netdevsim: avoid potential loop in nsim_dev_trap_report_work()
[platform/kernel/linux-rpi.git] / security / selinux / hooks.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  Security-Enhanced Linux (SELinux) security module
4  *
5  *  This file contains the SELinux hook function implementations.
6  *
7  *  Authors:  Stephen Smalley, <stephen.smalley.work@gmail.com>
8  *            Chris Vance, <cvance@nai.com>
9  *            Wayne Salamon, <wsalamon@nai.com>
10  *            James Morris <jmorris@redhat.com>
11  *
12  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14  *                                         Eric Paris <eparis@redhat.com>
15  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  *                          <dgoeddel@trustedcs.com>
17  *  Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18  *      Paul Moore <paul@paul-moore.com>
19  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
21  *  Copyright (C) 2016 Mellanox Technologies
22  */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h>             /* for local_port_range[] */
55 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h>    /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h>           /* for Unix socket types */
73 #include <net/af_unix.h>        /* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h>   /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring.h>
95
96 #include "avc.h"
97 #include "objsec.h"
98 #include "netif.h"
99 #include "netnode.h"
100 #include "netport.h"
101 #include "ibpkey.h"
102 #include "xfrm.h"
103 #include "netlabel.h"
104 #include "audit.h"
105 #include "avc_ss.h"
106
107 #define SELINUX_INODE_INIT_XATTRS 1
108
109 struct selinux_state selinux_state;
110
111 /* SECMARK reference count */
112 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
113
114 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
115 static int selinux_enforcing_boot __initdata;
116
117 static int __init enforcing_setup(char *str)
118 {
119         unsigned long enforcing;
120         if (!kstrtoul(str, 0, &enforcing))
121                 selinux_enforcing_boot = enforcing ? 1 : 0;
122         return 1;
123 }
124 __setup("enforcing=", enforcing_setup);
125 #else
126 #define selinux_enforcing_boot 1
127 #endif
128
129 int selinux_enabled_boot __initdata = 1;
130 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
131 static int __init selinux_enabled_setup(char *str)
132 {
133         unsigned long enabled;
134         if (!kstrtoul(str, 0, &enabled))
135                 selinux_enabled_boot = enabled ? 1 : 0;
136         return 1;
137 }
138 __setup("selinux=", selinux_enabled_setup);
139 #endif
140
141 static int __init checkreqprot_setup(char *str)
142 {
143         unsigned long checkreqprot;
144
145         if (!kstrtoul(str, 0, &checkreqprot)) {
146                 if (checkreqprot)
147                         pr_err("SELinux: checkreqprot set to 1 via kernel parameter.  This is no longer supported.\n");
148         }
149         return 1;
150 }
151 __setup("checkreqprot=", checkreqprot_setup);
152
153 /**
154  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
155  *
156  * Description:
157  * This function checks the SECMARK reference counter to see if any SECMARK
158  * targets are currently configured, if the reference counter is greater than
159  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
160  * enabled, false (0) if SECMARK is disabled.  If the always_check_network
161  * policy capability is enabled, SECMARK is always considered enabled.
162  *
163  */
164 static int selinux_secmark_enabled(void)
165 {
166         return (selinux_policycap_alwaysnetwork() ||
167                 atomic_read(&selinux_secmark_refcount));
168 }
169
170 /**
171  * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
172  *
173  * Description:
174  * This function checks if NetLabel or labeled IPSEC is enabled.  Returns true
175  * (1) if any are enabled or false (0) if neither are enabled.  If the
176  * always_check_network policy capability is enabled, peer labeling
177  * is always considered enabled.
