linux/security/selinux/hooks.c
<<
>>
Prefs
   1/*
   2 *  NSA Security-Enhanced Linux (SELinux) security module
   3 *
   4 *  This file contains the SELinux hook function implementations.
   5 *
   6 *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
   7 *            Chris Vance, <cvance@nai.com>
   8 *            Wayne Salamon, <wsalamon@nai.com>
   9 *            James Morris <jmorris@redhat.com>
  10 *
  11 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  12 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  13 *                                         Eric Paris <eparis@redhat.com>
  14 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  15 *                          <dgoeddel@trustedcs.com>
  16 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
  17 *      Paul Moore <paul@paul-moore.com>
  18 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  19 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  20 *  Copyright (C) 2016 Mellanox Technologies
  21 *
  22 *      This program is free software; you can redistribute it and/or modify
  23 *      it under the terms of the GNU General Public License version 2,
  24 *      as published by the Free Software Foundation.
  25 */
  26
  27#include <linux/init.h>
  28#include <linux/kd.h>
  29#include <linux/kernel.h>
  30#include <linux/tracehook.h>
  31#include <linux/errno.h>
  32#include <linux/sched/signal.h>
  33#include <linux/sched/task.h>
  34#include <linux/lsm_hooks.h>
  35#include <linux/xattr.h>
  36#include <linux/capability.h>
  37#include <linux/unistd.h>
  38#include <linux/mm.h>
  39#include <linux/mman.h>
  40#include <linux/slab.h>
  41#include <linux/pagemap.h>
  42#include <linux/proc_fs.h>
  43#include <linux/swap.h>
  44#include <linux/spinlock.h>
  45#include <linux/syscalls.h>
  46#include <linux/dcache.h>
  47#include <linux/file.h>
  48#include <linux/fdtable.h>
  49#include <linux/namei.h>
  50#include <linux/mount.h>
  51#include <linux/netfilter_ipv4.h>
  52#include <linux/netfilter_ipv6.h>
  53#include <linux/tty.h>
  54#include <net/icmp.h>
  55#include <net/ip.h>             /* for local_port_range[] */
  56#include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  57#include <net/inet_connection_sock.h>
  58#include <net/net_namespace.h>
  59#include <net/netlabel.h>
  60#include <linux/uaccess.h>
  61#include <asm/ioctls.h>
  62#include <linux/atomic.h>
  63#include <linux/bitops.h>
  64#include <linux/interrupt.h>
  65#include <linux/netdevice.h>    /* for network interface checks */
  66#include <net/netlink.h>
  67#include <linux/tcp.h>
  68#include <linux/udp.h>
  69#include <linux/dccp.h>
  70#include <linux/quota.h>
  71#include <linux/un.h>           /* for Unix socket types */
  72#include <net/af_unix.h>        /* for Unix socket types */
  73#include <linux/parser.h>
  74#include <linux/nfs_mount.h>
  75#include <net/ipv6.h>
  76#include <linux/hugetlb.h>
  77#include <linux/personality.h>
  78#include <linux/audit.h>
  79#include <linux/string.h>
  80#include <linux/selinux.h>
  81#include <linux/mutex.h>
  82#include <linux/posix-timers.h>
  83#include <linux/syslog.h>
  84#include <linux/user_namespace.h>
  85#include <linux/export.h>
  86#include <linux/msg.h>
  87#include <linux/shm.h>
  88#include <linux/bpf.h>
  89
  90#include "avc.h"
  91#include "objsec.h"
  92#include "netif.h"
  93#include "netnode.h"
  94#include "netport.h"
  95#include "ibpkey.h"
  96#include "xfrm.h"
  97#include "netlabel.h"
  98#include "audit.h"
  99#include "avc_ss.h"
 100
 101/* SECMARK reference count */
 102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 103
 104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 105int selinux_enforcing;
 106
 107static int __init enforcing_setup(char *str)
 108{
 109        unsigned long enforcing;
 110        if (!kstrtoul(str, 0, &enforcing))
 111                selinux_enforcing = enforcing ? 1 : 0;
 112        return 1;
 113}
 114__setup("enforcing=", enforcing_setup);
 115#endif
 116
 117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 118int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 119
 120static int __init selinux_enabled_setup(char *str)
 121{
 122        unsigned long enabled;
 123        if (!kstrtoul(str, 0, &enabled))
 124                selinux_enabled = enabled ? 1 : 0;
 125        return 1;
 126}
 127__setup("selinux=", selinux_enabled_setup);
 128#else
 129int selinux_enabled = 1;
 130#endif
 131
 132static struct kmem_cache *sel_inode_cache;
 133static struct kmem_cache *file_security_cache;
 134
 135/**
 136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 137 *
 138 * Description:
 139 * This function checks the SECMARK reference counter to see if any SECMARK
 140 * targets are currently configured, if the reference counter is greater than
 141 * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
 142 * enabled, false (0) if SECMARK is disabled.  If the always_check_network
 143 * policy capability is enabled, SECMARK is always considered enabled.
 144 *
 145 */
 146static int selinux_secmark_enabled(void)
 147{
 148        return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
 149}
 150
 151/**
 152 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
 153 *
 154 * Description:
 155 * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
 156 * (1) if any are enabled or false (0) if neither are enabled.  If the
 157 * always_check_network policy capability is enabled, peer labeling
 158 * is always considered enabled.
 159 *
 160 */
 161static int selinux_peerlbl_enabled(void)
 162{
 163        return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
 164}
 165
 166static int selinux_netcache_avc_callback(u32 event)
 167{
 168        if (event == AVC_CALLBACK_RESET) {
 169                sel_netif_flush();
 170                sel_netnode_flush();
 171                sel_netport_flush();
 172                synchronize_net();
 173        }
 174        return 0;
 175}
 176
 177static int selinux_lsm_notifier_avc_callback(u32 event)
 178{
 179        if (event == AVC_CALLBACK_RESET) {
 180                sel_ib_pkey_flush();
 181                call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
 182        }
 183
 184        return 0;
 185}
 186
 187/*
 188 * initialise the security for the init task
 189 */
 190static void cred_init_security(void)
 191{
 192        struct cred *cred = (struct cred *) current->real_cred;
 193        struct task_security_struct *tsec;
 194
 195        tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
 196        if (!tsec)
 197                panic("SELinux:  Failed to initialize initial task.\n");
 198
 199        tsec->osid = tsec->sid = SECINITSID_KERNEL;
 200        cred->security = tsec;
 201}
 202
 203/*
 204 * get the security ID of a set of credentials
 205 */
 206static inline u32 cred_sid(const struct cred *cred)
 207{
 208        const struct task_security_struct *tsec;
 209
 210        tsec = cred->security;
 211        return tsec->sid;
 212}
 213
 214/*
 215 * get the objective security ID of a task
 216 */
 217static inline u32 task_sid(const struct task_struct *task)
 218{
 219        u32 sid;
 220
 221        rcu_read_lock();
 222        sid = cred_sid(__task_cred(task));
 223        rcu_read_unlock();
 224        return sid;
 225}
 226
 227/* Allocate and free functions for each kind of security blob. */
 228
 229static int inode_alloc_security(struct inode *inode)
 230{
 231        struct inode_security_struct *isec;
 232        u32 sid = current_sid();
 233
 234        isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
 235        if (!isec)
 236                return -ENOMEM;
 237
 238        spin_lock_init(&isec->lock);
 239        INIT_LIST_HEAD(&isec->list);
 240        isec->inode = inode;
 241        isec->sid = SECINITSID_UNLABELED;
 242        isec->sclass = SECCLASS_FILE;
 243        isec->task_sid = sid;
 244        isec->initialized = LABEL_INVALID;
 245        inode->i_security = isec;
 246
 247        return 0;
 248}
 249
 250static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 251
 252/*
 253 * Try reloading inode security labels that have been marked as invalid.  The
 254 * @may_sleep parameter indicates when sleeping and thus reloading labels is
 255 * allowed; when set to false, returns -ECHILD when the label is
 256 * invalid.  The @opt_dentry parameter should be set to a dentry of the inode;
 257 * when no dentry is available, set it to NULL instead.
 258 */
 259static int __inode_security_revalidate(struct inode *inode,
 260                                       struct dentry *opt_dentry,
 261                                       bool may_sleep)
 262{
 263        struct inode_security_struct *isec = inode->i_security;
 264
 265        might_sleep_if(may_sleep);
 266
 267        if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
 268                if (!may_sleep)
 269                        return -ECHILD;
 270
 271                /*
 272                 * Try reloading the inode security label.  This will fail if
 273                 * @opt_dentry is NULL and no dentry for this inode can be
 274                 * found; in that case, continue using the old label.
 275                 */
 276                inode_doinit_with_dentry(inode, opt_dentry);
 277        }
 278        return 0;
 279}
 280
 281static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
 282{
 283        return inode->i_security;
 284}
 285
 286static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
 287{
 288        int error;
 289
 290        error = __inode_security_revalidate(inode, NULL, !rcu);
 291        if (error)
 292                return ERR_PTR(error);
 293        return inode->i_security;
 294}
 295
 296/*
 297 * Get the security label of an inode.
 298 */
 299static struct inode_security_struct *inode_security(struct inode *inode)
 300{
 301        __inode_security_revalidate(inode, NULL, true);
 302        return inode->i_security;
 303}
 304
 305static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
 306{
 307        struct inode *inode = d_backing_inode(dentry);
 308
 309        return inode->i_security;
 310}
 311
 312/*
 313 * Get the security label of a dentry's backing inode.
 314 */
 315static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
 316{
 317        struct inode *inode = d_backing_inode(dentry);
 318
 319        __inode_security_revalidate(inode, dentry, true);
 320        return inode->i_security;
 321}
 322
 323static void inode_free_rcu(struct rcu_head *head)
 324{
 325        struct inode_security_struct *isec;
 326
 327        isec = container_of(head, struct inode_security_struct, rcu);
 328        kmem_cache_free(sel_inode_cache, isec);
 329}
 330
 331static void inode_free_security(struct inode *inode)
 332{
 333        struct inode_security_struct *isec = inode->i_security;
 334        struct superblock_security_struct *sbsec = inode->i_sb->s_security;
 335
 336        /*
 337         * As not all inode security structures are in a list, we check for
 338         * empty list outside of the lock to make sure that we won't waste
 339         * time taking a lock doing nothing.
 340         *
 341         * The list_del_init() function can be safely called more than once.
 342         * It should not be possible for this function to be called with
 343         * concurrent list_add(), but for better safety against future changes
 344         * in the code, we use list_empty_careful() here.
 345         */
 346        if (!list_empty_careful(&isec->list)) {
 347                spin_lock(&sbsec->isec_lock);
 348                list_del_init(&isec->list);
 349                spin_unlock(&sbsec->isec_lock);
 350        }
 351
 352        /*
 353         * The inode may still be referenced in a path walk and
 354         * a call to selinux_inode_permission() can be made
 355         * after inode_free_security() is called. Ideally, the VFS
 356         * wouldn't do this, but fixing that is a much harder
 357         * job. For now, simply free the i_security via RCU, and
 358         * leave the current inode->i_security pointer intact.
 359         * The inode will be freed after the RCU grace period too.
 360         */
 361        call_rcu(&isec->rcu, inode_free_rcu);
 362}
 363
 364static int file_alloc_security(struct file *file)
 365{
 366        struct file_security_struct *fsec;
 367        u32 sid = current_sid();
 368
 369        fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
 370        if (!fsec)
 371                return -ENOMEM;
 372
 373        fsec->sid = sid;
 374        fsec->fown_sid = sid;
 375        file->f_security = fsec;
 376
 377        return 0;
 378}
 379
 380static void file_free_security(struct file *file)
 381{
 382        struct file_security_struct *fsec = file->f_security;
 383        file->f_security = NULL;
 384        kmem_cache_free(file_security_cache, fsec);
 385}
 386
 387static int superblock_alloc_security(struct super_block *sb)
 388{
 389        struct superblock_security_struct *sbsec;
 390
 391        sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
 392        if (!sbsec)
 393                return -ENOMEM;
 394
 395        mutex_init(&sbsec->lock);
 396        INIT_LIST_HEAD(&sbsec->isec_head);
 397        spin_lock_init(&sbsec->isec_lock);
 398        sbsec->sb = sb;
 399        sbsec->sid = SECINITSID_UNLABELED;
 400        sbsec->def_sid = SECINITSID_FILE;
 401        sbsec->mntpoint_sid = SECINITSID_UNLABELED;
 402        sb->s_security = sbsec;
 403
 404        return 0;
 405}
 406
 407static void superblock_free_security(struct super_block *sb)
 408{
 409        struct superblock_security_struct *sbsec = sb->s_security;
 410        sb->s_security = NULL;
 411        kfree(sbsec);
 412}
 413
 414static inline int inode_doinit(struct inode *inode)
 415{
 416        return inode_doinit_with_dentry(inode, NULL);
 417}
 418
 419enum {
 420        Opt_error = -1,
 421        Opt_context = 1,
 422        Opt_fscontext = 2,
 423        Opt_defcontext = 3,
 424        Opt_rootcontext = 4,
 425        Opt_labelsupport = 5,
 426        Opt_nextmntopt = 6,
 427};
 428
 429#define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)
 430
 431static const match_table_t tokens = {
 432        {Opt_context, CONTEXT_STR "%s"},
 433        {Opt_fscontext, FSCONTEXT_STR "%s"},
 434        {Opt_defcontext, DEFCONTEXT_STR "%s"},
 435        {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
 436        {Opt_labelsupport, LABELSUPP_STR},
 437        {Opt_error, NULL},
 438};
 439
 440#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 441
 442static int may_context_mount_sb_relabel(u32 sid,
 443                        struct superblock_security_struct *sbsec,
 444                        const struct cred *cred)
 445{
 446        const struct task_security_struct *tsec = cred->security;
 447        int rc;
 448
 449        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 450                          FILESYSTEM__RELABELFROM, NULL);
 451        if (rc)
 452                return rc;
 453
 454        rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
 455                          FILESYSTEM__RELABELTO, NULL);
 456        return rc;
 457}
 458
 459static int may_context_mount_inode_relabel(u32 sid,
 460                        struct superblock_security_struct *sbsec,
 461                        const struct cred *cred)
 462{
 463        const struct task_security_struct *tsec = cred->security;
 464        int rc;
 465        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
 466                          FILESYSTEM__RELABELFROM, NULL);
 467        if (rc)
 468                return rc;
 469
 470        rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
 471                          FILESYSTEM__ASSOCIATE, NULL);
 472        return rc;
 473}
 474
 475static int selinux_is_sblabel_mnt(struct super_block *sb)
 476{
 477        struct superblock_security_struct *sbsec = sb->s_security;
 478
 479        return sbsec->behavior == SECURITY_FS_USE_XATTR ||
 480                sbsec->behavior == SECURITY_FS_USE_TRANS ||
 481                sbsec->behavior == SECURITY_FS_USE_TASK ||
 482                sbsec->behavior == SECURITY_FS_USE_NATIVE ||
 483                /* Special handling. Genfs but also in-core setxattr handler */
 484                !strcmp(sb->s_type->name, "sysfs") ||
 485                !strcmp(sb->s_type->name, "pstore") ||
 486                !strcmp(sb->s_type->name, "debugfs") ||
 487                !strcmp(sb->s_type->name, "tracefs") ||
 488                !strcmp(sb->s_type->name, "rootfs") ||
 489                (selinux_policycap_cgroupseclabel &&
 490                 (!strcmp(sb->s_type->name, "cgroup") ||
 491                  !strcmp(sb->s_type->name, "cgroup2")));
 492}
 493
 494static int sb_finish_set_opts(struct super_block *sb)
 495{
 496        struct superblock_security_struct *sbsec = sb->s_security;
 497        struct dentry *root = sb->s_root;
 498        struct inode *root_inode = d_backing_inode(root);
 499        int rc = 0;
 500
 501        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 502                /* Make sure that the xattr handler exists and that no
 503                   error other than -ENODATA is returned by getxattr on
 504                   the root directory.  -ENODATA is ok, as this may be
 505                   the first boot of the SELinux kernel before we have
 506                   assigned xattr values to the filesystem. */
 507                if (!(root_inode->i_opflags & IOP_XATTR)) {
 508                        printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
 509                               "xattr support\n", sb->s_id, sb->s_type->name);
 510                        rc = -EOPNOTSUPP;
 511                        goto out;
 512                }
 513
 514                rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
 515                if (rc < 0 && rc != -ENODATA) {
 516                        if (rc == -EOPNOTSUPP)
 517                                printk(KERN_WARNING "SELinux: (dev %s, type "
 518                                       "%s) has no security xattr handler\n",
 519                                       sb->s_id, sb->s_type->name);
 520                        else
 521                                printk(KERN_WARNING "SELinux: (dev %s, type "
 522                                       "%s) getxattr errno %d\n", sb->s_id,
 523                                       sb->s_type->name, -rc);
 524                        goto out;
 525                }
 526        }
 527
 528        sbsec->flags |= SE_SBINITIALIZED;
 529
 530        /*
 531         * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
 532         * leave the flag untouched because sb_clone_mnt_opts might be handing
 533         * us a superblock that needs the flag to be cleared.
 534         */
 535        if (selinux_is_sblabel_mnt(sb))
 536                sbsec->flags |= SBLABEL_MNT;
 537        else
 538                sbsec->flags &= ~SBLABEL_MNT;
 539
 540        /* Initialize the root inode. */
 541        rc = inode_doinit_with_dentry(root_inode, root);
 542
 543        /* Initialize any other inodes associated with the superblock, e.g.
 544           inodes created prior to initial policy load or inodes created
 545           during get_sb by a pseudo filesystem that directly
 546           populates itself. */
 547        spin_lock(&sbsec->isec_lock);
 548next_inode:
 549        if (!list_empty(&sbsec->isec_head)) {
 550                struct inode_security_struct *isec =
 551                                list_entry(sbsec->isec_head.next,
 552                                           struct inode_security_struct, list);
 553                struct inode *inode = isec->inode;
 554                list_del_init(&isec->list);
 555                spin_unlock(&sbsec->isec_lock);
 556                inode = igrab(inode);
 557                if (inode) {
 558                        if (!IS_PRIVATE(inode))
 559                                inode_doinit(inode);
 560                        iput(inode);
 561                }
 562                spin_lock(&sbsec->isec_lock);
 563                goto next_inode;
 564        }
 565        spin_unlock(&sbsec->isec_lock);
 566out:
 567        return rc;
 568}
 569
 570/*
 571 * This function should allow an FS to ask what it's mount security
 572 * options were so it can use those later for submounts, displaying
 573 * mount options, or whatever.
