Linux/security/selinux/hooks.c


  1 /*
  2  *  NSA Security-Enhanced Linux (SELinux) security module
  3  *
  4  *  This file contains the SELinux hook function implementations.
  5  *
  6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
  7  *            Chris Vance, <cvance@nai.com>
  8  *            Wayne Salamon, <wsalamon@nai.com>
  9  *            James Morris <jmorris@redhat.com>
 10  *
 11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
 12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
 13  *                                         Eric Paris <eparis@redhat.com>
 14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 15  *                          <dgoeddel@trustedcs.com>
 16  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
 17  *      Paul Moore <paul@paul-moore.com>
 18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
 19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
 20  *  Copyright (C) 2016 Mellanox Technologies
 21  *
 22  *      This program is free software; you can redistribute it and/or modify
 23  *      it under the terms of the GNU General Public License version 2,
 24  *      as published by the Free Software Foundation.
 25  */
 26 
 27 #include <linux/init.h>
 28 #include <linux/kd.h>
 29 #include <linux/kernel.h>
 30 #include <linux/tracehook.h>
 31 #include <linux/errno.h>
 32 #include <linux/sched/signal.h>
 33 #include <linux/sched/task.h>
 34 #include <linux/lsm_hooks.h>
 35 #include <linux/xattr.h>
 36 #include <linux/capability.h>
 37 #include <linux/unistd.h>
 38 #include <linux/mm.h>
 39 #include <linux/mman.h>
 40 #include <linux/slab.h>
 41 #include <linux/pagemap.h>
 42 #include <linux/proc_fs.h>
 43 #include <linux/swap.h>
 44 #include <linux/spinlock.h>
 45 #include <linux/syscalls.h>
 46 #include <linux/dcache.h>
 47 #include <linux/file.h>
 48 #include <linux/fdtable.h>
 49 #include <linux/namei.h>
 50 #include <linux/mount.h>
 51 #include <linux/netfilter_ipv4.h>
 52 #include <linux/netfilter_ipv6.h>
 53 #include <linux/tty.h>
 54 #include <net/icmp.h>
 55 #include <net/ip.h>             /* for local_port_range[] */
 56 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 57 #include <net/inet_connection_sock.h>
 58 #include <net/net_namespace.h>
 59 #include <net/netlabel.h>
 60 #include <linux/uaccess.h>
 61 #include <asm/ioctls.h>
 62 #include <linux/atomic.h>
 63 #include <linux/bitops.h>
 64 #include <linux/interrupt.h>
 65 #include <linux/netdevice.h>    /* for network interface checks */
 66 #include <net/netlink.h>
 67 #include <linux/tcp.h>
 68 #include <linux/udp.h>
 69 #include <linux/dccp.h>
 70 #include <linux/quota.h>
 71 #include <linux/un.h>           /* for Unix socket types */
 72 #include <net/af_unix.h>        /* for Unix socket types */
 73 #include <linux/parser.h>
 74 #include <linux/nfs_mount.h>
 75 #include <net/ipv6.h>
 76 #include <linux/hugetlb.h>
 77 #include <linux/personality.h>
 78 #include <linux/audit.h>
 79 #include <linux/string.h>
 80 #include <linux/selinux.h>
 81 #include <linux/mutex.h>
 82 #include <linux/posix-timers.h>
 83 #include <linux/syslog.h>
 84 #include <linux/user_namespace.h>
 85 #include <linux/export.h>
 86 #include <linux/msg.h>
 87 #include <linux/shm.h>
 88 
 89 #include "avc.h"
 90 #include "objsec.h"
 91 #include "netif.h"
 92 #include "netnode.h"
 93 #include "netport.h"
 94 #include "ibpkey.h"
 95 #include "xfrm.h"
 96 #include "netlabel.h"
 97 #include "audit.h"
 98 #include "avc_ss.h"
 99 
/* SECMARK reference count: the number of SECMARK targets currently
 * configured.  Maintained outside this excerpt; read by
 * selinux_secmark_enabled() to decide whether SECMARK checks apply. */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102 
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
/* Enforcing (1) vs. permissive (0) mode; zero until the "enforcing=" boot
 * parameter, or some later runtime path, sets it. */
int selinux_enforcing;

/*
 * enforcing_setup - handle the "enforcing=" kernel command-line parameter
 * @str: the text following "enforcing="
 *
 * Any value kstrtoul() accepts (base auto-detected) is collapsed to 0/1; a
 * value it rejects leaves selinux_enforcing untouched.  Returns 1, which
 * __setup() takes to mean the parameter was consumed.
 */
static int __init enforcing_setup(char *str)
{
        unsigned long val;

        if (kstrtoul(str, 0, &val) == 0)
                selinux_enforcing = !!val;
        return 1;
}
__setup("enforcing=", enforcing_setup);
#endif
115 
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
/* Whether SELinux is active at all.  The build-time default may be
 * overridden by the "selinux=" boot parameter, so the kernel command line is
 * part of the configuration that must be trusted. */
int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;

/*
 * selinux_enabled_setup - handle the "selinux=" kernel command-line parameter
 * @str: the text following "selinux="
 *
 * Any value kstrtoul() accepts is collapsed to 0/1; an unparsable value
 * leaves selinux_enabled as it was.  Returns 1 so __setup() treats the
 * parameter as consumed.
 */
static int __init selinux_enabled_setup(char *str)
{
        unsigned long val;

        if (kstrtoul(str, 0, &val) == 0)
                selinux_enabled = !!val;
        return 1;
}
__setup("selinux=", selinux_enabled_setup);
#else
/* Without the boot-parameter option SELinux cannot be switched off. */
int selinux_enabled = 1;
#endif
130 
/* Slab caches for the per-inode and per-file security blobs.  They are
 * created outside this excerpt and used by inode_alloc_security() /
 * inode_free_rcu() and file_alloc_security() / file_free_security(). */
static struct kmem_cache *sel_inode_cache;
static struct kmem_cache *file_security_cache;
133 
/**
 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
 *
 * Description:
 * SECMARK counts as enabled when at least one SECMARK target is configured
 * (the reference counter is non-zero) or when the always_check_network
 * policy capability forces network checks on regardless of configuration.
 * Returns 1 when enabled, 0 otherwise.
 *
 */
static int selinux_secmark_enabled(void)
{
        if (selinux_policycap_alwaysnetwork)
                return 1;
        return atomic_read(&selinux_secmark_refcount) != 0;
}
149 
/**
 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
 *
 * Description:
 * Peer labeling is on if either NetLabel or labeled IPsec (xfrm) is enabled,
 * or unconditionally when the always_check_network policy capability is set.
 * Returns 1 when enabled, 0 otherwise.
 *
 */
static int selinux_peerlbl_enabled(void)
{
        if (selinux_policycap_alwaysnetwork)
                return 1;
        if (netlbl_enabled())
                return 1;
        return selinux_xfrm_enabled() ? 1 : 0;
}
164 
/*
 * selinux_netcache_avc_callback - AVC callback that drops the network caches
 * @event: the AVC event being reported
 *
 * On AVC_CALLBACK_RESET the cached netif, netnode and netport labels are
 * flushed and synchronize_net() waits for in-flight network RCU readers
 * before returning.  Other events are ignored.  Always returns 0.
 */
static int selinux_netcache_avc_callback(u32 event)
{
        if (event != AVC_CALLBACK_RESET)
                return 0;

        sel_netif_flush();
        sel_netnode_flush();
        sel_netport_flush();
        synchronize_net();
        return 0;
}
175 
/*
 * selinux_lsm_notifier_avc_callback - AVC callback that announces a policy change
 * @event: the AVC event being reported
 *
 * On AVC_CALLBACK_RESET the IB pkey label cache is flushed and LSM notifier
 * subscribers receive LSM_POLICY_CHANGE.  Other events are ignored.  Always
 * returns 0.
 */
static int selinux_lsm_notifier_avc_callback(u32 event)
{
        if (event != AVC_CALLBACK_RESET)
                return 0;

        sel_ib_pkey_flush();
        call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
        return 0;
}
185 
/*
 * cred_init_security - attach the initial security blob to the init task
 *
 * Allocates a task_security_struct with both the subjective and objective
 * SID set to SECINITSID_KERNEL and hangs it off current->real_cred.  There
 * is no recovery from allocation failure this early, so it panics.
 */
static void cred_init_security(void)
{
        struct task_security_struct *tsec;
        struct cred *cred;

        tsec = kzalloc(sizeof(*tsec), GFP_KERNEL);
        if (!tsec)
                panic("SELinux:  Failed to initialize initial task.\n");

        tsec->osid = SECINITSID_KERNEL;
        tsec->sid = SECINITSID_KERNEL;

        /* real_cred is const; casting it away is deliberate here because
         * the init task's credentials are still being constructed. */
        cred = (struct cred *) current->real_cred;
        cred->security = tsec;
}
201 
/*
 * cred_sid - return the security ID carried by a set of credentials
 * @cred: credentials whose security blob is read
 */
static inline u32 cred_sid(const struct cred *cred)
{
        const struct task_security_struct *tsec = cred->security;

        return tsec->sid;
}
212 
/*
 * task_sid - return the objective security ID of a task
 * @task: the task whose credentials are examined
 *
 * The task's real credentials are read under rcu_read_lock() because they
 * may be replaced concurrently; only the SID escapes the RCU section.
 */
static inline u32 task_sid(const struct task_struct *task)
{
        const struct cred *cred;
        u32 sid;

        rcu_read_lock();
        cred = __task_cred(task);
        sid = cred_sid(cred);
        rcu_read_unlock();

        return sid;
}
225 
226 /* Allocate and free functions for each kind of security blob. */
227 
/*
 * inode_alloc_security - allocate and attach the security blob for an inode
 * @inode: the inode being set up
 *
 * The blob starts out unlabeled (SECINITSID_UNLABELED, class file) and
 * marked LABEL_INVALID; the real label is resolved later through
 * inode_doinit_with_dentry().  The creating task's SID is recorded in
 * task_sid.  Returns 0, or -ENOMEM if the slab allocation fails.
 */
static int inode_alloc_security(struct inode *inode)
{
        u32 tsid = current_sid();
        struct inode_security_struct *isec;

        /* GFP_NOFS: inodes can be created from within filesystem code. */
        isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
        if (isec == NULL)
                return -ENOMEM;

        spin_lock_init(&isec->lock);
        INIT_LIST_HEAD(&isec->list);
        isec->inode = inode;
        isec->task_sid = tsid;
        isec->sid = SECINITSID_UNLABELED;
        isec->sclass = SECCLASS_FILE;
        isec->initialized = LABEL_INVALID;
        inode->i_security = isec;

        return 0;
}
248 
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250 
/*
 * __inode_security_revalidate - reload an inode label that was marked invalid
 * @inode:      the inode whose label is checked
 * @opt_dentry: a dentry of @inode, or NULL when none is available
 * @may_sleep:  whether the caller can tolerate sleeping
 *
 * Returns 0 when the label is already initialized, when policy is not yet
 * loaded, or after a reload attempt.  Returns -ECHILD when the label needs
 * reloading but @may_sleep is false, so that a non-sleeping caller (see
 * inode_security_rcu()) can fall back to a path that may sleep.
 */
static int __inode_security_revalidate(struct inode *inode,
                                       struct dentry *opt_dentry,
                                       bool may_sleep)
{
        struct inode_security_struct *isec = inode->i_security;

        might_sleep_if(may_sleep);

        /* Nothing to do before policy load or once the label is final. */
        if (!ss_initialized || isec->initialized == LABEL_INITIALIZED)
                return 0;

        if (!may_sleep)
                return -ECHILD;

        /*
         * Best effort: with a NULL @opt_dentry and no dentry discoverable for
         * this inode the reload fails and the old label remains in use.
         */
        inode_doinit_with_dentry(inode, opt_dentry);
        return 0;
}
279 
/* Return the inode's security blob as-is, without revalidating its label. */
static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
{
        struct inode_security_struct *isec = inode->i_security;

        return isec;
}
284 
/*
 * inode_security_rcu - get an inode's security blob, RCU-walk aware
 * @inode: the inode
 * @rcu:   true when called under RCU-walk, i.e. sleeping is not allowed
 *
 * Revalidates the label first; under RCU-walk a stale label yields
 * ERR_PTR(-ECHILD) instead of blocking.  Otherwise returns i_security.
 */
static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
{
        int rc = __inode_security_revalidate(inode, NULL, !rcu);

        return rc ? ERR_PTR(rc) : inode->i_security;
}
294 
/*
 * inode_security - get the security label of an inode (may sleep)
 * @inode: the inode
 *
 * Refreshes a stale label before returning the blob.  With may_sleep set,
 * __inode_security_revalidate() can only return 0, so its result is dropped.
 */
static struct inode_security_struct *inode_security(struct inode *inode)
{
        (void)__inode_security_revalidate(inode, NULL, true);
        return inode->i_security;
}
303 
/* Security blob of a dentry's backing inode, without label revalidation. */
static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
{
        return d_backing_inode(dentry)->i_security;
}
310 
/*
 * backing_inode_security - get the label of a dentry's backing inode (may sleep)
 * @dentry: the dentry
 *
 * Unlike inode_security(), the dentry is passed down to the revalidation so
 * a stale label can be reloaded even when no other dentry for the inode can
 * be found.
 */
static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
{
        struct inode *backing = d_backing_inode(dentry);

        (void)__inode_security_revalidate(backing, dentry, true);
        return backing->i_security;
}
321 
/* RCU callback: return an inode security blob to its slab cache once no
 * reader can still reach it (queued by inode_free_security()). */
static void inode_free_rcu(struct rcu_head *head)
{
        struct inode_security_struct *isec =
                container_of(head, struct inode_security_struct, rcu);

        kmem_cache_free(sel_inode_cache, isec);
}
329 
/*
 * inode_free_security - release an inode's security blob
 * @inode: the inode being destroyed
 *
 * Unlinks the blob from the superblock's pending-label list if it is on it,
 * then frees it via RCU.  inode->i_security is deliberately left pointing
 * at the blob (see the second comment below).
 */
static void inode_free_security(struct inode *inode)
{
        struct inode_security_struct *isec = inode->i_security;
        struct superblock_security_struct *sbsec = inode->i_sb->s_security;

        /*
         * As not all inode security structures are in a list, we check for
         * empty list outside of the lock to make sure that we won't waste
         * time taking a lock doing nothing.
         *
         * The list_del_init() function can be safely called more than once.
         * It should not be possible for this function to be called with
         * concurrent list_add(), but for better safety against future changes
         * in the code, we use list_empty_careful() here.
         */
        if (!list_empty_careful(&isec->list)) {
                spin_lock(&sbsec->isec_lock);
                list_del_init(&isec->list);
                spin_unlock(&sbsec->isec_lock);
        }

        /*
         * The inode may still be referenced in a path walk and
         * a call to selinux_inode_permission() can be made
         * after inode_free_security() is called. Ideally, the VFS
         * wouldn't do this, but fixing that is a much harder
         * job. For now, simply free the i_security via RCU, and
         * leave the current inode->i_security pointer intact.
         * The inode will be freed after the RCU grace period too.
         */
        call_rcu(&isec->rcu, inode_free_rcu);
}
362 
/*
 * file_alloc_security - allocate and attach the security blob for a file
 * @file: the file being opened
 *
 * Both the file's own SID and its owner SID (fown_sid) start as the SID of
 * the task creating the file.  Returns 0, or -ENOMEM on allocation failure.
 */
static int file_alloc_security(struct file *file)
{
        struct file_security_struct *fsec;
        u32 tsid = current_sid();

        fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
        if (fsec == NULL)
                return -ENOMEM;

        fsec->fown_sid = tsid;
        fsec->sid = tsid;
        file->f_security = fsec;

        return 0;
}
378 
/* Detach and free a file's security blob; f_security is cleared first so no
 * dangling pointer remains on the file. */
static void file_free_security(struct file *file)
{
        struct file_security_struct *fsec = file->f_security;

        file->f_security = NULL;
        kmem_cache_free(file_security_cache, fsec);
}
385 
/*
 * superblock_alloc_security - allocate and attach the security blob for a sb
 * @sb: the superblock being set up
 *
 * The superblock and mount point start out as SECINITSID_UNLABELED and
 * def_sid as SECINITSID_FILE; the mount-option code later refines them.
 * Returns 0, or -ENOMEM if kzalloc() fails.
 */
static int superblock_alloc_security(struct super_block *sb)
{
        struct superblock_security_struct *sbsec;

        sbsec = kzalloc(sizeof(*sbsec), GFP_KERNEL);
        if (sbsec == NULL)
                return -ENOMEM;

        mutex_init(&sbsec->lock);
        spin_lock_init(&sbsec->isec_lock);
        INIT_LIST_HEAD(&sbsec->isec_head);
        sbsec->sb = sb;
        sbsec->sid = SECINITSID_UNLABELED;
        sbsec->mntpoint_sid = SECINITSID_UNLABELED;
        sbsec->def_sid = SECINITSID_FILE;
        sb->s_security = sbsec;

        return 0;
}
405 
/* Detach and free a superblock's security blob. */
static void superblock_free_security(struct super_block *sb)
{
        struct superblock_security_struct *sbsec = sb->s_security;

        sb->s_security = NULL;
        kfree(sbsec);
}
412 
/* Label @inode with no dentry hint; see inode_doinit_with_dentry(). */
static inline int inode_doinit(struct inode *inode)
{
        struct dentry *no_dentry = NULL;

        return inode_doinit_with_dentry(inode, no_dentry);
}
417 
/* Token ids for the SELinux-specific mount options.  Opt_error is returned
 * for unknown input; Opt_nextmntopt is a sentinel used only for counting. */
enum {
        Opt_error = -1,
        Opt_context = 1,
        Opt_fscontext = 2,
        Opt_defcontext = 3,
        Opt_rootcontext = 4,
        Opt_labelsupport = 5,
        Opt_nextmntopt = 6,
};

/* Number of real options above; also the bit count selinux_get_mnt_opts()
 * scans in SE_MNTMASK. */
#define NUM_SEL_MNT_OPTS        (Opt_nextmntopt - 1)

/* match_token() table.  The *_STR macros (defined elsewhere) supply the
 * option keywords; "%s" captures the context string that follows them. */
static const match_table_t tokens = {
        {Opt_context, CONTEXT_STR "%s"},
        {Opt_fscontext, FSCONTEXT_STR "%s"},
        {Opt_defcontext, DEFCONTEXT_STR "%s"},
        {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
        {Opt_labelsupport, LABELSUPP_STR},
        {Opt_error, NULL},
};

/* Warning for re-mounting a superblock with conflicting or repeated
 * security options (the condition bad_option() detects). */
#define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
440 
/*
 * may_context_mount_sb_relabel - may @cred give the superblock a new label?
 * @sid:   the superblock SID being requested
 * @sbsec: the superblock's current security state
 * @cred:  credentials of the mounting task
 *
 * Requires filesystem:relabelfrom on the sb's current SID and
 * filesystem:relabelto on @sid.  Returns 0 if both are granted, otherwise
 * the avc_has_perm() error of the first check that failed.
 */
static int may_context_mount_sb_relabel(u32 sid,
                        struct superblock_security_struct *sbsec,
                        const struct cred *cred)
{
        const struct task_security_struct *tsec = cred->security;
        int rc;

        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
                          FILESYSTEM__RELABELFROM, NULL);
        if (rc)
                return rc;

        return avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
                            FILESYSTEM__RELABELTO, NULL);
}
457 
/*
 * may_context_mount_inode_relabel - may @cred label inodes of this sb as @sid?
 * @sid:   the inode SID being requested (context=, defcontext=, rootcontext=)
 * @sbsec: the superblock's current security state
 * @cred:  credentials of the mounting task
 *
 * Requires filesystem:relabelfrom for the task on the sb's SID, and
 * filesystem:associate for @sid on the sb's SID.  Returns 0 if both are
 * granted, otherwise the avc_has_perm() error of the failing check.
 */
static int may_context_mount_inode_relabel(u32 sid,
                        struct superblock_security_struct *sbsec,
                        const struct cred *cred)
{
        const struct task_security_struct *tsec = cred->security;
        int rc;

        rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
                          FILESYSTEM__RELABELFROM, NULL);
        if (rc)
                return rc;

        return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
                            FILESYSTEM__ASSOCIATE, NULL);
}
473 
/*
 * selinux_is_sblabel_mnt - should this superblock be flagged SBLABEL_MNT?
 * @sb: the superblock
 *
 * Returns 1 for the labeling behaviors that support per-inode labels, for a
 * fixed set of pseudo filesystems that are genfs-labelled but also provide
 * an in-core setxattr handler, and for cgroup/cgroup2 once the
 * cgroup_seclabel policy capability is enabled.  Returns 0 otherwise.
 */
static int selinux_is_sblabel_mnt(struct super_block *sb)
{
        struct superblock_security_struct *sbsec = sb->s_security;
        const char *fstype;

        switch (sbsec->behavior) {
        case SECURITY_FS_USE_XATTR:
        case SECURITY_FS_USE_TRANS:
        case SECURITY_FS_USE_TASK:
        case SECURITY_FS_USE_NATIVE:
                return 1;
        default:
                break;
        }

        /* Special handling. Genfs but also in-core setxattr handler */
        fstype = sb->s_type->name;
        if (!strcmp(fstype, "sysfs") ||
            !strcmp(fstype, "pstore") ||
            !strcmp(fstype, "debugfs") ||
            !strcmp(fstype, "tracefs") ||
            !strcmp(fstype, "rootfs"))
                return 1;

        /* cgroupfs only once policy opts in via the capability. */
        if (selinux_policycap_cgroupseclabel &&
            (!strcmp(fstype, "cgroup") || !strcmp(fstype, "cgroup2")))
                return 1;

        return 0;
}
492 
/*
 * sb_finish_set_opts - complete superblock labeling once options are known
 * @sb: the superblock
 *
 * For xattr-labelled filesystems, verifies that xattrs are supported and
 * that reading the root's security xattr fails with nothing worse than
 * -ENODATA.  Then marks the sb initialized, sets or clears SBLABEL_MNT,
 * labels the root inode and drains the superblock's list of inodes that
 * were created before labels could be assigned.
 *
 * Returns the result of labeling the root inode, or -EOPNOTSUPP / the
 * getxattr error when the xattr checks fail.
 */
static int sb_finish_set_opts(struct super_block *sb)
{
        struct superblock_security_struct *sbsec = sb->s_security;
        struct dentry *root = sb->s_root;
        struct inode *root_inode = d_backing_inode(root);
        int rc = 0;

        if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
                /*
                 * The xattr handler must exist, and getxattr on the root may
                 * fail only with -ENODATA.  -ENODATA is tolerated because on
                 * the first boot of an SELinux kernel no xattr values have
                 * been written to the filesystem yet.
                 */
                if (!(root_inode->i_opflags & IOP_XATTR)) {
                        printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
                               "xattr support\n", sb->s_id, sb->s_type->name);
                        rc = -EOPNOTSUPP;
                        goto out;
                }

                rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
                if (rc < 0 && rc != -ENODATA) {
                        if (rc == -EOPNOTSUPP)
                                printk(KERN_WARNING "SELinux: (dev %s, type "
                                       "%s) has no security xattr handler\n",
                                       sb->s_id, sb->s_type->name);
                        else
                                printk(KERN_WARNING "SELinux: (dev %s, type "
                                       "%s) getxattr errno %d\n", sb->s_id,
                                       sb->s_type->name, -rc);
                        goto out;
                }
        }

        sbsec->flags |= SE_SBINITIALIZED;

        /*
         * SBLABEL_MNT is set or cleared explicitly rather than left alone:
         * sb_clone_mnt_opts may hand over a superblock on which the flag
         * has to be cleared.
         */
        if (selinux_is_sblabel_mnt(sb))
                sbsec->flags |= SBLABEL_MNT;
        else
                sbsec->flags &= ~SBLABEL_MNT;

        /* Label the root inode. */
        rc = inode_doinit_with_dentry(root_inode, root);

        /*
         * Label every other inode queued on this superblock: inodes created
         * before the initial policy load, or created during get_sb by a
         * pseudo filesystem that populates itself.  The lock is dropped
         * while each inode is labelled, since that path may sleep (see
         * might_sleep_if() in __inode_security_revalidate()).
         */
        spin_lock(&sbsec->isec_lock);
        while (!list_empty(&sbsec->isec_head)) {
                struct inode_security_struct *isec =
                                list_entry(sbsec->isec_head.next,
                                           struct inode_security_struct, list);
                struct inode *inode = isec->inode;

                list_del_init(&isec->list);
                spin_unlock(&sbsec->isec_lock);

                inode = igrab(inode);
                if (inode) {
                        if (!IS_PRIVATE(inode))
                                inode_doinit(inode);
                        iput(inode);
                }

                spin_lock(&sbsec->isec_lock);
        }
        spin_unlock(&sbsec->isec_lock);
out:
        return rc;
}
568 
/*
 * sel_mnt_opt_append - record one context-style mount option in @opts
 * @opts: the option set being filled in
 * @idx:  next free slot; advanced only on success
 * @sid:  the SID to render as a context string
 * @flag: the *_MNT flag identifying the option
 *
 * Returns 0 on success, or the security_sid_to_context() error, in which
 * case nothing is stored and @idx is unchanged so the caller can free what
 * has been collected so far.
 */
static int sel_mnt_opt_append(struct security_mnt_opts *opts, int *idx,
                              u32 sid, int flag)
{
        char *context = NULL;
        u32 len;
        int rc;

        rc = security_sid_to_context(sid, &context, &len);
        if (rc)
                return rc;

        opts->mnt_opts[*idx] = context;
        opts->mnt_opts_flags[*idx] = flag;
        (*idx)++;
        return 0;
}

/*
 * selinux_get_mnt_opts - report the security mount options in effect on @sb
 * @sb:   the superblock
 * @opts: receives the option strings and their *_MNT flags
 *
 * Lets a filesystem ask what its mount security options were, e.g. for
 * submounts or for displaying mount options.  Returns 0 on success,
 * -EINVAL if the sb or the security server is not yet initialized, -ENOMEM
 * on allocation failure, or a security_sid_to_context() error; on any
 * failure @opts has been freed again.
 */
static int selinux_get_mnt_opts(const struct super_block *sb,
                                struct security_mnt_opts *opts)
{
        struct superblock_security_struct *sbsec = sb->s_security;
        unsigned int mask;
        int rc = 0, i;

        security_init_mnt_opts(opts);

        if (!(sbsec->flags & SE_SBINITIALIZED) || !ss_initialized)
                return -EINVAL;

        /* make sure we always check enough bits to cover the mask */
        BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));

        /* One slot per set SE_MNTMASK bit ... */
        mask = sbsec->flags & SE_MNTMASK;
        for (i = 0; i < NUM_SEL_MNT_OPTS; i++, mask >>= 1) {
                if (mask & 0x01)
                        opts->num_mnt_opts++;
        }
        /* ... plus one for label support, which carries no context. */
        if (sbsec->flags & SBLABEL_MNT)
                opts->num_mnt_opts++;

        /* GFP_ATOMIC: callers may hold locks that forbid sleeping. */
        opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
        if (!opts->mnt_opts) {
                rc = -ENOMEM;
                goto out_free;
        }

        opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
        if (!opts->mnt_opts_flags) {
                rc = -ENOMEM;
                goto out_free;
        }

        i = 0;
        if (sbsec->flags & FSCONTEXT_MNT) {
                rc = sel_mnt_opt_append(opts, &i, sbsec->sid, FSCONTEXT_MNT);
                if (rc)
                        goto out_free;
        }
        if (sbsec->flags & CONTEXT_MNT) {
                rc = sel_mnt_opt_append(opts, &i, sbsec->mntpoint_sid,
                                        CONTEXT_MNT);
                if (rc)
                        goto out_free;
        }
        if (sbsec->flags & DEFCONTEXT_MNT) {
                rc = sel_mnt_opt_append(opts, &i, sbsec->def_sid,
                                        DEFCONTEXT_MNT);
                if (rc)
                        goto out_free;
        }
        if (sbsec->flags & ROOTCONTEXT_MNT) {
                struct inode_security_struct *root_isec =
                        backing_inode_security(sbsec->sb->s_root);

                rc = sel_mnt_opt_append(opts, &i, root_isec->sid,
                                        ROOTCONTEXT_MNT);
                if (rc)
                        goto out_free;
        }
        if (sbsec->flags & SBLABEL_MNT) {
                opts->mnt_opts[i] = NULL;
                opts->mnt_opts_flags[i++] = SBLABEL_MNT;
        }

        /* The count above and the slots filled here must agree exactly. */
        BUG_ON(i != opts->num_mnt_opts);

        return 0;

out_free:
        security_free_mnt_opts(opts);
        return rc;
}
662 
/*
 * bad_option - reject inconsistent or duplicated security mount options
 * @sbsec:   security state of the superblock being (re)mounted
 * @flag:    the *_MNT bit of the option under consideration
 * @old_sid: the SID currently recorded for that option
 * @new_sid: the SID this mount is asking for
 *
 * Returns 1 in two cases:
 *  - the sb is already initialized and either never carried this option or
 *    carried it with a different SID, i.e. a second mount of the same sb is
 *    trying to change its labeling;
 *  - the sb is not yet initialized but the option already appeared earlier
 *    in the same option list (context=a,context=b).
 * Returns 0 when the option agrees with what is already recorded.
 */
static int bad_option(struct superblock_security_struct *sbsec, char flag,
                      u32 old_sid, u32 new_sid)
{
        const char mnt_flags = sbsec->flags & SE_MNTMASK;

        if (sbsec->flags & SE_SBINITIALIZED)
                return !(sbsec->flags & flag) || old_sid != new_sid;

        return (mnt_flags & flag) != 0;
}
682 
683 /*
684  * Allow filesystems with binary mount data to explicitly set mount point
685  * labeling information.
686  */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688                                 struct security_mnt_opts *opts,
689                                 unsigned long kern_flags,
690                                 unsigned long *set_kern_flags)
691 {
692         const struct cred *cred = current_cred();
693         int rc = 0, i;
694         struct superblock_security_struct *sbsec = sb->s_security;
695         const char *name = sb->s_type->name;
696         struct dentry *root = sbsec->sb->s_root;
697         struct inode_security_struct *root_isec;
698         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699         u32 defcontext_sid = 0;
700         char **mount_options = opts->mnt_opts;
701         int *flags = opts->mnt_opts_flags;
702         int num_opts = opts->num_mnt_opts;
703 
704         mutex_lock(&sbsec->lock);
705 
706         if (!ss_initialized) {
707                 if (!num_opts) {
708                         /* Defer initialization until selinux_complete_init,
709                            after the initial policy is loaded and the security
710                            server is ready to handle calls. */
711                         goto out;
712                 }
713                 rc = -EINVAL;
714                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715                         "before the security server is initialized\n");
716                 goto out;
717         }
718         if (kern_flags && !set_kern_flags) {
719                 /* Specifying internal flags without providing a place to
720                  * place the results is not allowed */
721                 rc = -EINVAL;
722                 goto out;
723         }
724 
725         /*
726          * Binary mount data FS will come through this function twice.  Once
727          * from an explicit call and once from the generic calls from the vfs.
728          * Since the generic VFS calls will not contain any security mount data
729          * we need to skip the double mount verification.
730          *
731          * This does open a hole in which we will not notice if the first
732          * mount using this sb set explict options and a second mount using
733          * this sb does not set any security options.  (The first options
734          * will be used for both mounts)
735          */
736         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737             && (num_opts == 0))
738                 goto out;
739 
740         root_isec = backing_inode_security_novalidate(root);
741 
742         /*
743          * parse the mount options, check if they are valid sids.
744          * also check if someone is trying to mount the same sb more
745          * than once with different security options.
746          */
747         for (i = 0; i < num_opts; i++) {
748                 u32 sid;
749 
750                 if (flags[i] == SBLABEL_MNT)
751                         continue;
752                 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753                 if (rc) {
754                         printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755                                "(%s) failed for (dev %s, type %s) errno=%d\n",
756                                mount_options[i], sb->s_id, name, rc);
757                         goto out;
758                 }
759                 switch (flags[i]) {
760                 case FSCONTEXT_MNT:
761                         fscontext_sid = sid;
762 
763                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764                                         fscontext_sid))
765                                 goto out_double_mount;
766 
767                         sbsec->flags |= FSCONTEXT_MNT;
768                         break;
769                 case CONTEXT_MNT:
770                         context_sid = sid;
771 
772                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773                                         context_sid))
774                                 goto out_double_mount;
775 
776                         sbsec->flags |= CONTEXT_MNT;
777                         break;
778                 case ROOTCONTEXT_MNT:
779                         rootcontext_sid = sid;
780 
781                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782                                         rootcontext_sid))
783                                 goto out_double_mount;
784 
785                         sbsec->flags |= ROOTCONTEXT_MNT;
786 
787                         break;
788                 case DEFCONTEXT_MNT:
789                         defcontext_sid = sid;
790 
791                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792                                         defcontext_sid))
793                                 goto out_double_mount;
794 
795                         sbsec->flags |= DEFCONTEXT_MNT;
796 
797                         break;
798                 default:
799                         rc = -EINVAL;
800                         goto out;
801                 }
802         }
803 
804         if (sbsec->flags & SE_SBINITIALIZED) {
805                 /* previously mounted with options, but not on this attempt? */
806                 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807                         goto out_double_mount;
808                 rc = 0;
809                 goto out;
810         }
811 
812         if (strcmp(sb->s_type->name, "proc") == 0)
813                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814 
815         if (!strcmp(sb->s_type->name, "debugfs") ||
816             !strcmp(sb->s_type->name, "tracefs") ||
817             !strcmp(sb->s_type->name, "sysfs") ||
818             !strcmp(sb->s_type->name, "pstore"))
819                 sbsec->flags |= SE_SBGENFS;
820 
821         if (!sbsec->behavior) {
822                 /*
823                  * Determine the labeling behavior to use for this
824                  * filesystem type.
825                  */
826                 rc = security_fs_use(sb);
827                 if (rc) {
828                         printk(KERN_WARNING
829                                 "%s: security_fs_use(%s) returned %d\n",
830                                         __func__, sb->s_type->name, rc);
831                         goto out;
832                 }
833         }
834 
835         /*
836          * If this is a user namespace mount and the filesystem type is not
837          * explicitly whitelisted, then no contexts are allowed on the command
838          * line and security labels must be ignored.
839          */
840         if (sb->s_user_ns != &init_user_ns &&
841             strcmp(sb->s_type->name, "tmpfs") &&
842             strcmp(sb->s_type->name, "ramfs") &&
843             strcmp(sb->s_type->name, "devpts")) {
844                 if (context_sid || fscontext_sid || rootcontext_sid ||
845                     defcontext_sid) {
846                         rc = -EACCES;
847                         goto out;
848                 }
849                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
850                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
851                         rc = security_transition_sid(current_sid(), current_sid(),
852                                                      SECCLASS_FILE, NULL,
853                                                      &sbsec->mntpoint_sid);
854                         if (rc)
855                                 goto out;
856                 }
857                 goto out_set_opts;
858         }
859 
860         /* sets the context of the superblock for the fs being mounted. */
861         if (fscontext_sid) {
862                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
863                 if (rc)
864                         goto out;
865 
866                 sbsec->sid = fscontext_sid;
867         }
868 
869         /*
870          * Switch to using mount point labeling behavior.
871          * sets the label used on all file below the mountpoint, and will set
872          * the superblock context if not already set.
873          */
874         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
875                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
876                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
877         }
878 
879         if (context_sid) {
880                 if (!fscontext_sid) {
881                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
882                                                           cred);
883                         if (rc)
884                                 goto out;
885                         sbsec->sid = context_sid;
886                 } else {
887                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
888                                                              cred);
889                         if (rc)
890                                 goto out;
891                 }
892                 if (!rootcontext_sid)
893                         rootcontext_sid = context_sid;
894 
895                 sbsec->mntpoint_sid = context_sid;
896                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
897         }
898 
899         if (rootcontext_sid) {
900                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
901                                                      cred);
902                 if (rc)
903                         goto out;
904 
905                 root_isec->sid = rootcontext_sid;
906                 root_isec->initialized = LABEL_INITIALIZED;
907         }
908 
909         if (defcontext_sid) {
910                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
911                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
912                         rc = -EINVAL;
913                         printk(KERN_WARNING "SELinux: defcontext option is "
914                                "invalid for this filesystem type\n");
915                         goto out;
916                 }
917 
918                 if (defcontext_sid != sbsec->def_sid) {
919                         rc = may_context_mount_inode_relabel(defcontext_sid,
920                                                              sbsec, cred);
921                         if (rc)
922                                 goto out;
923                 }
924 
925                 sbsec->def_sid = defcontext_sid;
926         }
927 
928 out_set_opts:
929         rc = sb_finish_set_opts(sb);
930 out:
931         mutex_unlock(&sbsec->lock);
932         return rc;
933 out_double_mount:
934         rc = -EINVAL;
935         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
936                "security settings for (dev %s, type %s)\n", sb->s_id, name);
937         goto out;
938 }
939 
/*
 * Verify that a superblock being reused by a new mount carries the same
 * SELinux mount options as the mount that set it up.  Only the option bits
 * in SE_MNTMASK are compared, and each SID is compared only when the
 * corresponding option was actually given.
 *
 * Returns 0 when the settings agree, -EBUSY (after logging a warning)
 * when they differ.
 */
static int selinux_cmp_sb_context(const struct super_block *oldsb,
				    const struct super_block *newsb)
{
	struct superblock_security_struct *osec = oldsb->s_security;
	struct superblock_security_struct *nsec = newsb->s_security;
	char oflags = osec->flags & SE_MNTMASK;
	char nflags = nsec->flags & SE_MNTMASK;
	int same = (oflags == nflags);

	if (same && (oflags & FSCONTEXT_MNT))
		same = (osec->sid == nsec->sid);
	if (same && (oflags & CONTEXT_MNT))
		same = (osec->mntpoint_sid == nsec->mntpoint_sid);
	if (same && (oflags & DEFCONTEXT_MNT))
		same = (osec->def_sid == nsec->def_sid);
	if (same && (oflags & ROOTCONTEXT_MNT)) {
		/* rootcontext= lives on the root inode, not the superblock */
		struct inode_security_struct *oroot =
			backing_inode_security(oldsb->s_root);
		struct inode_security_struct *nroot =
			backing_inode_security(newsb->s_root);

		same = (oroot->sid == nroot->sid);
	}

	if (same)
		return 0;

	printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
			    "different security settings for (dev %s, "
			    "type %s)\n", newsb->s_id, newsb->s_type->name);
	return -EBUSY;
}
969 
/*
 * Copy the SELinux mount settings of @oldsb onto @newsb when a filesystem
 * clones a superblock.
 *
 * @kern_flags:     internal LSM flags from the caller;
 *                  SECURITY_LSM_NATIVE_LABELS asks for native labeling
 * @set_kern_flags: where flags honoured by SELinux are reported back; must
 *                  be non-NULL whenever @kern_flags is non-zero
 *
 * Returns 0 on success, -EINVAL for a flag/pointer mismatch, the result of
 * selinux_cmp_sb_context() when @newsb was already initialized, or the
 * error from security_fs_use().
 */
static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
					struct super_block *newsb,
					unsigned long kern_flags,
					unsigned long *set_kern_flags)
{
	int rc = 0;
	const struct superblock_security_struct *oldsbsec = oldsb->s_security;
	struct superblock_security_struct *newsbsec = newsb->s_security;

	/* which explicit context options the parent mount was given */
	int set_fscontext =	(oldsbsec->flags & FSCONTEXT_MNT);
	int set_context =	(oldsbsec->flags & CONTEXT_MNT);
	int set_rootcontext =	(oldsbsec->flags & ROOTCONTEXT_MNT);

	/*
	 * if the parent was able to be mounted it clearly had no special lsm
	 * mount options.  thus we can safely deal with this superblock later
	 */
	if (!ss_initialized)
		return 0;

	/*
	 * Specifying internal flags without providing a place to
	 * place the results is not allowed.
	 */
	if (kern_flags && !set_kern_flags)
		return -EINVAL;

	/* how can we clone if the old one wasn't set up?? */
	BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));

	/* if fs is reusing a sb, make sure that the contexts match */
	if (newsbsec->flags & SE_SBINITIALIZED)
		return selinux_cmp_sb_context(oldsb, newsb);

	mutex_lock(&newsbsec->lock);

	/* start from an exact copy of the parent's option flags and SIDs */
	newsbsec->flags = oldsbsec->flags;

	newsbsec->sid = oldsbsec->sid;
	newsbsec->def_sid = oldsbsec->def_sid;
	newsbsec->behavior = oldsbsec->behavior;

	/*
	 * The parent used native labels, but this caller did not ask for
	 * them and no context= option pins the behavior: fall back to the
	 * policy's fs_use rule for the new superblock.
	 */
	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
		rc = security_fs_use(newsb);
		if (rc)
			goto out;
	}

	/* native labels requested and not overridden by context=: honour them */
	if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
		newsbsec->behavior = SECURITY_FS_USE_NATIVE;
		*set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
	}

	/*
	 * context= applies the mountpoint SID to the superblock (unless
	 * fscontext= set it) and to the root inode (unless rootcontext= did).
	 */
	if (set_context) {
		u32 sid = oldsbsec->mntpoint_sid;

		if (!set_fscontext)
			newsbsec->sid = sid;
		if (!set_rootcontext) {
			struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
			newisec->sid = sid;
		}
		newsbsec->mntpoint_sid = sid;
	}
	/* rootcontext= carries the parent's root inode SID over verbatim */
	if (set_rootcontext) {
		const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
		struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);

		newisec->sid = oldisec->sid;
	}

	/* NOTE(review): the return value of sb_finish_set_opts() is discarded here; rc stays 0. */
	sb_finish_set_opts(newsb);
out:
	mutex_unlock(&newsbsec->lock);
	return rc;
}
1047 
/*
 * Duplicate one mount option value into *slot.
 *
 * @slot:      where the duplicated value is stored; NULL on entry whenever
 *             @conflicts is zero
 * @conflicts: non-zero when an earlier option makes this one invalid
 *             (repeated option, or context= combined with defcontext=)
 * @arg:       the matched substring holding the value
 *
 * Returns 0 on success, -EINVAL (after logging SEL_MOUNT_FAIL_MSG) on a
 * conflicting option, -ENOMEM when the copy fails.  *slot is not touched on
 * a conflict and is NULL after an allocation failure.
 */
static int selinux_dup_mnt_opt(char **slot, int conflicts, substring_t *arg)
{
	if (conflicts) {
		printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
		return -EINVAL;
	}
	*slot = match_strdup(arg);
	return *slot ? 0 : -ENOMEM;
}

/*
 * Parse the '|'-separated SELinux mount option string @options into @opts.
 *
 * Recognised options are context=, fscontext=, rootcontext= and
 * defcontext= (each at most once; context= and defcontext= are mutually
 * exclusive) plus the value-less label-support option, which is accepted
 * and ignored here.  The values are stored in @opts in the fixed order
 * fscontext, context, rootcontext, defcontext, each paired with its
 * *_MNT flag.
 *
 * Returns 0 on success; -EINVAL for a repeated, conflicting or unknown
 * option; -ENOMEM when an allocation fails.  On error @opts is released
 * and every duplicated value freed.
 */
static int selinux_parse_opts_str(char *options,
				  struct security_mnt_opts *opts)
{
	char *context = NULL, *defcontext = NULL;
	char *fscontext = NULL, *rootcontext = NULL;
	char *p;
	int rc = 0, count = 0;

	opts->num_mnt_opts = 0;

	/* Standard string-based options. */
	while ((p = strsep(&options, "|")) != NULL) {
		substring_t args[MAX_OPT_ARGS];

		if (!*p)
			continue;

		switch (match_token(p, tokens, args)) {
		case Opt_context:
			rc = selinux_dup_mnt_opt(&context,
						 context || defcontext, &args[0]);
			break;
		case Opt_fscontext:
			rc = selinux_dup_mnt_opt(&fscontext,
						 fscontext != NULL, &args[0]);
			break;
		case Opt_rootcontext:
			rc = selinux_dup_mnt_opt(&rootcontext,
						 rootcontext != NULL, &args[0]);
			break;
		case Opt_defcontext:
			rc = selinux_dup_mnt_opt(&defcontext,
						 context || defcontext, &args[0]);
			break;
		case Opt_labelsupport:
			/* accepted for compatibility; carries no value */
			break;
		default:
			rc = -EINVAL;
			printk(KERN_WARNING "SELinux:  unknown mount option\n");
			break;
		}
		if (rc)
			goto out_err;
	}

	/* both arrays are sized for the maximum, not for what was found */
	rc = -ENOMEM;
	opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
	if (!opts->mnt_opts)
		goto out_err;

	opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
				       GFP_KERNEL);
	if (!opts->mnt_opts_flags)
		goto out_err;

	/* fixed emission order: fscontext, context, rootcontext, defcontext */
	if (fscontext) {
		opts->mnt_opts_flags[count] = FSCONTEXT_MNT;
		opts->mnt_opts[count++] = fscontext;
	}
	if (context) {
		opts->mnt_opts_flags[count] = CONTEXT_MNT;
		opts->mnt_opts[count++] = context;
	}
	if (rootcontext) {
		opts->mnt_opts_flags[count] = ROOTCONTEXT_MNT;
		opts->mnt_opts[count++] = rootcontext;
	}
	if (defcontext) {
		opts->mnt_opts_flags[count] = DEFCONTEXT_MNT;
		opts->mnt_opts[count++] = defcontext;
	}

	opts->num_mnt_opts = count;
	return 0;

out_err:
	/* num_mnt_opts is still 0 here, so the strings are ours to free */
	security_free_mnt_opts(opts);
	kfree(context);
	kfree(defcontext);
	kfree(fscontext);
	kfree(rootcontext);
	return rc;
}
/*
 * Parse the string mount options for @sb (if any) and apply them to the
 * superblock's security struct via selinux_set_mnt_opts().
 *
 * @data: the mount option string, or NULL when none were given.  Binary
 *        mount data is not supported (BUG_ON).
 *
 * Returns 0 on success or the error from option parsing / option setting.
 */
static int superblock_doinit(struct super_block *sb, void *data)
{
	struct security_mnt_opts opts;
	char *options = data;
	int rc = 0;

	security_init_mnt_opts(&opts);

	if (options) {
		BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
		rc = selinux_parse_opts_str(options, &opts);
	}

	/* with no options, or once they parsed cleanly, apply them */
	if (!rc)
		rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);

	security_free_mnt_opts(&opts);
	return rc;
}
1195 
/*
 * Append the SELinux mount options in @opts to the seq_file @m, each
 * preceded by a comma.  A value that itself contains a comma is wrapped in
 * double quotes, and '"', '\n' and '\\' inside a value are escaped by
 * seq_escape().  The label-support flag is emitted without a value.  An
 * option flag this function does not know is a programming error (BUG()).
 */
static void selinux_write_opts(struct seq_file *m,
			       struct security_mnt_opts *opts)
{
	int i;

	for (i = 0; i < opts->num_mnt_opts; i++) {
		const char *value = opts->mnt_opts[i];
		const char *prefix = NULL;
		int quoted;

		switch (opts->mnt_opts_flags[i]) {
		case CONTEXT_MNT:
			prefix = CONTEXT_STR;
			break;
		case FSCONTEXT_MNT:
			prefix = FSCONTEXT_STR;
			break;
		case ROOTCONTEXT_MNT:
			prefix = ROOTCONTEXT_STR;
			break;
		case DEFCONTEXT_MNT:
			prefix = DEFCONTEXT_STR;
			break;
		case SBLABEL_MNT:
			/* value-less option: comma plus the keyword only */
			seq_putc(m, ',');
			seq_puts(m, LABELSUPP_STR);
			continue;
		default:
			BUG();
			return;
		}

		/* a comma inside the value would split the option on re-parse */
		quoted = (value != NULL && strchr(value, ',') != NULL);

		seq_putc(m, ',');
		seq_puts(m, prefix);
		if (quoted)
			seq_putc(m, '\"');
		seq_escape(m, value, "\"\n\\");
		if (quoted)
			seq_putc(m, '\"');
	}
}
1241 
/*
 * show_options hook: write the SELinux mount options of @sb to @m.
 *
 * Returns 0 on success (including the -EINVAL case from
 * selinux_get_mnt_opts(), which is expected before a policy is loaded and
 * simply shows nothing), otherwise the error from selinux_get_mnt_opts().
 */
static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
{
	struct security_mnt_opts opts;
	int rc = selinux_get_mnt_opts(sb, &opts);

	/* before policy load we may get EINVAL, don't show anything */
	if (rc == -EINVAL)
		return 0;
	if (rc)
		return rc;

	selinux_write_opts(m, &opts);
	security_free_mnt_opts(&opts);
	return 0;
}
1261 
/*
 * Map the file-type bits of an inode mode to the SELinux security class
 * used for that kind of object.  Anything that is not one of the known
 * S_IF* types is treated as a regular file.
 */
static inline u16 inode_mode_to_security_class(umode_t mode)
{
	u16 sclass;

	switch (mode & S_IFMT) {
	case S_IFSOCK:
		sclass = SECCLASS_SOCK_FILE;
		break;
	case S_IFLNK:
		sclass = SECCLASS_LNK_FILE;
		break;
	case S_IFBLK:
		sclass = SECCLASS_BLK_FILE;
		break;
	case S_IFDIR:
		sclass = SECCLASS_DIR;
		break;
	case S_IFCHR:
		sclass = SECCLASS_CHR_FILE;
		break;
	case S_IFIFO:
		sclass = SECCLASS_FIFO_FILE;
		break;
	case S_IFREG:
	default:
		/* regular files and any unrecognised type */
		sclass = SECCLASS_FILE;
		break;
	}

	return sclass;
}
1284 
/*
 * Whether @protocol is one of the protocols that make a stream socket an
 * ordinary TCP socket: IPPROTO_IP (the "pick the default" value) or
 * IPPROTO_TCP itself.  Returns 1 if so, 0 otherwise.
 */
static inline int default_protocol_stream(int protocol)
{
	switch (protocol) {
	case IPPROTO_IP:
	case IPPROTO_TCP:
		return 1;
	default:
		return 0;
	}
}
1289 
/*
 * Whether @protocol is one of the protocols that make a datagram socket an
 * ordinary UDP socket: IPPROTO_IP (the "pick the default" value) or
 * IPPROTO_UDP itself.  Returns 1 if so, 0 otherwise.
 */
static inline int default_protocol_dgram(int protocol)
{
	switch (protocol) {
	case IPPROTO_IP:
	case IPPROTO_UDP:
		return 1;
	default:
		return 0;
	}
}
1294 
/*
 * Map a socket's (family, type, protocol) triple to the SELinux security
 * class that access checks will be made against.
 *
 * Families and protocols not handled below collapse to SECCLASS_SOCKET.
 * The finer-grained classes in the second switch (and SCTP/ICMP under
 * PF_INET*) are used only when the loaded policy declares the
 * extended_socket_class capability; with an older policy those sockets
 * are checked as the generic class instead.
 */
static inline u16 socket_type_to_security_class(int family, int type, int protocol)
{
	/* policy capability gating the extended socket classes */
	int extsockclass = selinux_policycap_extsockclass;

	switch (family) {
	case PF_UNIX:
		switch (type) {
		case SOCK_STREAM:
		case SOCK_SEQPACKET:
			return SECCLASS_UNIX_STREAM_SOCKET;
		case SOCK_DGRAM:
			return SECCLASS_UNIX_DGRAM_SOCKET;
		}
		/* any other PF_UNIX type falls through to SECCLASS_SOCKET */
		break;
	case PF_INET:
	case PF_INET6:
		switch (type) {
		case SOCK_STREAM:
		case SOCK_SEQPACKET:
			/* unknown stream protocols are treated as raw IP */
			if (default_protocol_stream(protocol))
				return SECCLASS_TCP_SOCKET;
			else if (extsockclass && protocol == IPPROTO_SCTP)
				return SECCLASS_SCTP_SOCKET;
			else
				return SECCLASS_RAWIP_SOCKET;
		case SOCK_DGRAM:
			/* unknown datagram protocols are treated as raw IP */
			if (default_protocol_dgram(protocol))
				return SECCLASS_UDP_SOCKET;
			else if (extsockclass && (protocol == IPPROTO_ICMP ||
						  protocol == IPPROTO_ICMPV6))
				return SECCLASS_ICMP_SOCKET;
			else
				return SECCLASS_RAWIP_SOCKET;
		case SOCK_DCCP:
			return SECCLASS_DCCP_SOCKET;
		default:
			return SECCLASS_RAWIP_SOCKET;
		}
		break;
	case PF_NETLINK:
		/* netlink is classed per protocol (i.e. per subsystem) */
		switch (protocol) {
		case NETLINK_ROUTE:
			return SECCLASS_NETLINK_ROUTE_SOCKET;
		case NETLINK_SOCK_DIAG:
			return SECCLASS_NETLINK_TCPDIAG_SOCKET;
		case NETLINK_NFLOG:
			return SECCLASS_NETLINK_NFLOG_SOCKET;
		case NETLINK_XFRM:
			return SECCLASS_NETLINK_XFRM_SOCKET;
		case NETLINK_SELINUX:
			return SECCLASS_NETLINK_SELINUX_SOCKET;
		case NETLINK_ISCSI:
			return SECCLASS_NETLINK_ISCSI_SOCKET;
		case NETLINK_AUDIT:
			return SECCLASS_NETLINK_AUDIT_SOCKET;
		case NETLINK_FIB_LOOKUP:
			return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
		case NETLINK_CONNECTOR:
			return SECCLASS_NETLINK_CONNECTOR_SOCKET;
		case NETLINK_NETFILTER:
			return SECCLASS_NETLINK_NETFILTER_SOCKET;
		case NETLINK_DNRTMSG:
			return SECCLASS_NETLINK_DNRT_SOCKET;
		case NETLINK_KOBJECT_UEVENT:
			return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
		case NETLINK_GENERIC:
			return SECCLASS_NETLINK_GENERIC_SOCKET;
		case NETLINK_SCSITRANSPORT:
			return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
		case NETLINK_RDMA:
			return SECCLASS_NETLINK_RDMA_SOCKET;
		case NETLINK_CRYPTO:
			return SECCLASS_NETLINK_CRYPTO_SOCKET;
		default:
			return SECCLASS_NETLINK_SOCKET;
		}
	case PF_PACKET:
		return SECCLASS_PACKET_SOCKET;
	case PF_KEY:
		return SECCLASS_KEY_SOCKET;
	case PF_APPLETALK:
		return SECCLASS_APPLETALK_SOCKET;
	}

	/* remaining families get their own class only under the new policy capability */
	if (extsockclass) {
		switch (family) {
		case PF_AX25:
			return SECCLASS_AX25_SOCKET;
		case PF_IPX:
			return SECCLASS_IPX_SOCKET;
		case PF_NETROM:
			return SECCLASS_NETROM_SOCKET;
		case PF_ATMPVC:
			return SECCLASS_ATMPVC_SOCKET;
		case PF_X25:
			return SECCLASS_X25_SOCKET;
		case PF_ROSE:
			return SECCLASS_ROSE_SOCKET;
		case PF_DECnet:
			return SECCLASS_DECNET_SOCKET;
		case PF_ATMSVC:
			return SECCLASS_ATMSVC_SOCKET;
		case PF_RDS:
			return SECCLASS_RDS_SOCKET;
		case PF_IRDA:
			return SECCLASS_IRDA_SOCKET;
		case PF_PPPOX:
			return SECCLASS_PPPOX_SOCKET;
		case PF_LLC:
			return SECCLASS_LLC_SOCKET;
		case PF_CAN:
			return SECCLASS_CAN_SOCKET;
		case PF_TIPC:
			return SECCLASS_TIPC_SOCKET;
		case PF_BLUETOOTH:
			return SECCLASS_BLUETOOTH_SOCKET;
		case PF_IUCV:
			return SECCLASS_IUCV_SOCKET;
		case PF_RXRPC:
			return SECCLASS_RXRPC_SOCKET;
		case PF_ISDN:
			return SECCLASS_ISDN_SOCKET;
		case PF_PHONET:
			return SECCLASS_PHONET_SOCKET;
		case PF_IEEE802154:
			return SECCLASS_IEEE802154_SOCKET;
		case PF_CAIF:
			return SECCLASS_CAIF_SOCKET;
		case PF_ALG:
			return SECCLASS_ALG_SOCKET;
		case PF_NFC:
			return SECCLASS_NFC_SOCKET;
		case PF_VSOCK:
			return SECCLASS_VSOCK_SOCKET;
		case PF_KCM:
			return SECCLASS_KCM_SOCKET;
		case PF_QIPCRTR:
			return SECCLASS_QIPCRTR_SOCKET;
		case PF_SMC:
			return SECCLASS_SMC_SOCKET;
/* build-time guard: a new address family must be given a class above */
#if PF_MAX > 44
#error New address family defined, please update this function.
#endif
		}
	}

	return SECCLASS_SOCKET;
}
1443 
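/*
 * Look up the SID for @dentry on a genfs-labeled filesystem by matching its
 * path against the policy's genfscon rules for the filesystem type.
 *
 * @dentry: the object being labeled
 * @tclass: the security class of the object
 * @flags:  the superblock's SELinux flags; SE_SBPROC selects /proc handling
 * @sid:    output, the SID chosen by security_genfs_sid()
 *
 * Returns 0 on success or a negative errno: -ENOMEM if the scratch page
 * cannot be allocated, otherwise the error from dentry_path_raw() or
 * security_genfs_sid().
 */
static int selinux_genfs_get_sid(struct dentry *dentry,
				 u16 tclass,
				 u16 flags,
				 u32 *sid)
{
	int rc;
	struct super_block *sb = dentry->d_sb;
	char *buffer, *path;

	/* one page of scratch space in which dentry_path_raw() builds the path */
	buffer = (char *)__get_free_page(GFP_KERNEL);
	if (!buffer)
		return -ENOMEM;

	path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
	if (IS_ERR(path)) {
		rc = PTR_ERR(path);
		goto out_free;
	}

	if (flags & SE_SBPROC) {
		/*
		 * Each process gets a /proc/PID/ entry.  Strip off the PID
		 * part so the same genfscon rule applies whichever PID the
		 * object was reached through, e.g.
		 * /proc/1/net/rpc/nfs -> /net/rpc/nfs.
		 *
		 * The path is assumed to start with '/', so path[1] is the
		 * first character of the first component.  Each digit is
		 * overwritten with '/' and the start advanced past it, which
		 * keeps a leading '/' on the result.  The comparison is
		 * against the character '0' (the listing had lost it).
		 */
		while (path[1] >= '0' && path[1] <= '9') {
			path[1] = '/';
			path++;
		}
	}
	rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);

out_free:
	free_page((unsigned long)buffer);
	return rc;
}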
1475 
1476 /* The inode's security attributes must be initialized before first use. */
1477 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1478 {
1479         struct superblock_security_struct *sbsec = NULL;
1480         struct inode_security_struct *isec = inode->i_security;
1481         u32 task_sid, sid = 0;
1482         u16 sclass;
1483         struct dentry *dentry;
1484 #define INITCONTEXTLEN 255
1485         char *context = NULL;
1486         unsigned len = 0;
1487         int rc = 0;
1488 
1489         if (isec->initialized == LABEL_INITIALIZED)
1490                 return 0;
1491 
1492         spin_lock(&isec->lock);
1493         if (isec->initialized == LABEL_INITIALIZED)
1494                 goto out_unlock;
1495 
1496         if (isec->sclass == SECCLASS_FILE)
1497                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1498 
1499         sbsec = inode->i_sb->s_security;
1500         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1501                 /* Defer initialization until selinux_complete_init,
1502                    after the initial policy is loaded and the security
1503                    server is ready to handle calls. */
1504                 spin_lock(&sbsec->isec_lock);
1505                 if (list_empty(&isec->list))
1506                         list_add(&isec->list, &sbsec->isec_head);
1507                 spin_unlock(&sbsec->isec_lock);
1508                 goto out_unlock;
1509         }
1510 
1511         sclass = isec->sclass;
1512         task_sid = isec->task_sid;
1513         sid = isec->sid;
1514         isec->initialized = LABEL_PENDING;
1515         spin_unlock(&isec->lock);
1516 
1517         switch (sbsec->behavior) {
1518         case SECURITY_FS_USE_NATIVE:
1519                 break;
1520         case SECURITY_FS_USE_XATTR:
1521                 if (!(inode->i_opflags & IOP_XATTR)) {
1522                         sid = sbsec->def_sid;
1523                         break;
1524                 }
1525                 /* Need a dentry, since the xattr API requires one.
1526                    Life would be simpler if we could just pass the inode. */
1527                 if (opt_dentry) {
1528                         /* Called from d_instantiate or d_splice_alias. */
1529                         dentry = dget(opt_dentry);
1530                 } else {
1531                         /* Called from selinux_complete_init, try to find a dentry. */
1532                         dentry = d_find_alias(inode);
1533                 }
1534                 if (!dentry) {
1535                         /*
1536                          * this is can be hit on boot when a file is accessed
1537                          * before the policy is loaded.  When we load policy we
1538                          * may find inodes that have no dentry on the
1539                          * sbsec->isec_head list.  No reason to complain as these
1540                          * will get fixed up the next time we go through
1541                          * inode_doinit with a dentry, before these inodes could
1542                          * be used again by userspace.
1543                          */
1544                         goto out;
1545                 }
1546 
1547                 len = INITCONTEXTLEN;
1548                 context = kmalloc(len+1, GFP_NOFS);
1549                 if (!context) {
1550                         rc = -ENOMEM;
1551                         dput(dentry);
1552                         goto out;
1553                 }
1554                 context[len] = '\0';
1555                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1556                 if (rc == -ERANGE) {
1557                         kfree(context);
1558 
1559                         /* Need a larger buffer.  Query for the right size. */
1560                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1561                         if (rc < 0) {
1562                                 dput(dentry);
1563                                 goto out;
1564                         }
1565                         len = rc;
1566                         context = kmalloc(len+1, GFP_NOFS);
1567                         if (!context) {
1568                                 rc = -ENOMEM;
1569                                 dput(dentry);
1570                                 goto out;
1571                         }
1572                         context[len] = '\0';
1573                         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1574                 }
1575                 dput(dentry);
1576                 if (rc < 0) {
1577                         if (rc != -ENODATA) {
1578                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1579                                        "%d for dev=%s ino=%ld\n", __func__,
1580                                        -rc, inode->i_sb->s_id, inode->i_ino);
1581                                 kfree(context);
1582                                 goto out;
1583                         }
1584                         /* Map ENODATA to the default file SID */
1585                         sid = sbsec->def_sid;
1586                         rc = 0;
1587                 } else {
1588                         rc = security_context_to_sid_default(context, rc, &sid,
1589                                                              sbsec->def_sid,
1590                                                              GFP_NOFS);
1591                         if (rc) {
1592                                 char *dev = inode->i_sb->s_id;
1593                                 unsigned long ino = inode->i_ino;
1594 
1595                                 if (rc == -EINVAL) {
1596                                         if (printk_ratelimit())
1597                                                 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1598                                                         "context=%s.  This indicates you may need to relabel the inode or the "
1599                                                         "filesystem in question.\n", ino, dev, context);
1600                                 } else {
1601                                         printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1602                                                "returned %d for dev=%s ino=%ld\n",
1603                                                __func__, context, -rc, dev, ino);
1604                                 }
1605                                 kfree(context);
1606                                 /* Leave with the unlabeled SID */
1607                                 rc = 0;
1608                                 break;
1609                         }
1610                 }
1611                 kfree(context);
1612                 break;
1613         case SECURITY_FS_USE_TASK:
1614                 sid = task_sid;
1615                 break;
1616         case SECURITY_FS_USE_TRANS:
1617                 /* Default to the fs SID. */
1618                 sid = sbsec->sid;
1619 
1620                 /* Try to obtain a transition SID. */
1621                 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1622                 if (rc)
1623                         goto out;
1624                 break;
1625         case SECURITY_FS_USE_MNTPOINT:
1626                 sid = sbsec->mntpoint_sid;
1627                 break;
1628         default:
1629                 /* Default to the fs superblock SID. */
1630                 sid = sbsec->sid;
1631 
1632                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1633                         /* We must have a dentry to determine the label on
1634                          * procfs inodes */
1635                         if (opt_dentry)
1636                                 /* Called from d_instantiate or
1637                                  * d_splice_alias. */
1638                                 dentry = dget(opt_dentry);
1639                         else
1640                                 /* Called from selinux_complete_init, try to
1641                                  * find a dentry. */
1642                                 dentry = d_find_alias(inode);
1643                         /*
1644                          * This can be hit on boot when a file is accessed
1645                          * before the policy is loaded.  When we load policy we
1646                          * may find inodes that have no dentry on the
1647                          * sbsec->isec_head list.  No reason to complain as
1648                          * these will get fixed up the next time we go through
1649                          * inode_doinit() with a dentry, before these inodes
1650                          * could be used again by userspace.
1651                          */
1652                         if (!dentry)
1653                                 goto out;
1654                         rc = selinux_genfs_get_sid(dentry, sclass,
1655                                                    sbsec->flags, &sid);
1656                         dput(dentry);
1657                         if (rc)
1658                                 goto out;
1659                 }
1660                 break;
1661         }
1662 
1663 out:
1664         spin_lock(&isec->lock);
1665         if (isec->initialized == LABEL_PENDING) {
1666                 if (!sid || rc) {
1667                         isec->initialized = LABEL_INVALID;
1668                         goto out_unlock;
1669                 }
1670 
1671                 isec->initialized = LABEL_INITIALIZED;
1672                 isec->sid = sid;
1673         }
1674 
1675 out_unlock:
1676         spin_unlock(&isec->lock);
1677         return rc;
1678 }
1679 
/*
 * Map a Linux signal number to the process-class permission that guards
 * sending it.  SIGCHLD, SIGKILL and SIGSTOP have dedicated permission
 * bits so policy can grant or deny them independently; every other
 * signal collapses onto the generic PROCESS__SIGNAL permission.
 */
static inline u32 signal_to_av(int sig)
{
	if (sig == SIGCHLD)
		return PROCESS__SIGCHLD;	/* Commonly granted from child to parent. */
	if (sig == SIGKILL)
		return PROCESS__SIGKILL;	/* Cannot be caught or ignored. */
	if (sig == SIGSTOP)
		return PROCESS__SIGSTOP;	/* Cannot be caught or ignored. */

	/* All other signals. */
	return PROCESS__SIGNAL;
}
1706 
1707 #if CAP_LAST_CAP > 63
1708 #error Fix SELinux to handle capabilities > 63.
1709 #endif
1710 
/*
 * Check whether the credentials @cred may use capability @cap.
 *
 * The capability bit is checked with @cred's own SID as both source and
 * target (a task's capabilities are a property of its own label).  The
 * capability space is split into two 32-bit classes, selected by
 * CAP_TO_INDEX(); which pair of classes is used depends on @initns,
 * i.e. whether the check is for the initial user namespace or a
 * non-initial one (the *_USERNS classes).  CAP_LAST_CAP is verified at
 * build time to fit in two classes, so the out-of-range branch is a
 * BUG() rather than a soft failure.
 *
 * @audit controls auditing: only SECURITY_CAP_AUDIT records the decision.
 * Returns 0 if allowed; otherwise the negative errno from the AVC, or
 * the errno from avc_audit() if that fails.
 */
static int cred_has_capability(const struct cred *cred,
			       int cap, int audit, bool initns)
{
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_CAP,
		.u.cap = cap,
	};
	struct av_decision avd;
	u32 sid = cred_sid(cred);
	u32 av = CAP_TO_MASK(cap);
	u16 sclass;
	int rc, audit_rc;

	if (CAP_TO_INDEX(cap) == 0) {
		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
	} else if (CAP_TO_INDEX(cap) == 1) {
		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
	} else {
		printk(KERN_ERR
		       "SELinux:  out of range capability %d\n", cap);
		BUG();
		return -EINVAL;
	}

	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
	if (audit != SECURITY_CAP_AUDIT)
		return rc;

	/* A failure to audit overrides the access decision itself. */
	audit_rc = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
	return audit_rc ? audit_rc : rc;
}
1747 
/*
 * Check whether @cred holds the permissions @perms on @inode.
 *
 * Inodes flagged IS_PRIVATE are exempt and always pass without an AVC
 * lookup.  @adp is optional auxiliary audit data (for example the
 * dentry or path) that lets the audit code print a pathname on denial.
 * Returns 0 if permitted, otherwise a negative errno from the AVC.
 */
static int inode_has_perm(const struct cred *cred,
			  struct inode *inode,
			  u32 perms,
			  struct common_audit_data *adp)
{
	const struct inode_security_struct *isec;

	validate_creds(cred);

	/* Private inodes are outside policy control. */
	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	isec = inode->i_security;
	return avc_has_perm(cred_sid(cred), isec->sid, isec->sclass, perms, adp);
}
1769 
/*
 * inode_has_perm() on the inode behind @dentry, with the dentry attached
 * as audit data so a denial can be reported with its pathname.  The
 * inode's label is revalidated (via __inode_security_revalidate) before
 * the check is made.
 */
static inline int dentry_has_perm(const struct cred *cred,
				  struct dentry *dentry,
				  u32 av)
{
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = dentry,
	};
	struct inode *inode = d_backing_inode(dentry);

	__inode_security_revalidate(inode, dentry, true);
	return inode_has_perm(cred, inode, av, &ad);
}
1785 
/*
 * inode_has_perm() on the inode behind @path, with the whole path
 * attached as audit data so a denial can be reported with a pathname.
 * The inode's label is revalidated (via __inode_security_revalidate)
 * before the check is made.
 */
static inline int path_has_perm(const struct cred *cred,
				const struct path *path,
				u32 av)
{
	struct dentry *dentry = path->dentry;
	struct inode *inode = d_backing_inode(dentry);
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_PATH,
		.u.path = *path,
	};

	__inode_security_revalidate(inode, dentry, true);
	return inode_has_perm(cred, inode, av, &ad);
}
1801 
/*
 * inode_has_perm() on the inode of an open @file, with the file attached
 * as audit data.  Unlike dentry_has_perm()/path_has_perm() no label
 * revalidation is performed here.
 */
static inline int file_path_has_perm(const struct cred *cred,
				     struct file *file,
				     u32 av)
{
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_FILE,
		.u.file = file,
	};

	return inode_has_perm(cred, file_inode(file), av, &ad);
}
1813 
/*
 * Check whether @cred may use the open file @file to perform @av on the
 * underlying inode.
 *
 * Two checks are made.  First, unless the descriptor's own label equals
 * the caller's SID (in which case use is implicitly granted), the
 * caller needs fd:use on the descriptor.  Second, if @av is non-zero,
 * inode_has_perm() is applied to the inode.  Callers pass @av == 0 for
 * operations that only touch the descriptor, such as seek.
 * Returns 0 if permitted, otherwise a negative errno.
 */
static int file_has_perm(const struct cred *cred,
			 struct file *file,
			 u32 av)
{
	const struct file_security_struct *fsec = file->f_security;
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_FILE,
		.u.file = file,
	};
	u32 sid = cred_sid(cred);
	int rc;

	/* Descriptor use is implicit when its SID matches the caller's. */
	if (sid != fsec->sid) {
		rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
		if (rc)
			return rc;
	}

	/* av == 0 means only the descriptor itself is being checked. */
	if (!av)
		return 0;

	return inode_has_perm(cred, file_inode(file), av, &ad);
}
1852 
/*
 * Determine the label a new inode of class @tclass, created in @dir with
 * name @name by a task with security struct @tsec, will receive.
 *
 * Precedence:
 *  1. an initialized superblock using mountpoint labelling forces its
 *     mntpoint_sid;
 *  2. a superblock that supports labelling (SBLABEL_MNT) honours the
 *     task's explicit create_sid when one is set;
 *  3. otherwise the policy's transition rule for (task SID, directory
 *     SID, class, name) decides.
 *
 * Only the third case can fail.  The result is written to *@_new_isid;
 * returns 0 on success or the errno from security_transition_sid().
 */
static int
selinux_determine_inode_label(const struct task_security_struct *tsec,
				 struct inode *dir,
				 const struct qstr *name, u16 tclass,
				 u32 *_new_isid)
{
	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
	const struct inode_security_struct *dsec;
	bool initialized = sbsec->flags & SE_SBINITIALIZED;
	bool labelled = sbsec->flags & SBLABEL_MNT;

	if (initialized && sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
		*_new_isid = sbsec->mntpoint_sid;
		return 0;
	}

	if (labelled && tsec->create_sid) {
		*_new_isid = tsec->create_sid;
		return 0;
	}

	dsec = inode_security(dir);
	return security_transition_sid(tsec->sid, dsec->sid, tclass, name,
				       _new_isid);
}
1878 
/*
 * Check whether the current task may create an object of class @tclass
 * named by @dentry inside directory @dir.
 *
 * Three checks run in order: the task needs dir:{add_name search} on
 * the parent; it needs @tclass:create on the label the new inode will
 * receive (selinux_determine_inode_label()); and that new label must be
 * allowed filesystem:associate with the superblock's label.  Returns 0
 * on success, otherwise the first negative errno encountered.
 */
static int may_create(struct inode *dir,
		      struct dentry *dentry,
		      u16 tclass)
{
	const struct task_security_struct *tsec = current_security();
	const struct inode_security_struct *dsec = inode_security(dir);
	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = dentry,
	};
	u32 newsid;
	int rc;

	rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
			  DIR__ADD_NAME | DIR__SEARCH, &ad);
	if (rc)
		return rc;

	rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name,
					   tclass, &newsid);
	if (rc)
		return rc;

	rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
	if (rc)
		return rc;

	/* The new object's label must be permitted on this filesystem. */
	return avc_has_perm(newsid, sbsec->sid, SECCLASS_FILESYSTEM,
			    FILESYSTEM__ASSOCIATE, &ad);
}
1918 
1919 #define MAY_LINK        0
1920 #define MAY_UNLINK      1
1921 #define MAY_RMDIR       2
1922 
/*
 * Check whether the current task may link (@kind == MAY_LINK), unlink
 * (MAY_UNLINK) or rmdir (MAY_RMDIR) the object at @dentry in directory
 * @dir.
 *
 * The parent must grant dir:search plus add_name (link) or remove_name
 * (unlink/rmdir); the object itself must then grant link, unlink or
 * rmdir respectively.  A @kind this file does not define is logged and
 * allowed (returns 0) once the directory check has passed, so the
 * MAY_* constants and this dispatch must be kept in sync.  Returns 0 on
 * success, otherwise a negative errno from the AVC.
 */
static int may_link(struct inode *dir,
		    struct dentry *dentry,
		    int kind)

{
	const struct inode_security_struct *dsec = inode_security(dir);
	const struct inode_security_struct *isec = backing_inode_security(dentry);
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = dentry,
	};
	u32 sid = current_sid();
	u32 dir_av = DIR__SEARCH | (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
	u32 obj_av;
	int rc;

	rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, dir_av, &ad);
	if (rc)
		return rc;

	if (kind == MAY_LINK) {
		obj_av = FILE__LINK;
	} else if (kind == MAY_UNLINK) {
		obj_av = FILE__UNLINK;
	} else if (kind == MAY_RMDIR) {
		obj_av = DIR__RMDIR;
	} else {
		/* Unknown kind: warn, but do not deny. */
		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
			__func__, kind);
		return 0;
	}

	return avc_has_perm(sid, isec->sid, isec->sclass, obj_av, &ad);
}
1966 
/*
 * Check whether the current task may rename @old_dentry (in @old_dir)
 * to @new_dentry (in @new_dir).
 *
 * Source side: dir:{remove_name search} on @old_dir and rename on the
 * object; a directory moving to a different parent additionally needs
 * dir:reparent.  Destination side: dir:{add_name search} on @new_dir,
 * plus remove_name when @new_dentry already exists, in which case the
 * existing target must also grant rmdir (directory) or unlink (other).
 * Audit data names the old dentry for source-side checks and the new
 * dentry for destination-side ones.  Returns 0 if every check passes,
 * otherwise the first negative errno.
 */
static inline int may_rename(struct inode *old_dir,
			     struct dentry *old_dentry,
			     struct inode *new_dir,
			     struct dentry *new_dentry)
{
	const struct inode_security_struct *old_dsec = inode_security(old_dir);
	const struct inode_security_struct *old_isec =
		backing_inode_security(old_dentry);
	const struct inode_security_struct *new_dsec = inode_security(new_dir);
	const struct inode_security_struct *new_isec;
	struct common_audit_data ad = { .type = LSM_AUDIT_DATA_DENTRY };
	u32 sid = current_sid();
	u32 dst_av = DIR__ADD_NAME | DIR__SEARCH;
	bool target_exists = d_is_positive(new_dentry);
	int rc;

	/* Source side, audited against the old dentry. */
	ad.u.dentry = old_dentry;
	rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);
	if (rc)
		return rc;
	rc = avc_has_perm(sid, old_isec->sid, old_isec->sclass,
			  FILE__RENAME, &ad);
	if (rc)
		return rc;
	if (d_is_dir(old_dentry) && new_dir != old_dir) {
		/* Moving a directory under a new parent is a reparent. */
		rc = avc_has_perm(sid, old_isec->sid, old_isec->sclass,
				  DIR__REPARENT, &ad);
		if (rc)
			return rc;
	}

	/* Destination side, audited against the new dentry. */
	ad.u.dentry = new_dentry;
	if (target_exists)
		dst_av |= DIR__REMOVE_NAME;
	rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, dst_av, &ad);
	if (rc)
		return rc;
	if (!target_exists)
		return 0;

	/* Replacing an existing target amounts to removing it. */
	new_isec = backing_inode_security(new_dentry);
	return avc_has_perm(sid, new_isec->sid, new_isec->sclass,
			    d_is_dir(new_dentry) ? DIR__RMDIR : FILE__UNLINK,
			    &ad);
}
2021 
/*
 * Check whether @cred holds the filesystem-class permissions @perms on
 * the superblock @sb.  @ad is optional audit data passed through to the
 * AVC.  Returns 0 if permitted, otherwise a negative errno.
 */
static int superblock_has_perm(const struct cred *cred,
			       struct super_block *sb,
			       u32 perms,
			       struct common_audit_data *ad)
{
	const struct superblock_security_struct *sbsec = sb->s_security;

	return avc_has_perm(cred_sid(cred), sbsec->sid, SECCLASS_FILESYSTEM,
			    perms, ad);
}
2034 
/*
 * Translate a generic permission @mask (MAY_READ/MAY_WRITE/MAY_EXEC/
 * MAY_APPEND) against an inode of mode @mode into an access vector.
 *
 * Directories use the dir-class bits (read/write/search); everything
 * else uses the file-class bits.  For non-directories MAY_APPEND takes
 * precedence over MAY_WRITE, so an append request yields append rather
 * than the broader write permission.
 */
static inline u32 file_mask_to_av(int mode, int mask)
{
	u32 av = 0;

	if (S_ISDIR(mode)) {
		if (mask & MAY_READ)
			av |= DIR__READ;
		if (mask & MAY_WRITE)
			av |= DIR__WRITE;
		if (mask & MAY_EXEC)
			av |= DIR__SEARCH;
		return av;
	}

	if (mask & MAY_READ)
		av |= FILE__READ;
	if (mask & MAY_EXEC)
		av |= FILE__EXECUTE;

	/* Append, when requested, stands in for write. */
	if (mask & MAY_APPEND)
		av |= FILE__APPEND;
	else if (mask & MAY_WRITE)
		av |= FILE__WRITE;

	return av;
}
2062 
/*
 * Derive the access vector implied by how @file was opened: read for
 * FMODE_READ, append or write for FMODE_WRITE depending on O_APPEND.
 * A file with neither mode set (opened with flags 3, ioctl-only) maps
 * to FILE__IOCTL so that it is never checked against an empty vector.
 */
static inline u32 file_to_av(struct file *file)
{
	bool readable = file->f_mode & FMODE_READ;
	bool writable = file->f_mode & FMODE_WRITE;
	bool append_only = file->f_flags & O_APPEND;
	u32 av = 0;

	if (readable)
		av |= FILE__READ;
	if (writable)
		av |= append_only ? FILE__APPEND : FILE__WRITE;

	/* Special file opened with flags 3 for ioctl-only use. */
	return av ? av : FILE__IOCTL;
}
2085 
/*
 * Like file_to_av(), but also include the open permission where it
 * applies: only when the loaded policy declares the openperm capability
 * (selinux_policycap_openperm) and the object is not a socket inode
 * (SOCKFS_MAGIC), which has no open permission.
 */
static inline u32 open_file_to_av(struct file *file)
{
	const struct inode *inode = file_inode(file);
	u32 av = file_to_av(file);

	if (inode->i_sb->s_magic == SOCKFS_MAGIC || !selinux_policycap_openperm)
		return av;

	return av | FILE__OPEN;
}
2100 
2101 /* Hook functions begin here. */
2102 
/*
 * Binder hook: may the current task make @mgr the binder context
 * manager?  Requires binder:set_context_mgr from the caller's SID to
 * the manager's SID.  Returns 0 if allowed, else a negative errno.
 */
static int selinux_binder_set_context_mgr(struct task_struct *mgr)
{
	u32 callersid = current_sid();

	return avc_has_perm(callersid, task_sid(mgr), SECCLASS_BINDER,
			    BINDER__SET_CONTEXT_MGR, NULL);
}
2111 
/*
 * Binder hook: may a transaction flow from task @from to task @to?
 *
 * When the calling task is not @from it is acting on another task's
 * behalf and must first hold binder:impersonate towards @from's SID.
 * The transaction itself then needs binder:call from @from to @to.
 * Returns 0 if allowed, else the first negative errno.
 */
static int selinux_binder_transaction(struct task_struct *from,
				      struct task_struct *to)
{
	u32 callersid = current_sid();
	u32 fromsid = task_sid(from);
	u32 tosid = task_sid(to);

	if (callersid != fromsid) {
		int rc = avc_has_perm(callersid, fromsid, SECCLASS_BINDER,
				      BINDER__IMPERSONATE, NULL);
		if (rc)
			return rc;
	}

	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
			    NULL);
}
2130 
/*
 * Binder hook: may task @from hand a binder reference to task @to?
 * Requires binder:transfer from @from's SID to @to's SID.
 * Returns 0 if allowed, else a negative errno.
 */
static int selinux_binder_transfer_binder(struct task_struct *from,
					  struct task_struct *to)
{
	u32 fromsid = task_sid(from);

	return avc_has_perm(fromsid, task_sid(to), SECCLASS_BINDER,
			    BINDER__TRANSFER, NULL);
}
2140 
/*
 * Binder hook: may the open file @file be passed from task @from to
 * task @to?
 *
 * The checks are made from the receiver's point of view (@from is not
 * consulted): @to needs fd:use on the descriptor unless the descriptor
 * already carries @to's SID, and then needs, on the file's inode, the
 * permissions implied by the file's open mode (file_to_av()).  Inodes
 * flagged IS_PRIVATE skip the inode check.  Audit data records the
 * file's path.  Returns 0 if allowed, else the first negative errno.
 */
static int selinux_binder_transfer_file(struct task_struct *from,
					struct task_struct *to,
					struct file *file)
{
	const struct file_security_struct *fsec = file->f_security;
	struct dentry *dentry = file->f_path.dentry;
	const struct inode_security_struct *isec;
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_PATH,
		.u.path = file->f_path,
	};
	u32 recvsid = task_sid(to);
	int rc;

	/* Descriptor use is implicit when its SID matches the receiver's. */
	if (recvsid != fsec->sid) {
		rc = avc_has_perm(recvsid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
		if (rc)
			return rc;
	}

	/* Private inodes are outside policy control. */
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;

	isec = backing_inode_security(dentry);
	return avc_has_perm(recvsid, isec->sid, isec->sclass, file_to_av(file),
			    &ad);
}
2171 
/*
 * ptrace hook: may the current task inspect or attach to @child?
 *
 * A read-only request (PTRACE_MODE_READ set in @mode) is checked as
 * file:read against the child's SID; any other mode requires the much
 * stronger process:ptrace.  Returns 0 if allowed, else a negative errno.
 */
static int selinux_ptrace_access_check(struct task_struct *child,
				     unsigned int mode)
{
	u32 sid = current_sid();
	u32 csid = task_sid(child);
	bool read_only = mode & PTRACE_MODE_READ;

	if (read_only)
		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);

	return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
}
2183 
/*
 * ptrace hook for PTRACE_TRACEME: the current task is asking @parent to
 * trace it, so the check is process:ptrace from @parent's SID to the
 * current SID (the prospective tracer is the subject).
 * Returns 0 if allowed, else a negative errno.
 */
static int selinux_ptrace_traceme(struct task_struct *parent)
{
	u32 tracersid = task_sid(parent);
	u32 traceesid = current_sid();

	return avc_has_perm(tracersid, traceesid, SECCLASS_PROCESS,
			    PROCESS__PTRACE, NULL);
}
2189 
/*
 * capget hook: may the current task read @target's capability sets?
 * The three set pointers are not examined; a single process:getcap
 * check from the current SID to @target's SID covers all of them.
 * Returns 0 if allowed, else a negative errno.
 */
static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
			  kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	u32 targetsid = task_sid(target);

	return avc_has_perm(current_sid(), targetsid, SECCLASS_PROCESS,
			    PROCESS__GETCAP, NULL);
}
2196 
/*
 * capset hook: may credentials @old be changed into @new with the given
 * capability sets?  The requested sets themselves are not inspected;
 * the check is process:setcap from @old's SID to @new's SID.
 * Returns 0 if allowed, else a negative errno.
 */
static int selinux_capset(struct cred *new, const struct cred *old,
			  const kernel_cap_t *effective,
			  const kernel_cap_t *inheritable,
			  const kernel_cap_t *permitted)
{
	u32 oldsid = cred_sid(old);
	u32 newsid = cred_sid(new);

	return avc_has_perm(oldsid, newsid, SECCLASS_PROCESS, PROCESS__SETCAP,
			    NULL);
}
2205 
2206 /*
2207  * (This comment used to live with the selinux_task_setuid hook,
2208  * which was removed).
2209  *
2210  * Since setuid only affects the current process, and since the SELinux
2211  * controls are not based on the Linux identity attributes, SELinux does not
2212  * need to control this operation.  However, SELinux does control the use of
2213  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2214  */
2215 
/*
 * capable hook: may @cred use capability @cap in user namespace @ns?
 * Delegates to cred_has_capability(); @ns only decides whether the
 * initial-namespace capability classes or the *_USERNS classes apply.
 * @audit is passed through unchanged.
 */
static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
			   int cap, int audit)
{
	bool initns = (ns == &init_user_ns);

	return cred_has_capability(cred, cap, audit, initns);
}
2221 
/*
 * quotactl hook: map the quota command @cmds onto filesystem:quotamod
 * (state-changing commands) or filesystem:quotaget (queries) against
 * @sb.  A NULL superblock or a command not listed here returns 0; the
 * quota core is left to reject invalid commands itself.  @type and @id
 * do not influence the decision.
 */
static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
{
	const struct cred *cred = current_cred();
	u32 perm;

	if (!sb)
		return 0;

	switch (cmds) {
	case Q_SYNC:
	case Q_QUOTAON:
	case Q_QUOTAOFF:
	case Q_SETINFO:
	case Q_SETQUOTA:
		perm = FILESYSTEM__QUOTAMOD;
		break;
	case Q_GETFMT:
	case Q_GETINFO:
	case Q_GETQUOTA:
		perm = FILESYSTEM__QUOTAGET;
		break;
	default:
		/* let the kernel handle invalid cmds */
		return 0;
	}

	return superblock_has_perm(cred, sb, perm, NULL);
}
2249 
/*
 * quota_on hook: may the current task enable quotas using the quota
 * file at @dentry?  Requires file:quotaon on that file.
 */
static int selinux_quota_on(struct dentry *dentry)
{
	return dentry_has_perm(current_cred(), dentry, FILE__QUOTAON);
}
2256 
/*
 * syslog hook: map the syslog(2) action @type onto a system-class
 * permission checked from the current SID to the kernel SID:
 * reading the log or its size needs syslog_read, console control needs
 * syslog_console, and every other action is treated as a modification
 * needing syslog_mod.  Returns 0 if allowed, else a negative errno.
 */
static int selinux_syslog(int type)
{
	u32 perm;

	switch (type) {
	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */
		perm = SYSTEM__SYSLOG_READ;
		break;
	case SYSLOG_ACTION_CONSOLE_OFF:	/* Disable logging to console */
	case SYSLOG_ACTION_CONSOLE_ON:	/* Enable logging to console */
	case SYSLOG_ACTION_CONSOLE_LEVEL: /* Set console message level */
		perm = SYSTEM__SYSLOG_CONSOLE;
		break;
	default:			/* All other syslog types */
		perm = SYSTEM__SYSLOG_MOD;
		break;
	}

	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
			    perm, NULL);
}
2276 
/*
 * vm_enough_memory hook.
 *
 * This function does not measure free memory itself: it returns 1 when
 * the current task holds CAP_SYS_ADMIN under SELinux policy and 0
 * otherwise.  @mm and @pages are not used.  The capability check is
 * deliberately unaudited (SECURITY_CAP_NOAUDIT) because every process
 * that creates a mapping passes through here and a denial is routine.
 *
 * NOTE(review): the earlier header described the result as
 * "0 = enough memory, -ENOMEM = not", which does not match the 1/0 value
 * returned below; presumably the LSM core folds this into its own
 * overcommit accounting as a cap_sys_admin flag — confirm against
 * security_vm_enough_memory_mm() before relying on either reading.
 */
static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
{
	int rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
				     SECURITY_CAP_NOAUDIT, true);

	return rc == 0 ? 1 : 0;
}
2296 
2297 /* binprm security operations */
2298 
/*
 * Return the SID of the task currently tracing the caller, or 0 when
 * the caller is not being ptraced.  The tracer is looked up under
 * rcu_read_lock() and only its SID is carried out of the RCU section.
 */
static u32 ptrace_parent_sid(void)
{
	struct task_struct *tracer;
	u32 sid;

	rcu_read_lock();
	tracer = ptrace_parent(current);
	sid = tracer ? task_sid(tracer) : 0;
	rcu_read_unlock();

	return sid;
}
2312 
/*
 * Enforce the no_new_privs and nosuid restrictions on an exec-time
 * domain transition from @old_tsec->sid to @new_tsec->sid.
 *
 * If the task has NNP set (LSM_UNSAFE_NO_NEW_PRIVS in @bprm->unsafe) or
 * the executable's mount disallows suid (mnt_may_suid() is false), the
 * only transitions permitted are to SIDs the policy declares bounded by
 * the old SID, i.e. guaranteed to hold a subset of its permissions.
 * No transition, or neither restriction, passes trivially.
 *
 * Returns 0 if allowed.  On a rejected transition the errno tells the
 * two cases apart: -EPERM when NNP is set (operation not permitted for
 * the caller), -EACCES when only nosuid applies (permission denied to
 * the file).
 */
static int check_nnp_nosuid(const struct linux_binprm *bprm,
			    const struct task_security_struct *old_tsec,
			    const struct task_security_struct *new_tsec)
{
	bool nnp = bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS;
	bool nosuid = !mnt_may_suid(bprm->file->f_path.mnt);

	/* Neither NNP nor nosuid: nothing to enforce. */
	if (!nnp && !nosuid)
		return 0;

	/* No change in credentials. */
	if (new_tsec->sid == old_tsec->sid)
		return 0;

	/* A bounded transition cannot gain privilege, so it is allowed. */
	if (security_bounded_transition(old_tsec->sid, new_tsec->sid) == 0)
		return 0;

	/* NNP takes precedence in the errno choice when both apply. */
	return nnp ? -EPERM : -EACCES;
}
2347 
/*
 * bprm_set_creds hook: choose the SID the exec'd image will run under and
 * verify that the caller's domain is allowed to enter it.
 *
 * bprm->cred->security is the not-yet-live credential state being prepared
 * for the new image; current_security() is the caller's (old) task state.
 *
 * Returns 0 on success or a negative errno, which aborts the exec.
 */
static int selinux_bprm_set_creds(struct linux_binprm *bprm)
{
	const struct task_security_struct *old_tsec;
	struct task_security_struct *new_tsec;
	struct inode_security_struct *isec;
	struct common_audit_data ad;
	struct inode *inode = file_inode(bprm->file);
	int rc;

	/* SELinux context only depends on initial program or script and not
	 * the script interpreter */
	if (bprm->cred_prepared)
		return 0;

	old_tsec = current_security();
	new_tsec = bprm->cred->security;
	isec = inode_security(inode);

	/* Default to the current task SID. */
	new_tsec->sid = old_tsec->sid;
	/* osid keeps the pre-exec SID; the committing/committed hooks compare
	 * it against sid to detect that a domain transition happened. */
	new_tsec->osid = old_tsec->sid;

	/* Reset fs, key, and sock SIDs on execve. */
	new_tsec->create_sid = 0;
	new_tsec->keycreate_sid = 0;
	new_tsec->sockcreate_sid = 0;

	if (old_tsec->exec_sid) {
		/* An explicitly requested exec SID is mandatory: if it cannot
		 * be honoured the exec fails rather than silently downgrading. */
		new_tsec->sid = old_tsec->exec_sid;
		/* Reset exec SID on execve. */
		new_tsec->exec_sid = 0;

		/* Fail on NNP or nosuid if not an allowed transition. */
		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
		if (rc)
			return rc;
	} else {
		/* Check for a default transition on this program. */
		rc = security_transition_sid(old_tsec->sid, isec->sid,
					     SECCLASS_PROCESS, NULL,
					     &new_tsec->sid);
		if (rc)
			return rc;

		/*
		 * Fallback to old SID on NNP or nosuid if not an allowed
		 * transition.  A policy default transition is best-effort,
		 * so the exec proceeds in the caller's own domain instead.
		 */
		rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
		if (rc)
			new_tsec->sid = old_tsec->sid;
	}

	/* Audit records for the file checks below name the executable. */
	ad.type = LSM_AUDIT_DATA_FILE;
	ad.u.file = bprm->file;

	if (new_tsec->sid == old_tsec->sid) {
		/* No transition: the domain still needs permission to run
		 * this file without one. */
		rc = avc_has_perm(old_tsec->sid, isec->sid,
				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
		if (rc)
			return rc;
	} else {
		/* Check permissions for the transition. */
		rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
				  SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
		if (rc)
			return rc;

		/* ... and this particular file must be a valid entry point
		 * into the new domain. */
		rc = avc_has_perm(new_tsec->sid, isec->sid,
				  SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
		if (rc)
			return rc;

		/* Check for shared state */
		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
			/* Denied sharing is reported as -EPERM, not the AVC
			 * result, and carries no file audit data. */
			rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
					  SECCLASS_PROCESS, PROCESS__SHARE,
					  NULL);
			if (rc)
				return -EPERM;
		}

		/* Make sure that anyone attempting to ptrace over a task that
		 * changes its SID has the appropriate permit */
		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
			u32 ptsid = ptrace_parent_sid();
			if (ptsid != 0) {
				/* The tracer must be allowed to ptrace the
				 * NEW domain, not just the old one. */
				rc = avc_has_perm(ptsid, new_tsec->sid,
						  SECCLASS_PROCESS,
						  PROCESS__PTRACE, NULL);
				if (rc)
					return -EPERM;
			}
		}

		/* Clear any possibly unsafe personality bits on exec: */
		bprm->per_clear |= PER_CLEAR_ON_SETID;
	}

	return 0;
}
2449 
/*
 * bprm_secureexec hook: report whether the exec'd image must start in
 * secure mode (AT_SECURE), which makes the dynamic loader ignore
 * environment-driven behaviour such as preload paths.
 *
 * Returns 1 to request secure mode, 0 otherwise.
 */
static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{
	const struct task_security_struct *tsec = current_security();

	/* No domain change on this exec: nothing to protect against. */
	if (tsec->osid == tsec->sid)
		return 0;

	/*
	 * A SID transition enables secure mode unless policy grants
	 * noatsecure from the old SID to the new one, in which case
	 * avc_has_perm() returns 0 and we stay in normal mode.
	 */
	return avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
			    PROCESS__NOATSECURE, NULL) ? 1 : 0;
}
2470 
/*
 * iterate_fd() callback used by flush_unauthorized_files().
 *
 * @p is the new credential set.  Returns fd + 1 for a descriptor the new
 * credentials are NOT permitted to use (so the caller can recover the fd
 * number from a non-zero result) and 0 to keep scanning.
 */
static int match_file(const void *p, struct file *file, unsigned fd)
{
	const struct cred *cred = p;

	if (file_has_perm(cred, file, file_to_av(file)))
		return fd + 1;
	return 0;
}
2475 
/* Derived from fs/exec.c:flush_old_files.
 *
 * Revalidate the controlling tty and every inherited open file against the
 * new credentials @cred.  Files the new SID may not access are swapped for
 * selinux_null (/dev/null) so descriptor numbers stay valid for the new
 * image; an inaccessible controlling tty is dropped via no_tty().
 */
static inline void flush_unauthorized_files(const struct cred *cred,
					    struct files_struct *files)
{
	struct file *file, *devnull = NULL;
	struct tty_struct *tty;
	int drop_tty = 0;
	unsigned n;

	tty = get_current_tty();
	if (tty) {
		spin_lock(&tty->files_lock);
		if (!list_empty(&tty->tty_files)) {
			struct tty_file_private *file_priv;

			/* Revalidate access to controlling tty.
			   Use file_path_has_perm on the tty path directly
			   rather than using file_has_perm, as this particular
			   open file may belong to another process and we are
			   only interested in the inode-based check here. */
			file_priv = list_first_entry(&tty->tty_files,
						struct tty_file_private, list);
			file = file_priv->file;
			/* Both read and write are required to keep the tty. */
			if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
				drop_tty = 1;
		}
		spin_unlock(&tty->files_lock);
		tty_kref_put(tty);
	}
	/* Reset controlling tty.  Done after the lock and reference are
	 * released, not under files_lock. */
	if (drop_tty)
		no_tty();

	/* Revalidate access to inherited open files.  match_file() returns
	 * fd + 1 for the first denied descriptor, or 0 if none is denied. */
	n = iterate_fd(files, 0, match_file, cred);
	if (!n) /* none found? */
		return;

	/* NOTE(review): if selinux_null cannot be opened, devnull stays NULL
	 * and replace_fd() is handed a NULL file for each denied descriptor;
	 * presumably that closes the fd rather than leaving it open - confirm
	 * against fs/file.c. */
	devnull = dentry_open(&selinux_null, O_RDWR, cred);
	if (IS_ERR(devnull))
		devnull = NULL;
	/* replace all the matching ones with this; the scan resumes at n,
	 * i.e. just past the descriptor we have just replaced. */
	do {
		replace_fd(n - 1, devnull, 0);
	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
	/* replace_fd() takes its own reference; drop ours. */
	if (devnull)
		fput(devnull);
}
2524 
2525 /*
2526  * Prepare a process for imminent new credential changes due to exec
2527  */
2528 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2529 {
2530         struct task_security_struct *new_tsec;
2531         struct rlimit *rlim, *initrlim;
2532         int rc, i;
2533 
2534         new_tsec = bprm->cred->security;
2535         if (new_tsec->sid == new_tsec->osid)
2536                 return;
2537 
2538         /* Close files for which the new task SID is not authorized. */
2539         flush_unauthorized_files(bprm->cred, current->files);
2540 
2541         /* Always clear parent death signal on SID transitions. */
2542         current->pdeath_signal = 0;
2543 
2544         /* Check whether the new SID can inherit resource limits from the old
2545          * SID.  If not, reset all soft limits to the lower of the current
2546          * task's hard limit and the init task's soft limit.
2547          *
2548          * Note that the setting of hard limits (even to lower them) can be
2549          * controlled by the setrlimit check.  The inclusion of the init task's
2550          * soft limit into the computation is to avoid resetting soft limits
2551          * higher than the default soft limit for cases where the default is
2552          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2553          */
2554         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2555                           PROCESS__RLIMITINH, NULL);
2556         if (rc) {
2557                 /* protect against do_prlimit() */
2558                 task_lock(current);
2559                 for (i = 0; i < RLIM_NLIMITS; i++) {
2560                         rlim = current->signal->rlim + i;
2561                         initrlim = init_task.signal->rlim + i;
2562                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2563                 }
2564                 task_unlock(current);
2565                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2566                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2567         }
2568 }
2569 
2570 /*
2571  * Clean up the process immediately after the installation of new credentials
2572  * due to exec
2573  */
2574 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2575 {
2576         const struct task_security_struct *tsec = current_security();
2577         struct itimerval itimer;
2578         u32 osid, sid;
2579         int rc, i;
2580 
2581         osid = tsec->osid;
2582         sid = tsec->sid;
2583 
2584         if (sid == osid)
2585                 return;
2586 
2587         /* Check whether the new SID can inherit signal state from the old SID.
2588          * If not, clear itimers to avoid subsequent signal generation and
2589          * flush and unblock signals.
2590          *
2591          * This must occur _after_ the task SID has been updated so that any
2592          * kill done after the flush will be checked against the new SID.
2593          */
2594         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2595         if (rc) {
2596                 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2597                         memset(&itimer, 0, sizeof itimer);
2598                         for (i = 0; i < 3; i++)
2599                                 do_setitimer(i, &itimer, NULL);
2600                 }
2601                 spin_lock_irq(&current->sighand->siglock);
2602                 if (!fatal_signal_pending(current)) {
2603                         flush_sigqueue(&current->pending);
2604                         flush_sigqueue(&current->signal->shared_pending);
2605                         flush_signal_handlers(current, 1);
2606                         sigemptyset(&current->blocked);
2607                         recalc_sigpending();
2608                 }
2609                 spin_unlock_irq(&current->sighand->siglock);
2610         }
2611 
2612         /* Wake up the parent if it is waiting so that it can recheck
2613          * wait permission to the new task SID. */
2614         read_lock(&tasklist_lock);
2615         __wake_up_parent(current, current->real_parent);
2616         read_unlock(&tasklist_lock);
2617 }
2618 
2619 /* superblock security operations */
2620 
/* sb_alloc_security hook: attach SELinux per-superblock state to @sb. */
static int selinux_sb_alloc_security(struct super_block *sb)
{
	int rc;

	rc = superblock_alloc_security(sb);
	return rc;
}
2625 
/* sb_free_security hook: release the per-superblock state of @sb. */
static void selinux_sb_free_security(struct super_block *sb)
{
	/* Thin wrapper; the real work is in superblock_free_security(). */
	superblock_free_security(sb);
	return;
}
2630 
/*
 * Does the @olen-byte mount option @option begin with the @plen-byte
 * @prefix?  Neither buffer needs to be NUL-terminated; memcmp is used so a
 * prefix longer than the option can never read past the option.
 */
static inline int match_prefix(char *prefix, int plen, char *option, int olen)
{
	return plen <= olen && memcmp(prefix, option, plen) == 0;
}
2638 
/*
 * Is the @len-byte mount option @option one of the SELinux-specific
 * options (context=, fscontext=, defcontext=, rootcontext=, seclabel)?
 * Returns non-zero if so.  Only the option name prefix is examined.
 */
static inline int selinux_option(char *option, int len)
{
	if (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len))
		return 1;
	if (match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len))
		return 1;
	if (match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len))
		return 1;
	if (match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len))
		return 1;
	if (match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len))
		return 1;
	return 0;
}
2647 
/*
 * Append the @len-byte option @from to the output cursor *@to, separating
 * it from any previous option with ','.  *@first is 1 before the first
 * option is written and is cleared here; *@to is advanced past the copy.
 * No NUL is written; the caller owns termination.
 */
static inline void take_option(char **to, char *from, int *first, int len)
{
	char *dst = *to;

	if (*first)
		*first = 0;
	else
		*dst++ = ',';

	memcpy(dst, from, len);
	*to = dst + len;
}
2658 
/*
 * Append the @len-byte SELinux option @from to the output cursor *@to,
 * separating it from any previous option with '|' and dropping every '"'
 * character so a quoted context value arrives unquoted.  *@first is 1
 * before the first option is written and is cleared here; *@to ends up
 * just past the copied bytes.  No NUL is written.
 */
static inline void take_selinux_option(char **to, char *from, int *first,
				       int len)
{
	char *dst = *to;
	int i;

	if (*first)
		*first = 0;
	else
		*dst++ = '|';

	for (i = 0; i < len; i++) {
		if (from[i] != '"')
			*dst++ = from[i];
	}
	*to = dst;
}
2679 
/*
 * Split the comma-separated mount option string @orig into two streams:
 * SELinux options go to @copy ('|'-separated, quotes stripped) and all other
 * options are written back into @orig (','-separated), so the filesystem
 * never sees the SELinux ones.  Commas inside double quotes do not split.
 *
 * Returns 0, or -ENOMEM if the scratch page cannot be allocated.
 */
static int selinux_sb_copy_data(char *orig, char *copy)
{
	char *nosec_page, *nosec_cur, *sec_cur = copy;
	char *start, *p;
	int first_nosec = 1, first_sec = 1;
	int in_quote = 0;

	nosec_page = (char *)get_zeroed_page(GFP_KERNEL);
	if (!nosec_page)
		return -ENOMEM;
	nosec_cur = nosec_page;

	start = orig;
	for (p = orig; ; p++) {
		char c = *p;

		if (c == '"')
			in_quote = !in_quote;

		/* An unquoted comma or the terminator ends the option. */
		if (c == '\0' || (c == ',' && !in_quote)) {
			int len = p - start;

			if (selinux_option(start, len))
				take_selinux_option(&sec_cur, start,
						    &first_sec, len);
			else
				take_option(&nosec_cur, start,
					    &first_nosec, len);
			start = p + 1;
		}
		if (c == '\0')
			break;
	}

	/* The filtered option list is never longer than the original. */
	strcpy(orig, nosec_page);
	free_page((unsigned long)nosec_page);
	return 0;
}
2721 
/*
 * Does remount option @kind with value @sid conflict with the label the
 * superblock already carries?  Returns 1 on conflict, 0 if it is consistent
 * with the current state and -1 for an option kind we do not handle.
 */
static int remount_option_conflicts(struct super_block *sb,
				    struct superblock_security_struct *sbsec,
				    int kind, u32 sid)
{
	u32 have_sid;

	switch (kind) {
	case FSCONTEXT_MNT:
		have_sid = sbsec->sid;
		break;
	case CONTEXT_MNT:
		have_sid = sbsec->mntpoint_sid;
		break;
	case ROOTCONTEXT_MNT:
		have_sid = backing_inode_security(sb->s_root)->sid;
		break;
	case DEFCONTEXT_MNT:
		have_sid = sbsec->def_sid;
		break;
	default:
		return -1;
	}
	return bad_option(sbsec, kind, have_sid, sid) ? 1 : 0;
}

/*
 * sb_remount hook: a remount may repeat the SELinux mount options the
 * superblock was mounted with, but may not change them.  Parse the option
 * string in @data and reject (-EINVAL) any context option whose SID differs
 * from the one already recorded on the superblock.
 *
 * Returns 0 if there is nothing to check or all options agree, -ENOMEM on
 * allocation failure, or the error from parsing/translating an option.
 */
static int selinux_sb_remount(struct super_block *sb, void *data)
{
	struct superblock_security_struct *sbsec = sb->s_security;
	struct security_mnt_opts opts;
	char *secdata;
	int rc, i;

	/* Uninitialised sb, no options, or binary option data: nothing to
	 * compare against. */
	if (!(sbsec->flags & SE_SBINITIALIZED) || !data ||
	    (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA))
		return 0;

	security_init_mnt_opts(&opts);
	secdata = alloc_secdata();
	if (!secdata)
		return -ENOMEM;

	rc = selinux_sb_copy_data(data, secdata);
	if (rc)
		goto out_secdata;
	rc = selinux_parse_opts_str(secdata, &opts);
	if (rc)
		goto out_secdata;

	for (i = 0; i < opts.num_mnt_opts; i++) {
		int kind = opts.mnt_opts_flags[i];
		u32 sid;

		/* seclabel carries no context to compare. */
		if (kind == SBLABEL_MNT)
			continue;

		rc = security_context_str_to_sid(opts.mnt_opts[i], &sid,
						 GFP_KERNEL);
		if (rc) {
			printk(KERN_WARNING "SELinux: security_context_str_to_sid"
			       "(%s) failed for (dev %s, type %s) errno=%d\n",
			       opts.mnt_opts[i], sb->s_id, sb->s_type->name, rc);
			goto out_opts;
		}

		switch (remount_option_conflicts(sb, sbsec, kind, sid)) {
		case 0:
			break;
		case 1:
			printk(KERN_WARNING "SELinux: unable to change security options "
			       "during remount (dev %s, type=%s)\n", sb->s_id,
			       sb->s_type->name);
			/* fall through */
		default:
			rc = -EINVAL;
			goto out_opts;
		}
	}
	rc = 0;

out_opts:
	security_free_mnt_opts(&opts);
out_secdata:
	free_secdata(secdata);
	return rc;
}
2804 
/*
 * sb_kern_mount hook: label the superblock from its mount options, then
 * check that the caller may mount it.  Mounts done by the kernel itself
 * (MS_KERNMOUNT) skip the permission check.
 *
 * Returns 0 or a negative errno.
 */
static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
	struct common_audit_data ad;
	int rc = superblock_doinit(sb, data);

	if (rc)
		return rc;

	/* Allow all mounts performed by the kernel */
	if (flags & MS_KERNMOUNT)
		return 0;

	ad.type = LSM_AUDIT_DATA_DENTRY;
	ad.u.dentry = sb->s_root;
	return superblock_has_perm(current_cred(), sb, FILESYSTEM__MOUNT, &ad);
}
2823 
/*
 * sb_statfs hook: statfs() needs filesystem:getattr on the superblock of
 * @dentry; the audit record names the filesystem root.
 */
static int selinux_sb_statfs(struct dentry *dentry)
{
	struct super_block *sb = dentry->d_sb;
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_DENTRY,
		.u.dentry = sb->s_root,
	};

	return superblock_has_perm(current_cred(), sb, FILESYSTEM__GETATTR, &ad);
}
2833 
/*
 * mount hook, called before the mount is performed.  A remount is a
 * filesystem-level operation on the existing superblock (filesystem:remount);
 * a new mount is checked against the mount point itself (file:mounton).
 */
static int selinux_mount(const char *dev_name, const struct path *path,
			 const char *type, unsigned long flags, void *data)
{
	const struct cred *cred = current_cred();

	if (flags & MS_REMOUNT)
		return superblock_has_perm(cred, path->dentry->d_sb,
					   FILESYSTEM__REMOUNT, NULL);

	return path_has_perm(cred, path, FILE__MOUNTON);
}
2848 
/* umount hook: filesystem:unmount on the superblock being unmounted. */
static int selinux_umount(struct vfsmount *mnt, int flags)
{
	struct super_block *sb = mnt->mnt_sb;

	return superblock_has_perm(current_cred(), sb, FILESYSTEM__UNMOUNT, NULL);
}
2856 
2857 /* inode security operations */
2858 
/* inode_alloc_security hook: attach SELinux per-inode state to @inode. */
static int selinux_inode_alloc_security(struct inode *inode)
{
	int rc;

	rc = inode_alloc_security(inode);
	return rc;
}
2863 
/* inode_free_security hook: release the per-inode state of @inode. */
static void selinux_inode_free_security(struct inode *inode)
{
	/* Thin wrapper; the real work is in inode_free_security(). */
	inode_free_security(inode);
	return;
}
2868 
/*
 * dentry_init_security hook: compute the label a new object named @name
 * with mode @mode would receive under @dentry's parent, for the current
 * task, and return it as a context string in *@ctx / *@ctxlen.
 *
 * Returns 0 or a negative errno.
 */
static int selinux_dentry_init_security(struct dentry *dentry, int mode,
					const struct qstr *name, void **ctx,
					u32 *ctxlen)
{
	struct inode *parent = d_inode(dentry->d_parent);
	u32 newsid;
	int rc;

	rc = selinux_determine_inode_label(current_security(), parent, name,
					   inode_mode_to_security_class(mode),
					   &newsid);
	if (rc)
		return rc;

	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
}
2885 
/*
 * dentry_create_files_as hook: work out the label that @old's task would
 * give a new object @name/@mode under @dentry's parent, and arm @new's
 * create_sid with it so files created under @new get that label.
 *
 * Returns 0 or a negative errno.
 */
static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
					  struct qstr *name,
					  const struct cred *old,
					  struct cred *new)
{
	struct inode *parent = d_inode(dentry->d_parent);
	struct task_security_struct *new_tsec = new->security;
	u32 newsid;
	int rc;

	rc = selinux_determine_inode_label(old->security, parent, name,
					   inode_mode_to_security_class(mode),
					   &newsid);
	if (rc)
		return rc;

	new_tsec->create_sid = newsid;
	return 0;
}
2906 
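/*
 * inode_init_security hook: label a newly created @inode in @dir and hand
 * the filesystem the security.selinux xattr to persist.
 *
 * The in-core label is set immediately if the superblock is already
 * initialised.  The xattr name/value are only produced when the policy is
 * loaded and the superblock supports labelling; otherwise -EOPNOTSUPP tells
 * the caller there is no xattr to write (the in-core label still stands).
 *
 * On success *@value is a context string the caller must kfree().
 */
static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
				       const struct qstr *qstr,
				       const char **name,
				       void **value, size_t *len)
{
	const struct task_security_struct *tsec = current_security();
	struct superblock_security_struct *sbsec = dir->i_sb->s_security;
	u32 newsid, clen;
	int rc;
	char *context;

	/* Start from any explicit fscreate SID of the task;
	 * selinux_determine_inode_label() may override it. */
	newsid = tsec->create_sid;

	rc = selinux_determine_inode_label(tsec, dir, qstr,
					   inode_mode_to_security_class(inode->i_mode),
					   &newsid);
	if (rc)
		return rc;

	/* Possibly defer initialization to selinux_complete_init. */
	if (sbsec->flags & SE_SBINITIALIZED) {
		struct inode_security_struct *isec = inode->i_security;

		isec->sclass = inode_mode_to_security_class(inode->i_mode);
		isec->sid = newsid;
		isec->initialized = LABEL_INITIALIZED;
	}

	if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
		return -EOPNOTSUPP;

	if (name)
		*name = XATTR_SELINUX_SUFFIX;

	if (value && len) {
		/* _force: emit the string even for an SID the current
		 * policy cannot fully map, so the label is still persisted. */
		rc = security_sid_to_context_force(newsid, &context, &clen);
		if (rc)
			return rc;
		*value = context;
		*len = clen;
	}

	return 0;
}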
2954 
/* inode_create hook: may the caller create a regular file @dentry in @dir? */
static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
{
	int rc;

	/* Always class file here; @mode is not consulted. */
	rc = may_create(dir, dentry, SECCLASS_FILE);
	return rc;
}
2959 
/* inode_link hook: may the caller hard-link @old_dentry into @dir? */
static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
{
	int rc;

	/* The check is on the existing object; @new_dentry is unused. */
	rc = may_link(dir, old_dentry, MAY_LINK);
	return rc;
}
2964 
/* inode_unlink hook: may the caller unlink @dentry from @dir? */
static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
{
	int rc;

	rc = may_link(dir, dentry, MAY_UNLINK);
	return rc;
}
2969 
/* inode_symlink hook: may the caller create symlink @dentry in @dir? */
static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
{
	int rc;

	/* The link target @name plays no part in the decision. */
	rc = may_create(dir, dentry, SECCLASS_LNK_FILE);
	return rc;
}
2974 
/* inode_mkdir hook: may the caller create directory @dentry in @dir? */
static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
{
	int rc;

	rc = may_create(dir, dentry, SECCLASS_DIR);
	return rc;
}
2979 
/* inode_rmdir hook: may the caller remove directory @dentry from @dir? */
static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
	int rc;

	rc = may_link(dir, dentry, MAY_RMDIR);
	return rc;
}
2984 
/*
 * inode_mknod hook: may the caller create @dentry in @dir?  The object
 * class follows the file type bits of @mode (fifo, sock, chr/blk device...).
 */
static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
	int rc;

	rc = may_create(dir, dentry, inode_mode_to_security_class(mode));
	return rc;
}
2989 
/* inode_rename hook: delegate the multi-object rename check to may_rename(). */
static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
				struct inode *new_inode, struct dentry *new_dentry)
{
	int rc;

	rc = may_rename(old_inode, old_dentry, new_inode, new_dentry);
	return rc;
}
2995 
/* inode_readlink hook: reading a symlink's target needs file:read on it. */
static int selinux_inode_readlink(struct dentry *dentry)
{
	return dentry_has_perm(current_cred(), dentry, FILE__READ);
}
3002 
/*
 * inode_follow_link hook: following a symlink during path walk requires
 * read permission on the link itself.  In RCU-walk mode (@rcu) nothing may
 * block: the inode label is fetched without sleeping and the AVC is told
 * not to block either (MAY_NOT_BLOCK); the caller then falls back to
 * ref-walk on -ECHILD.
 */
static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
				     bool rcu)
{
	const struct cred *cred = current_cred();
	struct inode_security_struct *isec;
	struct common_audit_data ad;

	validate_creds(cred);

	isec = inode_security_rcu(inode, rcu);
	if (IS_ERR(isec))
		return PTR_ERR(isec);

	ad.type = LSM_AUDIT_DATA_DENTRY;
	ad.u.dentry = dentry;

	return avc_has_perm_flags(cred_sid(cred), isec->sid, isec->sclass,
				  FILE__READ, &ad, rcu ? MAY_NOT_BLOCK : 0);
}
3023 
/*
 * Slow path of selinux_inode_permission(): emit the AVC audit record for a
 * decision that avc_audit_required() said needs one.  Kept out of line so
 * the common, unaudited path stays small.
 *
 * Returns 0, or the error from slow_avc_audit() (e.g. when it cannot audit
 * without blocking and @flags forbid blocking).
 */
static noinline int audit_inode_permission(struct inode *inode,
					   u32 perms, u32 audited, u32 denied,
					   int result,
					   unsigned flags)
{
	struct inode_security_struct *isec = inode->i_security;
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_INODE,
		.u.inode = inode,
	};

	return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
			      audited, denied, result, &ad, flags);
}
3042 
/*
 * inode_permission hook: the hot path of every path lookup and open.
 *
 * Maps the MAY_* bits in @mask to file-class permissions and consults the
 * AVC without auditing; auditing is deferred to the out-of-line
 * audit_inode_permission() and only done when the decision requires it.
 * MAY_NOT_BLOCK in @mask (RCU walk) is propagated so neither the label
 * lookup nor the audit path sleeps.  MAY_ACCESS marks an access(2) check,
 * which policy may choose to audit separately (FILE__AUDIT_ACCESS).
 *
 * Returns 0 if permitted, the AVC denial otherwise, or an audit error.
 */
static int selinux_inode_permission(struct inode *inode, int mask)
{
	const struct cred *cred = current_cred();
	struct inode_security_struct *isec;
	struct av_decision avd;
	unsigned flags = mask & MAY_NOT_BLOCK;
	bool from_access = !!(mask & MAY_ACCESS);
	u32 perms, sid, audited, denied;
	int rc, audit_rc;

	mask &= MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND;

	/* No permission to check.  Existence test. */
	if (!mask)
		return 0;

	validate_creds(cred);

	/* Kernel-private inodes are exempt. */
	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	perms = file_mask_to_av(inode->i_mode, mask);
	sid = cred_sid(cred);

	isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
	if (IS_ERR(isec))
		return PTR_ERR(isec);

	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
	audited = avc_audit_required(perms, &avd, rc,
				     from_access ? FILE__AUDIT_ACCESS : 0,
				     &denied);
	if (likely(!audited))
		return rc;

	/* An audit failure takes precedence over the access result. */
	audit_rc = audit_inode_permission(inode, perms, audited, denied, rc, flags);
	return audit_rc ? audit_rc : rc;
}
3086 
/*
 * inode_setattr hook.  Ownership, mode and explicit timestamp changes need
 * file:setattr; everything else (size, implicit times) is treated as a
 * write.  Truncation through a path (no ATTR_FILE) additionally needs
 * file:open when the openperm policy capability is enabled, except on
 * sockfs.  ATTR_FORCE requests that only kill set-id bits are not checked.
 */
static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
{
	const struct cred *cred = current_cred();
	unsigned int ia_valid = iattr->ia_valid;
	__u32 av;

	/* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
	if (ia_valid & ATTR_FORCE) {
		ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
			      ATTR_FORCE);
		if (!ia_valid)
			return 0;
	}

	if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
			ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) {
		av = FILE__SETATTR;
	} else {
		av = FILE__WRITE;
		if (selinux_policycap_openperm &&
		    (ia_valid & ATTR_SIZE) &&
		    !(ia_valid & ATTR_FILE) &&
		    d_backing_inode(dentry)->i_sb->s_magic != SOCKFS_MAGIC)
			av |= FILE__OPEN;
	}

	return dentry_has_perm(cred, dentry, av);
}
3114 
/* inode_getattr hook: stat() and friends need file:getattr on the target. */
static int selinux_inode_getattr(const struct path *path)
{
	const struct cred *cred = current_cred();

	return path_has_perm(cred, path, FILE__GETATTR);
}
3119 
/*
 * Permission check for setting/removing any xattr other than
 * security.selinux.  Attributes in the security.* namespace are reserved:
 * security.capability needs CAP_SETFCAP, any other one CAP_SYS_ADMIN.
 * All attributes then need file:setattr on the object.
 */
static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
{
	const bool in_security_ns = !strncmp(name, XATTR_SECURITY_PREFIX,
					     sizeof XATTR_SECURITY_PREFIX - 1);

	if (in_security_ns) {
		int needed = strcmp(name, XATTR_NAME_CAPS) ? CAP_SYS_ADMIN
							   : CAP_SETFCAP;

		if (!capable(needed))
			return -EPERM;
	}

	return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
3140 
/*
 * Does the current task hold CAP_MAC_ADMIN both by its capability set
 * (cap_capable) and by SELinux policy (cred_has_capability)?  @audit
 * selects whether a failed check is audited.
 */
static bool has_cap_mac_admin(bool audit)
{
	const struct cred *cred = current_cred();
	int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;

	/* Both must pass; the policy check is skipped if the DAC one fails. */
	return !cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit) &&
	       !cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true);
}
3152 
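/*
 * inode_setxattr hook.  For security.selinux this is a relabel: the caller
 * must own the inode (or be capable), hold relabelfrom on the current
 * label and relabelto on the new one, the transition must be valid under
 * policy, and the new label must be allowed to associate with the
 * filesystem.  Any other attribute goes to selinux_inode_setotherxattr().
 *
 * @value/@size is the raw, untrusted context from userspace.  A context the
 * policy does not know is rejected with -EINVAL and audited unless the
 * caller has CAP_MAC_ADMIN, in which case it is forced into an SID.
 *
 * Returns 0 or a negative errno.
 */
static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
				  const void *value, size_t size, int flags)
{
	struct inode *inode = d_backing_inode(dentry);
	struct inode_security_struct *isec;
	struct superblock_security_struct *sbsec;
	struct common_audit_data ad;
	u32 newsid, sid = current_sid();
	int rc = 0;

	if (strcmp(name, XATTR_NAME_SELINUX))
		return selinux_inode_setotherxattr(dentry, name);

	sbsec = inode->i_sb->s_security;
	if (!(sbsec->flags & SBLABEL_MNT))
		return -EOPNOTSUPP;

	if (!inode_owner_or_capable(inode))
		return -EPERM;

	ad.type = LSM_AUDIT_DATA_DENTRY;
	ad.u.dentry = dentry;

	/*
	 * relabelfrom is checked before the supplied context is parsed, so a
	 * caller lacking it cannot probe policy validity through -EINVAL.
	 */
	isec = backing_inode_security(dentry);
	rc = avc_has_perm(sid, isec->sid, isec->sclass,
			  FILE__RELABELFROM, &ad);
	if (rc)
		return rc;

	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
	if (rc == -EINVAL) {
		if (!has_cap_mac_admin(true)) {
			struct audit_buffer *ab;
			const char *str = "";
			size_t audit_size = 0;

			/*
			 * We strip a nul only if it is at the end, otherwise
			 * the context contains a nul and we should audit that.
			 * A zero-length value has nothing to strip and must
			 * not be indexed at size - 1.
			 */
			if (value && size) {
				str = value;
				audit_size = (str[size - 1] == '\0') ?
					     size - 1 : size;
			}
			/* audit_log_start() returns NULL when auditing is
			 * off or the buffer cannot be allocated. */
			ab = audit_log_start(current->audit_context, GFP_ATOMIC,
					     AUDIT_SELINUX_ERR);
			if (ab) {
				audit_log_format(ab, "op=setxattr invalid_context=");
				audit_log_n_untrustedstring(ab, str, audit_size);
				audit_log_end(ab);
			}

			return rc;
		}
		/* CAP_MAC_ADMIN may store a context the policy does not know. */
		rc = security_context_to_sid_force(value, size, &newsid);
	}
	if (rc)
		return rc;

	rc = avc_has_perm(sid, newsid, isec->sclass,
			  FILE__RELABELTO, &ad);
	if (rc)
		return rc;

	rc = security_validate_transition(isec->sid, newsid, sid,
					  isec->sclass);
	if (rc)
		return rc;

	return avc_has_perm(newsid,
			    sbsec->sid,
			    SECCLASS_FILESYSTEM,
			    FILESYSTEM__ASSOCIATE,
			    &ad);
}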
3229 
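/*
 * selinux_inode_post_setxattr - refresh the in-core label after a setxattr
 * @dentry: dentry whose xattr was just written
 * @name:   xattr name; only XATTR_NAME_SELINUX is handled here
 * @value:  raw context value that was stored
 * @size:   length of @value in bytes
 * @flags:  setxattr flags (unused here)
 *
 * Runs after the filesystem has accepted the new xattr, so the permission
 * checks have already been done by the setxattr hook above.  The stored
 * context is mapped to a SID and the inode security struct is updated under
 * its lock.  Since the value is already on disk, a context unknown to the
 * current policy is forced into a SID rather than rejected; a mapping
 * failure can only be logged.
 */
static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
					const void *value, size_t size,
					int flags)
{
	struct inode *inode = d_backing_inode(dentry);
	struct inode_security_struct *isec;
	u32 newsid;
	int rc;

	/* Not an attribute we recognize, so nothing to do. */
	if (strcmp(name, XATTR_NAME_SELINUX))
		return;

	rc = security_context_to_sid_force(value, size, &newsid);
	if (rc) {
		/*
		 * The two adjacent literals are concatenated; keep the space
		 * after "SID" or the log reads "SIDfor".
		 */
		printk(KERN_ERR "SELinux:  unable to map context to SID "
		       "for (%s, %lu), rc=%d\n",
		       inode->i_sb->s_id, inode->i_ino, -rc);
		return;
	}

	isec = backing_inode_security(dentry);
	spin_lock(&isec->lock);
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
	isec->sid = newsid;
	isec->initialized = LABEL_INITIALIZED;
	spin_unlock(&isec->lock);
}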
3261 
/*
 * selinux_inode_getxattr - reading any xattr requires FILE__GETATTR on the
 * dentry for the current credentials; the xattr name is not inspected.
 */
static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
{
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
}
3268 
/*
 * selinux_inode_listxattr - listing xattr names is treated like reading
 * attributes: FILE__GETATTR on the dentry for the current credentials.
 */
static int selinux_inode_listxattr(struct dentry *dentry)
{
	return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
}
3275 
/*
 * selinux_inode_removexattr - refuse removal of the SELinux label.
 *
 * The label may be changed through setxattr, but every inode must stay
 * labeled, so removing XATTR_NAME_SELINUX is always -EACCES.  Any other
 * xattr name is delegated to selinux_inode_setotherxattr.
 */
static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
{
	if (!strcmp(name, XATTR_NAME_SELINUX))
		return -EACCES;

	return selinux_inode_setotherxattr(dentry, name);
}
3285 
/*
 * selinux_inode_getsecurity - hand the inode's context string to the caller
 * @inode:  inode whose label is requested
 * @name:   xattr suffix; only XATTR_SELINUX_SUFFIX is supported
 * @buffer: receives the context string when @alloc is true (caller frees)
 * @alloc:  whether the caller wants the string or only its length
 *
 * Returns the context length, or a negative error.  The permission check
 * is done by the selinux_inode_getxattr hook, not here.
 *
 * A caller with CAP_MAC_ADMIN gets the raw context even if it is not valid
 * under the current policy; everyone else gets the in-core value.  The
 * capability check is the non-auditing form because unprivileged getxattr
 * is common and lacking the capability is a fallback, not a denial.
 */
static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
{
	struct inode_security_struct *isec;
	char *context = NULL;
	u32 size;
	int error;

	if (strcmp(name, XATTR_SELINUX_SUFFIX))
		return -EOPNOTSUPP;

	isec = inode_security(inode);
	if (has_cap_mac_admin(false))
		error = security_sid_to_context_force(isec->sid, &context,
						      &size);
	else
		error = security_sid_to_context(isec->sid, &context, &size);
	if (error)
		return error;

	if (alloc)
		*buffer = context;	/* ownership passes to the caller */
	else
		kfree(context);

	return size;
}
3327 
/*
 * selinux_inode_setsecurity - set the in-core label from a context string
 * @inode: inode to relabel
 * @name:  xattr suffix; only XATTR_SELINUX_SUFFIX is supported
 * @value: context string
 * @size:  length of @value
 * @flags: unused
 *
 * Unlike the post-setxattr path, the context must be valid under the
 * current policy (no forced mapping), and an empty or missing value is
 * refused with -EACCES rather than being treated as "unlabeled".
 */
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
				     const void *value, size_t size, int flags)
{
	struct inode_security_struct *isec = inode_security_novalidate(inode);
	u32 newsid;
	int rc;

	if (strcmp(name, XATTR_SELINUX_SUFFIX) != 0)
		return -EOPNOTSUPP;

	if (value == NULL || size == 0)
		return -EACCES;

	rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
	if (rc != 0)
		return rc;

	/* Publish class and SID together under the inode's security lock. */
	spin_lock(&isec->lock);
	isec->sclass = inode_mode_to_security_class(inode->i_mode);
	isec->sid = newsid;
	isec->initialized = LABEL_INITIALIZED;
	spin_unlock(&isec->lock);

	return 0;
}
3352 
/*
 * selinux_inode_listsecurity - report the one security xattr name we own.
 *
 * Copies XATTR_NAME_SELINUX (including its terminating NUL) into @buffer
 * when it fits, and always returns the length needed so a caller can size
 * its buffer with a NULL first call.
 */
static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
	const size_t len = sizeof(XATTR_NAME_SELINUX);

	if (buffer != NULL && buffer_size >= len)
		memcpy(buffer, XATTR_NAME_SELINUX, len);

	return (int)len;
}
3360 
/*
 * selinux_inode_getsecid - return the inode's SID without validating its
 * in-core label (inode_security_novalidate).
 */
static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
{
	*secid = inode_security_novalidate(inode)->sid;
}
3366 
/*
 * selinux_inode_copy_up - prepare creds for an overlayfs copy-up
 * @src: dentry of the overlay inode being copied up
 * @new: in/out credentials; allocated here if *new is NULL
 *
 * The overlay inode's SID becomes the creation SID of the credentials so
 * that the file created on the upper layer carries the same label.
 * Returns -ENOMEM if fresh credentials could not be prepared.
 */
static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
{
	struct cred *creds = *new;
	struct task_security_struct *tsec;
	u32 sid;

	if (!creds) {
		creds = prepare_creds();
		if (!creds)
			return -ENOMEM;
	}

	/* Label from the overlay inode, applied as the creation SID. */
	selinux_inode_getsecid(d_inode(src), &sid);
	tsec = creds->security;
	tsec->create_sid = sid;

	*new = creds;
	return 0;
}
3386 
/*
 * selinux_inode_copy_up_xattr - filter xattrs copied up by overlayfs
 *
 * The copy_up hook has already set the initial context on the new inode,
 * so the lower SELinux xattr must not be copied over it: return 1 to
 * discard it.  Every other attribute is not claimed by SELinux, signalled
 * with -EOPNOTSUPP.
 */
static int selinux_inode_copy_up_xattr(const char *name)
{
	if (!strcmp(name, XATTR_NAME_SELINUX))
		return 1;	/* discard: keep the label set by copy_up */

	return -EOPNOTSUPP;
}
3401 
3402 /* file security operations */
3403 
/*
 * selinux_revalidate_file_permission - re-check file access against the
 * current inode label and policy.
 *
 * A write on a file opened O_APPEND is checked as an append: MAY_APPEND is
 * added because file_mask_to_av does not add FILE__WRITE when MAY_APPEND
 * is set.
 */
static int selinux_revalidate_file_permission(struct file *file, int mask)
{
	struct inode *inode = file_inode(file);
	u32 av;

	if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
		mask |= MAY_APPEND;

	av = file_mask_to_av(inode->i_mode, mask);
	return file_has_perm(current_cred(), file, av);
}
3416 
/*
 * selinux_file_permission - per-access check on an open file
 *
 * Nothing is checked for an empty mask (existence test).  When the task
 * SID, the inode SID and the policy sequence number are all unchanged
 * since the open-time check recorded them in the file security struct,
 * the open-time decision still stands; otherwise the access is
 * revalidated.
 */
static int selinux_file_permission(struct file *file, int mask)
{
	struct file_security_struct *fsec = file->f_security;
	struct inode_security_struct *isec;
	u32 sid = current_sid();
	int unchanged;

	if (!mask)
		return 0;

	isec = inode_security(file_inode(file));
	unchanged = sid == fsec->sid &&
		    fsec->isid == isec->sid &&
		    fsec->pseqno == avc_policy_seqno();
	if (unchanged)
		return 0;	/* no change since the file_open check */

	return selinux_revalidate_file_permission(file, mask);
}
3436 
/* selinux_file_alloc_security - allocate the SELinux part of a struct file. */
static int selinux_file_alloc_security(struct file *file)
{
	int rc = file_alloc_security(file);

	return rc;
}
3441 
/* selinux_file_free_security - release the SELinux part of a struct file. */
static void selinux_file_free_security(struct file *file)
{
	file_free_security(file);
}
3446 
/*
 * ioctl_has_perm - check the ioctl permission plus the per-command
 * extended permission on a file's inode.
 * @cred:      credentials of the caller
 * @file:      open file the ioctl is issued on
 * @requested: base permission (FILE__IOCTL)
 * @cmd:       low 16 bits of the ioctl command; the high byte selects the
 *             driver and the low byte the extended permission
 *
 * If the file was opened by a different SID, FD__USE is checked first.
 * Private (fs-internal) inodes are exempt after that.
 */
static int ioctl_has_perm(const struct cred *cred, struct file *file,
		u32 requested, u16 cmd)
{
	struct file_security_struct *fsec = file->f_security;
	struct inode *inode = file_inode(file);
	struct inode_security_struct *isec;
	struct lsm_ioctlop_audit ioctl;
	struct common_audit_data ad;
	u32 ssid = cred_sid(cred);
	u8 driver = cmd >> 8;
	u8 xperm = cmd & 0xff;

	ioctl.cmd = cmd;
	ioctl.path = file->f_path;
	ad.type = LSM_AUDIT_DATA_IOCTL_OP;
	ad.u.op = &ioctl;

	if (ssid != fsec->sid) {
		int rc = avc_has_perm(ssid, fsec->sid, SECCLASS_FD, FD__USE,
				      &ad);
		if (rc)
			return rc;
	}

	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	isec = inode_security(inode);
	return avc_has_extended_perms(ssid, isec->sid, isec->sclass,
				      requested, driver, xperm, &ad);
}
3487 
/*
 * selinux_file_ioctl - map an ioctl command to the permission it needs
 *
 * Generic query commands need FILE__GETATTR, generic setters FILE__SETATTR,
 * the sys_ioctl()-handled FIONBIO/FIOASYNC only FD__USE (av 0), and the
 * keyboard-table commands CAP_SYS_TTY_CONFIG.  Anything else is assumed to
 * reach the file's own ioctl() and is checked with FILE__IOCTL plus the
 * extended permission derived from the low 16 bits of @cmd.
 */
static int selinux_file_ioctl(struct file *file, unsigned int cmd,
			      unsigned long arg)
{
	const struct cred *cred = current_cred();

	switch (cmd) {
	case FIONREAD:
	case FIBMAP:
	case FIGETBSZ:
	case FS_IOC_GETFLAGS:
	case FS_IOC_GETVERSION:
		return file_has_perm(cred, file, FILE__GETATTR);

	case FS_IOC_SETFLAGS:
	case FS_IOC_SETVERSION:
		return file_has_perm(cred, file, FILE__SETATTR);

	/* sys_ioctl() checks */
	case FIONBIO:
	case FIOASYNC:
		return file_has_perm(cred, file, 0);

	case KDSKBENT:
	case KDSKBSENT:
		return cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
					   SECURITY_CAP_AUDIT, true);

	default:
		/* The command will go to the file's ioctl() function. */
		return ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
	}
}
3534 
/*
 * When non-zero, making anonymous or writable-private memory executable
 * needs an extra process-class check (see file_map_prot_check and
 * selinux_file_mprotect).  Initialised outside this part of the file.
 */
static int default_noexec;
3536 
/*
 * file_map_prot_check - permission check for a mapping's protection bits
 * @file:   backing file, or NULL for an anonymous mapping
 * @prot:   PROT_* bits being requested
 * @shared: non-zero for a shared mapping
 *
 * With default_noexec set, making an anonymous mapping, a private
 * (fs-internal) inode mapping, or a private writable file mapping
 * executable needs PROCESS__EXECMEM on the task itself.  A file mapping
 * then needs FILE__READ always, FILE__WRITE only when shared and writable,
 * and FILE__EXECUTE when executable.  An anonymous mapping has nothing
 * further to check.
 */
static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
{
	const struct cred *cred = current_cred();
	u32 sid = cred_sid(cred);
	u32 av;

	if (default_noexec && (prot & PROT_EXEC)) {
		int exec_of_writable_mem = !file ||
					   IS_PRIVATE(file_inode(file)) ||
					   (!shared && (prot & PROT_WRITE));

		if (exec_of_writable_mem) {
			int rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
					      PROCESS__EXECMEM, NULL);
			if (rc)
				return rc;
		}
	}

	if (!file)
		return 0;

	av = FILE__READ;	/* a mapping always allows reading */
	if (shared && (prot & PROT_WRITE))
		av |= FILE__WRITE;	/* writes reach the file only when shared */
	if (prot & PROT_EXEC)
		av |= FILE__EXECUTE;

	return file_has_perm(cred, file, av);
}
3574 
/*
 * selinux_mmap_addr - guard mappings below CONFIG_LSM_MMAP_MIN_ADDR
 *
 * Mapping the low address range needs MEMPROTECT__MMAP_ZERO on the task
 * itself; higher addresses are allowed without a check.
 */
static int selinux_mmap_addr(unsigned long addr)
{
	u32 sid;

	if (addr >= CONFIG_LSM_MMAP_MIN_ADDR)
		return 0;

	sid = current_sid();
	return avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
			    MEMPROTECT__MMAP_ZERO, NULL);
}
3587 
/*
 * selinux_mmap_file - check a new mapping
 * @file:    file being mapped, or NULL for anonymous memory
 * @reqprot: protection requested by the caller
 * @prot:    protection the kernel will actually apply
 * @flags:   MAP_* flags
 *
 * A file mapping first needs FILE__MAP on the inode.  Then the protection
 * bits are checked with file_map_prot_check, using the caller's requested
 * protection instead of the effective one when selinux_checkreqprot is set.
 */
static int selinux_mmap_file(struct file *file, unsigned long reqprot,
			     unsigned long prot, unsigned long flags)
{
	int shared = (flags & MAP_TYPE) == MAP_SHARED;

	if (file) {
		struct common_audit_data ad;
		int rc;

		ad.type = LSM_AUDIT_DATA_FILE;
		ad.u.file = file;
		rc = inode_has_perm(current_cred(), file_inode(file),
				    FILE__MAP, &ad);
		if (rc)
			return rc;
	}

	return file_map_prot_check(file,
				   selinux_checkreqprot ? reqprot : prot,
				   shared);
}
3609 
/*
 * selinux_file_mprotect - check a protection change on an existing mapping
 * @vma:     the mapping being changed
 * @reqprot: protection requested by the caller
 * @prot:    protection the kernel will apply
 *
 * When default_noexec is set and @prot adds PROT_EXEC to a region that is
 * not yet executable, an extra check depends on what the region is:
 * PROCESS__EXECHEAP for the brk area, PROCESS__EXECSTACK for an anonymous
 * mapping overlapping the stack, and FILE__EXECMOD on the backing file for
 * a file mapping that has been copied-on-write.  The ordinary mapping check
 * (file_map_prot_check) then runs as for mmap.
 */
static int selinux_file_mprotect(struct vm_area_struct *vma,
				 unsigned long reqprot,
				 unsigned long prot)
{
	const struct cred *cred = current_cred();
	u32 sid = cred_sid(cred);

	/* Honour the caller's requested bits instead of the effective ones. */
	if (selinux_checkreqprot)
		prot = reqprot;

	if (default_noexec &&
	    (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
		int rc = 0;
		/* region lies entirely within the heap (brk) area */
		if (vma->vm_start >= vma->vm_mm->start_brk &&
		    vma->vm_end <= vma->vm_mm->brk) {
			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
					  PROCESS__EXECHEAP, NULL);
		/* anonymous region containing or acting as the stack */
		} else if (!vma->vm_file &&
			   ((vma->vm_start <= vma->vm_mm->start_stack &&
			     vma->vm_end >= vma->vm_mm->start_stack) ||
			    vma_is_stack_for_current(vma))) {
			rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
					  PROCESS__EXECSTACK, NULL);
		} else if (vma->vm_file && vma->anon_vma) {
			/*
			 * We are making executable a file mapping that has
			 * had some COW done. Since pages might have been
			 * written, check ability to execute the possibly
			 * modified content.  This typically should only
			 * occur for text relocations.
			 */
			rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
		}
		if (rc)
			return rc;
	}

	return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
}
3649 
/* selinux_file_lock - any flock/lock command needs FILE__LOCK on the file. */
static int selinux_file_lock(struct file *file, unsigned int cmd)
{
	return file_has_perm(current_cred(), file, FILE__LOCK);
}
3656 
/*
 * selinux_file_fcntl - permission check for fcntl(2) commands
 * @file: the open file
 * @cmd:  fcntl command
 * @arg:  command argument (the new flags for F_SETFL)
 *
 * Clearing O_APPEND on a file that was opened append-only would turn an
 * append-only descriptor into a writable one, so that case needs
 * FILE__WRITE.  Other flag, owner and signal commands only need FD__USE
 * (file_has_perm with av 0); lock commands need FILE__LOCK.  Commands not
 * listed are allowed without a check (err stays 0).
 */
static int selinux_file_fcntl(struct file *file, unsigned int cmd,
			      unsigned long arg)
{
	const struct cred *cred = current_cred();
	int err = 0;

	switch (cmd) {
	case F_SETFL:
		/* dropping O_APPEND from an append-only open: treat as a write */
		if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
			err = file_has_perm(cred, file, FILE__WRITE);
			break;
		}
		/* fall through */
	case F_SETOWN:
	case F_SETSIG:
	case F_GETFL:
	case F_GETOWN:
	case F_GETSIG:
	case F_GETOWNER_UIDS:
		/* Just check FD__USE permission */
		err = file_has_perm(cred, file, 0);
		break;
	case F_GETLK:
	case F_SETLK:
	case F_SETLKW:
	case F_OFD_GETLK:
	case F_OFD_SETLK:
	case F_OFD_SETLKW:
#if BITS_PER_LONG == 32
	/* the 64-bit lock variants only exist as separate commands on 32-bit */
	case F_GETLK64:
	case F_SETLK64:
	case F_SETLKW64:
#endif
		err = file_has_perm(cred, file, FILE__LOCK);
		break;
	}

	return err;
}
3696 
/*
 * selinux_file_set_fowner - record the SID of the task becoming the file's
 * owner, used later by selinux_file_send_sigiotask as the signal sender.
 */
static void selinux_file_set_fowner(struct file *file)
{
	struct file_security_struct *fsec = file->f_security;

	fsec->fown_sid = current_sid();
}
3704 
/*
 * selinux_file_send_sigiotask - check a SIGIO/SIGURG-style signal from a
 * file owner to a task.
 * @tsk:    task that would receive the signal
 * @fown:   owner record embedded in the struct file
 * @signum: signal number; 0 means SIGIO (as per send_sigio_to_task)
 *
 * The subject is the SID recorded when the owner was set (fown_sid), not
 * the current task, since the signal is raised on the owner's behalf.
 */
static int selinux_file_send_sigiotask(struct task_struct *tsk,
				       struct fown_struct *fown, int signum)
{
	/* struct fown_struct is never outside the context of a struct file */
	struct file *file = container_of(fown, struct file, f_owner);
	struct file_security_struct *fsec = file->f_security;
	u32 perm = signal_to_av(signum ? signum : SIGIO);
	u32 sid = task_sid(tsk);

	return avc_has_perm(fsec->fown_sid, sid, SECCLASS_PROCESS, perm, NULL);
}
3726 
/*
 * selinux_file_receive - a file descriptor passed over a socket is checked
 * with the access its open mode implies (file_to_av).
 */
static int selinux_file_receive(struct file *file)
{
	u32 av = file_to_av(file);

	return file_has_perm(current_cred(), file, av);
}
3733 
/*
 * selinux_file_open - open-time check and state capture for later
 * revalidation.
 *
 * The inode SID and policy sequence number are stored in the file security
 * struct so selinux_file_permission can tell whether anything changed
 * since the open (the task SID is already there).  The access is then
 * checked again here: the inode label or policy may have changed between
 * selinux_inode_permission and the capture above, and without this check
 * such a change might never be revalidated.  Not redundant - do not remove.
 */
static int selinux_file_open(struct file *file, const struct cred *cred)
{
	struct file_security_struct *fsec = file->f_security;
	struct inode_security_struct *isec = inode_security(file_inode(file));

	fsec->isid = isec->sid;
	fsec->pseqno = avc_policy_seqno();

	return file_path_has_perm(cred, file, open_file_to_av(file));
}
3760 
3761 /* task security operations */
3762 
/* selinux_task_alloc - creating a new task needs PROCESS__FORK on oneself. */
static int selinux_task_alloc(struct task_struct *task,
			      unsigned long clone_flags)
{
	u32 self = current_sid();

	return avc_has_perm(self, self, SECCLASS_PROCESS, PROCESS__FORK, NULL);
}
3770 
/*
 * selinux_cred_alloc_blank - allocate the SELinux part of blank credentials
 *
 * The task security struct is zero-filled; returns -ENOMEM on failure and
 * leaves cred->security untouched.
 */
static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
	struct task_security_struct *tsec = kzalloc(sizeof(*tsec), gfp);

	if (tsec == NULL)
		return -ENOMEM;

	cred->security = tsec;
	return 0;
}
3785 
/*
 * selinux_cred_free - detach and free the LSM part of a set of credentials
 *
 * Tolerates cred->security == NULL (allocation or prepare failed earlier);
 * a small non-NULL value means the field is already poisoned or corrupt.
 */
static void selinux_cred_free(struct cred *cred)
{
	struct task_security_struct *tsec = cred->security;

	/*
	 * cred->security == NULL if security_cred_alloc_blank() or
	 * security_prepare_creds() returned an error.
	 */
	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
	/*
	 * Poison with a small, never-valid pointer; presumably so that a
	 * later use of this cred's security field faults or trips the
	 * check above instead of reading freed memory.
	 */
	cred->security = (void *) 0x7UL;
	kfree(tsec);
}
3801 
/*
 * selinux_cred_prepare - prepare a new set of credentials for modification
 *
 * The new credentials get a private copy of the old task security struct,
 * so later changes do not affect @old.  Returns -ENOMEM on failure.
 */
static int selinux_cred_prepare(struct cred *new, const struct cred *old,
				gfp_t gfp)
{
	const struct task_security_struct *src = old->security;
	struct task_security_struct *copy;

	copy = kmemdup(src, sizeof(*copy), gfp);
	if (copy == NULL)
		return -ENOMEM;

	new->security = copy;
	return 0;
}
3820 
/*
 * selinux_cred_transfer - transfer the SELinux data to a blank set of creds
 *
 * Both credentials must already have a task security struct attached;
 * the contents of @old's are copied over @new's by value.
 */
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
{
	const struct task_security_struct *old_tsec = old->security;
	struct task_security_struct *tsec = new->security;

	*tsec = *old_tsec;
}
3831 
/*
 * selinux_kernel_act_as - set the security data for a kernel service
 * @new:   credentials being prepared for the service
 * @secid: SID the service should act as
 *
 * The current task needs KERNEL_SERVICE__USE_AS_OVERRIDE towards @secid.
 * On success the creds take that SID and all creation contexts (file, key,
 * socket) are reset to unlabelled.
 */
static int selinux_kernel_act_as(struct cred *new, u32 secid)
{
	struct task_security_struct *tsec = new->security;
	int ret = avc_has_perm(current_sid(), secid,
			       SECCLASS_KERNEL_SERVICE,
			       KERNEL_SERVICE__USE_AS_OVERRIDE,
			       NULL);

	if (ret)
		return ret;

	tsec->sid = secid;
	tsec->create_sid = 0;
	tsec->keycreate_sid = 0;
	tsec->sockcreate_sid = 0;
	return 0;
}
3854 
/*
 * selinux_kernel_create_files_as - make a kernel service create files with
 * the same label as the given inode.
 *
 * The current task needs KERNEL_SERVICE__CREATE_FILES_AS towards the
 * inode's SID; on success that SID becomes the creds' file creation SID.
 */
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
{
	struct inode_security_struct *isec = inode_security(inode);
	struct task_security_struct *tsec = new->security;
	int ret = avc_has_perm(current_sid(), isec->sid,
			       SECCLASS_KERNEL_SERVICE,
			       KERNEL_SERVICE__CREATE_FILES_AS,
			       NULL);

	if (ret)
		return ret;

	tsec->create_sid = isec->sid;
	return 0;
}
3875 
/*
 * selinux_kernel_module_request - check an automatic module load request
 *
 * The requesting task needs SYSTEM__MODULE_REQUEST towards the kernel; the
 * module name is attached to the audit record.
 */
static int selinux_kernel_module_request(char *kmod_name)
{
	struct common_audit_data ad = {
		.type = LSM_AUDIT_DATA_KMOD,
		.u.kmod_name = kmod_name,
	};

	return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
			    SYSTEM__MODULE_REQUEST, &ad);
}
3886 
/*
 * selinux_kernel_module_from_file - check loading a kernel module
 * @file: the module file for finit_module, or NULL for init_module
 *
 * init_module (no file) needs SYSTEM__MODULE_LOAD on the task itself.
 * finit_module first needs FD__USE when the descriptor was opened by a
 * different SID, then SYSTEM__MODULE_LOAD towards the module file's inode.
 */
static int selinux_kernel_module_from_file(struct file *file)
{
	u32 sid = current_sid();
	struct common_audit_data ad;
	struct file_security_struct *fsec;
	struct inode_security_struct *isec;

	if (!file)	/* init_module */
		return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
				    SYSTEM__MODULE_LOAD, NULL);

	/* finit_module */
	ad.type = LSM_AUDIT_DATA_FILE;
	ad.u.file = file;

	fsec = file->f_security;
	if (fsec->sid != sid) {
		int rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);

		if (rc)
			return rc;
	}

	isec = inode_security(file_inode(file));
	return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
			    SYSTEM__MODULE_LOAD, &ad);
}
3916 
/*
 * selinux_kernel_read_file - hook for files the kernel reads on its own
 *
 * Only module reads are checked (as a finit_module); every other
 * kernel_read_file_id is allowed.
 */
static int selinux_kernel_read_file(struct file *file,
				    enum kernel_read_file_id id)
{
	if (id == READING_MODULE)
		return selinux_kernel_module_from_file(file);

	return 0;
}
3932 
/* selinux_task_setpgid - changing another task's process group: SETPGID. */
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid(p);

	return avc_has_perm(ssid, tsid, SECCLASS_PROCESS, PROCESS__SETPGID, NULL);
}
3938 
/* selinux_task_getpgid - reading another task's process group: GETPGID. */
static int selinux_task_getpgid(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid(p);

	return avc_has_perm(ssid, tsid, SECCLASS_PROCESS, PROCESS__GETPGID, NULL);
}
3944 
/* selinux_task_getsid - reading another task's session id: GETSESSION. */
static int selinux_task_getsid(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid(p);

	return avc_has_perm(ssid, tsid, SECCLASS_PROCESS, PROCESS__GETSESSION,
			    NULL);
}
3950 
/* selinux_task_getsecid - export a task's SID as its secid (no check). */
static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
{
	*secid = task_sid(p);
}
3955 
/* selinux_task_setnice - nice changes are treated as scheduler changes. */
static int selinux_task_setnice(struct task_struct *p, int nice)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid(p);

	return avc_has_perm(ssid, tsid, SECCLASS_PROCESS, PROCESS__SETSCHED, NULL);
}
3961 
/* selinux_task_setioprio - I/O priority changes need PROCESS__SETSCHED. */
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid(p);

	return avc_has_perm(ssid, tsid, SECCLASS_PROCESS, PROCESS__SETSCHED, NULL);
}
3967 
/* selinux_task_getioprio - reading I/O priority needs PROCESS__GETSCHED. */
static int selinux_task_getioprio(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid(p);

	return avc_has_perm(ssid, tsid, SECCLASS_PROCESS, PROCESS__GETSCHED, NULL);
}
3973 
/*
 * selinux_task_prlimit - check prlimit(2) between two credential sets
 * @cred:  caller's credentials
 * @tcred: target task's credentials
 * @flags: LSM_PRLIMIT_READ and/or LSM_PRLIMIT_WRITE
 *
 * No flags means nothing is being accessed and no check is made.  Otherwise
 * the access vector holds SETRLIMIT for a write and GETRLIMIT for a read,
 * checked in one avc call.
 */
int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
			 unsigned int flags)
{
	u32 av;

	if (!flags)
		return 0;

	av = ((flags & LSM_PRLIMIT_WRITE) ? PROCESS__SETRLIMIT : 0) |
	     ((flags & LSM_PRLIMIT_READ) ? PROCESS__GETRLIMIT : 0);

	return avc_has_perm(cred_sid(cred), cred_sid(tcred),
			    SECCLASS_PROCESS, av, NULL);
}
3988 
/*
 * selinux_task_setrlimit - control changes to a task's hard limit
 *
 * Only a change of the hard limit (rlim_max), in either direction, needs
 * PROCESS__SETRLIMIT: the hard limit is later used as a safe reset point
 * for the soft limit on context transitions (see
 * selinux_bprm_committing_creds).  Soft-limit-only changes are free.
 */
static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
		struct rlimit *new_rlim)
{
	const struct rlimit *old_rlim = &p->signal->rlim[resource];

	if (old_rlim->rlim_max == new_rlim->rlim_max)
		return 0;

	return avc_has_perm(current_sid(), task_sid(p),
			    SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
}
4004 
/* selinux_task_setscheduler - scheduler policy/params change: SETSCHED. */
static int selinux_task_setscheduler(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid(p);

	return avc_has_perm(ssid, tsid, SECCLASS_PROCESS, PROCESS__SETSCHED, NULL);
}
4010 
/* selinux_task_getscheduler - reading scheduler settings: GETSCHED. */
static int selinux_task_getscheduler(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid(p);

	return avc_has_perm(ssid, tsid, SECCLASS_PROCESS, PROCESS__GETSCHED, NULL);
}
4016 
/* selinux_task_movememory - moving another task's pages is checked as SETSCHED. */
static int selinux_task_movememory(struct task_struct *p)
{
	u32 ssid = current_sid();
	u32 tsid = task_sid(p);

	return avc_has_perm(ssid, tsid, SECCLASS_PROCESS, PROCESS__SETSCHED, NULL);
}
4022 
/*
 * selinux_task_kill - check sending a signal to a task
 * @p:     target task
 * @info:  siginfo (unused here)
 * @sig:   signal number; 0 is the existence test, checked as SIGNULL
 * @secid: SID to check as the sender, or 0 for the current task
 *
 * The permission is derived from the signal number via signal_to_av.
 */
static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
				int sig, u32 secid)
{
	u32 perm = sig ? signal_to_av(sig) : PROCESS__SIGNULL;
	u32 ssid = secid ? secid : current_sid();

	return avc_has_perm(ssid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
}
4036 
/*
 * selinux_task_to_inode - label a (proc) inode with its task's SID
 *
 * The inode's class is derived from its mode and its SID taken from the
 * task; both are published together under the inode security lock and the
 * label is marked initialized.
 */
static void selinux_task_to_inode(struct task_struct *p,
				  struct inode *inode)
{
	struct inode_security_struct *isec = inode->i_security;
	u32 tsid = task_sid(p);
	u16 sclass = inode_mode_to_security_class(inode->i_mode);

	spin_lock(&isec->lock);
	isec->sclass = sclass;
	isec->sid = tsid;
	isec->initialized = LABEL_INITIALIZED;
	spin_unlock(&isec->lock);
}
4049 
/*
 * selinux_parse_skb_ipv4 - fill audit data with an IPv4 packet's addresses
 * @skb:   packet to parse
 * @ad:    audit data whose ad->u.net v4info/ports are filled in
 * @proto: if non-NULL, receives the IP protocol number
 *
 * Returns error only if unable to parse addresses.  Missing or truncated
 * transport headers leave the ports unset but do not fail the call.
 * Headers are read through skb_header_pointer into local copies, so
 * nothing is dereferenced in the skb beyond what is actually present.
 */
static int selinux_parse_skb_ipv4(struct sk_buff *skb,
			struct common_audit_data *ad, u8 *proto)
{
	int offset, ihlen, ret = -EINVAL;
	struct iphdr _iph, *ih;

	offset = skb_network_offset(skb);
	ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
	if (ih == NULL)
		goto out;

	/* ihl is in 32-bit words; reject a header length below the minimum */
	ihlen = ih->ihl * 4;
	if (ihlen < sizeof(_iph))
		goto out;

	ad->u.net->v4info.saddr = ih->saddr;
	ad->u.net->v4info.daddr = ih->daddr;
	ret = 0;

	if (proto)
		*proto = ih->protocol;

	switch (ih->protocol) {
	case IPPROTO_TCP: {
		struct tcphdr _tcph, *th;

		/* non-first fragments carry no transport header */
		if (ntohs(ih->frag_off) & IP_OFFSET)
			break;

		offset += ihlen;
		th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
		if (th == NULL)
			break;

		ad->u.net->sport = th->source;
		ad->u.net->dport = th->dest;
		break;
	}

	case IPPROTO_UDP: {
		struct udphdr _udph, *uh;

		if (ntohs(ih->frag_off) & IP_OFFSET)
			break;

		offset += ihlen;
		uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
		if (uh == NULL)
			break;

		ad->u.net->sport = uh->source;
		ad->u.net->dport = uh->dest;
		break;
	}

	case IPPROTO_DCCP: {
		struct dccp_hdr _dccph, *dh;

		if (ntohs(ih->frag_off) & IP_OFFSET)
			break;

		offset += ihlen;
		dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
		if (dh == NULL)
			break;

		ad->u.net->sport = dh->dccph_sport;
		ad->u.net->dport = dh->dccph_dport;
		break;
	}

	default:
		/* other protocols: addresses only, ports stay unset */
		break;
	}
out:
	return ret;
}
4128 
4129 #if IS_ENABLED(CONFIG_IPV6)
4130 
/*
 * selinux_parse_skb_ipv6 - record an IPv6 packet's addresses/ports in @ad
 * @skb: the packet
 * @ad: audit data; ad->u.net->v6info.{saddr,daddr} are set whenever the
 *      function succeeds, sport/dport only when a TCP/UDP/DCCP header is
 *      reachable through the extension-header chain
 * @proto: if non-NULL, receives the upper-layer protocol number - but see
 *         the note on ipv6_skip_exthdr() failure below
 *
 * Returns error only if unable to parse addresses: -EINVAL when the fixed
 * IPv6 header cannot be read from the skb.  Everything after the addresses
 * is best effort.
 */
static int selinux_parse_skb_ipv6(struct sk_buff *skb,
                        struct common_audit_data *ad, u8 *proto)
{
        u8 nexthdr;
        int ret = -EINVAL, offset;
        struct ipv6hdr _ipv6h, *ip6;
        __be16 frag_off;

        /* _ipv6h is scratch storage for skb_header_pointer(). */
        offset = skb_network_offset(skb);
        ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
        if (ip6 == NULL)
                goto out;

        ad->u.net->v6info.saddr = ip6->saddr;
        ad->u.net->v6info.daddr = ip6->daddr;
        ret = 0;

        /* Walk the extension headers to find the upper-layer header.  A
         * negative offset means the chain could not be walked: ret is
         * already 0, so this is not reported as an error, and *proto is
         * NOT written in that case - callers passing a non-NULL @proto
         * must not assume it was initialized. */
        nexthdr = ip6->nexthdr;
        offset += sizeof(_ipv6h);
        offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
        if (offset < 0)
                goto out;

        if (proto)
                *proto = nexthdr;

        switch (nexthdr) {
        case IPPROTO_TCP: {
                struct tcphdr _tcph, *th;

                th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
                if (th == NULL)
                        break;

                ad->u.net->sport = th->source;
                ad->u.net->dport = th->dest;
                break;
        }

        case IPPROTO_UDP: {
                struct udphdr _udph, *uh;

                uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
                if (uh == NULL)
                        break;

                ad->u.net->sport = uh->source;
                ad->u.net->dport = uh->dest;
                break;
        }

        case IPPROTO_DCCP: {
                struct dccp_hdr _dccph, *dh;

                dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
                if (dh == NULL)
                        break;

                ad->u.net->sport = dh->dccph_sport;
                ad->u.net->dport = dh->dccph_dport;
                break;
        }

        /* includes fragments - no ports are recorded for them */
        default:
                break;
        }
out:
        return ret;
}
4202 
4203 #endif /* IPV6 */
4204 
/*
 * selinux_parse_skb - family-dispatching front end for the skb parsers
 * @skb: the packet
 * @ad: audit data whose ad->u.net->family selects the parser
 * @_addrp: if non-NULL, receives a pointer to the source (@src != 0) or
 *          destination address stored in @ad, or NULL for a family that
 *          has no parser
 * @src: non-zero to return the source address, zero for the destination
 * @proto: passed through to the parser
 *
 * Returns 0 on success (including the unknown-family case) or the parser's
 * error, in which case a warning is logged and *@_addrp is not written.
 */
static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
                             char **_addrp, int src, u8 *proto)
{
        char *addrp = NULL;
        int ret = 0;

        switch (ad->u.net->family) {
        case PF_INET:
                ret = selinux_parse_skb_ipv4(skb, ad, proto);
                if (!ret)
                        addrp = src ? (char *)&ad->u.net->v4info.saddr
                                    : (char *)&ad->u.net->v4info.daddr;
                break;

#if IS_ENABLED(CONFIG_IPV6)
        case PF_INET6:
                ret = selinux_parse_skb_ipv6(skb, ad, proto);
                if (!ret)
                        addrp = src ? (char *)&ad->u.net->v6info.saddr
                                    : (char *)&ad->u.net->v6info.daddr;
                break;
#endif  /* IPV6 */

        default:
                /* No parser for this family: succeed with a NULL address. */
                break;
        }

        if (ret) {
                printk(KERN_WARNING
                       "SELinux: failure in selinux_parse_skb(),"
                       " unable to parse packet\n");
                return ret;
        }

        if (_addrp)
                *_addrp = addrp;
        return 0;
}
4245 
4246 /**
4247  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4248  * @skb: the packet
4249  * @family: protocol family
4250  * @sid: the packet's peer label SID
4251  *
4252  * Description:
4253  * Check the various different forms of network peer labeling and determine
4254  * the peer label/SID for the packet; most of the magic actually occurs in
4255  * the security server function security_net_peersid_cmp().  The function
4256  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4257  * or -EACCES if @sid is invalid due to inconsistencies with the different
4258  * peer labels.
4259  *
4260  */
4261 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4262 {
4263         int err;
4264         u32 xfrm_sid;
4265         u32 nlbl_sid;
4266         u32 nlbl_type;
4267 
4268         err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4269         if (unlikely(err))
4270                 return -EACCES;
4271         err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4272         if (unlikely(err))
4273                 return -EACCES;
4274 
4275         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4276         if (unlikely(err)) {
4277                 printk(KERN_WARNING
4278                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
4279                        " unable to determine packet's peer label\n");
4280                 return -EACCES;
4281         }
4282 
4283         return 0;
4284 }
4285 
4286 /**
4287  * selinux_conn_sid - Determine the child socket label for a connection
4288  * @sk_sid: the parent socket's SID
4289  * @skb_sid: the packet's SID
4290  * @conn_sid: the resulting connection SID
4291  *
4292  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4293  * combined with the MLS information from @skb_sid in order to create
4294  * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
4295  * of @sk_sid.  Returns zero on success, negative values on failure.
4296  *
4297  */
4298 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4299 {
4300         int err = 0;
4301 
4302         if (skb_sid != SECSID_NULL)
4303                 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4304         else
4305                 *conn_sid = sk_sid;
4306 
4307         return err;
4308 }
4309 
4310 /* socket security operations */
4311 
/*
 * socket_sockcreate_sid - pick the SID for a socket the task is creating
 * @tsec: the creating task's security blob
 * @secclass: the socket's security class
 * @socksid: receives the chosen SID
 *
 * An explicitly requested sockcreate SID (tsec->sockcreate_sid set to
 * something other than SECSID_NULL) takes precedence; otherwise the SID
 * is computed as a type transition from the task's own SID.  Returns 0 or
 * the error from security_transition_sid().
 */
static int socket_sockcreate_sid(const struct task_security_struct *tsec,
                                 u16 secclass, u32 *socksid)
{
        u32 requested = tsec->sockcreate_sid;

        if (requested > SECSID_NULL) {
                *socksid = requested;
                return 0;
        }

        return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
                                       socksid);
}
4323 
/*
 * sock_has_perm - check @perms from the current task to socket @sk
 * @sk: the socket (its own SID and class are the target)
 * @perms: permission bits in the socket's class
 *
 * Sockets labeled SECINITSID_KERNEL are exempt and always succeed.  For
 * everything else the decision is avc_has_perm(current_sid(), sksec->sid,
 * sksec->sclass, @perms) with the sock attached as audit data.
 */
static int sock_has_perm(struct sock *sk, u32 perms)
{
        struct sk_security_struct *sksec = sk->sk_security;
        struct lsm_network_audit net = {0,};
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_NET,
                .u.net = &net,
        };

        if (sksec->sid == SECINITSID_KERNEL)
                return 0;

        net.sk = sk;

        return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
                            &ad);
}
4340 
/*
 * selinux_socket_create - socket_create hook
 * @family, @type, @protocol: the socket(2) arguments
 * @kern: non-zero for a kernel-internal socket
 *
 * Kernel-internal sockets are not checked.  For user sockets the class is
 * derived from the socket arguments, the would-be socket SID from
 * socket_sockcreate_sid(), and the task needs "create" on that SID in
 * that class.
 */
static int selinux_socket_create(int family, int type,
                                 int protocol, int kern)
{
        const struct task_security_struct *tsec = current_security();
        u16 secclass;
        u32 newsid;
        int rc;

        if (kern)
                return 0;

        secclass = socket_type_to_security_class(family, type, protocol);
        rc = socket_sockcreate_sid(tsec, secclass, &newsid);
        if (rc)
                return rc;

        return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
}
4359 
/*
 * selinux_socket_post_create - socket_post_create hook
 * @sock: the freshly created socket
 * @family, @type, @protocol: the socket(2) arguments
 * @kern: non-zero for a kernel-internal socket
 *
 * Labels the socket inode and, when present, the underlying sock.  Kernel
 * sockets get SECINITSID_KERNEL; user sockets get the same SID that
 * selinux_socket_create() checked "create" against.  Finishes by letting
 * NetLabel set up the sock.  Note the inode label is written without taking
 * isec->lock here.
 */
static int selinux_socket_post_create(struct socket *sock, int family,
                                      int type, int protocol, int kern)
{
        const struct task_security_struct *tsec = current_security();
        struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
        struct sk_security_struct *sksec;
        u16 sclass = socket_type_to_security_class(family, type, protocol);
        u32 sid = SECINITSID_KERNEL;
        struct sock *sk;

        if (!kern) {
                int rc = socket_sockcreate_sid(tsec, sclass, &sid);

                if (rc)
                        return rc;
        }

        isec->sclass = sclass;
        isec->sid = sid;
        isec->initialized = LABEL_INITIALIZED;

        sk = sock->sk;
        if (!sk)
                return 0;

        sksec = sk->sk_security;
        sksec->sclass = sclass;
        sksec->sid = sid;
        return selinux_netlbl_socket_post_create(sk, family);
}
4389 
/*
 * selinux_socket_bind - socket_bind hook
 * @sock: the socket being bound
 * @address: caller-supplied sockaddr (untrusted)
 * @addrlen: length of @address as supplied by the caller
 *
 * Checks, in order:
 *  1. "bind" on the socket itself (sock_has_perm());
 *  2. for PF_INET/PF_INET6 only, "name_bind" against the port's SID - but
 *     only when the requested port lies outside the range of port numbers
 *     the kernel uses to automatically bind (see the inet_get_local_port_range
 *     / inet_prot_sock test below); port 0 is never checked here;
 *  3. for PF_INET/PF_INET6, "node_bind" (class chosen from the socket's
 *     sclass) against the SID of the address being bound.
 * Multiple address binding for SCTP is not supported yet: only the first
 * address is checked.
 */

static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
{
        struct sock *sk = sock->sk;
        u16 family;
        int err;

        err = sock_has_perm(sk, SOCKET__BIND);
        if (err)
                goto out;

        /*
         * If PF_INET or PF_INET6, check name_bind permission for the port.
         * Multiple address binding for SCTP is not supported yet: we just
         * check the first address now.
         */
        family = sk->sk_family;
        if (family == PF_INET || family == PF_INET6) {
                char *addrp;
                struct sk_security_struct *sksec = sk->sk_security;
                struct common_audit_data ad;
                struct lsm_network_audit net = {0,};
                struct sockaddr_in *addr4 = NULL;
                struct sockaddr_in6 *addr6 = NULL;
                unsigned short snum;
                u32 sid, node_perm;

                /* The branch is chosen by the socket's family, not by
                 * address->sa_family; @addrlen is validated before any
                 * field of the user-supplied sockaddr is read. */
                if (family == PF_INET) {
                        if (addrlen < sizeof(struct sockaddr_in)) {
                                err = -EINVAL;
                                goto out;
                        }
                        addr4 = (struct sockaddr_in *)address;
                        snum = ntohs(addr4->sin_port);
                        addrp = (char *)&addr4->sin_addr.s_addr;
                } else {
                        if (addrlen < SIN6_LEN_RFC2133) {
                                err = -EINVAL;
                                goto out;
                        }
                        addr6 = (struct sockaddr_in6 *)address;
                        snum = ntohs(addr6->sin6_port);
                        addrp = (char *)&addr6->sin6_addr.s6_addr;
                }

                /* snum == 0 lets the kernel choose the port, so there is
                 * no port SID to check name_bind against yet. */
                if (snum) {
                        int low, high;

                        inet_get_local_port_range(sock_net(sk), &low, &high);

                        /* name_bind is enforced only outside the automatic
                         * range: ports below max(inet_prot_sock, low) or
                         * above high.  Ports inside the range need nothing
                         * beyond the plain "bind" check above. */
                        if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
                            snum > high) {
                                err = sel_netport_sid(sk->sk_protocol,
                                                      snum, &sid);
                                if (err)
                                        goto out;
                                ad.type = LSM_AUDIT_DATA_NET;
                                ad.u.net = &net;
                                ad.u.net->sport = htons(snum);
                                ad.u.net->family = family;
                                err = avc_has_perm(sksec->sid, sid,
                                                   sksec->sclass,
                                                   SOCKET__NAME_BIND, &ad);
                                if (err)
                                        goto out;
                        }
                }

                /* node_bind lives in the socket's own class; any class not
                 * listed is treated as rawip_socket. */
                switch (sksec->sclass) {
                case SECCLASS_TCP_SOCKET:
                        node_perm = TCP_SOCKET__NODE_BIND;
                        break;

                case SECCLASS_UDP_SOCKET:
                        node_perm = UDP_SOCKET__NODE_BIND;
                        break;

                case SECCLASS_DCCP_SOCKET:
                        node_perm = DCCP_SOCKET__NODE_BIND;
                        break;

                default:
                        node_perm = RAWIP_SOCKET__NODE_BIND;
                        break;
                }

                /* Map the address being bound to a node SID and require
                 * node_bind on it; this runs even when name_bind was skipped. */
                err = sel_netnode_sid(addrp, family, &sid);
                if (err)
                        goto out;

                ad.type = LSM_AUDIT_DATA_NET;
                ad.u.net = &net;
                ad.u.net->sport = htons(snum);
                ad.u.net->family = family;

                if (family == PF_INET)
                        ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
                else
                        ad.u.net->v6info.saddr = addr6->sin6_addr;

                err = avc_has_perm(sksec->sid, sid,
                                   sksec->sclass, node_perm, &ad);
                if (err)
                        goto out;
        }
out:
        return err;
}
4501 
/*
 * selinux_socket_connect - socket_connect hook
 * @sock: the connecting socket
 * @address: caller-supplied sockaddr (untrusted)
 * @addrlen: length of @address as supplied by the caller
 *
 * Requires "connect" on the socket, then - for TCP and DCCP sockets only -
 * "name_connect" against the SID of the destination port.  Other classes
 * (UDP, raw, ...) get no port check here.  NetLabel is consulted last on
 * every path that reaches it.
 */
static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
        struct sock *sk = sock->sk;
        struct sk_security_struct *sksec = sk->sk_security;
        int err;

        err = sock_has_perm(sk, SOCKET__CONNECT);
        if (err)
                return err;

        /*
         * If a TCP or DCCP socket, check name_connect permission for the port.
         */
        if (sksec->sclass == SECCLASS_TCP_SOCKET ||
            sksec->sclass == SECCLASS_DCCP_SOCKET) {
                struct common_audit_data ad;
                struct lsm_network_audit net = {0,};
                struct sockaddr_in *addr4 = NULL;
                struct sockaddr_in6 *addr6 = NULL;
                unsigned short snum;
                u32 sid, perm;

                /* The branch is chosen by sk->sk_family, not by
                 * address->sa_family; @addrlen is checked before the port
                 * field is read from the user-supplied sockaddr. */
                if (sk->sk_family == PF_INET) {
                        addr4 = (struct sockaddr_in *)address;
                        if (addrlen < sizeof(struct sockaddr_in))
                                return -EINVAL;
                        snum = ntohs(addr4->sin_port);
                } else {
                        addr6 = (struct sockaddr_in6 *)address;
                        if (addrlen < SIN6_LEN_RFC2133)
                                return -EINVAL;
                        snum = ntohs(addr6->sin6_port);
                }

                err = sel_netport_sid(sk->sk_protocol, snum, &sid);
                if (err)
                        goto out;

                perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
                       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;

                ad.type = LSM_AUDIT_DATA_NET;
                ad.u.net = &net;
                ad.u.net->dport = htons(snum);
                ad.u.net->family = sk->sk_family;
                err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
                if (err)
                        goto out;
        }

        err = selinux_netlbl_socket_connect(sk, address);

out:
        return err;
}
4557 
/* socket_listen hook: requires "listen" on the socket; @backlog is not
 * part of the decision. */
static int selinux_socket_listen(struct socket *sock, int backlog)
{
        struct sock *sk = sock->sk;

        return sock_has_perm(sk, SOCKET__LISTEN);
}
4562 
/*
 * selinux_socket_accept - socket_accept hook
 * @sock: the listening socket
 * @newsock: the socket that will hold the accepted connection
 *
 * Requires "accept" on the listener, then copies the listener's inode
 * label (class and SID, read under the listener's isec->lock) onto the new
 * socket's inode.  The new inode is written without taking its own lock.
 */
static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
{
        struct inode_security_struct *isec, *newisec;
        u16 sclass;
        u32 sid;
        int rc = sock_has_perm(sock->sk, SOCKET__ACCEPT);

        if (rc)
                return rc;

        isec = inode_security_novalidate(SOCK_INODE(sock));
        spin_lock(&isec->lock);
        sclass = isec->sclass;
        sid = isec->sid;
        spin_unlock(&isec->lock);

        newisec = inode_security_novalidate(SOCK_INODE(newsock));
        newisec->sid = sid;
        newisec->sclass = sclass;
        newisec->initialized = LABEL_INITIALIZED;

        return 0;
}
4588 
/* socket_sendmsg hook: requires "write" on the socket; @msg and @size are
 * not inspected. */
static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
                                  int size)
{
        struct sock *sk = sock->sk;

        return sock_has_perm(sk, SOCKET__WRITE);
}
4594 
/* socket_recvmsg hook: requires "read" on the socket; @msg, @size and
 * @flags are not inspected. */
static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
                                  int size, int flags)
{
        struct sock *sk = sock->sk;

        return sock_has_perm(sk, SOCKET__READ);
}
4600 
/* socket_getsockname hook: local and peer names are both gated by the
 * socket's "getattr" permission. */
static int selinux_socket_getsockname(struct socket *sock)
{
        struct sock *sk = sock->sk;

        return sock_has_perm(sk, SOCKET__GETATTR);
}
4605 
/* socket_getpeername hook: same "getattr" check as getsockname. */
static int selinux_socket_getpeername(struct socket *sock)
{
        struct sock *sk = sock->sk;

        return sock_has_perm(sk, SOCKET__GETATTR);
}
4610 
/*
 * selinux_socket_setsockopt - socket_setsockopt hook
 *
 * Requires "setopt" on the socket; only then is NetLabel given the
 * (@level, @optname) pair, and its verdict is returned.
 */
static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
{
        int rc = sock_has_perm(sock->sk, SOCKET__SETOPT);

        if (rc)
                return rc;

        return selinux_netlbl_socket_setsockopt(sock, level, optname);
}
4621 
/* socket_getsockopt hook: requires "getopt"; @level/@optname are not
 * inspected. */
static int selinux_socket_getsockopt(struct socket *sock, int level,
                                     int optname)
{
        struct sock *sk = sock->sk;

        return sock_has_perm(sk, SOCKET__GETOPT);
}
4627 
/* socket_shutdown hook: requires "shutdown"; @how is not inspected. */
static int selinux_socket_shutdown(struct socket *sock, int how)
{
        struct sock *sk = sock->sk;

        return sock_has_perm(sk, SOCKET__SHUTDOWN);
}
4632 
/*
 * selinux_socket_unix_stream_connect - unix_stream_connect hook
 * @sock: the connecting (client) sock
 * @other: the listening (server) sock
 * @newsk: the server-side child sock for this connection
 *
 * The client needs "connectto" on the listener, in the listener's class.
 * On success the child's SID is built by security_sid_mls_copy() from the
 * listener's SID and the client's SID (the same combination selinux_conn_sid
 * uses for inet connections), and each side records the other as its peer.
 */
static int selinux_socket_unix_stream_connect(struct sock *sock,
                                              struct sock *other,
                                              struct sock *newsk)
{
        struct sk_security_struct *sksec_sock = sock->sk_security;
        struct sk_security_struct *sksec_other = other->sk_security;
        struct sk_security_struct *sksec_new = newsk->sk_security;
        struct common_audit_data ad;
        struct lsm_network_audit net = {0,};
        int err;

        ad.type = LSM_AUDIT_DATA_NET;
        ad.u.net = &net;
        ad.u.net->sk = other;

        err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
                           sksec_other->sclass,
                           UNIX_STREAM_SOCKET__CONNECTTO, &ad);
        if (err)
                return err;

        /* server child socket */
        /* peer_sid is set before the MLS copy: if security_sid_mls_copy()
         * fails, the child keeps its old sid with the client already
         * recorded as its peer, and the error is returned to the caller. */
        sksec_new->peer_sid = sksec_sock->sid;
        err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
                                    &sksec_new->sid);
        if (err)
                return err;

        /* connecting socket */
        sksec_sock->peer_sid = sksec_new->sid;

        return 0;
}
4666 
/*
 * selinux_socket_unix_may_send - unix_may_send hook
 * @sock: the sending socket
 * @other: the destination socket
 *
 * "sendto" is checked from the sender's SID to the destination's SID, in
 * the destination socket's class, with the destination sock as audit data.
 */
static int selinux_socket_unix_may_send(struct socket *sock,
                                        struct socket *other)
{
        struct sk_security_struct *ssec = sock->sk->sk_security;
        struct sk_security_struct *osec = other->sk->sk_security;
        struct lsm_network_audit net = {0,};
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_NET,
                .u.net = &net,
        };

        net.sk = other->sk;

        return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
                            &ad);
}
4682 
/*
 * selinux_inet_sys_rcv_skb - system-level ingress checks for a labeled peer
 * @ns: network namespace the interface lives in
 * @ifindex: interface the packet arrived on
 * @addrp: the packet's source address (as returned by selinux_parse_skb)
 * @family: address family of @addrp
 * @peer_sid: the packet's peer SID
 * @ad: audit data for the checks
 *
 * The peer needs netif "ingress" on the arriving interface and node
 * "recvfrom" on the source address.  The first failure, whether from SID
 * lookup or from the AVC, is returned and the remaining checks are skipped.
 */
static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
                                    char *addrp, u16 family, u32 peer_sid,
                                    struct common_audit_data *ad)
{
        u32 if_sid, node_sid;
        int rc;

        rc = sel_netif_sid(ns, ifindex, &if_sid);
        if (!rc)
                rc = avc_has_perm(peer_sid, if_sid, SECCLASS_NETIF,
                                  NETIF__INGRESS, ad);
        if (!rc)
                rc = sel_netnode_sid(addrp, family, &node_sid);
        if (!rc)
                rc = avc_has_perm(peer_sid, node_sid, SECCLASS_NODE,
                                  NODE__RECVFROM, ad);

        return rc;
}
4705 
/*
 * selinux_sock_rcv_skb_compat - socket_sock_rcv_skb path without the
 * network_peer_controls policy capability
 * @sk: receiving socket
 * @skb: the packet
 * @family: address family to parse @skb as
 *
 * Parses the packet for audit data, then applies the SECMARK "recv" check
 * (only when SECMARK is enabled), the NetLabel check and finally the XFRM
 * check, stopping at the first denial.
 */
static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
                                       u16 family)
{
        struct sk_security_struct *sksec = sk->sk_security;
        u32 sk_sid = sksec->sid;
        struct lsm_network_audit net = {0,};
        struct common_audit_data ad;
        char *addrp;
        int rc;

        ad.type = LSM_AUDIT_DATA_NET;
        ad.u.net = &net;
        net.netif = skb->skb_iif;
        net.family = family;

        rc = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
        if (rc)
                return rc;

        if (selinux_secmark_enabled()) {
                rc = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
                                  PACKET__RECV, &ad);
                if (rc)
                        return rc;
        }

        rc = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
        if (rc)
                return rc;

        return selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
}
4738 
/*
 * selinux_socket_sock_rcv_skb - socket_sock_rcv_skb hook
 * @sk: the receiving socket
 * @skb: the incoming packet
 *
 * Only PF_INET/PF_INET6 sockets are checked.  Without the netpeer policy
 * capability the work is handed to selinux_sock_rcv_skb_compat().  With it,
 * and when either SECMARK or peer labeling is active, the packet is parsed
 * and then:
 *  - with peer labeling: the peer SID is resolved (denied if it cannot be),
 *    the interface/node checks run, and the socket needs peer "recv";
 *  - with SECMARK: the socket needs packet "recv" on skb->secmark.
 * Returns 0 or the first error.
 */
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
        int err;
        struct sk_security_struct *sksec = sk->sk_security;
        u16 family = sk->sk_family;
        u32 sk_sid = sksec->sid;
        struct common_audit_data ad;
        struct lsm_network_audit net = {0,};
        char *addrp;
        u8 secmark_active;
        u8 peerlbl_active;

        if (family != PF_INET && family != PF_INET6)
                return 0;

        /* Handle mapped IPv4 packets arriving via IPv6 sockets */
        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
                family = PF_INET;

        /* If any sort of compatibility mode is enabled then handoff processing
         * to the selinux_sock_rcv_skb_compat() function to deal with the
         * special handling.  We do this in an attempt to keep this function
         * as fast and as clean as possible. */
        if (!selinux_policycap_netpeer)
                return selinux_sock_rcv_skb_compat(sk, skb, family);

        /* Nothing to enforce if neither labeling mechanism is in use. */
        secmark_active = selinux_secmark_enabled();
        peerlbl_active = selinux_peerlbl_enabled();
        if (!secmark_active && !peerlbl_active)
                return 0;

        ad.type = LSM_AUDIT_DATA_NET;
        ad.u.net = &net;
        ad.u.net->netif = skb->skb_iif;
        ad.u.net->family = family;
        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
        if (err)
                return err;

        if (peerlbl_active) {
                u32 peer_sid;

                /* A peer label that cannot be determined is a denial
                 * (selinux_skb_peerlbl_sid returns -EACCES), not "unlabeled". */
                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
                if (err)
                        return err;
                err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
                                               addrp, family, peer_sid, &ad);
                if (err) {
                        /* Denials on the peer path are also reported to
                         * NetLabel before being returned. */
                        selinux_netlbl_err(skb, family, err, 0);
                        return err;
                }
                err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
                                   PEER__RECV, &ad);
                if (err) {
                        selinux_netlbl_err(skb, family, err, 0);
                        return err;
                }
        }

        if (secmark_active) {
                err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
                                   PACKET__RECV, &ad);
                if (err)
                        return err;
        }

        /* err is 0 here: every failure above returned early. */
        return err;
}
4807 
/*
 * selinux_socket_getpeersec_stream - socket_getpeersec_stream hook
 * @sock: the socket whose peer label is requested
 * @optval: user buffer for the peer context string
 * @optlen: user location that receives the context length
 * @len: size of @optval
 *
 * Only unix_stream_socket and tcp_socket carry a usable peer_sid; every
 * other class, and a peer_sid of SECSID_NULL, yields -ENOPROTOOPT.  When
 * the context does not fit, -ERANGE is returned but the required length is
 * still stored in *@optlen so the caller can retry with a larger buffer.
 * The kernel copy of the context is always freed before returning.
 */
static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
                                            int __user *optlen, unsigned len)
{
        int err = 0;
        char *scontext;
        u32 scontext_len;
        struct sk_security_struct *sksec = sock->sk->sk_security;
        u32 peer_sid = SECSID_NULL;

        if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
            sksec->sclass == SECCLASS_TCP_SOCKET)
                peer_sid = sksec->peer_sid;
        if (peer_sid == SECSID_NULL)
                return -ENOPROTOOPT;

        err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
        if (err)
                return err;

        /* Too small: report the needed length, copy nothing. */
        if (scontext_len > len) {
                err = -ERANGE;
                goto out_len;
        }

        if (copy_to_user(optval, scontext, scontext_len))
                err = -EFAULT;

out_len:
        /* A failed put_user overrides any earlier error code. */
        if (put_user(scontext_len, optlen))
                err = -EFAULT;
        kfree(scontext);
        return err;
}
4841 
/*
 * selinux_socket_getpeersec_dgram - socket_getpeersec_dgram hook
 * @sock: the receiving socket (may be NULL)
 * @skb: the datagram (may be NULL)
 * @secid: receives the peer SID, or SECSID_NULL
 *
 * The family is taken from the skb's protocol when there is an skb, else
 * from the socket.  A PF_UNIX socket's peer SID is the socket inode's own
 * SID; otherwise the skb's peer label is resolved.  The return value of
 * selinux_skb_peerlbl_sid() is not checked: if it fails and leaves the
 * output untouched, *@secid stays SECSID_NULL and -EINVAL is returned
 * (whether it can write a SID on its failure paths is not visible here).
 */
static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
{
        u32 peer_secid = SECSID_NULL;
        u16 family;

        if (skb && skb->protocol == htons(ETH_P_IP))
                family = PF_INET;
        else if (skb && skb->protocol == htons(ETH_P_IPV6))
                family = PF_INET6;
        else if (sock)
                family = sock->sk->sk_family;
        else
                goto done;

        if (sock && family == PF_UNIX) {
                struct inode_security_struct *isec =
                        inode_security_novalidate(SOCK_INODE(sock));

                peer_secid = isec->sid;
        } else if (skb) {
                selinux_skb_peerlbl_sid(skb, family, &peer_secid);
        }

done:
        *secid = peer_secid;
        return (peer_secid == SECSID_NULL) ? -EINVAL : 0;
}
4869 
/*
 * selinux_sk_alloc_security - sk_alloc_security hook
 * @sk: the sock being set up
 * @family: unused here
 * @priority: allocation flags
 *
 * Allocates the sock's security blob and starts it out fail-closed: both
 * sid and peer_sid are SECINITSID_UNLABELED and the class is the generic
 * "socket" until a later hook labels it.  Returns -ENOMEM on allocation
 * failure.
 */
static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
{
        struct sk_security_struct *sksec = kzalloc(sizeof(*sksec), priority);

        if (sksec == NULL)
                return -ENOMEM;

        sksec->sid = SECINITSID_UNLABELED;
        sksec->peer_sid = SECINITSID_UNLABELED;
        sksec->sclass = SECCLASS_SOCKET;
        selinux_netlbl_sk_security_reset(sksec);

        sk->sk_security = sksec;
        return 0;
}
4886 
/*
 * selinux_sk_free_security - sk_free_security hook
 *
 * Detaches the blob from the sock, releases its NetLabel state, and frees
 * it; the sock is left with sk_security == NULL rather than a dangling
 * pointer.
 */
static void selinux_sk_free_security(struct sock *sk)
{
        struct sk_security_struct *blob = sk->sk_security;

        sk->sk_security = NULL;
        selinux_netlbl_sk_security_free(blob);
        kfree(blob);
}
4895 
/*
 * selinux_sk_clone_security - sk_clone_security hook
 * @sk: source sock
 * @newsk: destination sock
 *
 * Copies sid, peer_sid and sclass from @sk to @newsk; NetLabel state is
 * reset on the clone rather than copied.
 */
static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
{
        struct sk_security_struct *src = sk->sk_security;
        struct sk_security_struct *dst = newsk->sk_security;

        dst->sclass = src->sclass;
        dst->sid = src->sid;
        dst->peer_sid = src->peer_sid;

        selinux_netlbl_sk_security_reset(dst);
}
4907 
/*
 * selinux_sk_getsecid - sk_getsecid hook
 *
 * Stores the sock's SID in *@secid, or SECINITSID_ANY_SOCKET when @sk is
 * NULL.
 */
static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
{
        struct sk_security_struct *sksec;

        if (sk == NULL) {
                *secid = SECINITSID_ANY_SOCKET;
                return;
        }

        sksec = sk->sk_security;
        *secid = sksec->sid;
}
4918 
/*
 * selinux_sock_graft - sock_graft hook
 * @sk: the sock being attached
 * @parent: the socket it is attached to
 *
 * For PF_INET, PF_INET6 and PF_UNIX the parent inode takes the sock's SID
 * (this is where a sock labeled by selinux_inet_csk_clone() finally gets
 * its inode label in sync); in every case the sock takes the inode's class.
 * The inode is written without taking isec->lock.
 */
static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{
        struct sk_security_struct *sksec = sk->sk_security;
        struct inode_security_struct *isec =
                inode_security_novalidate(SOCK_INODE(parent));

        switch (sk->sk_family) {
        case PF_INET:
        case PF_INET6:
        case PF_UNIX:
                isec->sid = sksec->sid;
                break;
        default:
                break;
        }

        sksec->sclass = isec->sclass;
}
4930 
/*
 * selinux_inet_conn_request - inet_conn_request hook
 * @sk: the listening sock
 * @skb: the connection request packet
 * @req: the request sock to label
 *
 * Resolves the packet's peer SID (failure denies the request), derives the
 * connection SID via selinux_conn_sid(), records both in @req, and lets
 * NetLabel finish the request.
 */
static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
                                     struct request_sock *req)
{
        struct sk_security_struct *sksec = sk->sk_security;
        u16 family = req->rsk_ops->family;
        u32 peersid, connsid;
        int rc;

        rc = selinux_skb_peerlbl_sid(skb, family, &peersid);
        if (!rc)
                rc = selinux_conn_sid(sksec->sid, peersid, &connsid);
        if (rc)
                return rc;

        req->secid = connsid;
        req->peer_secid = peersid;

        return selinux_netlbl_inet_conn_request(req, family);
}
4951 
/*
 * selinux_inet_csk_clone - inet_csk_clone hook
 * @newsk: the child sock created for the connection
 * @req: the request sock carrying the labels chosen by
 *       selinux_inet_conn_request()
 *
 * Copies the connection SID and peer SID from @req onto the child.  The
 * matching inode label cannot be set here (no inode yet); sock_graft does
 * that later.  No locking: nothing else can reach newsksec yet.
 */
static void selinux_inet_csk_clone(struct sock *newsk,
                                   const struct request_sock *req)
{
        struct sk_security_struct *child = newsk->sk_security;

        child->sid = req->secid;
        child->peer_sid = req->peer_secid;

        selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
}
4968 
static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
{
        struct sk_security_struct *sksec = sk->sk_security;
        /* An IPv4 packet arriving on an IPv6 socket is handled as IPv4. */
        int v4_mapped = sk->sk_family == PF_INET6 &&
                        skb->protocol == htons(ETH_P_IP);
        u16 family = v4_mapped ? PF_INET : sk->sk_family;

        /* Record the peer label on the established socket.  The helper's
         * return value is not checked here; NOTE(review): on failure
         * peer_sid holds whatever the helper left in it — confirm against
         * selinux_skb_peerlbl_sid(). */
        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
}
4980 
static int selinux_secmark_relabel_packet(u32 sid)
{
        const struct task_security_struct *tsec = current_security();

        /* May the current task relabel packets to the secmark SID @sid?
         * (local renamed from a reserved-style "__" identifier) */
        return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
                            NULL);
}
4991 
static void selinux_secmark_refcount_inc(void)
{
        /* Another user of secmark labeling registered; paired with
         * selinux_secmark_refcount_dec(). */
        atomic_inc(&selinux_secmark_refcount);
}
4996 
static void selinux_secmark_refcount_dec(void)
{
        /* A secmark user went away; undoes selinux_secmark_refcount_inc(). */
        atomic_dec(&selinux_secmark_refcount);
}
5001 
static void selinux_req_classify_flow(const struct request_sock *req,
                                      struct flowi *fl)
{
        /* Classify the flow with the connection SID stored on the
         * request_sock (req->secid, set in selinux_inet_conn_request()). */
        fl->flowi_secid = req->secid;
}
5007 
static int selinux_tun_dev_alloc_security(void **security)
{
        struct tun_security_struct *tunsec = kzalloc(sizeof(*tunsec),
                                                     GFP_KERNEL);

        if (!tunsec)
                return -ENOMEM;

        /* A new TUN device is labeled with the creating task's SID;
         * selinux_tun_dev_open() may relabel it later.  The allocation is
         * handed to the caller via *security and released by
         * selinux_tun_dev_free_security(). */
        tunsec->sid = current_sid();
        *security = tunsec;

        return 0;
}
5020 
static void selinux_tun_dev_free_security(void *security)
{
        /* @security is the tun_security_struct allocated by
         * selinux_tun_dev_alloc_security(); kfree() tolerates NULL. */
        kfree(security);
}
5025 
static int selinux_tun_dev_create(void)
{
        const u32 sid = current_sid();

        /* The check is task -> task (not a "sockcreate" SID): the sock behind
         * a TUN device is not a traditional socket but a kernel-private one
         * that carries traffic for many connections at once.  See the TUN
         * driver for why it is treated specially. */
        return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
                            NULL);
}
5040 
static int selinux_tun_dev_attach_queue(void *security)
{
        const struct tun_security_struct *tunsec = security;
        u32 sid = current_sid();

        /* May the current task attach a queue to this (labeled) TUN device? */
        return avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
                            TUN_SOCKET__ATTACH_QUEUE, NULL);
}
5048 
static int selinux_tun_dev_attach(struct sock *sk, void *security)
{
        struct sk_security_struct *sksec = sk->sk_security;
        const struct tun_security_struct *tunsec = security;

        /* The sock takes the TUN device's label and class.  No NetLabel
         * labeling is applied here: doing so without the TUN user's
         * cooperation would produce labeled traffic at the far end that the
         * user, unaware of any labeling protocol, could not make sense of. */
        sksec->sclass = SECCLASS_TUN_SOCKET;
        sksec->sid = tunsec->sid;

        return 0;
}
5066 
static int selinux_tun_dev_open(void *security)
{
        struct tun_security_struct *tunsec = security;
        u32 sid = current_sid();
        int rc;

        /* Opening an existing device relabels it to the opener's SID, which
         * requires relabelfrom on the old label and relabelto on the new. */
        rc = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
                          TUN_SOCKET__RELABELFROM, NULL);
        if (!rc)
                rc = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
                                  TUN_SOCKET__RELABELTO, NULL);
        if (rc)
                return rc;

        tunsec->sid = sid;

        return 0;
}
5085 
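static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
{
        struct sk_security_struct *sksec = sk->sk_security;
        struct nlmsghdr *nlh;
        u32 perm;
        int err;

        /* Anything shorter than a netlink header cannot be classified. */
        if (skb->len < NLMSG_HDRLEN)
                return -EINVAL;
        nlh = nlmsg_hdr(skb);

        /* Map (socket class, nlmsg_type) to the netlink permission to check. */
        err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
        if (err) {
                if (err == -EINVAL) {
                        /* Unknown message type for this socket class: log it
                         * (rate limited) and fail closed unless the kernel is
                         * permissive or policy allows unknown classes/perms.
                         * Field name fixed from "pig" to "pid". */
                        pr_warn_ratelimited("SELinux: unrecognized netlink"
                               " message: protocol=%hu nlmsg_type=%hu sclass=%s"
                               " pid=%d comm=%s\n",
                               sk->sk_protocol, nlh->nlmsg_type,
                               secclass_map[sksec->sclass - 1].name,
                               task_pid_nr(current), current->comm);
                        if (!selinux_enforcing || security_get_allow_unknown())
                                err = 0;
                }

                /* -ENOENT from the lookup is deliberately ignored. */
                if (err == -ENOENT)
                        err = 0;
                return err;
        }

        return sock_has_perm(sk, perm);
}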
5122 
5123 #ifdef CONFIG_NETFILTER
5124 
static unsigned int selinux_ip_forward(struct sk_buff *skb,
                                       const struct net_device *indev,
                                       u16 family)
{
        struct lsm_network_audit net = {0,};
        struct common_audit_data ad;
        char *addrp;
        u32 peer_sid;
        u8 secmark_active;
        u8 netlbl_active;
        u8 peerlbl_active;
        int rc;

        /* Peer-based forwarding controls only exist with the netpeer
         * policy capability. */
        if (!selinux_policycap_netpeer)
                return NF_ACCEPT;

        secmark_active = selinux_secmark_enabled();
        netlbl_active = netlbl_enabled();
        peerlbl_active = selinux_peerlbl_enabled();
        if (!secmark_active && !peerlbl_active)
                return NF_ACCEPT;

        /* A packet whose peer label cannot be resolved is dropped. */
        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
                return NF_DROP;

        net.netif = indev->ifindex;
        net.family = family;
        ad.type = LSM_AUDIT_DATA_NET;
        ad.u.net = &net;
        if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
                return NF_DROP;

        /* Peer label checks for the receiving interface/node; a failure is
         * reported to NetLabel before the drop.  See selinux_inet_sys_rcv_skb(). */
        if (peerlbl_active) {
                rc = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
                                              addrp, family, peer_sid, &ad);
                if (rc) {
                        selinux_netlbl_err(skb, family, rc, 1);
                        return NF_DROP;
                }
        }

        /* forward_in: may a packet from this peer carry this secmark? */
        if (secmark_active &&
            avc_has_perm(peer_sid, skb->secmark, SECCLASS_PACKET,
                         PACKET__FORWARD_IN, &ad))
                return NF_DROP;

        /* Re-apply the NetLabel label here on the FORWARD path rather than
         * at POST_ROUTING so it is in place before IPsec runs and can be
         * covered by AH protection. */
        if (netlbl_active &&
            selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
                return NF_DROP;

        return NF_ACCEPT;
}
5181 
static unsigned int selinux_ipv4_forward(void *priv,
                                         struct sk_buff *skb,
                                         const struct nf_hook_state *state)
{
        /* netfilter FORWARD hook for IPv4; the ingress device comes from
         * the hook state. */
        const struct net_device *indev = state->in;

        return selinux_ip_forward(skb, indev, PF_INET);
}
5188 
5189 #if IS_ENABLED(CONFIG_IPV6)
static unsigned int selinux_ipv6_forward(void *priv,
                                         struct sk_buff *skb,
                                         const struct nf_hook_state *state)
{
        /* netfilter FORWARD hook for IPv6; the ingress device comes from
         * the hook state. */
        const struct net_device *indev = state->in;

        return selinux_ip_forward(skb, indev, PF_INET6);
}
5196 #endif  /* IPV6 */
5197 
static unsigned int selinux_ip_output(struct sk_buff *skb,
                                      u16 family)
{
        struct sock *sk = skb->sk;
        u32 sid;

        if (!netlbl_enabled())
                return NF_ACCEPT;

        /* Labeling happens on LOCAL_OUT rather than POST_ROUTING so the
         * NetLabel label is present before IPsec runs and is covered by AH. */

        /* A packet leaving a listening socket is a SYN-ACK whose label
         * belongs to the connection/request_sock, not the parent socket.
         * The request_sock is not queued on the parent until after the
         * SYN-ACK is sent, so it cannot be looked up here; pass the packet
         * unchanged, relying on any IP option labeling having been copied
         * from the connection request in the IP layer.  Far from ideal, but
         * without a label in the packet itself this is the best available. */
        if (sk && sk_listener(sk))
                return NF_ACCEPT;

        if (sk) {
                /* usual case: label with the sending socket's SID */
                struct sk_security_struct *sksec = sk->sk_security;

                sid = sksec->sid;
        } else {
                /* no socket: kernel-generated packet */
                sid = SECINITSID_KERNEL;
        }

        if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
                return NF_DROP;

        return NF_ACCEPT;
}
5239 
static unsigned int selinux_ipv4_output(void *priv,
                                        struct sk_buff *skb,
                                        const struct nf_hook_state *state)
{
        /* netfilter LOCAL_OUT hook for IPv4 (NetLabel labeling only). */
        return selinux_ip_output(skb, PF_INET);
}
5246 
5247 #if IS_ENABLED(CONFIG_IPV6)
static unsigned int selinux_ipv6_output(void *priv,
                                        struct sk_buff *skb,
                                        const struct nf_hook_state *state)
{
        /* netfilter LOCAL_OUT hook for IPv6 (NetLabel labeling only). */
        return selinux_ip_output(skb, PF_INET6);
}
5254 #endif  /* IPV6 */
5255 
static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
                                                int ifindex,
                                                u16 family)
{
        struct lsm_network_audit net = {0,};
        struct common_audit_data ad;
        struct sk_security_struct *sksec;
        struct sock *sk;
        char *addrp;
        u8 proto;

        /* Pre-netpeer compatibility path: only packets that belong to a
         * full socket are checked; everything else passes. */
        sk = skb_to_full_sk(skb);
        if (!sk)
                return NF_ACCEPT;
        sksec = sk->sk_security;

        net.netif = ifindex;
        net.family = family;
        ad.type = LSM_AUDIT_DATA_NET;
        ad.u.net = &net;
        if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
                return NF_DROP;

        /* packet:send from the socket's SID to the packet's secmark */
        if (selinux_secmark_enabled() &&
            avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
                         PACKET__SEND, &ad))
                return NF_DROP_ERR(-ECONNREFUSED);

        /* labeled IPsec check on the egress path, see
         * selinux_xfrm_postroute_last() */
        if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
                return NF_DROP_ERR(-ECONNREFUSED);

        return NF_ACCEPT;
}
5288 
/*
 * POST_ROUTING access control: determine the SID that "owns" the outgoing
 * packet (peer_sid) and the packet permission to check (secmark_perm), then
 * apply the secmark check and, with peer labeling active, the netif egress
 * and node sendto checks.  Returns a netfilter verdict; NF_DROP_ERR(
 * -ECONNREFUSED) is used where a policy denial should surface to the sender.
 * The order of the checks below is deliberate and must not be rearranged.
 */
static unsigned int selinux_ip_postroute(struct sk_buff *skb,
                                         const struct net_device *outdev,
                                         u16 family)
{
        u32 secmark_perm;
        u32 peer_sid;
        int ifindex = outdev->ifindex;
        struct sock *sk;
        struct common_audit_data ad;
        struct lsm_network_audit net = {0,};
        char *addrp;
        u8 secmark_active;
        u8 peerlbl_active;

        /* If any sort of compatibility mode is enabled then handoff processing
         * to the selinux_ip_postroute_compat() function to deal with the
         * special handling.  We do this in an attempt to keep this function
         * as fast and as clean as possible. */
        if (!selinux_policycap_netpeer)
                return selinux_ip_postroute_compat(skb, ifindex, family);

        secmark_active = selinux_secmark_enabled();
        peerlbl_active = selinux_peerlbl_enabled();
        if (!secmark_active && !peerlbl_active)
                return NF_ACCEPT;

        sk = skb_to_full_sk(skb);

#ifdef CONFIG_XFRM
        /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
         * packet transformation so allow the packet to pass without any checks
         * since we'll have another chance to perform access control checks
         * when the packet is on its final way out.
         * NOTE: there appear to be some IPv6 multicast cases where skb->dst
         *       is NULL, in this case go ahead and apply access control.
         * NOTE: if this is a local socket (skb->sk != NULL) that is in the
         *       TCP listening state we cannot wait until the XFRM processing
         *       is done as we will miss out on the SA label if we do;
         *       unfortunately, this means more work, but it is only once per
         *       connection. */
        if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
            !(sk && sk_listener(sk)))
                return NF_ACCEPT;
#endif

        if (sk == NULL) {
                /* Without an associated socket the packet is either coming
                 * from the kernel or it is being forwarded; check the packet
                 * to determine which and if the packet is being forwarded
                 * query the packet directly to determine the security label. */
                if (skb->skb_iif) {
                        /* forwarded: skb_iif records the ingress interface */
                        secmark_perm = PACKET__FORWARD_OUT;
                        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
                                return NF_DROP;
                } else {
                        /* locally generated by the kernel itself */
                        secmark_perm = PACKET__SEND;
                        peer_sid = SECINITSID_KERNEL;
                }
        } else if (sk_listener(sk)) {
                /* Locally generated packet but the associated socket is in the
                 * listening state which means this is a SYN-ACK packet.  In
                 * this particular case the correct security label is assigned
                 * to the connection/request_sock but unfortunately we can't
                 * query the request_sock as it isn't queued on the parent
                 * socket until after the SYN-ACK packet is sent; the only
                 * viable choice is to regenerate the label like we do in
                 * selinux_inet_conn_request().  See also selinux_ip_output()
                 * for similar problems. */
                u32 skb_sid;
                struct sk_security_struct *sksec;

                sksec = sk->sk_security;
                if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
                        return NF_DROP;
                /* At this point, if the returned skb peerlbl is SECSID_NULL
                 * and the packet has been through at least one XFRM
                 * transformation then we must be dealing with the "final"
                 * form of labeled IPsec packet; since we've already applied
                 * all of our access controls on this packet we can safely
                 * pass the packet. */
                if (skb_sid == SECSID_NULL) {
                        switch (family) {
                        case PF_INET:
                                if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
                                        return NF_ACCEPT;
                                break;
                        case PF_INET6:
                                if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
                                        return NF_ACCEPT;
                                break;
                        default:
                                /* unknown family: fail closed */
                                return NF_DROP_ERR(-ECONNREFUSED);
                        }
                }
                if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
                        return NF_DROP;
                secmark_perm = PACKET__SEND;
        } else {
                /* Locally generated packet, fetch the security label from the
                 * associated socket. */
                struct sk_security_struct *sksec = sk->sk_security;
                peer_sid = sksec->sid;
                secmark_perm = PACKET__SEND;
        }

        ad.type = LSM_AUDIT_DATA_NET;
        ad.u.net = &net;
        ad.u.net->netif = ifindex;
        ad.u.net->family = family;
        if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
                return NF_DROP;

        /* packet:{send,forward_out} from the owning SID to the secmark */
        if (secmark_active)
                if (avc_has_perm(peer_sid, skb->secmark,
                                 SECCLASS_PACKET, secmark_perm, &ad))
                        return NF_DROP_ERR(-ECONNREFUSED);

        if (peerlbl_active) {
                u32 if_sid;
                u32 node_sid;

                /* egress interface check, then destination node check */
                if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
                        return NF_DROP;
                if (avc_has_perm(peer_sid, if_sid,
                                 SECCLASS_NETIF, NETIF__EGRESS, &ad))
                        return NF_DROP_ERR(-ECONNREFUSED);

                if (sel_netnode_sid(addrp, family, &node_sid))
                        return NF_DROP;
                if (avc_has_perm(peer_sid, node_sid,
                                 SECCLASS_NODE, NODE__SENDTO, &ad))
                        return NF_DROP_ERR(-ECONNREFUSED);
        }

        return NF_ACCEPT;
}
5425 
static unsigned int selinux_ipv4_postroute(void *priv,
                                           struct sk_buff *skb,
                                           const struct nf_hook_state *state)
{
        /* netfilter POST_ROUTING hook for IPv4; the egress device comes
         * from the hook state. */
        const struct net_device *outdev = state->out;

        return selinux_ip_postroute(skb, outdev, PF_INET);
}
5432 
5433 #if IS_ENABLED(CONFIG_IPV6)
static unsigned int selinux_ipv6_postroute(void *priv,
                                           struct sk_buff *skb,
                                           const struct nf_hook_state *state)
{
        /* netfilter POST_ROUTING hook for IPv6; the egress device comes
         * from the hook state. */
        const struct net_device *outdev = state->out;

        return selinux_ip_postroute(skb, outdev, PF_INET6);
}
5440 #endif  /* IPV6 */
5441 
5442 #endif  /* CONFIG_NETFILTER */
5443 
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{
        /* LSM netlink_send hook: defer to the per-message permission check. */
        return selinux_nlmsg_perm(sk, skb);
}
5448 
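static int ipc_alloc_security(struct kern_ipc_perm *perm,
                              u16 sclass)
{
        struct ipc_security_struct *isec;

        /* sizeof(*isec) ties the allocation size to the pointer's type. */
        isec = kzalloc(sizeof(*isec), GFP_KERNEL);
        if (!isec)
                return -ENOMEM;

        /* A new IPC object is labeled with the creating task's SID and the
         * caller's class; the *_alloc_security hooks then run the class
         * create check and call ipc_free_security() on denial. */
        isec->sclass = sclass;
        isec->sid = current_sid();
        perm->security = isec;

        return 0;
}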
5464 
static void ipc_free_security(struct kern_ipc_perm *perm)
{
        void *isec = perm->security;

        /* Clear the pointer before freeing so no dangling reference remains
         * on the IPC object. */
        perm->security = NULL;
        kfree(isec);
}
5471 
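static int msg_msg_alloc_security(struct msg_msg *msg)
{
        struct msg_security_struct *msec;

        /* sizeof(*msec) ties the allocation size to the pointer's type. */
        msec = kzalloc(sizeof(*msec), GFP_KERNEL);
        if (!msec)
                return -ENOMEM;

        /* Messages start unlabeled; selinux_msg_queue_msgsnd() assigns the
         * real label on the first send. */
        msec->sid = SECINITSID_UNLABELED;
        msg->security = msec;

        return 0;
}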
5485 
static void msg_msg_free_security(struct msg_msg *msg)
{
        void *msec = msg->security;

        /* Detach before freeing so the message never points at freed memory. */
        msg->security = NULL;
        kfree(msec);
}
5493 
static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
                        u32 perms)
{
        struct ipc_security_struct *isec = ipc_perms->security;
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_IPC,
                .u.ipc_id = ipc_perms->key,
        };
        u32 sid = current_sid();

        /* Check @perms for the current task against the IPC object's own
         * label and class, auditing with the object's key. */
        return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
}
5508 
static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
{
        /* LSM hook: attach an (initially unlabeled) security struct. */
        return msg_msg_alloc_security(msg);
}
5513 
static void selinux_msg_msg_free_security(struct msg_msg *msg)
{
        /* LSM hook: release the struct from selinux_msg_msg_alloc_security(). */
        msg_msg_free_security(msg);
}
5518 
5519 /* message queue security operations */
static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
{
        struct kern_ipc_perm *perm = &msq->q_perm;
        struct ipc_security_struct *isec;
        struct common_audit_data ad;
        u32 sid = current_sid();
        int rc;

        rc = ipc_alloc_security(perm, SECCLASS_MSGQ);
        if (rc)
                return rc;
        isec = perm->security;

        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = perm->key;

        /* msgq:create; on denial drop the label attached above so the
         * queue is not left carrying a security struct. */
        rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
                          MSGQ__CREATE, &ad);
        if (rc)
                ipc_free_security(perm);

        return rc;
}
5544 
static void selinux_msg_queue_free_security(struct msg_queue *msq)
{
        /* Release the ipc_security_struct attached to the queue's perm. */
        ipc_free_security(&msq->q_perm);
}
5549 
static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
        struct ipc_security_struct *isec = msq->q_perm.security;
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_IPC,
                .u.ipc_id = msq->q_perm.key,
        };

        /* msgq:associate — may the current task obtain this queue's id? */
        return avc_has_perm(current_sid(), isec->sid, SECCLASS_MSGQ,
                            MSGQ__ASSOCIATE, &ad);
}
5564 
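static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
{
        /* u32, matching ipc_has_perm()'s parameter and selinux_sem_semctl() */
        u32 perms;

        switch (cmd) {
        case IPC_INFO:
        case MSG_INFO:
                /* No specific object, just general system-wide information. */
                return avc_has_perm(current_sid(), SECINITSID_KERNEL,
                                    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
        case IPC_STAT:
        case MSG_STAT:
                perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
                break;
        case IPC_SET:
                perms = MSGQ__SETATTR;
                break;
        case IPC_RMID:
                perms = MSGQ__DESTROY;
                break;
        default:
                /* other commands are not checked by SELinux here */
                return 0;
        }

        return ipc_has_perm(&msq->q_perm, perms);
}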
5593 
static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
{
        struct ipc_security_struct *isec = msq->q_perm.security;
        struct msg_security_struct *msec = msg->security;
        struct common_audit_data ad;
        u32 sid = current_sid();
        int rc;

        /* A message still carrying the unlabeled SID is being sent for the
         * first time: derive its label from the sender and the queue it
         * will be stored in. */
        if (msec->sid == SECINITSID_UNLABELED) {
                rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
                                             NULL, &msec->sid);
                if (rc)
                        return rc;
        }

        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = msq->q_perm.key;

        /* sender -> queue: write */
        rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
                          MSGQ__WRITE, &ad);
        if (rc)
                return rc;

        /* sender -> message: send */
        rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
                          MSG__SEND, &ad);
        if (rc)
                return rc;

        /* message -> queue: enqueue */
        return avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
                            MSGQ__ENQUEUE, &ad);
}
5636 
static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
                                    struct task_struct *target,
                                    long type, int mode)
{
        struct ipc_security_struct *isec = msq->q_perm.security;
        struct msg_security_struct *msec = msg->security;
        struct common_audit_data ad;
        /* the receiving task (@target), not necessarily current */
        u32 sid = task_sid(target);
        int rc;

        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = msq->q_perm.key;

        /* receiver -> queue: read */
        rc = avc_has_perm(sid, isec->sid,
                          SECCLASS_MSGQ, MSGQ__READ, &ad);
        if (rc)
                return rc;

        /* receiver -> message: receive */
        return avc_has_perm(sid, msec->sid,
                            SECCLASS_MSG, MSG__RECEIVE, &ad);
}
5660 
5661 /* Shared Memory security operations */
static int selinux_shm_alloc_security(struct shmid_kernel *shp)
{
        struct kern_ipc_perm *perm = &shp->shm_perm;
        struct ipc_security_struct *isec;
        struct common_audit_data ad;
        u32 sid = current_sid();
        int rc;

        rc = ipc_alloc_security(perm, SECCLASS_SHM);
        if (rc)
                return rc;
        isec = perm->security;

        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = perm->key;

        /* shm:create; on denial drop the label attached above. */
        rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
                          SHM__CREATE, &ad);
        if (rc)
                ipc_free_security(perm);

        return rc;
}
5686 
static void selinux_shm_free_security(struct shmid_kernel *shp)
{
        /* Release the ipc_security_struct attached to the segment's perm. */
        ipc_free_security(&shp->shm_perm);
}
5691 
static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
{
        struct ipc_security_struct *isec = shp->shm_perm.security;
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_IPC,
                .u.ipc_id = shp->shm_perm.key,
        };

        /* shm:associate — may the current task obtain this segment's id? */
        return avc_has_perm(current_sid(), isec->sid, SECCLASS_SHM,
                            SHM__ASSOCIATE, &ad);
}
5706 
5707 /* Note, at this point, shp is locked down */
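static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
{
        /* u32, matching ipc_has_perm()'s parameter and selinux_sem_semctl() */
        u32 perms;

        switch (cmd) {
        case IPC_INFO:
        case SHM_INFO:
                /* No specific object, just general system-wide information. */
                return avc_has_perm(current_sid(), SECINITSID_KERNEL,
                                    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
        case IPC_STAT:
        case SHM_STAT:
                perms = SHM__GETATTR | SHM__ASSOCIATE;
                break;
        case IPC_SET:
                perms = SHM__SETATTR;
                break;
        case SHM_LOCK:
        case SHM_UNLOCK:
                perms = SHM__LOCK;
                break;
        case IPC_RMID:
                perms = SHM__DESTROY;
                break;
        default:
                /* other commands are not checked by SELinux here */
                return 0;
        }

        return ipc_has_perm(&shp->shm_perm, perms);
}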
5740 
static int selinux_shm_shmat(struct shmid_kernel *shp,
                             char __user *shmaddr, int shmflg)
{
        /* A read-only attach needs shm:read; otherwise shm:{read,write}. */
        u32 perms = (shmflg & SHM_RDONLY) ? SHM__READ : (SHM__READ | SHM__WRITE);

        return ipc_has_perm(&shp->shm_perm, perms);
}
5753 
5754 /* Semaphore security operations */
static int selinux_sem_alloc_security(struct sem_array *sma)
{
        struct kern_ipc_perm *perm = &sma->sem_perm;
        struct ipc_security_struct *isec;
        struct common_audit_data ad;
        u32 sid = current_sid();
        int rc;

        rc = ipc_alloc_security(perm, SECCLASS_SEM);
        if (rc)
                return rc;
        isec = perm->security;

        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = perm->key;

        /* sem:create; on denial drop the label attached above. */
        rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
                          SEM__CREATE, &ad);
        if (rc)
                ipc_free_security(perm);

        return rc;
}
5779 
static void selinux_sem_free_security(struct sem_array *sma)
{
        /* Release the ipc_security_struct attached to the semaphore set's perm. */
        ipc_free_security(&sma->sem_perm);
}
5784 
static int selinux_sem_associate(struct sem_array *sma, int semflg)
{
        struct ipc_security_struct *isec = sma->sem_perm.security;
        struct common_audit_data ad = {
                .type = LSM_AUDIT_DATA_IPC,
                .u.ipc_id = sma->sem_perm.key,
        };

        /* sem:associate — may the current task obtain this set's id? */
        return avc_has_perm(current_sid(), isec->sid, SECCLASS_SEM,
                            SEM__ASSOCIATE, &ad);
}
5799 
5800 /* Note, at this point, sma is locked down */
/*
 * selinux_sem_semctl - LSM hook for semctl(2).
 * @sma: the semaphore set the command operates on.
 * @cmd: the semctl command.
 *
 * IPC_INFO/SEM_INFO do not name an object and are checked as
 * SYSTEM__IPC_INFO against the kernel SID.  Every other recognised
 * command is mapped onto "sem" class permissions and checked against
 * @sma through ipc_has_perm().  Commands this hook does not model are
 * not restricted here (return 0).  Returns 0 or a negative errno.
 */
static int selinux_sem_semctl(struct sem_array *sma, int cmd)
{
        u32 perms;

        switch (cmd) {
        /* Subsystem-wide queries: no object, so check against the kernel. */
        case IPC_INFO:
        case SEM_INFO:
                return avc_has_perm(current_sid(), SECINITSID_KERNEL,
                                    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);

        /* Semaphore value reads and writes. */
        case GETVAL:
        case GETALL:
                perms = SEM__READ;
                break;
        case SETVAL:
        case SETALL:
                perms = SEM__WRITE;
                break;

        /* Metadata: pid/wait-count queries, stat and attribute changes. */
        case GETPID:
        case GETNCNT:
        case GETZCNT:
                perms = SEM__GETATTR;
                break;
        case IPC_STAT:
        case SEM_STAT:
                perms = SEM__GETATTR | SEM__ASSOCIATE;
                break;
        case IPC_SET:
                perms = SEM__SETATTR;
                break;

        /* Removal of the whole set. */
        case IPC_RMID:
                perms = SEM__DESTROY;
                break;

        default:
                return 0;
        }

        return ipc_has_perm(&sma->sem_perm, perms);
}
5842 
/*
 * selinux_sem_semop - LSM hook for semop(2)/semtimedop(2).
 * @sma:   the semaphore set being operated on.
 * @sops:  the operations (not inspected here).
 * @nsops: number of operations (not inspected here).
 * @alter: non-zero when any operation modifies a semaphore value.
 *
 * Requires SEM__READ on the set, plus SEM__WRITE when @alter is set.
 * Returns 0 or the negative errno from ipc_has_perm().
 */
static int selinux_sem_semop(struct sem_array *sma,
                             struct sembuf *sops, unsigned nsops, int alter)
{
        u32 wanted = SEM__READ;

        if (alter)
                wanted |= SEM__WRITE;

        return ipc_has_perm(&sma->sem_perm, wanted);
}
5855 
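/*
 * selinux_ipc_permission - LSM hook backing the generic SysV IPC
 * permission check.
 * @ipcp: the IPC object (message queue, semaphore set or shm segment).
 * @flag: requested DAC access bits; only the read (S_IRUGO) and write
 *        (S_IWUGO) groups are examined.
 *
 * Maps the DAC request onto the "ipc" class permissions IPC__UNIX_READ
 * and IPC__UNIX_WRITE and checks them via ipc_has_perm().  A request
 * carrying neither read nor write bits is allowed without consulting
 * the policy.  Returns 0 if permitted or a negative errno.
 */
static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
{
        u32 av = 0;

        if (flag & S_IRUGO)
                av |= IPC__UNIX_READ;
        if (flag & S_IWUGO)
                av |= IPC__UNIX_WRITE;

        /* Nothing the policy governs was requested: nothing to check. */
        if (av == 0)
                return 0;

        return ipc_has_perm(ipcp, av);
}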
5871 
/*
 * selinux_ipc_getsecid - report the SID of a SysV IPC object.
 * @ipcp:  the IPC object; its security blob is assumed to be present
 *         (allocated by the matching *_alloc_security hook).
 * @secid: receives the object's SID.
 */
static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
        const struct ipc_security_struct *blob = ipcp->security;

        *secid = blob->sid;
}
5877 
/*
 * selinux_d_instantiate - label an inode once a dentry is attached to it.
 * @dentry: the dentry being instantiated.
 * @inode:  the inode, or NULL for a negative dentry (then nothing is done).
 */
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
{
        if (!inode)
                return;

        inode_doinit_with_dentry(inode, dentry);
}
5883 
/*
 * selinux_getprocattr - read one of a task's SELinux process attributes
 * (the /proc/<pid>/attr/<name> interface).
 * @p:     the task whose attribute is requested.
 * @name:  one of "current", "prev", "exec", "fscreate", "keycreate",
 *         "sockcreate".
 * @value: on success receives the context string; it is released with
 *         kfree() by the caller (see selinux_release_secctx()).
 *
 * Reading another task's attributes requires PROCESS__GETATTR from the
 * caller's SID towards the target's SID; a task may always read its own.
 * An unset attribute (SID 0) yields 0 with *value untouched.  Returns the
 * length of the context string, 0 if unset, or a negative errno
 * (-EINVAL for an unknown @name, otherwise the AVC or conversion error).
 *
 * The target's credentials are only dereferenced under rcu_read_lock();
 * the lock is dropped before security_sid_to_context() is called.
 */
static int selinux_getprocattr(struct task_struct *p,
                               char *name, char **value)
{
        const struct task_security_struct *__tsec;
        u32 sid;
        int error;
        unsigned len;

        rcu_read_lock();
        __tsec = __task_cred(p)->security;

        /* Inspecting a different task needs getattr on that task. */
        if (current != p) {
                error = avc_has_perm(current_sid(), __tsec->sid,
                                     SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
                if (error)
                        goto bad;
        }

        if (!strcmp(name, "current"))
                sid = __tsec->sid;
        else if (!strcmp(name, "prev"))
                sid = __tsec->osid;
        else if (!strcmp(name, "exec"))
                sid = __tsec->exec_sid;
        else if (!strcmp(name, "fscreate"))
                sid = __tsec->create_sid;
        else if (!strcmp(name, "keycreate"))
                sid = __tsec->keycreate_sid;
        else if (!strcmp(name, "sockcreate"))
                sid = __tsec->sockcreate_sid;
        else {
                error = -EINVAL;
                goto bad;
        }
        rcu_read_unlock();

        /* Attribute not set: nothing to convert, report length 0. */
        if (!sid)
                return 0;

        error = security_sid_to_context(sid, value, &len);
        if (error)
                return error;
        return len;

bad:
        rcu_read_unlock();
        return error;
}
5932 
/*
 * selinux_setprocattr - write one of the current task's SELinux process
 * attributes (the /proc/self/attr/<name> interface).
 * @name:  one of "exec", "fscreate", "keycreate", "sockcreate", "current".
 * @value: the new context as a (not necessarily NUL-terminated) string;
 *         a single trailing newline is stripped in place.  An empty or
 *         newline-only write clears the attribute (SID 0).
 * @size:  number of bytes in @value.
 *
 * Two layers of checks: first the caller needs the matching
 * PROCESS__SET* permission on itself; then, for "keycreate" and
 * "current", the transition to the requested SID is checked here.  For
 * "exec", "fscreate" and "sockcreate" the new SID is only stored and is
 * enforced later by the operation that consumes it.
 *
 * Returns the number of bytes consumed (@size after newline stripping)
 * on success, or a negative errno: -EINVAL for an unknown @name, an
 * unparseable context, or "current" with an empty context; -ENOMEM if
 * new credentials cannot be prepared; otherwise the AVC/transition error.
 */
static int selinux_setprocattr(const char *name, void *value, size_t size)
{
        struct task_security_struct *tsec;
        struct cred *new;
        u32 mysid = current_sid(), sid = 0, ptsid;
        int error;
        char *str = value;

        /*
         * Basic control over ability to set these attributes at all.
         */
        if (!strcmp(name, "exec"))
                error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
                                     PROCESS__SETEXEC, NULL);
        else if (!strcmp(name, "fscreate"))
                error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
                                     PROCESS__SETFSCREATE, NULL);
        else if (!strcmp(name, "keycreate"))
                error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
                                     PROCESS__SETKEYCREATE, NULL);
        else if (!strcmp(name, "sockcreate"))
                error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
                                     PROCESS__SETSOCKCREATE, NULL);
        else if (!strcmp(name, "current"))
                error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
                                     PROCESS__SETCURRENT, NULL);
        else
                error = -EINVAL;
        if (error)
                return error;

        /* Obtain a SID for the context, if one was specified. */
        if (size && str[0] && str[0] != '\n') {
                if (str[size-1] == '\n') {
                        str[size-1] = 0;
                        size--;
                }
                error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
                if (error == -EINVAL && !strcmp(name, "fscreate")) {
                        /*
                         * An unknown fscreate context is tolerated only for
                         * CAP_MAC_ADMIN holders (it is then forced into a
                         * SID); everyone else gets the failure audited.
                         */
                        if (!has_cap_mac_admin(true)) {
                                struct audit_buffer *ab;
                                size_t audit_size;

                                /* We strip a nul only if it is at the end, otherwise the
                                 * context contains a nul and we should audit that */
                                if (str[size - 1] == '\0')
                                        audit_size = size - 1;
                                else
                                        audit_size = size;
                                /* The audit_log_* helpers tolerate a NULL ab, so
                                 * audit_log_start() is deliberately unchecked. */
                                ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
                                audit_log_format(ab, "op=fscreate invalid_context=");
                                audit_log_n_untrustedstring(ab, value, audit_size);
                                audit_log_end(ab);

                                return error;
                        }
                        error = security_context_to_sid_force(value, size,
                                                              &sid);
                }
                if (error)
                        return error;
        }

        new = prepare_creds();
        if (!new)
                return -ENOMEM;

        /* Permission checking based on the specified context is
           performed during the actual operation (execve,
           open/mkdir/...), when we know the full context of the
           operation.  See selinux_bprm_set_creds for the execve
           checks and may_create for the file creation checks. The
           operation will then fail if the context is not permitted. */
        tsec = new->security;
        if (!strcmp(name, "exec")) {
                tsec->exec_sid = sid;
        } else if (!strcmp(name, "fscreate")) {
                tsec->create_sid = sid;
        } else if (!strcmp(name, "keycreate")) {
                /* Unlike the others, keycreate is checked up front:
                 * the caller must be allowed to create keys of @sid. */
                error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
                                     NULL);
                if (error)
                        goto abort_change;
                tsec->keycreate_sid = sid;
        } else if (!strcmp(name, "sockcreate")) {
                tsec->sockcreate_sid = sid;
        } else if (!strcmp(name, "current")) {
                /* "current" cannot be cleared; an empty context is an error. */
                error = -EINVAL;
                if (sid == 0)
                        goto abort_change;

                /* Only single-threaded processes may change context freely;
                 * a multi-threaded process is limited to a bounded
                 * transition, since the other threads keep the old SID. */
                error = -EPERM;
                if (!current_is_single_threaded()) {
                        error = security_bounded_transition(tsec->sid, sid);
                        if (error)
                                goto abort_change;
                }

                /* Check permissions for the transition. */
                error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
                                     PROCESS__DYNTRANSITION, NULL);
                if (error)
                        goto abort_change;

                /* Check for ptracing, and update the task SID if ok.
                   Otherwise, leave SID unchanged and fail.  A tracer must
                   be allowed to ptrace the *new* SID, or the transition
                   would let the tracee escape it. */
                ptsid = ptrace_parent_sid();
                if (ptsid != 0) {
                        error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
                                             PROCESS__PTRACE, NULL);
                        if (error)
                                goto abort_change;
                }

                tsec->sid = sid;
        } else {
                error = -EINVAL;
                goto abort_change;
        }

        commit_creds(new);
        return size;

abort_change:
        /* Drop the prepared credentials; current's remain untouched. */
        abort_creds(new);
        return error;
}
6061 
/*
 * selinux_ismaclabel - tell whether an xattr suffix is the SELinux label.
 * @name: xattr name with the "security." prefix already removed.
 *
 * Returns non-zero only for XATTR_SELINUX_SUFFIX.
 */
static int selinux_ismaclabel(const char *name)
{
        return !strcmp(name, XATTR_SELINUX_SUFFIX);
}
6066 
/*
 * selinux_secid_to_secctx - convert a SID to its textual context.
 * @secid:   the SID to convert.
 * @secdata: receives the context string; release it with
 *           selinux_release_secctx().
 * @seclen:  receives the string length.
 *
 * Returns 0 on success or a negative errno.
 */
static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
        int rc = security_sid_to_context(secid, secdata, seclen);

        return rc;
}
6071 
/*
 * selinux_secctx_to_secid - look up the SID for a textual context.
 * @secdata: the context string (need not be NUL-terminated).
 * @seclen:  its length.
 * @secid:   receives the SID.
 *
 * Unknown contexts are not forced into a SID here; the error from
 * security_context_to_sid() is returned.  Returns 0 or a negative errno.
 */
static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
        int rc = security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);

        return rc;
}
6076 
/*
 * selinux_release_secctx - free a context string handed out by
 * selinux_secid_to_secctx().
 * @secdata: the string to free (may be NULL).
 * @seclen:  its length (unused).
 */
static void selinux_release_secctx(char *secdata, u32 seclen)
{
        char *buf = secdata;

        kfree(buf);
}
6081 
/*
 * selinux_inode_invalidate_secctx - mark an inode's label as stale so it
 * is re-fetched on next use.
 * @inode: the inode whose cached label is no longer trusted.
 *
 * Only the initialized state is touched, under the blob's lock.
 */
static void selinux_inode_invalidate_secctx(struct inode *inode)
{
        struct inode_security_struct *sec = inode->i_security;

        spin_lock(&sec->lock);
        sec->initialized = LABEL_INVALID;
        spin_unlock(&sec->lock);
}
6090 
6091 /*
6092  *      called with inode->i_mutex locked
6093  */
/*
 * selinux_inode_notifysecctx - the filesystem tells us the label it holds
 * for @inode; apply it to the in-core security blob.
 * @inode:  the inode being labelled.
 * @ctx:    the context string.
 * @ctxlen: its length.
 *
 * Returns 0 or the negative errno from selinux_inode_setsecurity().
 */
static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
        int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
                                           ctx, ctxlen, 0);

        return rc;
}
6098 
6099 /*
6100  *      called with inode->i_mutex locked
6101  */
/*
 * selinux_inode_setsecctx - store a label on disk as the SELinux xattr,
 * bypassing the per-xattr permission checks (the caller has already
 * been authorised).
 * @dentry: the object to label.
 * @ctx:    the context string.
 * @ctxlen: its length.
 *
 * Returns 0 or the negative errno from __vfs_setxattr_noperm().
 */
static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
        int rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX,
                                       ctx, ctxlen, 0);

        return rc;
}
6106 
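/*
 * selinux_inode_getsecctx - return an inode's security context.
 * @inode:  the inode being queried.
 * @ctx:    receives the context buffer allocated by the lower layer.
 * @ctxlen: receives its length.
 *
 * selinux_inode_getsecurity() reports the length as its return value;
 * this hook folds that into the (@ctxlen, 0) pair the LSM interface
 * expects.  Returns 0 on success or the negative errno from the lower
 * call, in which case @ctxlen is left untouched.
 */
static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
{
        int len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
                                            ctx, true);

        if (len < 0)
                return len;
        *ctxlen = len;
        return 0;
}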
6117 #ifdef CONFIG_KEYS
6118 
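/*
 * selinux_key_alloc - attach a security blob to a newly allocated key.
 * @k:     the key being created.
 * @cred:  the credentials the key is created with.
 * @flags: key allocation flags (not consulted here).
 *
 * The key is labelled with the creator's pending keycreate SID if one
 * has been set (see selinux_setprocattr()), otherwise with the creator's
 * own SID.  Returns 0, or -ENOMEM if the blob cannot be allocated.
 */
static int selinux_key_alloc(struct key *k, const struct cred *cred,
                             unsigned long flags)
{
        const struct task_security_struct *tsec;
        struct key_security_struct *ksec;

        /* sizeof(*ksec) keeps the allocation tied to the pointer's type. */
        ksec = kzalloc(sizeof(*ksec), GFP_KERNEL);
        if (!ksec)
                return -ENOMEM;

        tsec = cred->security;
        if (tsec->keycreate_sid)
                ksec->sid = tsec->keycreate_sid;
        else
                ksec->sid = tsec->sid;

        k->security = ksec;
        return 0;
}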
6138 
/*
 * selinux_key_free - release the blob attached by selinux_key_alloc().
 * @k: the key being destroyed.
 *
 * The key's pointer is cleared before the blob is freed.
 */
static void selinux_key_free(struct key *k)
{
        struct key_security_struct *blob = k->security;

        k->security = NULL;
        kfree(blob);
}
6146 
/*
 * selinux_key_permission - LSM hook for access to a key.
 * @key_ref: reference to the key being accessed.
 * @cred:    the credentials making the access.
 * @perm:    the "key" class permission mask being requested.
 *
 * Checks @perm from the SID of @cred towards the key's SID.  Returns 0
 * if permitted or a negative errno.
 */
static int selinux_key_permission(key_ref_t key_ref,
                                  const struct cred *cred,
                                  unsigned perm)
{
        const struct key_security_struct *ksec;
        u32 ssid;

        /* An empty permission mask requests nothing, so there is nothing
         * to check; no serious additional covert channel results from
         * letting it through. */
        if (!perm)
                return 0;

        ssid = cred_sid(cred);
        ksec = key_ref_to_ptr(key_ref)->security;

        return avc_has_perm(ssid, ksec->sid, SECCLASS_KEY, perm, NULL);
}
6168 
/*
 * selinux_key_getsecurity - return the textual context of a key.
 * @key:     the key.
 * @_buffer: receives the context string (owned by the caller afterwards);
 *           it is assumed to stay NULL when the conversion fails.
 *
 * Returns the string length on success or a negative errno.
 */
static int selinux_key_getsecurity(struct key *key, char **_buffer)
{
        const struct key_security_struct *ksec = key->security;
        char *context = NULL;
        unsigned len;
        int rc = security_sid_to_context(ksec->sid, &context, &len);

        /* Hand the buffer back on every path so the caller's view matches. */
        *_buffer = context;
        if (rc)
                return rc;
        return len;
}
6182 #endif
6183 
6184 #ifdef CONFIG_SECURITY_INFINIBAND
/*
 * selinux_ib_pkey_access - LSM hook for using an InfiniBand partition key.
 * @ib_sec:        the ib_security_struct of the accessing object.
 * @subnet_prefix: the subnet the pkey belongs to.
 * @pkey_val:      the partition key value.
 *
 * Resolves the (subnet, pkey) pair to a SID and checks
 * INFINIBAND_PKEY__ACCESS from the object's SID; the audit record
 * carries both values.  Returns 0 or a negative errno (including a
 * failed SID lookup).
 */
static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
{
        struct ib_security_struct *sec = ib_sec;
        struct lsm_ibpkey_audit ibpkey = {
                .subnet_prefix = subnet_prefix,
                .pkey = pkey_val,
        };
        struct common_audit_data ad;
        u32 pkey_sid = 0;
        int err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &pkey_sid);

        if (err)
                return err;

        ad.type = LSM_AUDIT_DATA_IBPKEY;
        ad.u.ibpkey = &ibpkey;
        return avc_has_perm(sec->sid, pkey_sid,
                            SECCLASS_INFINIBAND_PKEY,
                            INFINIBAND_PKEY__ACCESS, &ad);
}
6205 
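/*
 * selinux_ib_endport_manage_subnet - LSM hook for subnet management on an
 * InfiniBand end port.
 * @ib_sec:   the ib_security_struct of the managing object.
 * @dev_name: name of the IB device.
 * @port_num: port number on that device.
 *
 * Resolves (device, port) to a SID and checks
 * INFINIBAND_ENDPORT__MANAGE_SUBNET from the object's SID; the audit
 * record carries the device name and port.  Returns 0 or a negative
 * errno (including a failed SID lookup).
 */
static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
                                            u8 port_num)
{
        struct common_audit_data ad;
        int err;
        u32 sid = 0;
        struct ib_security_struct *sec = ib_sec;
        struct lsm_ibendport_audit ibendport;

        err = security_ib_endport_sid(dev_name, port_num, &sid);

        if (err)
                return err;

        ad.type = LSM_AUDIT_DATA_IBENDPORT;
        /*
         * strncpy() leaves the buffer unterminated when @dev_name fills it
         * entirely, and the audit side presumably formats dev_name as a C
         * string.  Terminate the last byte explicitly so an over-long name
         * is truncated instead of read past the end of the buffer.
         */
        strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
        ibendport.dev_name[sizeof(ibendport.dev_name) - 1] = '\0';
        ibendport.port = port_num;
        ad.u.ibendport = &ibendport;
        return avc_has_perm(sec->sid, sid,
                            SECCLASS_INFINIBAND_ENDPORT,
                            INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
}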
6228 
/*
 * selinux_ib_alloc_security - allocate the security blob for an
 * InfiniBand object.
 * @ib_sec: receives the new ib_security_struct.
 *
 * The blob is labelled with the SID of the task allocating it.
 * Returns 0, or -ENOMEM if the allocation fails.
 */
static int selinux_ib_alloc_security(void **ib_sec)
{
        struct ib_security_struct *sec = kzalloc(sizeof(*sec), GFP_KERNEL);

        if (!sec)
                return -ENOMEM;

        sec->sid = current_sid();
        *ib_sec = sec;
        return 0;
}
6241 
/*
 * selinux_ib_free_security - release a blob from selinux_ib_alloc_security().
 * @ib_sec: the blob to free (may be NULL).
 */
static void selinux_ib_free_security(void *ib_sec)
{
        struct ib_security_struct *sec = ib_sec;

        kfree(sec);
}
6246 #endif
6247 
6248 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6249         LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6250         LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6251         LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6252         LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6253 
6254         LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6255         LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6256         LSM_HOOK_INIT(capget, selinux_capget),
6257         LSM_HOOK_INIT(capset, selinux_capset),
6258         LSM_HOOK_INIT(capable, selinux_capable),
6259         LSM_HOOK_INIT(quotactl, selinux_quotactl),
6260         LSM_HOOK_INIT(quota_on, selinux_quota_on),
6261         LSM_HOOK_INIT(syslog, selinux_syslog),
6262         LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6263 
6264         LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6265 
6266         LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6267         LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6268         LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6269         LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6270 
6271         LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6272         LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6273         LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6274         LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6275         LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6276         LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6277         LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6278         LSM_HOOK_INIT(sb_mount, selinux_mount),
6279         LSM_HOOK_INIT(sb_umount, selinux_umount),
6280         LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6281         LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6282         LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6283 
6284         LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6285         LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6286 
6287         LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6288         LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6289         LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6290         LSM_HOOK_INIT(inode_create, selinux_inode_create),
6291         LSM_HOOK_INIT(inode_link, selinux_inode_link),
6292         LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6293         LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6294         LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6295         LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6296         LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6297         LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6298         LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6299         LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6300         LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6301         LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6302         LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6303         LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6304         LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6305         LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6306         LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6307         LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6308         LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6309