178  *
179  */
180 static int selinux_peerlbl_enabled(void)
181 {
182         return (selinux_policycap_alwaysnetwork() ||
183                 netlbl_enabled() || selinux_xfrm_enabled());
184 }
185
186 static int selinux_netcache_avc_callback(u32 event)
187 {
188         if (event == AVC_CALLBACK_RESET) {
189                 sel_netif_flush();
190                 sel_netnode_flush();
191                 sel_netport_flush();
192                 synchronize_net();
193         }
194         return 0;
195 }
196
197 static int selinux_lsm_notifier_avc_callback(u32 event)
198 {
199         if (event == AVC_CALLBACK_RESET) {
200                 sel_ib_pkey_flush();
201                 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
202         }
203
204         return 0;
205 }
206
207 /*
208  * initialise the security for the init task
209  */
210 static void cred_init_security(void)
211 {
212         struct task_security_struct *tsec;
213
214         tsec = selinux_cred(unrcu_pointer(current->real_cred));
215         tsec->osid = tsec->sid = SECINITSID_KERNEL;
216 }
217
218 /*
219  * get the security ID of a set of credentials
220  */
221 static inline u32 cred_sid(const struct cred *cred)
222 {
223         const struct task_security_struct *tsec;
224
225         tsec = selinux_cred(cred);
226         return tsec->sid;
227 }
228
229 static void __ad_net_init(struct common_audit_data *ad,
230                           struct lsm_network_audit *net,
231                           int ifindex, struct sock *sk, u16 family)
232 {
233         ad->type = LSM_AUDIT_DATA_NET;
234         ad->u.net = net;
235         net->netif = ifindex;
236         net->sk = sk;
237         net->family = family;
238 }
239
240 static void ad_net_init_from_sk(struct common_audit_data *ad,
241                                 struct lsm_network_audit *net,
242                                 struct sock *sk)
243 {
244         __ad_net_init(ad, net, 0, sk, 0);
245 }
246
247 static void ad_net_init_from_iif(struct common_audit_data *ad,
248                                  struct lsm_network_audit *net,
249                                  int ifindex, u16 family)
250 {
251         __ad_net_init(ad, net, ifindex, NULL, family);
252 }
253
254 /*
255  * get the objective security ID of a task
256  */
257 static inline u32 task_sid_obj(const struct task_struct *task)
258 {
259         u32 sid;
260
261         rcu_read_lock();
262         sid = cred_sid(__task_cred(task));
263         rcu_read_unlock();
264         return sid;
265 }
266
267 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
268
269 /*
270  * Try reloading inode security labels that have been marked as invalid.  The
271  * @may_sleep parameter indicates when sleeping and thus reloading labels is
272  * allowed; when set to false, returns -ECHILD when the label is
273  * invalid.  The @dentry parameter should be set to a dentry of the inode.
274  */
275 static int __inode_security_revalidate(struct inode *inode,
276                                        struct dentry *dentry,
277                                        bool may_sleep)
278 {
279         struct inode_security_struct *isec = selinux_inode(inode);
280
281         might_sleep_if(may_sleep);
282
283         if (selinux_initialized() &&
284             isec->initialized != LABEL_INITIALIZED) {
285                 if (!may_sleep)
286                         return -ECHILD;
287
288                 /*
289                  * Try reloading the inode security label.  This will fail if
290                  * @opt_dentry is NULL and no dentry for this inode can be
291                  * found; in that case, continue using the old label.
292                  */
293                 inode_doinit_with_dentry(inode, dentry);
294         }
295         return 0;
296 }
297
298 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
299 {
300         return selinux_inode(inode);
301 }
302
303 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
304 {
305         int error;
306
307         error = __inode_security_revalidate(inode, NULL, !rcu);
308         if (error)
309                 return ERR_PTR(error);
310         return selinux_inode(inode);
311 }
312
313 /*
314  * Get the security label of an inode.
315  */
316 static struct inode_security_struct *inode_security(struct inode *inode)
317 {
318         __inode_security_revalidate(inode, NULL, true);
319         return selinux_inode(inode);
320 }
321
322 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
323 {
324         struct inode *inode = d_backing_inode(dentry);
325
326         return selinux_inode(inode);
327 }
328
329 /*
330  * Get the security label of a dentry's backing inode.
331  */
332 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
333 {
334         struct inode *inode = d_backing_inode(dentry);
335
336         __inode_security_revalidate(inode, dentry, true);
337         return selinux_inode(inode);
338 }
339
340 static void inode_free_security(struct inode *inode)
341 {
342         struct inode_security_struct *isec = selinux_inode(inode);
343         struct superblock_security_struct *sbsec;
344
345         if (!isec)
346                 return;
347         sbsec = selinux_superblock(inode->i_sb);
348         /*
349          * As not all inode security structures are in a list, we check for
350          * empty list outside of the lock to make sure that we won't waste
351          * time taking a lock doing nothing.
352          *
353          * The list_del_init() function can be safely called more than once.
354          * It should not be possible for this function to be called with
355          * concurrent list_add(), but for better safety against future changes
356          * in the code, we use list_empty_careful() here.