 574 */
 575static int selinux_get_mnt_opts(const struct super_block *sb,
 576                                struct security_mnt_opts *opts)
 577{
 578        int rc = 0, i;
 579        struct superblock_security_struct *sbsec = sb->s_security;
 580        char *context = NULL;
 581        u32 len;
 582        char tmp;
 583
 584        security_init_mnt_opts(opts);
 585
 586        if (!(sbsec->flags & SE_SBINITIALIZED))
 587                return -EINVAL;
 588
 589        if (!ss_initialized)
 590                return -EINVAL;
 591
 592        /* make sure we always check enough bits to cover the mask */
 593        BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
 594
 595        tmp = sbsec->flags & SE_MNTMASK;
 596        /* count the number of mount options for this sb */
 597        for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
 598                if (tmp & 0x01)
 599                        opts->num_mnt_opts++;
 600                tmp >>= 1;
 601        }
 602        /* Check if the Label support flag is set */
 603        if (sbsec->flags & SBLABEL_MNT)
 604                opts->num_mnt_opts++;
 605
 606        opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
 607        if (!opts->mnt_opts) {
 608                rc = -ENOMEM;
 609                goto out_free;
 610        }
 611
 612        opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
 613        if (!opts->mnt_opts_flags) {
 614                rc = -ENOMEM;
 615                goto out_free;
 616        }
 617
 618        i = 0;
 619        if (sbsec->flags & FSCONTEXT_MNT) {
 620                rc = security_sid_to_context(sbsec->sid, &context, &len);
 621                if (rc)
 622                        goto out_free;
 623                opts->mnt_opts[i] = context;
 624                opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
 625        }
 626        if (sbsec->flags & CONTEXT_MNT) {
 627                rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
 628                if (rc)
 629                        goto out_free;
 630                opts->mnt_opts[i] = context;
 631                opts->mnt_opts_flags[i++] = CONTEXT_MNT;
 632        }
 633        if (sbsec->flags & DEFCONTEXT_MNT) {
 634                rc = security_sid_to_context(sbsec->def_sid, &context, &len);
 635                if (rc)
 636                        goto out_free;
 637                opts->mnt_opts[i] = context;
 638                opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
 639        }
 640        if (sbsec->flags & ROOTCONTEXT_MNT) {
 641                struct dentry *root = sbsec->sb->s_root;
 642                struct inode_security_struct *isec = backing_inode_security(root);
 643
 644                rc = security_sid_to_context(isec->sid, &context, &len);
 645                if (rc)
 646                        goto out_free;
 647                opts->mnt_opts[i] = context;
 648                opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
 649        }
 650        if (sbsec->flags & SBLABEL_MNT) {
 651                opts->mnt_opts[i] = NULL;
 652                opts->mnt_opts_flags[i++] = SBLABEL_MNT;
 653        }
 654
 655        BUG_ON(i != opts->num_mnt_opts);
 656
 657        return 0;
 658
 659out_free:
 660        security_free_mnt_opts(opts);
 661        return rc;
 662}
 663
 664static int bad_option(struct superblock_security_struct *sbsec, char flag,
 665                      u32 old_sid, u32 new_sid)
 666{
 667        char mnt_flags = sbsec->flags & SE_MNTMASK;
 668
 669        /* check if the old mount command had the same options */
 670        if (sbsec->flags & SE_SBINITIALIZED)
 671                if (!(sbsec->flags & flag) ||
 672                    (old_sid != new_sid))
 673                        return 1;
 674
 675        /* check if we were passed the same options twice,
 676         * aka someone passed context=a,context=b
 677         */
 678        if (!(sbsec->flags & SE_SBINITIALIZED))
 679                if (mnt_flags & flag)
 680                        return 1;
 681        return 0;
 682}
 683
 684/*
 685 * Allow filesystems with binary mount data to explicitly set mount point
 686 * labeling information.
 687 */
 688static int selinux_set_mnt_opts(struct super_block *sb,
 689                                struct security_mnt_opts *opts,
 690                                unsigned long kern_flags,
 691                                unsigned long *set_kern_flags)
 692{
 693        const struct cred *cred = current_cred();
 694        int rc = 0, i;
 695        struct superblock_security_struct *sbsec = sb->s_security;
 696        const char *name = sb->s_type->name;
 697        struct dentry *root = sbsec->sb->s_root;
 698        struct inode_security_struct *root_isec;
 699        u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 700        u32 defcontext_sid = 0;
 701        char **mount_options = opts->mnt_opts;
 702        int *flags = opts->mnt_opts_flags;
 703        int num_opts = opts->num_mnt_opts;
 704
 705        mutex_lock(&sbsec->lock);
 706
 707        if (!ss_initialized) {
 708                if (!num_opts) {
 709                        /* Defer initialization until selinux_complete_init,
 710                           after the initial policy is loaded and the security
 711                           server is ready to handle calls. */
 712                        goto out;
 713                }
 714                rc = -EINVAL;
 715                printk(KERN_WARNING "SELinux: Unable to set superblock options "
 716                        "before the security server is initialized\n");
 717                goto out;
 718        }
 719        if (kern_flags && !set_kern_flags) {
 720                /* Specifying internal flags without providing a place to
 721                 * place the results is not allowed */
 722                rc = -EINVAL;
 723                goto out;
 724        }
 725
 726        /*
 727         * Binary mount data FS will come through this function twice.  Once
 728         * from an explicit call and once from the generic calls from the vfs.
 729         * Since the generic VFS calls will not contain any security mount data
 730         * we need to skip the double mount verification.
 731         *
 732         * This does open a hole in which we will not notice if the first
 733         * mount using this sb set explict options and a second mount using
 734         * this sb does not set any security options.  (The first options
 735         * will be used for both mounts)
 736         */
 737        if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 738            && (num_opts == 0))
 739                goto out;
 740
 741        root_isec = backing_inode_security_novalidate(root);
 742
 743        /*
 744         * parse the mount options, check if they are valid sids.
 745         * also check if someone is trying to mount the same sb more
 746         * than once with different security options.
 747         */
 748        for (i = 0; i < num_opts; i++) {
 749                u32 sid;
 750
 751                if (flags[i] == SBLABEL_MNT)
 752                        continue;
 753                rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
 754                if (rc) {
 755                        printk(KERN_WARNING "SELinux: security_context_str_to_sid"
 756                               "(%s) failed for (dev %s, type %s) errno=%d\n",
 757                               mount_options[i], sb->s_id, name, rc);
 758                        goto out;
 759                }
 760                switch (flags[i]) {
 761                case FSCONTEXT_MNT:
 762                        fscontext_sid = sid;
 763
 764                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 765                                        fscontext_sid))
 766                                goto out_double_mount;
 767
 768                        sbsec->flags |= FSCONTEXT_MNT;
 769                        break;
 770                case CONTEXT_MNT:
 771                        context_sid = sid;
 772
 773                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 774                                        context_sid))
 775                                goto out_double_mount;
 776
 777                        sbsec->flags |= CONTEXT_MNT;
 778                        break;
 779                case ROOTCONTEXT_MNT:
 780                        rootcontext_sid = sid;
 781
 782                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 783                                        rootcontext_sid))
 784                                goto out_double_mount;
 785
 786                        sbsec->flags |= ROOTCONTEXT_MNT;
 787
 788                        break;
 789                case DEFCONTEXT_MNT:
 790                        defcontext_sid = sid;
 791
 792                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 793                                        defcontext_sid))
 794                                goto out_double_mount;
 795
 796                        sbsec->flags |= DEFCONTEXT_MNT;
 797
 798                        break;
 799                default:
 800                        rc = -EINVAL;
 801                        goto out;
 802                }
 803        }
 804
 805        if (sbsec->flags & SE_SBINITIALIZED) {
 806                /* previously mounted with options, but not on this attempt? */
 807                if ((sbsec->flags & SE_MNTMASK) && !num_opts)
 808                        goto out_double_mount;
 809                rc = 0;
 810                goto out;
 811        }
 812
 813        if (strcmp(sb->s_type->name, "proc") == 0)
 814                sbsec->flags |= SE_SBPROC | SE_SBGENFS;
 815
 816        if (!strcmp(sb->s_type->name, "debugfs") ||
 817            !strcmp(sb->s_type->name, "tracefs") ||
 818            !strcmp(sb->s_type->name, "sysfs") ||
 819            !strcmp(sb->s_type->name, "pstore") ||
 820            !strcmp(sb->s_type->name, "cgroup") ||
 821            !strcmp(sb->s_type->name, "cgroup2"))
 822                sbsec->flags |= SE_SBGENFS;
 823
 824        if (!sbsec->behavior) {
 825                /*
 826                 * Determine the labeling behavior to use for this
 827                 * filesystem type.
 828                 */
 829                rc = security_fs_use(sb);
 830                if (rc) {
 831                        printk(KERN_WARNING
 832                                "%s: security_fs_use(%s) returned %d\n",
 833                                        __func__, sb->s_type->name, rc);
 834                        goto out;
 835                }
 836        }
 837
 838        /*
 839         * If this is a user namespace mount and the filesystem type is not
 840         * explicitly whitelisted, then no contexts are allowed on the command
 841         * line and security labels must be ignored.
 842         */
 843        if (sb->s_user_ns != &init_user_ns &&
 844            strcmp(sb->s_type->name, "tmpfs") &&
 845            strcmp(sb->s_type->name, "ramfs") &&
 846            strcmp(sb->s_type->name, "devpts")) {
 847                if (context_sid || fscontext_sid || rootcontext_sid ||
 848                    defcontext_sid) {
 849                        rc = -EACCES;
 850                        goto out;
 851                }
 852                if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 853                        sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 854                        rc = security_transition_sid(current_sid(), current_sid(),
 855                                                     SECCLASS_FILE, NULL,
 856                                                     &sbsec->mntpoint_sid);
 857                        if (rc)
 858                                goto out;
 859                }
 860                goto out_set_opts;
 861        }
 862
 863        /* sets the context of the superblock for the fs being mounted. */
 864        if (fscontext_sid) {
 865                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
 866                if (rc)
 867                        goto out;
 868
 869                sbsec->sid = fscontext_sid;
 870        }
 871
 872        /*
 873         * Switch to using mount point labeling behavior.
 874         * sets the label used on all file below the mountpoint, and will set
 875         * the superblock context if not already set.
 876         */
 877        if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
 878                sbsec->behavior = SECURITY_FS_USE_NATIVE;
 879                *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
 880        }
 881
 882        if (context_sid) {
 883                if (!fscontext_sid) {
 884                        rc = may_context_mount_sb_relabel(context_sid, sbsec,
 885                                                          cred);
 886                        if (rc)
 887                                goto out;
 888                        sbsec->sid = context_sid;
 889                } else {
 890                        rc = may_context_mount_inode_relabel(context_sid, sbsec,
 891                                                             cred);
 892                        if (rc)
 893                                goto out;
 894                }
 895                if (!rootcontext_sid)
 896                        rootcontext_sid = context_sid;
 897
 898                sbsec->mntpoint_sid = context_sid;
 899                sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 900        }
 901
 902        if (rootcontext_sid) {
 903                rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
 904                                                     cred);
 905                if (rc)
 906                        goto out;
 907
 908                root_isec->sid = rootcontext_sid;
 909                root_isec->initialized = LABEL_INITIALIZED;
 910        }
 911
 912        if (defcontext_sid) {
 913                if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
 914                        sbsec->behavior != SECURITY_FS_USE_NATIVE) {
 915                        rc = -EINVAL;
 916                        printk(KERN_WARNING "SELinux: defcontext option is "
 917                               "invalid for this filesystem type\n");
 918                        goto out;
 919                }
 920
 921                if (defcontext_sid != sbsec->def_sid) {
 922                        rc = may_context_mount_inode_relabel(defcontext_sid,
 923                                                             sbsec, cred);
 924                        if (rc)
 925                                goto out;
 926                }
 927
 928                sbsec->def_sid = defcontext_sid;
 929        }
 930
 931out_set_opts:
 932        rc = sb_finish_set_opts(sb);
 933out:
 934        mutex_unlock(&sbsec->lock);
 935        return rc;
 936out_double_mount:
 937        rc = -EINVAL;
 938        printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
 939               "security settings for (dev %s, type %s)\n", sb->s_id, name);
 940        goto out;
 941}
 942
 943static int selinux_cmp_sb_context(const struct super_block *oldsb,
 944                                    const struct super_block *newsb)
 945{
 946        struct superblock_security_struct *old = oldsb->s_security;
 947        struct superblock_security_struct *new = newsb->s_security;
 948        char oldflags = old->flags & SE_MNTMASK;
 949        char newflags = new->flags & SE_MNTMASK;
 950
 951        if (oldflags != newflags)
 952                goto mismatch;
 953        if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
 954                goto mismatch;
 955        if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
 956                goto mismatch;
 957        if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
 958                goto mismatch;
 959        if (oldflags & ROOTCONTEXT_MNT) {
 960                struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
 961                struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
 962                if (oldroot->sid != newroot->sid)
 963                        goto mismatch;
 964        }
 965        return 0;
 966mismatch:
 967        printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
 968                            "different security settings for (dev %s, "
 969                            "type %s)\n", newsb->s_id, newsb->s_type->name);
 970        return -EBUSY;
 971}
 972
 973static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 974                                        struct super_block *newsb,
 975                                        unsigned long kern_flags,
 976                                        unsigned long *set_kern_flags)
 977{
 978        int rc = 0;
 979        const struct superblock_security_struct *oldsbsec = oldsb->s_security;
 980        struct superblock_security_struct *newsbsec = newsb->s_security;
 981
 982        int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
 983        int set_context =       (oldsbsec->flags & CONTEXT_MNT);
 984        int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
 985
 986        /*
 987         * if the parent was able to be mounted it clearly had no special lsm
 988         * mount options.  thus we can safely deal with this superblock later
 989         */
 990        if (!ss_initialized)
 991                return 0;
 992
 993        /*
 994         * Specifying internal flags without providing a place to
 995         * place the results is not allowed.
