Merge branch 'for-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
[sfrench/cifs-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17  *      Paul Moore <paul@paul-moore.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *  Copyright (C) 2016 Mellanox Technologies
21  *
22  *      This program is free software; you can redistribute it and/or modify
23  *      it under the terms of the GNU General Public License version 2,
24  *      as published by the Free Software Foundation.
25  */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h>             /* for local_port_range[] */
56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h>    /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h>           /* for Unix socket types */
74 #include <net/af_unix.h>        /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91 #include <uapi/linux/mount.h>
92
93 #include "avc.h"
94 #include "objsec.h"
95 #include "netif.h"
96 #include "netnode.h"
97 #include "netport.h"
98 #include "ibpkey.h"
99 #include "xfrm.h"
100 #include "netlabel.h"
101 #include "audit.h"
102 #include "avc_ss.h"
103
104 struct selinux_state selinux_state;
105
106 /* SECMARK reference count */
107 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
108
109 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
110 static int selinux_enforcing_boot;
111
112 static int __init enforcing_setup(char *str)
113 {
114         unsigned long enforcing;
115         if (!kstrtoul(str, 0, &enforcing))
116                 selinux_enforcing_boot = enforcing ? 1 : 0;
117         return 1;
118 }
119 __setup("enforcing=", enforcing_setup);
120 #else
121 #define selinux_enforcing_boot 1
122 #endif
123
124 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
125 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
126
127 static int __init selinux_enabled_setup(char *str)
128 {
129         unsigned long enabled;
130         if (!kstrtoul(str, 0, &enabled))
131                 selinux_enabled = enabled ? 1 : 0;
132         return 1;
133 }
134 __setup("selinux=", selinux_enabled_setup);
135 #else
136 int selinux_enabled = 1;
137 #endif
138
139 static unsigned int selinux_checkreqprot_boot =
140         CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
141
142 static int __init checkreqprot_setup(char *str)
143 {
144         unsigned long checkreqprot;
145
146         if (!kstrtoul(str, 0, &checkreqprot))
147                 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
148         return 1;
149 }
150 __setup("checkreqprot=", checkreqprot_setup);
151
152 static struct kmem_cache *sel_inode_cache;
153 static struct kmem_cache *file_security_cache;
154
155 /**
156  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
157  *
158  * Description:
159  * This function checks the SECMARK reference counter to see if any SECMARK
160  * targets are currently configured, if the reference counter is greater than
161  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
162  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
163  * policy capability is enabled, SECMARK is always considered enabled.
164  *
165  */
166 static int selinux_secmark_enabled(void)
167 {
168         return (selinux_policycap_alwaysnetwork() ||
169                 atomic_read(&selinux_secmark_refcount));
170 }
171
172 /**
173  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
174  *
175  * Description:
176  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
177  * (1) if any are enabled or false (0) if neither are enabled.  If the
178  * always_check_network policy capability is enabled, peer labeling
179  * is always considered enabled.
180  *
181  */
182 static int selinux_peerlbl_enabled(void)
183 {
184         return (selinux_policycap_alwaysnetwork() ||
185                 netlbl_enabled() || selinux_xfrm_enabled());
186 }
187
188 static int selinux_netcache_avc_callback(u32 event)
189 {
190         if (event == AVC_CALLBACK_RESET) {
191                 sel_netif_flush();
192                 sel_netnode_flush();
193                 sel_netport_flush();
194                 synchronize_net();
195         }
196         return 0;
197 }
198
199 static int selinux_lsm_notifier_avc_callback(u32 event)
200 {
201         if (event == AVC_CALLBACK_RESET) {
202                 sel_ib_pkey_flush();
203                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
204         }
205
206         return 0;
207 }
208
209 /*
210  * initialise the security for the init task
211  */
212 static void cred_init_security(void)
213 {
214         struct cred *cred = (struct cred *) current->real_cred;
215         struct task_security_struct *tsec;
216
217         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
218         if (!tsec)
219                 panic("SELinux:  Failed to initialize initial task.\n");
220
221         tsec->osid = tsec->sid = SECINITSID_KERNEL;
222         cred->security = tsec;
223 }
224
225 /*
226  * get the security ID of a set of credentials
227  */
228 static inline u32 cred_sid(const struct cred *cred)
229 {
230         const struct task_security_struct *tsec;
231
232         tsec = cred->security;
233         return tsec->sid;
234 }
235
236 /*
237  * get the objective security ID of a task
238  */
239 static inline u32 task_sid(const struct task_struct *task)
240 {
241         u32 sid;
242
243         rcu_read_lock();
244         sid = cred_sid(__task_cred(task));
245         rcu_read_unlock();
246         return sid;
247 }
248
249 /* Allocate and free functions for each kind of security blob. */
250
251 static int inode_alloc_security(struct inode *inode)
252 {
253         struct inode_security_struct *isec;
254         u32 sid = current_sid();
255
256         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
257         if (!isec)
258                 return -ENOMEM;
259
260         spin_lock_init(&isec->lock);
261         INIT_LIST_HEAD(&isec->list);
262         isec->inode = inode;
263         isec->sid = SECINITSID_UNLABELED;
264         isec->sclass = SECCLASS_FILE;
265         isec->task_sid = sid;
266         isec->initialized = LABEL_INVALID;
267         inode->i_security = isec;
268
269         return 0;
270 }
271
272 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
273
274 /*
275  * Try reloading inode security labels that have been marked as invalid.  The
276  * @may_sleep parameter indicates when sleeping and thus reloading labels is
277  * allowed; when set to false, returns -ECHILD when the label is
278  * invalid.  The @dentry parameter should be set to a dentry of the inode.
279  */
280 static int __inode_security_revalidate(struct inode *inode,
281                                        struct dentry *dentry,
282                                        bool may_sleep)
283 {
284         struct inode_security_struct *isec = inode->i_security;
285
286         might_sleep_if(may_sleep);
287
288         if (selinux_state.initialized &&
289             isec->initialized != LABEL_INITIALIZED) {
290                 if (!may_sleep)
291                         return -ECHILD;
292
293                 /*
294                  * Try reloading the inode security label.  This will fail if
295                  * @opt_dentry is NULL and no dentry for this inode can be
296                  * found; in that case, continue using the old label.
297                  */
298                 inode_doinit_with_dentry(inode, dentry);
299         }
300         return 0;
301 }
302
303 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
304 {
305         return inode->i_security;
306 }
307
308 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
309 {
310         int error;
311
312         error = __inode_security_revalidate(inode, NULL, !rcu);
313         if (error)
314                 return ERR_PTR(error);
315         return inode->i_security;
316 }
317
318 /*
319  * Get the security label of an inode.
320  */
321 static struct inode_security_struct *inode_security(struct inode *inode)
322 {
323         __inode_security_revalidate(inode, NULL, true);
324         return inode->i_security;
325 }
326
327 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
328 {
329         struct inode *inode = d_backing_inode(dentry);
330
331         return inode->i_security;
332 }
333
334 /*
335  * Get the security label of a dentry's backing inode.
336  */
337 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
338 {
339         struct inode *inode = d_backing_inode(dentry);
340
341         __inode_security_revalidate(inode, dentry, true);
342         return inode->i_security;
343 }
344
345 static void inode_free_rcu(struct rcu_head *head)
346 {
347         struct inode_security_struct *isec;
348
349         isec = container_of(head, struct inode_security_struct, rcu);
350         kmem_cache_free(sel_inode_cache, isec);
351 }
352
353 static void inode_free_security(struct inode *inode)
354 {
355         struct inode_security_struct *isec = inode->i_security;
356         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
357
358         /*
359          * As not all inode security structures are in a list, we check for
360          * empty list outside of the lock to make sure that we won't waste
361          * time taking a lock doing nothing.
362          *
363          * The list_del_init() function can be safely called more than once.
364          * It should not be possible for this function to be called with
365          * concurrent list_add(), but for better safety against future changes
366          * in the code, we use list_empty_careful() here.
367          */
368         if (!list_empty_careful(&isec->list)) {
369                 spin_lock(&sbsec->isec_lock);
370                 list_del_init(&isec->list);
371                 spin_unlock(&sbsec->isec_lock);
372         }
373
374         /*
375          * The inode may still be referenced in a path walk and
376          * a call to selinux_inode_permission() can be made
377          * after inode_free_security() is called. Ideally, the VFS
378          * wouldn't do this, but fixing that is a much harder
379          * job. For now, simply free the i_security via RCU, and
380          * leave the current inode->i_security pointer intact.
381          * The inode will be freed after the RCU grace period too.
382          */
383         call_rcu(&isec->rcu, inode_free_rcu);
384 }
385
386 static int file_alloc_security(struct file *file)
387 {
388         struct file_security_struct *fsec;
389         u32 sid = current_sid();
390
391         fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
392         if (!fsec)
393                 return -ENOMEM;
394
395         fsec->sid = sid;
396         fsec->fown_sid = sid;
397         file->f_security = fsec;
398
399         return 0;
400 }
401
402 static void file_free_security(struct file *file)
403 {
404         struct file_security_struct *fsec = file->f_security;
405         file->f_security = NULL;
406         kmem_cache_free(file_security_cache, fsec);
407 }
408
409 static int superblock_alloc_security(struct super_block *sb)
410 {
411         struct superblock_security_struct *sbsec;
412
413         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
414         if (!sbsec)
415                 return -ENOMEM;
416
417         mutex_init(&sbsec->lock);
418         INIT_LIST_HEAD(&sbsec->isec_head);
419         spin_lock_init(&sbsec->isec_lock);
420         sbsec->sb = sb;
421         sbsec->sid = SECINITSID_UNLABELED;
422         sbsec->def_sid = SECINITSID_FILE;
423         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
424         sb->s_security = sbsec;
425
426         return 0;
427 }
428
429 static void superblock_free_security(struct super_block *sb)
430 {
431         struct superblock_security_struct *sbsec = sb->s_security;
432         sb->s_security = NULL;
433         kfree(sbsec);
434 }
435
436 struct selinux_mnt_opts {
437         const char *fscontext, *context, *rootcontext, *defcontext;
438 };
439
440 static void selinux_free_mnt_opts(void *mnt_opts)
441 {
442         struct selinux_mnt_opts *opts = mnt_opts;
443         kfree(opts->fscontext);
444         kfree(opts->context);
445         kfree(opts->rootcontext);
446         kfree(opts->defcontext);
447         kfree(opts);
448 }
449
450 static inline int inode_doinit(struct inode *inode)
451 {
452         return inode_doinit_with_dentry(inode, NULL);
453 }
454
455 enum {
456         Opt_error = -1,
457         Opt_context = 1,
458         Opt_fscontext = 2,
459         Opt_defcontext = 3,
460         Opt_rootcontext = 4,
461         Opt_seclabel = 5,
462 };
463
464 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
465 static struct {
466         const char *name;
467         int len;
468         int opt;
469         bool has_arg;
470 } tokens[] = {
471         A(context, true),
472         A(fscontext, true),
473         A(defcontext, true),
474         A(rootcontext, true),
475         A(seclabel, false),
476 };
477 #undef A
478
479 static int match_opt_prefix(char *s, int l, char **arg)
480 {
481         int i;
482
483         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
484                 size_t len = tokens[i].len;
485                 if (len > l || memcmp(s, tokens[i].name, len))
486                         continue;
487                 if (tokens[i].has_arg) {
488                         if (len == l || s[len] != '=')
489                                 continue;
490                         *arg = s + len + 1;
491                 } else if (len != l)
492                         continue;
493                 return tokens[i].opt;
494         }
495         return Opt_error;
496 }
497
498 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
499
500 static int may_context_mount_sb_relabel(u32 sid,
501                         struct superblock_security_struct *sbsec,
502                         const struct cred *cred)
503 {
504         const struct task_security_struct *tsec = cred->security;
505         int rc;
506
507         rc = avc_has_perm(&selinux_state,
508                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
509                           FILESYSTEM__RELABELFROM, NULL);
510         if (rc)
511                 return rc;
512
513         rc = avc_has_perm(&selinux_state,
514                           tsec->sid, sid, SECCLASS_FILESYSTEM,
515                           FILESYSTEM__RELABELTO, NULL);
516         return rc;
517 }
518
519 static int may_context_mount_inode_relabel(u32 sid,
520                         struct superblock_security_struct *sbsec,
521                         const struct cred *cred)
522 {
523         const struct task_security_struct *tsec = cred->security;
524         int rc;
525         rc = avc_has_perm(&selinux_state,
526                           tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
527                           FILESYSTEM__RELABELFROM, NULL);
528         if (rc)
529                 return rc;
530
531         rc = avc_has_perm(&selinux_state,
532                           sid, sbsec->sid, SECCLASS_FILESYSTEM,
533                           FILESYSTEM__ASSOCIATE, NULL);
534         return rc;
535 }
536
537 static int selinux_is_sblabel_mnt(struct super_block *sb)
538 {
539         struct superblock_security_struct *sbsec = sb->s_security;
540
541         return sbsec->behavior == SECURITY_FS_USE_XATTR ||
542                 sbsec->behavior == SECURITY_FS_USE_TRANS ||
543                 sbsec->behavior == SECURITY_FS_USE_TASK ||
544                 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
545                 /* Special handling. Genfs but also in-core setxattr handler */
546                 !strcmp(sb->s_type->name, "sysfs") ||
547                 !strcmp(sb->s_type->name, "pstore") ||
548                 !strcmp(sb->s_type->name, "debugfs") ||
549                 !strcmp(sb->s_type->name, "tracefs") ||
550                 !strcmp(sb->s_type->name, "rootfs") ||
551                 (selinux_policycap_cgroupseclabel() &&
552                  (!strcmp(sb->s_type->name, "cgroup") ||
553                   !strcmp(sb->s_type->name, "cgroup2")));
554 }
555
556 static int sb_finish_set_opts(struct super_block *sb)
557 {
558         struct superblock_security_struct *sbsec = sb->s_security;
559         struct dentry *root = sb->s_root;
560         struct inode *root_inode = d_backing_inode(root);
561         int rc = 0;
562
563         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
564                 /* Make sure that the xattr handler exists and that no
565                    error other than -ENODATA is returned by getxattr on
566                    the root directory.  -ENODATA is ok, as this may be
567                    the first boot of the SELinux kernel before we have
568                    assigned xattr values to the filesystem. */
569                 if (!(root_inode->i_opflags & IOP_XATTR)) {
570                         pr_warn("SELinux: (dev %s, type %s) has no "
571                                "xattr support\n", sb->s_id, sb->s_type->name);
572                         rc = -EOPNOTSUPP;
573                         goto out;
574                 }
575
576                 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
577                 if (rc < 0 && rc != -ENODATA) {
578                         if (rc == -EOPNOTSUPP)
579                                 pr_warn("SELinux: (dev %s, type "
580                                        "%s) has no security xattr handler\n",
581                                        sb->s_id, sb->s_type->name);
582                         else
583                                 pr_warn("SELinux: (dev %s, type "
584                                        "%s) getxattr errno %d\n", sb->s_id,
585                                        sb->s_type->name, -rc);
586                         goto out;
587                 }
588         }
589
590         sbsec->flags |= SE_SBINITIALIZED;
591
592         /*
593          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
594          * leave the flag untouched because sb_clone_mnt_opts might be handing
595          * us a superblock that needs the flag to be cleared.
