(struct super_block *sb, void *data)
2710 {
2711         int rc, i, *flags;
2712         struct security_mnt_opts opts;
2713         char *secdata, **mount_options;
2714         struct superblock_security_struct *sbsec = sb->s_security;
2715
2716         if (!(sbsec->flags & SE_SBINITIALIZED))
2717                 return 0;
2718
2719         if (!data)
2720                 return 0;
2721
2722         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2723                 return 0;
2724
2725         security_init_mnt_opts(&opts);
2726         secdata = alloc_secdata();
2727         if (!secdata)
2728                 return -ENOMEM;
2729         rc = selinux_sb_copy_data(data, secdata);
2730         if (rc)
2731                 goto out_free_secdata;
2732
2733         rc = selinux_parse_opts_str(secdata, &opts);
2734         if (rc)
2735                 goto out_free_secdata;
2736
2737         mount_options = opts.mnt_opts;
2738         flags = opts.mnt_opts_flags;
2739
2740         for (i = 0; i < opts.num_mnt_opts; i++) {
2741                 u32 sid;
2742
2743                 if (flags[i] == SBLABEL_MNT)
2744                         continue;
2745                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2746                 if (rc) {
2747                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2748                                "(%s) failed for (dev %s, type %s) errno=%d\n",
2749                                mount_options[i], sb->s_id, sb->s_type->name, rc);
2750                         goto out_free_opts;
2751                 }
2752                 rc = -EINVAL;
2753                 switch (flags[i]) {
2754                 case FSCONTEXT_MNT:
2755                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2756                                 goto out_bad_option;
2757                         break;
2758                 case CONTEXT_MNT:
2759                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2760                                 goto out_bad_option;
2761                         break;
2762                 case ROOTCONTEXT_MNT: {
2763                         struct inode_security_struct *root_isec;
2764                         root_isec = backing_inode_security(sb->s_root);
2765
2766                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2767                                 goto out_bad_option;
2768                         break;
2769                 }
2770                 case DEFCONTEXT_MNT:
2771                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2772                                 goto out_bad_option;
2773                         break;
2774                 default:
2775                         goto out_free_opts;
2776                 }
2777         }
2778
2779         rc = 0;
2780 out_free_opts:
2781         security_free_mnt_opts(&opts);
2782 out_free_secdata:
2783         free_secdata(secdata);
2784         return rc;
2785 out_bad_option:
2786         printk(KERN_WARNING "SELinux: unable to change security options "
2787                "during remount (dev %s, type=%s)\n", sb->s_id,
2788                sb->s_type->name);
2789         goto out_free_opts;
2790 }
2791
2792 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2793 {
2794         const struct cred *cred = current_cred();
2795         struct common_audit_data ad;
2796         int rc;
2797
2798         rc = superblock_doinit(sb, data);
2799         if (rc)
2800                 return rc;
2801
2802         /* Allow all mounts performed by the kernel */
2803         if (flags & MS_KERNMOUNT)
2804                 return 0;
2805
2806         ad.type = LSM_AUDIT_DATA_DENTRY;
2807         ad.u.dentry = sb->s_root;
2808         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2809 }
2810
2811 static int selinux_sb_statfs(struct dentry *dentry)
2812 {
2813         const struct cred *cred = current_cred();
2814         struct common_audit_data ad;
2815
2816         ad.type = LSM_AUDIT_DATA_DENTRY;
2817         ad.u.dentry = dentry->d_sb->s_root;
2818         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2819 }
2820
2821 static int selinux_mount(const char *dev_name,
2822                          const struct path *path,
2823                          const char *type,
2824                          unsigned long flags,
2825                          void *data)
2826 {
2827         const struct cred *cred = current_cred();
2828
2829         if (flags & MS_REMOUNT)
2830                 return superblock_has_perm(cred, path->dentry->d_sb,
2831                                            FILESYSTEM__REMOUNT, NULL);
2832         else
2833                 return path_has_perm(cred, path, FILE__MOUNTON);
2834 }
2835
2836 static int selinux_umount(struct vfsmount *mnt, int flags)
2837 {
2838         const struct cred *cred = current_cred();
2839
2840         return superblock_has_perm(cred, mnt->mnt_sb,
2841                                    FILESYSTEM__UNMOUNT, NULL);
2842 }
2843
2844 /* inode security operations */
2845
2846 static int selinux_inode_alloc_security(struct inode *inode)
2847 {
2848         return inode_alloc_security(inode);
2849 }
2850
2851 static void selinux_inode_free_security(struct inode *inode)
2852 {
2853         inode_free_security(inode);
2854 }
2855
2856 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2857                                         const struct qstr *name, void **ctx,