 996         */
 997        if (kern_flags && !set_kern_flags)
 998                return -EINVAL;
 999
1000        /* how can we clone if the old one wasn't set up?? */
1001        BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1002
1003        /* if fs is reusing a sb, make sure that the contexts match */
1004        if (newsbsec->flags & SE_SBINITIALIZED)
1005                return selinux_cmp_sb_context(oldsb, newsb);
1006
1007        mutex_lock(&newsbsec->lock);
1008
1009        newsbsec->flags = oldsbsec->flags;
1010
1011        newsbsec->sid = oldsbsec->sid;
1012        newsbsec->def_sid = oldsbsec->def_sid;
1013        newsbsec->behavior = oldsbsec->behavior;
1014
1015        if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016                !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017                rc = security_fs_use(newsb);
1018                if (rc)
1019                        goto out;
1020        }
1021
1022        if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1023                newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1024                *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1025        }
1026
1027        if (set_context) {
1028                u32 sid = oldsbsec->mntpoint_sid;
1029
1030                if (!set_fscontext)
1031                        newsbsec->sid = sid;
1032                if (!set_rootcontext) {
1033                        struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1034                        newisec->sid = sid;
1035                }
1036                newsbsec->mntpoint_sid = sid;
1037        }
1038        if (set_rootcontext) {
1039                const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1040                struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1041
1042                newisec->sid = oldisec->sid;
1043        }
1044
1045        sb_finish_set_opts(newsb);
1046out:
1047        mutex_unlock(&newsbsec->lock);
1048        return rc;
1049}
1050
1051static int selinux_parse_opts_str(char *options,
1052                                  struct security_mnt_opts *opts)
1053{
1054        char *p;
1055        char *context = NULL, *defcontext = NULL;
1056        char *fscontext = NULL, *rootcontext = NULL;
1057        int rc, num_mnt_opts = 0;
1058
1059        opts->num_mnt_opts = 0;
1060
1061        /* Standard string-based options. */
1062        while ((p = strsep(&options, "|")) != NULL) {
1063                int token;
1064                substring_t args[MAX_OPT_ARGS];
1065
1066                if (!*p)
1067                        continue;
1068
1069                token = match_token(p, tokens, args);
1070
1071                switch (token) {
1072                case Opt_context:
1073                        if (context || defcontext) {
1074                                rc = -EINVAL;
1075                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1076                                goto out_err;
1077                        }
1078                        context = match_strdup(&args[0]);
1079                        if (!context) {
1080                                rc = -ENOMEM;
1081                                goto out_err;
1082                        }
1083                        break;
1084
1085                case Opt_fscontext:
1086                        if (fscontext) {
1087                                rc = -EINVAL;
1088                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1089                                goto out_err;
1090                        }
1091                        fscontext = match_strdup(&args[0]);
1092                        if (!fscontext) {
1093                                rc = -ENOMEM;
1094                                goto out_err;
1095                        }
1096                        break;
1097
1098                case Opt_rootcontext:
1099                        if (rootcontext) {
1100                                rc = -EINVAL;
1101                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1102                                goto out_err;
1103                        }
1104                        rootcontext = match_strdup(&args[0]);
1105                        if (!rootcontext) {
1106                                rc = -ENOMEM;
1107                                goto out_err;
1108                        }
1109                        break;
1110
1111                case Opt_defcontext:
1112                        if (context || defcontext) {
1113                                rc = -EINVAL;
1114                                printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1115                                goto out_err;
1116                        }
1117                        defcontext = match_strdup(&args[0]);
1118                        if (!defcontext) {
1119                                rc = -ENOMEM;
1120                                goto out_err;
1121                        }
1122                        break;
1123                case Opt_labelsupport:
1124                        break;
1125                default:
1126                        rc = -EINVAL;
1127                        printk(KERN_WARNING "SELinux:  unknown mount option\n");
1128                        goto out_err;
1129
1130                }
1131        }
1132
1133        rc = -ENOMEM;
1134        opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1135        if (!opts->mnt_opts)
1136                goto out_err;
1137
1138        opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1139                                       GFP_KERNEL);
1140        if (!opts->mnt_opts_flags)
1141                goto out_err;
1142
1143        if (fscontext) {
1144                opts->mnt_opts[num_mnt_opts] = fscontext;
1145                opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1146        }
1147        if (context) {
1148                opts->mnt_opts[num_mnt_opts] = context;
1149                opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1150        }
1151        if (rootcontext) {
1152                opts->mnt_opts[num_mnt_opts] = rootcontext;
1153                opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1154        }
1155        if (defcontext) {
1156                opts->mnt_opts[num_mnt_opts] = defcontext;
1157                opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1158        }
1159
1160        opts->num_mnt_opts = num_mnt_opts;
1161        return 0;
1162
1163out_err:
1164        security_free_mnt_opts(opts);
1165        kfree(context);
1166        kfree(defcontext);
1167        kfree(fscontext);
1168        kfree(rootcontext);
1169        return rc;
1170}
1171/*
1172 * string mount options parsing and call set the sbsec
1173 */
1174static int superblock_doinit(struct super_block *sb, void *data)
1175{
1176        int rc = 0;
1177        char *options = data;
1178        struct security_mnt_opts opts;
1179
1180        security_init_mnt_opts(&opts);
1181
1182        if (!data)
1183                goto out;
1184
1185        BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1186
1187        rc = selinux_parse_opts_str(options, &opts);
1188        if (rc)
1189                goto out_err;
1190
1191out:
1192        rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1193
1194out_err:
1195        security_free_mnt_opts(&opts);
1196        return rc;
1197}
1198
1199static void selinux_write_opts(struct seq_file *m,
1200                               struct security_mnt_opts *opts)
1201{
1202        int i;
1203        char *prefix;
1204
1205        for (i = 0; i < opts->num_mnt_opts; i++) {
1206                char *has_comma;
1207
1208                if (opts->mnt_opts[i])
1209                        has_comma = strchr(opts->mnt_opts[i], ',');
1210                else
1211                        has_comma = NULL;
1212
1213                switch (opts->mnt_opts_flags[i]) {
1214                case CONTEXT_MNT:
1215                        prefix = CONTEXT_STR;
1216                        break;
1217                case FSCONTEXT_MNT:
1218                        prefix = FSCONTEXT_STR;
1219                        break;
1220                case ROOTCONTEXT_MNT:
1221                        prefix = ROOTCONTEXT_STR;
1222                        break;
1223                case DEFCONTEXT_MNT:
1224                        prefix = DEFCONTEXT_STR;
1225                        break;
1226                case SBLABEL_MNT:
1227                        seq_putc(m, ',');
1228                        seq_puts(m, LABELSUPP_STR);
1229                        continue;
1230                default:
1231                        BUG();
1232                        return;
1233                };
1234                /* we need a comma before each option */
1235                seq_putc(m, ',');
1236                seq_puts(m, prefix);
1237                if (has_comma)
1238                        seq_putc(m, '\"');
1239                seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1240                if (has_comma)
1241                        seq_putc(m, '\"');
1242        }
1243}
1244
1245static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1246{
1247        struct security_mnt_opts opts;
1248        int rc;
1249
1250        rc = selinux_get_mnt_opts(sb, &opts);
1251        if (rc) {
1252                /* before policy load we may get EINVAL, don't show anything */
1253                if (rc == -EINVAL)
1254                        rc = 0;
1255                return rc;
1256        }
1257
1258        selinux_write_opts(m, &opts);
1259
1260        security_free_mnt_opts(&opts);
1261
1262        return rc;
1263}
1264
1265static inline u16 inode_mode_to_security_class(umode_t mode)
1266{
1267        switch (mode & S_IFMT) {
1268        case S_IFSOCK:
1269                return SECCLASS_SOCK_FILE;
1270        case S_IFLNK:
1271                return SECCLASS_LNK_FILE;
1272        case S_IFREG:
1273                return SECCLASS_FILE;
1274        case S_IFBLK:
1275                return SECCLASS_BLK_FILE;
1276        case S_IFDIR:
1277                return SECCLASS_DIR;
1278        case S_IFCHR:
1279                return SECCLASS_CHR_FILE;
1280        case S_IFIFO:
1281                return SECCLASS_FIFO_FILE;
1282
1283        }
1284
1285        return SECCLASS_FILE;
1286}
1287
1288static inline int default_protocol_stream(int protocol)
1289{
1290        return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1291}
1292
1293static inline int default_protocol_dgram(int protocol)
1294{
1295        return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1296}
1297
1298static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299{
1300        int extsockclass = selinux_policycap_extsockclass;
1301
1302        switch (family) {
1303        case PF_UNIX:
1304                switch (type) {
1305                case SOCK_STREAM:
1306                case SOCK_SEQPACKET:
1307                        return SECCLASS_UNIX_STREAM_SOCKET;
1308                case SOCK_DGRAM:
1309                case SOCK_RAW:
1310                        return SECCLASS_UNIX_DGRAM_SOCKET;
1311                }
1312                break;
1313        case PF_INET:
1314        case PF_INET6:
1315                switch (type) {
1316                case SOCK_STREAM:
1317                case SOCK_SEQPACKET:
1318                        if (default_protocol_stream(protocol))
1319                                return SECCLASS_TCP_SOCKET;
1320                        else if (extsockclass && protocol == IPPROTO_SCTP)
1321                                return SECCLASS_SCTP_SOCKET;
1322                        else
1323                                return SECCLASS_RAWIP_SOCKET;
1324                case SOCK_DGRAM:
1325                        if (default_protocol_dgram(protocol))
1326                                return SECCLASS_UDP_SOCKET;
1327                        else if (extsockclass && (protocol == IPPROTO_ICMP ||
1328                                                  protocol == IPPROTO_ICMPV6))
1329                                return SECCLASS_ICMP_SOCKET;
1330                        else
1331                                return SECCLASS_RAWIP_SOCKET;
1332                case SOCK_DCCP:
1333                        return SECCLASS_DCCP_SOCKET;
1334                default:
1335                        return SECCLASS_RAWIP_SOCKET;
1336                }
1337                break;
1338        case PF_NETLINK:
1339                switch (protocol) {
1340                case NETLINK_ROUTE:
1341                        return SECCLASS_NETLINK_ROUTE_SOCKET;
1342                case NETLINK_SOCK_DIAG:
1343                        return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1344                case NETLINK_NFLOG:
1345                        return SECCLASS_NETLINK_NFLOG_SOCKET;
1346                case NETLINK_XFRM:
1347                        return SECCLASS_NETLINK_XFRM_SOCKET;
1348                case NETLINK_SELINUX:
1349                        return SECCLASS_NETLINK_SELINUX_SOCKET;
1350                case NETLINK_ISCSI:
1351                        return SECCLASS_NETLINK_ISCSI_SOCKET;
1352                case NETLINK_AUDIT:
1353                        return SECCLASS_NETLINK_AUDIT_SOCKET;
1354                case NETLINK_FIB_LOOKUP:
1355                        return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1356                case NETLINK_CONNECTOR:
1357                        return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1358                case NETLINK_NETFILTER:
1359                        return SECCLASS_NETLINK_NETFILTER_SOCKET;
1360                case NETLINK_DNRTMSG:
1361                        return SECCLASS_NETLINK_DNRT_SOCKET;
1362                case NETLINK_KOBJECT_UEVENT:
1363                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1364                case NETLINK_GENERIC:
1365                        return SECCLASS_NETLINK_GENERIC_SOCKET;
1366                case NETLINK_SCSITRANSPORT:
1367                        return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1368                case NETLINK_RDMA:
1369                        return SECCLASS_NETLINK_RDMA_SOCKET;
1370                case NETLINK_CRYPTO:
1371                        return SECCLASS_NETLINK_CRYPTO_SOCKET;
1372                default:
1373                        return SECCLASS_NETLINK_SOCKET;
1374                }
1375        case PF_PACKET:
1376                return SECCLASS_PACKET_SOCKET;
1377        case PF_KEY:
1378                return SECCLASS_KEY_SOCKET;
1379        case PF_APPLETALK:
1380                return SECCLASS_APPLETALK_SOCKET;
1381        }
1382
1383        if (extsockclass) {
1384                switch (family) {
1385                case PF_AX25:
1386                        return SECCLASS_AX25_SOCKET;
1387                case PF_IPX:
1388                        return SECCLASS_IPX_SOCKET;
1389                case PF_NETROM:
1390                        return SECCLASS_NETROM_SOCKET;
1391                case PF_ATMPVC:
1392                        return SECCLASS_ATMPVC_SOCKET;
1393                case PF_X25:
1394                        return SECCLASS_X25_SOCKET;
1395                case PF_ROSE:
1396                        return SECCLASS_ROSE_SOCKET;
1397                case PF_DECnet:
1398                        return SECCLASS_DECNET_SOCKET;
1399                case PF_ATMSVC:
1400                        return SECCLASS_ATMSVC_SOCKET;
1401                case PF_RDS:
1402                        return SECCLASS_RDS_SOCKET;
1403                case PF_IRDA:
1404                        return SECCLASS_IRDA_SOCKET;
1405                case PF_PPPOX:
1406                        return SECCLASS_PPPOX_SOCKET;
1407                case PF_LLC:
1408                        return SECCLASS_LLC_SOCKET;
1409                case PF_CAN:
1410                        return SECCLASS_CAN_SOCKET;
1411                case PF_TIPC:
1412                        return SECCLASS_TIPC_SOCKET;
1413                case PF_BLUETOOTH:
1414                        return SECCLASS_BLUETOOTH_SOCKET;
1415                case PF_IUCV:
1416                        return SECCLASS_IUCV_SOCKET;
1417                case PF_RXRPC:
1418                        return SECCLASS_RXRPC_SOCKET;
1419                case PF_ISDN:
1420                        return SECCLASS_ISDN_SOCKET;
1421                case PF_PHONET:
1422                        return SECCLASS_PHONET_SOCKET;
1423                case PF_IEEE802154:
1424                        return SECCLASS_IEEE802154_SOCKET;
1425                case PF_CAIF:
1426                        return SECCLASS_CAIF_SOCKET;
1427                case PF_ALG:
1428                        return SECCLASS_ALG_SOCKET;
1429                case PF_NFC:
1430                        return SECCLASS_NFC_SOCKET;
1431                case PF_VSOCK:
1432                        return SECCLASS_VSOCK_SOCKET;
1433                case PF_KCM:
1434                        return SECCLASS_KCM_SOCKET;
1435                case PF_QIPCRTR:
1436                        return SECCLASS_QIPCRTR_SOCKET;
1437                case PF_SMC:
1438                        return SECCLASS_SMC_SOCKET;
1439#if PF_MAX > 44
1440#error New address family defined, please update this function.
1441#endif
1442                }
1443        }
1444
1445        return SECCLASS_SOCKET;
1446}
1447
1448static int selinux_genfs_get_sid(struct dentry *dentry,
1449                                 u16 tclass,
1450                                 u16 flags,
1451                                 u32 *sid)
1452{
1453        int rc;
1454        struct super_block *sb = dentry->d_sb;
1455        char *buffer, *path;
1456
1457        buffer = (char *)__get_free_page(GFP_KERNEL);
1458        if (!buffer)
1459                return -ENOMEM;
1460
1461        path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1462        if (IS_ERR(path))
1463                rc = PTR_ERR(path);
1464        else {
1465                if (flags & SE_SBPROC) {
1466                        /* each process gets a /proc/PID/ entry. Strip off the
1467                         * PID part to get a valid selinux labeling.
1468                         * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1469                        while (path[1] >= '0' && path[1] <= '9') {
1470                                path[1] = '/';
1471                                path++;
1472                        }
1473                }
1474                rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1475        }
1476        free_page((unsigned long)buffer);
1477        return rc;
1478}
1479
1480/* The inode's security attributes must be initialized before first use. */
1481static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1482{
1483        struct superblock_security_struct *sbsec = NULL;
1484        struct inode_security_struct *isec = inode->i_security;
1485        u32 task_sid, sid = 0;
1486        u16 sclass;
1487        struct dentry *dentry;
1488#define INITCONTEXTLEN 255
1489        char *context = NULL;
1490        unsigned len = 0;
1491        int rc = 0;
1492
1493        if (isec->initialized == LABEL_INITIALIZED)
1494                return 0;
1495
1496        spin_lock(&isec->lock);
1497        if (isec->initialized == LABEL_INITIALIZED)
1498                goto out_unlock;
1499
1500        if (isec->sclass == SECCLASS_FILE)
1501                isec->sclass = inode_mode_to_security_class(inode->i_mode);
1502
1503        sbsec = inode->i_sb->s_security;
1504        if (!(sbsec->flags & SE_SBINITIALIZED)) {
1505                /* Defer initialization until selinux_complete_init,
1506                   after the initial policy is loaded and the security
1507                   server is ready to handle calls. */
1508                spin_lock(&sbsec->isec_lock);
1509                if (list_empty(&isec->list))
1510                        list_add(&isec->list, &sbsec->isec_head);
1511                spin_unlock(&sbsec->isec_lock);
1512                goto out_unlock;
1513        }
1514
1515        sclass = isec->sclass;
1516        task_sid = isec->task_sid;
1517        sid = isec->sid;
1518        isec->initialized = LABEL_PENDING;
1519        spin_unlock(&isec->lock);
1520
1521        switch (sbsec->behavior) {
1522        case SECURITY_FS_USE_NATIVE:
1523                break;
1524        case SECURITY_FS_USE_XATTR:
1525                if (!(inode->i_opflags & IOP_XATTR)) {
1526                        sid = sbsec->def_sid;
1527                        break;
1528                }
1529                /* Need a dentry, since the xattr API requires one.
1530                   Life would be simpler if we could just pass the inode. */
1531                if (opt_dentry) {
1532                        /* Called from d_instantiate or d_splice_alias. */
1533                        dentry = dget(opt_dentry);
1534                } else {
1535                        /* Called from selinux_complete_init, try to find a dentry. */
1536                        dentry = d_find_alias(inode);
1537                }
1538                if (!dentry) {
1539                        /*
1540                         * this is can be hit on boot when a file is accessed
1541                         * before the policy is loaded.  When we load policy we
1542                         * may find inodes that have no dentry on the
1543                         * sbsec->isec_head list.  No reason to complain as these
1544                         * will get fixed up the next time we go through
1545                         * inode_doinit with a dentry, before these inodes could
1546                         * be used again by userspace.
1547                         */
1548                        goto out;
1549                }
1550
1551                len = INITCONTEXTLEN;
1552                context = kmalloc(len+1, GFP_NOFS);
1553                if (!context) {
1554                        rc = -ENOMEM;
1555                        dput(dentry);
1556                        goto out;
1557                }
1558                context[len] = '\0';
1559                rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1560                if (rc == -ERANGE) {
1561                        kfree(context);
1562
1563                        /* Need a larger buffer.  Query for the right size. */
1564                        rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1565                        if (rc < 0) {
1566                                dput(dentry);
1567                                goto out;
1568                        }
1569                        len = rc;
1570                        context = kmalloc(len+1, GFP_NOFS);
1571                        if (!context) {
1572                                rc = -ENOMEM;
1573                                dput(dentry);
1574                                goto out;
1575                        }
1576                        context[len] = '\0';
1577                        rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1578                }
1579                dput(dentry);
1580                if (rc < 0) {
1581                        if (rc != -ENODATA) {
1582                                printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1583                                       "%d for dev=%s ino=%ld\n", __func__,
1584                                       -rc, inode->i_sb->s_id, inode->i_ino);
1585                                kfree(context);
1586                                goto out;
1587                        }
1588                        /* Map ENODATA to the default file SID */
1589                        sid = sbsec->def_sid;
1590                        rc = 0;
1591                } else {
1592                        rc = security_context_to_sid_default(context, rc, &sid,
1593                                                             sbsec->def_sid,
1594                                                             GFP_NOFS);
1595                        if (rc) {
1596                                char *dev = inode->i_sb->s_id;
1597                                unsigned long ino = inode->i_ino;
1598
1599                                if (rc == -EINVAL) {
1600                                        if (printk_ratelimit())
1601                                                printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1602                                                        "context=%s.  This indicates you may need to relabel the inode or the "
1603                                                        "filesystem in question.\n", ino, dev, context);
1604                                } else {
1605                                        printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1606                                               "returned %d for dev=%s ino=%ld\n",
1607                                               __func__, context, -rc, dev, ino);
1608                                }
1609                                kfree(context);
1610                                /* Leave with the unlabeled SID */
1611                                rc = 0;
1612                                break;
1613                        }
1614                }
1615                kfree(context);
1616                break;
1617        case SECURITY_FS_USE_TASK:
1618                sid = task_sid;
1619                break;
1620        case SECURITY_FS_USE_TRANS:
1621                /* Default to the fs SID. */
1622                sid = sbsec->sid;
1623
1624                /* Try to obtain a transition SID. */
1625                rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1626                if (rc)
1627                        goto out;
1628                break;
1629        case SECURITY_FS_USE_MNTPOINT:
1630                sid = sbsec->mntpoint_sid;
1631                break;
1632        default:
1633                /* Default to the fs superblock SID. */
1634                sid = sbsec->sid;
1635
1636                if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1637                        /* We must have a dentry to determine the label on
1638                         * procfs inodes */
1639                        if (opt_dentry)
1640                                /* Called from d_instantiate or
1641                                 * d_splice_alias. */
1642                                dentry = dget(opt_dentry);
1643                        else
1644                                /* Called from selinux_complete_init, try to
1645                                 * find a dentry. */
1646                                dentry = d_find_alias(inode);
1647                        /*
1648                         * This can be hit on boot when a file is accessed
1649                         * before the policy is loaded.  When we load policy we
1650                         * may find inodes that have no dentry on the
1651                         * sbsec->isec_head list.  No reason to complain as
1652                         * these will get fixed up the next time we go through
1653                         * inode_doinit() with a dentry, before these inodes
1654                         * could be used again by userspace.
1655                         */
1656                        if (!dentry)
1657                                goto out;
1658                        rc = selinux_genfs_get_sid(dentry, sclass,
1659                                                   sbsec->flags, &sid);
1660                        dput(dentry);
1661                        if (rc)
1662                                goto out;
1663                }
1664                break;
1665        }
1666
1667out:
1668        spin_lock(&isec->lock);
1669        if (isec->initialized == LABEL_PENDING) {
1670                if (!sid || rc) {
1671                        isec->initialized = LABEL_INVALID;
1672                        goto out_unlock;
1673                }
1674
1675                isec->initialized = LABEL_INITIALIZED;
1676                isec->sid = sid;
1677        }
1678
1679out_unlock:
1680        spin_unlock(&isec->lock);
1681        return rc;
1682}
1683
1684/* Convert a Linux signal to an access vector. */
1685static inline u32 signal_to_av(int sig)
1686{
1687        u32 perm = 0;
1688
1689        switch (sig) {
1690        case SIGCHLD:
1691                /* Commonly granted from child to parent. */
1692                perm = PROCESS__SIGCHLD;
1693                break;
1694        case SIGKILL:
1695                /* Cannot be caught or ignored */
1696                perm = PROCESS__SIGKILL;
1697                break;
1698        case SIGSTOP:
1699                /* Cannot be caught or ignored */
1700                perm = PROCESS__SIGSTOP;
1701                break;
1702        default:
1703                /* All other signals. */
1704                perm = PROCESS__SIGNAL;
1705                break;
1706        }
1707
1708        return perm;
1709}
1710
1711#if CAP_LAST_CAP > 63
1712#error Fix SELinux to handle capabilities > 63.
1713#endif
1714
1715/* Check whether a task is allowed to use a capability. */
1716static int cred_has_capability(const struct cred *cred,
1717                               int cap, int audit, bool initns)
1718{
1719        struct common_audit_data ad;
1720        struct av_decision avd;
1721        u16 sclass;
1722        u32 sid = cred_sid(cred);
1723        u32 av = CAP_TO_MASK(cap);
1724        int rc;
1725
1726        ad.type = LSM_AUDIT_DATA_CAP;
1727        ad.u.cap = cap;
1728
1729        switch (CAP_TO_INDEX(cap)) {
1730        case 0:
1731                sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1732                break;
1733        case 1:
1734                sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1735                break;
1736        default:
1737                printk(KERN_ERR
1738                       "SELinux:  out of range capability %d\n", cap);
1739                BUG();
1740                return -EINVAL;
1741        }
1742
1743        rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1744        if (audit == SECURITY_CAP_AUDIT) {
1745                int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1746                if (rc2)
1747                        return rc2;
1748        }
1749        return rc;
1750}
1751
1752/* Check whether a task has a particular permission to an inode.