596          */
597         if (selinux_is_sblabel_mnt(sb))
598                 sbsec->flags |= SBLABEL_MNT;
599         else
600                 sbsec->flags &= ~SBLABEL_MNT;
601
602         /* Initialize the root inode. */
603         rc = inode_doinit_with_dentry(root_inode, root);
604
605         /* Initialize any other inodes associated with the superblock, e.g.
606            inodes created prior to initial policy load or inodes created
607            during get_sb by a pseudo filesystem that directly
608            populates itself. */
609         spin_lock(&sbsec->isec_lock);
610         while (!list_empty(&sbsec->isec_head)) {
611                 struct inode_security_struct *isec =
612                                 list_first_entry(&sbsec->isec_head,
613                                            struct inode_security_struct, list);
614                 struct inode *inode = isec->inode;
615                 list_del_init(&isec->list);
616                 spin_unlock(&sbsec->isec_lock);
617                 inode = igrab(inode);
618                 if (inode) {
619                         if (!IS_PRIVATE(inode))
620                                 inode_doinit(inode);
621                         iput(inode);
622                 }
623                 spin_lock(&sbsec->isec_lock);
624         }
625         spin_unlock(&sbsec->isec_lock);
626 out:
627         return rc;
628 }
629
630 static int bad_option(struct superblock_security_struct *sbsec, char flag,
631                       u32 old_sid, u32 new_sid)
632 {
633         char mnt_flags = sbsec->flags & SE_MNTMASK;
634
635         /* check if the old mount command had the same options */
636         if (sbsec->flags & SE_SBINITIALIZED)
637                 if (!(sbsec->flags & flag) ||
638                     (old_sid != new_sid))
639                         return 1;
640
641         /* check if we were passed the same options twice,
642          * aka someone passed context=a,context=b
643          */
644         if (!(sbsec->flags & SE_SBINITIALIZED))
645                 if (mnt_flags & flag)
646                         return 1;
647         return 0;
648 }
649
650 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
651 {
652         int rc = security_context_str_to_sid(&selinux_state, s,
653                                              sid, GFP_KERNEL);
654         if (rc)
655                 pr_warn("SELinux: security_context_str_to_sid"
656                        "(%s) failed for (dev %s, type %s) errno=%d\n",
657                        s, sb->s_id, sb->s_type->name, rc);
658         return rc;
659 }
660
661 /*
662  * Allow filesystems with binary mount data to explicitly set mount point
663  * labeling information.
664  */
665 static int selinux_set_mnt_opts(struct super_block *sb,
666                                 void *mnt_opts,
667                                 unsigned long kern_flags,
668                                 unsigned long *set_kern_flags)
669 {
670         const struct cred *cred = current_cred();
671         struct superblock_security_struct *sbsec = sb->s_security;
672         struct dentry *root = sbsec->sb->s_root;
673         struct selinux_mnt_opts *opts = mnt_opts;
674         struct inode_security_struct *root_isec;
675         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
676         u32 defcontext_sid = 0;
677         int rc = 0;
678
679         mutex_lock(&sbsec->lock);
680
681         if (!selinux_state.initialized) {
682                 if (!opts) {
683                         /* Defer initialization until selinux_complete_init,
684                            after the initial policy is loaded and the security
685                            server is ready to handle calls. */
686                         goto out;
687                 }
688                 rc = -EINVAL;
689                 pr_warn("SELinux: Unable to set superblock options "
690                         "before the security server is initialized\n");
691                 goto out;
692         }
693         if (kern_flags && !set_kern_flags) {
694                 /* Specifying internal flags without providing a place to
695                  * place the results is not allowed */
696                 rc = -EINVAL;
697                 goto out;
698         }
699
700         /*
701          * Binary mount data FS will come through this function twice.  Once
702          * from an explicit call and once from the generic calls from the vfs.
703          * Since the generic VFS calls will not contain any security mount data
704          * we need to skip the double mount verification.
705          *
706          * This does open a hole in which we will not notice if the first
707          * mount using this sb set explict options and a second mount using
708          * this sb does not set any security options.  (The first options
709          * will be used for both mounts)
710          */
711         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
712             && !opts)
713                 goto out;
714
715         root_isec = backing_inode_security_novalidate(root);
716
717         /*
718          * parse the mount options, check if they are valid sids.
719          * also check if someone is trying to mount the same sb more
720          * than once with different security options.
721          */
722         if (opts) {
723                 if (opts->fscontext) {
724                         rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
725                         if (rc)
726                                 goto out;
727                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
728                                         fscontext_sid))
729                                 goto out_double_mount;
730                         sbsec->flags |= FSCONTEXT_MNT;
731                 }
732                 if (opts->context) {
733                         rc = parse_sid(sb, opts->context, &context_sid);
734                         if (rc)
735                                 goto out;
736                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
737                                         context_sid))
738                                 goto out_double_mount;
739                         sbsec->flags |= CONTEXT_MNT;
740                 }
741                 if (opts->rootcontext) {
742                         rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
743                         if (rc)
744                                 goto out;
745                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
746                                         rootcontext_sid))
747                                 goto out_double_mount;
748                         sbsec->flags |= ROOTCONTEXT_MNT;
749                 }
750                 if (opts->defcontext) {
751                         rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
752                         if (rc)
753                                 goto out;
754                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
755                                         defcontext_sid))
756                                 goto out_double_mount;
757                         sbsec->flags |= DEFCONTEXT_MNT;
758                 }
759         }
760
761         if (sbsec->flags & SE_SBINITIALIZED) {
762                 /* previously mounted with options, but not on this attempt? */
763                 if ((sbsec->flags & SE_MNTMASK) && !opts)
764                         goto out_double_mount;
765                 rc = 0;
766                 goto out;
767         }
768
769         if (strcmp(sb->s_type->name, "proc") == 0)
770                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
771
772         if (!strcmp(sb->s_type->name, "debugfs") ||
773             !strcmp(sb->s_type->name, "tracefs") ||
774             !strcmp(sb->s_type->name, "sysfs") ||
775             !strcmp(sb->s_type->name, "pstore") ||
776             !strcmp(sb->s_type->name, "cgroup") ||
777             !strcmp(sb->s_type->name, "cgroup2"))
778                 sbsec->flags |= SE_SBGENFS;
779
780         if (!sbsec->behavior) {
781                 /*
782                  * Determine the labeling behavior to use for this
783                  * filesystem type.
784                  */
785                 rc = security_fs_use(&selinux_state, sb);
786                 if (rc) {
787                         pr_warn("%s: security_fs_use(%s) returned %d\n",
788                                         __func__, sb->s_type->name, rc);
789                         goto out;
790                 }
791         }
792
793         /*
794          * If this is a user namespace mount and the filesystem type is not
795          * explicitly whitelisted, then no contexts are allowed on the command
796          * line and security labels must be ignored.
797          */
798         if (sb->s_user_ns != &init_user_ns &&
799             strcmp(sb->s_type->name, "tmpfs") &&
800             strcmp(sb->s_type->name, "ramfs") &&
801             strcmp(sb->s_type->name, "devpts")) {
802                 if (context_sid || fscontext_sid || rootcontext_sid ||
803                     defcontext_sid) {
804                         rc = -EACCES;
805                         goto out;
806                 }
807                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
808                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
809                         rc = security_transition_sid(&selinux_state,
810                                                      current_sid(),
811                                                      current_sid(),
812                                                      SECCLASS_FILE, NULL,
813                                                      &sbsec->mntpoint_sid);
814                         if (rc)
815                                 goto out;
816                 }
817                 goto out_set_opts;
818         }
819
820         /* sets the context of the superblock for the fs being mounted. */
821         if (fscontext_sid) {
822                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
823                 if (rc)
824                         goto out;
825
826                 sbsec->sid = fscontext_sid;
827         }
828
829         /*
830          * Switch to using mount point labeling behavior.
831          * sets the label used on all file below the mountpoint, and will set
832          * the superblock context if not already set.
