linux/security/selinux/hooks.c
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 *  NSA Security-Enhanced Linux (SELinux) security module
   4 *
   5 *  This file contains the SELinux hook function implementations.
   6 *
   7 *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
   8 *            Chris Vance, <cvance@nai.com>
   9 *            Wayne Salamon, <wsalamon@nai.com>
  10 *            James Morris <jmorris@redhat.com>
  11 *
  12 *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  13 *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  14 *                                         Eric Paris <eparis@redhat.com>
  15 *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  16 *                          <dgoeddel@trustedcs.com>
  17 *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
  18 *      Paul Moore <paul@paul-moore.com>
  19 *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  20 *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
  21 *  Copyright (C) 2016 Mellanox Technologies
  22 */
  23
  24#include <linux/init.h>
  25#include <linux/kd.h>
  26#include <linux/kernel.h>
  27#include <linux/kernel_read_file.h>
  28#include <linux/tracehook.h>
  29#include <linux/errno.h>
  30#include <linux/sched/signal.h>
  31#include <linux/sched/task.h>
  32#include <linux/lsm_hooks.h>
  33#include <linux/xattr.h>
  34#include <linux/capability.h>
  35#include <linux/unistd.h>
  36#include <linux/mm.h>
  37#include <linux/mman.h>
  38#include <linux/slab.h>
  39#include <linux/pagemap.h>
  40#include <linux/proc_fs.h>
  41#include <linux/swap.h>
  42#include <linux/spinlock.h>
  43#include <linux/syscalls.h>
  44#include <linux/dcache.h>
  45#include <linux/file.h>
  46#include <linux/fdtable.h>
  47#include <linux/namei.h>
  48#include <linux/mount.h>
  49#include <linux/fs_context.h>
  50#include <linux/fs_parser.h>
  51#include <linux/netfilter_ipv4.h>
  52#include <linux/netfilter_ipv6.h>
  53#include <linux/tty.h>
  54#include <net/icmp.h>
  55#include <net/ip.h>             /* for local_port_range[] */
  56#include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
  57#include <net/inet_connection_sock.h>
  58#include <net/net_namespace.h>
  59#include <net/netlabel.h>
  60#include <linux/uaccess.h>
  61#include <asm/ioctls.h>
  62#include <linux/atomic.h>
  63#include <linux/bitops.h>
  64#include <linux/interrupt.h>
  65#include <linux/netdevice.h>    /* for network interface checks */
  66#include <net/netlink.h>
  67#include <linux/tcp.h>
  68#include <linux/udp.h>
  69#include <linux/dccp.h>
  70#include <linux/sctp.h>
  71#include <net/sctp/structs.h>
  72#include <linux/quota.h>
  73#include <linux/un.h>           /* for Unix socket types */
  74#include <net/af_unix.h>        /* for Unix socket types */
  75#include <linux/parser.h>
  76#include <linux/nfs_mount.h>
  77#include <net/ipv6.h>
  78#include <linux/hugetlb.h>
  79#include <linux/personality.h>
  80#include <linux/audit.h>
  81#include <linux/string.h>
  82#include <linux/mutex.h>
  83#include <linux/posix-timers.h>
  84#include <linux/syslog.h>
  85#include <linux/user_namespace.h>
  86#include <linux/export.h>
  87#include <linux/msg.h>
  88#include <linux/shm.h>
  89#include <linux/bpf.h>
  90#include <linux/kernfs.h>
  91#include <linux/stringhash.h>   /* for hashlen_string() */
  92#include <uapi/linux/mount.h>
  93#include <linux/fsnotify.h>
  94#include <linux/fanotify.h>
  95
  96#include "avc.h"
  97#include "objsec.h"
  98#include "netif.h"
  99#include "netnode.h"
 100#include "netport.h"
 101#include "ibpkey.h"
 102#include "xfrm.h"
 103#include "netlabel.h"
 104#include "audit.h"
 105#include "avc_ss.h"
 106
/* Global SELinux state instance; the hooks below pass &selinux_state to the
 * security server / AVC interfaces. */
struct selinux_state selinux_state;
 108
/* SECMARK reference count: non-zero means SECMARK targets are configured;
 * read by selinux_secmark_enabled() */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 111
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
/* Enforcing mode requested on the kernel command line (see enforcing_setup()). */
static int selinux_enforcing_boot __initdata;

/*
 * Parse the "enforcing=" boot parameter.  Any non-zero value selects
 * enforcing mode; unparsable input leaves the previous setting untouched.
 * Always returns 1 so the parameter is treated as consumed.
 */
static int __init enforcing_setup(char *str)
{
        unsigned long val;

        if (kstrtoul(str, 0, &val) == 0)
                selinux_enforcing_boot = !!val;
        return 1;
}
__setup("enforcing=", enforcing_setup);
#else
/* No development option: the boot-time value is hard-wired to 1. */
#define selinux_enforcing_boot 1
#endif
 126
/* Whether SELinux is enabled at boot; defaults to on, overridable through the
 * "selinux=" parameter when CONFIG_SECURITY_SELINUX_BOOTPARAM is set. */
int selinux_enabled_boot __initdata = 1;
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
/*
 * Parse the "selinux=" boot parameter into selinux_enabled_boot: non-zero
 * enables, zero disables, unparsable input is ignored.  Always returns 1 so
 * the parameter counts as handled.
 */
static int __init selinux_enabled_setup(char *str)
{
        unsigned long val;

        if (kstrtoul(str, 0, &val) != 0)
                return 1;

        selinux_enabled_boot = val ? 1 : 0;
        return 1;
}
__setup("selinux=", selinux_enabled_setup);
#endif
 138
/* Boot-time checkreqprot setting; starts at the Kconfig default and may be
 * overridden by the "checkreqprot=" parameter (checkreqprot_setup()). */
static unsigned int selinux_checkreqprot_boot =
        CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
 141
/*
 * Parse the "checkreqprot=" boot parameter.  A non-zero value turns
 * checkreqprot on and emits a deprecation warning; unparsable input is
 * ignored.  Always returns 1 so the parameter counts as handled.
 */
static int __init checkreqprot_setup(char *str)
{
        unsigned long val;

        if (kstrtoul(str, 0, &val) != 0)
                return 1;

        selinux_checkreqprot_boot = !!val;
        if (val)
                pr_warn("SELinux: checkreqprot set to 1 via kernel parameter.  This is deprecated and will be rejected in a future kernel release.\n");
        return 1;
}
__setup("checkreqprot=", checkreqprot_setup);
 154
/**
 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 *
 * Description:
 * SECMARK is considered enabled when at least one SECMARK target holds a
 * reference (selinux_secmark_refcount is non-zero), or unconditionally when
 * the always_check_network policy capability is set.  Returns true (1) when
 * enabled and false (0) otherwise.
 *
 */
static int selinux_secmark_enabled(void)
{
        if (selinux_policycap_alwaysnetwork())
                return 1;
        return atomic_read(&selinux_secmark_refcount) != 0;
}
 171
/**
 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
 *
 * Description:
 * Peer labeling is considered enabled when NetLabel or labeled IPsec is
 * enabled, or unconditionally when the always_check_network policy
 * capability is set.  Returns true (1) when enabled and false (0) otherwise.
 *
 */
static int selinux_peerlbl_enabled(void)
{
        if (selinux_policycap_alwaysnetwork())
                return 1;
        if (netlbl_enabled())
                return 1;
        return !!selinux_xfrm_enabled();
}
 187
/*
 * AVC callback: on AVC_CALLBACK_RESET, drop the cached network interface,
 * node and port labels and wait for in-flight network readers to finish.
 * Other events are ignored.  Always returns 0.
 */
static int selinux_netcache_avc_callback(u32 event)
{
        if (event != AVC_CALLBACK_RESET)
                return 0;

        sel_netif_flush();
        sel_netnode_flush();
        sel_netport_flush();
        synchronize_net();
        return 0;
}
 198
/*
 * AVC callback: on AVC_CALLBACK_RESET, flush the cached InfiniBand pkey
 * labels and tell LSM notifier subscribers that policy has changed.
 * Other events are ignored.  Always returns 0.
 */
static int selinux_lsm_notifier_avc_callback(u32 event)
{
        if (event != AVC_CALLBACK_RESET)
                return 0;

        sel_ib_pkey_flush();
        call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
        return 0;
}
 208
/*
 * initialise the security for the init task
 *
 * Both the current and the original SID of the init task's real creds are
 * set to SECINITSID_KERNEL.  The const is cast away because this runs before
 * anything else can observe the creds.
 */
static void cred_init_security(void)
{
        struct cred *cred = (struct cred *) current->real_cred;
        struct task_security_struct *tsec = selinux_cred(cred);

        tsec->sid = SECINITSID_KERNEL;
        tsec->osid = SECINITSID_KERNEL;
}
 220
/*
 * get the security ID of a set of credentials
 */
static inline u32 cred_sid(const struct cred *cred)
{
        return selinux_cred(cred)->sid;
}
 231
/*
 * get the subjective security ID of a task
 *
 * @task->cred is RCU-protected, so the SID is read under rcu_read_lock()
 * via rcu_dereference().  The result is a snapshot taken at call time.
 */
static inline u32 task_sid_subj(const struct task_struct *task)
{
        u32 sid;

        rcu_read_lock();
        sid = cred_sid(rcu_dereference(task->cred));
        rcu_read_unlock();
        return sid;
}
 244
/*
 * get the objective security ID of a task
 *
 * Uses __task_cred() (the task's objective creds) under rcu_read_lock();
 * the result is a snapshot taken at call time.
 */
static inline u32 task_sid_obj(const struct task_struct *task)
{
        u32 sid;

        rcu_read_lock();
        sid = cred_sid(__task_cred(task));
        rcu_read_unlock();
        return sid;
}
 257
/*
 * get the security ID of a task for use with binder
 */
static inline u32 task_sid_binder(const struct task_struct *task)
{
        /*
         * Most binder callers would ideally use the task's subjective SID,
         * but the subjective creds of a task other than current cannot be
         * accessed reliably, so the objective creds/SID (which are safe to
         * read) are used instead.  A task that is temporarily overriding
         * its creds is therefore not reflected here; it is not clear that
         * binder would cope with that case anyway.
         *
         * Should it ever become safe to read another task's subjective
         * creds/SID, this helper marks every place in the binder hooks that
         * would need updating; the drivers/android binder code would most
         * likely need adjusting as well.
         */
        return task_sid_obj(task);
}
 280
/* Forward declaration: defined later in this file; used by the label
 * revalidation helpers below.  @opt_dentry may be NULL. */
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
 282
/*
 * Try reloading inode security labels that have been marked as invalid.
 * @may_sleep says whether blocking (and therefore reloading the label) is
 * permitted; when it is false an invalid label yields -ECHILD instead.
 * @dentry should be a dentry of @inode, or NULL if none is at hand.
 * Returns 0 otherwise, even if the reload itself did not succeed.
 */
static int __inode_security_revalidate(struct inode *inode,
                                       struct dentry *dentry,
                                       bool may_sleep)
{
        struct inode_security_struct *isec = selinux_inode(inode);

        might_sleep_if(may_sleep);

        /* Nothing to do before policy load, or when the label is valid. */
        if (!selinux_initialized(&selinux_state) ||
            isec->initialized == LABEL_INITIALIZED)
                return 0;

        /* Caller cannot block: report the stale label instead. */
        if (!may_sleep)
                return -ECHILD;

        /*
         * Try reloading the inode security label.  This fails if @dentry is
         * NULL and no dentry for this inode can be found; in that case the
         * old label stays in use.
         */
        inode_doinit_with_dentry(inode, dentry);
        return 0;
}
 311
/* Plain lookup of an inode's security struct; no label revalidation. */
static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
{
        struct inode_security_struct *isec = selinux_inode(inode);

        return isec;
}
 316
/*
 * Get an inode's security struct, revalidating the label unless @rcu says
 * the caller cannot sleep.  Returns ERR_PTR(-ECHILD) when revalidation is
 * needed but not possible under RCU.
 */
static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
{
        int rc = __inode_security_revalidate(inode, NULL, !rcu);

        return rc ? ERR_PTR(rc) : selinux_inode(inode);
}
 326
/*
 * Get the security label of an inode.
 *
 * May sleep.  A stale label is refreshed first; the refresh result is
 * deliberately ignored since a failed reload leaves the old label in place.
 */
static struct inode_security_struct *inode_security(struct inode *inode)
{
        (void)__inode_security_revalidate(inode, NULL, true);
        return selinux_inode(inode);
}
 335
/* Security struct of a dentry's backing inode, without label revalidation. */
static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
{
        return selinux_inode(d_backing_inode(dentry));
}
 342
/*
 * Get the security label of a dentry's backing inode.
 *
 * May sleep.  The dentry is passed along so that an invalid label can be
 * reloaded (see __inode_security_revalidate()).
 */
static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
{
        struct inode *inode = d_backing_inode(dentry);

        (void)__inode_security_revalidate(inode, dentry, true);
        return selinux_inode(inode);
}
 353
/*
 * Tear down the SELinux side of an inode: unlink its security struct from
 * the superblock's deferred-labeling list if it is on one.  The struct's
 * storage itself is not freed here.
 */
static void inode_free_security(struct inode *inode)
{
        struct inode_security_struct *isec = selinux_inode(inode);
        struct superblock_security_struct *sbsec;

        if (!isec)
                return;

        /*
         * Most inode security structs are not on any list, so test for an
         * empty list before taking the lock rather than paying for a lock
         * round-trip that does nothing.
         *
         * list_del_init() is safe to call more than once.  A concurrent
         * list_add() should be impossible here, but list_empty_careful() is
         * used for extra robustness against future changes.
         */
        if (list_empty_careful(&isec->list))
                return;

        sbsec = selinux_superblock(inode->i_sb);
        spin_lock(&sbsec->isec_lock);
        list_del_init(&isec->list);
        spin_unlock(&sbsec->isec_lock);
}
 378
/* Parsed SELinux mount options: each member is an owned context string
 * (NULL when the option was not given); freed by selinux_free_mnt_opts(). */
struct selinux_mnt_opts {
        const char *fscontext, *context, *rootcontext, *defcontext;
};
 382
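/*
 * Free a struct selinux_mnt_opts and the context strings it owns.
 *
 * @mnt_opts: pointer returned by the option parser; NULL is accepted and is
 *            a no-op, mirroring kfree(NULL), so callers need no guard.
 */
static void selinux_free_mnt_opts(void *mnt_opts)
{
        struct selinux_mnt_opts *opts = mnt_opts;

        if (!opts)
                return;

        kfree(opts->fscontext);
        kfree(opts->context);
        kfree(opts->rootcontext);
        kfree(opts->defcontext);
        kfree(opts);
}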
 392
/* Mount option identifiers returned by match_opt_prefix(). */
enum {
        Opt_error = -1,         /* no token matched */
        Opt_context = 0,
        Opt_defcontext = 1,
        Opt_fscontext = 2,
        Opt_rootcontext = 3,
        Opt_seclabel = 4,
};

/*
 * Table of recognised option names.  @len caches strlen(@name) so the
 * prefix matcher need not recompute it; @has_arg says whether the option
 * takes an "=value" suffix.
 */
#define A(s, arg) { .name = #s, .len = sizeof(#s) - 1, .opt = Opt_##s, .has_arg = (arg) }
static struct {
        const char *name;
        int len;
        int opt;
        bool has_arg;
} tokens[] = {
        A(context, true),
        A(fscontext, true),
        A(defcontext, true),
        A(rootcontext, true),
        A(seclabel, false),
};
#undef A
 416
/*
 * Match the first @l bytes of @s against the option table.
 *
 * Options with a value must appear as "name=value"; *@arg is then pointed
 * at the byte after '='.  Options without a value must match exactly.
 * Returns the Opt_* identifier, or Opt_error when nothing matches.
 */
static int match_opt_prefix(char *s, int l, char **arg)
{
        size_t i;

        for (i = 0; i < ARRAY_SIZE(tokens); i++) {
                size_t len = tokens[i].len;
                bool exact = (len == l);

                /* The name must fit in the input and match byte for byte. */
                if (len > l || memcmp(s, tokens[i].name, len) != 0)
                        continue;

                if (!tokens[i].has_arg) {
                        if (exact)
                                return tokens[i].opt;
                        continue;
                }

                /* Value-taking option: require "name=" with room after it. */
                if (exact || s[len] != '=')
                        continue;
                *arg = s + len + 1;
                return tokens[i].opt;
        }
        return Opt_error;
}
 435
/* Shared warning text for duplicate or conflicting SELinux mount options. */
#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
 437
/*
 * Check that @cred may relabel the superblock from its current SID to @sid:
 * filesystem:relabelfrom on the old label, then filesystem:relabelto on the
 * new one.  Returns 0 if both are permitted, else the first denial.
 */
static int may_context_mount_sb_relabel(u32 sid,
                        struct superblock_security_struct *sbsec,
                        const struct cred *cred)
{
        const struct task_security_struct *tsec = selinux_cred(cred);
        int rc = avc_has_perm(&selinux_state,
                              tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
                              FILESYSTEM__RELABELFROM, NULL);

        if (rc)
                return rc;

        return avc_has_perm(&selinux_state,
                            tsec->sid, sid, SECCLASS_FILESYSTEM,
                            FILESYSTEM__RELABELTO, NULL);
}
 456
/*
 * Check that @cred may put inodes labeled @sid on this superblock:
 * filesystem:relabelfrom for the task on the superblock, then
 * filesystem:associate for @sid on the superblock.  Returns 0 if both are
 * permitted, else the first denial.
 */
static int may_context_mount_inode_relabel(u32 sid,
                        struct superblock_security_struct *sbsec,
                        const struct cred *cred)
{
        const struct task_security_struct *tsec = selinux_cred(cred);
        int rc = avc_has_perm(&selinux_state,
                              tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
                              FILESYSTEM__RELABELFROM, NULL);

        if (rc)
                return rc;

        return avc_has_perm(&selinux_state,
                            sid, sbsec->sid, SECCLASS_FILESYSTEM,
                            FILESYSTEM__ASSOCIATE, NULL);
}
 474
/*
 * Genfs-labeled filesystem types that nevertheless support an in-core
 * setxattr handler, and so may be relabeled per inode.  cgroup/cgroup2
 * only qualify when the cgroup_seclabel policy capability is enabled.
 */
static int selinux_is_genfs_special_handling(struct super_block *sb)
{
        const char *name = sb->s_type->name;

        if (!strcmp(name, "sysfs") ||
            !strcmp(name, "pstore") ||
            !strcmp(name, "debugfs") ||
            !strcmp(name, "tracefs") ||
            !strcmp(name, "rootfs"))
                return 1;

        if (!selinux_policycap_cgroupseclabel())
                return 0;

        return !strcmp(name, "cgroup") || !strcmp(name, "cgroup2");
}
 487
/*
 * Decide whether inodes on @sb may be relabeled (SBLABEL_MNT) based on the
 * superblock's labeling behavior.  Returns 1 if so, 0 otherwise.
 */
static int selinux_is_sblabel_mnt(struct super_block *sb)
{
        struct superblock_security_struct *sbsec = selinux_superblock(sb);

        /*
         * IMPORTANT: Double-check logic in this function when adding a new
         * SECURITY_FS_USE_* definition!
         */
        BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);

        /* genfs filesystems are relabelable only in the special cases. */
        if (sbsec->behavior == SECURITY_FS_USE_GENFS)
                return selinux_is_genfs_special_handling(sb);

        /*
         * xattr, trans, task and native labeling support relabeling.
         * Context mounts (MNTPOINT), NONE and anything unknown never do.
         */
        return sbsec->behavior == SECURITY_FS_USE_XATTR ||
               sbsec->behavior == SECURITY_FS_USE_TRANS ||
               sbsec->behavior == SECURITY_FS_USE_TASK ||
               sbsec->behavior == SECURITY_FS_USE_NATIVE;
}
 515
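/*
 * Verify that a filesystem about to use SECURITY_FS_USE_XATTR labeling can
 * actually serve the security.selinux xattr on its root inode.  When it
 * cannot, fall back to genfs labeling if the policy has a genfs entry for
 * the filesystem type.
 *
 * @sb: superblock being set up; sb->s_root must be valid.
 *
 * Returns 0 when xattrs are usable or the genfs fallback was applied; a
 * negative errno from getxattr for errors other than -ENODATA/-EOPNOTSUPP;
 * -EOPNOTSUPP when xattrs are unsupported and no genfs fallback exists.
 */
static int sb_check_xattr_support(struct super_block *sb)
{
        /*
         * Use selinux_superblock(), the accessor every other function in
         * this file uses for the SELinux superblock security struct, rather
         * than reading sb->s_security directly and assuming SELinux's data
         * sits at the start of the shared security blob.
         */
        struct superblock_security_struct *sbsec = selinux_superblock(sb);
        struct dentry *root = sb->s_root;
        struct inode *root_inode = d_backing_inode(root);
        u32 sid;
        int rc;

        /*
         * Make sure that the xattr handler exists and that no
         * error other than -ENODATA is returned by getxattr on
         * the root directory.  -ENODATA is ok, as this may be
         * the first boot of the SELinux kernel before we have
         * assigned xattr values to the filesystem.
         */
        if (!(root_inode->i_opflags & IOP_XATTR)) {
                pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
                        sb->s_id, sb->s_type->name);
                goto fallback;
        }

        rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
        if (rc < 0 && rc != -ENODATA) {
                if (rc == -EOPNOTSUPP) {
                        pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
                                sb->s_id, sb->s_type->name);
                        goto fallback;
                }
                /* Any other getxattr failure is fatal for this superblock. */
                pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
                        sb->s_id, sb->s_type->name, -rc);
                return rc;
        }
        return 0;

fallback:
        /* No xattr support - try to fallback to genfs if possible. */
        rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/",
                                SECCLASS_DIR, &sid);
        if (rc)
                return -EOPNOTSUPP;

        pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
                sb->s_id, sb->s_type->name);
        sbsec->behavior = SECURITY_FS_USE_GENFS;
        sbsec->sid = sid;
        return 0;
}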
 564
/*
 * Complete superblock security setup once the labeling behavior is known:
 * check xattr support for SECURITY_FS_USE_XATTR filesystems (possibly
 * falling back to genfs), mark the superblock initialized, set or clear
 * SBLABEL_MNT, label the root inode, then label every inode that was queued
 * on sbsec->isec_head while the superblock was uninitialized.
 *
 * Returns the xattr-check error if any, otherwise the result of labeling the
 * root inode; failures while labeling the queued inodes are not reported.
 */
static int sb_finish_set_opts(struct super_block *sb)
{
        struct superblock_security_struct *sbsec = selinux_superblock(sb);
        struct dentry *root = sb->s_root;
        struct inode *root_inode = d_backing_inode(root);
        int rc = 0;

        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
                rc = sb_check_xattr_support(sb);
                if (rc)
                        return rc;
        }

        sbsec->flags |= SE_SBINITIALIZED;

        /*
         * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
         * leave the flag untouched because sb_clone_mnt_opts might be handing
         * us a superblock that needs the flag to be cleared.
         */
        if (selinux_is_sblabel_mnt(sb))
                sbsec->flags |= SBLABEL_MNT;
        else
                sbsec->flags &= ~SBLABEL_MNT;

        /* Initialize the root inode; this is the result the caller sees. */
        rc = inode_doinit_with_dentry(root_inode, root);

        /* Initialize any other inodes associated with the superblock, e.g.
           inodes created prior to initial policy load or inodes created
           during get_sb by a pseudo filesystem that directly
           populates itself. */
        spin_lock(&sbsec->isec_lock);
        while (!list_empty(&sbsec->isec_head)) {
                struct inode_security_struct *isec =
                                list_first_entry(&sbsec->isec_head,
                                           struct inode_security_struct, list);
                struct inode *inode = isec->inode;
                /* Unlink first so the entry cannot be picked up again. */
                list_del_init(&isec->list);
                /*
                 * Drop the spinlock across inode_doinit_with_dentry(), which
                 * may sleep (cf. might_sleep_if() in
                 * __inode_security_revalidate()).  igrab() pins the inode
                 * while unlocked; a NULL result means it could not be pinned
                 * and is simply skipped.
                 */
                spin_unlock(&sbsec->isec_lock);
                inode = igrab(inode);
                if (inode) {
                        if (!IS_PRIVATE(inode))
                                inode_doinit_with_dentry(inode, NULL);
                        iput(inode);
                }
                spin_lock(&sbsec->isec_lock);
        }
        spin_unlock(&sbsec->isec_lock);
        return rc;
}
 616
/*
 * Detect conflicting mount options for a superblock.
 *
 * @flag is the SE_MNTMASK bit for the option being applied and @old_sid /
 * @new_sid the SID the superblock already carries for it and the one now
 * requested.  Returns 1 when the option conflicts, 0 when it is acceptable.
 */
static int bad_option(struct superblock_security_struct *sbsec, char flag,
                      u32 old_sid, u32 new_sid)
{
        char mnt_flags = sbsec->flags & SE_MNTMASK;

        /*
         * Superblock already set up: a later mount must repeat the same
         * option with the same label, otherwise it is incompatible.
         */
        if (sbsec->flags & SE_SBINITIALIZED)
                return !(sbsec->flags & flag) || old_sid != new_sid;

        /*
         * First mount: the option must not have been given twice, e.g.
         * context=a,context=b.
         */
        return (mnt_flags & flag) ? 1 : 0;
}
 636
/*
 * Convert the mount option context string @s into a SID in *@sid, logging
 * the filesystem identity on failure.  Returns 0 on success or the error
 * from security_context_str_to_sid().
 */
static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
{
        int rc = security_context_str_to_sid(&selinux_state, s,
                                             sid, GFP_KERNEL);

        if (!rc)
                return 0;

        pr_warn("SELinux: security_context_str_to_sid"
               "(%s) failed for (dev %s, type %s) errno=%d\n",
               s, sb->s_id, sb->s_type->name, rc);
        return rc;
}
 647
 648/*
 649 * Allow filesystems with binary mount data to explicitly set mount point
 650 * labeling information.
 651 */
 652static int selinux_set_mnt_opts(struct super_block *sb,
 653                                void *mnt_opts,
 654                                unsigned long kern_flags,
 655                                unsigned long *set_kern_flags)
 656{
 657        const struct cred *cred = current_cred();
 658        struct superblock_security_struct *sbsec = selinux_superblock(sb);
 659        struct dentry *root = sb->s_root;
 660        struct selinux_mnt_opts *opts = mnt_opts;
 661        struct inode_security_struct *root_isec;
 662        u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
 663        u32 defcontext_sid = 0;
 664        int rc = 0;
 665
 666        mutex_lock(&sbsec->lock);
 667
 668        if (!selinux_initialized(&selinux_state)) {
 669                if (!opts) {
 670                        /* Defer initialization until selinux_complete_init,
 671                           after the initial policy is loaded and the security
 672                           server is ready to handle calls. */
 673                        goto out;
 674                }
 675                rc = -EINVAL;
 676                pr_warn("SELinux: Unable to set superblock options "
 677                        "before the security server is initialized\n");
 678                goto out;
 679        }
 680        if (kern_flags && !set_kern_flags) {
 681                /* Specifying internal flags without providing a place to
 682                 * place the results is not allowed */
 683                rc = -EINVAL;
 684                goto out;
 685        }
 686
 687        /*
 688         * Binary mount data FS will come through this function twice.  Once
 689         * from an explicit call and once from the generic calls from the vfs.
 690         * Since the generic VFS calls will not contain any security mount data
 691         * we need to skip the double mount verification.
 692         *
 693         * This does open a hole in which we will not notice if the first
 694         * mount using this sb set explict options and a second mount using
 695         * this sb does not set any security options.  (The first options
 696         * will be used for both mounts)
 697         */
 698        if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
 699            && !opts)
 700                goto out;
 701
 702        root_isec = backing_inode_security_novalidate(root);
 703
 704        /*
 705         * parse the mount options, check if they are valid sids.
 706         * also check if someone is trying to mount the same sb more
 707         * than once with different security options.
 708         */
 709        if (opts) {
 710                if (opts->fscontext) {
 711                        rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
 712                        if (rc)
 713                                goto out;
 714                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
 715                                        fscontext_sid))
 716                                goto out_double_mount;
 717                        sbsec->flags |= FSCONTEXT_MNT;
 718                }
 719                if (opts->context) {
 720                        rc = parse_sid(sb, opts->context, &context_sid);
 721                        if (rc)
 722                                goto out;
 723                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
 724                                        context_sid))
 725                                goto out_double_mount;
 726                        sbsec->flags |= CONTEXT_MNT;
 727                }
 728                if (opts->rootcontext) {
 729                        rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
 730                        if (rc)
 731                                goto out;
 732                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
 733                                        rootcontext_sid))
 734                                goto out_double_mount;
 735                        sbsec->flags |= ROOTCONTEXT_MNT;
 736                }
 737                if (opts->defcontext) {
 738                        rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
 739                        if (rc)
 740                                goto out;
 741                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
 742                                        defcontext_sid))
 743                                goto out_double_mount;
 744                        sbsec->flags |= DEFCONTEXT_MNT;
 745                }
 746        }
 747
 748        if (sbsec->flags & SE_SBINITIALIZED) {
 749                /* previously mounted with options, but not on this attempt? */
 750                if ((sbsec->flags & SE_MNTMASK) && !opts)
 751                        goto out_double_mount;
 752                rc = 0;
 753                goto out;
 754        }
 755
 756        if (strcmp(sb->s_type->name, "proc") == 0)
 757                sbsec->flags |= SE_SBPROC | SE_SBGENFS;
 758
 759        if (!strcmp(sb->s_type->name, "debugfs") ||
 760            !strcmp(sb->s_type->name, "tracefs") ||
 761            !strcmp(sb->s_type->name, "binder") ||
 762            !strcmp(sb->s_type->name, "bpf") ||
 763            !strcmp(sb->s_type->name, "pstore"))
 764                sbsec->flags |= SE_SBGENFS;
 765
 766        if (!strcmp(sb->s_type->name, "sysfs") ||
 767            !strcmp(sb->s_type->name, "cgroup") ||
 768            !strcmp(sb->s_type->name, "cgroup2"))
 769                sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
 770
 771        if (!sbsec->behavior) {
 772                /*
 773                 * Determine the labeling behavior to use for this
 774                 * filesystem type.
 775                 */
 776                rc = security_fs_use(&selinux_state, sb);
 777                if (rc) {
 778                        pr_warn("%s: security_fs_use(%s) returned %d\n",
 779                                        __func__, sb->s_type->name, rc);
 780                        goto out;
 781                }
 782        }
 783
 784        /*
 785         * If this is a user namespace mount and the filesystem type is not
 786         * explicitly whitelisted, then no contexts are allowed on the command
 787         * line and security labels must be ignored.
 788         */
 789        if (sb->s_user_ns != &init_user_ns &&
 790            strcmp(sb->s_type->name, "tmpfs") &&
 791            strcmp(sb->s_type->name, "ramfs") &&
 792            strcmp(sb->s_type->name, "devpts") &&
 793            strcmp(sb->s_type->name, "overlay")) {
 794                if (context_sid || fscontext_sid || rootcontext_sid ||
 795                    defcontext_sid) {
 796                        rc = -EACCES;
 797                        goto out;
 798                }
 799                if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
 800                        sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 801                        rc = security_transition_sid(&selinux_state,
 802                                                     current_sid(),
 803                                                     current_sid(),
 804                                                     SECCLASS_FILE, NULL,
 805                                                     &sbsec->mntpoint_sid);
 806                        if (rc)
 807                                goto out;
 808                }
 809                goto out_set_opts;
 810        }
 811
 812        /* sets the context of the superblock for the fs being mounted. */
 813        if (fscontext_sid) {
 814                rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
 815                if (rc)
 816                        goto out;
 817
 818                sbsec->sid = fscontext_sid;
 819        }
 820
 821        /*
 822         * Switch to using mount point labeling behavior.
 823         * sets the label used on all file below the mountpoint, and will set
 824         * the superblock context if not already set.
 825         */
 826        if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
 827                sbsec->behavior = SECURITY_FS_USE_NATIVE;
 828                *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
 829        }
 830
 831        if (context_sid) {
 832                if (!fscontext_sid) {
 833                        rc = may_context_mount_sb_relabel(context_sid, sbsec,
 834                                                          cred);
 835                        if (rc)
 836                                goto out;
 837                        sbsec->sid = context_sid;
 838                } else {
 839                        rc = may_context_mount_inode_relabel(context_sid, sbsec,
 840                                                             cred);
 841                        if (rc)
 842                                goto out;
 843                }
 844                if (!rootcontext_sid)
 845                        rootcontext_sid = context_sid;
 846
 847                sbsec->mntpoint_sid = context_sid;
 848                sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
 849        }
 850
 851        if (rootcontext_sid) {
 852                rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
 853                                                     cred);
 854                if (rc)
 855                        goto out;
 856
 857                root_isec->sid = rootcontext_sid;
 858                root_isec->initialized = LABEL_INITIALIZED;
 859        }
 860
 861        if (defcontext_sid) {
 862                if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
 863                        sbsec->behavior != SECURITY_FS_USE_NATIVE) {
 864                        rc = -EINVAL;
 865                        pr_warn("SELinux: defcontext option is "
 866                               "invalid for this filesystem type\n");
 867                        goto out;
 868                }
 869
 870                if (defcontext_sid != sbsec->def_sid) {
 871                        rc = may_context_mount_inode_relabel(defcontext_sid,
 872                                                             sbsec, cred);
 873                        if (rc)
 874                                goto out;
 875                }
 876
 877                sbsec->def_sid = defcontext_sid;
 878        }
 879
 880out_set_opts:
 881        rc = sb_finish_set_opts(sb);
 882out:
 883        mutex_unlock(&sbsec->lock);
 884        return rc;
 885out_double_mount:
 886        rc = -EINVAL;
 887        pr_warn("SELinux: mount invalid.  Same superblock, different "
 888               "security settings for (dev %s, type %s)\n", sb->s_id,
 889               sb->s_type->name);
 890        goto out;
 891}
 892
/*
 * Compare the SELinux mount options recorded on two superblocks.
 *
 * Used when a filesystem hands back an already-initialized superblock for a
 * new mount: the new mount must carry exactly the same labeling options as
 * the existing one, otherwise the second mount could change labels that are
 * already in effect for the first.  Only the options that were actually
 * selected (SE_MNTMASK bits) have their values compared.
 *
 * Returns 0 when the settings agree, -EBUSY (after a warning) otherwise.
 */
static int selinux_cmp_sb_context(const struct super_block *oldsb,
				    const struct super_block *newsb)
{
	const struct superblock_security_struct *old = selinux_superblock(oldsb);
	const struct superblock_security_struct *new = selinux_superblock(newsb);
	char oldflags = old->flags & SE_MNTMASK;
	char newflags = new->flags & SE_MNTMASK;
	bool same;

	/* The set of options given must match before any value is compared. */
	same = (oldflags == newflags);
	if (same && (oldflags & FSCONTEXT_MNT))
		same = (old->sid == new->sid);
	if (same && (oldflags & CONTEXT_MNT))
		same = (old->mntpoint_sid == new->mntpoint_sid);
	if (same && (oldflags & DEFCONTEXT_MNT))
		same = (old->def_sid == new->def_sid);
	if (same && (oldflags & ROOTCONTEXT_MNT)) {
		const struct inode_security_struct *oldroot =
			backing_inode_security(oldsb->s_root);
		const struct inode_security_struct *newroot =
			backing_inode_security(newsb->s_root);

		same = (oldroot->sid == newroot->sid);
	}
	if (same)
		return 0;

	pr_warn("SELinux: mount invalid.  Same superblock, "
			    "different security settings for (dev %s, "
			    "type %s)\n", newsb->s_id, newsb->s_type->name);
	return -EBUSY;
}
 922
/*
 * Copy the SELinux mount options of @oldsb onto @newsb.
 *
 * @oldsb:          superblock whose labeling options are the source
 * @newsb:          superblock being set up from it
 * @kern_flags:     SECURITY_LSM_* requests from the filesystem (only
 *                  SECURITY_LSM_NATIVE_LABELS is looked at here)
 * @set_kern_flags: where the flags actually honoured are reported back
 *
 * Callers are outside this view; the pattern is a filesystem creating a
 * new superblock that must inherit the labeling of an existing one.
 *
 * NOTE(review): no may_context_mount_*_relabel() permission check is
 * repeated here -- the option values are copied verbatim from @oldsb, which
 * presumably passed those checks when it was mounted.  Any path that lets a
 * caller clone from a superblock it could not have mounted itself would
 * therefore bypass them.
 *
 * Returns 0 on success, -EINVAL when internal flags are requested without a
 * place to report them, -EBUSY when @newsb was already initialized with
 * different settings, or the error from security_fs_use().
 */
static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
					struct super_block *newsb,
					unsigned long kern_flags,
					unsigned long *set_kern_flags)
{
	int rc = 0;
	const struct superblock_security_struct *oldsbsec =
						selinux_superblock(oldsb);
	struct superblock_security_struct *newsbsec = selinux_superblock(newsb);

	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);

	/*
	 * if the parent was able to be mounted it clearly had no special lsm
	 * mount options.  thus we can safely deal with this superblock later
	 */
	if (!selinux_initialized(&selinux_state))
		return 0;

	/*
	 * Specifying internal flags without providing a place to
	 * place the results is not allowed.
	 */
	if (kern_flags && !set_kern_flags)
		return -EINVAL;

	/* how can we clone if the old one wasn't set up?? */
	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));

	/*
	 * if fs is reusing a sb, make sure that the contexts match.  Nothing
	 * is copied in that case: the existing settings stay authoritative and
	 * a mismatch is refused with -EBUSY.
	 */
	if (newsbsec->flags & SE_SBINITIALIZED) {
		if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
			*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
		return selinux_cmp_sb_context(oldsb, newsb);
	}

	mutex_lock(&newsbsec->lock);

	/* Start from an exact copy of the source superblock's settings. */
	newsbsec->flags = oldsbsec->flags;

	newsbsec->sid = oldsbsec->sid;
	newsbsec->def_sid = oldsbsec->def_sid;
	newsbsec->behavior = oldsbsec->behavior;

	/*
	 * The source used native (filesystem-provided) labels but this
	 * filesystem did not ask for them and no context= override applies,
	 * so re-derive the labeling behavior for @newsb from the fs_use policy.
	 */
	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
		rc = security_fs_use(&selinux_state, newsb);
		if (rc)
			goto out;
	}

	/* Native labels are honoured only when no context= option is in force. */
	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
	}

	/*
	 * context= labels everything under the mount with mntpoint_sid; it
	 * also supplies the superblock and root inode labels unless
	 * fscontext= / rootcontext= were given explicitly.
	 */
	if (set_context) {
		u32 sid = oldsbsec->mntpoint_sid;

		if (!set_fscontext)
			newsbsec->sid = sid;
		if (!set_rootcontext) {
			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
			newisec->sid = sid;
		}
		newsbsec->mntpoint_sid = sid;
	}
	if (set_rootcontext) {
		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);

		newisec->sid = oldisec->sid;
	}

	/* NOTE(review): the return value of sb_finish_set_opts() is discarded here. */
	sb_finish_set_opts(newsb);
out:
	mutex_unlock(&newsbsec->lock);
	return rc;
}
1004
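/*
 * Record one parsed SELinux mount option in the per-mount option set.
 *
 * @token:    one of the Opt_* tokens produced by the option parser
 * @s:        the option's value; ownership passes to *mnt_opts on success
 *            (on failure the caller still owns it and must free it)
 * @mnt_opts: in/out pointer to the struct selinux_mnt_opts being built; it is
 *            allocated here on first use and freed by the caller on error
 *
 * Returns 0 on success, -EINVAL when the value is missing or the option
 * conflicts with one already recorded, -ENOMEM if the option set cannot be
 * allocated.
 */
static int selinux_add_opt(int token, const char *s, void **mnt_opts)
{
	struct selinux_mnt_opts *opts = *mnt_opts;

	if (token == Opt_seclabel)	/* eaten and completely ignored */
		return 0;

	/*
	 * A missing value is bad input, not an allocation failure: report
	 * -EINVAL rather than -ENOMEM, and do so before allocating an option
	 * set that would otherwise be handed back empty.
	 */
	if (!s)
		return -EINVAL;

	if (!opts) {
		opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
		if (!opts)
			return -ENOMEM;
		*mnt_opts = opts;
	}

	/*
	 * Each option may be given at most once.  context= and defcontext=
	 * are also mutually exclusive: context= switches the mount to
	 * mountpoint labeling, which leaves nothing for a default context to
	 * apply to (see the defcontext handling in selinux_set_mnt_opts()).
	 */
	switch (token) {
	case Opt_context:
		if (opts->context || opts->defcontext)
			goto Einval;
		opts->context = s;
		break;
	case Opt_fscontext:
		if (opts->fscontext)
			goto Einval;
		opts->fscontext = s;
		break;
	case Opt_rootcontext:
		if (opts->rootcontext)
			goto Einval;
		opts->rootcontext = s;
		break;
	case Opt_defcontext:
		if (opts->context || opts->defcontext)
			goto Einval;
		opts->defcontext = s;
		break;
	}
	return 0;
Einval:
	pr_warn(SEL_MOUNT_FAIL_MSG);
	return -EINVAL;
}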
1047
/*
 * Add a "name=value" mount option (already split by the caller) to the
 * SELinux option set in *mnt_opts.
 *
 * @option:   option name, matched against the tokens[] table
 * @val:      option value, @len bytes, not necessarily NUL-terminated
 * @len:      length of @val
 * @mnt_opts: in/out option set, allocated by selinux_add_opt() on first use
 *
 * Returns 0 on success, -EINVAL for an unknown name or a rejected value,
 * -ENOMEM on allocation failure.  On any failure the whole option set
 * collected so far is freed and *mnt_opts reset to NULL.
 */
static int selinux_add_mnt_opt(const char *option, const char *val, int len,
			       void **mnt_opts)
{
	int token = Opt_error;
	int rc;
	size_t i;

	/* Translate the option name into its token; unknown names are refused. */
	for (i = 0; i < ARRAY_SIZE(tokens); i++) {
		if (!strcmp(option, tokens[i].name)) {
			token = tokens[i].opt;
			break;
		}
	}
	if (token == Opt_error)
		return -EINVAL;

	/*
	 * Every option other than seclabel carries a value the option set
	 * takes ownership of, so copy it into its own NUL-terminated buffer.
	 */
	if (token != Opt_seclabel) {
		val = kmemdup_nul(val, len, GFP_KERNEL);
		if (!val) {
			rc = -ENOMEM;
			goto fail;
		}
	}

	rc = selinux_add_opt(token, val, mnt_opts);
	if (likely(!rc))
		return 0;

	/* The option set did not take our copy; release it ourselves. */
	kfree(val);
fail:
	/* Options collected earlier are discarded together with this one. */
	if (*mnt_opts) {
		selinux_free_mnt_opts(*mnt_opts);
		*mnt_opts = NULL;
	}
	return rc;
}
1085
/*
 * Append "=<context>" for @sid to the mount-option output in @m.
 *
 * Mount options are comma separated, so a context that itself contains a
 * comma is wrapped in double quotes; '"', newline and backslash inside the
 * context are escaped in all cases so the line stays parseable.
 *
 * Returns 0 on success or the error from security_sid_to_context(), in
 * which case nothing is written.
 */
static int show_sid(struct seq_file *m, u32 sid)
{
	char *context = NULL;
	u32 len;
	int rc;

	rc = security_sid_to_context(&selinux_state, sid, &context, &len);
	if (rc)
		goto out;

	seq_putc(m, '=');
	if (context && strchr(context, ',')) {
		seq_putc(m, '\"');
		seq_escape(m, context, "\"\n\\");
		seq_putc(m, '\"');
	} else {
		seq_escape(m, context, "\"\n\\");
	}
out:
	kfree(context);
	return rc;
}
1107
/* Emit ",<name>=<context>" for one labeled superblock SID. */
static int show_sb_option(struct seq_file *m, const char *name, u32 sid)
{
	seq_putc(m, ',');
	seq_puts(m, name);
	return show_sid(m, sid);
}

/*
 * Show the SELinux mount options in effect for @sb (e.g. in /proc/mounts).
 *
 * Only the options that were explicitly given at mount time (the *_MNT
 * flags) are printed, each with the context currently stored for it, plus
 * a bare "seclabel" when the filesystem supports per-file labels.  Nothing
 * is printed before the superblock is initialized or before policy load.
 *
 * Returns 0, or the first error from show_sid(); later options are then
 * not printed.
 */
static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
{
	const struct superblock_security_struct *sbsec = selinux_superblock(sb);
	int rc = 0;

	if (!(sbsec->flags & SE_SBINITIALIZED) ||
	    !selinux_initialized(&selinux_state))
		return 0;

	if (sbsec->flags & FSCONTEXT_MNT)
		rc = show_sb_option(m, FSCONTEXT_STR, sbsec->sid);
	if (!rc && (sbsec->flags & CONTEXT_MNT))
		rc = show_sb_option(m, CONTEXT_STR, sbsec->mntpoint_sid);
	if (!rc && (sbsec->flags & DEFCONTEXT_MNT))
		rc = show_sb_option(m, DEFCONTEXT_STR, sbsec->def_sid);
	if (!rc && (sbsec->flags & ROOTCONTEXT_MNT)) {
		const struct inode_security_struct *isec =
			backing_inode_security(sb->s_root);

		rc = show_sb_option(m, ROOTCONTEXT_STR, isec->sid);
	}
	if (!rc && (sbsec->flags & SBLABEL_MNT)) {
		seq_putc(m, ',');
		seq_puts(m, SECLABEL_STR);
	}
	return rc;
}
1155
/*
 * Map an inode's file type (the S_IFMT bits of @mode) to the SELinux
 * object class used for access checks on it.  Any type not listed, including
 * a zero mode, is treated as a regular file.
 */
static inline u16 inode_mode_to_security_class(umode_t mode)
{
	if (S_ISSOCK(mode))
		return SECCLASS_SOCK_FILE;
	if (S_ISLNK(mode))
		return SECCLASS_LNK_FILE;
	if (S_ISREG(mode))
		return SECCLASS_FILE;
	if (S_ISBLK(mode))
		return SECCLASS_BLK_FILE;
	if (S_ISDIR(mode))
		return SECCLASS_DIR;
	if (S_ISCHR(mode))
		return SECCLASS_CHR_FILE;
	if (S_ISFIFO(mode))
		return SECCLASS_FIFO_FILE;

	return SECCLASS_FILE;
}
1178
/*
 * True when a SOCK_STREAM/SOCK_SEQPACKET IP socket with this protocol
 * should be classified as a TCP socket (IPPROTO_IP meaning "the default").
 */
static inline int default_protocol_stream(int protocol)
{
	switch (protocol) {
	case IPPROTO_IP:
	case IPPROTO_TCP:
	case IPPROTO_MPTCP:
		return 1;
	default:
		return 0;
	}
}
1184
/*
 * True when a SOCK_DGRAM IP socket with this protocol should be classified
 * as a UDP socket (IPPROTO_IP meaning "the default").
 */
static inline int default_protocol_dgram(int protocol)
{
	switch (protocol) {
	case IPPROTO_IP:
	case IPPROTO_UDP:
		return 1;
	default:
		return 0;
	}
}
1189
/*
 * Map a socket's (family, type, protocol) triple to the SELinux object class
 * used for its access checks.
 *
 * The finer-grained classes (SCTP and ICMP sockets, and every per-family
 * class in the second switch) are only returned when the loaded policy has
 * the extended socket class capability (selinux_policycap_extsockclass());
 * otherwise those sockets fall back to the coarser classes -- RAWIP for IP
 * sockets, the generic SOCKET class for other families -- so that policies
 * written before those classes existed keep working.  The PF_MAX check at
 * the bottom turns a newly added kernel address family into a build error,
 * so this table cannot silently drift out of date.
 */
static inline u16 socket_type_to_security_class(int family, int type, int protocol)
{
	int extsockclass = selinux_policycap_extsockclass();

	switch (family) {
	case PF_UNIX:
		/* Unix sockets only distinguish stream-like from datagram-like. */
		switch (type) {
		case SOCK_STREAM:
		case SOCK_SEQPACKET:
			return SECCLASS_UNIX_STREAM_SOCKET;
		case SOCK_DGRAM:
		case SOCK_RAW:
			return SECCLASS_UNIX_DGRAM_SOCKET;
		}
		break;
	case PF_INET:
	case PF_INET6:
		/* IPv4 and IPv6 share classes; the protocol picks the class. */
		switch (type) {
		case SOCK_STREAM:
		case SOCK_SEQPACKET:
			if (default_protocol_stream(protocol))
				return SECCLASS_TCP_SOCKET;
			else if (extsockclass && protocol == IPPROTO_SCTP)
				return SECCLASS_SCTP_SOCKET;
			else
				return SECCLASS_RAWIP_SOCKET;
		case SOCK_DGRAM:
			if (default_protocol_dgram(protocol))
				return SECCLASS_UDP_SOCKET;
			else if (extsockclass && (protocol == IPPROTO_ICMP ||
						  protocol == IPPROTO_ICMPV6))
				return SECCLASS_ICMP_SOCKET;
			else
				return SECCLASS_RAWIP_SOCKET;
		case SOCK_DCCP:
			return SECCLASS_DCCP_SOCKET;
		default:
			/* SOCK_RAW and anything else: raw IP. */
			return SECCLASS_RAWIP_SOCKET;
		}
		break;
	case PF_NETLINK:
		/* Netlink is split per protocol family (the "protocol" arg). */
		switch (protocol) {
		case NETLINK_ROUTE:
			return SECCLASS_NETLINK_ROUTE_SOCKET;
		case NETLINK_SOCK_DIAG:
			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
		case NETLINK_NFLOG:
			return SECCLASS_NETLINK_NFLOG_SOCKET;
		case NETLINK_XFRM:
			return SECCLASS_NETLINK_XFRM_SOCKET;
		case NETLINK_SELINUX:
			return SECCLASS_NETLINK_SELINUX_SOCKET;
		case NETLINK_ISCSI:
			return SECCLASS_NETLINK_ISCSI_SOCKET;
		case NETLINK_AUDIT:
			return SECCLASS_NETLINK_AUDIT_SOCKET;
		case NETLINK_FIB_LOOKUP:
			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
		case NETLINK_CONNECTOR:
			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
		case NETLINK_NETFILTER:
			return SECCLASS_NETLINK_NETFILTER_SOCKET;
		case NETLINK_DNRTMSG:
			return SECCLASS_NETLINK_DNRT_SOCKET;
		case NETLINK_KOBJECT_UEVENT:
			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
		case NETLINK_GENERIC:
			return SECCLASS_NETLINK_GENERIC_SOCKET;
		case NETLINK_SCSITRANSPORT:
			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
		case NETLINK_RDMA:
			return SECCLASS_NETLINK_RDMA_SOCKET;
		case NETLINK_CRYPTO:
			return SECCLASS_NETLINK_CRYPTO_SOCKET;
		default:
			/* Netlink protocols without a dedicated class. */
			return SECCLASS_NETLINK_SOCKET;
		}
	case PF_PACKET:
		return SECCLASS_PACKET_SOCKET;
	case PF_KEY:
		return SECCLASS_KEY_SOCKET;
	case PF_APPLETALK:
		return SECCLASS_APPLETALK_SOCKET;
	}

	/* Per-family classes that exist only under the extended class policy. */
	if (extsockclass) {
		switch (family) {
		case PF_AX25:
			return SECCLASS_AX25_SOCKET;
		case PF_IPX:
			return SECCLASS_IPX_SOCKET;
		case PF_NETROM:
			return SECCLASS_NETROM_SOCKET;
		case PF_ATMPVC:
			return SECCLASS_ATMPVC_SOCKET;
		case PF_X25:
			return SECCLASS_X25_SOCKET;
		case PF_ROSE:
			return SECCLASS_ROSE_SOCKET;
		case PF_DECnet:
			return SECCLASS_DECNET_SOCKET;
		case PF_ATMSVC:
			return SECCLASS_ATMSVC_SOCKET;
		case PF_RDS:
			return SECCLASS_RDS_SOCKET;
		case PF_IRDA:
			return SECCLASS_IRDA_SOCKET;
		case PF_PPPOX:
			return SECCLASS_PPPOX_SOCKET;
		case PF_LLC:
			return SECCLASS_LLC_SOCKET;
		case PF_CAN:
			return SECCLASS_CAN_SOCKET;
		case PF_TIPC:
			return SECCLASS_TIPC_SOCKET;
		case PF_BLUETOOTH:
			return SECCLASS_BLUETOOTH_SOCKET;
		case PF_IUCV:
			return SECCLASS_IUCV_SOCKET;
		case PF_RXRPC:
			return SECCLASS_RXRPC_SOCKET;
		case PF_ISDN:
			return SECCLASS_ISDN_SOCKET;
		case PF_PHONET:
			return SECCLASS_PHONET_SOCKET;
		case PF_IEEE802154:
			return SECCLASS_IEEE802154_SOCKET;
		case PF_CAIF:
			return SECCLASS_CAIF_SOCKET;
		case PF_ALG:
			return SECCLASS_ALG_SOCKET;
		case PF_NFC:
			return SECCLASS_NFC_SOCKET;
		case PF_VSOCK:
			return SECCLASS_VSOCK_SOCKET;
		case PF_KCM:
			return SECCLASS_KCM_SOCKET;
		case PF_QIPCRTR:
			return SECCLASS_QIPCRTR_SOCKET;
		case PF_SMC:
			return SECCLASS_SMC_SOCKET;
		case PF_XDP:
			return SECCLASS_XDP_SOCKET;
#if PF_MAX > 45
#error New address family defined, please update this function.
#endif
		}
	}

	/* Unknown family, or a known one under a policy without the capability. */
	return SECCLASS_SOCKET;
}
1341
/*
 * Label an inode on a genfscon-labeled filesystem from its path.
 *
 * @dentry: dentry of the inode; its path within the filesystem is matched
 *          against the policy's genfscon rules for the filesystem type
 * @tclass: object class of the inode (selects rules by class)
 * @flags:  superblock security flags; SE_SBPROC enables /proc/PID stripping
 * @sid:    receives the resulting SID
 *
 * An inode no genfscon rule matches is labeled SECINITSID_UNLABELED rather
 * than reported as an error.  Returns 0 on success, -ENOMEM if the scratch
 * page cannot be allocated, or the error from dentry_path_raw() /
 * security_genfs_sid().
 */
static int selinux_genfs_get_sid(struct dentry *dentry,
				 u16 tclass,
				 u16 flags,
				 u32 *sid)
{
	struct super_block *sb = dentry->d_sb;
	char *page, *path;
	int rc;

	page = (char *)__get_free_page(GFP_KERNEL);
	if (!page)
		return -ENOMEM;

	path = dentry_path_raw(dentry, page, PAGE_SIZE);
	if (IS_ERR(path)) {
		rc = PTR_ERR(path);
		goto out;
	}

	if (flags & SE_SBPROC) {
		/*
		 * Every process has its own /proc/PID/ subtree; drop the PID
		 * component so a single genfscon rule covers all of them,
		 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs.  Only a leading
		 * all-digit component is removed.  The pointer is advanced
		 * inside the page, which is still released via 'page' below.
		 */
		while (path[1] >= '0' && path[1] <= '9') {
			path[1] = '/';
			path++;
		}
	}

	rc = security_genfs_sid(&selinux_state, sb->s_type->name, path,
				tclass, sid);
	if (rc == -ENOENT) {
		/* No match in policy, mark as unlabeled. */
		*sid = SECINITSID_UNLABELED;
		rc = 0;
	}
out:
	free_page((unsigned long)page);
	return rc;
}
1379
/*
 * Derive an inode's SID from its security.selinux xattr.
 *
 * @inode:   inode being labeled
 * @dentry:  a dentry for it (the xattr API needs one)
 * @def_sid: label to use when the xattr is absent or its context is not
 *           valid under the loaded policy
 * @sid:     receives the resulting SID
 *
 * Only a failure to read the xattr (other than its absence) is reported as
 * an error.  A present but unparseable context is logged and handled by
 * security_context_to_sid_default(), which is handed @def_sid to fall back
 * on, so the inode always ends up labeled.
 *
 * Returns 0, -ENOMEM, or the getxattr error.
 */
static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
				  u32 def_sid, u32 *sid)
{
#define INITCONTEXTLEN 255
	char *ctx;
	unsigned int cap = INITCONTEXTLEN;
	int rc;

	/* First try with a buffer that fits the common case. */
	ctx = kmalloc(cap + 1, GFP_NOFS);
	if (!ctx)
		return -ENOMEM;
	ctx[cap] = '\0';
	rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, ctx, cap);

	if (rc == -ERANGE) {
		/* Too small: ask for the exact size and retry once. */
		kfree(ctx);
		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
		if (rc < 0)
			return rc;

		cap = rc;
		ctx = kmalloc(cap + 1, GFP_NOFS);
		if (!ctx)
			return -ENOMEM;
		ctx[cap] = '\0';
		rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, ctx, cap);
	}

	if (rc < 0) {
		if (rc == -ENODATA) {
			/* No xattr: the filesystem's default label applies. */
			*sid = def_sid;
			rc = 0;
		} else {
			pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
				__func__, -rc, inode->i_sb->s_id, inode->i_ino);
		}
		goto out;
	}

	/* rc is the value length here. */
	rc = security_context_to_sid_default(&selinux_state, ctx, rc, sid,
					     def_sid, GFP_NOFS);
	if (rc) {
		const char *dev = inode->i_sb->s_id;
		unsigned long ino = inode->i_ino;

		if (rc == -EINVAL)
			pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
					      ino, dev, ctx);
		else
			pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
				__func__, ctx, -rc, dev, ino);
		/* Not fatal: the inode keeps the fallback label. */
		rc = 0;
	}
out:
	kfree(ctx);
	return rc;
}
1440
/*
 * Initialize the SELinux label of @inode; must happen before first use.
 *
 * @inode:      inode whose inode_security_struct is to be filled in
 * @opt_dentry: a dentry for the inode when the caller has one (the
 *              d_instantiate / d_splice_alias paths); NULL when called from
 *              selinux_complete_init(), in which case an alias is looked up
 *
 * The label source is chosen by the superblock's labeling behavior
 * (sbsec->behavior): the inode's xattr, the creating task's SID, a type
 * transition from the task to the superblock label, the mountpoint label,
 * or a genfscon path match (optionally refined by an xattr).
 *
 * isec->lock guards the state machine LABEL_INVALID -> LABEL_PENDING ->
 * LABEL_INITIALIZED.  The lock is released while the possibly sleeping
 * xattr / policy lookups run; the result is stored only if the entry is
 * still LABEL_PENDING afterwards, presumably so that a label set through
 * another path in the meantime is not clobbered.
 *
 * Returns 0 on success or when the label has to be deferred (no dentry
 * available, or policy not yet loaded), otherwise the lookup error; in the
 * error case the inode is left LABEL_INVALID so the next lookup retries.
 */
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
{
	struct superblock_security_struct *sbsec = NULL;
	struct inode_security_struct *isec = selinux_inode(inode);
	u32 task_sid, sid = 0;
	u16 sclass;
	struct dentry *dentry;
	int rc = 0;

	/* Unlocked fast path; re-checked under the lock below. */
	if (isec->initialized == LABEL_INITIALIZED)
		return 0;

	spin_lock(&isec->lock);
	if (isec->initialized == LABEL_INITIALIZED)
		goto out_unlock;

	/* SECCLASS_FILE is the pre-set placeholder; refine it from i_mode. */
	if (isec->sclass == SECCLASS_FILE)
		isec->sclass = inode_mode_to_security_class(inode->i_mode);

	sbsec = selinux_superblock(inode->i_sb);
	if (!(sbsec->flags & SE_SBINITIALIZED)) {
		/* Defer initialization until selinux_complete_init,
		   after the initial policy is loaded and the security
		   server is ready to handle calls. */
		spin_lock(&sbsec->isec_lock);
		if (list_empty(&isec->list))
			list_add(&isec->list, &sbsec->isec_head);
		spin_unlock(&sbsec->isec_lock);
		goto out_unlock;
	}

	/*
	 * Snapshot what the lookups need, mark the label as being computed
	 * and drop the spinlock: the lookups below may sleep.
	 */
	sclass = isec->sclass;
	task_sid = isec->task_sid;
	sid = isec->sid;
	isec->initialized = LABEL_PENDING;
	spin_unlock(&isec->lock);

	switch (sbsec->behavior) {
	case SECURITY_FS_USE_NATIVE:
		/* The filesystem supplies the label itself; keep isec->sid. */
		break;
	case SECURITY_FS_USE_XATTR:
		/* Inodes that cannot carry xattrs get the filesystem default. */
		if (!(inode->i_opflags & IOP_XATTR)) {
			sid = sbsec->def_sid;
			break;
		}
		/* Need a dentry, since the xattr API requires one.
		   Life would be simpler if we could just pass the inode. */
		if (opt_dentry) {
			/* Called from d_instantiate or d_splice_alias. */
			dentry = dget(opt_dentry);
		} else {
			/*
			 * Called from selinux_complete_init, try to find a dentry.
			 * Some filesystems really want a connected one, so try
			 * that first.  We could split SECURITY_FS_USE_XATTR in
			 * two, depending upon that...
			 */
			dentry = d_find_alias(inode);
			if (!dentry)
				dentry = d_find_any_alias(inode);
		}
		if (!dentry) {
			/*
			 * This can be hit on boot when a file is accessed
			 * before the policy is loaded.  When we load policy we
			 * may find inodes that have no dentry on the
			 * sbsec->isec_head list.  No reason to complain as these
			 * will get fixed up the next time we go through
			 * inode_doinit with a dentry, before these inodes could
			 * be used again by userspace.
			 */
			goto out_invalid;
		}

		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
					    &sid);
		dput(dentry);
		if (rc)
			goto out;
		break;
	case SECURITY_FS_USE_TASK:
		/* Label with the SID of the task that created the inode. */
		sid = task_sid;
		break;
	case SECURITY_FS_USE_TRANS:
		/* Default to the fs SID. */
		sid = sbsec->sid;

		/* Try to obtain a transition SID. */
		rc = security_transition_sid(&selinux_state, task_sid, sid,
					     sclass, NULL, &sid);
		if (rc)
			goto out;
		break;
	case SECURITY_FS_USE_MNTPOINT:
		/* Everything under the mount shares the context= label. */
		sid = sbsec->mntpoint_sid;
		break;
	default:
		/* Default to the fs superblock SID. */
		sid = sbsec->sid;

		/*
		 * genfscon labeling is path based; symlinks are only included
		 * when the policy opts in via genfs_seclabel_symlinks.
		 */
		if ((sbsec->flags & SE_SBGENFS) &&
		     (!S_ISLNK(inode->i_mode) ||
		      selinux_policycap_genfs_seclabel_symlinks())) {
			/* We must have a dentry to determine the label on
			 * procfs inodes */
			if (opt_dentry) {
				/* Called from d_instantiate or
				 * d_splice_alias. */
				dentry = dget(opt_dentry);
			} else {
				/* Called from selinux_complete_init, try to
				 * find a dentry.  Some filesystems really want
				 * a connected one, so try that first.
				 */
				dentry = d_find_alias(inode);
				if (!dentry)
					dentry = d_find_any_alias(inode);
			}
			/*
			 * This can be hit on boot when a file is accessed
			 * before the policy is loaded.  When we load policy we
			 * may find inodes that have no dentry on the
			 * sbsec->isec_head list.  No reason to complain as
			 * these will get fixed up the next time we go through
			 * inode_doinit() with a dentry, before these inodes
			 * could be used again by userspace.
			 */
			if (!dentry)
				goto out_invalid;
			rc = selinux_genfs_get_sid(dentry, sclass,
						   sbsec->flags, &sid);
			if (rc) {
				dput(dentry);
				goto out;
			}

			/*
			 * On filesystems flagged SE_SBGENFS_XATTR an xattr,
			 * if present, overrides the path-derived label; the
			 * genfs SID is passed as the fallback.
			 */
			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
			    (inode->i_opflags & IOP_XATTR)) {
				rc = inode_doinit_use_xattr(inode, dentry,
							    sid, &sid);
				if (rc) {
					dput(dentry);
					goto out;
				}
			}
			dput(dentry);
		}
		break;
	}

out:
	/* Commit the result only if nobody else finished the label meanwhile. */
	spin_lock(&isec->lock);
	if (isec->initialized == LABEL_PENDING) {
		if (rc) {
			isec->initialized = LABEL_INVALID;
			goto out_unlock;
		}
		isec->initialized = LABEL_INITIALIZED;
		isec->sid = sid;
	}

out_unlock:
	spin_unlock(&isec->lock);
	return rc;

out_invalid:
	/*
	 * No dentry was available: keep the label invalid (so the next
	 * lookup retries) but not an error for the caller.  'sid' here is
	 * still the value read from isec above.
	 */
	spin_lock(&isec->lock);
	if (isec->initialized == LABEL_PENDING) {
		isec->initialized = LABEL_INVALID;
		isec->sid = sid;
	}
	spin_unlock(&isec->lock);
	return 0;
}
1616
/*
 * signal_to_av - map a Linux signal number to the process permission
 * that governs sending it.
 *
 * SIGCHLD, SIGKILL and SIGSTOP each have a dedicated permission; every
 * other signal is covered by the generic process:signal permission.
 */
static inline u32 signal_to_av(int sig)
{
        if (sig == SIGCHLD)
                return PROCESS__SIGCHLD;        /* commonly granted child -> parent */
        if (sig == SIGKILL)
                return PROCESS__SIGKILL;        /* cannot be caught or ignored */
        if (sig == SIGSTOP)
                return PROCESS__SIGSTOP;        /* cannot be caught or ignored */

        return PROCESS__SIGNAL;                 /* all other signals */
}
1643
/*
 * cred_has_capability() below only knows how to map capability index 0
 * and 1 (i.e. capability numbers 0..63) onto the capability/capability2
 * (or cap_userns/cap2_userns) classes; refuse to build if the kernel
 * defines more capabilities than that.
 */
#if CAP_LAST_CAP > 63
#error Fix SELinux to handle capabilities > 63.
#endif
1647
/*
 * cred_has_capability - check whether the task holding @cred may use
 * capability @cap.
 * @cred:   credentials to check; both the subject and target SID of the
 *          AVC query are taken from it
 * @cap:    capability number
 * @opts:   CAP_OPT_* flags; CAP_OPT_NOAUDIT suppresses the audit record
 * @initns: true when checking against the initial user namespace, which
 *          selects the capability/capability2 classes rather than the
 *          cap_userns/cap2_userns ones
 *
 * Returns 0 when permitted, otherwise a negative error from the AVC; an
 * error from the audit path, when auditing is enabled, takes precedence.
 */
static int cred_has_capability(const struct cred *cred,
                               int cap, unsigned int opts, bool initns)
{
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_CAP,
                .u.cap = cap,
        };
        struct av_decision avd;
        u16 sclass;
        u32 sid = cred_sid(cred);
        u32 av = CAP_TO_MASK(cap);
        int rc, audit_rc;

        /* Pick the class for this 32-bit capability word. */
        if (CAP_TO_INDEX(cap) == 0) {
                sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
        } else if (CAP_TO_INDEX(cap) == 1) {
                sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
        } else {
                pr_err("SELinux:  out of range capability %d\n", cap);
                BUG();
                return -EINVAL;
        }

        rc = avc_has_perm_noaudit(&selinux_state,
                                  sid, sid, sclass, av, 0, &avd);
        if (opts & CAP_OPT_NOAUDIT)
                return rc;

        audit_rc = avc_audit(&selinux_state,
                             sid, sid, sclass, av, &avd, rc, &ad, 0);
        return audit_rc ? audit_rc : rc;
}
1685
/*
 * inode_has_perm - check permissions @perms on @inode for the task
 * holding @cred.
 * @adp: optional audit data (e.g. the dentry or path) attached to a
 *       denial record; may be NULL.
 *
 * Private (IS_PRIVATE) inodes are exempt and always return 0.
 */
static int inode_has_perm(const struct cred *cred,
                          struct inode *inode,
                          u32 perms,
                          struct common_audit_data *adp)
{
        const struct inode_security_struct *isec;

        validate_creds(cred);

        if (unlikely(IS_PRIVATE(inode)))
                return 0;

        isec = selinux_inode(inode);
        return avc_has_perm(&selinux_state, cred_sid(cred),
                            isec->sid, isec->sclass, perms, adp);
}
1708
/*
 * dentry_has_perm - inode_has_perm() with dentry-based audit data, so a
 * denial record can carry a pathname.  The inode's label is revalidated
 * before the check.
 */
static inline int dentry_has_perm(const struct cred *cred,
                                  struct dentry *dentry,
                                  u32 av)
{
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_DENTRY,
                .u.dentry = dentry,
        };
        struct inode *inode = d_backing_inode(dentry);

        __inode_security_revalidate(inode, dentry, true);
        return inode_has_perm(cred, inode, av, &ad);
}
1724
/*
 * path_has_perm - inode_has_perm() with path-based audit data, so a
 * denial record can carry a pathname.  The inode's label is revalidated
 * before the check.
 */
static inline int path_has_perm(const struct cred *cred,
                                const struct path *path,
                                u32 av)
{
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_PATH,
                .u.path = *path,
        };
        struct inode *inode = d_backing_inode(path->dentry);

        __inode_security_revalidate(inode, path->dentry, true);
        return inode_has_perm(cred, inode, av, &ad);
}
1740
/*
 * file_path_has_perm - inode_has_perm() on @file's inode with file-based
 * audit data.  Unlike dentry_has_perm()/path_has_perm() this does not
 * revalidate the inode's label first.
 */
static inline int file_path_has_perm(const struct cred *cred,
                                     struct file *file,
                                     u32 av)
{
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_FILE,
                .u.file = file,
        };

        return inode_has_perm(cred, file_inode(file), av, &ad);
}
1752
#ifdef CONFIG_BPF_SYSCALL
/*
 * Forward declaration: file_has_perm() and selinux_binder_transfer_file()
 * call this before its definition, which lives further down in this file.
 */
static int bpf_fd_pass(struct file *file, u32 sid);
#endif
1756
/*
 * file_has_perm - check that the task holding @cred may use the open
 * file @file to access its inode with permissions @av.
 *
 * The descriptor itself is checked first (fd:use), which is implicitly
 * granted when the descriptor carries the same SID as the task; then,
 * with CONFIG_BPF_SYSCALL, bpf_fd_pass() vets BPF objects.  The inode
 * check is done via inode_has_perm() with file-based audit data.  A
 * zero @av checks only the descriptor, e.g. for seek, where the file
 * contents are not touched.
 */
static int file_has_perm(const struct cred *cred,
                         struct file *file,
                         u32 av)
{
        const struct file_security_struct *fsec = selinux_file(file);
        u32 sid = cred_sid(cred);
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_FILE,
                .u.file = file,
        };
        int rc;

        if (sid != fsec->sid) {
                rc = avc_has_perm(&selinux_state, sid, fsec->sid,
                                  SECCLASS_FD, FD__USE, &ad);
                if (rc)
                        return rc;
        }

#ifdef CONFIG_BPF_SYSCALL
        rc = bpf_fd_pass(file, sid);
        if (rc)
                return rc;
#endif

        /* av == 0: only access to the descriptor is being checked. */
        if (!av)
                return 0;

        return inode_has_perm(cred, file_inode(file), av, &ad);
}
1802
/*
 * selinux_determine_inode_label - compute the SID a new inode of class
 * @tclass named @name created in @dir would receive.
 * @tsec:      creating task's security blob
 * @dir:       parent directory (which might be unioned)
 * @name:      name of the new entry, handed to the transition lookup
 * @tclass:    security class of the inode being created
 * @_new_isid: output SID
 *
 * Precedence: a mountpoint-labelled superblock wins, then a create SID
 * set by the task on a labelling-capable mount, else the policy's type
 * transition rule.  Returns 0, or the error from
 * security_transition_sid() in the last case.
 */
static int
selinux_determine_inode_label(const struct task_security_struct *tsec,
                                 struct inode *dir,
                                 const struct qstr *name, u16 tclass,
                                 u32 *_new_isid)
{
        const struct superblock_security_struct *sbsec =
                                                selinux_superblock(dir->i_sb);
        const struct inode_security_struct *dsec;

        if ((sbsec->flags & SE_SBINITIALIZED) &&
            sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
                *_new_isid = sbsec->mntpoint_sid;
                return 0;
        }

        if ((sbsec->flags & SBLABEL_MNT) && tsec->create_sid) {
                *_new_isid = tsec->create_sid;
                return 0;
        }

        dsec = inode_security(dir);
        return security_transition_sid(&selinux_state, tsec->sid, dsec->sid,
                                       tclass, name, _new_isid);
}
1830
/*
 * may_create - check whether the current task may create @dentry of
 * class @tclass in directory @dir.
 *
 * Four checks, in order: add_name+search on the directory, a successful
 * label computation for the new inode, create on the new label, and
 * associate between the new label and the filesystem.  The first
 * failure is returned.
 */
static int may_create(struct inode *dir,
                      struct dentry *dentry,
                      u16 tclass)
{
        const struct task_security_struct *tsec = selinux_cred(current_cred());
        const struct inode_security_struct *dsec = inode_security(dir);
        const struct superblock_security_struct *sbsec =
                                                selinux_superblock(dir->i_sb);
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_DENTRY,
                .u.dentry = dentry,
        };
        u32 sid = tsec->sid;
        u32 newsid;
        int rc;

        rc = avc_has_perm(&selinux_state, sid, dsec->sid, SECCLASS_DIR,
                          DIR__ADD_NAME | DIR__SEARCH, &ad);
        if (rc)
                return rc;

        rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
                                           &newsid);
        if (rc)
                return rc;

        rc = avc_has_perm(&selinux_state, sid, newsid, tclass,
                          FILE__CREATE, &ad);
        if (rc)
                return rc;

        return avc_has_perm(&selinux_state, newsid, sbsec->sid,
                            SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, &ad);
}
1873
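/*
 * Values of the @kind argument to may_link().  Kept as an enum rather
 * than bare #defines so they are typed, scoped and visible to a
 * debugger; may_link() relies on MAY_LINK being the only zero value.
 */
enum {
        MAY_LINK   = 0, /* add a new name for an existing inode */
        MAY_UNLINK = 1, /* remove a name from a file */
        MAY_RMDIR  = 2, /* remove a directory */
};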
1877
/*
 * may_link - check whether the current task may link (MAY_LINK), unlink
 * (MAY_UNLINK) or rmdir (MAY_RMDIR) @dentry in directory @dir.
 *
 * The directory is checked for search plus add_name (link) or
 * remove_name (unlink/rmdir); the object is then checked for link,
 * unlink or rmdir.  An unrecognized @kind is logged and allowed.
 */
static int may_link(struct inode *dir,
                    struct dentry *dentry,
                    int kind)
{
        u32 sid = current_sid();
        const struct inode_security_struct *dsec = inode_security(dir);
        const struct inode_security_struct *isec =
                                        backing_inode_security(dentry);
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_DENTRY,
                .u.dentry = dentry,
        };
        u32 dir_av, obj_av;
        int rc;

        dir_av = DIR__SEARCH | (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
        rc = avc_has_perm(&selinux_state, sid, dsec->sid, SECCLASS_DIR,
                          dir_av, &ad);
        if (rc)
                return rc;

        if (kind == MAY_LINK) {
                obj_av = FILE__LINK;
        } else if (kind == MAY_UNLINK) {
                obj_av = FILE__UNLINK;
        } else if (kind == MAY_RMDIR) {
                obj_av = DIR__RMDIR;
        } else {
                pr_warn("SELinux: %s:  unrecognized kind %d\n",
                        __func__, kind);
                return 0;
        }

        return avc_has_perm(&selinux_state, sid, isec->sid, isec->sclass,
                            obj_av, &ad);
}
1923
/*
 * may_rename - check whether the current task may rename @old_dentry in
 * @old_dir to @new_dentry in @new_dir.
 *
 * Checks, in order: remove_name+search on the old directory, rename on
 * the object (plus reparent when a directory changes parent),
 * add_name+search on the new directory (plus remove_name when the
 * target exists), and rmdir/unlink on an existing target.  The first
 * denial is returned.
 */
static inline int may_rename(struct inode *old_dir,
                             struct dentry *old_dentry,
                             struct inode *new_dir,
                             struct dentry *new_dentry)
{
        u32 sid = current_sid();
        const struct inode_security_struct *src_dsec = inode_security(old_dir);
        const struct inode_security_struct *src_isec =
                                        backing_inode_security(old_dentry);
        bool src_is_dir = d_is_dir(old_dentry);
        const struct inode_security_struct *dst_dsec = inode_security(new_dir);
        struct common_audit_data ad = { .type = LSM_AUDIT_DATA_DENTRY };
        u32 dst_dir_av = DIR__ADD_NAME | DIR__SEARCH;
        int rc;

        /* Source side: leaving the old directory, renaming the object. */
        ad.u.dentry = old_dentry;
        rc = avc_has_perm(&selinux_state, sid, src_dsec->sid, SECCLASS_DIR,
                          DIR__REMOVE_NAME | DIR__SEARCH, &ad);
        if (rc)
                return rc;
        rc = avc_has_perm(&selinux_state, sid, src_isec->sid,
                          src_isec->sclass, FILE__RENAME, &ad);
        if (rc)
                return rc;
        if (src_is_dir && new_dir != old_dir) {
                rc = avc_has_perm(&selinux_state, sid, src_isec->sid,
                                  src_isec->sclass, DIR__REPARENT, &ad);
                if (rc)
                        return rc;
        }

        /* Destination side: entering the new directory, replacing a target. */
        ad.u.dentry = new_dentry;
        if (d_is_positive(new_dentry))
                dst_dir_av |= DIR__REMOVE_NAME;
        rc = avc_has_perm(&selinux_state, sid, dst_dsec->sid, SECCLASS_DIR,
                          dst_dir_av, &ad);
        if (rc)
                return rc;
        if (d_is_positive(new_dentry)) {
                const struct inode_security_struct *dst_isec =
                                        backing_inode_security(new_dentry);
                u32 target_av = d_is_dir(new_dentry) ? DIR__RMDIR
                                                     : FILE__UNLINK;

                return avc_has_perm(&selinux_state, sid, dst_isec->sid,
                                    dst_isec->sclass, target_av, &ad);
        }

        return 0;
}
1983
/*
 * superblock_has_perm - check filesystem-class permissions @perms on
 * @sb for the task holding @cred.  @ad is optional audit data.
 */
static int superblock_has_perm(const struct cred *cred,
                               struct super_block *sb,
                               u32 perms,
                               struct common_audit_data *ad)
{
        const struct superblock_security_struct *sbsec =
                                                selinux_superblock(sb);

        return avc_has_perm(&selinux_state, cred_sid(cred), sbsec->sid,
                            SECCLASS_FILESYSTEM, perms, ad);
}
1997
/*
 * file_mask_to_av - translate a MAY_* permission mask into a file or
 * directory access vector, depending on S_ISDIR(@mode).
 *
 * For non-directories MAY_APPEND takes precedence over MAY_WRITE, so an
 * append-only request maps to file:append rather than file:write.
 */
static inline u32 file_mask_to_av(int mode, int mask)
{
        u32 av = 0;

        if (S_ISDIR(mode)) {
                if (mask & MAY_EXEC)
                        av |= DIR__SEARCH;
                if (mask & MAY_WRITE)
                        av |= DIR__WRITE;
                if (mask & MAY_READ)
                        av |= DIR__READ;
                return av;
        }

        if (mask & MAY_EXEC)
                av |= FILE__EXECUTE;
        if (mask & MAY_READ)
                av |= FILE__READ;
        if (mask & MAY_APPEND)
                av |= FILE__APPEND;
        else if (mask & MAY_WRITE)
                av |= FILE__WRITE;

        return av;
}
2025
/*
 * file_to_av - translate an open file's mode and flags into a file
 * access vector.  A file open for neither reading nor writing (the
 * "flags 3" ioctl-only open of special files) maps to file:ioctl.
 */
static inline u32 file_to_av(struct file *file)
{
        u32 av = 0;

        if (file->f_mode & FMODE_READ)
                av |= FILE__READ;
        if (file->f_mode & FMODE_WRITE)
                av |= (file->f_flags & O_APPEND) ? FILE__APPEND : FILE__WRITE;

        return av ? av : FILE__IOCTL;
}
2048
/*
 * open_file_to_av - file_to_av() plus file:open when the openperm
 * policy capability is enabled.  Sockets (SOCKFS_MAGIC) are exempt
 * from the open permission.
 */
static inline u32 open_file_to_av(struct file *file)
{
        u32 av = file_to_av(file);
        const struct inode *inode = file_inode(file);
        bool want_open = selinux_policycap_openperm() &&
                         inode->i_sb->s_magic != SOCKFS_MAGIC;

        return want_open ? (av | FILE__OPEN) : av;
}
2064
2065/* Hook functions begin here. */
2066
/* binder hook: the caller needs binder:set_context_mgr on @mgr. */
static int selinux_binder_set_context_mgr(struct task_struct *mgr)
{
        u32 ssid = current_sid();
        u32 tsid = task_sid_binder(mgr);

        return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_BINDER,
                            BINDER__SET_CONTEXT_MGR, NULL);
}
2073
/*
 * binder hook: a transaction from @from to @to needs binder:call from
 * @from to @to; when the caller is not @from it additionally needs
 * binder:impersonate on @from.
 */
static int selinux_binder_transaction(struct task_struct *from,
                                      struct task_struct *to)
{
        u32 mysid = current_sid();
        u32 fromsid = task_sid_binder(from);
        int rc = 0;

        if (mysid != fromsid)
                rc = avc_has_perm(&selinux_state, mysid, fromsid,
                                  SECCLASS_BINDER, BINDER__IMPERSONATE, NULL);
        if (rc)
                return rc;

        return avc_has_perm(&selinux_state, fromsid, task_sid_binder(to),
                            SECCLASS_BINDER, BINDER__CALL, NULL);
}
2092
/* binder hook: passing a binder reference needs binder:transfer @from -> @to. */
static int selinux_binder_transfer_binder(struct task_struct *from,
                                          struct task_struct *to)
{
        u32 fromsid = task_sid_binder(from);
        u32 tosid = task_sid_binder(to);

        return avc_has_perm(&selinux_state, fromsid, tosid, SECCLASS_BINDER,
                            BINDER__TRANSFER, NULL);
}
2101
/*
 * binder hook: passing @file to @to.  The receiver is checked the same
 * way file_has_perm() checks a caller: fd:use on the descriptor (unless
 * it already carries the receiver's SID), bpf_fd_pass() with
 * CONFIG_BPF_SYSCALL, then the file's own access vector on its inode.
 * Private inodes are exempt from the inode check.  @from is unused.
 */
static int selinux_binder_transfer_file(struct task_struct *from,
                                        struct task_struct *to,
                                        struct file *file)
{
        u32 sid = task_sid_binder(to);
        const struct file_security_struct *fsec = selinux_file(file);
        struct dentry *dentry = file->f_path.dentry;
        const struct inode_security_struct *isec;
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_PATH,
                .u.path = file->f_path,
        };
        int rc;

        if (sid != fsec->sid) {
                rc = avc_has_perm(&selinux_state, sid, fsec->sid,
                                  SECCLASS_FD, FD__USE, &ad);
                if (rc)
                        return rc;
        }

#ifdef CONFIG_BPF_SYSCALL
        rc = bpf_fd_pass(file, sid);
        if (rc)
                return rc;
#endif

        if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
                return 0;

        isec = backing_inode_security(dentry);
        return avc_has_perm(&selinux_state, sid, isec->sid, isec->sclass,
                            file_to_av(file), &ad);
}
2140
/*
 * ptrace hook: PTRACE_MODE_READ access to @child needs file:read on the
 * child's SID; any other mode needs process:ptrace.
 */
static int selinux_ptrace_access_check(struct task_struct *child,
                                       unsigned int mode)
{
        u32 sid = current_sid();
        u32 csid = task_sid_obj(child);
        u16 tclass = SECCLASS_PROCESS;
        u32 perm = PROCESS__PTRACE;

        if (mode & PTRACE_MODE_READ) {
                tclass = SECCLASS_FILE;
                perm = FILE__READ;
        }

        return avc_has_perm(&selinux_state, sid, csid, tclass, perm, NULL);
}
2154
/* PTRACE_TRACEME hook: @parent needs process:ptrace on the current task. */
static int selinux_ptrace_traceme(struct task_struct *parent)
{
        u32 psid = task_sid_subj(parent);
        u32 csid = task_sid_obj(current);

        return avc_has_perm(&selinux_state, psid, csid, SECCLASS_PROCESS,
                            PROCESS__PTRACE, NULL);
}
2161
/*
 * capget hook: the caller needs process:getcap on @target.  The
 * capability set pointers are not examined.
 */
static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
                          kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
        u32 ssid = current_sid();
        u32 tsid = task_sid_obj(target);

        return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
                            PROCESS__GETCAP, NULL);
}
2169
/*
 * capset hook: the old credentials need process:setcap on the new
 * ones.  The capability set pointers are not examined.
 */
static int selinux_capset(struct cred *new, const struct cred *old,
                          const kernel_cap_t *effective,
                          const kernel_cap_t *inheritable,
                          const kernel_cap_t *permitted)
{
        u32 ssid = cred_sid(old);
        u32 tsid = cred_sid(new);

        return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
                            PROCESS__SETCAP, NULL);
}
2179
2180/*
2181 * (This comment used to live with the selinux_task_setuid hook,
2182 * which was removed).
2183 *
2184 * Since setuid only affects the current process, and since the SELinux
2185 * controls are not based on the Linux identity attributes, SELinux does not
2186 * need to control this operation.  However, SELinux does control the use of
2187 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2188 */
2189
/*
 * capable hook: delegate to cred_has_capability(), selecting the
 * init-namespace capability classes only when @ns is init_user_ns.
 */
static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
                           int cap, unsigned int opts)
{
        const bool initns = (ns == &init_user_ns);

        return cred_has_capability(cred, cap, opts, initns);
}
2195
/*
 * quotactl hook: state-changing commands need filesystem:quotamod on
 * @sb, read-only queries need filesystem:quotaget.  A NULL @sb or an
 * unrecognized command is allowed through for the core to handle.
 * @type and @id are not examined.
 */
static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
{
        const struct cred *cred = current_cred();

        if (!sb)
                return 0;

        switch (cmds) {
        /* Commands that change quota state or limits. */
        case Q_SYNC:
        case Q_QUOTAON:
        case Q_QUOTAOFF:
        case Q_SETINFO:
        case Q_SETQUOTA:
        case Q_XQUOTAOFF:
        case Q_XQUOTAON:
        case Q_XSETQLIM:
                return superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD,
                                           NULL);
        /* Read-only queries. */
        case Q_GETFMT:
        case Q_GETINFO:
        case Q_GETQUOTA:
        case Q_XGETQUOTA:
        case Q_XGETQSTAT:
        case Q_XGETQSTATV:
        case Q_XGETNEXTQUOTA:
                return superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET,
                                           NULL);
        default:
                /* let the kernel handle invalid cmds */
                return 0;
        }
}
2230
/* quota_on hook: the caller needs file:quotaon on the quota file. */
static int selinux_quota_on(struct dentry *dentry)
{
        return dentry_has_perm(current_cred(), dentry, FILE__QUOTAON);
}
2237
/*
 * syslog hook: map the syslog action to a system-class permission
 * (syslog_read, syslog_console or syslog_mod) and check it from the
 * current task against the kernel SID.
 */
static int selinux_syslog(int type)
{
        u32 perm;

        switch (type) {
        case SYSLOG_ACTION_READ_ALL:    /* read last kernel messages */
        case SYSLOG_ACTION_SIZE_BUFFER: /* return size of the log buffer */
                perm = SYSTEM__SYSLOG_READ;
                break;
        case SYSLOG_ACTION_CONSOLE_OFF: /* disable logging to console */
        case SYSLOG_ACTION_CONSOLE_ON:  /* enable logging to console */
        case SYSLOG_ACTION_CONSOLE_LEVEL: /* set console message level */
                perm = SYSTEM__SYSLOG_CONSOLE;
                break;
        default:                        /* all other syslog types */
                perm = SYSTEM__SYSLOG_MOD;
                break;
        }

        return avc_has_perm(&selinux_state, current_sid(), SECINITSID_KERNEL,
                            SECCLASS_SYSTEM, perm, NULL);
}
2260
/*
 * vm_enough_memory hook.  Despite the name, this hook's return value is
 * a capability indicator, not a memory verdict: it returns 1 when the
 * current task is granted CAP_SYS_ADMIN and 0 otherwise (presumably
 * consumed by the core's mapping accounting, which decides between 0
 * and -ENOMEM).  @mm and @pages are not examined.
 *
 * The capability check is deliberately not audited, as it runs for
 * every process that allocates a mapping.
 */
static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
{
        int rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
                                     CAP_OPT_NOAUDIT, true);

        return rc == 0 ? 1 : 0;
}
2280
2281/* binprm security operations */
2282
/*
 * ptrace_parent_sid - return the object SID of the task tracing the
 * current task, or 0 when it is not being traced.  The ptrace parent
 * is looked up under rcu_read_lock().
 */
static u32 ptrace_parent_sid(void)
{
        struct task_struct *tracer;
        u32 sid;

        rcu_read_lock();
        tracer = ptrace_parent(current);
        sid = tracer ? task_sid_obj(tracer) : 0;
        rcu_read_unlock();

        return sid;
}
2296
/*
 * check_nnp_nosuid - decide whether a SID change on exec is allowed
 * under no_new_privs or a nosuid mount.
 * @bprm:     the exec in progress; bprm->unsafe and the file's mount
 *            supply the NNP and nosuid state
 * @old_tsec: the exec'ing task's security blob
 * @new_tsec: the blob being prepared for the new image
 *
 * Returns 0 when neither restriction applies, when the SID does not
 * change, when the policy grants process2:nnp_transition /
 * nosuid_transition (if the nnp_nosuid_transition policy capability is
 * enabled), or when the new SID is bounded by the old one.  Otherwise
 * -EPERM under NNP (operation not permitted for the caller) and -EACCES
 * under nosuid (permission denied to the file).
 */
static int check_nnp_nosuid(const struct linux_binprm *bprm,
                            const struct task_security_struct *old_tsec,
                            const struct task_security_struct *new_tsec)
{
        const bool nnp = !!(bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
        const bool nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
        u32 av = 0;

        if (!nnp && !nosuid)
                return 0;       /* neither restriction applies */

        if (new_tsec->sid == old_tsec->sid)
                return 0;       /* no change in credentials */

        /* Explicit transition permissions, when the policy supports them. */
        if (selinux_policycap_nnp_nosuid_transition()) {
                if (nnp)
                        av |= PROCESS2__NNP_TRANSITION;
                if (nosuid)
                        av |= PROCESS2__NOSUID_TRANSITION;
                if (!avc_has_perm(&selinux_state, old_tsec->sid, new_tsec->sid,
                                  SECCLASS_PROCESS2, av, NULL))
                        return 0;
        }

        /*
         * Transitions to bounded SIDs (guaranteed a subset of the old
         * SID's permissions) are always allowed.
         */
        if (!security_bounded_transition(&selinux_state, old_tsec->sid,
                                         new_tsec->sid))
                return 0;

        /* Preserve the distinct errno values for NNP vs nosuid. */
        return nnp ? -EPERM : -EACCES;
}
2350
/*
 * selinux_bprm_creds_for_exec - compute the SID the task will run with
 * after exec'ing bprm->file and check the permissions the transition
 * requires.
 * @bprm: the binprm being prepared; bprm->cred carries the new
 *        credentials whose SELinux blob is filled in here
 *
 * The new SID comes from an exec SID previously set on the task
 * (old_tsec->exec_sid) if there is one, otherwise from the policy's
 * process transition rule for the program's label.  Under NNP/nosuid a
 * disallowed transition fails the exec for an explicit exec SID but
 * silently falls back to the caller's SID for a default transition.
 *
 * Returns 0 or a negative error; share and ptrace denials are reported
 * as -EPERM regardless of the AVC's own error code.
 */
static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
{
        const struct task_security_struct *old_tsec;
        struct task_security_struct *new_tsec;
        struct inode_security_struct *isec;
        struct common_audit_data ad;
        struct inode *inode = file_inode(bprm->file);
        int rc;

        /* SELinux context only depends on initial program or script and not
         * the script interpreter */

        old_tsec = selinux_cred(current_cred());
        new_tsec = selinux_cred(bprm->cred);
        isec = inode_security(inode);

        /* Default to the current task SID. */
        new_tsec->sid = old_tsec->sid;
        new_tsec->osid = old_tsec->sid;

        /* Reset fs, key, and sock SIDs on execve. */
        new_tsec->create_sid = 0;
        new_tsec->keycreate_sid = 0;
        new_tsec->sockcreate_sid = 0;

        if (old_tsec->exec_sid) {
                /* An explicitly requested exec SID is consumed by this exec. */
                new_tsec->sid = old_tsec->exec_sid;
                /* Reset exec SID on execve. */
                new_tsec->exec_sid = 0;

                /* Fail on NNP or nosuid if not an allowed transition. */
                rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
                if (rc)
                        return rc;
        } else {
                /* Check for a default transition on this program. */
                rc = security_transition_sid(&selinux_state, old_tsec->sid,
                                             isec->sid, SECCLASS_PROCESS, NULL,
                                             &new_tsec->sid);
                if (rc)
                        return rc;

                /*
                 * Fallback to old SID on NNP or nosuid if not an allowed
                 * transition.  The error is intentionally not returned:
                 * the exec proceeds without a SID change.
                 */
                rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
                if (rc)
                        new_tsec->sid = old_tsec->sid;
        }

        ad.type = LSM_AUDIT_DATA_FILE;
        ad.u.file = bprm->file;

        if (new_tsec->sid == old_tsec->sid) {
                /* No SID change: the caller needs execute_no_trans on the file. */
                rc = avc_has_perm(&selinux_state,
                                  old_tsec->sid, isec->sid,
                                  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
                if (rc)
                        return rc;
        } else {
                /* Check permissions for the transition. */
                rc = avc_has_perm(&selinux_state,
                                  old_tsec->sid, new_tsec->sid,
                                  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
                if (rc)
                        return rc;

                /* The program must be a valid entrypoint for the new SID. */
                rc = avc_has_perm(&selinux_state,
                                  new_tsec->sid, isec->sid,
                                  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
                if (rc)
                        return rc;

                /* Check for shared state */
                if (bprm->unsafe & LSM_UNSAFE_SHARE) {
                        rc = avc_has_perm(&selinux_state,
                                          old_tsec->sid, new_tsec->sid,
                                          SECCLASS_PROCESS, PROCESS__SHARE,
                                          NULL);
                        if (rc)
                                return -EPERM;
                }

                /* Make sure that anyone attempting to ptrace over a task that
                 * changes its SID has the appropriate permit */
                if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
                        u32 ptsid = ptrace_parent_sid();
                        if (ptsid != 0) {
                                rc = avc_has_perm(&selinux_state,
                                                  ptsid, new_tsec->sid,
                                                  SECCLASS_PROCESS,
                                                  PROCESS__PTRACE, NULL);
                                if (rc)
                                        return -EPERM;
                        }
                }

                /* Clear any possibly unsafe personality bits on exec: */
                bprm->per_clear |= PER_CLEAR_ON_SETID;

                /* Enable secure mode for SIDs transitions unless
                   the noatsecure permission is granted between
                   the two SIDs, i.e. ahp returns 0.  This denial is
                   never fatal; it only sets bprm->secureexec. */
                rc = avc_has_perm(&selinux_state,
                                  old_tsec->sid, new_tsec->sid,
                                  SECCLASS_PROCESS, PROCESS__NOATSECURE,
                                  NULL);
                bprm->secureexec |= !!rc;
        }

        return 0;
}
2464
/*
 * iterate_fd() callback used by flush_unauthorized_files().  Returns
 * fd + 1 when file_has_perm() reports an error for this descriptor, so the
 * caller can tell "descriptor 0 failed" apart from "nothing failed"; returns
 * 0 when the descriptor is still permitted under @p (the new credentials).
 */
static int match_file(const void *p, struct file *file, unsigned fd)
{
        if (!file_has_perm(p, file, file_to_av(file)))
                return 0;
        return fd + 1;
}
2469
/* Derived from fs/exec.c:flush_old_files. */
/*
 * Re-check the controlling tty and every inherited file descriptor against
 * @cred, the credentials the exec is about to install.  A tty that fails the
 * read|write check is dropped with no_tty().  Descriptors that fail
 * file_has_perm() (via match_file()) are handed to replace_fd() together with
 * an open /dev/null (selinux_null); if /dev/null cannot be opened, replace_fd()
 * is called with a NULL file instead — presumably closing the descriptor,
 * confirm against fs/file.c.
 *
 * Called from selinux_bprm_committing_creds() once the SID is known to change.
 */
static inline void flush_unauthorized_files(const struct cred *cred,
                                            struct files_struct *files)
{
        struct file *file, *devnull = NULL;
        struct tty_struct *tty;
        int drop_tty = 0;
        unsigned n;

        tty = get_current_tty();
        if (tty) {
                spin_lock(&tty->files_lock);
                if (!list_empty(&tty->tty_files)) {
                        struct tty_file_private *file_priv;

                        /* Revalidate access to controlling tty.
                           Use file_path_has_perm on the tty path directly
                           rather than using file_has_perm, as this particular
                           open file may belong to another process and we are
                           only interested in the inode-based check here. */
                        file_priv = list_first_entry(&tty->tty_files,
                                                struct tty_file_private, list);
                        file = file_priv->file;
                        /* Only record the decision here; no_tty() is called
                         * after the tty lock and reference are released. */
                        if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
                                drop_tty = 1;
                }
                spin_unlock(&tty->files_lock);
                tty_kref_put(tty);
        }
        /* Reset controlling tty. */
        if (drop_tty)
                no_tty();

        /* Revalidate access to inherited open files. */
        n = iterate_fd(files, 0, match_file, cred);
        if (!n) /* none found? */
                return;

        /* One /dev/null file is opened and shared by every replacement;
         * on failure devnull stays NULL and the fd is still replaced. */
        devnull = dentry_open(&selinux_null, O_RDWR, cred);
        if (IS_ERR(devnull))
                devnull = NULL;
        /* replace all the matching ones with this */
        /* match_file() reports fd + 1, hence n - 1 here; resuming the
         * iteration at n means each descriptor is examined once. */
        do {
                replace_fd(n - 1, devnull, 0);
        } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
        if (devnull)
                fput(devnull);
}
2518
2519/*
2520 * Prepare a process for imminent new credential changes due to exec
2521 */
2522static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2523{
2524        struct task_security_struct *new_tsec;
2525        struct rlimit *rlim, *initrlim;
2526        int rc, i;
2527
2528        new_tsec = selinux_cred(bprm->cred);
2529        if (new_tsec->sid == new_tsec->osid)
2530                return;
2531
2532        /* Close files for which the new task SID is not authorized. */
2533        flush_unauthorized_files(bprm->cred, current->files);
2534
2535        /* Always clear parent death signal on SID transitions. */
2536        current->pdeath_signal = 0;
2537
2538        /* Check whether the new SID can inherit resource limits from the old
2539         * SID.  If not, reset all soft limits to the lower of the current
2540         * task's hard limit and the init task's soft limit.
2541         *
2542         * Note that the setting of hard limits (even to lower them) can be
2543         * controlled by the setrlimit check.  The inclusion of the init task's
2544         * soft limit into the computation is to avoid resetting soft limits
2545         * higher than the default soft limit for cases where the default is
2546         * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2547         */
2548        rc = avc_has_perm(&selinux_state,
2549                          new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2550                          PROCESS__RLIMITINH, NULL);
2551        if (rc) {
2552                /* protect against do_prlimit() */
2553                task_lock(current);
2554                for (i = 0; i < RLIM_NLIMITS; i++) {
2555                        rlim = current->signal->rlim + i;
2556                        initrlim = init_task.signal->rlim + i;
2557                        rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2558                }
2559                task_unlock(current);
2560                if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2561                        update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2562        }
2563}
2564
2565/*
2566 * Clean up the process immediately after the installation of new credentials
2567 * due to exec
2568 */
2569static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2570{
2571        const struct task_security_struct *tsec = selinux_cred(current_cred());
2572        u32 osid, sid;
2573        int rc;
2574
2575        osid = tsec->osid;
2576        sid = tsec->sid;
2577
2578        if (sid == osid)
2579                return;
2580
2581        /* Check whether the new SID can inherit signal state from the old SID.
2582         * If not, clear itimers to avoid subsequent signal generation and
2583         * flush and unblock signals.
2584         *
2585         * This must occur _after_ the task SID has been updated so that any
2586         * kill done after the flush will be checked against the new SID.
2587         */
2588        rc = avc_has_perm(&selinux_state,
2589                          osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2590        if (rc) {
2591                clear_itimer();
2592
2593                spin_lock_irq(&current->sighand->siglock);
2594                if (!fatal_signal_pending(current)) {
2595                        flush_sigqueue(&current->pending);
2596                        flush_sigqueue(&current->signal->shared_pending);
2597                        flush_signal_handlers(current, 1);
2598                        sigemptyset(&current->blocked);
2599                        recalc_sigpending();
2600                }
2601                spin_unlock_irq(&current->sighand->siglock);
2602        }
2603
2604        /* Wake up the parent if it is waiting so that it can recheck
2605         * wait permission to the new task SID. */
2606        read_lock(&tasklist_lock);
2607        __wake_up_parent(current, current->real_parent);
2608        read_unlock(&tasklist_lock);
2609}
2610
2611/* superblock security operations */
2612
/*
 * sb_alloc_security hook.  Initialises the SELinux superblock blob obtained
 * through selinux_superblock(): its mutex, the inode list and its spinlock,
 * and the three SIDs, which start out as "unlabeled" (sb and mountpoint) and
 * "file" (default) until the superblock is labeled later.  Cannot fail.
 */
static int selinux_sb_alloc_security(struct super_block *sb)
{
        struct superblock_security_struct *sbsec = selinux_superblock(sb);

        sbsec->sid = SECINITSID_UNLABELED;
        sbsec->def_sid = SECINITSID_FILE;
        sbsec->mntpoint_sid = SECINITSID_UNLABELED;

        mutex_init(&sbsec->lock);
        spin_lock_init(&sbsec->isec_lock);
        INIT_LIST_HEAD(&sbsec->isec_head);

        return 0;
}
2626
/*
 * Length of the first mount option in @s: the number of characters up to the
 * first ',' that is not inside double quotes, or up to the terminating NUL.
 * Quote characters are counted but never end the option, so a quoted value
 * may itself contain commas.
 */
static inline int opt_len(const char *s)
{
        bool in_quotes = false;
        int i = 0;

        while (s[i] != '\0') {
                if (s[i] == '"')
                        in_quotes = !in_quotes;
                else if (s[i] == ',' && !in_quotes)
                        break;
                i++;
        }
        return i;
}
2641
/*
 * sb_eat_lsm_opts hook.  Walks the comma-separated mount option string
 * @options in place (quote-aware, see opt_len()).  Every option that
 * match_opt_prefix() recognises as a SELinux option is removed from the
 * string and recorded in *mnt_opts through selinux_add_opt(), with the
 * surrounding double quotes stripped from its argument; every other option is
 * compacted towards the front so the filesystem sees only its own options.
 *
 * Returns 0 on success.  On failure (-ENOMEM or whatever selinux_add_opt()
 * returns) everything already collected in *mnt_opts is freed and *mnt_opts
 * is reset to NULL; @options may be left partially rewritten at that point.
 */
static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
{
        char *from = options;   /* read cursor: start of the current option */
        char *to = options;     /* write cursor: end of the kept options */
        bool first = true;      /* no kept option has been written yet */
        int rc;

        while (1) {
                int len = opt_len(from);
                int token;
                char *arg = NULL;

                token = match_opt_prefix(from, len, &arg);

                if (token != Opt_error) {
                        char *p, *q;

                        /* strip quotes */
                        if (arg) {
                                /* Drop every '"' between arg and the end of
                                 * this option, compacting in place. */
                                for (p = q = arg; p < from + len; p++) {
                                        char c = *p;
                                        if (c != '"')
                                                *q++ = c;
                                }
                                /* Own copy: the original buffer is rewritten
                                 * below and belongs to the caller. */
                                arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
                                if (!arg) {
                                        rc = -ENOMEM;
                                        goto free_opt;
                                }
                        }
                        /* On success selinux_add_opt() keeps arg; on failure
                         * it is still ours to free. */
                        rc = selinux_add_opt(token, arg, mnt_opts);
                        if (unlikely(rc)) {
                                kfree(arg);
                                goto free_opt;
                        }
                } else {
                        if (!first) {   // copy with preceding comma
                                from--;
                                len++;
                        }
                        /* memmove: source and destination overlap once an
                         * earlier option has been eaten. */
                        if (to != from)
                                memmove(to, from, len);
                        to += len;
                        first = false;
                }
                if (!from[len])
                        break;
                from += len + 1;        /* skip the separating comma */
        }
        *to = '\0';
        return 0;

free_opt:
        if (*mnt_opts) {
                selinux_free_mnt_opts(*mnt_opts);
                *mnt_opts = NULL;
        }
        return rc;
}
2701
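/*
 * sb_mnt_opts_compat hook.  Decides whether the SELinux mount options in
 * @mnt_opts (a struct selinux_mnt_opts, or NULL for none) are compatible with
 * an existing superblock @sb.  Returns 0 when compatible and 1 when not; this
 * is a yes/no predicate, so an option that fails to parse counts as
 * incompatible rather than being reported as an errno (contrast
 * selinux_sb_remount()).
 *
 * Each of fscontext/context/rootcontext/defcontext is parsed with parse_sid()
 * and compared, via bad_option(), against the SID the superblock already
 * carries for that option (sbsec->sid, sbsec->mntpoint_sid, the root inode's
 * SID and sbsec->def_sid respectively).
 */
static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
{
        struct selinux_mnt_opts *opts = mnt_opts;
        /*
         * Every other superblock hook in this file reaches the SELinux blob
         * through selinux_superblock(sb) rather than sb->s_security; the
         * accessor is expected to apply the LSM blob offset, so the raw
         * pointer is only equivalent when that offset happens to be zero.
         */
        struct superblock_security_struct *sbsec = selinux_superblock(sb);
        u32 sid;
        int rc;

        /*
         * Superblock not initialized (i.e. no options) - reject if any
         * options specified, otherwise accept.
         */
        if (!(sbsec->flags & SE_SBINITIALIZED))
                return opts ? 1 : 0;

        /*
         * Superblock initialized and no options specified - reject if
         * superblock has any options set, otherwise accept.
         */
        if (!opts)
                return (sbsec->flags & SE_MNTMASK) ? 1 : 0;

        if (opts->fscontext) {
                rc = parse_sid(sb, opts->fscontext, &sid);
                if (rc)
                        return 1;
                if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
                        return 1;
        }
        if (opts->context) {
                rc = parse_sid(sb, opts->context, &sid);
                if (rc)
                        return 1;
                if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
                        return 1;
        }
        if (opts->rootcontext) {
                struct inode_security_struct *root_isec;

                root_isec = backing_inode_security(sb->s_root);
                rc = parse_sid(sb, opts->rootcontext, &sid);
                if (rc)
                        return 1;
                if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
                        return 1;
        }
        if (opts->defcontext) {
                rc = parse_sid(sb, opts->defcontext, &sid);
                if (rc)
                        return 1;
                if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
                        return 1;
        }
        return 0;
}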
2756
/*
 * Check one remount option.  Leaves *bad false and returns 0 when @ctx is
 * absent; otherwise parses @ctx with parse_sid() (returning its error, if any)
 * and sets *bad to the result of bad_option() for the option @flag whose
 * current SID is @old_sid.
 */
static int selinux_sb_remount_check_opt(struct super_block *sb,
                                        struct superblock_security_struct *sbsec,
                                        const char *ctx, int flag, u32 old_sid,
                                        bool *bad)
{
        u32 sid;
        int rc;

        *bad = false;
        if (!ctx)
                return 0;
        rc = parse_sid(sb, ctx, &sid);
        if (rc)
                return rc;
        *bad = bad_option(sbsec, flag, old_sid, sid);
        return 0;
}

/*
 * sb_remount hook.  A remount may not change any SELinux mount option on an
 * initialised superblock: each option given in @mnt_opts must still resolve to
 * the SID the superblock already carries.  Returns 0 when there are no options
 * or the superblock is not initialised yet, the parse_sid() error when an
 * option cannot be parsed, and -EINVAL (with a warning) when an option would
 * change the existing labeling.
 */
static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
{
        struct selinux_mnt_opts *opts = mnt_opts;
        struct superblock_security_struct *sbsec = selinux_superblock(sb);
        bool bad = false;
        int rc;

        if (!(sbsec->flags & SE_SBINITIALIZED) || !opts)
                return 0;

        rc = selinux_sb_remount_check_opt(sb, sbsec, opts->fscontext,
                                          FSCONTEXT_MNT, sbsec->sid, &bad);
        if (rc || bad)
                goto out;
        rc = selinux_sb_remount_check_opt(sb, sbsec, opts->context,
                                          CONTEXT_MNT, sbsec->mntpoint_sid,
                                          &bad);
        if (rc || bad)
                goto out;
        if (opts->rootcontext) {
                struct inode_security_struct *root_isec =
                        backing_inode_security(sb->s_root);

                rc = selinux_sb_remount_check_opt(sb, sbsec, opts->rootcontext,
                                                  ROOTCONTEXT_MNT,
                                                  root_isec->sid, &bad);
                if (rc || bad)
                        goto out;
        }
        rc = selinux_sb_remount_check_opt(sb, sbsec, opts->defcontext,
                                          DEFCONTEXT_MNT, sbsec->def_sid, &bad);
out:
        if (rc)
                return rc;
        if (!bad)
                return 0;

        pr_warn("SELinux: unable to change security options "
               "during remount (dev %s, type=%s)\n", sb->s_id,
               sb->s_type->name);
        return -EINVAL;
}
2808
/*
 * sb_kern_mount hook: filesystem:mount permission for the current credentials
 * on @sb, audited against the superblock's root dentry.
 */
static int selinux_sb_kern_mount(struct super_block *sb)
{
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_DENTRY,
                .u.dentry = sb->s_root,
        };

        return superblock_has_perm(current_cred(), sb, FILESYSTEM__MOUNT, &ad);
}
2818
/*
 * sb_statfs hook: filesystem:getattr permission for the current credentials
 * on the superblock @dentry belongs to, audited against that superblock's
 * root dentry (not @dentry itself).
 */
static int selinux_sb_statfs(struct dentry *dentry)
{
        struct super_block *sb = dentry->d_sb;
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_DENTRY,
                .u.dentry = sb->s_root,
        };

        return superblock_has_perm(current_cred(), sb, FILESYSTEM__GETATTR,
                                   &ad);
}
2828
/*
 * sb_mount hook.  A remount (MS_REMOUNT in @flags) needs filesystem:remount on
 * the superblock already mounted at @path; any other mount needs file:mounton
 * on the mount point itself.  @dev_name, @type and @data are not examined
 * here.
 */
static int selinux_mount(const char *dev_name,
                         const struct path *path,
                         const char *type,
                         unsigned long flags,
                         void *data)
{
        const struct cred *cred = current_cred();

        if (!(flags & MS_REMOUNT))
                return path_has_perm(cred, path, FILE__MOUNTON);

        return superblock_has_perm(cred, path->dentry->d_sb,
                                   FILESYSTEM__REMOUNT, NULL);
}
2843
/*
 * move_mount hook: file:mounton on the destination @to_path.  Nothing is
 * checked on @from_path here.
 */
static int selinux_move_mount(const struct path *from_path,
                              const struct path *to_path)
{
        return path_has_perm(current_cred(), to_path, FILE__MOUNTON);
}
2851
/*
 * sb_umount hook: filesystem:unmount on the superblock behind @mnt; @flags
 * (the umount2 flags) do not affect the check.
 */
static int selinux_umount(struct vfsmount *mnt, int flags)
{
        return superblock_has_perm(current_cred(), mnt->mnt_sb,
                                   FILESYSTEM__UNMOUNT, NULL);
}
2859
/*
 * Duplicate one mount-option string.  A NULL @src leaves *dst untouched and
 * succeeds; otherwise *dst receives a kstrdup() copy, -ENOMEM on failure.
 */
static int selinux_dup_mnt_opt_str(const char *src, char **dst)
{
        if (!src)
                return 0;
        *dst = kstrdup(src, GFP_KERNEL);
        return *dst ? 0 : -ENOMEM;
}

/*
 * fs_context_dup hook.  Gives @fc its own deep copy of @src_fc's SELinux
 * mount options (fscontext, context, rootcontext, defcontext).  Nothing is
 * done when @src_fc carries no options.  fc->security is assigned before the
 * allocation is checked, so on any -ENOMEM it holds either NULL or a
 * partially filled structure for the fs_context teardown to release.
 */
static int selinux_fs_context_dup(struct fs_context *fc,
                                  struct fs_context *src_fc)
{
        const struct selinux_mnt_opts *src = src_fc->security;
        struct selinux_mnt_opts *opts;

        if (!src)
                return 0;

        opts = kzalloc(sizeof(*opts), GFP_KERNEL);
        fc->security = opts;
        if (!opts)
                return -ENOMEM;

        /* Short-circuit keeps the original order and stops at the first
         * failed allocation. */
        if (selinux_dup_mnt_opt_str(src->fscontext, &opts->fscontext) ||
            selinux_dup_mnt_opt_str(src->context, &opts->context) ||
            selinux_dup_mnt_opt_str(src->rootcontext, &opts->rootcontext) ||
            selinux_dup_mnt_opt_str(src->defcontext, &opts->defcontext))
                return -ENOMEM;

        return 0;
}
2897
/*
 * Parameter table handed to fs_parse() by selinux_fs_context_parse_param():
 * the four *context= string options and the seclabel flag, each mapped to the
 * Opt_* value that is later passed to selinux_add_opt().  The empty entry
 * terminates the table.
 */
static const struct fs_parameter_spec selinux_fs_parameters[] = {
        fsparam_string(CONTEXT_STR,     Opt_context),
        fsparam_string(DEFCONTEXT_STR,  Opt_defcontext),
        fsparam_string(FSCONTEXT_STR,   Opt_fscontext),
        fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
        fsparam_flag  (SECLABEL_STR,    Opt_seclabel),
        {}
};
2906
/*
 * fs_context_parse_param hook.  Matches @param against selinux_fs_parameters
 * and, for a SELinux option, records it in fc->security via selinux_add_opt().
 * Returns the fs_parse() error for an unrecognised/invalid parameter, the
 * selinux_add_opt() error on failure, or 1 once the option has been consumed.
 */
static int selinux_fs_context_parse_param(struct fs_context *fc,
                                          struct fs_parameter *param)
{
        struct fs_parse_result result;
        int opt = fs_parse(fc, selinux_fs_parameters, param, &result);
        int rc;

        if (opt < 0)
                return opt;

        rc = selinux_add_opt(opt, param->string, &fc->security);
        if (rc)
                return rc;

        /* selinux_add_opt() presumably keeps param->string; detach it so the
         * fs_parameter owner does not free it as well. */
        param->string = NULL;
        return 1;
}
2924
2925/* inode security operations */
2926
/*
 * inode_alloc_security hook.  Resets the SELinux inode blob: the label starts
 * out as "unlabeled"/file-class with state LABEL_INVALID, and the SID of the
 * task allocating the inode is remembered in task_sid.  Cannot fail.
 */
static int selinux_inode_alloc_security(struct inode *inode)
{
        struct inode_security_struct *isec = selinux_inode(inode);

        isec->inode = inode;
        isec->task_sid = current_sid();
        isec->sid = SECINITSID_UNLABELED;
        isec->sclass = SECCLASS_FILE;
        isec->initialized = LABEL_INVALID;

        spin_lock_init(&isec->lock);
        INIT_LIST_HEAD(&isec->list);

        return 0;
}
2942
/*
 * inode_free_security hook: delegates entirely to inode_free_security().
 */
static void selinux_inode_free_security(struct inode *inode)
{
        inode_free_security(inode);
}
2947
/*
 * dentry_init_security hook.  Computes the label a new object named @name of
 * type @mode would receive under @dentry's parent for the current credentials,
 * and returns it as a context string in *ctx / *ctxlen.  Returns the
 * selinux_determine_inode_label() or security_sid_to_context() error.
 */
static int selinux_dentry_init_security(struct dentry *dentry, int mode,
                                        const struct qstr *name, void **ctx,
                                        u32 *ctxlen)
{
        const struct task_security_struct *tsec = selinux_cred(current_cred());
        struct inode *parent = d_inode(dentry->d_parent);
        u32 newsid;
        int rc;

        rc = selinux_determine_inode_label(tsec, parent, name,
                                           inode_mode_to_security_class(mode),
                                           &newsid);
        if (rc)
                return rc;

        return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
                                       ctxlen);
}
2965
/*
 * dentry_create_files_as hook.  Determines, using the credentials @old, the
 * label a new object @name of type @mode would get under @dentry's parent, and
 * stores it as create_sid in the credentials @new so that files created under
 * @new are labeled that way.  Returns the selinux_determine_inode_label()
 * error, else 0.
 */
static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
                                          struct qstr *name,
                                          const struct cred *old,
                                          struct cred *new)
{
        struct inode *parent = d_inode(dentry->d_parent);
        u32 newsid;
        int rc;

        rc = selinux_determine_inode_label(selinux_cred(old), parent, name,
                                           inode_mode_to_security_class(mode),
                                           &newsid);
        if (!rc)
                selinux_cred(new)->create_sid = newsid;
        return rc;
}
2986
/*
 * inode_init_security hook for a newly created @inode in directory @dir.
 * Determines the new label via selinux_determine_inode_label() (the current
 * task's create_sid is passed in as the starting value) and, if the superblock
 * is already initialised, applies it to the inode blob right away; otherwise
 * labeling is deferred until the superblock is set up.
 *
 * The xattr name/value pair is only produced for superblocks that support
 * labeling (SBLABEL_MNT) once policy is loaded; -EOPNOTSUPP is returned
 * otherwise, after the in-memory label has already been set.  *name is set to
 * XATTR_SELINUX_SUFFIX; *value/*len receive the context string, which the
 * caller owns, only when both pointers are supplied.
 */
static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
                                       const struct qstr *qstr,
                                       const char **name,
                                       void **value, size_t *len)
{
        const struct task_security_struct *tsec = selinux_cred(current_cred());
        struct superblock_security_struct *sbsec = selinux_superblock(dir->i_sb);
        u32 newsid = tsec->create_sid;
        int rc;

        rc = selinux_determine_inode_label(tsec, dir, qstr,
                inode_mode_to_security_class(inode->i_mode),
                &newsid);
        if (rc)
                return rc;

        /* Possibly defer initialization to selinux_complete_init. */
        if (sbsec->flags & SE_SBINITIALIZED) {
                struct inode_security_struct *isec = selinux_inode(inode);

                isec->sclass = inode_mode_to_security_class(inode->i_mode);
                isec->sid = newsid;
                isec->initialized = LABEL_INITIALIZED;
        }

        if (!selinux_initialized(&selinux_state) ||
            !(sbsec->flags & SBLABEL_MNT))
                return -EOPNOTSUPP;

        if (name)
                *name = XATTR_SELINUX_SUFFIX;

        if (value && len) {
                char *context;
                u32 clen;

                rc = security_sid_to_context_force(&selinux_state, newsid,
                                                   &context, &clen);
                if (rc)
                        return rc;
                *value = context;
                *len = clen;
        }

        return 0;
}
3034
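/*
 * inode_init_security_anon hook for anonymous (ephemeral) inodes.  Does
 * nothing before policy is loaded.  With a @context_inode the new inode
 * simply inherits that inode's class and SID (the context inode must already
 * be labeled, else -EACCES); without one the class is anon_inode and the SID
 * comes from a type transition on the current task's SID keyed by @name.
 *
 * Only after the label is in place is the creating task checked for
 * <class>:create on the new inode, so the audit record names the label the
 * inode would carry.  Returns 0, an error from security_transition_sid(), or
 * the AVC result.
 */
static int selinux_inode_init_security_anon(struct inode *inode,
                                            const struct qstr *name,
                                            const struct inode *context_inode)
{
        const struct task_security_struct *tsec = selinux_cred(current_cred());
        struct common_audit_data ad;
        struct inode_security_struct *isec;
        int rc;

        if (unlikely(!selinux_initialized(&selinux_state)))
                return 0;

        isec = selinux_inode(inode);

        /*
         * We only get here once per ephemeral inode.  The inode has
         * been initialized via inode_alloc_security but is otherwise
         * untouched.
         */

        if (context_inode) {
                struct inode_security_struct *context_isec =
                        selinux_inode(context_inode);
                if (context_isec->initialized != LABEL_INITIALIZED) {
                        /* printk messages must end in a newline, otherwise
                         * the next message is appended to this one. */
                        pr_err("SELinux:  context_inode is not initialized\n");
                        return -EACCES;
                }

                isec->sclass = context_isec->sclass;
                isec->sid = context_isec->sid;
        } else {
                isec->sclass = SECCLASS_ANON_INODE;
                rc = security_transition_sid(
                        &selinux_state, tsec->sid, tsec->sid,
                        isec->sclass, name, &isec->sid);
                if (rc)
                        return rc;
        }

        isec->initialized = LABEL_INITIALIZED;
        /*
         * Now that we've initialized security, check whether we're
         * allowed to actually create this type of anonymous inode.
         */

        ad.type = LSM_AUDIT_DATA_INODE;
        ad.u.inode = inode;

        return avc_has_perm(&selinux_state,
                            tsec->sid,
                            isec->sid,
                            isec->sclass,
                            FILE__CREATE,
                            &ad);
}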
3090
/*
 * inode_create hook: may the current task create a regular file (class file)
 * as @dentry in @dir?  @mode is not consulted.
 */
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
{
        return may_create(dir, dentry, SECCLASS_FILE);
}
3095
/*
 * inode_link hook: may the current task hard-link the object behind
 * @old_dentry into @dir?  Checked through may_link() with MAY_LINK; the name
 * @new_dentry is not part of the decision.
 */
static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
{
        return may_link(dir, old_dentry, MAY_LINK);
}
3100
/*
 * inode_unlink hook: may_link() with MAY_UNLINK for removing @dentry from
 * @dir.
 */
static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
{
        return may_link(dir, dentry, MAY_UNLINK);
}
3105
/*
 * inode_symlink hook: creation of a symbolic link (class lnk_file) @dentry in
 * @dir.  The link target @name plays no part in the check.
 */
static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
{
        return may_create(dir, dentry, SECCLASS_LNK_FILE);
}
3110
/*
 * inode_mkdir hook: creation of a directory (class dir) @dentry in @dir.
 * @mask (the mode) is not consulted.
 */
static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
{
        return may_create(dir, dentry, SECCLASS_DIR);
}
3115
/*
 * inode_rmdir hook: may_link() with MAY_RMDIR for removing the directory
 * @dentry from @dir.
 */
static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
        return may_link(dir, dentry, MAY_RMDIR);
}
3120
/*
 * inode_mknod hook: creation of @dentry in @dir with the security class
 * derived from the file type bits of @mode (chr_file, blk_file, fifo_file,
 * sock_file, ...).  @dev is not consulted.
 */
static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
        return may_create(dir, dentry, inode_mode_to_security_class(mode));
}
3125
/*
 * inode_rename hook: thin pass-through to may_rename(), which performs the
 * full set of checks on the source and destination directories and entries.
 */
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
                                struct inode *new_inode, struct dentry *new_dentry)
{
        return may_rename(old_inode, old_dentry, new_inode, new_dentry);
}
3131
/*
 * inode_readlink hook: reading a symlink's target requires file:read (via
 * dentry_has_perm()) for the current credentials.
 */
static int selinux_inode_readlink(struct dentry *dentry)
{
        return dentry_has_perm(current_cred(), dentry, FILE__READ);
}
3138
/*
 * inode_follow_link hook: following a symlink requires read permission on
 * @inode for the current credentials.  In RCU path-walk (@rcu set) the inode
 * label is fetched with inode_security_rcu() in non-blocking mode and the AVC
 * is queried with MAY_NOT_BLOCK, so the caller can fall back to ref-walk on
 * -ECHILD.  Returns the inode_security_rcu() error or the AVC result.
 */
static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
                                     bool rcu)
{
        const struct cred *cred = current_cred();
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_DENTRY,
                .u.dentry = dentry,
        };
        struct inode_security_struct *isec;
        u32 sid;

        validate_creds(cred);

        sid = cred_sid(cred);
        isec = inode_security_rcu(inode, rcu);
        if (IS_ERR(isec))
                return PTR_ERR(isec);

        return avc_has_perm_flags(&selinux_state, sid, isec->sid, isec->sclass,
                                  FILE__READ, &ad, rcu ? MAY_NOT_BLOCK : 0);
}
3160
/*
 * Slow path of selinux_inode_permission(): emit the audit record for a
 * decision on @inode.  @perms are the requested file permissions, @audited and
 * @denied the masks computed by avc_audit_required(), @result the AVC return
 * value being audited.  Kept out of line (noinline) so the common no-audit
 * path stays small.  Returns whatever slow_avc_audit() returns.
 */
static noinline int audit_inode_permission(struct inode *inode,
                                           u32 perms, u32 audited, u32 denied,
                                           int result)
{
        struct inode_security_struct *isec = selinux_inode(inode);
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_INODE,
                .u.inode = inode,
        };

        return slow_avc_audit(&selinux_state,
                              current_sid(), isec->sid, isec->sclass, perms,
                              audited, denied, result, &ad);
}
3179
/*
 * inode_permission hook.  Translates the MAY_READ/WRITE/EXEC/APPEND bits of
 * @mask into file-class permissions (file_mask_to_av()) and checks them for
 * the current credentials against @inode's label.  An empty mask is a bare
 * existence test and is allowed without a check, as are private inodes.
 *
 * With MAY_NOT_BLOCK set (RCU path-walk) the label lookup and the AVC query
 * are done non-blocking; if an audit record would be required, -ECHILD is
 * returned so the VFS retries in ref-walk mode, where audit_inode_permission()
 * may block.  MAY_ACCESS (access(2)) adds FILE__AUDIT_ACCESS to the audit
 * decision.  Returns the AVC decision, or an audit error if logging fails.
 */
static int selinux_inode_permission(struct inode *inode, int mask)
{
        const struct cred *cred = current_cred();
        const bool no_block = mask & MAY_NOT_BLOCK;
        const bool from_access = mask & MAY_ACCESS;
        struct inode_security_struct *isec;
        struct av_decision avd;
        u32 perms, sid, audited, denied;
        int rc, audit_rc;

        mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);

        /* No permission to check.  Existence test. */
        if (!mask)
                return 0;

        validate_creds(cred);

        if (unlikely(IS_PRIVATE(inode)))
                return 0;

        perms = file_mask_to_av(inode->i_mode, mask);
        sid = cred_sid(cred);

        isec = inode_security_rcu(inode, no_block);
        if (IS_ERR(isec))
                return PTR_ERR(isec);

        rc = avc_has_perm_noaudit(&selinux_state, sid, isec->sid, isec->sclass,
                                  perms, no_block ? AVC_NONBLOCKING : 0, &avd);
        audited = avc_audit_required(perms, &avd, rc,
                                     from_access ? FILE__AUDIT_ACCESS : 0,
                                     &denied);
        if (likely(!audited))
                return rc;

        /* fall back to ref-walk if we have to generate audit */
        if (no_block)
                return -ECHILD;

        audit_rc = audit_inode_permission(inode, perms, audited, denied, rc);
        return audit_rc ? audit_rc : rc;
}
3230
/*
 * inode_setattr hook.  Attribute changes that touch ownership, mode or
 * explicitly set timestamps need file:setattr; everything else (size, atime/
 * mtime "now", ...) is treated as a write, i.e. file:write.  When the
 * openperm policy capability is enabled, a truncate that does not come
 * through an already open file (ATTR_SIZE without ATTR_FILE) additionally
 * needs file:open, except on sockfs inodes.
 *
 * ATTR_FORCE requests are stripped of the S[UG]ID-kill / mode bits first and
 * allowed outright when nothing else remains.
 */
static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
{
        const unsigned int setattr_bits = ATTR_MODE | ATTR_UID | ATTR_GID |
                                          ATTR_ATIME_SET | ATTR_MTIME_SET |
                                          ATTR_TIMES_SET;
        const struct cred *cred = current_cred();
        struct inode *inode = d_backing_inode(dentry);
        unsigned int flags = iattr->ia_valid;
        __u32 av = FILE__WRITE;

        /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
        if (flags & ATTR_FORCE) {
                flags &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
                           ATTR_FORCE);
                if (!flags)
                        return 0;
        }

        if (flags & setattr_bits)
                return dentry_has_perm(cred, dentry, FILE__SETATTR);

        if ((flags & ATTR_SIZE) && !(flags & ATTR_FILE) &&
            selinux_policycap_openperm() &&
            inode->i_sb->s_magic != SOCKFS_MAGIC)
                av |= FILE__OPEN;

        return dentry_has_perm(cred, dentry, av);
}
3258
/*
 * inode_getattr hook: stat-style queries on @path need file:getattr for the
 * current credentials.
 */
static int selinux_inode_getattr(const struct path *path)
{
        const struct cred *cred = current_cred();

        return path_has_perm(cred, path, FILE__GETATTR);
}
3263
/*
 * True when the current task holds CAP_MAC_ADMIN according to both the
 * capability module (cap_capable()) and SELinux's own capability check
 * (cred_has_capability()); a refusal from either side yields false.  @audit
 * selects whether a denial is audited (CAP_OPT_NONE) or silent
 * (CAP_OPT_NOAUDIT).
 */
static bool has_cap_mac_admin(bool audit)
{
        const struct cred *cred = current_cred();
        unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;

        return !cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts) &&
               !cred_has_capability(cred, CAP_MAC_ADMIN, opts, true);
}
3275
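/*
 * Inode setxattr hook.
 *
 * For any attribute other than security.selinux, defer to the capability
 * module and then require file:setattr on the dentry.  For the SELinux
 * label itself: before policy load only the inode owner (or a capable task)
 * may write the raw xattr; afterwards the caller needs relabelfrom on the
 * old label, the new context must map to a SID (an invalid context is
 * audited and rejected unless the caller holds CAP_MAC_ADMIN, in which case
 * it is forced into a SID), the caller needs relabelto on the new label,
 * the transition must pass policy validation, and the new label must be
 * allowed to associate with the filesystem.
 *
 * Returns 0 on success or a negative errno on denial/failure.
 */
static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
				  struct dentry *dentry, const char *name,
				  const void *value, size_t size, int flags)
{
	struct inode *inode = d_backing_inode(dentry);
	struct inode_security_struct *isec;
	struct superblock_security_struct *sbsec;
	struct common_audit_data ad;
	u32 newsid, sid = current_sid();
	int rc = 0;

	if (strcmp(name, XATTR_NAME_SELINUX)) {
		rc = cap_inode_setxattr(dentry, name, value, size, flags);
		if (rc)
			return rc;

		/* Not an attribute we recognize, so just check the
		   ordinary setattr permission. */
		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
	}

	/* No policy yet: fall back to plain ownership/capability. */
	if (!selinux_initialized(&selinux_state))
		return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM);

	/* Only filesystems mounted with per-inode labelling support. */
	sbsec = selinux_superblock(inode->i_sb);
	if (!(sbsec->flags & SBLABEL_MNT))
		return -EOPNOTSUPP;

	if (!inode_owner_or_capable(mnt_userns, inode))
		return -EPERM;

	ad.type = LSM_AUDIT_DATA_DENTRY;
	ad.u.dentry = dentry;

	isec = backing_inode_security(dentry);
	rc = avc_has_perm(&selinux_state,
			  sid, isec->sid, isec->sclass,
			  FILE__RELABELFROM, &ad);
	if (rc)
		return rc;

	rc = security_context_to_sid(&selinux_state, value, size, &newsid,
				     GFP_KERNEL);
	if (rc == -EINVAL) {
		if (!has_cap_mac_admin(true)) {
			struct audit_buffer *ab;
			size_t audit_size;

			/* We strip a nul only if it is at the end, otherwise the
			 * context contains a nul and we should audit that.
			 * Require a non-zero size as well as a non-NULL value:
			 * str[size - 1] with size == 0 would read out of bounds
			 * should a zero-length value ever reach this path. */
			if (value && size) {
				const char *str = value;

				if (str[size - 1] == '\0')
					audit_size = size - 1;
				else
					audit_size = size;
			} else {
				audit_size = 0;
			}
			ab = audit_log_start(audit_context(),
					     GFP_ATOMIC, AUDIT_SELINUX_ERR);
			audit_log_format(ab, "op=setxattr invalid_context=");
			audit_log_n_untrustedstring(ab, value, audit_size);
			audit_log_end(ab);

			return rc;
		}
		/* CAP_MAC_ADMIN: accept a context unknown to current policy. */
		rc = security_context_to_sid_force(&selinux_state, value,
						   size, &newsid);
	}
	if (rc)
		return rc;

	rc = avc_has_perm(&selinux_state,
			  sid, newsid, isec->sclass,
			  FILE__RELABELTO, &ad);
	if (rc)
		return rc;

	rc = security_validate_transition(&selinux_state, isec->sid, newsid,
					  sid, isec->sclass);
	if (rc)
		return rc;

	return avc_has_perm(&selinux_state,
			    newsid,
			    sbsec->sid,
			    SECCLASS_FILESYSTEM,
			    FILESYSTEM__ASSOCIATE,
			    &ad);
}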
3368
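/*
 * Inode post-setxattr hook: once security.selinux has been written to the
 * backing store, bring the in-core label into line with it.
 *
 * Only security.selinux is handled.  Before policy load the in-core label
 * is left untouched (it is revalidated later).  The "force" mapping is used
 * so that a context unknown to the current policy still yields a SID.
 */
static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
					const void *value, size_t size,
					int flags)
{
	struct inode *inode = d_backing_inode(dentry);
	struct inode_security_struct *isec;
	u32 newsid;
	int rc;

	if (strcmp(name, XATTR_NAME_SELINUX)) {
		/* Not an attribute we recognize, so nothing to do. */
		return;
	}

	if (!selinux_initialized(&selinux_state)) {
		/* If we haven't even been initialized, then we can't validate
		 * against a policy, so leave the label as invalid. It may
		 * resolve to a valid label on the next revalidation try if
		 * we've since initialized.
		 */
		return;
	}

	rc = security_context_to_sid_force(&selinux_state, value, size,
					   &newsid);
	if (rc) {
		/* The two literal pieces need a separating space ("SID for"). */
		pr_err("SELinux:  unable to map context to SID "
		       "for (%s, %lu), rc=%d\n",
		       inode->i_sb->s_id, inode->i_ino, -rc);
		return;
	}

	isec = backing_inode_security(dentry);
	spin_lock(&isec->lock);
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
	isec->sid = newsid;
	isec->initialized = LABEL_INITIALIZED;
	spin_unlock(&isec->lock);
}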
3410
/* Reading any xattr (whatever its @name) requires file:getattr on the dentry. */
static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
{
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
}
3417
/* Listing xattr names requires file:getattr on the dentry. */
static int selinux_inode_listxattr(struct dentry *dentry)
{
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
}
3424
/*
 * Inode removexattr hook.  The SELinux label itself can be changed but never
 * removed once policy is loaded; any other attribute goes through the
 * capability module and then file:setattr.
 */
static int selinux_inode_removexattr(struct user_namespace *mnt_userns,
				     struct dentry *dentry, const char *name)
{
	int err;

	if (!strcmp(name, XATTR_NAME_SELINUX)) {
		/* No one is allowed to remove a SELinux security label.
		   You can change the label, but all data must be labeled.
		   Before policy load there is nothing to protect. */
		return selinux_initialized(&selinux_state) ? -EACCES : 0;
	}

	err = cap_inode_removexattr(mnt_userns, dentry, name);
	if (err)
		return err;

	/* Not an attribute we recognize, so just check the
	   ordinary setattr permission. */
	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
3445
/*
 * fsnotify mark placement: pick the file:watch* permission matching the
 * object type being watched, widen it for blocking/read-like events, and
 * check it on @path.  Superblock watches additionally need filesystem:watch.
 */
static int selinux_path_notify(const struct path *path, u64 mask,
			       unsigned int obj_type)
{
	struct common_audit_data ad = { .type = LSM_AUDIT_DATA_PATH };
	u32 av;
	int err;

	ad.u.path = *path;

	switch (obj_type) {
	case FSNOTIFY_OBJ_TYPE_INODE:
		av = FILE__WATCH;
		break;
	case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
		av = FILE__WATCH_MOUNT;
		break;
	case FSNOTIFY_OBJ_TYPE_SB:
		/* A superblock watch is also a filesystem-level operation. */
		err = superblock_has_perm(current_cred(), path->dentry->d_sb,
					  FILESYSTEM__WATCH, &ad);
		if (err)
			return err;
		av = FILE__WATCH_SB;
		break;
	default:
		return -EINVAL;
	}

	/* blocking watches require the file:watch_with_perm permission */
	if (mask & ALL_FSNOTIFY_PERM_EVENTS)
		av |= FILE__WATCH_WITH_PERM;

	/* watches on read-like events need the file:watch_reads permission */
	if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
		av |= FILE__WATCH_READS;

	return path_has_perm(current_cred(), path, av);
}
3489
/*
 * Copy the inode security context value to the user.
 *
 * Permission check is handled by selinux_inode_getxattr hook.
 * On success returns the context length; with @alloc the buffer is handed
 * to the caller via *@buffer and must be freed by it.
 */
static int selinux_inode_getsecurity(struct user_namespace *mnt_userns,
				     struct inode *inode, const char *name,
				     void **buffer, bool alloc)
{
	struct inode_security_struct *isec;
	char *ctx = NULL;
	u32 ctx_len;
	int rc;

	/* Without a loaded policy contexts cannot be validated, so let
	 * vfs_getxattr fall back to the on-disk xattr.  Only the
	 * "selinux" suffix is claimed. */
	if (!selinux_initialized(&selinux_state) ||
	    strcmp(name, XATTR_SELINUX_SUFFIX))
		return -EOPNOTSUPP;

	/* CAP_MAC_ADMIN holders get the raw context even when it is not
	 * defined by the current policy; everyone else gets the in-core
	 * value.  The capability check is non-auditing: getxattr is common
	 * for unprivileged tasks and lacking it is a fallback, not a denial. */
	isec = inode_security(inode);
	if (has_cap_mac_admin(false))
		rc = security_sid_to_context_force(&selinux_state, isec->sid,
						   &ctx, &ctx_len);
	else
		rc = security_sid_to_context(&selinux_state, isec->sid,
					     &ctx, &ctx_len);
	if (rc)
		return rc;

	if (alloc)
		*buffer = ctx;		/* ownership passes to the caller */
	else
		kfree(ctx);
	return ctx_len;
}
3540
/*
 * Set the in-core label of @inode from a "selinux" context value.  No
 * permission check is made here; the context is only mapped through the
 * current policy and stored under the inode security lock.
 */
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
				     const void *value, size_t size, int flags)
{
	struct inode_security_struct *isec = inode_security_novalidate(inode);
	u32 sid;
	int err;

	if (strcmp(name, XATTR_SELINUX_SUFFIX))
		return -EOPNOTSUPP;

	/* Only filesystems mounted with per-inode labelling support. */
	if (!(selinux_superblock(inode->i_sb)->flags & SBLABEL_MNT))
		return -EOPNOTSUPP;

	/* An empty context can never be a valid label. */
	if (!value || !size)
		return -EACCES;

	err = security_context_to_sid(&selinux_state, value, size, &sid,
				      GFP_KERNEL);
	if (err)
		return err;

	spin_lock(&isec->lock);
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
	isec->sid = sid;
	isec->initialized = LABEL_INITIALIZED;
	spin_unlock(&isec->lock);
	return 0;
}
3571
/*
 * Report the xattr name SELinux claims ("security.selinux", including its
 * terminating NUL).  Copies the name into @buffer when it fits; always
 * returns the length, or 0 before policy load.
 */
static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
	static const char xattr_name[] = XATTR_NAME_SELINUX;
	const int name_len = sizeof(xattr_name);

	if (!selinux_initialized(&selinux_state))
		return 0;

	if (buffer != NULL && (size_t)name_len <= buffer_size)
		memcpy(buffer, xattr_name, name_len);
	return name_len;
}
3583
/* Return the inode's current SID without triggering label revalidation. */
static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
{
	*secid = inode_security_novalidate(inode)->sid;
}
3589
/*
 * Overlayfs copy-up: prepare credentials whose create_sid is the label of
 * the overlay inode @src, so the copied-up inode gets the same label.
 * Allocates a credential set only if *@new is NULL; returns -ENOMEM on
 * allocation failure.
 */
static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
{
	struct cred *creds = *new;
	u32 src_sid;

	if (!creds) {
		creds = prepare_creds();
		if (!creds)
			return -ENOMEM;
	}

	/* Get label from overlay inode and set it in create_sid */
	selinux_inode_getsecid(d_inode(src), &src_sid);
	selinux_cred(creds)->create_sid = src_sid;
	*new = creds;
	return 0;
}
3609
/*
 * Overlayfs xattr copy-up filter.  The copy_up hook above has already
 * chosen the new inode's label, so the lower security.selinux xattr must
 * not be copied over it (return 1 = discard).  No other attribute is
 * claimed by SELinux.
 */
static int selinux_inode_copy_up_xattr(const char *name)
{
	if (!strcmp(name, XATTR_NAME_SELINUX))
		return 1; /* Discard */

	return -EOPNOTSUPP;
}
3624
3625/* kernfs node operations */
3626
/*
 * Label a new kernfs node @kn from its parent directory's security.selinux
 * xattr.
 *
 * If the parent carries no label (-ENODATA) nothing is done and 0 is
 * returned.  Otherwise the new node gets the task's create_sid when one is
 * set, else the policy transition for (task SID, parent SID, class derived
 * from kn->mode, node name).  The resulting context is stored on @kn with
 * XATTR_CREATE.
 *
 * Returns 0 on success or a negative errno.
 */
static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
					struct kernfs_node *kn)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	u32 parent_sid, newsid, clen;
	int rc;
	char *context;

	/* Size query first; a parent without a label is not an error. */
	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
	if (rc == -ENODATA)
		return 0;
	else if (rc < 0)
		return rc;

	clen = (u32)rc;
	context = kmalloc(clen, GFP_KERNEL);
	if (!context)
		return -ENOMEM;

	rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
	if (rc < 0) {
		kfree(context);
		return rc;
	}

	/* The parent's context is only needed long enough to map it to a SID. */
	rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
				     GFP_KERNEL);
	kfree(context);
	if (rc)
		return rc;

	if (tsec->create_sid) {
		/* An explicit file-creation context overrides the transition. */
		newsid = tsec->create_sid;
	} else {
		u16 secclass = inode_mode_to_security_class(kn->mode);
		struct qstr q;

		/* Name-based transitions need the node name as a qstr. */
		q.name = kn->name;
		q.hash_len = hashlen_string(kn_dir, kn->name);

		rc = security_transition_sid(&selinux_state, tsec->sid,
					     parent_sid, secclass, &q,
					     &newsid);
		if (rc)
			return rc;
	}

	/* "force" so that a SID without a policy-valid context still yields a string. */
	rc = security_sid_to_context_force(&selinux_state, newsid,
					   &context, &clen);
	if (rc)
		return rc;

	rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
			      XATTR_CREATE);
	kfree(context);
	return rc;
}
3684
3685
3686/* file security operations */
3687
/*
 * Re-check a file access against the current task, inode label and policy,
 * mapping the MAY_* @mask to file permissions.
 */
static int selinux_revalidate_file_permission(struct file *file, int mask)
{
	struct inode *inode = file_inode(file);
	int effective_mask = mask;

	/* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
	if ((mask & MAY_WRITE) && (file->f_flags & O_APPEND))
		effective_mask |= MAY_APPEND;

	return file_has_perm(current_cred(), file,
			     file_mask_to_av(inode->i_mode, effective_mask));
}
3700
/*
 * File permission hook.  Access was checked at open time; only re-check
 * when the task label, inode label or policy sequence number has changed
 * since then (as recorded by selinux_file_open).
 */
static int selinux_file_permission(struct file *file, int mask)
{
	struct file_security_struct *fsec = selinux_file(file);
	struct inode_security_struct *isec;
	bool unchanged;

	/* No permission to check.  Existence test. */
	if (!mask)
		return 0;

	isec = inode_security(file_inode(file));
	unchanged = current_sid() == fsec->sid &&
		    fsec->isid == isec->sid &&
		    fsec->pseqno == avc_policy_seqno(&selinux_state);

	/* No change since file_open check. */
	return unchanged ? 0 : selinux_revalidate_file_permission(file, mask);
}
3720
/*
 * Initialise a new file's security blob: the opening task's SID is both
 * the file's label and its initial owner SID (used for SIGIO delivery).
 */
static int selinux_file_alloc_security(struct file *file)
{
	struct file_security_struct *fsec = selinux_file(file);

	fsec->fown_sid = fsec->sid = current_sid();
	return 0;
}
3731
/*
 * Check whether a task has the ioctl permission and cmd
 * operation to an inode.
 *
 * The descriptor check (fd:use) applies when the file was opened by a
 * different context; the ioctl check itself is an extended permission
 * keyed on the driver (high byte) and function (low byte) of @cmd.
 */
static int ioctl_has_perm(const struct cred *cred, struct file *file,
		u32 requested, u16 cmd)
{
	struct file_security_struct *fsec = selinux_file(file);
	struct inode *inode = file_inode(file);
	struct inode_security_struct *isec;
	struct lsm_ioctlop_audit op;
	struct common_audit_data ad;
	u32 ssid = cred_sid(cred);
	u8 driver = cmd >> 8;
	u8 xperm = cmd & 0xff;
	int rc;

	op.cmd = cmd;
	op.path = file->f_path;
	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
	ad.u.op = &op;

	if (ssid != fsec->sid) {
		rc = avc_has_perm(&selinux_state, ssid, fsec->sid,
				  SECCLASS_FD, FD__USE, &ad);
		if (rc)
			return rc;
	}

	/* Private (kernel-internal) inodes are not subject to the ioctl check. */
	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	isec = inode_security(inode);
	return avc_has_extended_perms(&selinux_state, ssid, isec->sid,
				      isec->sclass, requested, driver, xperm,
				      &ad);
}
3774
/*
 * File ioctl hook: a handful of generic commands map to getattr/setattr,
 * descriptor use or a capability; everything else is treated as a driver
 * ioctl and checked via ioctl_has_perm.
 */
static int selinux_file_ioctl(struct file *file, unsigned int cmd,
			      unsigned long arg)
{
	const struct cred *cred = current_cred();

	switch (cmd) {
	/* Read-only queries of file metadata. */
	case FIONREAD:
	case FIBMAP:
	case FIGETBSZ:
	case FS_IOC_GETFLAGS:
	case FS_IOC_GETVERSION:
		return file_has_perm(cred, file, FILE__GETATTR);

	case FS_IOC_SETFLAGS:
	case FS_IOC_SETVERSION:
		return file_has_perm(cred, file, FILE__SETATTR);

	/* sys_ioctl() checks: only the descriptor use is checked here. */
	case FIONBIO:
	case FIOASYNC:
		return file_has_perm(cred, file, 0);

	/* Keyboard table changes are a capability decision. */
	case KDSKBENT:
	case KDSKBSENT:
		return cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
					   CAP_OPT_NONE, true);

	default:
		/* default case assumes that the command will go
		 * to the file's ioctl() function.
		 */
		return ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
	}
}
3815
/* When non-zero, making anonymous/private-writable/COW mappings executable
 * requires an extra process:{execmem,execheap,execstack,execmod} check
 * (consulted by file_map_prot_check and selinux_file_mprotect).  Written
 * once at init, outside this view — TODO confirm where it is set. */
static int default_noexec __ro_after_init;
3817
/*
 * Check a file or anonymous mapping with protection @prot.  @shared is
 * non-zero for shared mappings.  With default_noexec set, executable
 * anonymous, private-inode or private writable mappings additionally need
 * process:execmem.
 */
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
	const struct cred *cred = current_cred();
	u32 sid = cred_sid(cred);
	bool want_exec = prot & PROT_EXEC;
	u32 av;
	int rc;

	if (default_noexec && want_exec &&
	    (!file || IS_PRIVATE(file_inode(file)) ||
	     (!shared && (prot & PROT_WRITE)))) {
		/*
		 * We are making executable an anonymous mapping or a
		 * private file mapping that will also be writable.
		 * This has an additional check.
		 */
		rc = avc_has_perm(&selinux_state, sid, sid, SECCLASS_PROCESS,
				  PROCESS__EXECMEM, NULL);
		if (rc)
			return rc;
	}

	/* Anonymous mapping: nothing further to check. */
	if (!file)
		return 0;

	/* read access is always possible with a mapping */
	av = FILE__READ;
	/* write access only matters if the mapping is shared */
	if (shared && (prot & PROT_WRITE))
		av |= FILE__WRITE;
	if (want_exec)
		av |= FILE__EXECUTE;

	return file_has_perm(cred, file, av);
}
3856
/* Mapping below CONFIG_LSM_MMAP_MIN_ADDR needs memprotect:mmap_zero. */
static int selinux_mmap_addr(unsigned long addr)
{
	u32 sid;

	if (addr >= CONFIG_LSM_MMAP_MIN_ADDR)
		return 0;

	sid = current_sid();
	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_MEMPROTECT,
			    MEMPROTECT__MMAP_ZERO, NULL);
}
3870
/*
 * mmap hook: a file mapping needs file:map on the inode, then the
 * protection is checked by file_map_prot_check.  With checkreqprot enabled
 * the protection the caller asked for (@reqprot) is checked instead of the
 * one the kernel will apply (@prot).
 */
static int selinux_mmap_file(struct file *file, unsigned long reqprot,
			     unsigned long prot, unsigned long flags)
{
	int shared = (flags & MAP_TYPE) == MAP_SHARED;

	if (file) {
		struct common_audit_data ad;
		int err;

		ad.type = LSM_AUDIT_DATA_FILE;
		ad.u.file = file;
		err = inode_has_perm(current_cred(), file_inode(file),
				     FILE__MAP, &ad);
		if (err)
			return err;
	}

	if (checkreqprot_get(&selinux_state))
		prot = reqprot;

	return file_map_prot_check(file, prot, shared);
}
3892
/*
 * mprotect hook.  When a mapping that is not yet executable is being made
 * executable and default_noexec is set, classify the VMA and require the
 * matching process permission: execheap for the brk region, execstack for
 * an anonymous mapping covering start_stack (or the current task's stack),
 * execmod for a file mapping that has private (COW) pages.  The generic
 * mapping checks then follow via file_map_prot_check.
 */
static int selinux_file_mprotect(struct vm_area_struct *vma,
				 unsigned long reqprot,
				 unsigned long prot)
{
	const struct cred *cred = current_cred();
	u32 sid = cred_sid(cred);

	/* With checkreqprot, check what the caller requested, not what is applied. */
	if (checkreqprot_get(&selinux_state))
		prot = reqprot;

	if (default_noexec &&
	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
		int rc = 0;
		/* Branch order matters: heap, then stack, then COW file mapping. */
		if (vma->vm_start >= vma->vm_mm->start_brk &&
		    vma->vm_end <= vma->vm_mm->brk) {
			rc = avc_has_perm(&selinux_state,
					  sid, sid, SECCLASS_PROCESS,
					  PROCESS__EXECHEAP, NULL);
		} else if (!vma->vm_file &&
			   ((vma->vm_start <= vma->vm_mm->start_stack &&
			     vma->vm_end >= vma->vm_mm->start_stack) ||
			    vma_is_stack_for_current(vma))) {
			rc = avc_has_perm(&selinux_state,
					  sid, sid, SECCLASS_PROCESS,
					  PROCESS__EXECSTACK, NULL);
		} else if (vma->vm_file && vma->anon_vma) {
			/*
			 * We are making executable a file mapping that has
			 * had some COW done. Since pages might have been
			 * written, check ability to execute the possibly
			 * modified content.  This typically should only
			 * occur for text relocations.
			 */
			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
		}
		if (rc)
			return rc;
	}

	/* vm_file is NULL for anonymous mappings; VM_SHARED marks shared ones. */
	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
}
3934
/* Any file lock operation (@cmd is not distinguished) needs file:lock. */
static int selinux_file_lock(struct file *file, unsigned int cmd)
{
	return file_has_perm(current_cred(), file, FILE__LOCK);
}
3941
/*
 * fcntl hook.  Clearing O_APPEND via F_SETFL is treated as a write; the
 * other flag/owner/signal commands only need descriptor use; lock commands
 * need file:lock.  Commands not listed are allowed.
 */
static int selinux_file_fcntl(struct file *file, unsigned int cmd,
			      unsigned long arg)
{
	const struct cred *cred = current_cred();

	switch (cmd) {
	case F_SETFL:
		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND))
			return file_has_perm(cred, file, FILE__WRITE);
		/* Just check FD__USE permission */
		return file_has_perm(cred, file, 0);

	case F_SETOWN:
	case F_SETSIG:
	case F_GETFL:
	case F_GETOWN:
	case F_GETSIG:
	case F_GETOWNER_UIDS:
		/* Just check FD__USE permission */
		return file_has_perm(cred, file, 0);

	case F_GETLK:
	case F_SETLK:
	case F_SETLKW:
	case F_OFD_GETLK:
	case F_OFD_SETLK:
	case F_OFD_SETLKW:
#if BITS_PER_LONG == 32
	case F_GETLK64:
	case F_SETLK64:
	case F_SETLKW64:
#endif
		return file_has_perm(cred, file, FILE__LOCK);

	default:
		return 0;
	}
}
3981
/* Record the current task's SID as the file's owner for SIGIO delivery. */
static void selinux_file_set_fowner(struct file *file)
{
	selinux_file(file)->fown_sid = current_sid();
}
3989
/*
 * SIGIO/SIGURG delivery: the file owner's SID (recorded by
 * selinux_file_set_fowner) must be allowed to send @signum to @tsk.
 */
static int selinux_file_send_sigiotask(struct task_struct *tsk,
				       struct fown_struct *fown, int signum)
{
	/* struct fown_struct is never outside the context of a struct file */
	struct file *file = container_of(fown, struct file, f_owner);
	struct file_security_struct *fsec = selinux_file(file);
	/* signum 0 means SIGIO, as per send_sigio_to_task */
	u32 av = signal_to_av(signum ? signum : SIGIO);

	return avc_has_perm(&selinux_state, fsec->fown_sid, task_sid_obj(tsk),
			    SECCLASS_PROCESS, av, NULL);
}
4012
/* Receiving a descriptor (e.g. via SCM_RIGHTS) needs the file's access mode permissions. */
static int selinux_file_receive(struct file *file)
{
	return file_has_perm(current_cred(), file, file_to_av(file));
}
4019
/*
 * File open hook: snapshot the inode label and policy sequence number into
 * the file security blob, then re-check the open permissions.
 */
static int selinux_file_open(struct file *file)
{
	struct file_security_struct *fsec = selinux_file(file);
	const struct inode_security_struct *isec = inode_security(file_inode(file));

	/*
	 * Save inode label and policy sequence number at open-time so that
	 * selinux_file_permission can determine whether revalidation is
	 * necessary.  Task label is already saved in the file security
	 * struct as its SID.
	 */
	fsec->isid = isec->sid;
	fsec->pseqno = avc_policy_seqno(&selinux_state);

	/*
	 * Since the inode label or policy seqno may have changed between the
	 * selinux_inode_permission check and the saving of state above,
	 * recheck that access is still permitted.  Otherwise, access might
	 * never be revalidated against the new inode label or new policy.
	 * This check is not redundant - do not remove.
	 */
	return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
}
4046
4047/* task security operations */
4048
/* Creating a new task requires process:fork on the task's own label. */
static int selinux_task_alloc(struct task_struct *task,
			      unsigned long clone_flags)
{
	u32 self = current_sid();

	return avc_has_perm(&selinux_state, self, self, SECCLASS_PROCESS,
			    PROCESS__FORK, NULL);
}
4057
/*
 * prepare a new set of credentials for modification: the task security
 * record is copied wholesale from @old to @new.  Cannot fail.
 */
static int selinux_cred_prepare(struct cred *new, const struct cred *old,
				gfp_t gfp)
{
	*selinux_cred(new) = *selinux_cred(old);
	return 0;
}
4070
/*
 * transfer the SELinux data to a blank set of creds: a plain struct copy
 * of the task security record.
 */
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
{
	*selinux_cred(new) = *selinux_cred(old);
}
4081
/* Report the SID carried by a credential set. */
static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
{
	u32 sid = cred_sid(c);

	*secid = sid;
}
4086
/*
 * set the security data for a kernel service
 * - all the creation contexts are set to unlabelled
 *
 * The current task must hold kernel_service:use_as_override towards the
 * target @secid; on denial @new is left untouched.
 */
static int selinux_kernel_act_as(struct cred *new, u32 secid)
{
	struct task_security_struct *tsec = selinux_cred(new);
	u32 sid = current_sid();
	int err = avc_has_perm(&selinux_state, sid, secid,
			       SECCLASS_KERNEL_SERVICE,
			       KERNEL_SERVICE__USE_AS_OVERRIDE, NULL);

	if (err)
		return err;

	tsec->sid = secid;
	tsec->create_sid = 0;
	tsec->keycreate_sid = 0;
	tsec->sockcreate_sid = 0;
	return 0;
}
4110
/*
 * set the file creation context in a security record to the same as the
 * objective context of the specified inode
 *
 * Requires kernel_service:create_files_as from the current task towards
 * the inode's label; on denial @new is left untouched.
 */
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
{
	struct inode_security_struct *isec = inode_security(inode);
	u32 self = current_sid();
	int err = avc_has_perm(&selinux_state, self, isec->sid,
			       SECCLASS_KERNEL_SERVICE,
			       KERNEL_SERVICE__CREATE_FILES_AS, NULL);

	if (err)
		return err;

	selinux_cred(new)->create_sid = isec->sid;
	return 0;
}
4132
/*
 * Auto-loading a kernel module by name needs system:module_request from
 * the current task towards the kernel SID; the module name is audited.
 */
static int selinux_kernel_module_request(char *kmod_name)
{
	struct common_audit_data ad = { .type = LSM_AUDIT_DATA_KMOD };

	ad.u.kmod_name = kmod_name;

	return avc_has_perm(&selinux_state, current_sid(), SECINITSID_KERNEL,
			    SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, &ad);
}
4144
/*
 * Module load check.  Without a file (init_module, or contents not read
 * from a file) the task needs system:module_load on itself; with a file
 * (finit_module) it needs fd:use if the descriptor was opened by another
 * context, plus system:module_load towards the file's inode.
 */
static int selinux_kernel_module_from_file(struct file *file)
{
	u32 sid = current_sid();
	struct common_audit_data ad;
	struct file_security_struct *fsec;
	int err;

	/* init_module */
	if (!file)
		return avc_has_perm(&selinux_state, sid, sid, SECCLASS_SYSTEM,
				    SYSTEM__MODULE_LOAD, NULL);

	/* finit_module */
	ad.type = LSM_AUDIT_DATA_FILE;
	ad.u.file = file;

	fsec = selinux_file(file);
	if (fsec->sid != sid) {
		err = avc_has_perm(&selinux_state, sid, fsec->sid,
				   SECCLASS_FD, FD__USE, &ad);
		if (err)
			return err;
	}

	return avc_has_perm(&selinux_state, sid,
			    inode_security(file_inode(file))->sid,
			    SECCLASS_SYSTEM, SYSTEM__MODULE_LOAD, &ad);
}
4177
/*
 * Hook for the kernel reading a file of kind @id on its own behalf.
 *
 * Only READING_MODULE is mediated here; every other kind is allowed.  When
 * @contents is false the module check is made without the file (the same
 * path as init_module); with @contents true the file itself is checked.
 */
static int selinux_kernel_read_file(struct file *file,
				    enum kernel_read_file_id id,
				    bool contents)
{
	if (id != READING_MODULE)
		return 0;

	return selinux_kernel_module_from_file(contents ? file : NULL);
}
4194
/*
 * Hook for the kernel loading data of kind @id from a userspace buffer.
 *
 * Only LOADING_MODULE is mediated; it is checked as a module load with no
 * backing file (the init_module path).  @contents is not consulted.
 */
static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
{
	if (id != LOADING_MODULE)
		return 0;

	return selinux_kernel_module_from_file(NULL);
}
4209
/*
 * setpgid() on task @p: the caller needs process:setpgid towards @p.
 * @pgid does not influence the decision.
 */
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__SETPGID, NULL);
}
4216
/* getpgid() on task @p: the caller needs process:getpgid towards @p. */
static int selinux_task_getpgid(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__GETPGID, NULL);
}
4223
/* getsid() on task @p: the caller needs process:getsession towards @p. */
static int selinux_task_getsid(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__GETSESSION, NULL);
}
4230
/*
 * Report the subjective SID of task @p through @secid.  No permission check
 * is made; this is a plain label query for other LSM-aware callers.
 */
static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid)
{
	u32 subj_sid = task_sid_subj(p);

	*secid = subj_sid;
}
4235
/*
 * Report the objective SID of task @p through @secid.  No permission check
 * is made; this is a plain label query for other LSM-aware callers.
 */
static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
{
	u32 obj_sid = task_sid_obj(p);

	*secid = obj_sid;
}
4240
/*
 * Changing the nice value of task @p is treated as a scheduling change:
 * the caller needs process:setsched towards @p.  @nice itself is not used.
 */
static int selinux_task_setnice(struct task_struct *p, int nice)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__SETSCHED, NULL);
}
4247
/*
 * Changing the I/O priority of task @p is treated as a scheduling change:
 * the caller needs process:setsched towards @p.  @ioprio is not used.
 */
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__SETSCHED, NULL);
}
4254
/*
 * Reading the I/O priority of task @p: the caller needs process:getsched
 * towards @p.
 */
static int selinux_task_getioprio(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__GETSCHED, NULL);
}
4261
/*
 * prlimit() between credentials @cred (caller) and @tcred (target).
 *
 * @flags says which directions are requested: LSM_PRLIMIT_WRITE maps to
 * process:setrlimit and LSM_PRLIMIT_READ to process:getrlimit; both bits
 * may be set and are then checked together.  No flags means no check.
 */
static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
				unsigned int flags)
{
	u32 av;

	if (!flags)
		return 0;

	av = ((flags & LSM_PRLIMIT_WRITE) ? PROCESS__SETRLIMIT : 0) |
	     ((flags & LSM_PRLIMIT_READ) ? PROCESS__GETRLIMIT : 0);

	return avc_has_perm(&selinux_state, cred_sid(cred), cred_sid(tcred),
			    SECCLASS_PROCESS, av, NULL);
}
4277
/*
 * setrlimit() of @resource on task @p with the proposed limits @new_rlim.
 *
 * Only a change of the hard limit (in either direction) is mediated, via
 * process:setrlimit from the caller to @p; the hard limit is what
 * selinux_bprm_committing_creds later uses as a safe reset point for the
 * soft limit across context transitions.  Soft-limit-only changes pass.
 *
 * NOTE(review): @resource is used to index p->signal->rlim unchecked, so it
 * is assumed already range-validated by the caller - confirm.
 */
static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
		struct rlimit *new_rlim)
{
	const struct rlimit *cur_rlim = &p->signal->rlim[resource];

	if (cur_rlim->rlim_max == new_rlim->rlim_max)
		return 0;

	return avc_has_perm(&selinux_state, current_sid(), task_sid_obj(p),
			    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
}
4294
/* Changing the scheduling of task @p needs process:setsched towards @p. */
static int selinux_task_setscheduler(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__SETSCHED, NULL);
}
4301
/* Querying the scheduling of task @p needs process:getsched towards @p. */
static int selinux_task_getscheduler(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__GETSCHED, NULL);
}
4308
/*
 * Moving the memory of task @p (between NUMA nodes) is treated like a
 * scheduling change: the caller needs process:setsched towards @p.
 */
static int selinux_task_movememory(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid_obj(p);

	return avc_has_perm(&selinux_state, ssid, tsid, SECCLASS_PROCESS,
			    PROCESS__SETSCHED, NULL);
}
4315
/*
 * Sending signal @sig to task @p.
 *
 * Signal 0 is the existence probe and maps to process:signull; any other
 * signal maps to its permission via signal_to_av().  The sender is @cred
 * when given (a signal sent on behalf of other credentials), otherwise the
 * current task.  @info is not consulted.
 */
static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
				int sig, const struct cred *cred)
{
	u32 perm = sig ? signal_to_av(sig) : PROCESS__SIGNULL;
	u32 ssid = cred ? cred_sid(cred) : current_sid();

	return avc_has_perm(&selinux_state, ssid, task_sid_obj(p),
			    SECCLASS_PROCESS, perm, NULL);
}
4333
/*
 * Label @inode with the objective SID of task @p (presumably a per-task
 * /proc inode - confirm at the caller) and mark the label initialized.
 *
 * The class is derived from the inode mode; all three fields are updated
 * under isec->lock so a concurrent reader never sees a half-written label.
 */
static void selinux_task_to_inode(struct task_struct *p,
				  struct inode *inode)
{
	struct inode_security_struct *isec = selinux_inode(inode);
	u32 task_sid = task_sid_obj(p);

	spin_lock(&isec->lock);
	isec->sid = task_sid;
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
	isec->initialized = LABEL_INITIALIZED;
	spin_unlock(&isec->lock);
}
4346
4347/* Returns error only if unable to parse addresses */
4348static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4349                        struct common_audit_data *ad, u8 *proto)
4350{
4351        int offset, ihlen, ret = -EINVAL;
4352        struct iphdr _iph, *ih;
4353
4354        offset = skb_network_offset(skb);
4355        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4356        if (ih == NULL)
4357                goto out;
4358
4359        ihlen = ih->ihl * 4;
4360        if (ihlen < sizeof(_iph))
4361                goto out;
4362
4363        ad->u.net->v4info.saddr = ih->saddr;
4364        ad->u.net->v4info.daddr = ih->daddr;
4365        ret = 0;
4366
4367        if (proto)
4368                *proto = ih->protocol;
4369
4370        switch (ih->