1753   The 'adp' parameter is optional and allows other audit
1754   data to be passed (e.g. the dentry). */
1755static int inode_has_perm(const struct cred *cred,
1756                          struct inode *inode,
1757                          u32 perms,
1758                          struct common_audit_data *adp)
1759{
1760        struct inode_security_struct *isec;
1761        u32 sid;
1762
1763        validate_creds(cred);
1764
1765        if (unlikely(IS_PRIVATE(inode)))
1766                return 0;
1767
1768        sid = cred_sid(cred);
1769        isec = inode->i_security;
1770
1771        return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1772}
1773
1774/* Same as inode_has_perm, but pass explicit audit data containing
1775   the dentry to help the auditing code to more easily generate the
1776   pathname if needed. */
1777static inline int dentry_has_perm(const struct cred *cred,
1778                                  struct dentry *dentry,
1779                                  u32 av)
1780{
1781        struct inode *inode = d_backing_inode(dentry);
1782        struct common_audit_data ad;
1783
1784        ad.type = LSM_AUDIT_DATA_DENTRY;
1785        ad.u.dentry = dentry;
1786        __inode_security_revalidate(inode, dentry, true);
1787        return inode_has_perm(cred, inode, av, &ad);
1788}
1789
1790/* Same as inode_has_perm, but pass explicit audit data containing
1791   the path to help the auditing code to more easily generate the
1792   pathname if needed. */
1793static inline int path_has_perm(const struct cred *cred,
1794                                const struct path *path,
1795                                u32 av)
1796{
1797        struct inode *inode = d_backing_inode(path->dentry);
1798        struct common_audit_data ad;
1799
1800        ad.type = LSM_AUDIT_DATA_PATH;
1801        ad.u.path = *path;
1802        __inode_security_revalidate(inode, path->dentry, true);
1803        return inode_has_perm(cred, inode, av, &ad);
1804}
1805
1806/* Same as path_has_perm, but uses the inode from the file struct. */
1807static inline int file_path_has_perm(const struct cred *cred,
1808                                     struct file *file,
1809                                     u32 av)
1810{
1811        struct common_audit_data ad;
1812
1813        ad.type = LSM_AUDIT_DATA_FILE;
1814        ad.u.file = file;
1815        return inode_has_perm(cred, file_inode(file), av, &ad);
1816}
1817
1818#ifdef CONFIG_BPF_SYSCALL
1819static int bpf_fd_pass(struct file *file, u32 sid);
1820#endif
1821
1822/* Check whether a task can use an open file descriptor to
1823   access an inode in a given way.  Check access to the
1824   descriptor itself, and then use dentry_has_perm to
1825   check a particular permission to the file.
1826   Access to the descriptor is implicitly granted if it
1827   has the same SID as the process.  If av is zero, then
1828   access to the file is not checked, e.g. for cases
1829   where only the descriptor is affected like seek. */
1830static int file_has_perm(const struct cred *cred,
1831                         struct file *file,
1832                         u32 av)
1833{
1834        struct file_security_struct *fsec = file->f_security;
1835        struct inode *inode = file_inode(file);
1836        struct common_audit_data ad;
1837        u32 sid = cred_sid(cred);
1838        int rc;
1839
1840        ad.type = LSM_AUDIT_DATA_FILE;
1841        ad.u.file = file;
1842
1843        if (sid != fsec->sid) {
1844                rc = avc_has_perm(sid, fsec->sid,
1845                                  SECCLASS_FD,
1846                                  FD__USE,
1847                                  &ad);
1848                if (rc)
1849                        goto out;
1850        }
1851
1852#ifdef CONFIG_BPF_SYSCALL
1853        rc = bpf_fd_pass(file, cred_sid(cred));
1854        if (rc)
1855                return rc;
1856#endif
1857
1858        /* av is zero if only checking access to the descriptor. */
1859        rc = 0;
1860        if (av)
1861                rc = inode_has_perm(cred, inode, av, &ad);
1862
1863out:
1864        return rc;
1865}
1866
1867/*
1868 * Determine the label for an inode that might be unioned.
1869 */
1870static int
1871selinux_determine_inode_label(const struct task_security_struct *tsec,
1872                                 struct inode *dir,
1873                                 const struct qstr *name, u16 tclass,
1874                                 u32 *_new_isid)
1875{
1876        const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1877
1878        if ((sbsec->flags & SE_SBINITIALIZED) &&
1879            (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1880                *_new_isid = sbsec->mntpoint_sid;
1881        } else if ((sbsec->flags & SBLABEL_MNT) &&
1882                   tsec->create_sid) {
1883                *_new_isid = tsec->create_sid;
1884        } else {
1885                const struct inode_security_struct *dsec = inode_security(dir);
1886                return security_transition_sid(tsec->sid, dsec->sid, tclass,
1887                                               name, _new_isid);
1888        }
1889
1890        return 0;
1891}
1892
1893/* Check whether a task can create a file. */
1894static int may_create(struct inode *dir,
1895                      struct dentry *dentry,
1896                      u16 tclass)
1897{
1898        const struct task_security_struct *tsec = current_security();
1899        struct inode_security_struct *dsec;
1900        struct superblock_security_struct *sbsec;
1901        u32 sid, newsid;
1902        struct common_audit_data ad;
1903        int rc;
1904
1905        dsec = inode_security(dir);
1906        sbsec = dir->i_sb->s_security;
1907
1908        sid = tsec->sid;
1909
1910        ad.type = LSM_AUDIT_DATA_DENTRY;
1911        ad.u.dentry = dentry;
1912
1913        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1914                          DIR__ADD_NAME | DIR__SEARCH,
1915                          &ad);
1916        if (rc)
1917                return rc;
1918
1919        rc = selinux_determine_inode_label(current_security(), dir,
1920                                           &dentry->d_name, tclass, &newsid);
1921        if (rc)
1922                return rc;
1923
1924        rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1925        if (rc)
1926                return rc;
1927
1928        return avc_has_perm(newsid, sbsec->sid,
1929                            SECCLASS_FILESYSTEM,
1930                            FILESYSTEM__ASSOCIATE, &ad);
1931}
1932
1933#define MAY_LINK        0
1934#define MAY_UNLINK      1
1935#define MAY_RMDIR       2
1936
1937/* Check whether a task can link, unlink, or rmdir a file/directory. */
1938static int may_link(struct inode *dir,
1939                    struct dentry *dentry,
1940                    int kind)
1941
1942{
1943        struct inode_security_struct *dsec, *isec;
1944        struct common_audit_data ad;
1945        u32 sid = current_sid();
1946        u32 av;
1947        int rc;
1948
1949        dsec = inode_security(dir);
1950        isec = backing_inode_security(dentry);
1951
1952        ad.type = LSM_AUDIT_DATA_DENTRY;
1953        ad.u.dentry = dentry;
1954
1955        av = DIR__SEARCH;
1956        av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957        rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958        if (rc)
1959                return rc;
1960
1961        switch (kind) {
1962        case MAY_LINK:
1963                av = FILE__LINK;
1964                break;
1965        case MAY_UNLINK:
1966                av = FILE__UNLINK;
1967                break;
1968        case MAY_RMDIR:
1969                av = DIR__RMDIR;
1970                break;
1971        default:
1972                printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1973                        __func__, kind);
1974                return 0;
1975        }
1976
1977        rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1978        return rc;
1979}
1980
1981static inline int may_rename(struct inode *old_dir,
1982                             struct dentry *old_dentry,
1983                             struct inode *new_dir,
1984                             struct dentry *new_dentry)
1985{
1986        struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1987        struct common_audit_data ad;
1988        u32 sid = current_sid();
1989        u32 av;
1990        int old_is_dir, new_is_dir;
1991        int rc;
1992
1993        old_dsec = inode_security(old_dir);
1994        old_isec = backing_inode_security(old_dentry);
1995        old_is_dir = d_is_dir(old_dentry);
1996        new_dsec = inode_security(new_dir);
1997
1998        ad.type = LSM_AUDIT_DATA_DENTRY;
1999
2000        ad.u.dentry = old_dentry;
2001        rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
2002                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003        if (rc)
2004                return rc;
2005        rc = avc_has_perm(sid, old_isec->sid,
2006                          old_isec->sclass, FILE__RENAME, &ad);
2007        if (rc)
2008                return rc;
2009        if (old_is_dir && new_dir != old_dir) {
2010                rc = avc_has_perm(sid, old_isec->sid,
2011                                  old_isec->sclass, DIR__REPARENT, &ad);
2012                if (rc)
2013                        return rc;
2014        }
2015
2016        ad.u.dentry = new_dentry;
2017        av = DIR__ADD_NAME | DIR__SEARCH;
2018        if (d_is_positive(new_dentry))
2019                av |= DIR__REMOVE_NAME;
2020        rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021        if (rc)
2022                return rc;
2023        if (d_is_positive(new_dentry)) {
2024                new_isec = backing_inode_security(new_dentry);
2025                new_is_dir = d_is_dir(new_dentry);
2026                rc = avc_has_perm(sid, new_isec->sid,
2027                                  new_isec->sclass,
2028                                  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029                if (rc)
2030                        return rc;
2031        }
2032
2033        return 0;
2034}
2035
2036/* Check whether a task can perform a filesystem operation. */
2037static int superblock_has_perm(const struct cred *cred,
2038                               struct super_block *sb,
2039                               u32 perms,
2040                               struct common_audit_data *ad)
2041{
2042        struct superblock_security_struct *sbsec;
2043        u32 sid = cred_sid(cred);
2044
2045        sbsec = sb->s_security;
2046        return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047}
2048
2049/* Convert a Linux mode and permission mask to an access vector. */
2050static inline u32 file_mask_to_av(int mode, int mask)
2051{
2052        u32 av = 0;
2053
2054        if (!S_ISDIR(mode)) {
2055                if (mask & MAY_EXEC)
2056                        av |= FILE__EXECUTE;
2057                if (mask & MAY_READ)
2058                        av |= FILE__READ;
2059
2060                if (mask & MAY_APPEND)
2061                        av |= FILE__APPEND;
2062                else if (mask & MAY_WRITE)
2063                        av |= FILE__WRITE;
2064
2065        } else {
2066                if (mask & MAY_EXEC)
2067                        av |= DIR__SEARCH;
2068                if (mask & MAY_WRITE)
2069                        av |= DIR__WRITE;
2070                if (mask & MAY_READ)
2071                        av |= DIR__READ;
2072        }
2073
2074        return av;
2075}
2076
2077/* Convert a Linux file to an access vector. */
2078static inline u32 file_to_av(struct file *file)
2079{
2080        u32 av = 0;
2081
2082        if (file->f_mode & FMODE_READ)
2083                av |= FILE__READ;
2084        if (file->f_mode & FMODE_WRITE) {
2085                if (file->f_flags & O_APPEND)
2086                        av |= FILE__APPEND;
2087                else
2088                        av |= FILE__WRITE;
2089        }
2090        if (!av) {
2091                /*
2092                 * Special file opened with flags 3 for ioctl-only use.
2093                 */
2094                av = FILE__IOCTL;
2095        }
2096
2097        return av;
2098}
2099
2100/*
2101 * Convert a file to an access vector and include the correct open
2102 * open permission.
2103 */
2104static inline u32 open_file_to_av(struct file *file)
2105{
2106        u32 av = file_to_av(file);
2107        struct inode *inode = file_inode(file);
2108
2109        if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2110                av |= FILE__OPEN;
2111
2112        return av;
2113}
2114
2115/* Hook functions begin here. */
2116
2117static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2118{
2119        u32 mysid = current_sid();
2120        u32 mgrsid = task_sid(mgr);
2121
2122        return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2123                            BINDER__SET_CONTEXT_MGR, NULL);
2124}
2125
2126static int selinux_binder_transaction(struct task_struct *from,
2127                                      struct task_struct *to)
2128{
2129        u32 mysid = current_sid();
2130        u32 fromsid = task_sid(from);
2131        u32 tosid = task_sid(to);
2132        int rc;
2133
2134        if (mysid != fromsid) {
2135                rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2136                                  BINDER__IMPERSONATE, NULL);
2137                if (rc)
2138                        return rc;
2139        }
2140
2141        return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142                            NULL);
2143}
2144
2145static int selinux_binder_transfer_binder(struct task_struct *from,
2146                                          struct task_struct *to)
2147{
2148        u32 fromsid = task_sid(from);
2149        u32 tosid = task_sid(to);
2150
2151        return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152                            NULL);
2153}
2154
2155static int selinux_binder_transfer_file(struct task_struct *from,
2156                                        struct task_struct *to,
2157                                        struct file *file)
2158{
2159        u32 sid = task_sid(to);
2160        struct file_security_struct *fsec = file->f_security;
2161        struct dentry *dentry = file->f_path.dentry;
2162        struct inode_security_struct *isec;
2163        struct common_audit_data ad;
2164        int rc;
2165
2166        ad.type = LSM_AUDIT_DATA_PATH;
2167        ad.u.path = file->f_path;
2168
2169        if (sid != fsec->sid) {
2170                rc = avc_has_perm(sid, fsec->sid,
2171                                  SECCLASS_FD,
2172                                  FD__USE,
2173                                  &ad);
2174                if (rc)
2175                        return rc;
2176        }
2177
2178#ifdef CONFIG_BPF_SYSCALL
2179        rc = bpf_fd_pass(file, sid);
2180        if (rc)
2181                return rc;
2182#endif
2183
2184        if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2185                return 0;
2186
2187        isec = backing_inode_security(dentry);
2188        return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2189                            &ad);
2190}
2191
2192static int selinux_ptrace_access_check(struct task_struct *child,
2193                                     unsigned int mode)
2194{
2195        u32 sid = current_sid();
2196        u32 csid = task_sid(child);
2197
2198        if (mode & PTRACE_MODE_READ)
2199                return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200
2201        return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202}
2203
2204static int selinux_ptrace_traceme(struct task_struct *parent)
2205{
2206        return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207                            PROCESS__PTRACE, NULL);
2208}
2209
2210static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211                          kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212{
2213        return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2214                            PROCESS__GETCAP, NULL);
2215}
2216
2217static int selinux_capset(struct cred *new, const struct cred *old,
2218                          const kernel_cap_t *effective,
2219                          const kernel_cap_t *inheritable,
2220                          const kernel_cap_t *permitted)
2221{
2222        return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223                            PROCESS__SETCAP, NULL);
2224}
2225
2226/*
2227 * (This comment used to live with the selinux_task_setuid hook,
2228 * which was removed).
2229 *
2230 * Since setuid only affects the current process, and since the SELinux
2231 * controls are not based on the Linux identity attributes, SELinux does not
2232 * need to control this operation.  However, SELinux does control the use of
2233 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2234 */
2235
2236static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2237                           int cap, int audit)
2238{
2239        return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2240}
2241
2242static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2243{
2244        const struct cred *cred = current_cred();
2245        int rc = 0;
2246
2247        if (!sb)
2248                return 0;
2249
2250        switch (cmds) {
2251        case Q_SYNC:
2252        case Q_QUOTAON:
2253        case Q_QUOTAOFF:
2254        case Q_SETINFO:
2255        case Q_SETQUOTA:
2256                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2257                break;
2258        case Q_GETFMT:
2259        case Q_GETINFO:
2260        case Q_GETQUOTA:
2261                rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2262                break;
2263        default:
2264                rc = 0;  /* let the kernel handle invalid cmds */
2265                break;
2266        }
2267        return rc;
2268}
2269
2270static int selinux_quota_on(struct dentry *dentry)
2271{
2272        const struct cred *cred = current_cred();
2273
2274        return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2275}
2276
2277static int selinux_syslog(int type)
2278{
2279        switch (type) {
2280        case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2281        case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2282                return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2283                                    SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284        case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285        case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2286        /* Set level of messages printed to console */
2287        case SYSLOG_ACTION_CONSOLE_LEVEL:
2288                return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2289                                    SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290                                    NULL);
2291        }
2292        /* All other syslog types */
2293        return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2294                            SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295}
2296
2297/*
2298 * Check that a process has enough memory to allocate a new virtual
2299 * mapping. 0 means there is enough memory for the allocation to
2300 * succeed and -ENOMEM implies there is not.
2301 *
2302 * Do not audit the selinux permission check, as this is applied to all
2303 * processes that allocate mappings.
2304 */
2305static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2306{
2307        int rc, cap_sys_admin = 0;
2308
2309        rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2310                                 SECURITY_CAP_NOAUDIT, true);
2311        if (rc == 0)
2312                cap_sys_admin = 1;
2313
2314        return cap_sys_admin;
2315}
2316
2317/* binprm security operations */
2318
2319static u32 ptrace_parent_sid(void)
2320{
2321        u32 sid = 0;
2322        struct task_struct *tracer;
2323
2324        rcu_read_lock();
2325        tracer = ptrace_parent(current);
2326        if (tracer)
2327                sid = task_sid(tracer);
2328        rcu_read_unlock();
2329
2330        return sid;
2331}
2332
2333static int check_nnp_nosuid(const struct linux_binprm *bprm,
2334                            const struct task_security_struct *old_tsec,
2335                            const struct task_security_struct *new_tsec)
2336{
2337        int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2338        int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2339        int rc;
2340        u32 av;
2341
2342        if (!nnp && !nosuid)
2343                return 0; /* neither NNP nor nosuid */
2344
2345        if (new_tsec->sid == old_tsec->sid)
2346                return 0; /* No change in credentials */
2347
2348        /*
2349         * If the policy enables the nnp_nosuid_transition policy capability,
2350         * then we permit transitions under NNP or nosuid if the
2351         * policy allows the corresponding permission between
2352         * the old and new contexts.
2353         */
2354        if (selinux_policycap_nnp_nosuid_transition) {
2355                av = 0;
2356                if (nnp)
2357                        av |= PROCESS2__NNP_TRANSITION;
2358                if (nosuid)
2359                        av |= PROCESS2__NOSUID_TRANSITION;
2360                rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2361                                  SECCLASS_PROCESS2, av, NULL);
2362                if (!rc)
2363                        return 0;
2364        }
2365
2366        /*
2367         * We also permit NNP or nosuid transitions to bounded SIDs,
2368         * i.e. SIDs that are guaranteed to only be allowed a subset
2369         * of the permissions of the current SID.
2370         */
2371        rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2372        if (!rc)
2373                return 0;
2374
2375        /*
2376         * On failure, preserve the errno values for NNP vs nosuid.
2377         * NNP:  Operation not permitted for caller.
2378         * nosuid:  Permission denied to file.