833          */
834         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
835                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
836                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
837         }
838
839         if (context_sid) {
840                 if (!fscontext_sid) {
841                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
842                                                           cred);
843                         if (rc)
844                                 goto out;
845                         sbsec->sid = context_sid;
846                 } else {
847                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
848                                                              cred);
849                         if (rc)
850                                 goto out;
851                 }
852                 if (!rootcontext_sid)
853                         rootcontext_sid = context_sid;
854
855                 sbsec->mntpoint_sid = context_sid;
856                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
857         }
858
859         if (rootcontext_sid) {
860                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
861                                                      cred);
862                 if (rc)
863                         goto out;
864
865                 root_isec->sid = rootcontext_sid;
866                 root_isec->initialized = LABEL_INITIALIZED;
867         }
868
869         if (defcontext_sid) {
870                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
871                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
872                         rc = -EINVAL;
873                         pr_warn("SELinux: defcontext option is "
874                                "invalid for this filesystem type\n");
875                         goto out;
876                 }
877
878                 if (defcontext_sid != sbsec->def_sid) {
879                         rc = may_context_mount_inode_relabel(defcontext_sid,
880                                                              sbsec, cred);
881                         if (rc)
882                                 goto out;
883                 }
884
885                 sbsec->def_sid = defcontext_sid;
886         }
887
888 out_set_opts:
889         rc = sb_finish_set_opts(sb);
890 out:
891         mutex_unlock(&sbsec->lock);
892         return rc;
893 out_double_mount:
894         rc = -EINVAL;
895         pr_warn("SELinux: mount invalid.  Same superblock, different "
896                "security settings for (dev %s, type %s)\n", sb->s_id,
897                sb->s_type->name);
898         goto out;
899 }
900
901 static int selinux_cmp_sb_context(const struct super_block *oldsb,
902                                     const struct super_block *newsb)
903 {
904         struct superblock_security_struct *old = oldsb->s_security;
905         struct superblock_security_struct *new = newsb->s_security;
906         char oldflags = old->flags & SE_MNTMASK;
907         char newflags = new->flags & SE_MNTMASK;
908
909         if (oldflags != newflags)
910                 goto mismatch;
911         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
912                 goto mismatch;
913         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
914                 goto mismatch;
915         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
916                 goto mismatch;
917         if (oldflags & ROOTCONTEXT_MNT) {
918                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
919                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
920                 if (oldroot->sid != newroot->sid)
921                         goto mismatch;
922         }
923         return 0;
924 mismatch:
925         pr_warn("SELinux: mount invalid.  Same superblock, "
926                             "different security settings for (dev %s, "
927                             "type %s)\n", newsb->s_id, newsb->s_type->name);
928         return -EBUSY;
929 }
930
931 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
932                                         struct super_block *newsb,
933                                         unsigned long kern_flags,
934                                         unsigned long *set_kern_flags)
935 {
936         int rc = 0;
937         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
938         struct superblock_security_struct *newsbsec = newsb->s_security;
939
940         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
941         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
942         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
943
944         /*
945          * if the parent was able to be mounted it clearly had no special lsm
946          * mount options.  thus we can safely deal with this superblock later
947          */
948         if (!selinux_state.initialized)
949                 return 0;
950
951         /*
952          * Specifying internal flags without providing a place to
953          * place the results is not allowed.
954          */
955         if (kern_flags && !set_kern_flags)
956                 return -EINVAL;
957
958         /* how can we clone if the old one wasn't set up?? */
959         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
960
961         /* if fs is reusing a sb, make sure that the contexts match */
962         if (newsbsec->flags & SE_SBINITIALIZED)
963                 return selinux_cmp_sb_context(oldsb, newsb);
964
965         mutex_lock(&newsbsec->lock);
966
967         newsbsec->flags = oldsbsec->flags;
968
969         newsbsec->sid = oldsbsec->sid;
970         newsbsec->def_sid = oldsbsec->def_sid;
971         newsbsec->behavior = oldsbsec->behavior;
972
973         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
974                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
975                 rc = security_fs_use(&selinux_state, newsb);
976                 if (rc)
977                         goto out;
978         }
979
980         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
981                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
982                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
983         }
984
985         if (set_context) {
986                 u32 sid = oldsbsec->mntpoint_sid;
987
988                 if (!set_fscontext)
989                         newsbsec->sid = sid;
990                 if (!set_rootcontext) {
991                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
992                         newisec->sid = sid;
993                 }
994                 newsbsec->mntpoint_sid = sid;
995         }
996         if (set_rootcontext) {
997                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
998                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
999
1000                 newisec->sid = oldisec->sid;
1001         }
1002
1003         sb_finish_set_opts(newsb);
1004 out:
1005         mutex_unlock(&newsbsec->lock);
1006         return rc;
1007 }
1008
1009 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
1010 {
1011         struct selinux_mnt_opts *opts = *mnt_opts;
1012
1013         if (token == Opt_seclabel)      /* eaten and completely ignored */
1014                 return 0;
1015
1016         if (!opts) {
1017                 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1018                 if (!opts)
1019                         return -ENOMEM;
1020                 *mnt_opts = opts;
1021         }
1022         if (!s)
1023                 return -ENOMEM;
1024         switch (token) {
1025         case Opt_context:
1026                 if (opts->context || opts->defcontext)
1027                         goto Einval;
1028                 opts->context = s;
1029                 break;
1030         case Opt_fscontext:
1031                 if (opts->fscontext)
1032                         goto Einval;
1033                 opts->fscontext = s;
1034                 break;
1035         case Opt_rootcontext:
1036                 if (opts->rootcontext)
1037                         goto Einval;
1038                 opts->rootcontext = s;
1039                 break;
1040         case Opt_defcontext:
1041                 if (opts->context || opts->defcontext)
1042                         goto Einval;
1043                 opts->defcontext = s;
1044                 break;
1045         }
1046         return 0;
1047 Einval:
1048         pr_warn(SEL_MOUNT_FAIL_MSG);
1049         return -EINVAL;
1050 }
1051
1052 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1053                                void **mnt_opts)
1054 {
1055         int token = Opt_error;
1056         int rc, i;
1057
1058         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1059                 if (strcmp(option, tokens[i].name) == 0) {
1060                         token = tokens[i].opt;
1061                         break;
1062                 }
1063         }
1064
1065         if (token == Opt_error)
1066                 return -EINVAL;
1067
1068         if (token != Opt_seclabel)
1069                 val = kmemdup_nul(val, len, GFP_KERNEL);
1070         rc = selinux_add_opt(token, val, mnt_opts);
1071         if (unlikely(rc)) {
1072                 kfree(val);
1073                 if (*mnt_opts) {
1074                         selinux_free_mnt_opts(*mnt_opts);
1075                         *mnt_opts = NULL;
1076                 }
1077         }
1078         return rc;
1079 }
1080
1081 static int show_sid(struct seq_file *m, u32 sid)
1082 {
1083         char *context = NULL;
1084         u32 len;
1085         int rc;
1086
1087         rc = security_sid_to_context(&selinux_state, sid,
1088                                              &context, &len);
1089         if (!rc) {
1090                 bool has_comma = context && strchr(context, ',');
1091
1092                 if (has_comma)
1093                         seq_putc(m, '\"');
1094                 seq_escape(m, context, "\"\n\\");
1095                 if (has_comma)
1096                         seq_putc(m, '\"');
1097         }
1098         kfree(context);
1099         return rc;
1100 }
1101
1102 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1103 {
1104         struct superblock_security_struct *sbsec = sb->s_security;
1105         int rc;
1106
1107         if (!(sbsec->flags & SE_SBINITIALIZED))
1108                 return 0;
1109
1110         if (!selinux_state.initialized)
1111                 return 0;
1112
1113         if (sbsec->flags & FSCONTEXT_MNT) {
1114                 seq_putc(m, ',');
1115                 seq_puts(m, FSCONTEXT_STR);
1116                 rc = show_sid(m, sbsec->sid);
1117                 if (rc)
1118                         return rc;
1119         }
1120         if (sbsec->flags & CONTEXT_MNT) {
1121                 seq_putc(m, ',');
1122                 seq_puts(m, CONTEXT_STR);
1123                 rc = show_sid(m, sbsec->mntpoint_sid);
1124                 if (rc)
1125                         return rc;
1126         }
1127         if (sbsec->flags & DEFCONTEXT_MNT) {
1128                 seq_putc(m, ',');
1129                 seq_puts(m, DEFCONTEXT_STR);
1130                 rc = show_sid(m, sbsec->def_sid);
1131                 if (rc)
1132                         return rc;
1133         }
1134         if (sbsec->flags & ROOTCONTEXT_MNT) {
1135                 struct dentry *root = sbsec->sb->s_root;
1136                 struct inode_security_struct *isec = backing_inode_security(root);
1137                 seq_putc(m, ',');
1138                 seq_puts(m, ROOTCONTEXT_STR);
1139                 rc = show_sid(m, isec->sid);
1140                 if (rc)
1141                         return rc;
1142         }
1143         if (sbsec->flags & SBLABEL_MNT) {
1144                 seq_putc(m, ',');
1145                 seq_puts(m, LABELSUPP_STR);
1146         }
1147         return 0;
1148 }
1149
1150 static inline u16 inode_mode_to_security_class(umode_t mode)
1151 {
1152         switch (mode & S_IFMT) {
1153         case S_IFSOCK:
1154                 return SECCLASS_SOCK_FILE;
1155         case S_IFLNK:
1156                 return SECCLASS_LNK_FILE;
1157         case S_IFREG:
1158                 return SECCLASS_FILE;
1159         case S_IFBLK:
1160                 return SECCLASS_BLK_FILE;
1161         case S_IFDIR:
1162                 return SECCLASS_DIR;
1163         case S_IFCHR:
1164                 return SECCLASS_CHR_FILE;
1165         case S_IFIFO:
1166                 return SECCLASS_FIFO_FILE;
1167
1168         }
1169
1170         return SECCLASS_FILE;
1171 }
1172
1173 static inline int default_protocol_stream(int protocol)
1174 {
1175         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1176 }
1177
1178 static inline int default_protocol_dgram(int protocol)
1179 {
1180         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1181 }
1182
1183 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1184 {
1185         int extsockclass = selinux_policycap_extsockclass();
1186
1187         switch (family) {
1188         case PF_UNIX:
1189                 switch (type) {
1190                 case SOCK_STREAM:
1191                 case SOCK_SEQPACKET:
1192                         return SECCLASS_UNIX_STREAM_SOCKET;
1193                 case SOCK_DGRAM:
1194                 case SOCK_RAW:
1195                         return SECCLASS_UNIX_DGRAM_SOCKET;
1196                 }
1197                 break;
1198         case PF_INET:
1199         case PF_INET6:
1200                 switch (type) {
1201                 case SOCK_STREAM:
1202                 case SOCK_SEQPACKET:
1203                         if (default_protocol_stream(protocol))
1204                                 return SECCLASS_TCP_SOCKET;
1205                         else if (extsockclass && protocol == IPPROTO_SCTP)
1206                                 return SECCLASS_SCTP_SOCKET;
1207                         else
1208                                 return SECCLASS_RAWIP_SOCKET;
1209                 case SOCK_DGRAM:
1210                         if (default_protocol_dgram(protocol))
1211                                 return SECCLASS_UDP_SOCKET;
1212                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1213                                                   protocol == IPPROTO_ICMPV6))
1214                                 return SECCLASS_ICMP_SOCKET;
1215                         else
1216                                 return SECCLASS_RAWIP_SOCKET;
1217                 case SOCK_DCCP:
1218                         return SECCLASS_DCCP_SOCKET;
1219                 default:
1220                         return SECCLASS_RAWIP_SOCKET;
1221                 }
1222                 break;
1223         case PF_NETLINK:
1224                 switch (protocol) {
1225                 case NETLINK_ROUTE:
1226                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1227                 case NETLINK_SOCK_DIAG:
1228                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1229                 case NETLINK_NFLOG:
1230                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1231                 case NETLINK_XFRM:
1232                         return SECCLASS_NETLINK_XFRM_SOCKET;
1233                 case NETLINK_SELINUX:
1234                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1235                 case NETLINK_ISCSI:
1236                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1237                 case NETLINK_AUDIT:
1238                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1239                 case NETLINK_FIB_LOOKUP:
1240                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1241                 case NETLINK_CONNECTOR:
1242                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1243                 case NETLINK_NETFILTER:
1244                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1245                 case NETLINK_DNRTMSG:
1246                         return SECCLASS_NETLINK_DNRT_SOCKET;
1247                 case NETLINK_KOBJECT_UEVENT:
1248                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1249                 case NETLINK_GENERIC:
1250                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1251                 case NETLINK_SCSITRANSPORT:
1252                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1253                 case NETLINK_RDMA:
1254                         return SECCLASS_NETLINK_RDMA_SOCKET;
1255                 case NETLINK_CRYPTO:
1256                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1257                 default:
1258                         return SECCLASS_NETLINK_SOCKET;
1259                 }
1260         case PF_PACKET:
1261                 return SECCLASS_PACKET_SOCKET;
1262         case PF_KEY:
1263                 return SECCLASS_KEY_SOCKET;
1264         case PF_APPLETALK:
1265                 return SECCLASS_APPLETALK_SOCKET;
1266         }
1267
1268         if (extsockclass) {
1269                 switch (family) {
1270                 case PF_AX25:
1271                         return SECCLASS_AX25_SOCKET;
1272                 case PF_IPX:
1273                         return SECCLASS_IPX_SOCKET;
1274                 case PF_NETROM:
1275                         return SECCLASS_NETROM_SOCKET;
1276                 case PF_ATMPVC:
1277                         return SECCLASS_ATMPVC_SOCKET;
1278                 case PF_X25:
1279                         return SECCLASS_X25_SOCKET;
1280                 case PF_ROSE:
1281                         return SECCLASS_ROSE_SOCKET;
1282                 case PF_DECnet:
1283                         return SECCLASS_DECNET_SOCKET;
1284                 case PF_ATMSVC:
1285                         return SECCLASS_ATMSVC_SOCKET;
1286                 case PF_RDS:
1287                         return SECCLASS_RDS_SOCKET;
1288                 case PF_IRDA:
1289                         return SECCLASS_IRDA_SOCKET;
1290                 case PF_PPPOX:
1291                         return SECCLASS_PPPOX_SOCKET;
1292                 case PF_LLC:
1293                         return SECCLASS_LLC_SOCKET;
1294                 case PF_CAN:
1295                         return SECCLASS_CAN_SOCKET;
1296                 case PF_TIPC:
1297                         return SECCLASS_TIPC_SOCKET;
1298                 case PF_BLUETOOTH:
1299                         return SECCLASS_BLUETOOTH_SOCKET;
1300                 case PF_IUCV:
1301                         return SECCLASS_IUCV_SOCKET;
1302                 case PF_RXRPC:
1303                         return SECCLASS_RXRPC_SOCKET;
1304                 case PF_ISDN:
1305                         return SECCLASS_ISDN_SOCKET;
1306                 case PF_PHONET:
1307                         return SECCLASS_PHONET_SOCKET;
1308                 case PF_IEEE802154:
1309                         return SECCLASS_IEEE802154_SOCKET;
1310                 case PF_CAIF:
1311                         return SECCLASS_CAIF_SOCKET;
1312                 case PF_ALG:
1313                         return SECCLASS_ALG_SOCKET;
1314                 case PF_NFC:
1315                         return SECCLASS_NFC_SOCKET;
1316                 case PF_VSOCK:
1317                         return SECCLASS_VSOCK_SOCKET;
1318                 case PF_KCM:
1319                         return SECCLASS_KCM_SOCKET;
1320                 case PF_QIPCRTR:
1321                         return SECCLASS_QIPCRTR_SOCKET;
1322                 case PF_SMC:
1323                         return SECCLASS_SMC_SOCKET;
1324                 case PF_XDP:
1325                         return SECCLASS_XDP_SOCKET;
1326 #if PF_MAX > 45
1327 #error New address family defined, please update this function.