357          */
358         if (!list_empty_careful(&isec->list)) {
359                 spin_lock(&sbsec->isec_lock);
360                 list_del_init(&isec->list);
361                 spin_unlock(&sbsec->isec_lock);
362         }
363 }
364
365 struct selinux_mnt_opts {
366         u32 fscontext_sid;
367         u32 context_sid;
368         u32 rootcontext_sid;
369         u32 defcontext_sid;
370 };
371
372 static void selinux_free_mnt_opts(void *mnt_opts)
373 {
374         kfree(mnt_opts);
375 }
376
377 enum {
378         Opt_error = -1,
379         Opt_context = 0,
380         Opt_defcontext = 1,
381         Opt_fscontext = 2,
382         Opt_rootcontext = 3,
383         Opt_seclabel = 4,
384 };
385
386 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
387 static const struct {
388         const char *name;
389         int len;
390         int opt;
391         bool has_arg;
392 } tokens[] = {
393         A(context, true),
394         A(fscontext, true),
395         A(defcontext, true),
396         A(rootcontext, true),
397         A(seclabel, false),
398 };
399 #undef A
400
401 static int match_opt_prefix(char *s, int l, char **arg)
402 {
403         int i;
404
405         for (i = 0; i < ARRAY_SIZE(tokens); i++) {
406                 size_t len = tokens[i].len;
407                 if (len > l || memcmp(s, tokens[i].name, len))
408                         continue;
409                 if (tokens[i].has_arg) {
410                         if (len == l || s[len] != '=')
411                                 continue;
412                         *arg = s + len + 1;
413                 } else if (len != l)
414                         continue;
415                 return tokens[i].opt;
416         }
417         return Opt_error;
418 }
419
420 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
421
422 static int may_context_mount_sb_relabel(u32 sid,
423                         struct superblock_security_struct *sbsec,
424                         const struct cred *cred)
425 {
426         const struct task_security_struct *tsec = selinux_cred(cred);
427         int rc;
428
429         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
430                           FILESYSTEM__RELABELFROM, NULL);
431         if (rc)
432                 return rc;
433
434         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
435                           FILESYSTEM__RELABELTO, NULL);
436         return rc;
437 }
438
439 static int may_context_mount_inode_relabel(u32 sid,
440                         struct superblock_security_struct *sbsec,
441                         const struct cred *cred)
442 {
443         const struct task_security_struct *tsec = selinux_cred(cred);
444         int rc;
445         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
446                           FILESYSTEM__RELABELFROM, NULL);
447         if (rc)
448                 return rc;
449
450         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
451                           FILESYSTEM__ASSOCIATE, NULL);
452         return rc;
453 }
454
455 static int selinux_is_genfs_special_handling(struct super_block *sb)
456 {
457         /* Special handling. Genfs but also in-core setxattr handler */
458         return  !strcmp(sb->s_type->name, "sysfs") ||
459                 !strcmp(sb->s_type->name, "pstore") ||
460                 !strcmp(sb->s_type->name, "debugfs") ||
461                 !strcmp(sb->s_type->name, "tracefs") ||
462                 !strcmp(sb->s_type->name, "rootfs") ||
463                 (selinux_policycap_cgroupseclabel() &&
464                  (!strcmp(sb->s_type->name, "cgroup") ||
465                   !strcmp(sb->s_type->name, "cgroup2")));
466 }
467
468 static int selinux_is_sblabel_mnt(struct super_block *sb)
469 {
470         struct superblock_security_struct *sbsec = selinux_superblock(sb);
471
472         /*
473          * IMPORTANT: Double-check logic in this function when adding a new
474          * SECURITY_FS_USE_* definition!
475          */
476         BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
477
478         switch (sbsec->behavior) {
479         case SECURITY_FS_USE_XATTR:
480         case SECURITY_FS_USE_TRANS:
481         case SECURITY_FS_USE_TASK:
482         case SECURITY_FS_USE_NATIVE:
483                 return 1;
484
485         case SECURITY_FS_USE_GENFS:
486                 return selinux_is_genfs_special_handling(sb);
487
488         /* Never allow relabeling on context mounts */
489         case SECURITY_FS_USE_MNTPOINT:
490         case SECURITY_FS_USE_NONE:
491         default:
492                 return 0;
493         }
494 }
495
496 static int sb_check_xattr_support(struct super_block *sb)
497 {
498         struct superblock_security_struct *sbsec = selinux_superblock(sb);
499         struct dentry *root = sb->s_root;
500         struct inode *root_inode = d_backing_inode(root);
501         u32 sid;
502         int rc;
503
504         /*
505          * Make sure that the xattr handler exists and that no
506          * error other than -ENODATA is returned by getxattr on
507          * the root directory.  -ENODATA is ok, as this may be
508          * the first boot of the SELinux kernel before we have
509          * assigned xattr values to the filesystem.