2379         */
2380        if (nnp)
2381                return -EPERM;
2382        return -EACCES;
2383}
2384
2385static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2386{
2387        const struct task_security_struct *old_tsec;
2388        struct task_security_struct *new_tsec;
2389        struct inode_security_struct *isec;
2390        struct common_audit_data ad;
2391        struct inode *inode = file_inode(bprm->file);
2392        int rc;
2393
2394        /* SELinux context only depends on initial program or script and not
2395         * the script interpreter */
2396        if (bprm->called_set_creds)
2397                return 0;
2398
2399        old_tsec = current_security();
2400        new_tsec = bprm->cred->security;
2401        isec = inode_security(inode);
2402
2403        /* Default to the current task SID. */
2404        new_tsec->sid = old_tsec->sid;
2405        new_tsec->osid = old_tsec->sid;
2406
2407        /* Reset fs, key, and sock SIDs on execve. */
2408        new_tsec->create_sid = 0;
2409        new_tsec->keycreate_sid = 0;
2410        new_tsec->sockcreate_sid = 0;
2411
2412        if (old_tsec->exec_sid) {
2413                new_tsec->sid = old_tsec->exec_sid;
2414                /* Reset exec SID on execve. */
2415                new_tsec->exec_sid = 0;
2416
2417                /* Fail on NNP or nosuid if not an allowed transition. */
2418                rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2419                if (rc)
2420                        return rc;
2421        } else {
2422                /* Check for a default transition on this program. */
2423                rc = security_transition_sid(old_tsec->sid, isec->sid,
2424                                             SECCLASS_PROCESS, NULL,
2425                                             &new_tsec->sid);
2426                if (rc)
2427                        return rc;
2428
2429                /*
2430                 * Fallback to old SID on NNP or nosuid if not an allowed
2431                 * transition.
2432                 */
2433                rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2434                if (rc)
2435                        new_tsec->sid = old_tsec->sid;
2436        }
2437
2438        ad.type = LSM_AUDIT_DATA_FILE;
2439        ad.u.file = bprm->file;
2440
2441        if (new_tsec->sid == old_tsec->sid) {
2442                rc = avc_has_perm(old_tsec->sid, isec->sid,
2443                                  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444                if (rc)
2445                        return rc;
2446        } else {
2447                /* Check permissions for the transition. */
2448                rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2449                                  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450                if (rc)
2451                        return rc;
2452
2453                rc = avc_has_perm(new_tsec->sid, isec->sid,
2454                                  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455                if (rc)
2456                        return rc;
2457
2458                /* Check for shared state */
2459                if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460                        rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2461                                          SECCLASS_PROCESS, PROCESS__SHARE,
2462                                          NULL);
2463                        if (rc)
2464                                return -EPERM;
2465                }
2466
2467                /* Make sure that anyone attempting to ptrace over a task that
2468                 * changes its SID has the appropriate permit */
2469                if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470                        u32 ptsid = ptrace_parent_sid();
2471                        if (ptsid != 0) {
2472                                rc = avc_has_perm(ptsid, new_tsec->sid,
2473                                                  SECCLASS_PROCESS,
2474                                                  PROCESS__PTRACE, NULL);
2475                                if (rc)
2476                                        return -EPERM;
2477                        }
2478                }
2479
2480                /* Clear any possibly unsafe personality bits on exec: */
2481                bprm->per_clear |= PER_CLEAR_ON_SETID;
2482
2483                /* Enable secure mode for SIDs transitions unless
2484                   the noatsecure permission is granted between
2485                   the two SIDs, i.e. ahp returns 0. */
2486                rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2487                                  SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488                                  NULL);
2489                bprm->secureexec |= !!rc;
2490        }
2491
2492        return 0;
2493}
2494
2495static int match_file(const void *p, struct file *file, unsigned fd)
2496{
2497        return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2498}
2499
2500/* Derived from fs/exec.c:flush_old_files. */
2501static inline void flush_unauthorized_files(const struct cred *cred,
2502                                            struct files_struct *files)
2503{
2504        struct file *file, *devnull = NULL;
2505        struct tty_struct *tty;
2506        int drop_tty = 0;
2507        unsigned n;
2508
2509        tty = get_current_tty();
2510        if (tty) {
2511                spin_lock(&tty->files_lock);
2512                if (!list_empty(&tty->tty_files)) {
2513                        struct tty_file_private *file_priv;
2514
2515                        /* Revalidate access to controlling tty.
2516                           Use file_path_has_perm on the tty path directly
2517                           rather than using file_has_perm, as this particular
2518                           open file may belong to another process and we are
2519                           only interested in the inode-based check here. */
2520                        file_priv = list_first_entry(&tty->tty_files,
2521                                                struct tty_file_private, list);
2522                        file = file_priv->file;
2523                        if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2524                                drop_tty = 1;
2525                }
2526                spin_unlock(&tty->files_lock);
2527                tty_kref_put(tty);
2528        }
2529        /* Reset controlling tty. */
2530        if (drop_tty)
2531                no_tty();
2532
2533        /* Revalidate access to inherited open files. */
2534        n = iterate_fd(files, 0, match_file, cred);
2535        if (!n) /* none found? */
2536                return;
2537
2538        devnull = dentry_open(&selinux_null, O_RDWR, cred);
2539        if (IS_ERR(devnull))
2540                devnull = NULL;
2541        /* replace all the matching ones with this */
2542        do {
2543                replace_fd(n - 1, devnull, 0);
2544        } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2545        if (devnull)
2546                fput(devnull);
2547}
2548
2549/*
2550 * Prepare a process for imminent new credential changes due to exec
2551 */
2552static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2553{
2554        struct task_security_struct *new_tsec;
2555        struct rlimit *rlim, *initrlim;
2556        int rc, i;
2557
2558        new_tsec = bprm->cred->security;
2559        if (new_tsec->sid == new_tsec->osid)
2560                return;
2561
2562        /* Close files for which the new task SID is not authorized. */
2563        flush_unauthorized_files(bprm->cred, current->files);
2564
2565        /* Always clear parent death signal on SID transitions. */
2566        current->pdeath_signal = 0;
2567
2568        /* Check whether the new SID can inherit resource limits from the old
2569         * SID.  If not, reset all soft limits to the lower of the current
2570         * task's hard limit and the init task's soft limit.
2571         *
2572         * Note that the setting of hard limits (even to lower them) can be
2573         * controlled by the setrlimit check.  The inclusion of the init task's
2574         * soft limit into the computation is to avoid resetting soft limits
2575         * higher than the default soft limit for cases where the default is
2576         * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577         */
2578        rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579                          PROCESS__RLIMITINH, NULL);
2580        if (rc) {
2581                /* protect against do_prlimit() */
2582                task_lock(current);
2583                for (i = 0; i < RLIM_NLIMITS; i++) {
2584                        rlim = current->signal->rlim + i;
2585                        initrlim = init_task.signal->rlim + i;
2586                        rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2587                }
2588                task_unlock(current);
2589                if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2590                        update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2591        }
2592}
2593
2594/*
2595 * Clean up the process immediately after the installation of new credentials
2596 * due to exec
2597 */
2598static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2599{
2600        const struct task_security_struct *tsec = current_security();
2601        struct itimerval itimer;
2602        u32 osid, sid;
2603        int rc, i;
2604
2605        osid = tsec->osid;
2606        sid = tsec->sid;
2607
2608        if (sid == osid)
2609                return;
2610
2611        /* Check whether the new SID can inherit signal state from the old SID.
2612         * If not, clear itimers to avoid subsequent signal generation and
2613         * flush and unblock signals.
2614         *
2615         * This must occur _after_ the task SID has been updated so that any
2616         * kill done after the flush will be checked against the new SID.
2617         */
2618        rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619        if (rc) {
2620                if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621                        memset(&itimer, 0, sizeof itimer);
2622                        for (i = 0; i < 3; i++)
2623                                do_setitimer(i, &itimer, NULL);
2624                }
2625                spin_lock_irq(&current->sighand->siglock);
2626                if (!fatal_signal_pending(current)) {
2627                        flush_sigqueue(&current->pending);
2628                        flush_sigqueue(&current->signal->shared_pending);
2629                        flush_signal_handlers(current, 1);
2630                        sigemptyset(&current->blocked);
2631                        recalc_sigpending();
2632                }
2633                spin_unlock_irq(&current->sighand->siglock);
2634        }
2635
2636        /* Wake up the parent if it is waiting so that it can recheck
2637         * wait permission to the new task SID. */
2638        read_lock(&tasklist_lock);
2639        __wake_up_parent(current, current->real_parent);
2640        read_unlock(&tasklist_lock);
2641}
2642
2643/* superblock security operations */
2644
2645static int selinux_sb_alloc_security(struct super_block *sb)
2646{
2647        return superblock_alloc_security(sb);
2648}
2649
2650static void selinux_sb_free_security(struct super_block *sb)
2651{
2652        superblock_free_security(sb);
2653}
2654
2655static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2656{
2657        if (plen > olen)
2658                return 0;
2659
2660        return !memcmp(prefix, option, plen);
2661}
2662
2663static inline int selinux_option(char *option, int len)
2664{
2665        return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2666                match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2667                match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2668                match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2669                match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2670}
2671
2672static inline void take_option(char **to, char *from, int *first, int len)
2673{
2674        if (!*first) {
2675                **to = ',';
2676                *to += 1;
2677        } else
2678                *first = 0;
2679        memcpy(*to, from, len);
2680        *to += len;
2681}
2682
2683static inline void take_selinux_option(char **to, char *from, int *first,
2684                                       int len)
2685{
2686        int current_size = 0;
2687
2688        if (!*first) {
2689                **to = '|';
2690                *to += 1;
2691        } else
2692                *first = 0;
2693
2694        while (current_size < len) {
2695                if (*from != '"') {
2696                        **to = *from;
2697                        *to += 1;
2698                }
2699                from += 1;
2700                current_size += 1;
2701        }
2702}
2703
2704static int selinux_sb_copy_data(char *orig, char *copy)
2705{
2706        int fnosec, fsec, rc = 0;
2707        char *in_save, *in_curr, *in_end;
2708        char *sec_curr, *nosec_save, *nosec;
2709        int open_quote = 0;
2710
2711        in_curr = orig;
2712        sec_curr = copy;
2713
2714        nosec = (char *)get_zeroed_page(GFP_KERNEL);
2715        if (!nosec) {
2716                rc = -ENOMEM;
2717                goto out;
2718        }
2719
2720        nosec_save = nosec;
2721        fnosec = fsec = 1;
2722        in_save = in_end = orig;
2723
2724        do {
2725                if (*in_end == '"')
2726                        open_quote = !open_quote;
2727                if ((*in_end == ',' && open_quote == 0) ||
2728                                *in_end == '\0') {
2729                        int len = in_end - in_curr;
2730
2731                        if (selinux_option(in_curr, len))
2732                                take_selinux_option(&sec_curr, in_curr, &fsec, len);
2733                        else
2734                                take_option(&nosec, in_curr, &fnosec, len);
2735
2736                        in_curr = in_end + 1;
2737                }
2738        } while (*in_end++);
2739
2740        strcpy(in_save, nosec_save);
2741        free_page((unsigned long)nosec_save);
2742out:
2743        return rc;
2744}
2745
2746static int selinux_sb_remount(struct super_block *sb, void *data)
2747{
2748        int rc, i, *flags;
2749        struct security_mnt_opts opts;
2750        char *secdata, **mount_options;
2751        struct superblock_security_struct *sbsec = sb->s_security;
2752
2753        if (!(sbsec->flags & SE_SBINITIALIZED))
2754                return 0;
2755
2756        if (!data)
2757                return 0;
2758
2759        if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2760                return 0;
2761
2762        security_init_mnt_opts(&opts);
2763        secdata = alloc_secdata();
2764        if (!secdata)
2765                return -ENOMEM;
2766        rc = selinux_sb_copy_data(data, secdata);
2767        if (rc)
2768                goto out_free_secdata;
2769
2770        rc = selinux_parse_opts_str(secdata, &opts);
2771        if (rc)
2772                goto out_free_secdata;
2773
2774        mount_options = opts.mnt_opts;
2775        flags = opts.mnt_opts_flags;
2776
2777        for (i = 0; i < opts.num_mnt_opts; i++) {
2778                u32 sid;
2779
2780                if (flags[i] == SBLABEL_MNT)
2781                        continue;
2782                rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2783                if (rc) {
2784                        printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785                               "(%s) failed for (dev %s, type %s) errno=%d\n",
2786                               mount_options[i], sb->s_id, sb->s_type->name, rc);
2787                        goto out_free_opts;
2788                }
2789                rc = -EINVAL;
2790                switch (flags[i]) {
2791                case FSCONTEXT_MNT:
2792                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2793                                goto out_bad_option;
2794                        break;
2795                case CONTEXT_MNT:
2796                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2797                                goto out_bad_option;
2798                        break;
2799                case ROOTCONTEXT_MNT: {
2800                        struct inode_security_struct *root_isec;
2801                        root_isec = backing_inode_security(sb->s_root);
2802
2803                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2804                                goto out_bad_option;
2805                        break;
2806                }
2807                case DEFCONTEXT_MNT:
2808                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2809                                goto out_bad_option;
2810                        break;
2811                default:
2812                        goto out_free_opts;
2813                }
2814        }
2815
2816        rc = 0;
2817out_free_opts:
2818        security_free_mnt_opts(&opts);
2819out_free_secdata:
2820        free_secdata(secdata);
2821        return rc;
2822out_bad_option:
2823        printk(KERN_WARNING "SELinux: unable to change security options "
2824               "during remount (dev %s, type=%s)\n", sb->s_id,
2825               sb->s_type->name);
2826        goto out_free_opts;
2827}
2828
2829static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2830{
2831        const struct cred *cred = current_cred();
2832        struct common_audit_data ad;
2833        int rc;
2834
2835        rc = superblock_doinit(sb, data);
2836        if (rc)
2837                return rc;
2838
2839        /* Allow all mounts performed by the kernel */
2840        if (flags & MS_KERNMOUNT)
2841                return 0;
2842
2843        ad.type = LSM_AUDIT_DATA_DENTRY;
2844        ad.u.dentry = sb->s_root;
2845        return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2846}
2847
2848static int selinux_sb_statfs(struct dentry *dentry)
2849{
2850        const struct cred *cred = current_cred();
2851        struct common_audit_data ad;
2852
2853        ad.type = LSM_AUDIT_DATA_DENTRY;
2854        ad.u.dentry = dentry->d_sb->s_root;
2855        return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2856}
2857
2858static int selinux_mount(const char *dev_name,
2859                         const struct path *path,
2860                         const char *type,
2861                         unsigned long flags,
2862                         void *data)
2863{
2864        const struct cred *cred = current_cred();
2865
2866        if (flags & MS_REMOUNT)
2867                return superblock_has_perm(cred, path->dentry->d_sb,
2868                                           FILESYSTEM__REMOUNT, NULL);
2869        else
2870                return path_has_perm(cred, path, FILE__MOUNTON);
2871}
2872
2873static int selinux_umount(struct vfsmount *mnt, int flags)
2874{
2875        const struct cred *cred = current_cred();
2876
2877        return superblock_has_perm(cred, mnt->mnt_sb,
2878                                   FILESYSTEM__UNMOUNT, NULL);
2879}
2880
2881/* inode security operations */
2882
2883static int selinux_inode_alloc_security(struct inode *inode)
2884{
2885        return inode_alloc_security(inode);
2886}
2887
2888static void selinux_inode_free_security(struct inode *inode)
2889{
2890        inode_free_security(inode);
2891}
2892
2893static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2894                                        const struct qstr *name, void **ctx,
2895                                        u32 *ctxlen)
2896{
2897        u32 newsid;
2898        int rc;
2899
2900        rc = selinux_determine_inode_label(current_security(),
2901                                           d_inode(dentry->d_parent), name,
2902                                           inode_mode_to_security_class(mode),
2903                                           &newsid);
2904        if (rc)
2905                return rc;
2906
2907        return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2908}
2909
2910static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2911                                          struct qstr *name,
2912                                          const struct cred *old,
2913                                          struct cred *new)
2914{
2915        u32 newsid;
2916        int rc;
2917        struct task_security_struct *tsec;
2918
2919        rc = selinux_determine_inode_label(old->security,
2920                                           d_inode(dentry->d_parent), name,
2921                                           inode_mode_to_security_class(mode),
2922                                           &newsid);
2923        if (rc)
2924                return rc;
2925
2926        tsec = new->security;
2927        tsec->create_sid = newsid;
2928        return 0;
2929}
2930
2931static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2932                                       const struct qstr *qstr,
2933                                       const char **name,
2934                                       void **value, size_t *len)
2935{
2936        const struct task_security_struct *tsec = current_security();
2937        struct superblock_security_struct *sbsec;
2938        u32 newsid, clen;
2939        int rc;
2940        char *context;
2941
2942        sbsec = dir->i_sb->s_security;
2943
2944        newsid = tsec->create_sid;
2945
2946        rc = selinux_determine_inode_label(current_security(),
2947                dir, qstr,
2948                inode_mode_to_security_class(inode->i_mode),
2949                &newsid);
2950        if (rc)
2951                return rc;
2952
2953        /* Possibly defer initialization to selinux_complete_init. */
2954        if (sbsec->flags & SE_SBINITIALIZED) {
2955                struct inode_security_struct *isec = inode->i_security;
2956                isec->sclass = inode_mode_to_security_class(inode->i_mode);
2957                isec->sid = newsid;
2958                isec->initialized = LABEL_INITIALIZED;
2959        }
2960
2961        if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2962                return -EOPNOTSUPP;
2963
2964        if (name)
2965                *name = XATTR_SELINUX_SUFFIX;
2966
2967        if (value && len) {
2968                rc = security_sid_to_context_force(newsid, &context, &clen);
2969                if (rc)
2970                        return rc;
2971                *value = context;
2972                *len = clen;
2973        }
2974
2975        return 0;
2976}
2977
2978static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2979{
2980        return may_create(dir, dentry, SECCLASS_FILE);
2981}
2982
2983static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2984{
2985        return may_link(dir, old_dentry, MAY_LINK);
2986}
2987
2988static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2989{
2990        return may_link(dir, dentry, MAY_UNLINK);
2991}
2992
2993static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2994{
2995        return may_create(dir, dentry, SECCLASS_LNK_FILE);
2996}
2997
2998static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2999{
3000        return may_create(dir, dentry, SECCLASS_DIR);