2858                                         u32 *ctxlen)
2859 {
2860         u32 newsid;
2861         int rc;
2862
2863         rc = selinux_determine_inode_label(current_security(),
2864                                            d_inode(dentry->d_parent), name,
2865                                            inode_mode_to_security_class(mode),
2866                                            &newsid);
2867         if (rc)
2868                 return rc;
2869
2870         return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2871 }
2872
2873 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2874                                           struct qstr *name,
2875                                           const struct cred *old,
2876                                           struct cred *new)
2877 {
2878         u32 newsid;
2879         int rc;
2880         struct task_security_struct *tsec;
2881
2882         rc = selinux_determine_inode_label(old->security,
2883                                            d_inode(dentry->d_parent), name,
2884                                            inode_mode_to_security_class(mode),
2885                                            &newsid);
2886         if (rc)
2887                 return rc;
2888
2889         tsec = new->security;
2890         tsec->create_sid = newsid;
2891         return 0;
2892 }
2893
2894 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2895                                        const struct qstr *qstr,
2896                                        const char **name,
2897                                        void **value, size_t *len)
2898 {
2899         const struct task_security_struct *tsec = current_security();
2900         struct superblock_security_struct *sbsec;
2901         u32 sid, newsid, clen;
2902         int rc;
2903         char *context;
2904
2905         sbsec = dir->i_sb->s_security;
2906
2907         sid = tsec->sid;
2908         newsid = tsec->create_sid;
2909
2910         rc = selinux_determine_inode_label(current_security(),
2911                 dir, qstr,
2912                 inode_mode_to_security_class(inode->i_mode),
2913                 &newsid);
2914         if (rc)
2915                 return rc;
2916
2917         /* Possibly defer initialization to selinux_complete_init. */
2918         if (sbsec->flags & SE_SBINITIALIZED) {
2919                 struct inode_security_struct *isec = inode->i_security;
2920                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2921                 isec->sid = newsid;
2922                 isec->initialized = LABEL_INITIALIZED;
2923         }
2924
2925         if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2926                 return -EOPNOTSUPP;
2927
2928         if (name)
2929                 *name = XATTR_SELINUX_SUFFIX;
2930
2931         if (value && len) {
2932                 rc = security_sid_to_context_force(newsid, &context, &clen);
2933                 if (rc)
2934                         return rc;
2935                 *value = context;
2936                 *len = clen;
2937         }
2938
2939         return 0;
2940 }
2941
2942 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2943 {
2944         return may_create(dir, dentry, SECCLASS_FILE);
2945 }
2946
2947 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2948 {
2949         return may_link(dir, old_dentry, MAY_LINK);
2950 }
2951
2952 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2953 {
2954         return may_link(dir, dentry, MAY_UNLINK);
2955 }
2956
2957 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2958 {
2959         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2960 }
2961
2962 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2963 {
2964         return may_create(dir, dentry, SECCLASS_DIR);
2965 }
2966
2967 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2968 {
2969         return may_link(dir, dentry, MAY_RMDIR);
2970 }
2971
2972 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2973 {
2974         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2975 }
2976
2977 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2978                                 struct inode *new_inode, struct dentry *new_dentry)
2979 {
2980         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2981 }
2982
2983 static int selinux_inode_readlink(struct dentry *dentry)
2984 {
2985         const struct cred *cred = current_cred();
2986
2987         return dentry_has_perm(cred, dentry, FILE__READ);
2988 }
2989
2990 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2991                                      bool rcu)
2992 {
2993         const struct cred *cred = current_cred();
2994         struct common_audit_data ad;
2995         struct inode_security_struct *isec;
2996         u32 sid;
2997
2998         validate_creds(cred);
2999
3000         ad.type = LSM_AUDIT_DATA_DENTRY;
3001         ad.u.dentry = dentry;
3002         sid = cred_sid(cred);
3003         isec = inode_security_rcu(inode, rcu);
3004         if (IS_ERR(isec))
3005                 return PTR_ERR(isec);
3006
3007         return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3008                                   rcu ? MAY_NOT_BLOCK : 0);
3009 }
3010
3011 static noinline int audit_inode_permission(struct inode *inode,
3012                                            u32 perms, u32 audited, u32 denied,
3013                                            int result,
