linux/security/selinux/hooks.c
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 *  NSA Security-Enhanced Linux (SELinux) security module
   4 *
   5 *  This file contains the SELinux hook function implementations.
   6 *
   7 *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
   8 *            Chris Vance, <cvance@nai.com>
   9 *            Wayne Salamon, <wsalamon@nai.com>
  10 *            James Morris <jmorris@redhat.com>
  11 *
  12 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  13 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  14 *                                         Eric Paris <eparis@redhat.com>
  15 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  16 *                          <dgoeddel@trustedcs.com>
  17 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
  18 *      Paul Moore <paul@paul-moore.com>
  19 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  20 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  21 *  Copyright (C) 2016 Mellanox Technologies
  22 */
  23
  24#include <linux/init.h>
  25#include <linux/kd.h>
  26#include <linux/kernel.h>
  27#include <linux/kernel_read_file.h>
  28#include <linux/tracehook.h>
  29#include <linux/errno.h>
  30#include <linux/sched/signal.h>
  31#include <linux/sched/task.h>
  32#include <linux/lsm_hooks.h>
  33#include <linux/xattr.h>
  34#include <linux/capability.h>
  35#include <linux/unistd.h>
  36#include <linux/mm.h>
  37#include <linux/mman.h>
  38#include <linux/slab.h>
  39#include <linux/pagemap.h>
  40#include <linux/proc_fs.h>
  41#include <linux/swap.h>
  42#include <linux/spinlock.h>
  43#include <linux/syscalls.h>
  44#include <linux/dcache.h>
  45#include <linux/file.h>
  46#include <linux/fdtable.h>
  47#include <linux/namei.h>
  48#include <linux/mount.h>
  49#include <linux/fs_context.h>
  50#include <linux/fs_parser.h>
  51#include <linux/netfilter_ipv4.h>
  52#include <linux/netfilter_ipv6.h>
  53#include <linux/tty.h>
  54#include <net/icmp.h>
  55#include <net/ip.h>             /* for local_port_range[] */
  56#include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  57#include <net/inet_connection_sock.h>
  58#include <net/net_namespace.h>
  59#include <net/netlabel.h>
  60#include <linux/uaccess.h>
  61#include <asm/ioctls.h>
  62#include <linux/atomic.h>
  63#include <linux/bitops.h>
  64#include <linux/interrupt.h>
  65#include <linux/netdevice.h>    /* for network interface checks */
  66#include <net/netlink.h>
  67#include <linux/tcp.h>
  68#include <linux/udp.h>
  69#include <linux/dccp.h>
  70#include <linux/sctp.h>
  71#include <net/sctp/structs.h>
  72#include <linux/quota.h>
  73#include <linux/un.h>           /* for Unix socket types */
  74#include <net/af_unix.h>        /* for Unix socket types */
  75#include <linux/parser.h>
  76#include <linux/nfs_mount.h>
  77#include <net/ipv6.h>
  78#include <linux/hugetlb.h>
  79#include <linux/personality.h>
  80#include <linux/audit.h>
  81#include <linux/string.h>
  82#include <linux/mutex.h>
  83#include <linux/posix-timers.h>
  84#include <linux/syslog.h>
  85#include <linux/user_namespace.h>
  86#include <linux/export.h>
  87#include <linux/msg.h>
  88#include <linux/shm.h>
  89#include <linux/bpf.h>
  90#include <linux/kernfs.h>
  91#include <linux/stringhash.h>   /* for hashlen_string() */
  92#include <uapi/linux/mount.h>
  93#include <linux/fsnotify.h>
  94#include <linux/fanotify.h>
  95
  96#include "avc.h"
  97#include "objsec.h"
  98#include "netif.h"
  99#include "netnode.h"
 100#include "netport.h"
 101#include "ibpkey.h"
 102#include "xfrm.h"
 103#include "netlabel.h"
 104#include "audit.h"
 105#include "avc_ss.h"
 106
/*
 * The global SELinux state handed to the AVC and security-server calls in
 * this file (selinux_initialized(), avc_has_perm(), security_*()).
 */
struct selinux_state selinux_state;

/*
 * SECMARK reference count: non-zero while SECMARK targets are configured,
 * which is what selinux_secmark_enabled() tests.
 */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 111
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static int selinux_enforcing_boot __initdata;

/*
 * "enforcing=" boot parameter handler.  Any non-zero value sets
 * selinux_enforcing_boot to 1, zero sets it to 0; a value that kstrtoul()
 * cannot parse leaves it untouched.  Always returns 1, as __setup()
 * handlers do once they have consumed their parameter.
 */
static int __init enforcing_setup(char *str)
{
	unsigned long val;

	if (kstrtoul(str, 0, &val) == 0)
		selinux_enforcing_boot = !!val;
	return 1;
}
__setup("enforcing=", enforcing_setup);
#else
#define selinux_enforcing_boot 1
#endif
 126
int selinux_enabled_boot __initdata = 1;
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
/*
 * "selinux=" boot parameter handler.  Zero clears selinux_enabled_boot,
 * any other parsable value sets it to 1; unparsable input is ignored.
 * Always returns 1.
 */
static int __init selinux_enabled_setup(char *str)
{
	unsigned long val;

	if (kstrtoul(str, 0, &val) == 0)
		selinux_enabled_boot = !!val;
	return 1;
}
__setup("selinux=", selinux_enabled_setup);
#endif
 138
static unsigned int selinux_checkreqprot_boot =
	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;

/*
 * "checkreqprot=" boot parameter handler.  A parsable value sets
 * selinux_checkreqprot_boot to 0 or 1; enabling it additionally logs a
 * deprecation warning.  Unparsable input is ignored.  Always returns 1.
 */
static int __init checkreqprot_setup(char *str)
{
	unsigned long val;

	if (kstrtoul(str, 0, &val))
		return 1;

	selinux_checkreqprot_boot = !!val;
	if (val)
		pr_warn("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
	return 1;
}
__setup("checkreqprot=", checkreqprot_setup);
 154
/**
 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 *
 * Description:
 * SECMARK counts as enabled when the always_check_network policy capability
 * is set, or when the SECMARK reference counter is non-zero (i.e. at least
 * one SECMARK target is configured).  Returns 1 if enabled, 0 otherwise.
 *
 */
static int selinux_secmark_enabled(void)
{
	if (selinux_policycap_alwaysnetwork())
		return 1;
	return atomic_read(&selinux_secmark_refcount) != 0;
}
 171
/**
 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
 *
 * Description:
 * Peer labeling counts as enabled when the always_check_network policy
 * capability is set, when NetLabel is enabled, or when labeled IPSEC (xfrm)
 * is enabled.  Returns 1 if any of these hold, 0 otherwise.
 *
 */
static int selinux_peerlbl_enabled(void)
{
	if (selinux_policycap_alwaysnetwork())
		return 1;
	if (netlbl_enabled())
		return 1;
	return selinux_xfrm_enabled() ? 1 : 0;
}
 187
/*
 * AVC callback: on AVC_CALLBACK_RESET drop the cached network interface,
 * node and port labels, then synchronize_net() before returning.  Any other
 * event is ignored.  Always returns 0.
 */
static int selinux_netcache_avc_callback(u32 event)
{
	if (event != AVC_CALLBACK_RESET)
		return 0;

	sel_netif_flush();
	sel_netnode_flush();
	sel_netport_flush();
	synchronize_net();
	return 0;
}
 198
/*
 * AVC callback: on AVC_CALLBACK_RESET flush the cached pkey labels and
 * notify LSM notifier listeners of an LSM_POLICY_CHANGE.  Other events are
 * ignored.  Always returns 0.
 */
static int selinux_lsm_notifier_avc_callback(u32 event)
{
	if (event != AVC_CALLBACK_RESET)
		return 0;

	sel_ib_pkey_flush();
	call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
	return 0;
}
 208
/*
 * Initialise the security for the init task: label the real credentials of
 * the current task with the kernel initial SID (both sid and osid).
 */
static void cred_init_security(void)
{
	struct task_security_struct *tsec;

	/* real_cred is const on the task; the init path writes through it. */
	tsec = selinux_cred((struct cred *) current->real_cred);
	tsec->sid = SECINITSID_KERNEL;
	tsec->osid = SECINITSID_KERNEL;
}
 220
/*
 * Return the security ID stored in a set of credentials.
 */
static inline u32 cred_sid(const struct cred *cred)
{
	return selinux_cred(cred)->sid;
}
 231
/*
 * Return the subjective security ID of a task, i.e. the SID of its
 * (possibly overridden) task->cred, read under RCU.
 */
static inline u32 task_sid_subj(const struct task_struct *task)
{
	const struct cred *cred;
	u32 sid;

	rcu_read_lock();
	cred = rcu_dereference(task->cred);
	sid = cred_sid(cred);
	rcu_read_unlock();

	return sid;
}
 244
/*
 * Return the objective security ID of a task, i.e. the SID of its real
 * credentials (__task_cred()), read under RCU.
 */
static inline u32 task_sid_obj(const struct task_struct *task)
{
	const struct cred *cred;
	u32 sid;

	rcu_read_lock();
	cred = __task_cred(task);
	sid = cred_sid(cred);
	rcu_read_unlock();

	return sid;
}
 257
/*
 * Return the security ID of a task for use with binder.
 */
static inline u32 task_sid_binder(const struct task_struct *task)
{
	/*
	 * Most binder call sites would ideally use the task's subjective SID,
	 * but the subjective creds of a task other than the current one
	 * cannot be accessed reliably.  The objective creds/SID are safe to
	 * read, so they are used instead; the trade-off is that a task
	 * temporarily overriding its creds is not reflected here, and it is
	 * not clear binder would cope with that case anyway.
	 *
	 * Should it become safe to reference another task's subjective SID,
	 * this wrapper marks every place in the binder hooks that needs to
	 * change.  The drivers/android binder code would likely need
	 * adjusting as well.
	 */
	return task_sid_obj(task);
}
 280
 281static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 282
/*
 * Try reloading inode security labels that have been marked as invalid.  The
 * @may_sleep parameter indicates when sleeping and thus reloading labels is
 * allowed; when set to false, returns -ECHILD when the label is invalid.
 * The @dentry parameter should be set to a dentry of the inode, or NULL if
 * none is at hand.  Returns 0 in every other case, including when the reload
 * itself does not succeed.
 */
static int __inode_security_revalidate(struct inode *inode,
				       struct dentry *dentry,
				       bool may_sleep)
{
	struct inode_security_struct *isec = selinux_inode(inode);

	might_sleep_if(may_sleep);

	/* Nothing to do before policy load or when the label is current. */
	if (!selinux_initialized(&selinux_state))
		return 0;
	if (isec->initialized == LABEL_INITIALIZED)
		return 0;

	if (!may_sleep)
		return -ECHILD;

	/*
	 * Reload the label.  This fails when @dentry is NULL and no dentry
	 * for the inode can be found; the old label then stays in use, so
	 * the return value is deliberately not checked.
	 */
	inode_doinit_with_dentry(inode, dentry);
	return 0;
}
 311
/*
 * Get the security label of an inode without attempting to revalidate it.
 */
static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
{
	struct inode_security_struct *isec = selinux_inode(inode);

	return isec;
}
 316
/*
 * Get the security label of an inode, revalidating it first.  When @rcu is
 * true the caller cannot sleep, so an invalid label yields ERR_PTR(-ECHILD)
 * rather than a reload.
 */
static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
{
	int rc = __inode_security_revalidate(inode, NULL, !rcu);

	return rc ? ERR_PTR(rc) : selinux_inode(inode);
}
 326
/*
 * Get the security label of an inode, reloading it first if it has been
 * marked invalid (may sleep; no dentry is supplied for the reload).
 */
static struct inode_security_struct *inode_security(struct inode *inode)
{
	/* Reload failure leaves the old label in place, so no error check. */
	(void)__inode_security_revalidate(inode, NULL, true);

	return selinux_inode(inode);
}
 335
/*
 * Get the security label of a dentry's backing inode without revalidation.
 */
static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
{
	return selinux_inode(d_backing_inode(dentry));
}
 342
/*
 * Get the security label of a dentry's backing inode, reloading an invalid
 * label first (may sleep).  The dentry is passed along so the reload can
 * use it.
 */
static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
{
	struct inode *inode = d_backing_inode(dentry);

	(void)__inode_security_revalidate(inode, dentry, true);

	return selinux_inode(inode);
}
 353
/*
 * Tear down the security state of an inode: if its security structure is
 * still linked on the superblock's list of inodes awaiting labeling, unlink
 * it under sbsec->isec_lock.
 */
static void inode_free_security(struct inode *inode)
{
	struct inode_security_struct *isec = selinux_inode(inode);
	struct superblock_security_struct *sbsec;

	if (!isec)
		return;

	sbsec = selinux_superblock(inode->i_sb);

	/*
	 * Not every inode security structure is on a list, so test for an
	 * empty entry before taking the lock rather than locking for nothing.
	 *
	 * list_del_init() is safe to call more than once.  Concurrent
	 * list_add() against this entry should be impossible here, but
	 * list_empty_careful() is used for extra safety against future
	 * changes.
	 */
	if (list_empty_careful(&isec->list))
		return;

	spin_lock(&sbsec->isec_lock);
	list_del_init(&isec->list);
	spin_unlock(&sbsec->isec_lock);
}
 378
/*
 * Parsed SELinux mount options.  Each member holds the context string given
 * for that option, or NULL when the option was not supplied; the strings and
 * the structure itself are released by selinux_free_mnt_opts().
 */
struct selinux_mnt_opts {
	const char *fscontext, *context, *rootcontext, *defcontext;
};
 382
/*
 * Release a struct selinux_mnt_opts: the four context strings (kfree()
 * tolerates NULL for options that were not given), then the container.
 * @mnt_opts must be non-NULL.
 */
static void selinux_free_mnt_opts(void *mnt_opts)
{
	struct selinux_mnt_opts *opts = mnt_opts;

	kfree(opts->defcontext);
	kfree(opts->rootcontext);
	kfree(opts->context);
	kfree(opts->fscontext);
	kfree(opts);
}
 392
/*
 * Mount option token ids returned by match_opt_prefix().  Opt_error marks
 * text that matches none of the tokens[] entries.
 */
enum {
	Opt_error = -1,
	Opt_context = 0,
	Opt_defcontext = 1,
	Opt_fscontext = 2,
	Opt_rootcontext = 3,
	Opt_seclabel = 4,
};
 401
/*
 * A(s, has_arg) expands to one tokens[] entry for mount option "s": the
 * option name, its length (excluding the NUL), the matching Opt_s id and
 * whether the option is written as "s=<value>".
 */
#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
static struct {
	const char *name;
	int len;
	int opt;
	bool has_arg;
} tokens[] = {
	A(context, true),
	A(fscontext, true),
	A(defcontext, true),
	A(rootcontext, true),
	A(seclabel, false),	/* flag only, takes no argument */
};
#undef A
 416
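/*
 * match_opt_prefix - identify the SELinux mount option at the start of @s
 * @s:   option text; only the first @l bytes are examined, so it need not be
 *       NUL-terminated
 * @l:   number of bytes of @s that belong to this option
 * @arg: for an option that takes an argument, set to the text following
 *       the '=' on success; untouched otherwise
 *
 * Returns the matching Opt_* id, or Opt_error when nothing matches.  A
 * negative @l is rejected up front rather than being converted to a huge
 * size_t in the comparisons below.
 */
static int match_opt_prefix(char *s, int l, char **arg)
{
	size_t i, len, avail;

	if (l < 0)
		return Opt_error;
	avail = (size_t)l;

	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
		len = tokens[i].len;
		/* the token name must fit in @s and match byte for byte */
		if (len > avail || memcmp(s, tokens[i].name, len))
			continue;
		if (tokens[i].has_arg) {
			/* "name=" requires at least the '=' after the name */
			if (len == avail || s[len] != '=')
				continue;
			*arg = s + len + 1;
		} else if (len != avail) {
			/* flag options must match the whole text exactly */
			continue;
		}
		return tokens[i].opt;
	}
	return Opt_error;
}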
 435
 436#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 437
/*
 * Check whether @cred may relabel the superblock described by @sbsec from
 * its current SID to @sid: filesystem { relabelfrom } on the old label and
 * filesystem { relabelto } on the new one.  Returns 0 when both are
 * granted, else the AVC error.
 */
static int may_context_mount_sb_relabel(u32 sid,
			struct superblock_security_struct *sbsec,
			const struct cred *cred)
{
	u32 ssid = selinux_cred(cred)->sid;
	int rc;

	rc = avc_has_perm(&selinux_state, ssid, sbsec->sid, SECCLASS_FILESYSTEM,
			  FILESYSTEM__RELABELFROM, NULL);
	if (rc)
		return rc;

	return avc_has_perm(&selinux_state, ssid, sid, SECCLASS_FILESYSTEM,
			    FILESYSTEM__RELABELTO, NULL);
}
 456
/*
 * Check whether @cred may apply inode label @sid on the superblock described
 * by @sbsec: filesystem { relabelfrom } for the task on the superblock, then
 * filesystem { associate } for @sid itself with the superblock.  Returns 0
 * when both are granted, else the AVC error.
 */
static int may_context_mount_inode_relabel(u32 sid,
			struct superblock_security_struct *sbsec,
			const struct cred *cred)
{
	u32 ssid = selinux_cred(cred)->sid;
	int rc;

	rc = avc_has_perm(&selinux_state, ssid, sbsec->sid, SECCLASS_FILESYSTEM,
			  FILESYSTEM__RELABELFROM, NULL);
	if (rc)
		return rc;

	/* note: the new inode label is the subject of this check */
	return avc_has_perm(&selinux_state, sid, sbsec->sid, SECCLASS_FILESYSTEM,
			    FILESYSTEM__ASSOCIATE, NULL);
}
 474
/*
 * Return 1 for genfs-labeled filesystem types that also have an in-core
 * setxattr handler and therefore get special handling; cgroup and cgroup2
 * only qualify once the cgroup_seclabel policy capability is enabled.
 */
static int selinux_is_genfs_special_handling(struct super_block *sb)
{
	static const char *const special_fs[] = {
		"sysfs", "pstore", "debugfs", "tracefs", "rootfs",
	};
	const char *name = sb->s_type->name;
	size_t i;

	for (i = 0; i < ARRAY_SIZE(special_fs); i++) {
		if (!strcmp(name, special_fs[i]))
			return 1;
	}

	if (selinux_policycap_cgroupseclabel())
		return !strcmp(name, "cgroup") || !strcmp(name, "cgroup2");

	return 0;
}
 487
/*
 * Decide whether inodes on @sb may be relabeled (SBLABEL_MNT) based on the
 * superblock's labeling behavior.  Returns 1 when relabeling is allowed,
 * 0 otherwise.
 */
static int selinux_is_sblabel_mnt(struct super_block *sb)
{
	struct superblock_security_struct *sbsec = selinux_superblock(sb);

	/*
	 * IMPORTANT: Double-check logic in this function when adding a new
	 * SECURITY_FS_USE_* definition!
	 */
	BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);

	switch (sbsec->behavior) {
	case SECURITY_FS_USE_GENFS:
		/* only genfs types that also have a setxattr handler */
		return selinux_is_genfs_special_handling(sb);

	case SECURITY_FS_USE_XATTR:
	case SECURITY_FS_USE_TRANS:
	case SECURITY_FS_USE_TASK:
	case SECURITY_FS_USE_NATIVE:
		return 1;

	case SECURITY_FS_USE_MNTPOINT:
	case SECURITY_FS_USE_NONE:
	default:
		/* Never allow relabeling on context mounts */
		return 0;
	}
}
 515
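/*
 * sb_check_xattr_support - confirm an xattr-labeled superblock can hold labels
 * @sb: superblock whose behavior is SECURITY_FS_USE_XATTR
 *
 * Probes the root inode for XATTR_NAME_SELINUX.  When the filesystem has no
 * xattr support at all (no IOP_XATTR, or getxattr reports -EOPNOTSUPP),
 * falls back to genfs labeling if the policy has a genfs entry for the
 * filesystem type, rewriting sbsec->behavior and sbsec->sid.
 *
 * Returns 0 on success (including the genfs fallback), the getxattr error
 * for any failure other than -ENODATA/-EOPNOTSUPP, or -EOPNOTSUPP when
 * neither xattrs nor genfs can label the filesystem.
 */
static int sb_check_xattr_support(struct super_block *sb)
{
	/*
	 * Use the same accessor as every other function in this file rather
	 * than reading sb->s_security directly, so the SELinux blob is
	 * located correctly regardless of how the LSM blob is laid out.
	 */
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
	struct dentry *root = sb->s_root;
	struct inode *root_inode = d_backing_inode(root);
	u32 sid;
	int rc;

	/*
	 * Make sure that the xattr handler exists and that no
	 * error other than -ENODATA is returned by getxattr on
	 * the root directory.  -ENODATA is ok, as this may be
	 * the first boot of the SELinux kernel before we have
	 * assigned xattr values to the filesystem.
	 */
	if (!(root_inode->i_opflags & IOP_XATTR)) {
		pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
			sb->s_id, sb->s_type->name);
		goto fallback;
	}

	rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
	if (rc < 0 && rc != -ENODATA) {
		if (rc == -EOPNOTSUPP) {
			pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
				sb->s_id, sb->s_type->name);
			goto fallback;
		} else {
			pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
				sb->s_id, sb->s_type->name, -rc);
			return rc;
		}
	}
	return 0;

fallback:
	/* No xattr support - try to fallback to genfs if possible. */
	rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
				SECCLASS_DIR, &sid);
	if (rc)
		return -EOPNOTSUPP;

	pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
		sb->s_id, sb->s_type->name);
	sbsec->behavior = SECURITY_FS_USE_GENFS;
	sbsec->sid = sid;
	return 0;
}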
 564
/*
 * Finish labeling a superblock once its mount options have been applied:
 * verify xattr support for SECURITY_FS_USE_XATTR, mark the superblock
 * initialized, (re)compute SBLABEL_MNT, label the root inode and then any
 * inodes queued on sbsec->isec_head.  Returns the xattr-support error if
 * that check fails, otherwise the result of labeling the root inode;
 * failures while labeling the queued inodes are not reported.
 */
static int sb_finish_set_opts(struct super_block *sb)
{
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
	struct dentry *root = sb->s_root;
	struct inode *root_inode = d_backing_inode(root);
	int rc = 0;

	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
		rc = sb_check_xattr_support(sb);
		if (rc)
			return rc;
	}

	sbsec->flags |= SE_SBINITIALIZED;

	/*
	 * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
	 * leave the flag untouched because sb_clone_mnt_opts might be handing
	 * us a superblock that needs the flag to be cleared.
	 */
	if (selinux_is_sblabel_mnt(sb))
		sbsec->flags |= SBLABEL_MNT;
	else
		sbsec->flags &= ~SBLABEL_MNT;

	/* Initialize the root inode. */
	rc = inode_doinit_with_dentry(root_inode, root);

	/* Initialize any other inodes associated with the superblock, e.g.
	   inodes created prior to initial policy load or inodes created
	   during get_sb by a pseudo filesystem that directly
	   populates itself. */
	spin_lock(&sbsec->isec_lock);
	while (!list_empty(&sbsec->isec_head)) {
		struct inode_security_struct *isec =
				list_first_entry(&sbsec->isec_head,
					   struct inode_security_struct, list);
		struct inode *inode = isec->inode;
		/*
		 * Unlink the entry before dropping the lock so that a
		 * concurrent inode_free_security() finds it empty; the lock
		 * cannot be held across inode_doinit_with_dentry(), which
		 * may sleep (see might_sleep_if() in
		 * __inode_security_revalidate()).
		 */
		list_del_init(&isec->list);
		spin_unlock(&sbsec->isec_lock);
		/* igrab() returns NULL if the inode can no longer be pinned; skip it. */
		inode = igrab(inode);
		if (inode) {
			if (!IS_PRIVATE(inode))
				inode_doinit_with_dentry(inode, NULL);
			iput(inode);
		}
		spin_lock(&sbsec->isec_lock);
	}
	spin_unlock(&sbsec->isec_lock);
	return rc;
}
 616
/*
 * Detect conflicting mount options for the superblock described by @sbsec.
 * @flag is the *_MNT bit for the option being applied and @old_sid/@new_sid
 * its previous and requested SIDs.  Returns 1 when the option conflicts,
 * 0 otherwise.
 */
static int bad_option(struct superblock_security_struct *sbsec, char flag,
		      u32 old_sid, u32 new_sid)
{
	char mnt_flags = sbsec->flags & SE_MNTMASK;

	/*
	 * Already initialized: the earlier mount must have used this same
	 * option with the same value.
	 */
	if (sbsec->flags & SE_SBINITIALIZED)
		return !(sbsec->flags & flag) || old_sid != new_sid;

	/*
	 * Not yet initialized: the option must not appear twice in one
	 * command, e.g. context=a,context=b.
	 */
	return (mnt_flags & flag) ? 1 : 0;
}
 636
/*
 * Convert a context string from a mount option into a SID.  On failure a
 * warning naming the context and the superblock is logged and the error
 * from security_context_str_to_sid() is returned; 0 on success.
 */
static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
{
	int rc;

	rc = security_context_str_to_sid(&selinux_state, s, sid, GFP_KERNEL);
	if (!rc)
		return 0;

	pr_warn("SELinux: security_context_str_to_sid"
	       "(%s) failed for (dev %s, type %s) errno=%d\n",
	       s, sb->s_id, sb->s_type->name, rc);
	return rc;
}
 647
 648/*
 649 * Allow filesystems with binary mount data to explicitly set mount point
 650 * labeling information.
 651 */
 652static int selinux_set_mnt_opts(struct super_block *sb,
 653                                void *mnt_opts,
 654                                unsigned long kern_flags,
 655                                unsigned long *set_kern_flags)
 656{
 657        const struct cred *cred = current_cred();
 658        struct superblock_security_struct *sbsec = selinux_superblock(sb);
 659        struct dentry *root = sb->s_root;
 660        struct selinux_mnt_opts *opts = mnt_opts;
 661        struct inode_security_struct *root_isec;
 662        u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 663        u32 defcontext_sid = 0;
 664        int rc = 0;
 665
 666        mutex_lock(&sbsec->lock);
 667
 668        if (!selinux_initialized(&selinux_state)) {
 669                if (!opts) {
 670                        /* Defer initialization until selinux_complete_init,
 671                           after the initial policy is loaded and the security
 672                           server is ready to handle calls. */
 673                        goto out;
 674                }
 675                rc = -EINVAL;
 676                pr_warn("SELinux: Unable to set superblock options "
 677                        "before the security server is initialized\n");
 678                goto out;
 679        }
 680        if (kern_flags && !set_kern_flags) {
 681                /* Specifying internal flags without providing a place to
 682                 * place the results is not allowed */
 683                rc = -EINVAL;
 684                goto out;
 685        }
 686
 687        /*
 688         * Binary mount data FS will come through this function twice.  Once
 689         * from an explicit call and once from the generic calls from the vfs.
 690         * Since the generic VFS calls will not contain any security mount data
 691         * we need to skip the double mount verification.
 692         *
 693         * This does open a hole in which we will not notice if the first
 694         * mount using this sb set explict options and a second mount using
 695         * this sb does not set any security options.  (The first options
 696         * will be used for both mounts)
 697         */
 698        if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 699            && !opts)
 700                goto out;
 701
 702        root_isec = backing_inode_security_novalidate(root);
 703
 704        /*
 705         * parse the mount options, check if they are valid sids.
 706         * also check if someone is trying to mount the same sb more
 707         * than once with different security options.
 708         */
 709        if (opts) {
 710                if (opts->fscontext) {
 711                        rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
 712                        if (rc)
 713                                goto out;
 714                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 715                                        fscontext_sid))
 716                                goto out_double_mount;
 717                        sbsec->flags |= FSCONTEXT_MNT;
 718                }
 719                if (opts->context) {
 720                        rc = parse_sid(sb, opts->context, &context_sid);
 721                        if (rc)
 722                                goto out;
 723                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 724                                        context_sid))
 725                                goto out_double_mount;
 726                        sbsec->flags |= CONTEXT_MNT;
 727                }
 728                if (opts->rootcontext) {
 729                        rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
 730                        if (rc)
 731                                goto out;
 732                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 733                                        rootcontext_sid))
 734                                goto out_double_mount;
 735                        sbsec->flags |= ROOTCONTEXT_MNT;
 736                }
 737                if (opts->defcontext) {
 738                        rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
 739                        if (rc)
 740                                goto out;
 741                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 742                                        defcontext_sid))
 743                                goto out_double_mount;
 744                        sbsec->flags |= DEFCONTEXT_MNT;
 745                }
 746        }
 747
 748        if (sbsec->flags & SE_SBINITIALIZED) {
 749                /* previously mounted with options, but not on this attempt? */
 750                if ((sbsec->flags & SE_MNTMASK) && !opts)
 751                        goto out_double_mount;
 752                rc = 0;
 753                goto out;
 754        }
 755
 756        if (strcmp(sb->s_type->name, "proc") == 0)
 757                sbsec->flags |= SE_SBPROC | SE_SBGENFS;
 758
 759        if (!strcmp(sb->s_type->name, "debugfs") ||
 760            !strcmp(sb->s_type->name, "tracefs") ||
 761            !strcmp(sb->s_type->name, "binder") ||
 762            !strcmp(sb->s_type->name, "bpf") ||
 763            !strcmp(sb->s_type->name, "pstore"))
 764                sbsec->flags |= SE_SBGENFS;
 765
 766        if (!strcmp(sb->s_type->name, "sysfs") ||
 767            !strcmp(sb->s_type->name, "cgroup") ||
 768            !strcmp(sb->s_type->name, "cgroup2"))
 769                sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
 770
 771        if (!sbsec->behavior) {
 772                /*
 773                 * Determine the labeling behavior to use for this
 774                 * filesystem type.
 775                 */
 776                rc = security_fs_use(&selinux_state, sb);
 777                if (rc) {
 778                        pr_warn("%s: security_fs_use(%s) returned %d\n",
 779                                        __func__, sb->s_type->name, rc);
 780                        goto out;
 781                }
 782        }
 783
 784        /*
 785         * If this is a user namespace mount and the filesystem type is not
 786         * explicitly whitelisted, then no contexts are allowed on the command
 787         * line and security labels must be ignored.
 788         */
 789        if (sb->s_user_ns != &init_user_ns &&
 790            strcmp(sb->s_type->name, "tmpfs") &&
 791            strcmp(sb->s_type->name, "ramfs") &&
 792            strcmp(sb->s_type->name, "devpts") &&
 793            strcmp(sb->s_type->name, "overlay")) {
 794                if (context_sid || fscontext_sid || rootcontext_sid ||
 795                    defcontext_sid) {
 796                        rc = -EACCES;
 797                        goto out;
 798                }
 799                if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 800                        sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 801                        rc = security_transition_sid(&selinux_state,
 802                                                     current_sid(),
 803                                                     current_sid(),
 804                                                     SECCLASS_FILE, NULL,
 805                                                     &sbsec->mntpoint_sid);
 806                        if (rc)
 807                                goto out;
 808                }
 809                goto out_set_opts;
 810        }
 811
 812        /* sets the context of the superblock for the fs being mounted. */
 813        if (fscontext_sid) {
 814                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
 815                if (rc)
 816                        goto out;
 817
 818                sbsec->sid = fscontext_sid;
 819        }
 820
 821        /*
 822         * Switch to using mount point labeling behavior.
 823         * sets the label used on all file below the mountpoint, and will set
 824         * the superblock context if not already set.
 825         */
 826        if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
 827                sbsec->behavior = SECURITY_FS_USE_NATIVE;
 828                *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
 829        }
 830
 831        if (context_sid) {
 832                if (!fscontext_sid) {
 833                        rc = may_context_mount_sb_relabel(context_sid, sbsec,
 834                                                          cred);
 835                        if (rc)
 836                                goto out;
 837                        sbsec->sid = context_sid;
 838                } else {
 839                        rc = may_context_mount_inode_relabel(context_sid, sbsec,
 840                                                             cred);
 841                        if (rc)
 842                                goto out;
 843                }
 844                if (!rootcontext_sid)
 845                        rootcontext_sid = context_sid;
 846
 847                sbsec->mntpoint_sid = context_sid;
 848                sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 849        }
 850
 851        if (rootcontext_sid) {
 852                rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
 853                                                     cred);
 854                if (rc)
 855                        goto out;
 856
 857                root_isec->sid = rootcontext_sid;
 858                root_isec->initialized = LABEL_INITIALIZED;
 859        }
 860
 861        if (defcontext_sid) {
 862                if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
 863                        sbsec->behavior != SECURITY_FS_USE_NATIVE) {
 864                        rc = -EINVAL;
 865                        pr_warn("SELinux: defcontext option is "
 866                               "invalid for this filesystem type\n");
 867                        goto out;
 868                }
 869
 870                if (defcontext_sid != sbsec->def_sid) {
 871                        rc = may_context_mount_inode_relabel(defcontext_sid,
 872                                                             sbsec, cred);
 873                        if (rc)
 874                                goto out;
 875                }
 876
 877                sbsec->def_sid = defcontext_sid;
 878        }
 879
 880out_set_opts:
 881        rc = sb_finish_set_opts(sb);
 882out:
 883        mutex_unlock(&sbsec->lock);
 884        return rc;
 885out_double_mount:
 886        rc = -EINVAL;
 887        pr_warn("SELinux: mount invalid.  Same superblock, different "
 888               "security settings for (dev %s, type %s)\n", sb->s_id,
 889               sb->s_type->name);
 890        goto out;
 891}
 892
/*
 * Compare the SELinux mount settings of two superblocks that share one
 * filesystem instance.  Only the options actually set on @oldsb (per the
 * SE_MNTMASK bits) are compared; any difference means a second mount is
 * trying to relabel the same filesystem, which is refused with -EBUSY and a
 * warning.  Returns 0 when the settings agree.
 */
static int selinux_cmp_sb_context(const struct super_block *oldsb,
				    const struct super_block *newsb)
{
	const struct superblock_security_struct *old = selinux_superblock(oldsb);
	const struct superblock_security_struct *new = selinux_superblock(newsb);
	char oldflags = old->flags & SE_MNTMASK;
	char newflags = new->flags & SE_MNTMASK;
	bool same = (oldflags == newflags);

	/* Each check only runs while everything before it matched. */
	if (same && (oldflags & FSCONTEXT_MNT))
		same = (old->sid == new->sid);
	if (same && (oldflags & CONTEXT_MNT))
		same = (old->mntpoint_sid == new->mntpoint_sid);
	if (same && (oldflags & DEFCONTEXT_MNT))
		same = (old->def_sid == new->def_sid);
	if (same && (oldflags & ROOTCONTEXT_MNT)) {
		/* The root label is kept on the root inode, not the sb. */
		const struct inode_security_struct *oldroot =
			backing_inode_security(oldsb->s_root);
		const struct inode_security_struct *newroot =
			backing_inode_security(newsb->s_root);

		same = (oldroot->sid == newroot->sid);
	}
	if (same)
		return 0;

	pr_warn("SELinux: mount invalid.  Same superblock, "
			    "different security settings for (dev %s, "
			    "type %s)\n", newsb->s_id, newsb->s_type->name);
	return -EBUSY;
}
 922
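/*
 * Copy the SELinux mount settings of @oldsb onto @newsb, for filesystems
 * that mount (or clone) a superblock a second time and must inherit the
 * labeling decisions already made for the original.
 *
 * @kern_flags:     SECURITY_LSM_* requests from the filesystem; when any are
 *                  set, @set_kern_flags must be non-NULL.
 * @set_kern_flags: receives the SECURITY_LSM_* flags that were honoured.
 *
 * Returns 0 on success; -EINVAL when flags are requested with nowhere to
 * report them; the selinux_cmp_sb_context() result when @newsb was already
 * initialised; or the error from security_fs_use() / sb_finish_set_opts().
 */
static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
					struct super_block *newsb,
					unsigned long kern_flags,
					unsigned long *set_kern_flags)
{
	int rc = 0;
	const struct superblock_security_struct *oldsbsec =
						selinux_superblock(oldsb);
	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);

	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);

	/*
	 * if the parent was able to be mounted it clearly had no special lsm
	 * mount options.  thus we can safely deal with this superblock later
	 */
	if (!selinux_initialized(&selinux_state))
		return 0;

	/*
	 * Specifying internal flags without providing a place to
	 * place the results is not allowed.
	 */
	if (kern_flags && !set_kern_flags)
		return -EINVAL;

	/* how can we clone if the old one wasn't set up?? */
	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));

	/* if fs is reusing a sb, make sure that the contexts match */
	if (newsbsec->flags & SE_SBINITIALIZED) {
		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
		return selinux_cmp_sb_context(oldsb, newsb);
	}

	mutex_lock(&newsbsec->lock);

	newsbsec->flags = oldsbsec->flags;

	newsbsec->sid = oldsbsec->sid;
	newsbsec->def_sid = oldsbsec->def_sid;
	newsbsec->behavior = oldsbsec->behavior;

	/*
	 * The old sb used native labels but this mount did not ask for them:
	 * let policy's fs_use rule pick the behavior for the new sb instead.
	 */
	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
		rc = security_fs_use(&selinux_state, newsb);
		if (rc)
			goto out;
	}

	/* An explicit context= option takes precedence over native labels. */
	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
	}

	if (set_context) {
		u32 sid = oldsbsec->mntpoint_sid;

		/* context= also labels the sb and root unless overridden. */
		if (!set_fscontext)
			newsbsec->sid = sid;
		if (!set_rootcontext) {
			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
			newisec->sid = sid;
		}
		newsbsec->mntpoint_sid = sid;
	}
	if (set_rootcontext) {
		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);

		newisec->sid = oldisec->sid;
	}

	/*
	 * sb_finish_set_opts() returns an error code; propagate it the same
	 * way selinux_set_mnt_opts() does, so a failed finish is reported to
	 * the mount instead of being dropped and the clone reported as OK.
	 */
	rc = sb_finish_set_opts(newsb);
out:
	mutex_unlock(&newsbsec->lock);
	return rc;
}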
1004
/*
 * Record one parsed SELinux mount option in the per-mount option set.
 *
 * @token:    the Opt_* value the option name parsed to.
 * @s:        the option value; on success it is stored (not copied) in
 *            *@mnt_opts, which then owns it.
 * @mnt_opts: in/out pointer to the selinux_mnt_opts block, allocated here
 *            on first use.
 *
 * Returns 0 on success (also for Opt_seclabel and unknown tokens, which are
 * ignored), -ENOMEM when the block cannot be allocated or @s is NULL, and
 * -EINVAL with SEL_MOUNT_FAIL_MSG when an option is repeated or context=
 * is combined with defcontext=.
 */
static int selinux_add_opt(int token, const char *s, void **mnt_opts)
{
	struct selinux_mnt_opts *opts = *mnt_opts;
	const char **slot;
	bool conflict = false;

	if (token == Opt_seclabel)	/* eaten and completely ignored */
		return 0;

	if (!opts) {
		opts = kzalloc(sizeof(*opts), GFP_KERNEL);
		if (!opts)
			return -ENOMEM;
		*mnt_opts = opts;
	}
	if (!s)
		return -ENOMEM;

	/* Pick the destination field and detect duplicate/conflicting use. */
	switch (token) {
	case Opt_context:
		/* context= and defcontext= are mutually exclusive. */
		conflict = opts->context || opts->defcontext;
		slot = &opts->context;
		break;
	case Opt_fscontext:
		conflict = opts->fscontext;
		slot = &opts->fscontext;
		break;
	case Opt_rootcontext:
		conflict = opts->rootcontext;
		slot = &opts->rootcontext;
		break;
	case Opt_defcontext:
		conflict = opts->context || opts->defcontext;
		slot = &opts->defcontext;
		break;
	default:
		/* Tokens without a field are accepted and ignored. */
		return 0;
	}

	if (conflict) {
		pr_warn(SEL_MOUNT_FAIL_MSG);
		return -EINVAL;
	}
	*slot = s;
	return 0;
}
1047
/*
 * LSM sb_add_mnt_opt hook: accept a single "option=value" pair from a
 * filesystem, look the name up in @tokens, take a NUL-terminated copy of
 * exactly @len bytes of @val and hand it to selinux_add_opt().
 *
 * Returns 0 on success, -EINVAL for an unknown option name or a value that
 * selinux_add_opt() rejects, -ENOMEM if the copy cannot be made.  On any
 * failure the whole option set in *@mnt_opts is freed and cleared so a
 * partially built set never reaches the mount.
 */
static int selinux_add_mnt_opt(const char *option, const char *val, int len,
			       void **mnt_opts)
{
	int token = Opt_error;
	size_t i;
	int rc;

	/* Translate the option name into its Opt_* token. */
	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
		if (!strcmp(option, tokens[i].name)) {
			token = tokens[i].opt;
			break;
		}
	}
	if (token == Opt_error)
		return -EINVAL;

	/* seclabel carries no value, so nothing is copied for it. */
	if (token != Opt_seclabel) {
		val = kmemdup_nul(val, len, GFP_KERNEL);
		if (!val) {
			rc = -ENOMEM;
			goto free_opt;
		}
	}

	rc = selinux_add_opt(token, val, mnt_opts);
	if (likely(!rc))
		return 0;

	/* The copy was not adopted by the option set: release it. */
	kfree(val);

free_opt:
	if (*mnt_opts) {
		selinux_free_mnt_opts(*mnt_opts);
		*mnt_opts = NULL;
	}
	return rc;
}
1085
/*
 * Append "=<context>" for @sid to the options line in @m.  The context is
 * escaped, and additionally wrapped in double quotes when it contains a
 * comma (presumably so the comma is not read as an option separator).
 * Returns the security server's error when @sid cannot be converted.
 */
static int show_sid(struct seq_file *m, u32 sid)
{
	char *context = NULL;
	u32 len;
	int rc = security_sid_to_context(&selinux_state, sid, &context, &len);

	if (rc)
		goto out;

	seq_putc(m, '=');
	if (context && strchr(context, ',')) {
		seq_putc(m, '\"');
		seq_escape(m, context, "\"\n\\");
		seq_putc(m, '\"');
	} else {
		seq_escape(m, context, "\"\n\\");
	}
out:
	kfree(context);
	return rc;
}
1107
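/*
 * Emit one ",<name>=<context>" mount option for @sid into @m.
 * Returns the show_sid() error if @sid cannot be converted to a context.
 */
static int show_mnt_opt_sid(struct seq_file *m, const char *name, u32 sid)
{
	seq_putc(m, ',');
	seq_puts(m, name);
	return show_sid(m, sid);
}

/*
 * LSM sb_show_options hook: append the SELinux mount options in effect for
 * @sb to the options line in @m.  Nothing is shown for a superblock whose
 * security state was never set up, or before SELinux is initialised.
 *
 * Returns 0, or the first error from converting a SID to a context.
 */
static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
{
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
	int rc;

	if (!(sbsec->flags & SE_SBINITIALIZED))
		return 0;

	if (!selinux_initialized(&selinux_state))
		return 0;

	if (sbsec->flags & FSCONTEXT_MNT) {
		rc = show_mnt_opt_sid(m, FSCONTEXT_STR, sbsec->sid);
		if (rc)
			return rc;
	}
	if (sbsec->flags & CONTEXT_MNT) {
		rc = show_mnt_opt_sid(m, CONTEXT_STR, sbsec->mntpoint_sid);
		if (rc)
			return rc;
	}
	if (sbsec->flags & DEFCONTEXT_MNT) {
		rc = show_mnt_opt_sid(m, DEFCONTEXT_STR, sbsec->def_sid);
		if (rc)
			return rc;
	}
	if (sbsec->flags & ROOTCONTEXT_MNT) {
		/* The root label is kept on the root inode, not the sb. */
		struct inode_security_struct *isec =
			backing_inode_security(sb->s_root);

		rc = show_mnt_opt_sid(m, ROOTCONTEXT_STR, isec->sid);
		if (rc)
			return rc;
	}
	if (sbsec->flags & SBLABEL_MNT) {
		/* seclabel carries no value, so there is no SID to show. */
		seq_putc(m, ',');
		seq_puts(m, SECLABEL_STR);
	}
	return 0;
}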
1155
/* Map an inode's file-type bits (mode & S_IFMT) to its SELinux object class. */
static inline u16 inode_mode_to_security_class(umode_t mode)
{
	umode_t type = mode & S_IFMT;

	if (type == S_IFSOCK)
		return SECCLASS_SOCK_FILE;
	if (type == S_IFLNK)
		return SECCLASS_LNK_FILE;
	if (type == S_IFREG)
		return SECCLASS_FILE;
	if (type == S_IFBLK)
		return SECCLASS_BLK_FILE;
	if (type == S_IFDIR)
		return SECCLASS_DIR;
	if (type == S_IFCHR)
		return SECCLASS_CHR_FILE;
	if (type == S_IFIFO)
		return SECCLASS_FIFO_FILE;

	/* Any other (or unset) type is treated as a regular file. */
	return SECCLASS_FILE;
}
1178
/*
 * True when @protocol means "plain TCP" for an inet stream/seqpacket socket:
 * the unspecified protocol, TCP itself, or MPTCP.
 */
static inline int default_protocol_stream(int protocol)
{
	switch (protocol) {
	case IPPROTO_IP:
	case IPPROTO_TCP:
	case IPPROTO_MPTCP:
		return 1;
	default:
		return 0;
	}
}
1184
/*
 * True when @protocol means "plain UDP" for an inet datagram socket: the
 * unspecified protocol or UDP itself.
 */
static inline int default_protocol_dgram(int protocol)
{
	switch (protocol) {
	case IPPROTO_IP:
	case IPPROTO_UDP:
		return 1;
	default:
		return 0;
	}
}
1189
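/*
 * Class for a PF_UNIX socket of @type.  Types this table does not know fall
 * back to the generic SECCLASS_SOCKET.
 */
static inline u16 socket_class_unix(int type)
{
	switch (type) {
	case SOCK_STREAM:
	case SOCK_SEQPACKET:
		return SECCLASS_UNIX_STREAM_SOCKET;
	case SOCK_DGRAM:
	case SOCK_RAW:
		return SECCLASS_UNIX_DGRAM_SOCKET;
	default:
		return SECCLASS_SOCKET;
	}
}

/*
 * Class for a PF_INET/PF_INET6 socket.  The SCTP and ICMP classes are only
 * used when the extended_socket_class policy capability (@extsockclass) is
 * on; otherwise those sockets are classed as raw IP, as older policies
 * expect.
 */
static inline u16 socket_class_inet(int type, int protocol, int extsockclass)
{
	switch (type) {
	case SOCK_STREAM:
	case SOCK_SEQPACKET:
		if (default_protocol_stream(protocol))
			return SECCLASS_TCP_SOCKET;
		if (extsockclass && protocol == IPPROTO_SCTP)
			return SECCLASS_SCTP_SOCKET;
		return SECCLASS_RAWIP_SOCKET;
	case SOCK_DGRAM:
		if (default_protocol_dgram(protocol))
			return SECCLASS_UDP_SOCKET;
		if (extsockclass && (protocol == IPPROTO_ICMP ||
				     protocol == IPPROTO_ICMPV6))
			return SECCLASS_ICMP_SOCKET;
		return SECCLASS_RAWIP_SOCKET;
	case SOCK_DCCP:
		return SECCLASS_DCCP_SOCKET;
	default:
		return SECCLASS_RAWIP_SOCKET;
	}
}

/*
 * Class for a PF_NETLINK socket, keyed by the netlink @protocol (family).
 * Unknown netlink families get the generic SECCLASS_NETLINK_SOCKET.
 */
static inline u16 socket_class_netlink(int protocol)
{
	switch (protocol) {
	case NETLINK_ROUTE:
		return SECCLASS_NETLINK_ROUTE_SOCKET;
	case NETLINK_SOCK_DIAG:
		return SECCLASS_NETLINK_TCPDIAG_SOCKET;
	case NETLINK_NFLOG:
		return SECCLASS_NETLINK_NFLOG_SOCKET;
	case NETLINK_XFRM:
		return SECCLASS_NETLINK_XFRM_SOCKET;
	case NETLINK_SELINUX:
		return SECCLASS_NETLINK_SELINUX_SOCKET;
	case NETLINK_ISCSI:
		return SECCLASS_NETLINK_ISCSI_SOCKET;
	case NETLINK_AUDIT:
		return SECCLASS_NETLINK_AUDIT_SOCKET;
	case NETLINK_FIB_LOOKUP:
		return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
	case NETLINK_CONNECTOR:
		return SECCLASS_NETLINK_CONNECTOR_SOCKET;
	case NETLINK_NETFILTER:
		return SECCLASS_NETLINK_NETFILTER_SOCKET;
	case NETLINK_DNRTMSG:
		return SECCLASS_NETLINK_DNRT_SOCKET;
	case NETLINK_KOBJECT_UEVENT:
		return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
	case NETLINK_GENERIC:
		return SECCLASS_NETLINK_GENERIC_SOCKET;
	case NETLINK_SCSITRANSPORT:
		return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
	case NETLINK_RDMA:
		return SECCLASS_NETLINK_RDMA_SOCKET;
	case NETLINK_CRYPTO:
		return SECCLASS_NETLINK_CRYPTO_SOCKET;
	default:
		return SECCLASS_NETLINK_SOCKET;
	}
}

/*
 * Per-family classes that exist only under the extended_socket_class policy
 * capability.  Families not listed here get the generic SECCLASS_SOCKET.
 * The PF_MAX check forces this table to be revisited whenever a new address
 * family is added to the kernel.
 */
static inline u16 socket_class_extfamily(int family)
{
	switch (family) {
	case PF_AX25:
		return SECCLASS_AX25_SOCKET;
	case PF_IPX:
		return SECCLASS_IPX_SOCKET;
	case PF_NETROM:
		return SECCLASS_NETROM_SOCKET;
	case PF_ATMPVC:
		return SECCLASS_ATMPVC_SOCKET;
	case PF_X25:
		return SECCLASS_X25_SOCKET;
	case PF_ROSE:
		return SECCLASS_ROSE_SOCKET;
	case PF_DECnet:
		return SECCLASS_DECNET_SOCKET;
	case PF_ATMSVC:
		return SECCLASS_ATMSVC_SOCKET;
	case PF_RDS:
		return SECCLASS_RDS_SOCKET;
	case PF_IRDA:
		return SECCLASS_IRDA_SOCKET;
	case PF_PPPOX:
		return SECCLASS_PPPOX_SOCKET;
	case PF_LLC:
		return SECCLASS_LLC_SOCKET;
	case PF_CAN:
		return SECCLASS_CAN_SOCKET;
	case PF_TIPC:
		return SECCLASS_TIPC_SOCKET;
	case PF_BLUETOOTH:
		return SECCLASS_BLUETOOTH_SOCKET;
	case PF_IUCV:
		return SECCLASS_IUCV_SOCKET;
	case PF_RXRPC:
		return SECCLASS_RXRPC_SOCKET;
	case PF_ISDN:
		return SECCLASS_ISDN_SOCKET;
	case PF_PHONET:
		return SECCLASS_PHONET_SOCKET;
	case PF_IEEE802154:
		return SECCLASS_IEEE802154_SOCKET;
	case PF_CAIF:
		return SECCLASS_CAIF_SOCKET;
	case PF_ALG:
		return SECCLASS_ALG_SOCKET;
	case PF_NFC:
		return SECCLASS_NFC_SOCKET;
	case PF_VSOCK:
		return SECCLASS_VSOCK_SOCKET;
	case PF_KCM:
		return SECCLASS_KCM_SOCKET;
	case PF_QIPCRTR:
		return SECCLASS_QIPCRTR_SOCKET;
	case PF_SMC:
		return SECCLASS_SMC_SOCKET;
	case PF_XDP:
		return SECCLASS_XDP_SOCKET;
#if PF_MAX > 45
#error New address family defined, please update this function.
#endif
	default:
		return SECCLASS_SOCKET;
	}
}

/*
 * Map a socket's (@family, @type, @protocol) triple to the SELinux object
 * class that its access checks are made against.
 *
 * The UNIX, INET/INET6, NETLINK, PACKET, KEY and APPLETALK families always
 * have their own classes; every other family only gets a specific class
 * when the extended_socket_class policy capability is enabled, and is
 * classed as a generic SECCLASS_SOCKET otherwise.
 */
static inline u16 socket_type_to_security_class(int family, int type, int protocol)
{
	int extsockclass = selinux_policycap_extsockclass();

	switch (family) {
	case PF_UNIX:
		return socket_class_unix(type);
	case PF_INET:
	case PF_INET6:
		return socket_class_inet(type, protocol, extsockclass);
	case PF_NETLINK:
		return socket_class_netlink(protocol);
	case PF_PACKET:
		return SECCLASS_PACKET_SOCKET;
	case PF_KEY:
		return SECCLASS_KEY_SOCKET;
	case PF_APPLETALK:
		return SECCLASS_APPLETALK_SOCKET;
	default:
		break;
	}

	if (extsockclass)
		return socket_class_extfamily(family);

	return SECCLASS_SOCKET;
}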
1341
/*
 * Look up the genfscon label for @dentry.
 *
 * The dentry's path (as produced by dentry_path_raw()) is matched against
 * the policy's genfscon rules for the filesystem type.  On procfs
 * (SE_SBPROC) the leading PID component is collapsed first so that all
 * /proc/<pid>/... trees share one set of rules.  A path with no matching
 * rule yields SECINITSID_UNLABELED rather than an error.
 *
 * Returns 0 with *@sid set, -ENOMEM if no scratch page is available, or the
 * error from dentry_path_raw() / security_genfs_sid().
 */
static int selinux_genfs_get_sid(struct dentry *dentry,
				 u16 tclass,
				 u16 flags,
				 u32 *sid)
{
	struct super_block *sb = dentry->d_sb;
	char *buffer = (char *)__get_free_page(GFP_KERNEL);
	char *path;
	int rc;

	if (!buffer)
		return -ENOMEM;

	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
	if (IS_ERR(path)) {
		rc = PTR_ERR(path);
		goto out_free;
	}

	if (flags & SE_SBPROC) {
		/*
		 * each process gets a /proc/PID/ entry. Strip off the
		 * PID part to get a valid selinux labeling.
		 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs
		 */
		for (; path[1] >= '0' && path[1] <= '9'; path++)
			path[1] = '/';
	}

	rc = security_genfs_sid(&selinux_state, sb->s_type->name,
				path, tclass, sid);
	if (rc == -ENOENT) {
		/* No match in policy, mark as unlabeled. */
		*sid = SECINITSID_UNLABELED;
		rc = 0;
	}

out_free:
	free_page((unsigned long)buffer);
	return rc;
}
1379
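/*
 * Read the security.selinux xattr of @inode (through @dentry) and convert
 * it to a SID.
 *
 * @def_sid: SID used when the inode has no xattr at all; also handed to
 *           security_context_to_sid_default() as the fallback for a stored
 *           context that the current policy does not accept.
 * @sid:     receives the result.
 *
 * A buffer of INITCONTEXTLEN bytes is tried first; -ERANGE triggers a size
 * query and a second read.  Returns 0 (with *@sid set) even when the stored
 * context is invalid -- that case is only logged -- and a negative error for
 * allocation failures or getxattr errors other than -ENODATA.
 */
static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
				  u32 def_sid, u32 *sid)
{
#define INITCONTEXTLEN 255
	char *context;
	unsigned int len;
	int rc;

	len = INITCONTEXTLEN;
	context = kmalloc(len + 1, GFP_NOFS);
	if (!context)
		return -ENOMEM;

	/* Terminate up front so the context is always safe to print. */
	context[len] = '\0';
	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
	if (rc == -ERANGE) {
		kfree(context);

		/* Need a larger buffer.  Query for the right size. */
		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
		if (rc < 0)
			return rc;

		len = rc;
		context = kmalloc(len + 1, GFP_NOFS);
		if (!context)
			return -ENOMEM;

		/*
		 * If the xattr grew between the size query and this read,
		 * -ERANGE comes back again and is handled as an error below.
		 */
		context[len] = '\0';
		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
				    context, len);
	}
	if (rc < 0) {
		kfree(context);
		if (rc != -ENODATA) {
			/* i_ino is unsigned long, hence %lu. */
			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%lu\n",
				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
			return rc;
		}
		/* No label stored: use the filesystem's default SID. */
		*sid = def_sid;
		return 0;
	}

	/* rc is the byte count actually read; pass it as the context length. */
	rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
					     def_sid, GFP_NOFS);
	if (rc) {
		char *dev = inode->i_sb->s_id;
		unsigned long ino = inode->i_ino;

		if (rc == -EINVAL) {
			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
					      ino, dev, context);
		} else {
			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%lu\n",
				__func__, context, -rc, dev, ino);
		}
	}
	kfree(context);
	return 0;
}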
1440
1441/* The inode's security attributes must be initialized before first use. */
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
{
	struct superblock_security_struct *sbsec = NULL;
	struct inode_security_struct *isec = selinux_inode(inode);
	u32 task_sid, sid = 0;
	u16 sclass;
	struct dentry *dentry;
	int rc = 0;

	/* Cheap unlocked check; repeated under the lock below. */
	if (isec->initialized == LABEL_INITIALIZED)
		return 0;

	spin_lock(&isec->lock);
	if (isec->initialized == LABEL_INITIALIZED)
		goto out_unlock;

	/* Refine the generic file class from the inode's S_IFMT bits. */
	if (isec->sclass == SECCLASS_FILE)
		isec->sclass = inode_mode_to_security_class(inode->i_mode);

	sbsec = selinux_superblock(inode->i_sb);
	if (!(sbsec->flags & SE_SBINITIALIZED)) {
		/* Defer initialization until selinux_complete_init,
		   after the initial policy is loaded and the security
		   server is ready to handle calls.  The inode is queued on
		   the superblock's isec_head list for that pass. */
		spin_lock(&sbsec->isec_lock);
		if (list_empty(&isec->list))
			list_add(&isec->list, &sbsec->isec_head);
		spin_unlock(&sbsec->isec_lock);
		goto out_unlock;
	}

	/*
	 * Snapshot the inputs, mark the inode LABEL_PENDING and drop the
	 * spinlock: the xattr and genfs lookups below allocate (GFP_NOFS /
	 * GFP_KERNEL) and so may sleep.  PENDING is re-checked at 'out' so a
	 * concurrent labeling or invalidation of this inode is not clobbered.
	 */
	sclass = isec->sclass;
	task_sid = isec->task_sid;
	sid = isec->sid;
	isec->initialized = LABEL_PENDING;
	spin_unlock(&isec->lock);

	/* Pick the label source according to the superblock's behavior. */
	switch (sbsec->behavior) {
	case SECURITY_FS_USE_NATIVE:
		/* Nothing to compute: sid keeps the value from isec->sid. */
		break;
	case SECURITY_FS_USE_XATTR:
		if (!(inode->i_opflags & IOP_XATTR)) {
			/* Inode cannot carry xattrs: use the fs default. */
			sid = sbsec->def_sid;
			break;
		}
		/* Need a dentry, since the xattr API requires one.
		   Life would be simpler if we could just pass the inode. */
		if (opt_dentry) {
			/* Called from d_instantiate or d_splice_alias. */
			dentry = dget(opt_dentry);
		} else {
			/*
			 * Called from selinux_complete_init, try to find a dentry.
			 * Some filesystems really want a connected one, so try
			 * that first.  We could split SECURITY_FS_USE_XATTR in
			 * two, depending upon that...
			 */
			dentry = d_find_alias(inode);
			if (!dentry)
				dentry = d_find_any_alias(inode);
		}
		if (!dentry) {
			/*
			 * This can be hit on boot when a file is accessed
			 * before the policy is loaded.  When we load policy we
			 * may find inodes that have no dentry on the
			 * sbsec->isec_head list.  No reason to complain as these
			 * will get fixed up the next time we go through
			 * inode_doinit with a dentry, before these inodes could
			 * be used again by userspace.
			 */
			goto out_invalid;
		}

		/* The dentry reference is released regardless of the result. */
		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
					    &sid);
		dput(dentry);
		if (rc)
			goto out;
		break;
	case SECURITY_FS_USE_TASK:
		/* Label is the task SID recorded in isec->task_sid. */
		sid = task_sid;
		break;
	case SECURITY_FS_USE_TRANS:
		/* Default to the fs SID. */
		sid = sbsec->sid;

		/* Try to obtain a transition SID. */
		rc = security_transition_sid(&selinux_state, task_sid, sid,
					     sclass, NULL, &sid);
		if (rc)
			goto out;
		break;
	case SECURITY_FS_USE_MNTPOINT:
		/* Single label for everything below the mount point. */
		sid = sbsec->mntpoint_sid;
		break;
	default:
		/* Default to the fs superblock SID. */
		sid = sbsec->sid;

		/*
		 * genfs labeling by path; symlinks are only included when
		 * the genfs_seclabel_symlinks policy capability is set.
		 */
		if ((sbsec->flags & SE_SBGENFS) &&
		     (!S_ISLNK(inode->i_mode) ||
		      selinux_policycap_genfs_seclabel_symlinks())) {
			/* We must have a dentry to determine the label on
			 * procfs inodes */
			if (opt_dentry) {
				/* Called from d_instantiate or
				 * d_splice_alias. */
				dentry = dget(opt_dentry);
			} else {
				/* Called from selinux_complete_init, try to
				 * find a dentry.  Some filesystems really want
				 * a connected one, so try that first.
				 */
				dentry = d_find_alias(inode);
				if (!dentry)
					dentry = d_find_any_alias(inode);
			}
			/*
			 * This can be hit on boot when a file is accessed
			 * before the policy is loaded.  When we load policy we
			 * may find inodes that have no dentry on the
			 * sbsec->isec_head list.  No reason to complain as
			 * these will get fixed up the next time we go through
			 * inode_doinit() with a dentry, before these inodes
			 * could be used again by userspace.
			 */
			if (!dentry)
				goto out_invalid;
			rc = selinux_genfs_get_sid(dentry, sclass,
						   sbsec->flags, &sid);
			if (rc) {
				dput(dentry);
				goto out;
			}

			/*
			 * On genfs filesystems that also support xattrs, a
			 * stored security.selinux label overrides the path
			 * based one; the genfs SID is the fallback passed in.
			 */
			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
			    (inode->i_opflags & IOP_XATTR)) {
				rc = inode_doinit_use_xattr(inode, dentry,
							    sid, &sid);
				if (rc) {
					dput(dentry);
					goto out;
				}
			}
			dput(dentry);
		}
		break;
	}

out:
	/*
	 * Commit the result only if the label is still PENDING, i.e. nobody
	 * else finished or invalidated it while the lock was dropped.
	 */
	spin_lock(&isec->lock);
	if (isec->initialized == LABEL_PENDING) {
		if (rc) {
			isec->initialized = LABEL_INVALID;
			goto out_unlock;
		}
		isec->initialized = LABEL_INITIALIZED;
		isec->sid = sid;
	}

out_unlock:
	spin_unlock(&isec->lock);
	return rc;

out_invalid:
	/*
	 * No dentry was available: leave the label INVALID so a later
	 * inode_doinit with a dentry retries, but report success since this
	 * is expected during early boot (see the comments above).
	 */
	spin_lock(&isec->lock);
	if (isec->initialized == LABEL_PENDING) {
		isec->initialized = LABEL_INVALID;
		isec->sid = sid;
	}
	spin_unlock(&isec->lock);
	return 0;
}
1616
1617/* Convert a Linux signal to an access vector. */
/*
 * Map a Linux signal number to the process-class permission that
 * sending it requires.  SIGCHLD, SIGKILL and SIGSTOP each carry their
 * own permission so policy can grant them independently of the rest;
 * every other signal falls under the generic PROCESS__SIGNAL permission.
 */
static inline u32 signal_to_av(int sig)
{
	if (sig == SIGCHLD)
		return PROCESS__SIGCHLD;	/* commonly granted child -> parent */
	if (sig == SIGKILL)
		return PROCESS__SIGKILL;	/* cannot be caught or ignored */
	if (sig == SIGSTOP)
		return PROCESS__SIGSTOP;	/* cannot be caught or ignored */

	/* All other signals. */
	return PROCESS__SIGNAL;
}
1643
1644#if CAP_LAST_CAP > 63
1645#error Fix SELinux to handle capabilities > 63.
1646#endif
1647
1648/* Check whether a task is allowed to use a capability. */
/*
 * Check whether @cred may exercise capability @cap.
 *
 * The check is self-directed (source and target are both the cred's SID)
 * in one of two class pairs: capability/capability2 when @initns is true,
 * cap_userns/cap2_userns otherwise, so policy can treat capabilities used
 * against the initial user namespace differently from those used inside
 * a child namespace.  Capabilities 0-31 map to the first class of a pair
 * and 32-63 to the second; any other index is a kernel bug (the
 * CAP_LAST_CAP build-time check above guards the upper bound).
 *
 * @opts: CAP_OPT_NOAUDIT suppresses the audit record; the access decision
 *        itself is always computed.
 *
 * Returns 0 if the capability is permitted, otherwise the AVC error, or
 * the error from avc_audit() if emitting the audit record fails.
 */
static int cred_has_capability(const struct cred *cred,
			       int cap, unsigned int opts, bool initns)
{
	const u32 sid = cred_sid(cred);
	const u32 av = CAP_TO_MASK(cap);
	struct common_audit_data ad;
	struct av_decision avd;
	u16 sclass;
	int rc, audit_rc;

	ad.type = LSM_AUDIT_DATA_CAP;
	ad.u.cap = cap;

	/* Pick the class by which 32-bit word of the capability set @cap lives in. */
	if (CAP_TO_INDEX(cap) == 0) {
		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
	} else if (CAP_TO_INDEX(cap) == 1) {
		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
	} else {
		pr_err("SELinux:  out of range capability %d\n", cap);
		BUG();
		return -EINVAL;
	}

	rc = avc_has_perm_noaudit(&selinux_state,
				  sid, sid, sclass, av, 0, &avd);
	if (opts & CAP_OPT_NOAUDIT)
		return rc;

	/* A failure to audit takes precedence over the access result. */
	audit_rc = avc_audit(&selinux_state,
			     sid, sid, sclass, av, &avd, rc, &ad);
	if (audit_rc)
		return audit_rc;

	return rc;
}
1685
/*
 * Check whether @cred holds @perms on @inode.
 *
 * @adp is optional supplementary audit data (e.g. a dentry or path) that
 * lets the audit code print a pathname; pass NULL when none is available.
 *
 * Kernel-private inodes (IS_PRIVATE) are never mediated and always
 * return 0.
 */
static int inode_has_perm(const struct cred *cred,
			  struct inode *inode,
			  u32 perms,
			  struct common_audit_data *adp)
{
	const struct inode_security_struct *isec;

	validate_creds(cred);

	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	isec = selinux_inode(inode);
	return avc_has_perm(&selinux_state, cred_sid(cred),
			    isec->sid, isec->sclass, perms, adp);
}
1708
/*
 * inode_has_perm() on the inode behind @dentry, with the dentry supplied
 * as audit data so a denial can be reported with a pathname.  The inode
 * label is revalidated first, since this path may be reached before the
 * inode's security blob has been initialized for this dentry.
 */
static inline int dentry_has_perm(const struct cred *cred,
				  struct dentry *dentry,
				  u32 av)
{
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = dentry,
	};
	struct inode *inode = d_backing_inode(dentry);

	__inode_security_revalidate(inode, dentry, true);
	return inode_has_perm(cred, inode, av, &ad);
}
1724
/*
 * inode_has_perm() on the inode behind @path, with the full path supplied
 * as audit data (copied by value into the audit record).  The inode label
 * is revalidated before the check, as in dentry_has_perm().
 */
static inline int path_has_perm(const struct cred *cred,
				const struct path *path,
				u32 av)
{
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_PATH,
		.u.path = *path,
	};
	struct inode *inode = d_backing_inode(path->dentry);

	__inode_security_revalidate(inode, path->dentry, true);
	return inode_has_perm(cred, inode, av, &ad);
}
1740
/*
 * inode_has_perm() on the inode of an open @file, with the file supplied
 * as audit data.  Unlike file_has_perm() this does not check fd:use on
 * the descriptor itself -- only the inode permission @av is mediated.
 */
static inline int file_path_has_perm(const struct cred *cred,
				     struct file *file,
				     u32 av)
{
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_FILE,
		.u.file = file,
	};

	return inode_has_perm(cred, file_inode(file), av, &ad);
}
1752
1753#ifdef CONFIG_BPF_SYSCALL
1754static int bpf_fd_pass(struct file *file, u32 sid);
1755#endif
1756
/*
 * Check whether @cred may use open descriptor @file to reach its inode
 * with permissions @av.
 *
 * Two objects are mediated in sequence:
 *  1. the descriptor itself (fd:use against the SID recorded in the
 *     file's security blob), implicitly granted when that SID equals
 *     the caller's SID -- i.e. the caller opened it;
 *  2. the inode behind it, via inode_has_perm(), skipped when @av is 0
 *     for operations that only touch the descriptor (e.g. seek).
 *
 * With CONFIG_BPF_SYSCALL, bpf_fd_pass() additionally mediates BPF map
 * and program descriptors between the fd check and the inode check.
 *
 * Returns 0 on success or the first denial encountered.
 */
static int file_has_perm(const struct cred *cred,
			 struct file *file,
			 u32 av)
{
	const struct file_security_struct *fsec = selinux_file(file);
	const u32 sid = cred_sid(cred);
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_FILE,
		.u.file = file,
	};
	int rc;

	/* Descriptor check: only needed if someone else opened it. */
	if (sid != fsec->sid) {
		rc = avc_has_perm(&selinux_state,
				  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
		if (rc)
			return rc;
	}

#ifdef CONFIG_BPF_SYSCALL
	rc = bpf_fd_pass(file, sid);
	if (rc)
		return rc;
#endif

	/* av == 0 means the caller only cares about the descriptor. */
	if (!av)
		return 0;

	return inode_has_perm(cred, file_inode(file), av, &ad);
}
1802
1803/*
1804 * Determine the label for an inode that might be unioned.
1805 */
1806static int
1807selinux_determine_inode_label(const struct task_security_struct *tsec,
1808                                 struct inode *dir,
1809                                 const struct qstr *name, u16 tclass,
1810                                 u32 *_new_isid)
1811{
1812        const struct superblock_security_struct *sbsec =
1813                                                selinux_superblock(dir->i_sb);
1814
1815        if ((sbsec->flags & SE_SBINITIALIZED) &&
1816            (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1817                *_new_isid = sbsec->mntpoint_sid;
1818        } else if ((sbsec->flags & SBLABEL_MNT) &&
1819                   tsec->create_sid) {
1820                *_new_isid = tsec->create_sid;
1821        } else {
1822                const struct inode_security_struct *dsec = inode_security(dir);
1823                return security_transition_sid(&selinux_state, tsec->sid,
1824                                               dsec->sid, tclass,
1825                                               name, _new_isid);
1826        }
1827
1828        return 0;
1829}
1830
/*
 * Check whether the current task may create @dentry of class @tclass in
 * directory @dir.
 *
 * Three checks, all of which must pass:
 *  - dir:{add_name search} on the parent directory;
 *  - <tclass>:create from the task SID to the label the new inode will
 *    get (as determined by selinux_determine_inode_label());
 *  - filesystem:associate from that new label to the superblock, so a
 *    label cannot be placed on a filesystem that may not hold it.
 *
 * Returns 0 if all pass, otherwise the first error.
 */
static int may_create(struct inode *dir,
		      struct dentry *dentry,
		      u16 tclass)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	const struct inode_security_struct *dsec = inode_security(dir);
	const struct superblock_security_struct *sbsec =
						selinux_superblock(dir->i_sb);
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = dentry,
	};
	u32 newsid;
	int rc;

	rc = avc_has_perm(&selinux_state, tsec->sid, dsec->sid, SECCLASS_DIR,
			  DIR__ADD_NAME | DIR__SEARCH, &ad);
	if (rc)
		return rc;

	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
					   &newsid);
	if (rc)
		return rc;

	rc = avc_has_perm(&selinux_state, tsec->sid, newsid, tclass,
			  FILE__CREATE, &ad);
	if (rc)
		return rc;

	return avc_has_perm(&selinux_state, newsid, sbsec->sid,
			    SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, &ad);
}
1873
1874#define MAY_LINK        0
1875#define MAY_UNLINK      1
1876#define MAY_RMDIR       2
1877
/*
 * Check whether the current task may link (MAY_LINK), unlink
 * (MAY_UNLINK) or rmdir (MAY_RMDIR) @dentry within directory @dir.
 *
 * First the parent directory is checked for dir:search plus either
 * add_name (link) or remove_name (unlink/rmdir); then the target object
 * is checked for the matching permission in its own class.  An
 * unrecognized @kind is logged and treated as allowed after the
 * directory check, since there is no object permission to apply.
 */
static int may_link(struct inode *dir,
		    struct dentry *dentry,
		    int kind)

{
	const struct inode_security_struct *dsec = inode_security(dir);
	const struct inode_security_struct *isec = backing_inode_security(dentry);
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = dentry,
	};
	const u32 sid = current_sid();
	u32 dir_av, obj_av;
	int rc;

	/* MAY_LINK adds a name; unlink and rmdir remove one. */
	dir_av = DIR__SEARCH | (kind == MAY_LINK ? DIR__ADD_NAME
					       : DIR__REMOVE_NAME);
	rc = avc_has_perm(&selinux_state, sid, dsec->sid, SECCLASS_DIR,
			  dir_av, &ad);
	if (rc)
		return rc;

	if (kind == MAY_LINK) {
		obj_av = FILE__LINK;
	} else if (kind == MAY_UNLINK) {
		obj_av = FILE__UNLINK;
	} else if (kind == MAY_RMDIR) {
		obj_av = DIR__RMDIR;
	} else {
		pr_warn("SELinux: %s:  unrecognized kind %d\n",
			__func__, kind);
		return 0;
	}

	return avc_has_perm(&selinux_state, sid, isec->sid, isec->sclass,
			    obj_av, &ad);
}
1923
/*
 * Check whether the current task may rename @old_dentry (in @old_dir) to
 * @new_dentry (in @new_dir).
 *
 * Checks, in order, each of which must pass:
 *  - old dir: dir:{remove_name search};
 *  - old object: <class>:rename;
 *  - old object, only if it is a directory moving to a different parent:
 *    dir:reparent;
 *  - new dir: dir:{add_name search}, plus remove_name when @new_dentry
 *    already exists and will be replaced;
 *  - existing target, if any: dir:rmdir for a directory, <class>:unlink
 *    otherwise.
 *
 * Audit data switches from @old_dentry to @new_dentry for the checks on
 * the destination so denials name the relevant path.  Returns 0 on
 * success or the first denial.
 */
static inline int may_rename(struct inode *old_dir,
			     struct dentry *old_dentry,
			     struct inode *new_dir,
			     struct dentry *new_dentry)
{
	struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
	struct common_audit_data ad;
	u32 sid = current_sid();
	u32 av;
	int old_is_dir, new_is_dir;
	int rc;

	old_dsec = inode_security(old_dir);
	old_isec = backing_inode_security(old_dentry);
	old_is_dir = d_is_dir(old_dentry);
	new_dsec = inode_security(new_dir);

	ad.type = LSM_AUDIT_DATA_DENTRY;

	/* Source side: removing the name from old_dir and renaming the object. */
	ad.u.dentry = old_dentry;
	rc = avc_has_perm(&selinux_state,
			  sid, old_dsec->sid, SECCLASS_DIR,
			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
	if (rc)
		return rc;
	rc = avc_has_perm(&selinux_state,
			  sid, old_isec->sid,
			  old_isec->sclass, FILE__RENAME, &ad);
	if (rc)
		return rc;
	/* Moving a directory under a different parent needs dir:reparent. */
	if (old_is_dir && new_dir != old_dir) {
		rc = avc_has_perm(&selinux_state,
				  sid, old_isec->sid,
				  old_isec->sclass, DIR__REPARENT, &ad);
		if (rc)
			return rc;
	}

	/* Destination side: adding the name, and replacing any existing entry. */
	ad.u.dentry = new_dentry;
	av = DIR__ADD_NAME | DIR__SEARCH;
	if (d_is_positive(new_dentry))
		av |= DIR__REMOVE_NAME;
	rc = avc_has_perm(&selinux_state,
			  sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
	if (rc)
		return rc;
	if (d_is_positive(new_dentry)) {
		/* The target exists and will be removed by the rename. */
		new_isec = backing_inode_security(new_dentry);
		new_is_dir = d_is_dir(new_dentry);
		rc = avc_has_perm(&selinux_state,
				  sid, new_isec->sid,
				  new_isec->sclass,
				  (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
		if (rc)
			return rc;
	}

	return 0;
}
1983
/*
 * Check whether @cred holds filesystem-class permissions @perms on the
 * superblock @sb.  @ad is optional audit data and may be NULL.
 */
static int superblock_has_perm(const struct cred *cred,
			       struct super_block *sb,
			       u32 perms,
			       struct common_audit_data *ad)
{
	const struct superblock_security_struct *sbsec = selinux_superblock(sb);

	return avc_has_perm(&selinux_state, cred_sid(cred), sbsec->sid,
			    SECCLASS_FILESYSTEM, perms, ad);
}
1997
/*
 * Translate a VFS permission mask (MAY_READ/MAY_WRITE/MAY_EXEC/MAY_APPEND)
 * into SELinux file- or dir-class permissions according to inode @mode.
 *
 * For non-directories MAY_APPEND takes precedence over MAY_WRITE, so an
 * append-only open maps to file:append rather than file:write.  For
 * directories MAY_EXEC means dir:search; MAY_APPEND has no directory
 * equivalent and is ignored.
 */
static inline u32 file_mask_to_av(int mode, int mask)
{
	u32 av = 0;

	if (S_ISDIR(mode)) {
		if (mask & MAY_EXEC)
			av |= DIR__SEARCH;
		if (mask & MAY_WRITE)
			av |= DIR__WRITE;
		if (mask & MAY_READ)
			av |= DIR__READ;
		return av;
	}

	if (mask & MAY_EXEC)
		av |= FILE__EXECUTE;
	if (mask & MAY_READ)
		av |= FILE__READ;

	if (mask & MAY_APPEND)
		av |= FILE__APPEND;
	else if (mask & MAY_WRITE)
		av |= FILE__WRITE;

	return av;
}
2025
/*
 * Derive the file-class permissions implied by how @file was opened:
 * FMODE_READ -> read, FMODE_WRITE -> append if O_APPEND else write.
 *
 * A file opened with neither read nor write mode (the O_RDWR|O_WRONLY
 * "flags 3" idiom used for ioctl-only access to special files) maps to
 * file:ioctl so that such opens are still mediated.
 */
static inline u32 file_to_av(struct file *file)
{
	u32 av = 0;

	if (file->f_mode & FMODE_READ)
		av |= FILE__READ;

	if (file->f_mode & FMODE_WRITE)
		av |= (file->f_flags & O_APPEND) ? FILE__APPEND : FILE__WRITE;

	/* Special file opened with flags 3 for ioctl-only use. */
	return av ? av : FILE__IOCTL;
}
2048
2049/*
2050 * Convert a file to an access vector and include the correct
2051 * open permission.
2052 */
2053static inline u32 open_file_to_av(struct file *file)
2054{
2055        u32 av = file_to_av(file);
2056        struct inode *inode = file_inode(file);
2057
2058        if (selinux_policycap_openperm() &&
2059            inode->i_sb->s_magic != SOCKFS_MAGIC)
2060                av |= FILE__OPEN;
2061
2062        return av;
2063}
2064
2065/* Hook functions begin here. */
2066
/*
 * Binder hook: may the current task register @mgr as the binder context
 * manager?  Requires binder:set_context_mgr from the caller's SID to the
 * (binder-view) SID of @mgr.
 */
static int selinux_binder_set_context_mgr(struct task_struct *mgr)
{
	const u32 mgrsid = task_sid_binder(mgr);

	return avc_has_perm(&selinux_state, current_sid(), mgrsid,
			    SECCLASS_BINDER, BINDER__SET_CONTEXT_MGR, NULL);
}
2073
/*
 * Binder hook: may a transaction be sent from @from to @to?
 *
 * If the current task is not @from (the transaction is being issued on
 * another task's behalf) the caller must first hold binder:impersonate
 * on @from's SID.  The transaction itself then needs binder:call from
 * @from's SID to @to's SID, regardless of who issued it.
 */
static int selinux_binder_transaction(struct task_struct *from,
				      struct task_struct *to)
{
	const u32 callersid = current_sid();
	const u32 fromsid = task_sid_binder(from);
	int rc = 0;

	if (callersid != fromsid)
		rc = avc_has_perm(&selinux_state, callersid, fromsid,
				  SECCLASS_BINDER, BINDER__IMPERSONATE, NULL);
	if (rc)
		return rc;

	return avc_has_perm(&selinux_state, fromsid, task_sid_binder(to),
			    SECCLASS_BINDER, BINDER__CALL, NULL);
}
2092
/*
 * Binder hook: may a binder reference be transferred from @from to @to?
 * Requires binder:transfer between the two tasks' binder SIDs; the
 * current task's own SID is not consulted.
 */
static int selinux_binder_transfer_binder(struct task_struct *from,
					  struct task_struct *to)
{
	const u32 fromsid = task_sid_binder(from);
	const u32 tosid = task_sid_binder(to);

	return avc_has_perm(&selinux_state, fromsid, tosid,
			    SECCLASS_BINDER, BINDER__TRANSFER, NULL);
}
2101
/*
 * Binder hook: may open @file be passed from @from to @to?
 *
 * The checks are made on behalf of the receiver (@to), not the sender:
 *  - fd:use from @to's SID to the descriptor's SID, unless @to's SID
 *    already matches it;
 *  - with CONFIG_BPF_SYSCALL, bpf_fd_pass() for BPF map/program fds;
 *  - the file-class permissions implied by the open mode (file_to_av())
 *    from @to's SID to the inode, skipped for kernel-private inodes.
 *
 * This mirrors file_has_perm() but with the receiver as subject, since
 * the receiver is the one who will gain access.  @from is unused here.
 */
static int selinux_binder_transfer_file(struct task_struct *from,
					struct task_struct *to,
					struct file *file)
{
	const u32 tosid = task_sid_binder(to);
	const struct file_security_struct *fsec = selinux_file(file);
	struct dentry *dentry = file->f_path.dentry;
	const struct inode_security_struct *isec;
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_PATH,
		.u.path = file->f_path,
	};
	int rc = 0;

	if (tosid != fsec->sid)
		rc = avc_has_perm(&selinux_state, tosid, fsec->sid,
				  SECCLASS_FD, FD__USE, &ad);
	if (rc)
		return rc;

#ifdef CONFIG_BPF_SYSCALL
	rc = bpf_fd_pass(file, tosid);
	if (rc)
		return rc;
#endif

	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;

	isec = backing_inode_security(dentry);
	return avc_has_perm(&selinux_state, tosid, isec->sid, isec->sclass,
			    file_to_av(file), &ad);
}
2140
/*
 * ptrace hook: may the current task inspect or attach to @child?
 *
 * PTRACE_MODE_READ requests (e.g. reading another task's /proc entries)
 * are mediated as file:read on @child's SID; every other mode is treated
 * as a full attach and requires process:ptrace.
 */
static int selinux_ptrace_access_check(struct task_struct *child,
				       unsigned int mode)
{
	const u32 sid = current_sid();
	const u32 csid = task_sid_obj(child);

	if (!(mode & PTRACE_MODE_READ))
		return avc_has_perm(&selinux_state, sid, csid,
				    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);

	return avc_has_perm(&selinux_state, sid, csid,
			    SECCLASS_FILE, FILE__READ, NULL);
}
2154
/*
 * ptrace hook for PTRACE_TRACEME: the current task asks to be traced by
 * @parent.  The permission is checked in the direction the tracing will
 * happen -- process:ptrace from @parent's (subject) SID to the current
 * task's (object) SID -- not from the requester.
 */
static int selinux_ptrace_traceme(struct task_struct *parent)
{
	const u32 tracersid = task_sid_subj(parent);
	const u32 tracee_sid = task_sid_obj(current);

	return avc_has_perm(&selinux_state, tracersid, tracee_sid,
			    SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
}
2161
/*
 * capget hook: may the current task read @target's capability sets?
 * Requires process:getcap on @target.  The capability set pointers are
 * not examined here.
 */
static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	const u32 targetsid = task_sid_obj(target);

	return avc_has_perm(&selinux_state, current_sid(), targetsid,
			    SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
}
2169
/*
 * capset hook: may the capability sets in @new be installed, given the
 * task currently runs with @old?  Requires process:setcap from the old
 * cred's SID to the new cred's SID; the individual set values are not
 * inspected by SELinux.
 */
static int selinux_capset(struct cred *new, const struct cred *old,
			  const kernel_cap_t *effective,
			  const kernel_cap_t *inheritable,
			  const kernel_cap_t *permitted)
{
	const u32 oldsid = cred_sid(old);
	const u32 newsid = cred_sid(new);

	return avc_has_perm(&selinux_state, oldsid, newsid,
			    SECCLASS_PROCESS, PROCESS__SETCAP, NULL);
}
2179
2180/*
2181 * (This comment used to live with the selinux_task_setuid hook,
2182 * which was removed).
2183 *
2184 * Since setuid only affects the current process, and since the SELinux
2185 * controls are not based on the Linux identity attributes, SELinux does not
2186 * need to control this operation.  However, SELinux does control the use of
2187 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2188 */
2189
/*
 * capable hook: defer to cred_has_capability(), selecting the
 * capability/capability2 classes when the capability is being exercised
 * against the initial user namespace and the cap_userns/cap2_userns
 * classes for any other namespace.
 */
static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
			   int cap, unsigned int opts)
{
	const bool initns = (ns == &init_user_ns);

	return cred_has_capability(cred, cap, opts, initns);
}
2195
/*
 * quotactl hook: mediate quota operations on @sb.
 *
 * Commands that alter quota state or limits require
 * filesystem:quotamod; read-only queries require filesystem:quotaget.
 * A NULL @sb, and any command not listed below, is passed through
 * unchecked so the core quota code can reject it (or, where a command
 * is privileged, apply its own CAP_SYS_ADMIN check, which SELinux
 * mediates via the capable hook).
 *
 * NOTE(review): commands outside the two lists -- e.g. Q_XQUOTARM, and
 * Q_GETNEXTQUOTA if this kernel defines it -- fall into the default case
 * and get no quotamod/quotaget check here; confirm that is intended.
 *
 * @type and @id are not used by the decision.
 */
static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
{
	u32 perm;

	if (!sb)
		return 0;

	switch (cmds) {
	/* State or limit changes. */
	case Q_SYNC:
	case Q_QUOTAON:
	case Q_QUOTAOFF:
	case Q_SETINFO:
	case Q_SETQUOTA:
	case Q_XQUOTAOFF:
	case Q_XQUOTAON:
	case Q_XSETQLIM:
		perm = FILESYSTEM__QUOTAMOD;
		break;
	/* Read-only queries. */
	case Q_GETFMT:
	case Q_GETINFO:
	case Q_GETQUOTA:
	case Q_XGETQUOTA:
	case Q_XGETQSTAT:
	case Q_XGETQSTATV:
	case Q_XGETNEXTQUOTA:
		perm = FILESYSTEM__QUOTAGET;
		break;
	default:
		/* Let the kernel handle invalid or unlisted commands. */
		return 0;
	}

	return superblock_has_perm(current_cred(), sb, perm, NULL);
}
2230
/*
 * quota_on hook: may the current task enable quotas using the quota
 * file at @dentry?  Requires file:quotaon on that file.
 */
static int selinux_quota_on(struct dentry *dentry)
{
	return dentry_has_perm(current_cred(), dentry, FILE__QUOTAON);
}
2237
/*
 * syslog hook: mediate access to the kernel log ring buffer.
 *
 * The syslog(2) action is folded into one of three system-class
 * permissions checked against the kernel SID:
 *  - syslog_read:    reading the buffer or querying its size;
 *  - syslog_console: enabling/disabling console logging or setting the
 *                    console log level;
 *  - syslog_mod:     everything else (consuming/clearing the log, etc.).
 */
static int selinux_syslog(int type)
{
	u32 perm;

	switch (type) {
	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
		perm = SYSTEM__SYSLOG_READ;
		break;
	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
	case SYSLOG_ACTION_CONSOLE_LEVEL: /* Set console message level */
		perm = SYSTEM__SYSLOG_CONSOLE;
		break;
	default:			/* All other syslog types */
		perm = SYSTEM__SYSLOG_MOD;
		break;
	}

	return avc_has_perm(&selinux_state, current_sid(), SECINITSID_KERNEL,
			    SECCLASS_SYSTEM, perm, NULL);
}
2260
2261/*
2262 * Check that a process has enough memory to allocate a new virtual
2263 * mapping. 0 means there is enough memory for the allocation to
2264 * succeed and -ENOMEM implies there is not.
2265 *
2266 * Do not audit the selinux permission check, as this is applied to all
2267 * processes that allocate mappings.
2268 */
/*
 * Returns 1 if the current task is allowed CAP_SYS_ADMIN (checked
 * silently, CAP_OPT_NOAUDIT, against the initial user namespace), else 0.
 * @mm and @pages are not consulted.
 */
static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
{
	const int rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
					   CAP_OPT_NOAUDIT, true);

	return rc == 0 ? 1 : 0;
}
2280
2281/* binprm security operations */
2282
/*
 * Return the SID of the task currently ptracing the caller, or 0 if the
 * caller is not being traced.  The tracer lookup is done under RCU so
 * the task pointer is not dereferenced after the tracer could have gone
 * away.
 */
static u32 ptrace_parent_sid(void)
{
	struct task_struct *tracer;
	u32 tracersid = 0;

	rcu_read_lock();
	tracer = ptrace_parent(current);
	if (tracer)
		tracersid = task_sid_obj(tracer);
	rcu_read_unlock();

	return tracersid;
}
2296
/*
 * Decide whether a SID change on exec is permitted when the task has
 * no_new_privs set (@bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) or the
 * executable lives on a nosuid mount.
 *
 * A transition is allowed if:
 *  - neither NNP nor nosuid applies, or the SID is not changing at all;
 *  - the policy enables the nnp_nosuid_transition capability and grants
 *    process2:nnp_transition and/or process2:nosuid_transition (whichever
 *    conditions apply) from the old SID to the new one;
 *  - the new SID is bounded by the old one, i.e. the policy guarantees it
 *    can only ever hold a subset of the old SID's permissions, so the
 *    change cannot be a privilege gain.
 *
 * On denial the errno distinguishes the cause: -EPERM for NNP
 * ("operation not permitted" for the caller), -EACCES for nosuid
 * ("permission denied" on the file).
 */
static int check_nnp_nosuid(const struct linux_binprm *bprm,
			    const struct task_security_struct *old_tsec,
			    const struct task_security_struct *new_tsec)
{
	const bool nnp = !!(bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
	const bool nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
	u32 av = 0;

	/* Nothing to restrict: no NNP/nosuid, or no credential change. */
	if (!nnp && !nosuid)
		return 0;
	if (new_tsec->sid == old_tsec->sid)
		return 0;

	/* Explicit policy grant for the applicable condition(s). */
	if (selinux_policycap_nnp_nosuid_transition()) {
		if (nnp)
			av |= PROCESS2__NNP_TRANSITION;
		if (nosuid)
			av |= PROCESS2__NOSUID_TRANSITION;
		if (avc_has_perm(&selinux_state, old_tsec->sid, new_tsec->sid,
				 SECCLASS_PROCESS2, av, NULL) == 0)
			return 0;
	}

	/* Bounded transitions can only shed privilege, so allow them. */
	if (security_bounded_transition(&selinux_state, old_tsec->sid,
					new_tsec->sid) == 0)
		return 0;

	return nnp ? -EPERM : -EACCES;
}
2350
/*
 * bprm_creds_for_exec hook: compute the SELinux credentials the task will
 * run with after exec and authorize the resulting (non-)transition.
 *
 * Label selection:
 *  - an explicit exec SID (set via setexeccon) wins and is consumed; an
 *    NNP/nosuid denial of it is a hard exec failure;
 *  - otherwise the policy's default process transition from the old SID
 *    and the executable's label is used; if NNP/nosuid forbids that
 *    transition the exec proceeds silently in the old SID instead.
 *
 * Authorization:
 *  - no SID change: file:execute_no_trans on the executable;
 *  - SID change: process:transition old->new, file:entrypoint new->exe,
 *    process:share if the task shares state (LSM_UNSAFE_SHARE),
 *    process:ptrace from any tracer to the new SID (LSM_UNSAFE_PTRACE),
 *    personality bits cleared as for setuid, and secureexec forced
 *    unless process:noatsecure is granted old->new.
 *
 * The fs/key/socket create SIDs are always reset on exec.  Returns 0 on
 * success or a negative errno; share/ptrace denials are reported as
 * -EPERM regardless of the AVC's own error.
 */
static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
{
	const struct task_security_struct *old_tsec;
	struct task_security_struct *new_tsec;
	struct inode_security_struct *isec;
	struct common_audit_data ad;
	struct inode *inode = file_inode(bprm->file);
	int rc;

	/* SELinux context only depends on initial program or script and not
	 * the script interpreter */

	old_tsec = selinux_cred(current_cred());
	new_tsec = selinux_cred(bprm->cred);
	isec = inode_security(inode);

	/* Default to the current task SID. */
	new_tsec->sid = old_tsec->sid;
	new_tsec->osid = old_tsec->sid;

	/* Reset fs, key, and sock SIDs on execve. */
	new_tsec->create_sid = 0;
	new_tsec->keycreate_sid = 0;
	new_tsec->sockcreate_sid = 0;

	if (old_tsec->exec_sid) {
		/* Caller asked for a specific context via setexeccon. */
		new_tsec->sid = old_tsec->exec_sid;
		/* Reset exec SID on execve. */
		new_tsec->exec_sid = 0;

		/* Fail on NNP or nosuid if not an allowed transition. */
		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
		if (rc)
			return rc;
	} else {
		/* Check for a default transition on this program. */
		rc = security_transition_sid(&selinux_state, old_tsec->sid,
					     isec->sid, SECCLASS_PROCESS, NULL,
					     &new_tsec->sid);
		if (rc)
			return rc;

		/*
		 * Fallback to old SID on NNP or nosuid if not an allowed
		 * transition.  Note this is deliberately not an error: the
		 * exec continues without the automatic domain change.
		 */
		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
		if (rc)
			new_tsec->sid = old_tsec->sid;
	}

	ad.type = LSM_AUDIT_DATA_FILE;
	ad.u.file = bprm->file;

	if (new_tsec->sid == old_tsec->sid) {
		/* Staying in the same domain still needs execute_no_trans. */
		rc = avc_has_perm(&selinux_state,
				  old_tsec->sid, isec->sid,
				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
		if (rc)
			return rc;
	} else {
		/* Check permissions for the transition. */
		rc = avc_has_perm(&selinux_state,
				  old_tsec->sid, new_tsec->sid,
				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
		if (rc)
			return rc;

		/* The executable must be a valid entry point for the new domain. */
		rc = avc_has_perm(&selinux_state,
				  new_tsec->sid, isec->sid,
				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
		if (rc)
			return rc;

		/* Check for shared state */
		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
			rc = avc_has_perm(&selinux_state,
					  old_tsec->sid, new_tsec->sid,
					  SECCLASS_PROCESS, PROCESS__SHARE,
					  NULL);
			if (rc)
				return -EPERM;
		}

		/* Make sure that anyone attempting to ptrace over a task that
		 * changes its SID has the appropriate permit */
		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
			u32 ptsid = ptrace_parent_sid();
			/* ptsid == 0 means no tracer was found; nothing to check. */
			if (ptsid != 0) {
				rc = avc_has_perm(&selinux_state,
						  ptsid, new_tsec->sid,
						  SECCLASS_PROCESS,
						  PROCESS__PTRACE, NULL);
				if (rc)
					return -EPERM;
			}
		}

		/* Clear any possibly unsafe personality bits on exec: */
		bprm->per_clear |= PER_CLEAR_ON_SETID;

		/* Enable secure mode for SIDs transitions unless
		   the noatsecure permission is granted between
		   the two SIDs, i.e. ahp returns 0. */
		rc = avc_has_perm(&selinux_state,
				  old_tsec->sid, new_tsec->sid,
				  SECCLASS_PROCESS, PROCESS__NOATSECURE,
				  NULL);
		bprm->secureexec |= !!rc;
	}

	return 0;
}
2464
/*
 * iterate_fd() callback used by flush_unauthorized_files(): @p carries the
 * credentials the task is about to run with.  A descriptor those credentials
 * are denied on is reported as fd + 1 (never 0), so the caller can tell
 * "denied fd N" apart from "nothing found" and recover N as result - 1.
 */
static int match_file(const void *p, struct file *file, unsigned fd)
{
	const struct cred *cred = p;

	if (file_has_perm(cred, file, file_to_av(file)))
		return fd + 1;
	return 0;
}
2469
/*
 * Derived from fs/exec.c:flush_old_files.
 *
 * Revalidate the controlling tty and every inherited open file against @cred,
 * the credentials the exec'ing task is about to run with.  A tty that @cred
 * may not both read and write is dropped via no_tty(); each open file that
 * @cred is denied (per match_file()) is replaced by a descriptor opened on
 * selinux_null, or closed if that open fails.  The intent is that a caller
 * cannot pass descriptors into a domain that could not have opened them.
 */
static inline void flush_unauthorized_files(const struct cred *cred,
					    struct files_struct *files)
{
	struct file *file, *devnull = NULL;
	struct tty_struct *tty;
	int drop_tty = 0;
	unsigned n;

	tty = get_current_tty();
	if (tty) {
		/* tty_files is only stable under files_lock; the decision is
		 * recorded in drop_tty and acted on after the lock is dropped,
		 * since no_tty() must not be called with it held. */
		spin_lock(&tty->files_lock);
		if (!list_empty(&tty->tty_files)) {
			struct tty_file_private *file_priv;

			/* Revalidate access to controlling tty.
			   Use file_path_has_perm on the tty path directly
			   rather than using file_has_perm, as this particular
			   open file may belong to another process and we are
			   only interested in the inode-based check here. */
			file_priv = list_first_entry(&tty->tty_files,
						struct tty_file_private, list);
			file = file_priv->file;
			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
				drop_tty = 1;
		}
		spin_unlock(&tty->files_lock);
		tty_kref_put(tty);
	}
	/* Reset controlling tty. */
	if (drop_tty)
		no_tty();

	/* Revalidate access to inherited open files. */
	n = iterate_fd(files, 0, match_file, cred);
	if (!n) /* none found? */
		return;

	/* If /dev/null cannot be opened, devnull stays NULL and replace_fd()
	 * is handed a NULL file, i.e. the offending descriptor is closed. */
	devnull = dentry_open(&selinux_null, O_RDWR, cred);
	if (IS_ERR(devnull))
		devnull = NULL;
	/* replace all the matching ones with this; match_file() returns
	 * fd + 1, so n - 1 is the denied descriptor and n is where the next
	 * scan resumes */
	do {
		replace_fd(n - 1, devnull, 0);
	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
	if (devnull)
		fput(devnull);
}
2518
/*
 * Prepare a process for imminent new credential changes due to exec.
 *
 * Runs only when the exec actually changes the task SID (sid != osid).
 * State that the new domain must not inherit from the old one is handled
 * here: open files and the controlling tty it may not use are flushed, the
 * parent-death signal is cleared, and soft resource limits are reset unless
 * policy grants process:rlimitinh between the old and new SIDs.
 */
static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
{
	struct task_security_struct *new_tsec;
	struct rlimit *rlim, *initrlim;
	int rc, i;

	new_tsec = selinux_cred(bprm->cred);
	if (new_tsec->sid == new_tsec->osid)
		return;

	/* Close files for which the new task SID is not authorized. */
	flush_unauthorized_files(bprm->cred, current->files);

	/* Always clear parent death signal on SID transitions. */
	current->pdeath_signal = 0;

	/* Check whether the new SID can inherit resource limits from the old
	 * SID.  If not, reset all soft limits to the lower of the current
	 * task's hard limit and the init task's soft limit.
	 *
	 * Note that the setting of hard limits (even to lower them) can be
	 * controlled by the setrlimit check.  The inclusion of the init task's
	 * soft limit into the computation is to avoid resetting soft limits
	 * higher than the default soft limit for cases where the default is
	 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
	 */
	rc = avc_has_perm(&selinux_state,
			  new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
			  PROCESS__RLIMITINH, NULL);
	if (rc) {
		/* protect against do_prlimit() */
		task_lock(current);
		for (i = 0; i < RLIM_NLIMITS; i++) {
			rlim = current->signal->rlim + i;
			initrlim = init_task.signal->rlim + i;
			rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
		}
		task_unlock(current);
		/* The CPU limit is enforced by a timer, so a lowered soft
		 * limit has to be pushed to it explicitly. */
		if (IS_ENABLED(CONFIG_POSIX_TIMERS))
			update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
	}
}
2564
/*
 * Clean up the process immediately after the installation of new credentials
 * due to exec.
 *
 * At this point current_cred() already carries the new SID, so this is the
 * earliest point at which signal state can be flushed and the parent woken
 * such that subsequent checks are made against the new label.  Nothing is
 * done when the exec did not change the SID.
 */
static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	u32 osid, sid;
	int rc;

	osid = tsec->osid;
	sid = tsec->sid;

	if (sid == osid)
		return;

	/* Check whether the new SID can inherit signal state from the old SID.
	 * If not, clear itimers to avoid subsequent signal generation and
	 * flush and unblock signals.
	 *
	 * This must occur _after_ the task SID has been updated so that any
	 * kill done after the flush will be checked against the new SID.
	 */
	rc = avc_has_perm(&selinux_state,
			  osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
	if (rc) {
		clear_itimer();

		/* Pending, shared-pending, handlers and the blocked mask are
		 * all dropped under siglock.  A pending fatal signal is left
		 * untouched -- presumably so a SIGKILL that raced with the
		 * exec still takes effect. */
		spin_lock_irq(&current->sighand->siglock);
		if (!fatal_signal_pending(current)) {
			flush_sigqueue(&current->pending);
			flush_sigqueue(&current->signal->shared_pending);
			flush_signal_handlers(current, 1);
			sigemptyset(&current->blocked);
			recalc_sigpending();
		}
		spin_unlock_irq(&current->sighand->siglock);
	}

	/* Wake up the parent if it is waiting so that it can recheck
	 * wait permission to the new task SID. */
	read_lock(&tasklist_lock);
	__wake_up_parent(current, current->real_parent);
	read_unlock(&tasklist_lock);
}
2610
2611/* superblock security operations */
2612
/*
 * Initialise the SELinux state attached to a freshly allocated superblock:
 * its locks, the isec_head list head, and placeholder SIDs that apply until
 * the superblock is labeled.  Cannot fail.
 */
static int selinux_sb_alloc_security(struct super_block *sb)
{
	struct superblock_security_struct *sb_sec = selinux_superblock(sb);

	/* Everything starts unlabeled; new inodes default to the file SID. */
	sb_sec->sid = SECINITSID_UNLABELED;
	sb_sec->def_sid = SECINITSID_FILE;
	sb_sec->mntpoint_sid = SECINITSID_UNLABELED;

	mutex_init(&sb_sec->lock);
	spin_lock_init(&sb_sec->isec_lock);
	INIT_LIST_HEAD(&sb_sec->isec_head);

	return 0;
}
2626
/*
 * Length of the first mount option in @s, i.e. the number of characters up to
 * (but not including) the first comma that is not inside double quotes, or
 * up to the terminating NUL.  Quotes are only tracked, not removed; an
 * unterminated quote simply runs to the end of the string.
 */
static inline int opt_len(const char *s)
{
	const char *p = s;
	bool quoted = false;

	while (*p != '\0') {
		if (*p == '"')
			quoted = !quoted;
		else if (*p == ',' && !quoted)
			break;
		p++;
	}
	return p - s;
}
2641
/*
 * Strip the SELinux mount options out of a legacy mount option string.
 *
 * @options is the comma-separated option string from the mount request and
 * is rewritten in place: options SELinux recognises (match_opt_prefix()) are
 * removed and handed to selinux_add_opt(), which accumulates them in
 * *@mnt_opts; everything else is compacted towards the front of the buffer.
 * A quoted argument (so a context may itself contain commas) has its double
 * quotes removed before being copied.  On any failure *@mnt_opts is released
 * and NULLed and the error returned; @options may already have been partly
 * rewritten at that point.
 */
static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
{
	char *from = options;
	char *to = options;
	bool first = true;
	int rc;

	while (1) {
		int len = opt_len(from);
		int token;
		char *arg = NULL;

		token = match_opt_prefix(from, len, &arg);

		if (token != Opt_error) {
			char *p, *q;

			/* strip quotes */
			if (arg) {
				/* Copy in place, dropping every '"' within the
				 * current option; q never runs ahead of p. */
				for (p = q = arg; p < from + len; p++) {
					char c = *p;
					if (c != '"')
						*q++ = c;
				}
				/* Bounded by the quote-stripped length, so a
				 * context that is not NUL-terminated within
				 * the option cannot be over-read. */
				arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
				if (!arg) {
					rc = -ENOMEM;
					goto free_opt;
				}
			}
			/* NOTE(review): arg is freed here only on failure, so
			 * selinux_add_opt() is assumed to take ownership of it
			 * on success -- confirm against its definition. */
			rc = selinux_add_opt(token, arg, mnt_opts);
			if (unlikely(rc)) {
				kfree(arg);
				goto free_opt;
			}
		} else {
			if (!first) {   // copy with preceding comma
				from--;
				len++;
			}
			/* Regions may overlap since to <= from. */
			if (to != from)
				memmove(to, from, len);
			to += len;
			first = false;
		}
		if (!from[len])
			break;
		from += len + 1;
	}
	*to = '\0';
	return 0;

free_opt:
	if (*mnt_opts) {
		selinux_free_mnt_opts(*mnt_opts);
		*mnt_opts = NULL;
	}
	return rc;
}
2701
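/*
 * Check whether the SELinux mount options in @mnt_opts are compatible with
 * the existing superblock @sb, for a mount that would share it.
 *
 * Returns 1 on any mismatch (the superblock must not be reused) and 0 when
 * the options are compatible:
 *  - uninitialised superblock: compatible only if no options were given;
 *  - no options given: compatible only if the superblock has no SELinux
 *    mount options set (SE_MNTMASK);
 *  - otherwise every supplied context must parse (parse_sid()) and must not
 *    conflict with the SID already recorded on the superblock (bad_option()).
 *
 * The security blob is reached through selinux_superblock(), as in
 * selinux_sb_alloc_security() and selinux_sb_remount(), rather than through
 * the raw sb->s_security pointer: selinux_superblock() locates the SELinux
 * portion of the (possibly LSM-shared) blob, whereas the raw pointer is the
 * start of the whole blob and need not be our struct.
 */
static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
{
	struct selinux_mnt_opts *opts = mnt_opts;
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
	u32 sid;
	int rc;

	/*
	 * Superblock not initialized (i.e. no options) - reject if any
	 * options specified, otherwise accept.
	 */
	if (!(sbsec->flags & SE_SBINITIALIZED))
		return opts ? 1 : 0;

	/*
	 * Superblock initialized and no options specified - reject if
	 * superblock has any options set, otherwise accept.
	 */
	if (!opts)
		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;

	/* Each context is compared against the SID it would replace. */
	if (opts->fscontext) {
		rc = parse_sid(sb, opts->fscontext, &sid);
		if (rc)
			return 1;
		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
			return 1;
	}
	if (opts->context) {
		rc = parse_sid(sb, opts->context, &sid);
		if (rc)
			return 1;
		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
			return 1;
	}
	if (opts->rootcontext) {
		struct inode_security_struct *root_isec;

		root_isec = backing_inode_security(sb->s_root);
		rc = parse_sid(sb, opts->rootcontext, &sid);
		if (rc)
			return 1;
		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
			return 1;
	}
	if (opts->defcontext) {
		rc = parse_sid(sb, opts->defcontext, &sid);
		if (rc)
			return 1;
		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
			return 1;
	}
	return 0;
}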
2756
/*
 * Remount hook: SELinux mount options may be repeated on a remount but must
 * not change the labeling already applied to the superblock.
 *
 * Returns 0 when the superblock is not yet initialised or no options were
 * given, the parse_sid() error when a supplied context cannot be parsed, and
 * -EINVAL (with a warning) when a context parses but bad_option() reports
 * that it differs from the SID currently on the superblock.
 */
static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
{
	struct selinux_mnt_opts *opts = mnt_opts;
	struct superblock_security_struct *sbsec = selinux_superblock(sb);
	u32 sid;
	int rc;

	if (!(sbsec->flags & SE_SBINITIALIZED))
		return 0;

	if (!opts)
		return 0;

	/* Each option is checked against the SID it would replace. */
	if (opts->fscontext) {
		rc = parse_sid(sb, opts->fscontext, &sid);
		if (rc)
			return rc;
		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
			goto out_bad_option;
	}
	if (opts->context) {
		rc = parse_sid(sb, opts->context, &sid);
		if (rc)
			return rc;
		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
			goto out_bad_option;
	}
	if (opts->rootcontext) {
		struct inode_security_struct *root_isec;
		root_isec = backing_inode_security(sb->s_root);
		rc = parse_sid(sb, opts->rootcontext, &sid);
		if (rc)
			return rc;
		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
			goto out_bad_option;
	}
	if (opts->defcontext) {
		rc = parse_sid(sb, opts->defcontext, &sid);
		if (rc)
			return rc;
		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
			goto out_bad_option;
	}
	return 0;

out_bad_option:
	pr_warn("SELinux: unable to change security options "
	       "during remount (dev %s, type=%s)\n", sb->s_id,
	       sb->s_type->name);
	return -EINVAL;
}
2808
/*
 * Mount-time check: the caller needs filesystem:mount on the superblock.
 * The audit record names the filesystem root.
 */
static int selinux_sb_kern_mount(struct super_block *sb)
{
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = sb->s_root,
	};

	return superblock_has_perm(current_cred(), sb, FILESYSTEM__MOUNT, &ad);
}
2818
/*
 * statfs() check: filesystem:getattr on the superblock that @dentry belongs
 * to.  The audit record names the filesystem root rather than @dentry.
 */
static int selinux_sb_statfs(struct dentry *dentry)
{
	struct super_block *sb = dentry->d_sb;
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = sb->s_root,
	};

	return superblock_has_perm(current_cred(), sb, FILESYSTEM__GETATTR, &ad);
}
2828
/*
 * Legacy mount(2) hook.  A remount needs filesystem:remount on the mounted
 * superblock; any other mount needs file:mounton on the target path.
 * dev_name, type and data are not consulted here.
 */
static int selinux_mount(const char *dev_name,
			 const struct path *path,
			 const char *type,
			 unsigned long flags,
			 void *data)
{
	const struct cred *caller = current_cred();
	bool remount = flags & MS_REMOUNT;

	return remount ?
		superblock_has_perm(caller, path->dentry->d_sb,
				    FILESYSTEM__REMOUNT, NULL) :
		path_has_perm(caller, path, FILE__MOUNTON);
}
2843
/*
 * move_mount(2) hook: only the destination is checked (file:mounton on
 * @to_path); @from_path is not consulted.
 */
static int selinux_move_mount(const struct path *from_path,
			      const struct path *to_path)
{
	return path_has_perm(current_cred(), to_path, FILE__MOUNTON);
}
2851
/*
 * umount(2) hook: filesystem:unmount on the mount's superblock.  @flags
 * (MNT_FORCE etc.) do not affect the check.
 */
static int selinux_umount(struct vfsmount *mnt, int flags)
{
	struct super_block *sb = mnt->mnt_sb;

	return superblock_has_perm(current_cred(), sb, FILESYSTEM__UNMOUNT, NULL);
}
2859
/*
 * Duplicate one mount-option context string for selinux_fs_context_dup().
 * A NULL @src leaves *@dst untouched; returns -ENOMEM if the copy fails.
 */
static int selinux_mnt_opt_dup_str(const char *src, char **dst)
{
	if (!src)
		return 0;
	*dst = kstrdup(src, GFP_KERNEL);
	return *dst ? 0 : -ENOMEM;
}

/*
 * Copy the SELinux mount options of @src_fc into a fresh allocation hung off
 * @fc->security.  Nothing is done when @src_fc carries no SELinux options.
 * On -ENOMEM whatever was allocated so far is left on @fc->security (it is
 * not freed here).
 */
static int selinux_fs_context_dup(struct fs_context *fc,
				  struct fs_context *src_fc)
{
	const struct selinux_mnt_opts *src = src_fc->security;
	struct selinux_mnt_opts *dst;
	int rc;

	if (!src)
		return 0;

	fc->security = kzalloc(sizeof(*dst), GFP_KERNEL);
	dst = fc->security;
	if (!dst)
		return -ENOMEM;

	rc = selinux_mnt_opt_dup_str(src->fscontext, &dst->fscontext);
	if (rc)
		return rc;
	rc = selinux_mnt_opt_dup_str(src->context, &dst->context);
	if (rc)
		return rc;
	rc = selinux_mnt_opt_dup_str(src->rootcontext, &dst->rootcontext);
	if (rc)
		return rc;
	return selinux_mnt_opt_dup_str(src->defcontext, &dst->defcontext);
}
2897
/*
 * Mount parameters SELinux claims under the new mount API.  The names are the
 * *_STR macros and the values the Opt_* tokens that fs_parse() returns to
 * selinux_fs_context_parse_param(), which hands them to selinux_add_opt().
 * Only seclabel is a bare flag; the others take a context string.  The empty
 * entry terminates the table.
 */
static const struct fs_parameter_spec selinux_fs_parameters[] = {
	fsparam_string(CONTEXT_STR,     Opt_context),
	fsparam_string(DEFCONTEXT_STR,  Opt_defcontext),
	fsparam_string(FSCONTEXT_STR,   Opt_fscontext),
	fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
	fsparam_flag  (SECLABEL_STR,    Opt_seclabel),
	{}
};
2906
/*
 * New-mount-API parameter hook.  Parameters not in selinux_fs_parameters are
 * passed back as fs_parse()'s negative result; a recognised one is recorded
 * via selinux_add_opt() in fc->security.  On success param->string is
 * cleared, signalling that the string has been handed over, and 1 is
 * returned to tell the caller the parameter was consumed.
 */
static int selinux_fs_context_parse_param(struct fs_context *fc,
					  struct fs_parameter *param)
{
	struct fs_parse_result result;
	int opt = fs_parse(fc, selinux_fs_parameters, param, &result);
	int rc;

	if (opt < 0)
		return opt;

	rc = selinux_add_opt(opt, param->string, &fc->security);
	if (rc)
		return rc;

	param->string = NULL;
	return 1;
}
2924
2925/* inode security operations */
2926
/*
 * Initialise the SELinux state of a freshly allocated inode.  The label is
 * deliberately left as unlabeled / SECCLASS_FILE with initialized =
 * LABEL_INVALID; the real label is assigned by the later labeling paths.
 * task_sid records the SID of the task that allocated the inode.  Cannot fail.
 */
static int selinux_inode_alloc_security(struct inode *inode)
{
	struct inode_security_struct *isec = selinux_inode(inode);

	spin_lock_init(&isec->lock);
	INIT_LIST_HEAD(&isec->list);
	isec->inode = inode;
	isec->task_sid = current_sid();
	isec->initialized = LABEL_INVALID;

	/* Placeholder label until something labels the inode properly. */
	isec->sid = SECINITSID_UNLABELED;
	isec->sclass = SECCLASS_FILE;

	return 0;
}
2942
/* Inode teardown hook; the actual cleanup lives in inode_free_security(). */
static void selinux_inode_free_security(struct inode *inode)
{
	inode_free_security(inode);
}
2947
/*
 * Compute the label a new object @name of type @mode under @dentry's parent
 * would receive for the current task, and return it as a context string in
 * *@ctx / *@ctxlen.  Returns the error from label determination or from the
 * SID-to-context conversion.
 */
static int selinux_dentry_init_security(struct dentry *dentry, int mode,
					const struct qstr *name, void **ctx,
					u32 *ctxlen)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	struct inode *parent = d_inode(dentry->d_parent);
	u16 sclass = inode_mode_to_security_class(mode);
	u32 sid;
	int rc;

	rc = selinux_determine_inode_label(tsec, parent, name, sclass, &sid);
	if (rc)
		return rc;

	return security_sid_to_context(&selinux_state, sid, (char **)ctx, ctxlen);
}
2965
/*
 * Set up @new so that files it creates get the label that @old would have
 * given a new object @name of type @mode under @dentry's parent: the computed
 * SID is stored as @new's create_sid.  Returns the label-determination error.
 */
static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
					  struct qstr *name,
					  const struct cred *old,
					  struct cred *new)
{
	const struct task_security_struct *old_tsec = selinux_cred(old);
	struct inode *parent = d_inode(dentry->d_parent);
	u16 sclass = inode_mode_to_security_class(mode);
	u32 sid;
	int rc;

	rc = selinux_determine_inode_label(old_tsec, parent, name, sclass, &sid);
	if (rc)
		return rc;

	selinux_cred(new)->create_sid = sid;
	return 0;
}
2986
/*
 * Label a newly created @inode in directory @dir and, when requested, return
 * the xattr the filesystem should persist for it.
 *
 * The inode's in-memory label is set immediately only if the superblock is
 * already initialised; otherwise it is left for selinux_complete_init.  Then,
 * unless SELinux is initialised and the superblock supports labeling
 * (SBLABEL_MNT), -EOPNOTSUPP tells the VFS there is no xattr to write.  When
 * @value and @len are supplied, *@value is a kernel-allocated context string
 * the caller owns, and *@name is the suffix of the security.selinux xattr.
 */
static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
				       const struct qstr *qstr,
				       const char **name,
				       void **value, size_t *len)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	struct superblock_security_struct *sbsec;
	u32 newsid, clen;
	int rc;
	char *context;

	sbsec = selinux_superblock(dir->i_sb);

	/* Seeded with the task's create_sid; selinux_determine_inode_label()
	 * writes the final answer through &newsid. */
	newsid = tsec->create_sid;

	rc = selinux_determine_inode_label(tsec, dir, qstr,
		inode_mode_to_security_class(inode->i_mode),
		&newsid);
	if (rc)
		return rc;

	/* Possibly defer initialization to selinux_complete_init. */
	if (sbsec->flags & SE_SBINITIALIZED) {
		struct inode_security_struct *isec = selinux_inode(inode);
		isec->sclass = inode_mode_to_security_class(inode->i_mode);
		isec->sid = newsid;
		isec->initialized = LABEL_INITIALIZED;
	}

	if (!selinux_initialized(&selinux_state) ||
	    !(sbsec->flags & SBLABEL_MNT))
		return -EOPNOTSUPP;

	if (name)
		*name = XATTR_SELINUX_SUFFIX;

	if (value && len) {
		/* _force: emit a context even for a SID the current policy
		 * cannot otherwise render, so the on-disk label is not lost. */
		rc = security_sid_to_context_force(&selinux_state, newsid,
						   &context, &clen);
		if (rc)
			return rc;
		*value = context;
		*len = clen;
	}

	return 0;
}
3034
/*
 * Label an anonymous inode and check that the current task may create it.
 *
 * With a @context_inode (which must already be labeled, else -EACCES) the
 * new inode inherits its class and SID; otherwise the class is
 * SECCLASS_ANON_INODE and the SID comes from a type transition keyed on
 * the task SID and @name.  Only after the label is fixed is the creator
 * checked for FILE__CREATE against the new label, so policy can restrict
 * which anonymous inode types a domain may create.  Before SELinux is
 * initialised everything is allowed.
 */
static int selinux_inode_init_security_anon(struct inode *inode,
					    const struct qstr *name,
					    const struct inode *context_inode)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	struct common_audit_data ad;
	struct inode_security_struct *isec;
	int rc;

	if (unlikely(!selinux_initialized(&selinux_state)))
		return 0;

	isec = selinux_inode(inode);

	/*
	 * We only get here once per ephemeral inode.  The inode has
	 * been initialized via inode_alloc_security but is otherwise
	 * untouched.
	 */

	if (context_inode) {
		struct inode_security_struct *context_isec =
			selinux_inode(context_inode);
		/* An unlabeled context inode would let the new inode inherit
		 * a placeholder label; refuse rather than guess. */
		if (context_isec->initialized != LABEL_INITIALIZED) {
			pr_err("SELinux:  context_inode is not initialized");
			return -EACCES;
		}

		isec->sclass = context_isec->sclass;
		isec->sid = context_isec->sid;
	} else {
		isec->sclass = SECCLASS_ANON_INODE;
		/* Source and target of the transition are both the task SID;
		 * @name lets policy distinguish anon inode kinds. */
		rc = security_transition_sid(
			&selinux_state, tsec->sid, tsec->sid,
			isec->sclass, name, &isec->sid);
		if (rc)
			return rc;
	}

	isec->initialized = LABEL_INITIALIZED;
	/*
	 * Now that we've initialized security, check whether we're
	 * allowed to actually create this type of anonymous inode.
	 */

	ad.type = LSM_AUDIT_DATA_INODE;
	ad.u.inode = inode;

	return avc_has_perm(&selinux_state,
			    tsec->sid,
			    isec->sid,
			    isec->sclass,
			    FILE__CREATE,
			    &ad);
}
3090
/* Regular-file creation in @dir; may_create() with the file class. @mode unused. */
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
{
	return may_create(dir, dentry, SECCLASS_FILE);
}
3095
/* Hard link of @old_dentry into @dir; checked by may_link() as MAY_LINK.
 * @new_dentry is not consulted. */
static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
{
	return may_link(dir, old_dentry, MAY_LINK);
}
3100
/* unlink() of @dentry from @dir; checked by may_link() as MAY_UNLINK. */
static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
{
	return may_link(dir, dentry, MAY_UNLINK);
}
3105
/* Symlink creation in @dir; may_create() with the lnk_file class.  The link
 * target @name plays no part in the decision. */
static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
{
	return may_create(dir, dentry, SECCLASS_LNK_FILE);
}
3110
/* mkdir() in @dir; may_create() with the dir class. @mask unused. */
static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
{
	return may_create(dir, dentry, SECCLASS_DIR);
}
3115
/* rmdir() of @dentry from @dir; checked by may_link() as MAY_RMDIR. */
static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
	return may_link(dir, dentry, MAY_RMDIR);
}
3120
/* mknod() in @dir; the security class follows the file type bits of @mode
 * (chr_file, blk_file, fifo_file, ...).  @dev is not consulted. */
static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
	return may_create(dir, dentry, inode_mode_to_security_class(mode));
}
3125
/* rename() hook; all checks (source, destination and any overwritten
 * target) are delegated to may_rename(). */
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
				struct inode *new_inode, struct dentry *new_dentry)
{
	return may_rename(old_inode, old_dentry, new_inode, new_dentry);
}
3131
/* readlink(): reading a symlink's target requires FILE__READ on the link. */
static int selinux_inode_readlink(struct dentry *dentry)
{
	return dentry_has_perm(current_cred(), dentry, FILE__READ);
}
3138
/*
 * Following a symlink during path walk requires FILE__READ on the link
 * inode.  @rcu is true in RCU-walk mode, in which case inode_security_rcu()
 * may hand back an error pointer instead of blocking; that error is returned
 * unchanged so the walker can retry in ref-walk mode.
 */
static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
				     bool rcu)
{
	const struct cred *cred = current_cred();
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = dentry,
	};
	struct inode_security_struct *isec;
	u32 ssid;

	validate_creds(cred);

	ssid = cred_sid(cred);
	isec = inode_security_rcu(inode, rcu);
	if (IS_ERR(isec))
		return PTR_ERR(isec);

	return avc_has_perm(&selinux_state, ssid, isec->sid, isec->sclass,
			    FILE__READ, &ad);
}
3159
/*
 * Out-of-line audit path for selinux_inode_permission(): emit the AVC audit
 * record for @inode with the supplied permission/decision data.  Kept
 * noinline so the common, unaudited fast path does not carry this code.
 * Returns slow_avc_audit()'s result.
 */
static noinline int audit_inode_permission(struct inode *inode,
					   u32 perms, u32 audited, u32 denied,
					   int result)
{
	const struct inode_security_struct *isec = selinux_inode(inode);
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_INODE,
		.u.inode = inode,
	};

	return slow_avc_audit(&selinux_state, current_sid(), isec->sid,
			      isec->sclass, perms, audited, denied, result, &ad);
}
3174
/*
 * VFS inode permission hook (open, access(2), path walk).
 *
 * @mask is reduced to MAY_READ/WRITE/EXEC/APPEND; an empty mask is a pure
 * existence test and is allowed.  MAY_ACCESS (from access(2)) only affects
 * which denials are audited (FILE__AUDIT_ACCESS).  MAY_NOT_BLOCK is passed on
 * to inode_security_rcu(), which presumably returns an error pointer rather
 * than blocking to label the inode.  The decision uses avc_has_perm_noaudit()
 * so the common case never enters the audit path; the record is produced out
 * of line by audit_inode_permission() only when avc_audit_required() asks for
 * it.  Returns the AVC result, or the audit error if emitting the record
 * failed.
 */
static int selinux_inode_permission(struct inode *inode, int mask)
{
	const struct cred *cred = current_cred();
	u32 perms;
	bool from_access;
	bool no_block = mask & MAY_NOT_BLOCK;
	struct inode_security_struct *isec;
	u32 sid;
	struct av_decision avd;
	int rc, rc2;
	u32 audited, denied;

	from_access = mask & MAY_ACCESS;
	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);

	/* No permission to check.  Existence test. */
	if (!mask)
		return 0;

	validate_creds(cred);

	/* Kernel-private inodes are not subject to policy. */
	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	perms = file_mask_to_av(inode->i_mode, mask);

	sid = cred_sid(cred);
	isec = inode_security_rcu(inode, no_block);
	if (IS_ERR(isec))
		return PTR_ERR(isec);

	rc = avc_has_perm_noaudit(&selinux_state,
				  sid, isec->sid, isec->sclass, perms, 0,
				  &avd);
	audited = avc_audit_required(perms, &avd, rc,
				     from_access ? FILE__AUDIT_ACCESS : 0,
				     &denied);
	if (likely(!audited))
		return rc;

	/* An audit failure takes precedence over the access decision. */
	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
	if (rc2)
		return rc2;
	return rc;
}
3220
/*
 * setattr hook.  Ownership, mode and explicitly specified timestamp changes
 * need FILE__SETATTR; anything else (size, implicit timestamps, ...) is
 * treated as a write.  A truncate that is not done through an already open
 * file (no ATTR_FILE) additionally needs FILE__OPEN when the openperm policy
 * capability is enabled, sockets excepted.
 */
static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
{
	const struct cred *cred = current_cred();
	struct inode *inode = d_backing_inode(dentry);
	unsigned int ia_valid = iattr->ia_valid;
	__u32 perms = FILE__WRITE;
	bool truncate_without_open;

	/* ATTR_FORCE only accompanies ATTR_KILL_S[UG]ID; once those and the
	 * mode change they imply are masked off there may be nothing left. */
	if (ia_valid & ATTR_FORCE) {
		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
			      ATTR_FORCE);
		if (ia_valid == 0)
			return 0;
	}

	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
		return dentry_has_perm(cred, dentry, FILE__SETATTR);

	truncate_without_open = (ia_valid & ATTR_SIZE) && !(ia_valid & ATTR_FILE);
	if (truncate_without_open && selinux_policycap_openperm() &&
	    inode->i_sb->s_magic != SOCKFS_MAGIC)
		perms |= FILE__OPEN;

	return dentry_has_perm(cred, dentry, perms);
}
3248
/* stat()-family hook: FILE__GETATTR on the object at @path for the caller. */
static int selinux_inode_getattr(const struct path *path)
{
	return path_has_perm(current_cred(), path, FILE__GETATTR);
}
3253
/*
 * Does the current task hold CAP_MAC_ADMIN?  Both the commoncap check
 * (cap_capable()) and the SELinux capability check (cred_has_capability())
 * must succeed.  @audit selects whether a denial is audited; with it false
 * the checks run with CAP_OPT_NOAUDIT so a mere probe leaves no record.
 */
static bool has_cap_mac_admin(bool audit)
{
	const struct cred *caller = current_cred();
	unsigned int cap_opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;

	/* Short-circuit: the SELinux check is skipped if commoncap denies. */
	return !cap_capable(caller, &init_user_ns, CAP_MAC_ADMIN, cap_opts) &&
	       !cred_has_capability(caller, CAP_MAC_ADMIN, cap_opts, true);
}
3265
/*
 * Hook for setxattr(2) on @dentry.
 *
 * Attributes other than security.selinux are delegated to the capability
 * LSM (cap_inode_setxattr) and then gated on file:setattr.  For
 * security.selinux itself the caller must own the inode or be capable,
 * the superblock must support labeling, and policy must allow
 * relabelfrom on the current label, relabelto on the requested label,
 * the transition between the two, and filesystem:associate for the new
 * label on this superblock.  The in-core label is not touched here; it
 * is refreshed by selinux_inode_post_setxattr() once the filesystem has
 * stored the xattr.
 *
 * Returns 0 if the operation may proceed, otherwise a negative errno.
 */
static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
				  struct dentry *dentry, const char *name,
				  const void *value, size_t size, int flags)
{
	struct inode *inode = d_backing_inode(dentry);
	struct inode_security_struct *isec;
	struct superblock_security_struct *sbsec;
	struct common_audit_data ad;
	u32 newsid, sid = current_sid();
	int rc = 0;

	if (strcmp(name, XATTR_NAME_SELINUX)) {
		rc = cap_inode_setxattr(dentry, name, value, size, flags);
		if (rc)
			return rc;

		/* Not one of ours: the generic file:setattr check is all
		 * that applies. */
		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
	}

	/* Before policy load no context can be validated; fall back to
	 * plain DAC ownership. */
	if (!selinux_initialized(&selinux_state))
		return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);

	/* Labels can only be set on superblocks that support them. */
	sbsec = selinux_superblock(inode->i_sb);
	if (!(sbsec->flags & SBLABEL_MNT))
		return -EOPNOTSUPP;

	/* DAC: relabeling is restricted to the owner (or a capable task). */
	if (!inode_owner_or_capable(mnt_userns, inode))
		return -EPERM;

	ad.type = LSM_AUDIT_DATA_DENTRY;
	ad.u.dentry = dentry;

	/* MAC: may the caller relabel away from the object's current label? */
	isec = backing_inode_security(dentry);
	rc = avc_has_perm(&selinux_state,
			  sid, isec->sid, isec->sclass,
			  FILE__RELABELFROM, &ad);
	if (rc)
		return rc;

	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
				     GFP_KERNEL);
	if (rc == -EINVAL) {
		/*
		 * The context is not defined by the loaded policy.  Only a
		 * CAP_MAC_ADMIN caller may store such a value; anyone else
		 * gets an AUDIT_SELINUX_ERR record and the -EINVAL.
		 */
		if (!has_cap_mac_admin(true)) {
			struct audit_buffer *ab;
			size_t audit_size;

			/* We strip a nul only if it is at the end, otherwise the
			 * context contains a nul and we should audit that */
			if (value) {
				const char *str = value;

				/* NOTE(review): indexes size - 1, so a non-NULL
				 * value is assumed to arrive with size > 0 —
				 * presumably guaranteed by the VFS caller;
				 * confirm for any in-kernel caller. */
				if (str[size - 1] == '\0')
					audit_size = size - 1;
				else
					audit_size = size;
			} else {
				audit_size = 0;
			}
			/* audit_log_start() may return NULL; the audit_log_*
			 * helpers are expected to tolerate that. */
			ab = audit_log_start(audit_context(),
					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
			audit_log_format(ab, "op=setxattr invalid_context=");
			audit_log_n_untrustedstring(ab, value, audit_size);
			audit_log_end(ab);

			return rc;
		}
		/* Privileged: map the undefined context to a SID anyway. */
		rc = security_context_to_sid_force(&selinux_state, value,
						   size, &newsid);
	}
	if (rc)
		return rc;

	/* MAC: may the caller relabel to the requested label? */
	rc = avc_has_perm(&selinux_state,
			  sid, newsid, isec->sclass,
			  FILE__RELABELTO, &ad);
	if (rc)
		return rc;

	/* Policy-defined constraints on the old -> new label change. */
	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
					  sid, isec->sclass);
	if (rc)
		return rc;

	/* Finally, the new label must be allowed on this filesystem. */
	return avc_has_perm(&selinux_state,
			    newsid,
			    sbsec->sid,
			    SECCLASS_FILESYSTEM,
			    FILESYSTEM__ASSOCIATE,
			    &ad);
}
3358
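/*
 * Post-hook for setxattr(2): the filesystem has already stored the new
 * security.selinux value, so bring the in-core label into line with it.
 * Every permission check happened in selinux_inode_setxattr(); this hook
 * only updates state and cannot fail, which is why a mapping error is
 * logged rather than returned.
 */
static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
					const void *value, size_t size,
					int flags)
{
	struct inode *inode = d_backing_inode(dentry);
	struct inode_security_struct *isec;
	u32 newsid;
	int rc;

	/* Only security.selinux is ours; other attributes are left alone. */
	if (strcmp(name, XATTR_NAME_SELINUX))
		return;

	/*
	 * Without a loaded policy the context cannot be validated.  Leave
	 * the in-core label untouched; it will be re-derived from the
	 * on-disk xattr on the next revalidation once policy is loaded.
	 */
	if (!selinux_initialized(&selinux_state))
		return;

	/*
	 * Use the forcing variant: the pre-hook already vetted the value
	 * (and allowed a CAP_MAC_ADMIN caller to store a context the policy
	 * does not define), so the in-core label must track whatever was
	 * actually written.
	 */
	rc = security_context_to_sid_force(&selinux_state, value, size,
					   &newsid);
	if (rc) {
		/* Single format string: the old split literal ran "SID" and
		 * "for" together in the logged message. */
		pr_err("SELinux:  unable to map context to SID for (%s, %lu), rc=%d\n",
		       inode->i_sb->s_id, inode->i_ino, -rc);
		return;
	}

	isec = backing_inode_security(dentry);
	spin_lock(&isec->lock);
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
	isec->sid = newsid;
	isec->initialized = LABEL_INITIALIZED;
	spin_unlock(&isec->lock);
}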
3400
/* getxattr(2): reading any extended attribute needs file:getattr. */
static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
{
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
}
3407
/* listxattr(2): enumerating attribute names needs file:getattr. */
static int selinux_inode_listxattr(struct dentry *dentry)
{
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
}
3414
/*
 * removexattr(2) hook.
 *
 * security.selinux may be changed but never removed: every object must
 * stay labeled, so the request is refused with -EACCES once policy is
 * loaded (and allowed before that, when no label can be validated).
 * Any other attribute goes through the capability LSM and then the
 * ordinary file:setattr check.
 */
static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
				     struct dentry *dentry, const char *name)
{
	int rc;

	if (!strcmp(name, XATTR_NAME_SELINUX)) {
		if (!selinux_initialized(&selinux_state))
			return 0;
		return -EACCES;
	}

	rc = cap_inode_removexattr(mnt_userns, dentry, name);
	if (rc)
		return rc;

	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
3435
/*
 * fsnotify mark placement hook.
 *
 * The base permission depends on the object being watched: file:watch
 * for an inode, file:watch_mount for a mount, file:watch_sb for a
 * superblock (which additionally needs filesystem:watch on the
 * superblock itself).  Marks able to block the watched operation
 * (permission events) add file:watch_with_perm, and marks that observe
 * read-like events add file:watch_reads.  Unknown object types are
 * rejected with -EINVAL.
 */
static int selinux_path_notify(const struct path *path, u64 mask,
			       unsigned int obj_type)
{
	const struct cred *cred = current_cred();
	struct common_audit_data ad;
	u32 av;
	int err;

	ad.type = LSM_AUDIT_DATA_PATH;
	ad.u.path = *path;

	switch (obj_type) {
	case FSNOTIFY_OBJ_TYPE_INODE:
		av = FILE__WATCH;
		break;
	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
		av = FILE__WATCH_MOUNT;
		break;
	case FSNOTIFY_OBJ_TYPE_SB:
		err = superblock_has_perm(cred, path->dentry->d_sb,
					  FILESYSTEM__WATCH, &ad);
		if (err)
			return err;
		av = FILE__WATCH_SB;
		break;
	default:
		return -EINVAL;
	}

	if (mask & ALL_FSNOTIFY_PERM_EVENTS)
		av |= FILE__WATCH_WITH_PERM;

	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
		av |= FILE__WATCH_READS;

	return path_has_perm(cred, path, av);
}
3479
3480/*
3481 * Copy the inode security context value to the user.
3482 *
3483 * Permission check is handled by selinux_inode_getxattr hook.
3484 */
3485static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
3486                                     struct inode *inode, const char *name,
3487                                     void **buffer, bool alloc)
3488{
3489        u32 size;
3490        int error;
3491        char *context = NULL;
3492        struct inode_security_struct *isec;
3493
3494        /*
3495         * If we're not initialized yet, then we can't validate contexts, so
3496         * just let vfs_getxattr fall back to using the on-disk xattr.
3497         */
3498        if (!selinux_initialized(&selinux_state) ||
3499            strcmp(name, XATTR_SELINUX_SUFFIX))
3500                return -EOPNOTSUPP;
3501
3502        /*
3503         * If the caller has CAP_MAC_ADMIN, then get the raw context
3504         * value even if it is not defined by current policy; otherwise,
3505         * use the in-core value under current policy.
3506         * Use the non-auditing forms of the permission checks since
3507         * getxattr may be called by unprivileged processes commonly
3508         * and lack of permission just means that we fall back to the
3509         * in-core context value, not a denial.
3510         */
3511        isec = inode_security(inode);
3512        if (has_cap_mac_admin(false))
3513                error = security_sid_to_context_force(&selinux_state,
3514                                                      isec->sid, &context,
3515                                                      &size);
3516        else
3517                error = security_sid_to_context(&selinux_state, isec->sid,
3518                                                &context, &size);
3519        if (error)
3520                return error;
3521        error = size;
3522        if (alloc) {
3523                *buffer = context;
3524                goto out_nofree;
3525        }
3526        kfree(context);
3527out_nofree:
3528        return error;
3529}
3530
/*
 * Set the in-core label of @inode directly from a context string.
 *
 * Unlike the setxattr path this performs no relabel permission checks:
 * it only requires a labeling-capable superblock, a non-empty value and
 * a context the current policy can map.  Callers of this hook are
 * therefore expected to be kernel-internal.
 *
 * Returns 0 on success, -EOPNOTSUPP for foreign names or unlabelable
 * superblocks, -EACCES for an empty value, or the mapping error.
 */
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
				     const void *value, size_t size, int flags)
{
	struct inode_security_struct *isec = inode_security_novalidate(inode);
	struct superblock_security_struct *sbsec;
	u32 sid;
	int err;

	if (strcmp(name, XATTR_SELINUX_SUFFIX) != 0)
		return -EOPNOTSUPP;

	sbsec = selinux_superblock(inode->i_sb);
	if (!(sbsec->flags & SBLABEL_MNT))
		return -EOPNOTSUPP;

	if (value == NULL || size == 0)
		return -EACCES;

	err = security_context_to_sid(&selinux_state, value, size, &sid,
				      GFP_KERNEL);
	if (err)
		return err;

	spin_lock(&isec->lock);
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
	isec->sid = sid;
	isec->initialized = LABEL_INITIALIZED;
	spin_unlock(&isec->lock);

	return 0;
}
3561
/*
 * listxattr(2) support: report security.selinux as the attribute this
 * LSM owns.  The name (including its terminating NUL) is copied into
 * @buffer only when it fits; the length needed is always returned.
 * Nothing is reported before policy load.
 */
static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
	const int len = sizeof(XATTR_NAME_SELINUX);

	if (!selinux_initialized(&selinux_state))
		return 0;

	if (buffer != NULL && buffer_size >= len)
		memcpy(buffer, XATTR_NAME_SELINUX, len);

	return len;
}
3573
/* Report the inode's current SID without forcing a label revalidation. */
static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
{
	*secid = inode_security_novalidate(inode)->sid;
}
3579
/*
 * Overlayfs copy-up: arrange for the upper copy of @src to be created
 * with the same label as the overlay inode, by setting create_sid in
 * the credentials the copy-up will run under.  A fresh cred set is
 * prepared when the caller has not supplied one in *@new.
 *
 * Returns 0, or -ENOMEM if credentials could not be allocated.
 */
static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
{
	struct cred *creds = *new;
	u32 src_sid;

	if (creds == NULL) {
		creds = prepare_creds();
		if (creds == NULL)
			return -ENOMEM;
	}

	selinux_inode_getsecid(d_inode(src), &src_sid);
	selinux_cred(creds)->create_sid = src_sid;
	*new = creds;
	return 0;
}
3599
/*
 * Filter for xattrs copied up by overlayfs.  The label of the upper
 * inode was already fixed via create_sid in selinux_inode_copy_up(), so
 * security.selinux from the lower layer is discarded (return 1) rather
 * than copied over it.  Other attributes are not claimed (-EOPNOTSUPP).
 */
static int selinux_inode_copy_up_xattr(const char *name)
{
	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
		return 1;

	return -EOPNOTSUPP;
}
3614
3615/* kernfs node operations */
3616
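/*
 * Label a newly created kernfs node @kn from its parent @kn_dir.
 *
 * If the parent carries no security.selinux xattr there is nothing to
 * inherit and the node is left unlabeled (0 is returned).  Otherwise the
 * parent's context is mapped to a SID and the child's label is either
 * the caller's explicit create_sid or the type transition from the
 * caller's SID on the parent's label for the node's class and name.
 * The resulting context is stored on @kn with XATTR_CREATE so an
 * existing label is never overwritten.
 *
 * Returns 0 on success or a negative errno.
 */
static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
					struct kernfs_node *kn)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	u32 parent_sid, newsid, clen;
	int rc;
	char *context;

	/* Size probe; -ENODATA means the parent is unlabeled. */
	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
	if (rc == -ENODATA)
		return 0;
	else if (rc < 0)
		return rc;

	clen = (u32)rc;
	context = kmalloc(clen, GFP_KERNEL);
	if (!context)
		return -ENOMEM;

	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
	if (rc < 0) {
		kfree(context);
		return rc;
	}
	/*
	 * Use the length actually copied rather than the probe result: if
	 * the parent's xattr changed size between the two reads, only the
	 * bytes written into @context are meaningful.
	 */
	clen = (u32)rc;

	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
				     GFP_KERNEL);
	kfree(context);
	if (rc)
		return rc;

	if (tsec->create_sid) {
		/* Explicit file-creation context set by the caller wins. */
		newsid = tsec->create_sid;
	} else {
		u16 secclass = inode_mode_to_security_class(kn->mode);
		struct qstr q;

		/* The name takes part in name-based type transitions. */
		q.name = kn->name;
		q.hash_len = hashlen_string(kn_dir, kn->name);

		rc = security_transition_sid(&selinux_state, tsec->sid,
					     parent_sid, secclass, &q,
					     &newsid);
		if (rc)
			return rc;
	}

	/* Forced mapping so the stored string matches the chosen SID even
	 * for contexts the current policy does not define. */
	rc = security_sid_to_context_force(&selinux_state, newsid,
					   &context, &clen);
	if (rc)
		return rc;

	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
			      XATTR_CREATE);
	kfree(context);
	return rc;
}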
3674
3675
3676/* file security operations */
3677
/*
 * Re-run the access check for an already-open @file with the given
 * MAY_* @mask.  A write through an O_APPEND descriptor is expressed as
 * MAY_APPEND as well, because file_mask_to_av() maps MAY_WRITE to
 * file:write only when MAY_APPEND is absent.
 */
static int selinux_revalidate_file_permission(struct file *file, int mask)
{
	struct inode *inode = file_inode(file);
	int effective_mask = mask;

	if ((mask & MAY_WRITE) && (file->f_flags & O_APPEND))
		effective_mask |= MAY_APPEND;

	return file_has_perm(current_cred(), file,
			     file_mask_to_av(inode->i_mode, effective_mask));
}
3690
/*
 * Per-access (read/write) hook on an open file.
 *
 * An empty @mask is an existence test and always succeeds.  Otherwise
 * the check is skipped when nothing relevant has changed since open:
 * the same task label, the same inode label and the same policy
 * sequence number as recorded in selinux_file_open().  Any difference
 * triggers a full revalidation.
 */
static int selinux_file_permission(struct file *file, int mask)
{
	struct file_security_struct *fsec = selinux_file(file);
	struct inode_security_struct *isec;
	bool unchanged;

	if (mask == 0)
		return 0;

	isec = inode_security(file_inode(file));
	unchanged = current_sid() == fsec->sid &&
		    fsec->isid == isec->sid &&
		    fsec->pseqno == avc_policy_seqno(&selinux_state);
	if (unchanged)
		return 0;

	return selinux_revalidate_file_permission(file, mask);
}
3710
/*
 * Initialise the security blob of a new struct file: both the opener's
 * label (sid) and the initial owner label for SIGIO delivery (fown_sid)
 * are the current task's SID.  Never fails.
 */
static int selinux_file_alloc_security(struct file *file)
{
	struct file_security_struct *fsec = selinux_file(file);

	fsec->sid = current_sid();
	fsec->fown_sid = fsec->sid;
	return 0;
}
3721
3722/*
3723 * Check whether a task has the ioctl permission and cmd
3724 * operation to an inode.
3725 */
3726static int ioctl_has_perm(const struct cred *cred, struct file *file,
3727                u32 requested, u16 cmd)
3728{
3729        struct common_audit_data ad;
3730        struct file_security_struct *fsec = selinux_file(file);
3731        struct inode *inode = file_inode(file);
3732        struct inode_security_struct *isec;
3733        struct lsm_ioctlop_audit ioctl;
3734        u32 ssid = cred_sid(cred);
3735        int rc;
3736        u8 driver = cmd >> 8;
3737        u8 xperm = cmd & 0xff;
3738
3739        ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3740        ad.u.op = &ioctl;
3741        ad.u.op->cmd = cmd;
3742        ad.u.op->path = file->f_path;
3743
3744        if (ssid != fsec->sid) {
3745                rc = avc_has_perm(&selinux_state,
3746                                  ssid, fsec->sid,
3747                                SECCLASS_FD,
3748                                FD__USE,
3749                                &ad);
3750                if (rc)
3751                        goto out;
3752        }
3753
3754        if (unlikely(IS_PRIVATE(inode)))
3755                return 0;
3756
3757        isec = inode_security(inode);
3758        rc = avc_has_extended_perms(&selinux_state,
3759                                    ssid, isec->sid, isec->sclass,
3760                                    requested, driver, xperm, &ad);
3761out:
3762        return rc;
3763}
3764
/*
 * ioctl(2) hook.
 *
 * Generic VFS commands are mapped onto file:getattr / file:setattr; the
 * commands sys_ioctl() handles itself only need fd:use; keyboard-map
 * writes need CAP_SYS_TTY_CONFIG.  Anything else is assumed to reach the
 * driver's ioctl() and gets the file:ioctl plus per-command extended
 * permission check, keyed on the low 16 bits (type and number) of @cmd.
 */
static int selinux_file_ioctl(struct file *file, unsigned int cmd,
			      unsigned long arg)
{
	const struct cred *cred = current_cred();

	switch (cmd) {
	case FIONREAD:
	case FIBMAP:
	case FIGETBSZ:
	case FS_IOC_GETFLAGS:
	case FS_IOC_GETVERSION:
		return file_has_perm(cred, file, FILE__GETATTR);

	case FS_IOC_SETFLAGS:
	case FS_IOC_SETVERSION:
		return file_has_perm(cred, file, FILE__SETATTR);

	case FIONBIO:
	case FIOASYNC:
		return file_has_perm(cred, file, 0);

	case KDSKBENT:
	case KDSKBSENT:
		return cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
					   CAP_OPT_NONE, true);

	default:
		return ioctl_has_perm(cred, file, FILE__IOCTL, (u16)cmd);
	}
}
3805
/*
 * When non-zero, enables the execmem / execheap / execstack / execmod
 * checks in file_map_prot_check() and selinux_file_mprotect().  It is
 * assigned during initialisation elsewhere in this file (not in this
 * excerpt) and is read-only afterwards.
 */
static int default_noexec __ro_after_init;
3807
/*
 * Shared by the mmap and mprotect hooks.  @prot is the protection being
 * applied (or, with checkreqprot, the one requested); @shared is true
 * for a MAP_SHARED mapping.
 *
 * Two independent checks: with default_noexec set, making anonymous
 * memory, a private inode, or a private writable file mapping
 * executable needs process:execmem on the domain itself; and for a file
 * mapping the file must grant read, plus write when the mapping is
 * shared and writable, plus execute when PROT_EXEC is requested.
 */
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
	const struct cred *cred = current_cred();
	u32 sid = cred_sid(cred);
	u32 av;
	int err;

	if (default_noexec && (prot & PROT_EXEC) &&
	    (!file || IS_PRIVATE(file_inode(file)) ||
	     (!shared && (prot & PROT_WRITE)))) {
		err = avc_has_perm(&selinux_state, sid, sid, SECCLASS_PROCESS,
				   PROCESS__EXECMEM, NULL);
		if (err)
			return err;
	}

	/* Anonymous mapping: no file to check against. */
	if (!file)
		return 0;

	av = FILE__READ;		/* a mapping always exposes the contents */
	if (shared && (prot & PROT_WRITE))
		av |= FILE__WRITE;	/* private writes never reach the file */
	if (prot & PROT_EXEC)
		av |= FILE__EXECUTE;

	return file_has_perm(cred, file, av);
}
3846
/*
 * Mapping below CONFIG_LSM_MMAP_MIN_ADDR (the NULL-page region) needs
 * memprotect:mmap_zero on the caller's own domain; anything higher is
 * unrestricted here.
 */
static int selinux_mmap_addr(unsigned long addr)
{
	u32 sid;

	if (addr >= CONFIG_LSM_MMAP_MIN_ADDR)
		return 0;

	sid = current_sid();
	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_MEMPROTECT,
			    MEMPROTECT__MMAP_ZERO, NULL);
}
3860
/*
 * mmap(2) hook.  A file mapping first needs file:map on the inode; then
 * the protection bits are checked by file_map_prot_check().  With
 * checkreqprot enabled the policy sees the protection the caller asked
 * for (@reqprot) rather than the one the kernel will apply (@prot).
 */
static int selinux_mmap_file(struct file *file, unsigned long reqprot,
			     unsigned long prot, unsigned long flags)
{
	unsigned long effective_prot = prot;
	bool shared = (flags & MAP_TYPE) == MAP_SHARED;

	if (file) {
		struct common_audit_data ad;
		int err;

		ad.type = LSM_AUDIT_DATA_FILE;
		ad.u.file = file;
		err = inode_has_perm(current_cred(), file_inode(file),
				     FILE__MAP, &ad);
		if (err)
			return err;
	}

	if (checkreqprot_get(&selinux_state))
		effective_prot = reqprot;

	return file_map_prot_check(file, effective_prot, shared);
}
3882
/*
 * mprotect(2) hook.
 *
 * With default_noexec set, turning a region that is not yet VM_EXEC into
 * an executable one requires a permission that depends on what the
 * region is: process:execheap for a VMA inside the brk heap,
 * process:execstack for an anonymous VMA overlapping the main stack (or
 * the current thread's stack), and file:execmod on the backing file for
 * a file mapping that already has private COW pages (anon_vma set), i.e.
 * content that may have been modified in place.  Independently of that,
 * the resulting protection is rechecked against the backing file with
 * file_map_prot_check(), exactly as on mmap.
 */
static int selinux_file_mprotect(struct vm_area_struct *vma,
				 unsigned long reqprot,
				 unsigned long prot)
{
	const struct cred *cred = current_cred();
	u32 sid = cred_sid(cred);

	/* With checkreqprot the policy decision uses the requested bits,
	 * not the ones the kernel will actually apply. */
	if (checkreqprot_get(&selinux_state))
		prot = reqprot;

	if (default_noexec &&
	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
		int rc = 0;
		if (vma->vm_start >= vma->vm_mm->start_brk &&
		    vma->vm_end <= vma->vm_mm->brk) {
			/* Whole VMA lies within the heap. */
			rc = avc_has_perm(&selinux_state,
					  sid, sid, SECCLASS_PROCESS,
					  PROCESS__EXECHEAP, NULL);
		} else if (!vma->vm_file &&
			   ((vma->vm_start <= vma->vm_mm->start_stack &&
			     vma->vm_end >= vma->vm_mm->start_stack) ||
			    vma_is_stack_for_current(vma))) {
			/* Anonymous VMA covering the main stack or this
			 * thread's stack. */
			rc = avc_has_perm(&selinux_state,
					  sid, sid, SECCLASS_PROCESS,
					  PROCESS__EXECSTACK, NULL);
		} else if (vma->vm_file && vma->anon_vma) {
			/*
			 * We are making executable a file mapping that has
			 * had some COW done. Since pages might have been
			 * written, check ability to execute the possibly
			 * modified content.  This typically should only
			 * occur for text relocations.
			 */
			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
		}
		if (rc)
			return rc;
	}

	/* Same file-level check as mmap; vm_file is NULL for anonymous VMAs. */
	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
}
3924
/* flock(2): any lock operation on @file needs file:lock. */
static int selinux_file_lock(struct file *file, unsigned int cmd)
{
	return file_has_perm(current_cred(), file, FILE__LOCK);
}
3931
/*
 * fcntl(2) hook.
 *
 * Most listed commands only need fd:use (file_has_perm with an empty
 * access vector); lock commands need file:lock; and clearing O_APPEND
 * through F_SETFL needs file:write, since the descriptor stops being
 * append-only.  Commands not listed are allowed.
 */
static int selinux_file_fcntl(struct file *file, unsigned int cmd,
			      unsigned long arg)
{
	const struct cred *cred = current_cred();

	switch (cmd) {
	case F_SETFL:
		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND))
			return file_has_perm(cred, file, FILE__WRITE);
		return file_has_perm(cred, file, 0);

	case F_SETOWN:
	case F_SETSIG:
	case F_GETFL:
	case F_GETOWN:
	case F_GETSIG:
	case F_GETOWNER_UIDS:
		return file_has_perm(cred, file, 0);

	case F_GETLK:
	case F_SETLK:
	case F_SETLKW:
	case F_OFD_GETLK:
	case F_OFD_SETLK:
	case F_OFD_SETLKW:
#if BITS_PER_LONG == 32
	case F_GETLK64:
	case F_SETLK64:
	case F_SETLKW64:
#endif
		return file_has_perm(cred, file, FILE__LOCK);

	default:
		return 0;
	}
}
3971
/*
 * F_SETOWN: remember the label of the task claiming ownership so that
 * later SIGIO/SIGURG delivery is checked as coming from that domain.
 */
static void selinux_file_set_fowner(struct file *file)
{
	selinux_file(file)->fown_sid = current_sid();
}
3979
/*
 * Asynchronous I/O signal delivery to @tsk on behalf of @fown.
 *
 * The subject is the label recorded at F_SETOWN time (fown_sid), not
 * the task that happens to be running now, and the permission is the
 * process:signal/sigkill/... bit matching the signal.  A zero @signum
 * stands for SIGIO, mirroring send_sigio_to_task().
 */
static int selinux_file_send_sigiotask(struct task_struct *tsk,
				       struct fown_struct *fown, int signum)
{
	/* A fown_struct only ever lives embedded in a struct file. */
	struct file *file = container_of(fown, struct file, f_owner);
	struct file_security_struct *fsec = selinux_file(file);
	u32 target_sid = task_sid_obj(tsk);
	int sig = signum ? signum : SIGIO;

	return avc_has_perm(&selinux_state, fsec->fown_sid, target_sid,
			    SECCLASS_PROCESS, signal_to_av(sig), NULL);
}
4002
/*
 * Descriptor passed over a UNIX socket (SCM_RIGHTS): the receiver must
 * hold, on the file, the permissions implied by its open mode.
 */
static int selinux_file_receive(struct file *file)
{
	return file_has_perm(current_cred(), file, file_to_av(file));
}
4009
/*
 * open(2) hook, evaluated with the file's own credentials (file->f_cred).
 *
 * Snapshots the inode label and the policy sequence number into the
 * file security struct so selinux_file_permission() can skip
 * revalidation on each read/write while nothing has changed, then
 * re-runs the open permission check against that snapshot.
 */
static int selinux_file_open(struct file *file)
{
	struct file_security_struct *fsec;
	struct inode_security_struct *isec;

	fsec = selinux_file(file);
	isec = inode_security(file_inode(file));
	/*
	 * Save inode label and policy sequence number
	 * at open-time so that selinux_file_permission
	 * can determine whether revalidation is necessary.
	 * Task label is already saved in the file security
	 * struct as its SID.
	 */
	fsec->isid = isec->sid;
	fsec->pseqno = avc_policy_seqno(&selinux_state);
	/*
	 * Since the inode label or policy seqno may have changed
	 * between the selinux_inode_permission check and the saving
	 * of state above, recheck that access is still permitted.
	 * Otherwise, access might never be revalidated against the
	 * new inode label or new policy.
	 * This check is not redundant - do not remove.
	 */
	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
}
4036
4037/* task security operations */
4038
/*
 * fork()/clone(): the parent's domain must grant process:fork to
 * itself.  @task and @clone_flags are not consulted.
 */
static int selinux_task_alloc(struct task_struct *task,
			      unsigned long clone_flags)
{
	u32 self = current_sid();

	return avc_has_perm(&selinux_state, self, self, SECCLASS_PROCESS,
			    PROCESS__FORK, NULL);
}
4047
4048/*
4049 * prepare a new set of credentials for modification
4050 */
4051static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4052                                gfp_t gfp)
4053{
4054        const struct task_security_struct *old_tsec = selinux_cred(old);
4055        struct task_security_struct *tsec = selinux_cred(new);
4056
4057        *tsec = *old_tsec;
4058        return 0;
4059}
4060
4061/*
4062 * transfer the SELinux data to a blank set of creds
4063 */
4064static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4065{
4066        const struct task_security_struct *old_tsec = selinux_cred(old);
4067        struct task_security_struct *tsec = selinux_cred(new);
4068
4069        *tsec = *old_tsec;
4070}
4071
/* The secid of a cred is its SELinux SID. */
static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
{
	u32 sid = cred_sid(c);

	*secid = sid;
}
4076
4077/*
4078 * set the security data for a kernel service
4079 * - all the creation contexts are set to unlabelled
4080 */
4081static int selinux_kernel_act_as(struct cred *new, u32 secid)
4082{
4083        struct task_security_struct *tsec = selinux_cred(new);
4084        u32 sid = current_sid();
4085        int ret;
4086
4087        ret = avc_has_perm(&selinux_state,
4088                           sid, secid,
4089                           SECCLASS_KERNEL_SERVICE,
4090                           KERNEL_SERVICE__USE_AS_OVERRIDE,
4091                           NULL);
4092        if (ret == 0) {
4093                tsec->sid = secid;
4094                tsec->create_sid = 0;
4095                tsec->keycreate_sid = 0;
4096                tsec->sockcreate_sid = 0;
4097        }
4098        return ret;
4099}
4100
4101/*
4102 * set the file creation context in a security record to the same as the
4103 * objective context of the specified inode
4104 */
4105static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4106{
4107        struct inode_security_struct *isec = inode_security(inode);
4108        struct task_security_struct *tsec = selinux_cred(new);
4109        u32 sid = current_sid();
4110        int ret;
4111
4112        ret = avc_has_perm(&selinux_state,
4113                           sid, isec->sid,
4114                           SECCLASS_KERNEL_SERVICE,
4115                           KERNEL_SERVICE__CREATE_FILES_AS,
4116                           NULL);
4117
4118        if (ret == 0)
4119                tsec->create_sid = isec->sid;
4120        return ret;
4121}
4122
/*
 * request_module() on behalf of the current task: needs
 * system:module_request towards the kernel SID.  The requested module
 * name is recorded in the audit data.
 */
static int selinux_kernel_module_request(char *kmod_name)
{
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_KMOD,
		.u.kmod_name = kmod_name,
	};

	return avc_has_perm(&selinux_state, current_sid(), SECINITSID_KERNEL,
			    SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, &ad);
}
4134
/*
 * Module load check.
 *
 * A NULL @file is init_module(2) (image comes from memory): the domain
 * needs system:module_load on itself.  Otherwise it is finit_module(2):
 * fd:use is required when the descriptor was opened by another domain,
 * and system:module_load is checked against the file's inode label.
 */
static int selinux_kernel_module_from_file(struct file *file)
{
	u32 sid = current_sid();
	struct common_audit_data ad;
	struct file_security_struct *fsec;
	struct inode_security_struct *isec;
	int err;

	if (file == NULL)
		return avc_has_perm(&selinux_state, sid, sid, SECCLASS_SYSTEM,
				    SYSTEM__MODULE_LOAD, NULL);

	ad.type = LSM_AUDIT_DATA_FILE;
	ad.u.file = file;

	fsec = selinux_file(file);
	if (fsec->sid != sid) {
		err = avc_has_perm(&selinux_state, sid, fsec->sid,
				   SECCLASS_FD, FD__USE, &ad);
		if (err)
			return err;
	}

	isec = inode_security(file_inode(file));
	return avc_has_perm(&selinux_state, sid, isec->sid, SECCLASS_SYSTEM,
			    SYSTEM__MODULE_LOAD, &ad);
}
4167
static int selinux_kernel_read_file(struct file *file,
				    enum kernel_read_file_id id,
				    bool contents)
{
	/*
	 * Only kernel module reads are mediated here; every other read id
	 * is allowed without a check.  When the kernel will not read the
	 * contents through @file, the file-less check is applied instead.
	 */
	if (id != READING_MODULE)
		return 0;

	return selinux_kernel_module_from_file(contents ? file : NULL);
}
4184
static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
{
	/*
	 * Only module loads are mediated; the data comes from a buffer, not
	 * a file, so the file-less module_load check is used.  @contents is
	 * not consulted for this id.
	 */
	if (id != LOADING_MODULE)
		return 0;

	return selinux_kernel_module_from_file(NULL);
}
4199
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
{
	/* Subject: the caller.  Object: the task whose process group changes. */
	const u32 ssid = current_sid();
	const u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__SETPGID, NULL);
}
4206
static int selinux_task_getpgid(struct task_struct *p)
{
	/* May the caller read the process group of @p? */
	const u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, current_sid(), tsid,
			    SECCLASS_PROCESS, PROCESS__GETPGID, NULL);
}
4213
static int selinux_task_getsid(struct task_struct *p)
{
	/* May the caller read the session id of @p? */
	const u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, current_sid(), tsid,
			    SECCLASS_PROCESS, PROCESS__GETSESSION, NULL);
}
4220
static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid)
{
	/*
	 * Report the subjective (acting) SID of @p.
	 * NOTE(review): this reads the subjective creds of an arbitrary task;
	 * confirm that callers only pass current, or hold the appropriate
	 * reference, since another task's subjective creds can change under us.
	 */
	const u32 sid = task_sid_subj(p);

	*secid = sid;
}
4225
static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
{
	/* Report the objective SID of @p (the label others see it under). */
	const u32 sid = task_sid_obj(p);

	*secid = sid;
}
4230
static int selinux_task_setnice(struct task_struct *p, int nice)
{
	/* Changing the nice value is covered by process { setsched }. */
	const u32 ssid = current_sid();
	const u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__SETSCHED, NULL);
}
4237
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
{
	/* Changing the I/O priority is covered by process { setsched }. */
	const u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, current_sid(), tsid,
			    SECCLASS_PROCESS, PROCESS__SETSCHED, NULL);
}
4244
static int selinux_task_getioprio(struct task_struct *p)
{
	/* Reading the I/O priority is covered by process { getsched }. */
	const u32 ssid = current_sid();
	const u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__GETSCHED, NULL);
}
4251
static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
				unsigned int flags)
{
	/* Map LSM_PRLIMIT_WRITE/READ onto the matching process permissions. */
	const u32 av = ((flags & LSM_PRLIMIT_WRITE) ? PROCESS__SETRLIMIT : 0) |
		       ((flags & LSM_PRLIMIT_READ) ? PROCESS__GETRLIMIT : 0);

	/* Neither reading nor writing was requested: nothing to mediate. */
	if (!flags)
		return 0;

	return avc_has_perm(&selinux_state, cred_sid(cred), cred_sid(tcred),
			    SECCLASS_PROCESS, av, NULL);
}
4267
static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
		struct rlimit *new_rlim)
{
	const struct rlimit *old_rlim = &p->signal->rlim[resource];

	/*
	 * Only a change of the hard limit is mediated, whether it is raised
	 * or lowered; soft-limit changes pass freely.  The hard limit is
	 * what selinux_bprm_committing_creds later uses as a safe reset
	 * point for the soft limit on a context transition, so it must not
	 * be adjustable without permission.
	 */
	if (old_rlim->rlim_max == new_rlim->rlim_max)
		return 0;

	return avc_has_perm(&selinux_state, current_sid(), task_sid_obj(p),
			    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
}
4284
static int selinux_task_setscheduler(struct task_struct *p)
{
	/* May the caller change the scheduling parameters of @p? */
	const u32 ssid = current_sid();
	const u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__SETSCHED, NULL);
}
4291
static int selinux_task_getscheduler(struct task_struct *p)
{
	/* May the caller read the scheduling parameters of @p? */
	const u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, current_sid(), tsid,
			    SECCLASS_PROCESS, PROCESS__GETSCHED, NULL);
}
4298
static int selinux_task_movememory(struct task_struct *p)
{
	/* Moving another task's pages is covered by process { setsched }. */
	const u32 ssid = current_sid();
	const u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__SETSCHED, NULL);
}
4305
static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
				int sig, const struct cred *cred)
{
	/* Signal 0 is an existence probe and maps to its own permission. */
	const u32 perm = sig ? signal_to_av(sig) : PROCESS__SIGNULL;
	/* Without explicit creds the sender is the current task. */
	const u32 ssid = cred ? cred_sid(cred) : current_sid();

	return avc_has_perm(&selinux_state, ssid, task_sid_obj(p),
			    SECCLASS_PROCESS, perm, NULL);
}
4323
static void selinux_task_to_inode(struct task_struct *p,
				  struct inode *inode)
{
	/*
	 * Relabel @inode after the task it represents: the object class is
	 * derived from the inode mode and the SID is the objective SID of @p.
	 * The writes happen in this order under isec->lock; the initialized
	 * flag is set last so the label is complete once it is observed.
	 */
	struct inode_security_struct *isec = selinux_inode(inode);
	u32 sid = task_sid_obj(p);

	spin_lock(&isec->lock);
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
	isec->sid = sid;
	isec->initialized = LABEL_INITIALIZED;
	spin_unlock(&isec->lock);
}
4336
/*
 * Record the IPv4 addresses of @skb in @ad, plus the transport ports when
 * the transport header is reachable, and optionally report the protocol
 * through @proto.  Returns an error only if the addresses cannot be parsed;
 * absent ports are not an error.
 */
static int selinux_parse_skb_ipv4(struct sk_buff *skb,
			struct common_audit_data *ad, u8 *proto)
{
	struct iphdr _iph;
	const struct iphdr *ih;
	int offset = skb_network_offset(skb);
	int ihlen;

	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
	if (!ih)
		return -EINVAL;

	/* An IHL shorter than the fixed header is malformed. */
	ihlen = ih->ihl * 4;
	if (ihlen < sizeof(_iph))
		return -EINVAL;

	ad->u.net->v4info.saddr = ih->saddr;
	ad->u.net->v4info.daddr = ih->daddr;

	if (proto)
		*proto = ih->protocol;

	/*
	 * Addresses alone are a success.  Only the first fragment carries
	 * the transport header, so later fragments leave the ports unset.
	 */
	if (ntohs(ih->frag_off) & IP_OFFSET)
		return 0;

	offset += ihlen;
	switch (ih->protocol) {
	case IPPROTO_TCP: {
		struct tcphdr _tcph;
		const struct tcphdr *th;

		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
		if (th) {
			ad->u.net->sport = th->source;
			ad->u.net->dport = th->dest;
		}
		break;
	}

	case IPPROTO_UDP: {
		struct udphdr _udph;
		const struct udphdr *uh;

		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
		if (uh) {
			ad->u.net->sport = uh->source;
			ad->u.net->dport = uh->dest;
		}
		break;
	}

	case IPPROTO_DCCP: {
		struct dccp_hdr _dccph;
		const struct dccp_hdr *dh;

		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
		if (dh) {
			ad->u.net->sport = dh->dccph_sport;
			ad->u.net->dport = dh->dccph_dport;
		}
		break;
	}

#if IS_ENABLED(CONFIG_IP_SCTP)
	case IPPROTO_SCTP: {
		struct sctphdr _sctph;
		const struct sctphdr *sh;

		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
		if (sh) {
			ad->u.net->sport = sh->source;
			ad->u.net->dport = sh->dest;
		}
		break;
	}
#endif
	default:
		/* Unknown transport: no ports to record. */
		break;
	}

	return 0;
}
4432
4433#if IS_ENABLED(CONFIG_IPV6)
4434
/*
 * Record the IPv6 addresses of @skb in @ad, plus the transport ports when
 * the transport header can be reached past any extension headers, and
 * optionally report the transport protocol through @proto.  Returns an
 * error only if the addresses cannot be parsed; absent ports are not an
 * error.
 */
static int selinux_parse_skb_ipv6(struct sk_buff *skb,
			struct common_audit_data *ad, u8 *proto)
{
	struct ipv6hdr _ipv6h;
	const struct ipv6hdr *ip6;
	__be16 frag_off;
	u8 nexthdr;
	int offset = skb_network_offset(skb);

	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
	if (!ip6)
		return -EINVAL;

	ad->u.net->v6info.saddr = ip6->saddr;
	ad->u.net->v6info.daddr = ip6->daddr;

	/*
	 * Skip the extension-header chain.  If it cannot be followed, the
	 * addresses alone are still a success and @proto is left untouched.
	 */
	nexthdr = ip6->nexthdr;
	offset += sizeof(_ipv6h);
	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
	if (offset < 0)
		return 0;

	if (proto)
		*proto = nexthdr;

	switch (nexthdr) {
	case IPPROTO_TCP: {
		struct tcphdr _tcph;
		const struct tcphdr *th;

		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
		if (th) {
			ad->u.net->sport = th->source;
			ad->u.net->dport = th->dest;
		}
		break;
	}

	case IPPROTO_UDP: {
		struct udphdr _udph;
		const struct udphdr *uh;

		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
		if (uh) {
			ad->u.net->sport = uh->source;
			ad->u.net->dport = uh->dest;
		}
		break;
	}

	case IPPROTO_DCCP: {
		struct dccp_hdr _dccph;
		const struct dccp_hdr *dh;

		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
		if (dh) {
			ad->u.net->sport = dh->dccph_sport;
			ad->u.net->dport = dh->dccph_dport;
		}
		break;
	}

#if IS_ENABLED(CONFIG_IP_SCTP)
	case IPPROTO_SCTP: {
		struct sctphdr _sctph;
		const struct sctphdr *sh;

		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
		if (sh) {
			ad->u.net->sport = sh->source;
			ad->u.net->dport = sh->dest;
		}
		break;
	}
#endif
	default:
		/* Anything else, fragments included, carries no ports. */
		break;
	}

	return 0;
}
4519
4520#endif /* IPV6 */
4521
static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
			     char **_addrp, int src, u8 *proto)
{
	/*
	 * Dispatch on the address family recorded in @ad, fill in the
	 * network audit data and hand back a pointer to the source (@src
	 * non-zero) or destination address through @_addrp.  An unknown
	 * family succeeds with a NULL address.
	 */
	char *addrp = NULL;
	int ret = 0;

	switch (ad->u.net->family) {
	case PF_INET:
		ret = selinux_parse_skb_ipv4(skb, ad, proto);
		if (!ret)
			addrp = (char *)(src ? &ad->u.net->v4info.saddr :
					       &ad->u.net->v4info.daddr);
		break;

#if IS_ENABLED(CONFIG_IPV6)
	case PF_INET6:
		ret = selinux_parse_skb_ipv6(skb, ad, proto);
		if (!ret)
			addrp = (char *)(src ? &ad->u.net->v6info.saddr :
					       &ad->u.net->v6info.daddr);
		break;
#endif  /* IPV6 */
	default:
		break;
	}

	if (ret) {
		/*
		 * NOTE(review): this warning is not rate limited; if the
		 * parse failure can be driven by inbound traffic, a
		 * rate-limited variant would avoid log flooding.
		 */
		pr_warn("SELinux: failure in selinux_parse_skb(),"
			" unable to parse packet\n");
		return ret;
	}

	if (_addrp)
		*_addrp = addrp;
	return 0;
}
4562
4563/**
4564 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4565 * @skb: the packet