1328 #endif
1329                 }
1330         }
1331
1332         return SECCLASS_SOCKET;
1333 }
1334
1335 static int selinux_genfs_get_sid(struct dentry *dentry,
1336                                  u16 tclass,
1337                                  u16 flags,
1338                                  u32 *sid)
1339 {
1340         int rc;
1341         struct super_block *sb = dentry->d_sb;
1342         char *buffer, *path;
1343
1344         buffer = (char *)__get_free_page(GFP_KERNEL);
1345         if (!buffer)
1346                 return -ENOMEM;
1347
1348         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1349         if (IS_ERR(path))
1350                 rc = PTR_ERR(path);
1351         else {
1352                 if (flags & SE_SBPROC) {
1353                         /* each process gets a /proc/PID/ entry. Strip off the
1354                          * PID part to get a valid selinux labeling.
1355                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1356                         while (path[1] >= '0' && path[1] <= '9') {
1357                                 path[1] = '/';
1358                                 path++;
1359                         }
1360                 }
1361                 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1362                                         path, tclass, sid);
1363                 if (rc == -ENOENT) {
1364                         /* No match in policy, mark as unlabeled. */
1365                         *sid = SECINITSID_UNLABELED;
1366                         rc = 0;
1367                 }
1368         }
1369         free_page((unsigned long)buffer);
1370         return rc;
1371 }
1372
1373 /* The inode's security attributes must be initialized before first use. */
1374 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1375 {
1376         struct superblock_security_struct *sbsec = NULL;
1377         struct inode_security_struct *isec = inode->i_security;
1378         u32 task_sid, sid = 0;
1379         u16 sclass;
1380         struct dentry *dentry;
1381 #define INITCONTEXTLEN 255
1382         char *context = NULL;
1383         unsigned len = 0;
1384         int rc = 0;
1385
1386         if (isec->initialized == LABEL_INITIALIZED)
1387                 return 0;
1388
1389         spin_lock(&isec->lock);
1390         if (isec->initialized == LABEL_INITIALIZED)
1391                 goto out_unlock;
1392
1393         if (isec->sclass == SECCLASS_FILE)
1394                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1395
1396         sbsec = inode->i_sb->s_security;
1397         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1398                 /* Defer initialization until selinux_complete_init,
1399                    after the initial policy is loaded and the security
1400                    server is ready to handle calls. */
1401                 spin_lock(&sbsec->isec_lock);
1402                 if (list_empty(&isec->list))
1403                         list_add(&isec->list, &sbsec->isec_head);
1404                 spin_unlock(&sbsec->isec_lock);
1405                 goto out_unlock;
1406         }
1407
1408         sclass = isec->sclass;
1409         task_sid = isec->task_sid;
1410         sid = isec->sid;
1411         isec->initialized = LABEL_PENDING;
1412         spin_unlock(&isec->lock);
1413
1414         switch (sbsec->behavior) {
1415         case SECURITY_FS_USE_NATIVE:
1416                 break;
1417         case SECURITY_FS_USE_XATTR:
1418                 if (!(inode->i_opflags & IOP_XATTR)) {
1419                         sid = sbsec->def_sid;
1420                         break;
1421                 }
1422                 /* Need a dentry, since the xattr API requires one.
1423                    Life would be simpler if we could just pass the inode. */
1424                 if (opt_dentry) {
1425                         /* Called from d_instantiate or d_splice_alias. */
1426                         dentry = dget(opt_dentry);
1427                 } else {
1428                         /*
1429                          * Called from selinux_complete_init, try to find a dentry.
1430                          * Some filesystems really want a connected one, so try
1431                          * that first.  We could split SECURITY_FS_USE_XATTR in
1432                          * two, depending upon that...
1433                          */
1434                         dentry = d_find_alias(inode);
1435                         if (!dentry)
1436                                 dentry = d_find_any_alias(inode);
1437                 }
1438                 if (!dentry) {
1439                         /*
1440                          * this is can be hit on boot when a file is accessed
1441                          * before the policy is loaded.  When we load policy we
1442                          * may find inodes that have no dentry on the
1443                          * sbsec->isec_head list.  No reason to complain as these
1444                          * will get fixed up the next time we go through
1445                          * inode_doinit with a dentry, before these inodes could
1446                          * be used again by userspace.
1447                          */
1448                         goto out;
1449                 }
1450
1451                 len = INITCONTEXTLEN;
1452                 context = kmalloc(len+1, GFP_NOFS);
1453                 if (!context) {
1454                         rc = -ENOMEM;
1455                         dput(dentry);
1456                         goto out;
1457                 }
1458                 context[len] = '\0';
1459                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1460                 if (rc == -ERANGE) {
1461                         kfree(context);
1462
1463                         /* Need a larger buffer.  Query for the right size. */
1464                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1465                         if (rc < 0) {
1466                                 dput(dentry);
1467                                 goto out;
1468                         }
1469                         len = rc;
1470                         context = kmalloc(len+1, GFP_NOFS);
1471                         if (!context) {
1472                                 rc = -ENOMEM;
1473                                 dput(dentry);
1474                                 goto out;
1475                         }
1476                         context[len] = '\0';
1477                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1478                 }
1479                 dput(dentry);
1480                 if (rc < 0) {
1481                         if (rc != -ENODATA) {
1482                                 pr_warn("SELinux: %s:  getxattr returned "
1483                                        "%d for dev=%s ino=%ld\n", __func__,
1484                                        -rc, inode->i_sb->s_id, inode->i_ino);
1485                                 kfree(context);
1486                                 goto out;
1487                         }
1488                         /* Map ENODATA to the default file SID */
1489                         sid = sbsec->def_sid;
1490                         rc = 0;
1491                 } else {
1492                         rc = security_context_to_sid_default(&selinux_state,
1493                                                              context, rc, &sid,
1494                                                              sbsec->def_sid,
1495                                                              GFP_NOFS);
1496                         if (rc) {
1497                                 char *dev = inode->i_sb->s_id;
1498                                 unsigned long ino = inode->i_ino;
1499
1500                                 if (rc == -EINVAL) {
1501                                         if (printk_ratelimit())
1502                                                 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1503                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1504                                                         "filesystem in question.\n", ino, dev, context);
1505                                 } else {
1506                                         pr_warn("SELinux: %s:  context_to_sid(%s) "
1507                                                "returned %d for dev=%s ino=%ld\n",
1508                                                __func__, context, -rc, dev, ino);
1509                                 }
1510                                 kfree(context);
1511                                 /* Leave with the unlabeled SID */
1512                                 rc = 0;
1513                                 break;
1514                         }
1515                 }
1516                 kfree(context);
1517                 break;
1518         case SECURITY_FS_USE_TASK:
1519                 sid = task_sid;
1520                 break;
1521         case SECURITY_FS_USE_TRANS:
1522                 /* Default to the fs SID. */
1523                 sid = sbsec->sid;
1524
1525                 /* Try to obtain a transition SID. */
1526                 rc = security_transition_sid(&selinux_state, task_sid, sid,
1527                                              sclass, NULL, &sid);
1528                 if (rc)
1529                         goto out;
1530                 break;
1531         case SECURITY_FS_USE_MNTPOINT:
1532                 sid = sbsec->mntpoint_sid;
1533                 break;
1534         default:
1535                 /* Default to the fs superblock SID. */
1536                 sid = sbsec->sid;
1537
1538                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1539                         /* We must have a dentry to determine the label on
1540                          * procfs inodes */
1541                         if (opt_dentry) {
1542                                 /* Called from d_instantiate or
1543                                  * d_splice_alias. */
1544                                 dentry = dget(opt_dentry);
1545                         } else {
1546                                 /* Called from selinux_complete_init, try to
1547                                  * find a dentry.  Some filesystems really want
1548                                  * a connected one, so try that first.
1549                                  */
1550                                 dentry = d_find_alias(inode);
1551                                 if (!dentry)
1552                                         dentry = d_find_any_alias(inode);
1553                         }
1554                         /*
1555                          * This can be hit on boot when a file is accessed
1556                          * before the policy is loaded.  When we load policy we
1557                          * may find inodes that have no dentry on the
1558                          * sbsec->isec_head list.  No reason to complain as
1559                          * these will get fixed up the next time we go through
1560                          * inode_doinit() with a dentry, before these inodes
1561                          * could be used again by userspace.