3001}
3002
3003static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3004{
3005        return may_link(dir, dentry, MAY_RMDIR);
3006}
3007
3008static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3009{
3010        return may_create(dir, dentry, inode_mode_to_security_class(mode));
3011}
3012
3013static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3014                                struct inode *new_inode, struct dentry *new_dentry)
3015{
3016        return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3017}
3018
3019static int selinux_inode_readlink(struct dentry *dentry)
3020{
3021        const struct cred *cred = current_cred();
3022
3023        return dentry_has_perm(cred, dentry, FILE__READ);
3024}
3025
3026static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3027                                     bool rcu)
3028{
3029        const struct cred *cred = current_cred();
3030        struct common_audit_data ad;
3031        struct inode_security_struct *isec;
3032        u32 sid;
3033
3034        validate_creds(cred);
3035
3036        ad.type = LSM_AUDIT_DATA_DENTRY;
3037        ad.u.dentry = dentry;
3038        sid = cred_sid(cred);
3039        isec = inode_security_rcu(inode, rcu);
3040        if (IS_ERR(isec))
3041                return PTR_ERR(isec);
3042
3043        return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044                                  rcu ? MAY_NOT_BLOCK : 0);
3045}
3046
3047static noinline int audit_inode_permission(struct inode *inode,
3048                                           u32 perms, u32 audited, u32 denied,
3049                                           int result,
3050                                           unsigned flags)
3051{
3052        struct common_audit_data ad;
3053        struct inode_security_struct *isec = inode->i_security;
3054        int rc;
3055
3056        ad.type = LSM_AUDIT_DATA_INODE;
3057        ad.u.inode = inode;
3058
3059        rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3060                            audited, denied, result, &ad, flags);
3061        if (rc)
3062                return rc;
3063        return 0;
3064}
3065
3066static int selinux_inode_permission(struct inode *inode, int mask)
3067{
3068        const struct cred *cred = current_cred();
3069        u32 perms;
3070        bool from_access;
3071        unsigned flags = mask & MAY_NOT_BLOCK;
3072        struct inode_security_struct *isec;
3073        u32 sid;
3074        struct av_decision avd;
3075        int rc, rc2;
3076        u32 audited, denied;
3077
3078        from_access = mask & MAY_ACCESS;
3079        mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3080
3081        /* No permission to check.  Existence test. */
3082        if (!mask)
3083                return 0;
3084
3085        validate_creds(cred);
3086
3087        if (unlikely(IS_PRIVATE(inode)))
3088                return 0;
3089
3090        perms = file_mask_to_av(inode->i_mode, mask);
3091
3092        sid = cred_sid(cred);
3093        isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3094        if (IS_ERR(isec))
3095                return PTR_ERR(isec);
3096
3097        rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3098        audited = avc_audit_required(perms, &avd, rc,
3099                                     from_access ? FILE__AUDIT_ACCESS : 0,
3100                                     &denied);
3101        if (likely(!audited))
3102                return rc;
3103
3104        rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3105        if (rc2)
3106                return rc2;
3107        return rc;
3108}
3109
3110static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3111{
3112        const struct cred *cred = current_cred();
3113        struct inode *inode = d_backing_inode(dentry);
3114        unsigned int ia_valid = iattr->ia_valid;
3115        __u32 av = FILE__WRITE;
3116
3117        /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3118        if (ia_valid & ATTR_FORCE) {
3119                ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3120                              ATTR_FORCE);
3121                if (!ia_valid)
3122                        return 0;
3123        }
3124
3125        if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3126                        ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127                return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128
3129        if (selinux_policycap_openperm &&
3130            inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131            (ia_valid & ATTR_SIZE) &&
3132            !(ia_valid & ATTR_FILE))
3133                av |= FILE__OPEN;
3134
3135        return dentry_has_perm(cred, dentry, av);
3136}
3137
3138static int selinux_inode_getattr(const struct path *path)
3139{
3140        return path_has_perm(current_cred(), path, FILE__GETATTR);
3141}
3142
3143static bool has_cap_mac_admin(bool audit)
3144{
3145        const struct cred *cred = current_cred();
3146        int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3147
3148        if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3149                return false;
3150        if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3151                return false;
3152        return true;
3153}
3154
3155static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3156                                  const void *value, size_t size, int flags)
3157{
3158        struct inode *inode = d_backing_inode(dentry);
3159        struct inode_security_struct *isec;
3160        struct superblock_security_struct *sbsec;
3161        struct common_audit_data ad;
3162        u32 newsid, sid = current_sid();
3163        int rc = 0;
3164
3165        if (strcmp(name, XATTR_NAME_SELINUX)) {
3166                rc = cap_inode_setxattr(dentry, name, value, size, flags);
3167                if (rc)
3168                        return rc;
3169
3170                /* Not an attribute we recognize, so just check the
3171                   ordinary setattr permission. */
3172                return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3173        }
3174
3175        sbsec = inode->i_sb->s_security;
3176        if (!(sbsec->flags & SBLABEL_MNT))
3177                return -EOPNOTSUPP;
3178
3179        if (!inode_owner_or_capable(inode))
3180                return -EPERM;
3181
3182        ad.type = LSM_AUDIT_DATA_DENTRY;
3183        ad.u.dentry = dentry;
3184
3185        isec = backing_inode_security(dentry);
3186        rc = avc_has_perm(sid, isec->sid, isec->sclass,
3187                          FILE__RELABELFROM, &ad);
3188        if (rc)
3189                return rc;
3190
3191        rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3192        if (rc == -EINVAL) {
3193                if (!has_cap_mac_admin(true)) {
3194                        struct audit_buffer *ab;
3195                        size_t audit_size;
3196
3197                        /* We strip a nul only if it is at the end, otherwise the
3198                         * context contains a nul and we should audit that */
3199                        if (value) {
3200                                const char *str = value;
3201
3202                                if (str[size - 1] == '\0')
3203                                        audit_size = size - 1;
3204                                else
3205                                        audit_size = size;
3206                        } else {
3207                                audit_size = 0;
3208                        }
3209                        ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3210                        audit_log_format(ab, "op=setxattr invalid_context=");
3211                        audit_log_n_untrustedstring(ab, value, audit_size);
3212                        audit_log_end(ab);
3213
3214                        return rc;
3215                }
3216                rc = security_context_to_sid_force(value, size, &newsid);
3217        }
3218        if (rc)
3219                return rc;
3220
3221        rc = avc_has_perm(sid, newsid, isec->sclass,
3222                          FILE__RELABELTO, &ad);
3223        if (rc)
3224                return rc;
3225
3226        rc = security_validate_transition(isec->sid, newsid, sid,
3227                                          isec->sclass);
3228        if (rc)
3229                return rc;
3230
3231        return avc_has_perm(newsid,
3232                            sbsec->sid,
3233                            SECCLASS_FILESYSTEM,
3234                            FILESYSTEM__ASSOCIATE,
3235                            &ad);
3236}
3237
3238static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3239                                        const void *value, size_t size,
3240                                        int flags)
3241{
3242        struct inode *inode = d_backing_inode(dentry);
3243        struct inode_security_struct *isec;
3244        u32 newsid;
3245        int rc;
3246
3247        if (strcmp(name, XATTR_NAME_SELINUX)) {
3248                /* Not an attribute we recognize, so nothing to do. */
3249                return;
3250        }
3251
3252        rc = security_context_to_sid_force(value, size, &newsid);
3253        if (rc) {
3254                printk(KERN_ERR "SELinux:  unable to map context to SID"
3255                       "for (%s, %lu), rc=%d\n",
3256                       inode->i_sb->s_id, inode->i_ino, -rc);
3257                return;
3258        }
3259
3260        isec = backing_inode_security(dentry);
3261        spin_lock(&isec->lock);
3262        isec->sclass = inode_mode_to_security_class(inode->i_mode);
3263        isec->sid = newsid;
3264        isec->initialized = LABEL_INITIALIZED;
3265        spin_unlock(&isec->lock);
3266
3267        return;
3268}
3269
3270static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3271{
3272        const struct cred *cred = current_cred();
3273
3274        return dentry_has_perm(cred, dentry, FILE__GETATTR);
3275}
3276
3277static int selinux_inode_listxattr(struct dentry *dentry)
3278{
3279        const struct cred *cred = current_cred();
3280
3281        return dentry_has_perm(cred, dentry, FILE__GETATTR);
3282}
3283
3284static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3285{
3286        if (strcmp(name, XATTR_NAME_SELINUX)) {
3287                int rc = cap_inode_removexattr(dentry, name);
3288                if (rc)
3289                        return rc;
3290
3291                /* Not an attribute we recognize, so just check the
3292                   ordinary setattr permission. */
3293                return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3294        }
3295
3296        /* No one is allowed to remove a SELinux security label.
3297           You can change the label, but all data must be labeled. */
3298        return -EACCES;
3299}
3300
3301/*
3302 * Copy the inode security context value to the user.
3303 *
3304 * Permission check is handled by selinux_inode_getxattr hook.
3305 */
3306static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3307{
3308        u32 size;
3309        int error;
3310        char *context = NULL;
3311        struct inode_security_struct *isec;
3312
3313        if (strcmp(name, XATTR_SELINUX_SUFFIX))
3314                return -EOPNOTSUPP;
3315
3316        /*
3317         * If the caller has CAP_MAC_ADMIN, then get the raw context
3318         * value even if it is not defined by current policy; otherwise,
3319         * use the in-core value under current policy.
3320         * Use the non-auditing forms of the permission checks since
3321         * getxattr may be called by unprivileged processes commonly
3322         * and lack of permission just means that we fall back to the
3323         * in-core context value, not a denial.
3324         */
3325        isec = inode_security(inode);
3326        if (has_cap_mac_admin(false))
3327                error = security_sid_to_context_force(isec->sid, &context,
3328                                                      &size);
3329        else
3330                error = security_sid_to_context(isec->sid, &context, &size);
3331        if (error)
3332                return error;
3333        error = size;
3334        if (alloc) {
3335                *buffer = context;
3336                goto out_nofree;
3337        }
3338        kfree(context);
3339out_nofree:
3340        return error;
3341}
3342
3343static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3344                                     const void *value, size_t size, int flags)
3345{
3346        struct inode_security_struct *isec = inode_security_novalidate(inode);
3347        u32 newsid;
3348        int rc;
3349
3350        if (strcmp(name, XATTR_SELINUX_SUFFIX))
3351                return -EOPNOTSUPP;
3352
3353        if (!value || !size)
3354                return -EACCES;
3355
3356        rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3357        if (rc)
3358                return rc;
3359
3360        spin_lock(&isec->lock);
3361        isec->sclass = inode_mode_to_security_class(inode->i_mode);
3362        isec->sid = newsid;
3363        isec->initialized = LABEL_INITIALIZED;
3364        spin_unlock(&isec->lock);
3365        return 0;
3366}
3367
3368static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3369{
3370        const int len = sizeof(XATTR_NAME_SELINUX);
3371        if (buffer && len <= buffer_size)
3372                memcpy(buffer, XATTR_NAME_SELINUX, len);
3373        return len;
3374}
3375
3376static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3377{
3378        struct inode_security_struct *isec = inode_security_novalidate(inode);
3379        *secid = isec->sid;
3380}
3381
3382static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3383{
3384        u32 sid;
3385        struct task_security_struct *tsec;
3386        struct cred *new_creds = *new;
3387
3388        if (new_creds == NULL) {
3389                new_creds = prepare_creds();
3390                if (!new_creds)
3391                        return -ENOMEM;
3392        }
3393
3394        tsec = new_creds->security;
3395        /* Get label from overlay inode and set it in create_sid */
3396        selinux_inode_getsecid(d_inode(src), &sid);
3397        tsec->create_sid = sid;
3398        *new = new_creds;
3399        return 0;
3400}
3401
3402static int selinux_inode_copy_up_xattr(const char *name)
3403{
3404        /* The copy_up hook above sets the initial context on an inode, but we
3405         * don't then want to overwrite it by blindly copying all the lower
3406         * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3407         */
3408        if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3409                return 1; /* Discard */
3410        /*
3411         * Any other attribute apart from SELINUX is not claimed, supported
3412         * by selinux.
3413         */
3414        return -EOPNOTSUPP;
3415}
3416
3417/* file security operations */
3418
3419static int selinux_revalidate_file_permission(struct file *file, int mask)
3420{
3421        const struct cred *cred = current_cred();
3422        struct inode *inode = file_inode(file);
3423
3424        /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3425        if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3426                mask |= MAY_APPEND;
3427
3428        return file_has_perm(cred, file,
3429                             file_mask_to_av(inode->i_mode, mask));
3430}
3431
3432static int selinux_file_permission(struct file *file, int mask)
3433{
3434        struct inode *inode = file_inode(file);
3435        struct file_security_struct *fsec = file->f_security;
3436        struct inode_security_struct *isec;
3437        u32 sid = current_sid();
3438
3439        if (!mask)
3440                /* No permission to check.  Existence test. */
3441                return 0;
3442
3443        isec = inode_security(inode);
3444        if (sid == fsec->sid && fsec->isid == isec->sid &&
3445            fsec->pseqno == avc_policy_seqno())
3446                /* No change since file_open check. */
3447                return 0;
3448
3449        return selinux_revalidate_file_permission(file, mask);
3450}
3451
3452static int selinux_file_alloc_security(struct file *file)
3453{
3454        return file_alloc_security(file);
3455}
3456
3457static void selinux_file_free_security(struct file *file)
3458{
3459        file_free_security(file);
3460}
3461
3462/*
3463 * Check whether a task has the ioctl permission and cmd
3464 * operation to an inode.
3465 */
3466static int ioctl_has_perm(const struct cred *cred, struct file *file,
3467                u32 requested, u16 cmd)
3468{
3469        struct common_audit_data ad;
3470        struct file_security_struct *fsec = file->f_security;
3471        struct inode *inode = file_inode(file);
3472        struct inode_security_struct *isec;
3473        struct lsm_ioctlop_audit ioctl;
3474        u32 ssid = cred_sid(cred);
3475        int rc;
3476        u8 driver = cmd >> 8;
3477        u8 xperm = cmd & 0xff;
3478
3479        ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3480        ad.u.op = &ioctl;
3481        ad.u.op->cmd = cmd;
3482        ad.u.op->path = file->f_path;
3483
3484        if (ssid != fsec->sid) {
3485                rc = avc_has_perm(ssid, fsec->sid,
3486                                SECCLASS_FD,
3487                                FD__USE,
3488                                &ad);
3489                if (rc)
3490                        goto out;
3491        }
3492
3493        if (unlikely(IS_PRIVATE(inode)))
3494                return 0;
3495
3496        isec = inode_security(inode);
3497        rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3498                        requested, driver, xperm, &ad);
3499out:
3500        return rc;
3501}
3502
3503static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3504                              unsigned long arg)
3505{
3506        const struct cred *cred = current_cred();
3507        int error = 0;
3508
3509        switch (cmd) {
3510        case FIONREAD:
3511        /* fall through */
3512        case FIBMAP:
3513        /* fall through */
3514        case FIGETBSZ:
3515        /* fall through */
3516        case FS_IOC_GETFLAGS:
3517        /* fall through */
3518        case FS_IOC_GETVERSION:
3519                error = file_has_perm(cred, file, FILE__GETATTR);
3520                break;
3521
3522        case FS_IOC_SETFLAGS:
3523        /* fall through */
3524        case FS_IOC_SETVERSION:
3525                error = file_has_perm(cred, file, FILE__SETATTR);
3526                break;
3527
3528        /* sys_ioctl() checks */
3529        case FIONBIO:
3530        /* fall through */
3531        case FIOASYNC:
3532                error = file_has_perm(cred, file, 0);
3533                break;
3534
3535        case KDSKBENT:
3536        case KDSKBSENT:
3537                error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3538                                            SECURITY_CAP_AUDIT, true);
3539                break;
3540
3541        /* default case assumes that the command will go
3542         * to the file's ioctl() function.
3543         */
3544        default:
3545                error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3546        }
3547        return error;
3548}
3549
3550static int default_noexec;
3551
3552static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3553{
3554        const struct cred *cred = current_cred();
3555        u32 sid = cred_sid(cred);
3556        int rc = 0;
3557
3558        if (default_noexec &&
3559            (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3560                                   (!shared && (prot & PROT_WRITE)))) {
3561                /*
3562                 * We are making executable an anonymous mapping or a
3563                 * private file mapping that will also be writable.
3564                 * This has an additional check.
3565                 */
3566                rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3567                                  PROCESS__EXECMEM, NULL);
3568                if (rc)
3569                        goto error;
3570        }
3571
3572        if (file) {
3573                /* read access is always possible with a mapping */
3574                u32 av = FILE__READ;
3575
3576                /* write access only matters if the mapping is shared */
3577                if (shared && (prot & PROT_WRITE))
3578                        av |= FILE__WRITE;
3579
3580                if (prot & PROT_EXEC)
3581                        av |= FILE__EXECUTE;
3582
3583                return file_has_perm(cred, file, av);
3584        }
3585
3586error:
3587        return rc;
3588}
3589
3590static int selinux_mmap_addr(unsigned long addr)
3591{
3592        int rc = 0;
3593
3594        if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3595                u32 sid = current_sid();
3596                rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3597                                  MEMPROTECT__MMAP_ZERO, NULL);
3598        }
3599
3600        return rc;
3601}
3602
3603static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3604                             unsigned long prot, unsigned long flags)
3605{
3606        struct common_audit_data ad;
3607        int rc;
3608
3609        if (file) {
3610                ad.type = LSM_AUDIT_DATA_FILE;
3611                ad.u.file = file;
3612                rc = inode_has_perm(current_cred(), file_inode(file),
3613                                    FILE__MAP, &ad);
3614                if (rc)
3615                        return rc;
3616        }
3617
3618        if (selinux_checkreqprot)
3619                prot = reqprot;
3620
3621        return file_map_prot_check(file, prot,
3622                                   (flags & MAP_TYPE) == MAP_SHARED);
3623}
3624
3625static int selinux_file_mprotect(struct vm_area_struct *vma,
3626                                 unsigned long reqprot,
3627                                 unsigned long prot)
3628{
3629        const struct cred *cred = current_cred();
3630        u32 sid = cred_sid(cred);
3631
3632        if (selinux_checkreqprot)
3633                prot = reqprot;
3634
3635        if (default_noexec &&
3636            (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3637                int rc = 0;
3638                if (vma->vm_start >= vma->vm_mm->start_brk &&
3639                    vma->vm_end <= vma->vm_mm->brk) {
3640                        rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3641                                          PROCESS__EXECHEAP, NULL);
3642                } else if (!vma->vm_file &&
3643                           ((vma->vm_start <= vma->vm_mm->start_stack &&
3644                             vma->vm_end >= vma->vm_mm->start_stack) ||
3645                            vma_is_stack_for_current(vma))) {
3646                        rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3647                                          PROCESS__EXECSTACK, NULL);
3648                } else if (vma->vm_file && vma->anon_vma) {
3649                        /*
3650                         * We are making executable a file mapping that has
3651                         * had some COW done. Since pages might have been
3652                         * written, check ability to execute the possibly
3653                         * modified content.  This typically should only
3654                         * occur for text relocations.