3014                                            unsigned flags)
3015 {
3016         struct common_audit_data ad;
3017         struct inode_security_struct *isec = inode->i_security;
3018         int rc;
3019
3020         ad.type = LSM_AUDIT_DATA_INODE;
3021         ad.u.inode = inode;
3022
3023         rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3024                             audited, denied, result, &ad, flags);
3025         if (rc)
3026                 return rc;
3027         return 0;
3028 }
3029
3030 static int selinux_inode_permission(struct inode *inode, int mask)
3031 {
3032         const struct cred *cred = current_cred();
3033         u32 perms;
3034         bool from_access;
3035         unsigned flags = mask & MAY_NOT_BLOCK;
3036         struct inode_security_struct *isec;
3037         u32 sid;
3038         struct av_decision avd;
3039         int rc, rc2;
3040         u32 audited, denied;
3041
3042         from_access = mask & MAY_ACCESS;
3043         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3044
3045         /* No permission to check.  Existence test. */
3046         if (!mask)
3047                 return 0;
3048
3049         validate_creds(cred);
3050
3051         if (unlikely(IS_PRIVATE(inode)))
3052                 return 0;
3053
3054         perms = file_mask_to_av(inode->i_mode, mask);
3055
3056         sid = cred_sid(cred);
3057         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3058         if (IS_ERR(isec))
3059                 return PTR_ERR(isec);
3060
3061         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3062         audited = avc_audit_required(perms, &avd, rc,
3063                                      from_access ? FILE__AUDIT_ACCESS : 0,
3064                                      &denied);
3065         if (likely(!audited))
3066                 return rc;
3067
3068         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3069         if (rc2)
3070                 return rc2;
3071         return rc;
3072 }
3073
3074 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3075 {
3076         const struct cred *cred = current_cred();
3077         struct inode *inode = d_backing_inode(dentry);
3078         unsigned int ia_valid = iattr->ia_valid;
3079         __u32 av = FILE__WRITE;
3080
3081         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3082         if (ia_valid & ATTR_FORCE) {
3083                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3084                               ATTR_FORCE);
3085                 if (!ia_valid)
3086                         return 0;
3087         }
3088
3089         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3090                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3091                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3092
3093         if (selinux_policycap_openperm &&
3094             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3095             (ia_valid & ATTR_SIZE) &&
3096             !(ia_valid & ATTR_FILE))
3097                 av |= FILE__OPEN;
3098
3099         return dentry_has_perm(cred, dentry, av);
3100 }
3101
3102 static int selinux_inode_getattr(const struct path *path)
3103 {
3104         return path_has_perm(current_cred(), path, FILE__GETATTR);
3105 }
3106
3107 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3108 {
3109         const struct cred *cred = current_cred();
3110
3111         if (!strncmp(name, XATTR_SECURITY_PREFIX,
3112                      sizeof XATTR_SECURITY_PREFIX - 1)) {
3113                 if (!strcmp(name, XATTR_NAME_CAPS)) {
3114                         if (!capable(CAP_SETFCAP))
3115                                 return -EPERM;
3116                 } else if (!capable(CAP_SYS_ADMIN)) {
3117                         /* A different attribute in the security namespace.
3118                            Restrict to administrator. */
3119                         return -EPERM;
3120                 }
3121         }
3122
3123         /* Not an attribute we recognize, so just check the
3124            ordinary setattr permission. */
3125         return dentry_has_perm(cred, dentry, FILE__SETATTR);
3126 }
3127
3128 static bool has_cap_mac_admin(bool audit)
3129 {
3130         const struct cred *cred = current_cred();
3131         int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3132
3133         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3134                 return false;
3135         if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3136                 return false;
3137         return true;
3138 }
3139
3140 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3141                                   const void *value, size_t size, int flags)
3142 {
3143         struct inode *inode = d_backing_inode(dentry);
3144         struct inode_security_struct *isec;
3145         struct superblock_security_struct *sbsec;
3146         struct common_audit_data ad;
3147         u32 newsid, sid = current_sid();
3148         int rc = 0;
3149
3150         if (strcmp(name, XATTR_NAME_SELINUX))
3151                 return selinux_inode_setotherxattr(dentry, name);
3152
3153         sbsec = inode->i_sb->s_security;
3154         if (!(sbsec->flags & SBLABEL_MNT))
3155                 return -EOPNOTSUPP;
3156
3157         if (!inode_owner_or_capable(inode))
3158                 return -EPERM;
3159
3160         ad.type = LSM_AUDIT_DATA_DENTRY;
3161         ad.u.dentry = dentry;
3162