1562                          */
1563                         if (!dentry)
1564                                 goto out;
1565                         rc = selinux_genfs_get_sid(dentry, sclass,
1566                                                    sbsec->flags, &sid);
1567                         dput(dentry);
1568                         if (rc)
1569                                 goto out;
1570                 }
1571                 break;
1572         }
1573
1574 out:
1575         spin_lock(&isec->lock);
1576         if (isec->initialized == LABEL_PENDING) {
1577                 if (!sid || rc) {
1578                         isec->initialized = LABEL_INVALID;
1579                         goto out_unlock;
1580                 }
1581
1582                 isec->initialized = LABEL_INITIALIZED;
1583                 isec->sid = sid;
1584         }
1585
1586 out_unlock:
1587         spin_unlock(&isec->lock);
1588         return rc;
1589 }
1590
1591 /* Convert a Linux signal to an access vector. */
1592 static inline u32 signal_to_av(int sig)
1593 {
1594         u32 perm = 0;
1595
1596         switch (sig) {
1597         case SIGCHLD:
1598                 /* Commonly granted from child to parent. */
1599                 perm = PROCESS__SIGCHLD;
1600                 break;
1601         case SIGKILL:
1602                 /* Cannot be caught or ignored */
1603                 perm = PROCESS__SIGKILL;
1604                 break;
1605         case SIGSTOP:
1606                 /* Cannot be caught or ignored */
1607                 perm = PROCESS__SIGSTOP;
1608                 break;
1609         default:
1610                 /* All other signals. */
1611                 perm = PROCESS__SIGNAL;
1612                 break;
1613         }
1614
1615         return perm;
1616 }
1617
1618 #if CAP_LAST_CAP > 63
1619 #error Fix SELinux to handle capabilities > 63.
1620 #endif
1621
1622 /* Check whether a task is allowed to use a capability. */
1623 static int cred_has_capability(const struct cred *cred,
1624                                int cap, int audit, bool initns)
1625 {
1626         struct common_audit_data ad;
1627         struct av_decision avd;
1628         u16 sclass;
1629         u32 sid = cred_sid(cred);
1630         u32 av = CAP_TO_MASK(cap);
1631         int rc;
1632
1633         ad.type = LSM_AUDIT_DATA_CAP;
1634         ad.u.cap = cap;
1635
1636         switch (CAP_TO_INDEX(cap)) {
1637         case 0:
1638                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1639                 break;
1640         case 1:
1641                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1642                 break;
1643         default:
1644                 pr_err("SELinux:  out of range capability %d\n", cap);
1645                 BUG();
1646                 return -EINVAL;
1647         }
1648
1649         rc = avc_has_perm_noaudit(&selinux_state,
1650                                   sid, sid, sclass, av, 0, &avd);
1651         if (audit == SECURITY_CAP_AUDIT) {
1652                 int rc2 = avc_audit(&selinux_state,
1653                                     sid, sid, sclass, av, &avd, rc, &ad, 0);
1654                 if (rc2)
1655                         return rc2;
1656         }
1657         return rc;
1658 }
1659
1660 /* Check whether a task has a particular permission to an inode.
1661    The 'adp' parameter is optional and allows other audit
1662    data to be passed (e.g. the dentry). */
1663 static int inode_has_perm(const struct cred *cred,
1664                           struct inode *inode,
1665                           u32 perms,
1666                           struct common_audit_data *adp)
1667 {
1668         struct inode_security_struct *isec;
1669         u32 sid;
1670
1671         validate_creds(cred);
1672
1673         if (unlikely(IS_PRIVATE(inode)))
1674                 return 0;
1675
1676         sid = cred_sid(cred);
1677         isec = inode->i_security;
1678
1679         return avc_has_perm(&selinux_state,
1680                             sid, isec->sid, isec->sclass, perms, adp);
1681 }
1682
1683 /* Same as inode_has_perm, but pass explicit audit data containing
1684    the dentry to help the auditing code to more easily generate the
1685    pathname if needed. */
1686 static inline int dentry_has_perm(const struct cred *cred,
1687                                   struct dentry *dentry,
1688                                   u32 av)
1689 {
1690         struct inode *inode = d_backing_inode(dentry);
1691         struct common_audit_data ad;
1692
1693         ad.type = LSM_AUDIT_DATA_DENTRY;
1694         ad.u.dentry = dentry;
1695         __inode_security_revalidate(inode, dentry, true);
1696         return inode_has_perm(cred, inode, av, &ad);
1697 }
1698
1699 /* Same as inode_has_perm, but pass explicit audit data containing
1700    the path to help the auditing code to more easily generate the
1701    pathname if needed. */
1702 static inline int path_has_perm(const struct cred *cred,
1703                                 const struct path *path,
1704                                 u32 av)
1705 {
1706         struct inode *inode = d_backing_inode(path->dentry);
1707         struct common_audit_data ad;
1708
1709         ad.type = LSM_AUDIT_DATA_PATH;
1710         ad.u.path = *path;
1711         __inode_security_revalidate(inode, path->dentry, true);
1712         return inode_has_perm(cred, inode, av, &ad);
1713 }
1714
1715 /* Same as path_has_perm, but uses the inode from the file struct. */
1716 static inline int file_path_has_perm(const struct cred *cred,
1717                                      struct file *file,
1718                                      u32 av)
1719 {
1720         struct common_audit_data ad;
1721
1722         ad.type = LSM_AUDIT_DATA_FILE;
1723         ad.u.file = file;
1724         return inode_has_perm(cred, file_inode(file), av, &ad);
1725 }
1726
1727 #ifdef CONFIG_BPF_SYSCALL
1728 static int bpf_fd_pass(struct file *file, u32 sid);
1729 #endif
1730
1731 /* Check whether a task can use an open file descriptor to
1732    access an inode in a given way.  Check access to the
1733    descriptor itself, and then use dentry_has_perm to
1734    check a particular permission to the file.
1735    Access to the descriptor is implicitly granted if it
1736    has the same SID as the process.  If av is zero, then
1737    access to the file is not checked, e.g. for cases
1738    where only the descriptor is affected like seek. */
1739 static int file_has_perm(const struct cred *cred,
1740                          struct file *file,
1741                          u32 av)
1742 {
1743         struct file_security_struct *fsec = file->f_security;
1744         struct inode *inode = file_inode(file);
1745         struct common_audit_data ad;
1746         u32 sid = cred_sid(cred);
1747         int rc;
1748
1749         ad.type = LSM_AUDIT_DATA_FILE;
1750         ad.u.file = file;
1751
1752         if (sid != fsec->sid) {
1753                 rc = avc_has_perm(&selinux_state,
1754                                   sid, fsec->sid,
1755                                   SECCLASS_FD,
1756                                   FD__USE,
1757                                   &ad);
1758                 if (rc)
1759                         goto out;
1760         }
1761
1762 #ifdef CONFIG_BPF_SYSCALL
1763         rc = bpf_fd_pass(file, cred_sid(cred));
1764         if (rc)
1765                 return rc;
1766 #endif
1767
1768         /* av is zero if only checking access to the descriptor. */
1769         rc = 0;
1770         if (av)
1771                 rc = inode_has_perm(cred, inode, av, &ad);
1772
1773 out:
1774         return rc;
1775 }
1776
1777 /*
1778  * Determine the label for an inode that might be unioned.
1779  */
1780 static int
1781 selinux_determine_inode_label(const struct task_security_struct *tsec,
1782                                  struct inode *dir,
1783                                  const struct qstr *name, u16 tclass,
1784                                  u32 *_new_isid)
1785 {
1786         const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1787
1788         if ((sbsec->flags & SE_SBINITIALIZED) &&
1789             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1790                 *_new_isid = sbsec->mntpoint_sid;
1791         } else if ((sbsec->flags & SBLABEL_MNT) &&
1792                    tsec->create_sid) {
1793                 *_new_isid = tsec->create_sid;
1794         } else {
1795                 const struct inode_security_struct *dsec = inode_security(dir);
1796                 return security_transition_sid(&selinux_state, tsec->sid,
1797                                                dsec->sid, tclass,
1798                                                name, _new_isid);
1799         }
1800
1801         return 0;
1802 }
1803
1804 /* Check whether a task can create a file. */
1805 static int may_create(struct inode *dir,
1806                       struct dentry *dentry,
1807                       u16 tclass)
1808 {
1809         const struct task_security_struct *tsec = current_security();
1810         struct inode_security_struct *dsec;
1811         struct superblock_security_struct *sbsec;
1812         u32 sid, newsid;
1813         struct common_audit_data ad;
1814         int rc;
1815
1816         dsec = inode_security(dir);
1817         sbsec = dir->i_sb->s_security;
1818
1819         sid = tsec->sid;
1820
1821         ad.type = LSM_AUDIT_DATA_DENTRY;
1822         ad.u.dentry = dentry;
1823
1824         rc = avc_has_perm(&selinux_state,
1825                           sid, dsec->sid, SECCLASS_DIR,
1826                           DIR__ADD_NAME | DIR__SEARCH,
1827                           &ad);
1828         if (rc)
1829                 return rc;
1830
1831         rc = selinux_determine_inode_label(current_security(), dir,
1832                                            &dentry->d_name, tclass, &newsid);
1833         if (rc)
1834                 return rc;
1835
1836         rc = avc_has_perm(&selinux_state,
1837                           sid, newsid, tclass, FILE__CREATE, &ad);
1838         if (rc)
1839                 return rc;
1840
1841         return avc_has_perm(&selinux_state,
1842                             newsid, sbsec->sid,
1843                             SECCLASS_FILESYSTEM,
1844                             FILESYSTEM__ASSOCIATE, &ad);
1845 }
1846
1847 #define MAY_LINK        0
1848 #define MAY_UNLINK      1
1849 #define MAY_RMDIR       2
1850
1851 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1852 static int may_link(struct inode *dir,
1853                     struct dentry *dentry,
1854                     int kind)
1855
1856 {
1857         struct inode_security_struct *dsec, *isec;
1858         struct common_audit_data ad;
1859         u32 sid = current_sid();
1860         u32 av;
1861         int rc;
1862
1863         dsec = inode_security(dir);
1864         isec = backing_inode_security(dentry);
1865
1866         ad.type = LSM_AUDIT_DATA_DENTRY;
1867         ad.u.dentry = dentry;
1868
1869         av = DIR__SEARCH;
1870         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1871         rc = avc_has_perm(&selinux_state,
1872                           sid, dsec->sid, SECCLASS_DIR, av, &ad);
1873         if (rc)
1874                 return rc;
1875
1876         switch (kind) {
1877         case MAY_LINK:
1878                 av = FILE__LINK;
1879                 break;
1880         case MAY_UNLINK:
1881                 av = FILE__UNLINK;
1882                 break;
1883         case MAY_RMDIR:
1884                 av = DIR__RMDIR;
1885                 break;
1886         default:
1887                 pr_warn("SELinux: %s:  unrecognized kind %d\n",
1888                         __func__, kind);
1889                 return 0;
1890         }
1891
1892         rc = avc_has_perm(&selinux_state,
1893                           sid, isec->sid, isec->sclass, av, &ad);
1894         return rc;
1895 }
1896
1897 static inline int may_rename(struct inode *old_dir,
1898                              struct dentry *old_dentry,
1899                              struct inode *new_dir,
1900                              struct dentry *new_dentry)
1901 {
1902         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1903         struct common_audit_data ad;
1904         u32 sid = current_sid();
1905         u32 av;
1906         int old_is_dir, new_is_dir;
1907         int rc;
1908
1909         old_dsec = inode_security(old_dir);
1910         old_isec = backing_inode_security(old_dentry);
1911         old_is_dir = d_is_dir(old_dentry);
1912         new_dsec = inode_security(new_dir);
1913
1914         ad.type = LSM_AUDIT_DATA_DENTRY;
1915
1916         ad.u.dentry = old_dentry;
1917         rc = avc_has_perm(&selinux_state,
1918                           sid, old_dsec->sid, SECCLASS_DIR,
1919                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1920         if (rc)
1921                 return rc;
1922         rc = avc_has_perm(&selinux_state,
1923                           sid, old_isec->sid,
1924                           old_isec->sclass, FILE__RENAME, &ad);
1925         if (rc)
1926                 return rc;
1927         if (old_is_dir && new_dir != old_dir) {
1928                 rc = avc_has_perm(&selinux_state,
1929                                   sid, old_isec->sid,
1930                                   old_isec->sclass, DIR__REPARENT, &ad);
1931                 if (rc)
1932                         return rc;
1933         }
1934
1935         ad.u.dentry = new_dentry;
1936         av = DIR__ADD_NAME | DIR__SEARCH;
1937         if (d_is_positive(new_dentry))
1938                 av |= DIR__REMOVE_NAME;
1939         rc = avc_has_perm(&selinux_state,
1940                           sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1941         if (rc)
1942                 return rc;
1943         if (d_is_positive(new_dentry)) {
1944                 new_isec = backing_inode_security(new_dentry);
1945                 new_is_dir = d_is_dir(new_dentry);
1946                 rc = avc_has_perm(&selinux_state,
1947                                   sid, new_isec->sid,
1948                                   new_isec->sclass,
1949                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1950                 if (rc)
1951                         return rc;
1952         }
1953
1954         return 0;
1955 }
1956
1957 /* Check whether a task can perform a filesystem operation. */
1958 static int superblock_has_perm(const struct cred *cred,
1959                                struct super_block *sb,
1960                                u32 perms,
1961                                struct common_audit_data *ad)
1962 {
1963         struct superblock_security_struct *sbsec;
1964         u32 sid = cred_sid(cred);
1965
1966         sbsec = sb->s_security;
1967         return avc_has_perm(&selinux_state,
1968                             sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1969 }
1970
1971 /* Convert a Linux mode and permission mask to an access vector. */
1972 static inline u32 file_mask_to_av(int mode, int mask)
1973 {
1974         u32 av = 0;
1975
1976         if (!S_ISDIR(mode)) {
1977                 if (mask & MAY_EXEC)
1978                         av |= FILE__EXECUTE;
1979                 if (mask & MAY_READ)
1980                         av |= FILE__READ;
1981
1982                 if (mask & MAY_APPEND)
1983                         av |= FILE__APPEND;
1984                 else if (mask & MAY_WRITE)
1985                         av |= FILE__WRITE;
1986
1987         } else {
1988                 if (mask & MAY_EXEC)
1989                         av |= DIR__SEARCH;
1990                 if (mask & MAY_WRITE)
1991                         av |= DIR__WRITE;
1992                 if (mask & MAY_READ)
1993                         av |= DIR__READ;
1994         }
1995
1996         return av;
1997 }
1998
1999 /* Convert a Linux file to an access vector. */
2000 static inline u32 file_to_av(struct file *file)
2001 {
2002         u32 av = 0;
2003
2004         if (file->f_mode & FMODE_READ)
2005                 av |= FILE__READ;
2006         if (file->f_mode & FMODE_WRITE) {
2007                 if (file->f_flags & O_APPEND)
2008                         av |= FILE__APPEND;
2009                 else
2010                         av |= FILE__WRITE;
2011         }
2012         if (!av) {
2013                 /*
2014                  * Special file opened with flags 3 for ioctl-only use.