3655                         */
3656                        rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3657                }
3658                if (rc)
3659                        return rc;
3660        }
3661
3662        return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3663}
3664
3665static int selinux_file_lock(struct file *file, unsigned int cmd)
3666{
3667        const struct cred *cred = current_cred();
3668
3669        return file_has_perm(cred, file, FILE__LOCK);
3670}
3671
3672static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3673                              unsigned long arg)
3674{
3675        const struct cred *cred = current_cred();
3676        int err = 0;
3677
3678        switch (cmd) {
3679        case F_SETFL:
3680                if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3681                        err = file_has_perm(cred, file, FILE__WRITE);
3682                        break;
3683                }
3684                /* fall through */
3685        case F_SETOWN:
3686        case F_SETSIG:
3687        case F_GETFL:
3688        case F_GETOWN:
3689        case F_GETSIG:
3690        case F_GETOWNER_UIDS:
3691                /* Just check FD__USE permission */
3692                err = file_has_perm(cred, file, 0);
3693                break;
3694        case F_GETLK:
3695        case F_SETLK:
3696        case F_SETLKW:
3697        case F_OFD_GETLK:
3698        case F_OFD_SETLK:
3699        case F_OFD_SETLKW:
3700#if BITS_PER_LONG == 32
3701        case F_GETLK64:
3702        case F_SETLK64:
3703        case F_SETLKW64:
3704#endif
3705                err = file_has_perm(cred, file, FILE__LOCK);
3706                break;
3707        }
3708
3709        return err;
3710}
3711
3712static void selinux_file_set_fowner(struct file *file)
3713{
3714        struct file_security_struct *fsec;
3715
3716        fsec = file->f_security;
3717        fsec->fown_sid = current_sid();
3718}
3719
3720static int selinux_file_send_sigiotask(struct task_struct *tsk,
3721                                       struct fown_struct *fown, int signum)
3722{
3723        struct file *file;
3724        u32 sid = task_sid(tsk);
3725        u32 perm;
3726        struct file_security_struct *fsec;
3727
3728        /* struct fown_struct is never outside the context of a struct file */
3729        file = container_of(fown, struct file, f_owner);
3730
3731        fsec = file->f_security;
3732
3733        if (!signum)
3734                perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3735        else
3736                perm = signal_to_av(signum);
3737
3738        return avc_has_perm(fsec->fown_sid, sid,
3739                            SECCLASS_PROCESS, perm, NULL);
3740}
3741
3742static int selinux_file_receive(struct file *file)
3743{
3744        const struct cred *cred = current_cred();
3745
3746        return file_has_perm(cred, file, file_to_av(file));
3747}
3748
3749static int selinux_file_open(struct file *file, const struct cred *cred)
3750{
3751        struct file_security_struct *fsec;
3752        struct inode_security_struct *isec;
3753
3754        fsec = file->f_security;
3755        isec = inode_security(file_inode(file));
3756        /*
3757         * Save inode label and policy sequence number
3758         * at open-time so that selinux_file_permission
3759         * can determine whether revalidation is necessary.
3760         * Task label is already saved in the file security
3761         * struct as its SID.
3762         */
3763        fsec->isid = isec->sid;
3764        fsec->pseqno = avc_policy_seqno();
3765        /*
3766         * Since the inode label or policy seqno may have changed
3767         * between the selinux_inode_permission check and the saving
3768         * of state above, recheck that access is still permitted.
3769         * Otherwise, access might never be revalidated against the
3770         * new inode label or new policy.
3771         * This check is not redundant - do not remove.
3772         */
3773        return file_path_has_perm(cred, file, open_file_to_av(file));
3774}
3775
3776/* task security operations */
3777
3778static int selinux_task_alloc(struct task_struct *task,
3779                              unsigned long clone_flags)
3780{
3781        u32 sid = current_sid();
3782
3783        return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3784}
3785
3786/*
3787 * allocate the SELinux part of blank credentials
3788 */
3789static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3790{
3791        struct task_security_struct *tsec;
3792
3793        tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3794        if (!tsec)
3795                return -ENOMEM;
3796
3797        cred->security = tsec;
3798        return 0;
3799}
3800
3801/*
3802 * detach and free the LSM part of a set of credentials
3803 */
3804static void selinux_cred_free(struct cred *cred)
3805{
3806        struct task_security_struct *tsec = cred->security;
3807
3808        /*
3809         * cred->security == NULL if security_cred_alloc_blank() or
3810         * security_prepare_creds() returned an error.
3811         */
3812        BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3813        cred->security = (void *) 0x7UL;
3814        kfree(tsec);
3815}
3816
3817/*
3818 * prepare a new set of credentials for modification
3819 */
3820static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3821                                gfp_t gfp)
3822{
3823        const struct task_security_struct *old_tsec;
3824        struct task_security_struct *tsec;
3825
3826        old_tsec = old->security;
3827
3828        tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3829        if (!tsec)
3830                return -ENOMEM;
3831
3832        new->security = tsec;
3833        return 0;
3834}
3835
3836/*
3837 * transfer the SELinux data to a blank set of creds
3838 */
3839static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3840{
3841        const struct task_security_struct *old_tsec = old->security;
3842        struct task_security_struct *tsec = new->security;
3843
3844        *tsec = *old_tsec;
3845}
3846
3847/*
3848 * set the security data for a kernel service
3849 * - all the creation contexts are set to unlabelled
3850 */
3851static int selinux_kernel_act_as(struct cred *new, u32 secid)
3852{
3853        struct task_security_struct *tsec = new->security;
3854        u32 sid = current_sid();
3855        int ret;
3856
3857        ret = avc_has_perm(sid, secid,
3858                           SECCLASS_KERNEL_SERVICE,
3859                           KERNEL_SERVICE__USE_AS_OVERRIDE,
3860                           NULL);
3861        if (ret == 0) {
3862                tsec->sid = secid;
3863                tsec->create_sid = 0;
3864                tsec->keycreate_sid = 0;
3865                tsec->sockcreate_sid = 0;
3866        }
3867        return ret;
3868}
3869
3870/*
3871 * set the file creation context in a security record to the same as the
3872 * objective context of the specified inode
3873 */
3874static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3875{
3876        struct inode_security_struct *isec = inode_security(inode);
3877        struct task_security_struct *tsec = new->security;
3878        u32 sid = current_sid();
3879        int ret;
3880
3881        ret = avc_has_perm(sid, isec->sid,
3882                           SECCLASS_KERNEL_SERVICE,
3883                           KERNEL_SERVICE__CREATE_FILES_AS,
3884                           NULL);
3885
3886        if (ret == 0)
3887                tsec->create_sid = isec->sid;
3888        return ret;
3889}
3890
3891static int selinux_kernel_module_request(char *kmod_name)
3892{
3893        struct common_audit_data ad;
3894
3895        ad.type = LSM_AUDIT_DATA_KMOD;
3896        ad.u.kmod_name = kmod_name;
3897
3898        return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3899                            SYSTEM__MODULE_REQUEST, &ad);
3900}
3901
3902static int selinux_kernel_module_from_file(struct file *file)
3903{
3904        struct common_audit_data ad;
3905        struct inode_security_struct *isec;
3906        struct file_security_struct *fsec;
3907        u32 sid = current_sid();
3908        int rc;
3909
3910        /* init_module */
3911        if (file == NULL)
3912                return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3913                                        SYSTEM__MODULE_LOAD, NULL);
3914
3915        /* finit_module */
3916
3917        ad.type = LSM_AUDIT_DATA_FILE;
3918        ad.u.file = file;
3919
3920        fsec = file->f_security;
3921        if (sid != fsec->sid) {
3922                rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3923                if (rc)
3924                        return rc;
3925        }
3926
3927        isec = inode_security(file_inode(file));
3928        return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3929                                SYSTEM__MODULE_LOAD, &ad);
3930}
3931
3932static int selinux_kernel_read_file(struct file *file,
3933                                    enum kernel_read_file_id id)
3934{
3935        int rc = 0;
3936
3937        switch (id) {
3938        case READING_MODULE:
3939                rc = selinux_kernel_module_from_file(file);
3940                break;
3941        default:
3942                break;
3943        }
3944
3945        return rc;
3946}
3947
3948static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3949{
3950        return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3951                            PROCESS__SETPGID, NULL);
3952}
3953
3954static int selinux_task_getpgid(struct task_struct *p)
3955{
3956        return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3957                            PROCESS__GETPGID, NULL);
3958}
3959
3960static int selinux_task_getsid(struct task_struct *p)
3961{
3962        return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3963                            PROCESS__GETSESSION, NULL);
3964}
3965
3966static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3967{
3968        *secid = task_sid(p);
3969}
3970
3971static int selinux_task_setnice(struct task_struct *p, int nice)
3972{
3973        return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3974                            PROCESS__SETSCHED, NULL);
3975}
3976
3977static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3978{
3979        return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3980                            PROCESS__SETSCHED, NULL);
3981}
3982
3983static int selinux_task_getioprio(struct task_struct *p)
3984{
3985        return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3986                            PROCESS__GETSCHED, NULL);
3987}
3988
3989static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3990                                unsigned int flags)
3991{
3992        u32 av = 0;
3993
3994        if (!flags)
3995                return 0;
3996        if (flags & LSM_PRLIMIT_WRITE)
3997                av |= PROCESS__SETRLIMIT;
3998        if (flags & LSM_PRLIMIT_READ)
3999                av |= PROCESS__GETRLIMIT;
4000        return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4001                            SECCLASS_PROCESS, av, NULL);
4002}
4003
4004static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4005                struct rlimit *new_rlim)
4006{
4007        struct rlimit *old_rlim = p->signal->rlim + resource;
4008
4009        /* Control the ability to change the hard limit (whether
4010           lowering or raising it), so that the hard limit can
4011           later be used as a safe reset point for the soft limit
4012           upon context transitions.  See selinux_bprm_committing_creds. */
4013        if (old_rlim->rlim_max != new_rlim->rlim_max)
4014                return avc_has_perm(current_sid(), task_sid(p),
4015                                    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4016
4017        return 0;
4018}
4019
4020static int selinux_task_setscheduler(struct task_struct *p)
4021{
4022        return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4023                            PROCESS__SETSCHED, NULL);
4024}
4025
4026static int selinux_task_getscheduler(struct task_struct *p)
4027{
4028        return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4029                            PROCESS__GETSCHED, NULL);
4030}
4031
4032static int selinux_task_movememory(struct task_struct *p)
4033{
4034        return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4035                            PROCESS__SETSCHED, NULL);
4036}
4037
4038static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4039                                int sig, u32 secid)
4040{
4041        u32 perm;
4042
4043        if (!sig)
4044                perm = PROCESS__SIGNULL; /* null signal; existence test */
4045        else
4046                perm = signal_to_av(sig);
4047        if (!secid)
4048                secid = current_sid();
4049        return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4050}
4051
4052static void selinux_task_to_inode(struct task_struct *p,
4053                                  struct inode *inode)
4054{
4055        struct inode_security_struct *isec = inode->i_security;
4056        u32 sid = task_sid(p);
4057
4058        spin_lock(&isec->lock);
4059        isec->sclass = inode_mode_to_security_class(inode->i_mode);
4060        isec->sid = sid;
4061        isec->initialized = LABEL_INITIALIZED;
4062        spin_unlock(&isec->lock);
4063}
4064
4065/* Returns error only if unable to parse addresses */
4066static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4067                        struct common_audit_data *ad, u8 *proto)
4068{
4069        int offset, ihlen, ret = -EINVAL;
4070        struct iphdr _iph, *ih;
4071
4072        offset = skb_network_offset(skb);
4073        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4074        if (ih == NULL)
4075                goto out;
4076
4077        ihlen = ih->ihl * 4;
4078        if (ihlen < sizeof(_iph))
4079                goto out;
4080
4081        ad->u.net->v4info.saddr = ih->saddr;
4082        ad->u.net->v4info.daddr = ih->daddr;
4083        ret = 0;
4084
4085        if (proto)
4086                *proto = ih->protocol;
4087
4088        switch (ih->protocol) {
4089        case IPPROTO_TCP: {
4090                struct tcphdr _tcph, *th;
4091
4092                if (ntohs(ih->frag_off) & IP_OFFSET)
4093                        break;
4094
4095                offset += ihlen;
4096                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4097                if (th == NULL)
4098                        break;
4099
4100                ad->u.net->sport = th->source;
4101                ad->u.net->dport = th->dest;
4102                break;
4103        }
4104
4105        case IPPROTO_UDP: {
4106                struct udphdr _udph, *uh;
4107
4108                if (ntohs(ih->frag_off) & IP_OFFSET)
4109                        break;
4110
4111                offset += ihlen;
4112                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4113                if (uh == NULL)
4114                        break;
4115
4116                ad->u.net->sport = uh->source;
4117                ad->u.net->dport = uh->dest;
4118                break;
4119        }
4120
4121        case IPPROTO_DCCP: {
4122                struct dccp_hdr _dccph, *dh;
4123
4124                if (ntohs(ih->frag_off) & IP_OFFSET)
4125                        break;
4126
4127                offset += ihlen;
4128                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4129                if (dh == NULL)
4130                        break;
4131
4132                ad->u.net->sport = dh->dccph_sport;
4133                ad->u.net->dport = dh->dccph_dport;
4134                break;
4135        }
4136
4137        default:
4138                break;
4139        }
4140out:
4141        return ret;
4142}
4143
4144#if IS_ENABLED(CONFIG_IPV6)
4145
4146/* Returns error only if unable to parse addresses */
4147static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4148                        struct common_audit_data *ad, u8 *proto)
4149{
4150        u8 nexthdr;
4151        int ret = -EINVAL, offset;
4152        struct ipv6hdr _ipv6h, *ip6;
4153        __be16 frag_off;
4154
4155        offset = skb_network_offset(skb);
4156        ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4157        if (ip6 == NULL)
4158                goto out;
4159
4160        ad->u.net->v6info.saddr = ip6->saddr;
4161        ad->u.net->v6info.daddr = ip6->daddr;
4162        ret = 0;
4163
4164        nexthdr = ip6->nexthdr;
4165        offset += sizeof(_ipv6h);
4166        offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4167        if (offset < 0)
4168                goto out;
4169
4170        if (proto)
4171                *proto = nexthdr;
4172
4173        switch (nexthdr) {
4174        case IPPROTO_TCP: {
4175                struct tcphdr _tcph, *th;
4176
4177                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4178                if (th == NULL)
4179                        break;
4180
4181                ad->u.net->sport = th->source;
4182                ad->u.net->dport = th->dest;
4183                break;
4184        }
4185
4186        case IPPROTO_UDP: {
4187                struct udphdr _udph, *uh;
4188
4189                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4190                if (uh == NULL)
4191                        break;
4192
4193                ad->u.net->sport = uh->source;
4194                ad->u.net->dport = uh->dest;
4195                break;
4196        }
4197
4198        case IPPROTO_DCCP: {
4199                struct dccp_hdr _dccph, *dh;
4200
4201                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4202                if (dh == NULL)
4203                        break;
4204
4205                ad->u.net->sport = dh->dccph_sport;
4206                ad->u.net->dport = dh->dccph_dport;
4207                break;
4208        }
4209
4210        /* includes fragments */
4211        default:
4212                break;
4213        }
4214out:
4215        return ret;
4216}
4217
4218#endif /* IPV6 */
4219
4220static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4221                             char **_addrp, int src, u8 *proto)
4222{
4223        char *addrp;
4224        int ret;
4225
4226        switch (ad->u.net->family) {
4227        case PF_INET:
4228                ret = selinux_parse_skb_ipv4(skb, ad, proto);
4229                if (ret)
4230                        goto parse_error;
4231                addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4232                                       &ad->u.net->v4info.daddr);
4233                goto okay;
4234
4235#if IS_ENABLED(CONFIG_IPV6)
4236        case PF_INET6:
4237                ret = selinux_parse_skb_ipv6(skb, ad, proto);
4238                if (ret)
4239                        goto parse_error;
4240                addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4241                                       &ad->u.net->v6info.daddr);
4242                goto okay;
4243#endif  /* IPV6 */
4244        default:
4245                addrp = NULL;
4246                goto okay;
4247        }
4248
4249parse_error:
4250        printk(KERN_WARNING
4251               "SELinux: failure in selinux_parse_skb(),"
4252               " unable to parse packet\n");
4253        return ret;
4254
4255okay:
4256        if (_addrp)
4257                *_addrp = addrp;
4258        return 0;
4259}
4260
4261/**
4262 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4263 * @skb: the packet
4264 * @family: protocol family
4265 * @sid: the packet's peer label SID
4266 *
4267 * Description:
4268 * Check the various different forms of network peer labeling and determine
4269 * the peer label/SID for the packet; most of the magic actually occurs in
4270 * the security server function security_net_peersid_cmp().  The function
4271 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4272 * or -EACCES if @sid is invalid due to inconsistencies with the different
4273 * peer labels.
4274 *
4275 */
4276static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4277{
4278        int err;
4279        u32 xfrm_sid;
4280        u32 nlbl_sid;
4281        u32 nlbl_type;
4282
4283        err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4284        if (unlikely(err))
4285                return -EACCES;
4286        err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4287        if (unlikely(err))
4288                return -EACCES;
4289
4290        err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4291        if (unlikely(err)) {
4292                printk(KERN_WARNING
4293                       "SELinux: failure in selinux_skb_peerlbl_sid(),"
4294                       " unable to determine packet's peer label\n");
4295                return -EACCES;
4296        }
4297
4298        return 0;
4299}
4300
4301/**
4302 * selinux_conn_sid - Determine the child socket label for a connection
4303 * @sk_sid: the parent socket's SID
4304 * @skb_sid: the packet's SID
4305 * @conn_sid: the resulting connection SID
4306 *
4307 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4308 * combined with the MLS information from @skb_sid in order to create
4309 * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4310 * of @sk_sid.  Returns zero on success, negative values on failure.
4311 *
4312 */
4313static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4314{
4315        int err = 0;
4316
4317        if (skb_sid != SECSID_NULL)
4318                err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4319        else
4320                *conn_sid = sk_sid;
4321
4322        return err;
4323}
4324
4325/* socket security operations */
4326
4327static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4328                                 u16 secclass, u32 *socksid)
4329{
4330        if (tsec->sockcreate_sid > SECSID_NULL) {
4331                *socksid = tsec->sockcreate_sid;
4332                return 0;
4333        }
4334
4335        return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4336                                       socksid);
4337}
4338
4339static int sock_has_perm(struct sock *sk, u32 perms)
4340{
4341        struct sk_security_struct *sksec = sk->sk_security;
4342        struct common_audit_data ad;
4343        struct lsm_network_audit net = {0,};
4344
4345        if (sksec->sid == SECINITSID_KERNEL)
4346                return 0;
4347
4348        ad.type = LSM_AUDIT_DATA_NET;
4349        ad.u.net = &net;
4350        ad.u.net->sk = sk;
4351
4352        return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4353                            &ad);
4354}
4355
4356static int selinux_socket_create(int family, int type,
4357                                 int protocol, int kern)
4358{
4359        const struct task_security_struct *tsec = current_security();
4360        u32 newsid;
4361        u16 secclass;
4362        int rc;
4363
4364        if (kern)
4365                return 0;
4366
4367        secclass = socket_type_to_security_class(family, type, protocol);
4368        rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4369        if (rc)
4370                return rc;
4371
4372        return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4373}
4374
4375static int selinux_socket_post_create(struct socket *sock, int family,
4376                                      int type, int protocol, int kern)
4377{
4378        const struct task_security_struct *tsec = current_security();
4379        struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4380        struct sk_security_struct *sksec;
4381        u16 sclass = socket_type_to_security_class(family, type, protocol);
4382        u32 sid = SECINITSID_KERNEL;
4383        int err = 0;
4384
4385        if (!kern) {
4386                err = socket_sockcreate_sid(tsec, sclass, &sid);
4387                if (err)
4388                        return err;
4389        }
4390
4391        isec->sclass = sclass;
4392        isec->sid = sid;
4393        isec->initialized = LABEL_INITIALIZED;
4394
4395        if (sock->sk) {
4396                sksec = sock->sk->sk_security;
4397                sksec->sclass = sclass;
4398                sksec->sid = sid;
4399                err = selinux_netlbl_socket_post_create(sock->sk, family);
4400        }
4401
4402        return err;
4403}
4404
4405/* Range of port numbers used to automatically bind.