2015                  */
2016                 av = FILE__IOCTL;
2017         }
2018
2019         return av;
2020 }
2021
2022 /*
2023  * Convert a file to an access vector and include the correct open
2024  * open permission.
2025  */
2026 static inline u32 open_file_to_av(struct file *file)
2027 {
2028         u32 av = file_to_av(file);
2029         struct inode *inode = file_inode(file);
2030
2031         if (selinux_policycap_openperm() &&
2032             inode->i_sb->s_magic != SOCKFS_MAGIC)
2033                 av |= FILE__OPEN;
2034
2035         return av;
2036 }
2037
2038 /* Hook functions begin here. */
2039
2040 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2041 {
2042         u32 mysid = current_sid();
2043         u32 mgrsid = task_sid(mgr);
2044
2045         return avc_has_perm(&selinux_state,
2046                             mysid, mgrsid, SECCLASS_BINDER,
2047                             BINDER__SET_CONTEXT_MGR, NULL);
2048 }
2049
2050 static int selinux_binder_transaction(struct task_struct *from,
2051                                       struct task_struct *to)
2052 {
2053         u32 mysid = current_sid();
2054         u32 fromsid = task_sid(from);
2055         u32 tosid = task_sid(to);
2056         int rc;
2057
2058         if (mysid != fromsid) {
2059                 rc = avc_has_perm(&selinux_state,
2060                                   mysid, fromsid, SECCLASS_BINDER,
2061                                   BINDER__IMPERSONATE, NULL);
2062                 if (rc)
2063                         return rc;
2064         }
2065
2066         return avc_has_perm(&selinux_state,
2067                             fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2068                             NULL);
2069 }
2070
2071 static int selinux_binder_transfer_binder(struct task_struct *from,
2072                                           struct task_struct *to)
2073 {
2074         u32 fromsid = task_sid(from);
2075         u32 tosid = task_sid(to);
2076
2077         return avc_has_perm(&selinux_state,
2078                             fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2079                             NULL);
2080 }
2081
2082 static int selinux_binder_transfer_file(struct task_struct *from,
2083                                         struct task_struct *to,
2084                                         struct file *file)
2085 {
2086         u32 sid = task_sid(to);
2087         struct file_security_struct *fsec = file->f_security;
2088         struct dentry *dentry = file->f_path.dentry;
2089         struct inode_security_struct *isec;
2090         struct common_audit_data ad;
2091         int rc;
2092
2093         ad.type = LSM_AUDIT_DATA_PATH;
2094         ad.u.path = file->f_path;
2095
2096         if (sid != fsec->sid) {
2097                 rc = avc_has_perm(&selinux_state,
2098                                   sid, fsec->sid,
2099                                   SECCLASS_FD,
2100                                   FD__USE,
2101                                   &ad);
2102                 if (rc)
2103                         return rc;
2104         }
2105
2106 #ifdef CONFIG_BPF_SYSCALL
2107         rc = bpf_fd_pass(file, sid);
2108         if (rc)
2109                 return rc;
2110 #endif
2111
2112         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2113                 return 0;
2114
2115         isec = backing_inode_security(dentry);
2116         return avc_has_perm(&selinux_state,
2117                             sid, isec->sid, isec->sclass, file_to_av(file),
2118                             &ad);
2119 }
2120
2121 static int selinux_ptrace_access_check(struct task_struct *child,
2122                                      unsigned int mode)
2123 {
2124         u32 sid = current_sid();
2125         u32 csid = task_sid(child);
2126
2127         if (mode & PTRACE_MODE_READ)
2128                 return avc_has_perm(&selinux_state,
2129                                     sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2130
2131         return avc_has_perm(&selinux_state,
2132                             sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2133 }
2134
2135 static int selinux_ptrace_traceme(struct task_struct *parent)
2136 {
2137         return avc_has_perm(&selinux_state,
2138                             task_sid(parent), current_sid(), SECCLASS_PROCESS,
2139                             PROCESS__PTRACE, NULL);
2140 }
2141
2142 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2143                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2144 {
2145         return avc_has_perm(&selinux_state,
2146                             current_sid(), task_sid(target), SECCLASS_PROCESS,
2147                             PROCESS__GETCAP, NULL);
2148 }
2149
2150 static int selinux_capset(struct cred *new, const struct cred *old,
2151                           const kernel_cap_t *effective,
2152                           const kernel_cap_t *inheritable,
2153                           const kernel_cap_t *permitted)
2154 {
2155         return avc_has_perm(&selinux_state,
2156                             cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2157                             PROCESS__SETCAP, NULL);
2158 }
2159
2160 /*
2161  * (This comment used to live with the selinux_task_setuid hook,
2162  * which was removed).
2163  *
2164  * Since setuid only affects the current process, and since the SELinux
2165  * controls are not based on the Linux identity attributes, SELinux does not
2166  * need to control this operation.  However, SELinux does control the use of
2167  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2168  */
2169
2170 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2171                            int cap, int audit)
2172 {
2173         return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2174 }
2175
2176 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2177 {
2178         const struct cred *cred = current_cred();
2179         int rc = 0;
2180
2181         if (!sb)
2182                 return 0;
2183
2184         switch (cmds) {
2185         case Q_SYNC:
2186         case Q_QUOTAON:
2187         case Q_QUOTAOFF:
2188         case Q_SETINFO:
2189         case Q_SETQUOTA:
2190                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2191                 break;
2192         case Q_GETFMT:
2193         case Q_GETINFO:
2194         case Q_GETQUOTA:
2195                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2196                 break;
2197         default:
2198                 rc = 0;  /* let the kernel handle invalid cmds */
2199                 break;
2200         }
2201         return rc;
2202 }
2203
2204 static int selinux_quota_on(struct dentry *dentry)
2205 {
2206         const struct cred *cred = current_cred();
2207
2208         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2209 }
2210
2211 static int selinux_syslog(int type)
2212 {
2213         switch (type) {
2214         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2215         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2216                 return avc_has_perm(&selinux_state,
2217                                     current_sid(), SECINITSID_KERNEL,
2218                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2219         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2220         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2221         /* Set level of messages printed to console */
2222         case SYSLOG_ACTION_CONSOLE_LEVEL:
2223                 return avc_has_perm(&selinux_state,
2224                                     current_sid(), SECINITSID_KERNEL,
2225                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2226                                     NULL);
2227         }
2228         /* All other syslog types */
2229         return avc_has_perm(&selinux_state,
2230                             current_sid(), SECINITSID_KERNEL,
2231                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2232 }
2233
2234 /*
2235  * Check that a process has enough memory to allocate a new virtual
2236  * mapping. 0 means there is enough memory for the allocation to
2237  * succeed and -ENOMEM implies there is not.
2238  *
2239  * Do not audit the selinux permission check, as this is applied to all
2240  * processes that allocate mappings.
2241  */
2242 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2243 {
2244         int rc, cap_sys_admin = 0;
2245
2246         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2247                                  SECURITY_CAP_NOAUDIT, true);
2248         if (rc == 0)
2249                 cap_sys_admin = 1;
2250
2251         return cap_sys_admin;
2252 }
2253
2254 /* binprm security operations */
2255
2256 static u32 ptrace_parent_sid(void)
2257 {
2258         u32 sid = 0;
2259         struct task_struct *tracer;
2260
2261         rcu_read_lock();
2262         tracer = ptrace_parent(current);
2263         if (tracer)
2264                 sid = task_sid(tracer);
2265         rcu_read_unlock();
2266
2267         return sid;
2268 }
2269
2270 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2271                             const struct task_security_struct *old_tsec,
2272                             const struct task_security_struct *new_tsec)
2273 {
2274         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2275         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2276         int rc;
2277         u32 av;
2278
2279         if (!nnp && !nosuid)
2280                 return 0; /* neither NNP nor nosuid */
2281
2282         if (new_tsec->sid == old_tsec->sid)
2283                 return 0; /* No change in credentials */
2284
2285         /*
2286          * If the policy enables the nnp_nosuid_transition policy capability,
2287          * then we permit transitions under NNP or nosuid if the
2288          * policy allows the corresponding permission between
2289          * the old and new contexts.
2290          */
2291         if (selinux_policycap_nnp_nosuid_transition()) {
2292                 av = 0;
2293                 if (nnp)
2294                         av |= PROCESS2__NNP_TRANSITION;
2295                 if (nosuid)
2296                         av |= PROCESS2__NOSUID_TRANSITION;
2297                 rc = avc_has_perm(&selinux_state,
2298                                   old_tsec->sid, new_tsec->sid,
2299                                   SECCLASS_PROCESS2, av, NULL);
2300                 if (!rc)
2301                         return 0;
2302         }
2303
2304         /*
2305          * We also permit NNP or nosuid transitions to bounded SIDs,
2306          * i.e. SIDs that are guaranteed to only be allowed a subset
2307          * of the permissions of the current SID.
2308          */
2309         rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2310                                          new_tsec->sid);
2311         if (!rc)
2312                 return 0;
2313
2314         /*
2315          * On failure, preserve the errno values for NNP vs nosuid.
2316          * NNP:  Operation not permitted for caller.
2317          * nosuid:  Permission denied to file.
2318          */
2319         if (nnp)
2320                 return -EPERM;
2321         return -EACCES;
2322 }
2323
2324 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2325 {
2326         const struct task_security_struct *old_tsec;
2327         struct task_security_struct *new_tsec;
2328         struct inode_security_struct *isec;
2329         struct common_audit_data ad;
2330         struct inode *inode = file_inode(bprm->file);
2331         int rc;
2332
2333         /* SELinux context only depends on initial program or script and not
2334          * the script interpreter */
2335         if (bprm->called_set_creds)
2336                 return 0;
2337
2338         old_tsec = current_security();
2339         new_tsec = bprm->cred->security;
2340         isec = inode_security(inode);
2341
2342         /* Default to the current task SID. */
2343         new_tsec->sid = old_tsec->sid;
2344         new_tsec->osid = old_tsec->sid;
2345
2346         /* Reset fs, key, and sock SIDs on execve. */
2347         new_tsec->create_sid = 0;
2348         new_tsec->keycreate_sid = 0;
2349         new_tsec->sockcreate_sid = 0;
2350
2351         if (old_tsec->exec_sid) {
2352                 new_tsec->sid = old_tsec->exec_sid;
2353                 /* Reset exec SID on execve. */
2354                 new_tsec->exec_sid = 0;
2355
2356                 /* Fail on NNP or nosuid if not an allowed transition. */
2357                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2358                 if (rc)
2359                         return rc;
2360         } else {
2361                 /* Check for a default transition on this program. */
2362                 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2363                                              isec->sid, SECCLASS_PROCESS, NULL,
2364                                              &new_tsec->sid);
2365                 if (rc)
2366                         return rc;
2367
2368                 /*
2369                  * Fallback to old SID on NNP or nosuid if not an allowed
2370                  * transition.
2371                  */
2372                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2373                 if (rc)
2374                         new_tsec->sid = old_tsec->sid;
2375         }
2376
2377         ad.type = LSM_AUDIT_DATA_FILE;
2378         ad.u.file = bprm->file;
2379
2380         if (new_tsec->sid == old_tsec->sid) {
2381                 rc = avc_has_perm(&selinux_state,
2382                                   old_tsec->sid, isec->sid,
2383                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2384                 if (rc)
2385                         return rc;
2386         } else {
2387                 /* Check permissions for the transition. */
2388                 rc = avc_has_perm(&selinux_state,
2389                                   old_tsec->sid, new_tsec->sid,
2390                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2391                 if (rc)
2392                         return rc;
2393
2394                 rc = avc_has_perm(&selinux_state,
2395                                   new_tsec->sid, isec->sid,
2396                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2397                 if (rc)
2398                         return rc;
2399
2400                 /* Check for shared state */
2401                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2402                         rc = avc_has_perm(&selinux_state,
2403                                           old_tsec->sid, new_tsec->sid,
2404                                           SECCLASS_PROCESS, PROCESS__SHARE,
2405                                           NULL);
2406                         if (rc)
2407                                 return -EPERM;
2408                 }
2409
2410                 /* Make sure that anyone attempting to ptrace over a task that
2411                  * changes its SID has the appropriate permit */
2412                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2413                         u32 ptsid = ptrace_parent_sid();
2414                         if (ptsid != 0) {
2415                                 rc = avc_has_perm(&selinux_state,
2416                                                   ptsid, new_tsec->sid,
2417                                                   SECCLASS_PROCESS,
2418                                                   PROCESS__PTRACE, NULL);
2419                                 if (rc)
2420                                         return -EPERM;
2421                         }
2422                 }
2423
2424                 /* Clear any possibly unsafe personality bits on exec: */
2425                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2426
2427                 /* Enable secure mode for SIDs transitions unless
2428                    the noatsecure permission is granted between
2429                    the two SIDs, i.e. ahp returns 0. */
2430                 rc = avc_has_perm(&selinux_state,
2431                                   old_tsec->sid, new_tsec->sid,
2432                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2433                                   NULL);
2434                 bprm->secureexec |= !!rc;
2435         }
2436
2437         return 0;
2438 }
2439
2440 static int match_file(const void *p, struct file *file, unsigned fd)
2441 {
2442         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2443 }
2444
2445 /* Derived from fs/exec.c:flush_old_files. */
2446 static inline void flush_unauthorized_files(const struct cred *cred,
2447                                             struct files_struct *files)
2448 {
2449         struct file *file, *devnull = NULL;
2450         struct tty_struct *tty;
2451         int drop_tty = 0;
2452         unsigned n;
2453
2454         tty = get_current_tty();
2455         if (tty) {
2456                 spin_lock(&tty->files_lock);
2457                 if (!list_empty(&tty->tty_files)) {
2458                         struct tty_file_private *file_priv;
2459
2460                         /* Revalidate access to controlling tty.
2461                            Use file_path_has_perm on the tty path directly
2462                            rather than using file_has_perm, as this particular
2463                            open file may belong to another process and we are
2464                            only interested in the inode-based check here. */
2465                         file_priv = list_first_entry(&tty->tty_files,
2466                                                 struct tty_file_private, list);
2467                         file = file_priv->file;
2468                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2469                                 drop_tty = 1;
2470                 }
2471                 spin_unlock(&tty->files_lock);
2472                 tty_kref_put(tty);
2473         }
2474         /* Reset controlling tty. */
2475         if (drop_tty)
2476                 no_tty();
2477
2478         /* Revalidate access to inherited open files. */
2479         n = iterate_fd(files, 0, match_file, cred);
2480         if (!n) /* none found? */
2481                 return;
2482
2483         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2484         if (IS_ERR(devnull))
2485                 devnull = NULL;
2486         /* replace all the matching ones with this */
2487         do {
2488                 replace_fd(n - 1, devnull, 0);
2489         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2490         if (devnull)
2491                 fput(devnull);
2492 }
2493
2494 /*
2495  * Prepare a process for imminent new credential changes due to exec
2496  */
2497 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2498 {
2499         struct task_security_struct *new_tsec;
2500         struct rlimit *rlim, *initrlim;
2501         int rc, i;
2502
2503         new_tsec = bprm->cred->security;
2504         if (new_tsec->sid == new_tsec->osid)
2505                 return;
2506
2507         /* Close files for which the new task SID is not authorized. */
2508         flush_unauthorized_files(bprm->cred, current->files);
2509
2510         /* Always clear parent death signal on SID transitions. */
2511         current->pdeath_signal = 0;
2512
2513         /* Check whether the new SID can inherit resource limits from the old
2514          * SID.  If not, reset all soft limits to the lower of the current
2515          * task's hard limit and the init task's soft limit.
2516          *
2517          * Note that the setting of hard limits (even to lower them) can be
2518          * controlled by the setrlimit check.  The inclusion of the init task's
2519          * soft limit into the computation is to avoid resetting soft limits
2520          * higher than the default soft limit for cases where the default is
2521          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2522          */
2523         rc = avc_has_perm(&selinux_state,
2524                           new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2525                           PROCESS__RLIMITINH, NULL);
2526         if (rc) {
2527                 /* protect against do_prlimit() */
2528                 task_lock(current);
2529                 for (i = 0; i < RLIM_NLIMITS; i++) {
2530                         rlim = current->signal->rlim + i;
2531                         initrlim = init_task.signal->rlim + i;
2532                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2533                 }
2534                 task_unlock(current);
2535                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2536                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2537         }
2538 }
2539
2540 /*
2541  * Clean up the process immediately after the installation of new credentials
2542  * due to exec
2543  */
2544 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2545 {
2546         const struct task_security_struct *tsec = current_security();
2547         struct itimerval itimer;
2548         u32 osid, sid;
2549         int rc, i;
2550
2551         osid = tsec->osid;
2552         sid = tsec->sid;
2553
2554         if (sid == osid)
2555                 return;
2556
2557         /* Check whether the new SID can inherit signal state from the old SID.
2558          * If not, clear itimers to avoid subsequent signal generation and
2559          * flush and unblock signals.
2560          *
2561          * This must occur _after_ the task SID has been updated so that any
2562          * kill done after the flush will be checked against the new SID.
2563          */
2564         rc = avc_has_perm(&selinux_state,
2565                           osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2566         if (rc) {
2567                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2568                         memset(&itimer, 0, sizeof itimer);
2569                         for (i = 0; i < 3; i++)
2570                                 do_setitimer(i, &itimer, NULL);
2571                 }
2572                 spin_lock_irq(&current->sighand->siglock);
2573                 if (!fatal_signal_pending(current)) {
2574                         flush_sigqueue(&current->pending);
2575                         flush_sigqueue(&current->signal->shared_pending);
2576                         flush_signal_handlers(current, 1);
2577                         sigemptyset(&current->blocked);
2578                         recalc_sigpending();
2579                 }
2580                 spin_unlock_irq(&current->sighand->siglock);
2581         }
2582
2583         /* Wake up the parent if it is waiting so that it can recheck
2584          * wait permission to the new task SID. */
2585         read_lock(&tasklist_lock);
2586         __wake_up_parent(current, current->real_parent);
2587         read_unlock(&tasklist_lock);
2588 }
2589
2590 /* superblock security operations */
2591
2592 static int selinux_sb_alloc_security(struct super_block *sb)
2593 {
2594         return superblock_alloc_security(sb);
2595 }
2596
2597 static void selinux_sb_free_security(struct super_block *sb)
2598 {
2599         superblock_free_security(sb);
2600 }
2601
2602 static inline int opt_len(const char *s)
2603 {
2604         bool open_quote = false;
2605         int len;
2606         char c;
2607
2608         for (len = 0; (c = s[len]) != '\0'; len++) {
2609                 if (c == '"')
2610                         open_quote = !open_quote;
2611                 if (c == ',' && !open_quote)
2612                         break;
2613         }
2614         return len;
2615 }
2616
2617 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2618 {
2619         char *from = options;
2620         char *to = options;
2621         bool first = true;
2622
2623         while (1) {
2624                 int len = opt_len(from);
2625                 int token, rc;
2626                 char *arg = NULL;
2627
2628                 token = match_opt_prefix(from, len, &arg);
2629
2630                 if (token != Opt_error) {
2631                         char *p, *q;
2632
2633                         /* strip quotes */
2634                         if (arg) {
2635                                 for (p = q = arg; p < from + len; p++) {
2636                                         char c = *p;
2637                                         if (c != '"')
2638                                                 *q++ = c;
2639                                 }
2640                                 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2641                         }
2642                         rc = selinux_add_opt(token, arg, mnt_opts);
2643                         if (unlikely(rc)) {
2644                                 kfree(arg);
2645                                 if (*mnt_opts) {
2646                                         selinux_free_mnt_opts(*mnt_opts);
2647                                         *mnt_opts = NULL;
2648                                 }
2649                                 return rc;
2650                         }
2651                 } else {
2652                         if (!first) {   // copy with preceding comma
2653                                 from--;
2654                                 len++;
2655                         }
2656                         if (to != from)
2657                                 memmove(to, from, len);
2658                         to += len;
2659                         first = false;
2660                 }
2661                 if (!from[len])
2662                         break;
2663                 from += len + 1;
2664         }
2665         *to = '\0';
2666         return 0;
2667 }
2668
2669 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2670 {
2671         struct selinux_mnt_opts *opts = mnt_opts;
2672         struct superblock_security_struct *sbsec = sb->s_security;
2673         u32 sid;
2674         int rc;
2675
2676         if (!(sbsec->flags & SE_SBINITIALIZED))
2677                 return 0;
2678
2679         if (!opts)
2680                 return 0;
2681
2682         if (opts->fscontext) {
2683                 rc = parse_sid(sb, opts->fscontext, &sid);
2684                 if (rc)
2685                         return rc;
2686                 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2687                         goto out_bad_option;
2688         }
2689         if (opts->context) {
2690                 rc = parse_sid(sb, opts->context, &sid);
2691                 if (rc)
2692                         return rc;
2693                 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2694                         goto out_bad_option;
2695         }
2696         if (opts->rootcontext) {
2697                 struct inode_security_struct *root_isec;
2698                 root_isec = backing_inode_security(sb->s_root);
2699                 rc = parse_sid(sb, opts->rootcontext, &sid);
2700                 if (rc)