4406   Need to determine whether we should perform a name_bind
4407   permission check between the socket and the port number. */
4408
4409static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4410{
4411        struct sock *sk = sock->sk;
4412        u16 family;
4413        int err;
4414
4415        err = sock_has_perm(sk, SOCKET__BIND);
4416        if (err)
4417                goto out;
4418
4419        /*
4420         * If PF_INET or PF_INET6, check name_bind permission for the port.
4421         * Multiple address binding for SCTP is not supported yet: we just
4422         * check the first address now.
4423         */
4424        family = sk->sk_family;
4425        if (family == PF_INET || family == PF_INET6) {
4426                char *addrp;
4427                struct sk_security_struct *sksec = sk->sk_security;
4428                struct common_audit_data ad;
4429                struct lsm_network_audit net = {0,};
4430                struct sockaddr_in *addr4 = NULL;
4431                struct sockaddr_in6 *addr6 = NULL;
4432                unsigned short snum;
4433                u32 sid, node_perm;
4434
4435                if (family == PF_INET) {
4436                        if (addrlen < sizeof(struct sockaddr_in)) {
4437                                err = -EINVAL;
4438                                goto out;
4439                        }
4440                        addr4 = (struct sockaddr_in *)address;
4441                        snum = ntohs(addr4->sin_port);
4442                        addrp = (char *)&addr4->sin_addr.s_addr;
4443                } else {
4444                        if (addrlen < SIN6_LEN_RFC2133) {
4445                                err = -EINVAL;
4446                                goto out;
4447                        }
4448                        addr6 = (struct sockaddr_in6 *)address;
4449                        snum = ntohs(addr6->sin6_port);
4450                        addrp = (char *)&addr6->sin6_addr.s6_addr;
4451                }
4452
4453                if (snum) {
4454                        int low, high;
4455
4456                        inet_get_local_port_range(sock_net(sk), &low, &high);
4457
4458                        if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4459                            snum > high) {
4460                                err = sel_netport_sid(sk->sk_protocol,
4461                                                      snum, &sid);
4462                                if (err)
4463                                        goto out;
4464                                ad.type = LSM_AUDIT_DATA_NET;
4465                                ad.u.net = &net;
4466                                ad.u.net->sport = htons(snum);
4467                                ad.u.net->family = family;
4468                                err = avc_has_perm(sksec->sid, sid,
4469                                                   sksec->sclass,
4470                                                   SOCKET__NAME_BIND, &ad);
4471                                if (err)
4472                                        goto out;
4473                        }
4474                }
4475
4476                switch (sksec->sclass) {
4477                case SECCLASS_TCP_SOCKET:
4478                        node_perm = TCP_SOCKET__NODE_BIND;
4479                        break;
4480
4481                case SECCLASS_UDP_SOCKET:
4482                        node_perm = UDP_SOCKET__NODE_BIND;
4483                        break;
4484
4485                case SECCLASS_DCCP_SOCKET:
4486                        node_perm = DCCP_SOCKET__NODE_BIND;
4487                        break;
4488
4489                default:
4490                        node_perm = RAWIP_SOCKET__NODE_BIND;
4491                        break;
4492                }
4493
4494                err = sel_netnode_sid(addrp, family, &sid);
4495                if (err)
4496                        goto out;
4497
4498                ad.type = LSM_AUDIT_DATA_NET;
4499                ad.u.net = &net;
4500                ad.u.net->sport = htons(snum);
4501                ad.u.net->family = family;
4502
4503                if (family == PF_INET)
4504                        ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4505                else
4506                        ad.u.net->v6info.saddr = addr6->sin6_addr;
4507
4508                err = avc_has_perm(sksec->sid, sid,
4509                                   sksec->sclass, node_perm, &ad);
4510                if (err)
4511                        goto out;
4512        }
4513out:
4514        return err;
4515}
4516
4517static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4518{
4519        struct sock *sk = sock->sk;
4520        struct sk_security_struct *sksec = sk->sk_security;
4521        int err;
4522
4523        err = sock_has_perm(sk, SOCKET__CONNECT);
4524        if (err)
4525                return err;
4526
4527        /*
4528         * If a TCP or DCCP socket, check name_connect permission for the port.
4529         */
4530        if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4531            sksec->sclass == SECCLASS_DCCP_SOCKET) {
4532                struct common_audit_data ad;
4533                struct lsm_network_audit net = {0,};
4534                struct sockaddr_in *addr4 = NULL;
4535                struct sockaddr_in6 *addr6 = NULL;
4536                unsigned short snum;
4537                u32 sid, perm;
4538
4539                if (sk->sk_family == PF_INET) {
4540                        addr4 = (struct sockaddr_in *)address;
4541                        if (addrlen < sizeof(struct sockaddr_in))
4542                                return -EINVAL;
4543                        snum = ntohs(addr4->sin_port);
4544                } else {
4545                        addr6 = (struct sockaddr_in6 *)address;
4546                        if (addrlen < SIN6_LEN_RFC2133)
4547                                return -EINVAL;
4548                        snum = ntohs(addr6->sin6_port);
4549                }
4550
4551                err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4552                if (err)
4553                        goto out;
4554
4555                perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4556                       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4557
4558                ad.type = LSM_AUDIT_DATA_NET;
4559                ad.u.net = &net;
4560                ad.u.net->dport = htons(snum);
4561                ad.u.net->family = sk->sk_family;
4562                err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4563                if (err)
4564                        goto out;
4565        }
4566
4567        err = selinux_netlbl_socket_connect(sk, address);
4568
4569out:
4570        return err;
4571}
4572
4573static int selinux_socket_listen(struct socket *sock, int backlog)
4574{
4575        return sock_has_perm(sock->sk, SOCKET__LISTEN);
4576}
4577
4578static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4579{
4580        int err;
4581        struct inode_security_struct *isec;
4582        struct inode_security_struct *newisec;
4583        u16 sclass;
4584        u32 sid;
4585
4586        err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4587        if (err)
4588                return err;
4589
4590        isec = inode_security_novalidate(SOCK_INODE(sock));
4591        spin_lock(&isec->lock);
4592        sclass = isec->sclass;
4593        sid = isec->sid;
4594        spin_unlock(&isec->lock);
4595
4596        newisec = inode_security_novalidate(SOCK_INODE(newsock));
4597        newisec->sclass = sclass;
4598        newisec->sid = sid;
4599        newisec->initialized = LABEL_INITIALIZED;
4600
4601        return 0;
4602}
4603
4604static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4605                                  int size)
4606{
4607        return sock_has_perm(sock->sk, SOCKET__WRITE);
4608}
4609
4610static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4611                                  int size, int flags)
4612{
4613        return sock_has_perm(sock->sk, SOCKET__READ);
4614}
4615
4616static int selinux_socket_getsockname(struct socket *sock)
4617{
4618        return sock_has_perm(sock->sk, SOCKET__GETATTR);
4619}
4620
4621static int selinux_socket_getpeername(struct socket *sock)
4622{
4623        return sock_has_perm(sock->sk, SOCKET__GETATTR);
4624}
4625
4626static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4627{
4628        int err;
4629
4630        err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4631        if (err)
4632                return err;
4633
4634        return selinux_netlbl_socket_setsockopt(sock, level, optname);
4635}
4636
4637static int selinux_socket_getsockopt(struct socket *sock, int level,
4638                                     int optname)
4639{
4640        return sock_has_perm(sock->sk, SOCKET__GETOPT);
4641}
4642
4643static int selinux_socket_shutdown(struct socket *sock, int how)
4644{
4645        return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4646}
4647
4648static int selinux_socket_unix_stream_connect(struct sock *sock,
4649                                              struct sock *other,
4650                                              struct sock *newsk)
4651{
4652        struct sk_security_struct *sksec_sock = sock->sk_security;
4653        struct sk_security_struct *sksec_other = other->sk_security;
4654        struct sk_security_struct *sksec_new = newsk->sk_security;
4655        struct common_audit_data ad;
4656        struct lsm_network_audit net = {0,};
4657        int err;
4658
4659        ad.type = LSM_AUDIT_DATA_NET;
4660        ad.u.net = &net;
4661        ad.u.net->sk = other;
4662
4663        err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4664                           sksec_other->sclass,
4665                           UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4666        if (err)
4667                return err;
4668
4669        /* server child socket */
4670        sksec_new->peer_sid = sksec_sock->sid;
4671        err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4672                                    &sksec_new->sid);
4673        if (err)
4674                return err;
4675
4676        /* connecting socket */
4677        sksec_sock->peer_sid = sksec_new->sid;
4678
4679        return 0;
4680}
4681
4682static int selinux_socket_unix_may_send(struct socket *sock,
4683                                        struct socket *other)
4684{
4685        struct sk_security_struct *ssec = sock->sk->sk_security;
4686        struct sk_security_struct *osec = other->sk->sk_security;
4687        struct common_audit_data ad;
4688        struct lsm_network_audit net = {0,};
4689
4690        ad.type = LSM_AUDIT_DATA_NET;
4691        ad.u.net = &net;
4692        ad.u.net->sk = other->sk;
4693
4694        return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4695                            &ad);
4696}
4697
4698static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4699                                    char *addrp, u16 family, u32 peer_sid,
4700                                    struct common_audit_data *ad)
4701{
4702        int err;
4703        u32 if_sid;
4704        u32 node_sid;
4705
4706        err = sel_netif_sid(ns, ifindex, &if_sid);
4707        if (err)
4708                return err;
4709        err = avc_has_perm(peer_sid, if_sid,
4710                           SECCLASS_NETIF, NETIF__INGRESS, ad);
4711        if (err)
4712                return err;
4713
4714        err = sel_netnode_sid(addrp, family, &node_sid);
4715        if (err)
4716                return err;
4717        return avc_has_perm(peer_sid, node_sid,
4718                            SECCLASS_NODE, NODE__RECVFROM, ad);
4719}
4720
4721static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4722                                       u16 family)
4723{
4724        int err = 0;
4725        struct sk_security_struct *sksec = sk->sk_security;
4726        u32 sk_sid = sksec->sid;
4727        struct common_audit_data ad;
4728        struct lsm_network_audit net = {0,};
4729        char *addrp;
4730
4731        ad.type = LSM_AUDIT_DATA_NET;
4732        ad.u.net = &net;
4733        ad.u.net->netif = skb->skb_iif;
4734        ad.u.net->family = family;
4735        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4736        if (err)
4737                return err;
4738
4739        if (selinux_secmark_enabled()) {
4740                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4741                                   PACKET__RECV, &ad);
4742                if (err)
4743                        return err;
4744        }
4745
4746        err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4747        if (err)
4748                return err;
4749        err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4750
4751        return err;
4752}
4753
4754static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4755{
4756        int err;
4757        struct sk_security_struct *sksec = sk->sk_security;
4758        u16 family = sk->sk_family;
4759        u32 sk_sid = sksec->sid;
4760        struct common_audit_data ad;
4761        struct lsm_network_audit net = {0,};
4762        char *addrp;
4763        u8 secmark_active;
4764        u8 peerlbl_active;
4765
4766        if (family != PF_INET && family != PF_INET6)
4767                return 0;
4768
4769        /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4770        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4771                family = PF_INET;
4772
4773        /* If any sort of compatibility mode is enabled then handoff processing
4774         * to the selinux_sock_rcv_skb_compat() function to deal with the
4775         * special handling.  We do this in an attempt to keep this function
4776         * as fast and as clean as possible. */
4777        if (!selinux_policycap_netpeer)
4778                return selinux_sock_rcv_skb_compat(sk, skb, family);
4779
4780        secmark_active = selinux_secmark_enabled();
4781        peerlbl_active = selinux_peerlbl_enabled();
4782        if (!secmark_active && !peerlbl_active)
4783                return 0;
4784
4785        ad.type = LSM_AUDIT_DATA_NET;
4786        ad.u.net = &net;
4787        ad.u.net->netif = skb->skb_iif;
4788        ad.u.net->family = family;
4789        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4790        if (err)
4791                return err;
4792
4793        if (peerlbl_active) {
4794                u32 peer_sid;
4795
4796                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4797                if (err)
4798                        return err;
4799                err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4800                                               addrp, family, peer_sid, &ad);
4801                if (err) {
4802                        selinux_netlbl_err(skb, family, err, 0);
4803                        return err;
4804                }
4805                err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4806                                   PEER__RECV, &ad);
4807                if (err) {
4808                        selinux_netlbl_err(skb, family, err, 0);
4809                        return err;
4810                }
4811        }
4812
4813        if (secmark_active) {
4814                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4815                                   PACKET__RECV, &ad);
4816                if (err)
4817                        return err;
4818        }
4819
4820        return err;
4821}
4822
4823static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4824                                            int __user *optlen, unsigned len)
4825{
4826        int err = 0;
4827        char *scontext;
4828        u32 scontext_len;
4829        struct sk_security_struct *sksec = sock->sk->sk_security;
4830        u32 peer_sid = SECSID_NULL;
4831
4832        if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4833            sksec->sclass == SECCLASS_TCP_SOCKET)
4834                peer_sid = sksec->peer_sid;
4835        if (peer_sid == SECSID_NULL)
4836                return -ENOPROTOOPT;
4837
4838        err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4839        if (err)
4840                return err;
4841
4842        if (scontext_len > len) {
4843                err = -ERANGE;
4844                goto out_len;
4845        }
4846
4847        if (copy_to_user(optval, scontext, scontext_len))
4848                err = -EFAULT;
4849
4850out_len:
4851        if (put_user(scontext_len, optlen))
4852                err = -EFAULT;
4853        kfree(scontext);
4854        return err;
4855}
4856
4857static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4858{
4859        u32 peer_secid = SECSID_NULL;
4860        u16 family;
4861        struct inode_security_struct *isec;
4862
4863        if (skb && skb->protocol == htons(ETH_P_IP))
4864                family = PF_INET;
4865        else if (skb && skb->protocol == htons(ETH_P_IPV6))
4866                family = PF_INET6;
4867        else if (sock)
4868                family = sock->sk->sk_family;
4869        else
4870                goto out;
4871
4872        if (sock && family == PF_UNIX) {
4873                isec = inode_security_novalidate(SOCK_INODE(sock));
4874                peer_secid = isec->sid;
4875        } else if (skb)
4876                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4877
4878out:
4879        *secid = peer_secid;
4880        if (peer_secid == SECSID_NULL)
4881                return -EINVAL;
4882        return 0;
4883}
4884
4885static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4886{
4887        struct sk_security_struct *sksec;
4888
4889        sksec = kzalloc(sizeof(*sksec), priority);
4890        if (!sksec)
4891                return -ENOMEM;
4892
4893        sksec->peer_sid = SECINITSID_UNLABELED;
4894        sksec->sid = SECINITSID_UNLABELED;
4895        sksec->sclass = SECCLASS_SOCKET;
4896        selinux_netlbl_sk_security_reset(sksec);
4897        sk->sk_security = sksec;
4898
4899        return 0;
4900}
4901
4902static void selinux_sk_free_security(struct sock *sk)
4903{
4904        struct sk_security_struct *sksec = sk->sk_security;
4905
4906        sk->sk_security = NULL;
4907        selinux_netlbl_sk_security_free(sksec);
4908        kfree(sksec);
4909}
4910
4911static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4912{
4913        struct sk_security_struct *sksec = sk->sk_security;
4914        struct sk_security_struct *newsksec = newsk->sk_security;
4915
4916        newsksec->sid = sksec->sid;
4917        newsksec->peer_sid = sksec->peer_sid;
4918        newsksec->sclass = sksec->sclass;
4919
4920        selinux_netlbl_sk_security_reset(newsksec);
4921}
4922
4923static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4924{
4925        if (!sk)
4926                *secid = SECINITSID_ANY_SOCKET;
4927        else {
4928                struct sk_security_struct *sksec = sk->sk_security;
4929
4930                *secid = sksec->sid;
4931        }
4932}
4933
4934static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4935{
4936        struct inode_security_struct *isec =
4937                inode_security_novalidate(SOCK_INODE(parent));
4938        struct sk_security_struct *sksec = sk->sk_security;
4939
4940        if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4941            sk->sk_family == PF_UNIX)
4942                isec->sid = sksec->sid;
4943        sksec->sclass = isec->sclass;
4944}
4945
4946static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4947                                     struct request_sock *req)
4948{
4949        struct sk_security_struct *sksec = sk->sk_security;
4950        int err;
4951        u16 family = req->rsk_ops->family;
4952        u32 connsid;
4953        u32 peersid;
4954
4955        err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4956        if (err)
4957                return err;
4958        err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4959        if (err)
4960                return err;
4961        req->secid = connsid;
4962        req->peer_secid = peersid;
4963
4964        return selinux_netlbl_inet_conn_request(req, family);
4965}
4966
4967static void selinux_inet_csk_clone(struct sock *newsk,
4968                                   const struct request_sock *req)
4969{
4970        struct sk_security_struct *newsksec = newsk->sk_security;
4971
4972        newsksec->sid = req->secid;
4973        newsksec->peer_sid = req->peer_secid;
4974        /* NOTE: Ideally, we should also get the isec->sid for the
4975           new socket in sync, but we don't have the isec available yet.
4976           So we will wait until sock_graft to do it, by which
4977           time it will have been created and available. */
4978
4979        /* We don't need to take any sort of lock here as we are the only
4980         * thread with access to newsksec */
4981        selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4982}
4983
4984static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4985{
4986        u16 family = sk->sk_family;
4987        struct sk_security_struct *sksec = sk->sk_security;
4988
4989        /* handle mapped IPv4 packets arriving via IPv6 sockets */
4990        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4991                family = PF_INET;
4992
4993        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4994}
4995
4996static int selinux_secmark_relabel_packet(u32 sid)
4997{
4998        const struct task_security_struct *__tsec;
4999        u32 tsid;
5000
5001        __tsec = current_security();
5002        tsid = __tsec->sid;
5003
5004        return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
5005}
5006
5007static void selinux_secmark_refcount_inc(void)
5008{
5009        atomic_inc(&selinux_secmark_refcount);
5010}
5011
5012static void selinux_secmark_refcount_dec(void)
5013{
5014        atomic_dec(&selinux_secmark_refcount);
5015}
5016
5017static void selinux_req_classify_flow(const struct request_sock *req,
5018                                      struct flowi *fl)