2701                         return rc;
2702                 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2703                         goto out_bad_option;
2704         }
2705         if (opts->defcontext) {
2706                 rc = parse_sid(sb, opts->defcontext, &sid);
2707                 if (rc)
2708                         return rc;
2709                 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2710                         goto out_bad_option;
2711         }
2712         return 0;
2713
2714 out_bad_option:
2715         pr_warn("SELinux: unable to change security options "
2716                "during remount (dev %s, type=%s)\n", sb->s_id,
2717                sb->s_type->name);
2718         return -EINVAL;
2719 }
2720
2721 static int selinux_sb_kern_mount(struct super_block *sb)
2722 {
2723         const struct cred *cred = current_cred();
2724         struct common_audit_data ad;
2725
2726         ad.type = LSM_AUDIT_DATA_DENTRY;
2727         ad.u.dentry = sb->s_root;
2728         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2729 }
2730
2731 static int selinux_sb_statfs(struct dentry *dentry)
2732 {
2733         const struct cred *cred = current_cred();
2734         struct common_audit_data ad;
2735
2736         ad.type = LSM_AUDIT_DATA_DENTRY;
2737         ad.u.dentry = dentry->d_sb->s_root;
2738         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2739 }
2740
2741 static int selinux_mount(const char *dev_name,
2742                          const struct path *path,
2743                          const char *type,
2744                          unsigned long flags,
2745                          void *data)
2746 {
2747         const struct cred *cred = current_cred();
2748
2749         if (flags & MS_REMOUNT)
2750                 return superblock_has_perm(cred, path->dentry->d_sb,
2751                                            FILESYSTEM__REMOUNT, NULL);
2752         else
2753                 return path_has_perm(cred, path, FILE__MOUNTON);
2754 }
2755
2756 static int selinux_umount(struct vfsmount *mnt, int flags)
2757 {
2758         const struct cred *cred = current_cred();
2759
2760         return superblock_has_perm(cred, mnt->mnt_sb,
2761                                    FILESYSTEM__UNMOUNT, NULL);
2762 }
2763
2764 /* inode security operations */
2765
2766 static int selinux_inode_alloc_security(struct inode *inode)
2767 {
2768         return inode_alloc_security(inode);
2769 }
2770
2771 static void selinux_inode_free_security(struct inode *inode)
2772 {
2773         inode_free_security(inode);
2774 }
2775
2776 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2777                                         const struct qstr *name, void **ctx,
2778                                         u32 *ctxlen)
2779 {
2780         u32 newsid;
2781         int rc;
2782
2783         rc = selinux_determine_inode_label(current_security(),
2784                                            d_inode(dentry->d_parent), name,
2785                                            inode_mode_to_security_class(mode),
2786                                            &newsid);
2787         if (rc)
2788                 return rc;
2789
2790         return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2791                                        ctxlen);
2792 }
2793
2794 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2795                                           struct qstr *name,
2796                                           const struct cred *old,
2797                                           struct cred *new)
2798 {
2799         u32 newsid;
2800         int rc;
2801         struct task_security_struct *tsec;
2802
2803         rc = selinux_determine_inode_label(old->security,
2804                                            d_inode(dentry->d_parent), name,
2805                                            inode_mode_to_security_class(mode),
2806                                            &newsid);
2807         if (rc)
2808                 return rc;
2809
2810         tsec = new->security;
2811         tsec->create_sid = newsid;
2812         return 0;
2813 }
2814
2815 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2816                                        const struct qstr *qstr,
2817                                        const char **name,
2818                                        void **value, size_t *len)
2819 {
2820         const struct task_security_struct *tsec = current_security();
2821         struct superblock_security_struct *sbsec;
2822         u32 newsid, clen;
2823         int rc;
2824         char *context;
2825
2826         sbsec = dir->i_sb->s_security;
2827
2828         newsid = tsec->create_sid;
2829
2830         rc = selinux_determine_inode_label(current_security(),
2831                 dir, qstr,
2832                 inode_mode_to_security_class(inode->i_mode),
2833                 &newsid);
2834         if (rc)
2835                 return rc;
2836
2837         /* Possibly defer initialization to selinux_complete_init. */
2838         if (sbsec->flags & SE_SBINITIALIZED) {
2839                 struct inode_security_struct *isec = inode->i_security;
2840                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2841                 isec->sid = newsid;
2842                 isec->initialized = LABEL_INITIALIZED;
2843         }
2844
2845         if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2846                 return -EOPNOTSUPP;
2847
2848         if (name)
2849                 *name = XATTR_SELINUX_SUFFIX;
2850
2851         if (value && len) {
2852                 rc = security_sid_to_context_force(&selinux_state, newsid,
2853                                                    &context, &clen);
2854                 if (rc)
2855                         return rc;
2856                 *value = context;
2857                 *len = clen;
2858         }
2859
2860         return 0;
2861 }
2862
2863 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2864 {
2865         return may_create(dir, dentry, SECCLASS_FILE);
2866 }
2867
2868 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2869 {
2870         return may_link(dir, old_dentry, MAY_LINK);
2871 }
2872
2873 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2874 {
2875         return may_link(dir, dentry, MAY_UNLINK);
2876 }
2877
2878 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2879 {
2880         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2881 }
2882
2883 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2884 {
2885         return may_create(dir, dentry, SECCLASS_DIR);
2886 }
2887
2888 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2889 {
2890         return may_link(dir, dentry, MAY_RMDIR);
2891 }
2892
2893 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2894 {
2895         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2896 }
2897
2898 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2899                                 struct inode *new_inode, struct dentry *new_dentry)
2900 {
2901         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2902 }
2903
2904 static int selinux_inode_readlink(struct dentry *dentry)
2905 {
2906         const struct cred *cred = current_cred();
2907
2908         return dentry_has_perm(cred, dentry, FILE__READ);
2909 }
2910
2911 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2912                                      bool rcu)
2913 {
2914         const struct cred *cred = current_cred();
2915         struct common_audit_data ad;
2916         struct inode_security_struct *isec;
2917         u32 sid;
2918
2919         validate_creds(cred);
2920
2921         ad.type = LSM_AUDIT_DATA_DENTRY;
2922         ad.u.dentry = dentry;
2923         sid = cred_sid(cred);
2924         isec = inode_security_rcu(inode, rcu);
2925         if (IS_ERR(isec))
2926                 return PTR_ERR(isec);
2927
2928         return avc_has_perm_flags(&selinux_state,
2929                                   sid, isec->sid, isec->sclass, FILE__READ, &ad,
2930                                   rcu ? MAY_NOT_BLOCK : 0);
2931 }
2932
2933 static noinline int audit_inode_permission(struct inode *inode,
2934                                            u32 perms, u32 audited, u32 denied,
2935                                            int result,
2936                                            unsigned flags)
2937 {
2938         struct common_audit_data ad;
2939         struct inode_security_struct *isec = inode->i_security;
2940         int rc;
2941
2942         ad.type = LSM_AUDIT_DATA_INODE;
2943         ad.u.inode = inode;
2944
2945         rc = slow_avc_audit(&selinux_state,
2946                             current_sid(), isec->sid, isec->sclass, perms,
2947                             audited, denied, result, &ad, flags);
2948         if (rc)
2949                 return rc;
2950         return 0;
2951 }
2952
2953 static int selinux_inode_permission(struct inode *inode, int mask)
2954 {
2955         const struct cred *cred = current_cred();
2956         u32 perms;
2957         bool from_access;
2958         unsigned flags = mask & MAY_NOT_BLOCK;
2959         struct inode_security_struct *isec;
2960         u32 sid;
2961         struct av_decision avd;
2962         int rc, rc2;
2963         u32 audited, denied;
2964
2965         from_access = mask & MAY_ACCESS;
2966         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2967
2968         /* No permission to check.  Existence test. */
2969         if (!mask)
2970                 return 0;
2971
2972         validate_creds(cred);
2973
2974         if (unlikely(IS_PRIVATE(inode)))
2975                 return 0;
2976
2977         perms = file_mask_to_av(inode->i_mode, mask);
2978
2979         sid = cred_sid(cred);
2980         isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2981         if (IS_ERR(isec))
2982                 return PTR_ERR(isec);
2983
2984         rc = avc_has_perm_noaudit(&selinux_state,
2985                                   sid, isec->sid, isec->sclass, perms, 0, &avd);
2986         audited = avc_audit_required(perms, &avd, rc,
2987                                      from_access ? FILE__AUDIT_ACCESS : 0,
2988                                      &denied);
2989         if (likely(!audited))
2990                 return rc;
2991
2992         rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2993         if (rc2)
2994                 return rc2;
2995         return rc;
2996 }
2997
2998 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2999 {
3000         const struct cred *cred = current_cred();
3001         struct inode *inode = d_backing_inode(dentry);
3002         unsigned int ia_valid = iattr->ia_valid;
3003         __u32 av = FILE__WRITE;
3004
3005         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3006         if (ia_valid & ATTR_FORCE) {
3007                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3008                               ATTR_FORCE);
3009                 if (!ia_valid)
3010                         return 0;
3011         }
3012
3013         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3014                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3015                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3016
3017         if (selinux_policycap_openperm() &&
3018             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3019             (ia_valid & ATTR_SIZE) &&
3020             !(ia_valid & ATTR_FILE))
3021                 av |= FILE__OPEN;
3022
3023         return dentry_has_perm(cred, dentry, av);
3024 }
3025
3026 static int selinux_inode_getattr(const struct path *path)
3027 {
3028         return path_has_perm(current_cred(), path, FILE__GETATTR);
3029 }
3030
3031 static bool has_cap_mac_admin(bool audit)
3032 {
3033         const struct cred *cred = current_cred();
3034         int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3035
3036         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3037                 return false;
3038         if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3039                 return false;
3040         return true;
3041 }
3042
3043 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3044                                   const void *value, size_t size, int flags)
3045 {
3046         struct inode *inode = d_backing_inode(dentry);
3047         struct inode_security_struct *isec;
3048         struct superblock_security_struct *sbsec;
3049         struct common_audit_data ad;
3050         u32 newsid, sid = current_sid();
3051         int rc = 0;
3052
3053         if (strcmp(name, XATTR_NAME_SELINUX)) {
3054                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3055                 if (rc)
3056                         return rc;
3057
3058                 /* Not an attribute we recognize, so just check the
3059                    ordinary setattr permission. */
3060                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3061         }
3062
3063         sbsec = inode->i_sb->s_security;
3064         if (!(sbsec->flags & SBLABEL_MNT))
3065                 return -EOPNOTSUPP;
3066
3067         if (!inode_owner_or_capable(inode))
3068                 return -EPERM;
3069
3070         ad.type = LSM_AUDIT_DATA_DENTRY;
3071         ad.u.dentry = dentry;
3072
3073         isec = backing_inode_security(dentry);
3074         rc = avc_has_perm(&selinux_state,
3075                           sid, isec->sid, isec->sclass,
3076                           FILE__RELABELFROM, &ad);
3077         if (rc)
3078                 return rc;
3079
3080         rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3081                                      GFP_KERNEL);
3082         if (rc == -EINVAL) {
3083                 if (!has_cap_mac_admin(true)) {
3084                         struct audit_buffer *ab;
3085                         size_t audit_size;
3086
3087                         /* We strip a nul only if it is at the end, otherwise the
3088                          * context contains a nul and we should audit that */
3089                         if (value) {
3090                                 const char *str = value;
3091
3092                                 if (str[size - 1] == '\0')
3093                                         audit_size = size - 1;
3094                                 else
3095                                         audit_size = size;
3096                         } else {
3097                                 audit_size = 0;
3098                         }
3099                         ab = audit_log_start(audit_context(),
3100                                              GFP_ATOMIC, AUDIT_SELINUX_ERR);
3101                         audit_log_format(ab, "op=setxattr invalid_context=");
3102                         audit_log_n_untrustedstring(ab, value, audit_size);
3103                         audit_log_end(ab);
3104
3105                         return rc;
3106                 }
3107                 rc = security_context_to_sid_force(&selinux_state, value,
3108                                                    size, &newsid);
3109         }
3110         if (rc)
3111                 return rc;
3112
3113         rc = avc_has_perm(&selinux_state,
3114                           sid, newsid, isec->sclass,
3115                           FILE__RELABELTO, &ad);
3116         if (rc)
3117                 return rc;
3118
3119         rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3120                                           sid, isec->sclass);
3121         if (rc)
3122                 return rc;
3123
3124         return avc_has_perm(&selinux_state,
3125                             newsid,
3126                             sbsec->sid,
3127                             SECCLASS_FILESYSTEM,
3128                             FILESYSTEM__ASSOCIATE,
3129                             &ad);
3130 }
3131
3132 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3133    &nbs