510          */
511         if (!(root_inode->i_opflags & IOP_XATTR)) {
512                 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
513                         sb->s_id, sb->s_type->name);
514                 goto fallback;
515         }
516
517         rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518         if (rc < 0 && rc != -ENODATA) {
519                 if (rc == -EOPNOTSUPP) {
520                         pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
521                                 sb->s_id, sb->s_type->name);
522                         goto fallback;
523                 } else {
524                         pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
525                                 sb->s_id, sb->s_type->name, -rc);
526                         return rc;
527                 }
528         }
529         return 0;
530
531 fallback:
532         /* No xattr support - try to fallback to genfs if possible. */
533         rc = security_genfs_sid(sb->s_type->name, "/",
534                                 SECCLASS_DIR, &sid);
535         if (rc)
536                 return -EOPNOTSUPP;
537
538         pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
539                 sb->s_id, sb->s_type->name);
540         sbsec->behavior = SECURITY_FS_USE_GENFS;
541         sbsec->sid = sid;
542         return 0;
543 }
544
545 static int sb_finish_set_opts(struct super_block *sb)
546 {
547         struct superblock_security_struct *sbsec = selinux_superblock(sb);
548         struct dentry *root = sb->s_root;
549         struct inode *root_inode = d_backing_inode(root);
550         int rc = 0;
551
552         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
553                 rc = sb_check_xattr_support(sb);
554                 if (rc)
555                         return rc;
556         }
557
558         sbsec->flags |= SE_SBINITIALIZED;
559
560         /*
561          * Explicitly set or clear SBLABEL_MNT.  It's not sufficient to simply
562          * leave the flag untouched because sb_clone_mnt_opts might be handing
563          * us a superblock that needs the flag to be cleared.
564          */
565         if (selinux_is_sblabel_mnt(sb))
566                 sbsec->flags |= SBLABEL_MNT;
567         else
568                 sbsec->flags &= ~SBLABEL_MNT;
569
570         /* Initialize the root inode. */
571         rc = inode_doinit_with_dentry(root_inode, root);
572
573         /* Initialize any other inodes associated with the superblock, e.g.
574            inodes created prior to initial policy load or inodes created
575            during get_sb by a pseudo filesystem that directly
576            populates itself. */
577         spin_lock(&sbsec->isec_lock);
578         while (!list_empty(&sbsec->isec_head)) {
579                 struct inode_security_struct *isec =
580                                 list_first_entry(&sbsec->isec_head,
581                                            struct inode_security_struct, list);
582                 struct inode *inode = isec->inode;
583                 list_del_init(&isec->list);
584                 spin_unlock(&sbsec->isec_lock);
585                 inode = igrab(inode);
586                 if (inode) {
587                         if (!IS_PRIVATE(inode))
588                                 inode_doinit_with_dentry(inode, NULL);
589                         iput(inode);
590                 }
591                 spin_lock(&sbsec->isec_lock);
592         }
593         spin_unlock(&sbsec->isec_lock);
594         return rc;
595 }
596
597 static int bad_option(struct superblock_security_struct *sbsec, char flag,
598                       u32 old_sid, u32 new_sid)
599 {
600         char mnt_flags = sbsec->flags & SE_MNTMASK;
601
602         /* check if the old mount command had the same options */
603         if (sbsec->flags & SE_SBINITIALIZED)
604                 if (!(sbsec->flags & flag) ||
605                     (old_sid != new_sid))
606                         return 1;
607
608         /* check if we were passed the same options twice,
609          * aka someone passed context=a,context=b
610          */
611         if (!(sbsec->flags & SE_SBINITIALIZED))
612                 if (mnt_flags & flag)
613                         return 1;
614         return 0;
615 }
616
617 /*
618  * Allow filesystems with binary mount data to explicitly set mount point
619  * labeling information.
620  */
621 static int selinux_set_mnt_opts(struct super_block *sb,
622                                 void *mnt_opts,
623                                 unsigned long kern_flags,
624                                 unsigned long *set_kern_flags)
625 {
626         const struct cred *cred = current_cred();
627         struct superblock_security_struct *sbsec = selinux_superblock(sb);
628         struct dentry *root = sb->s_root;
629         struct selinux_mnt_opts *opts = mnt_opts;
630         struct inode_security_struct *root_isec;
631         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
632         u32 defcontext_sid = 0;
633         int rc = 0;
634
635         /*
636          * Specifying internal flags without providing a place to
637          * place the results is not allowed
638          */
639         if (kern_flags && !set_kern_flags)
640                 return -EINVAL;
641
642         mutex_lock(&sbsec->lock);
643
644         if (!selinux_initialized()) {
645                 if (!opts) {
646                         /* Defer initialization until selinux_complete_init,
647                            after the initial policy is loaded and the security
648                            server is ready to handle calls. */
649                         if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
650                                 sbsec->flags |= SE_SBNATIVE;
651                                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
652                         }
653                         goto out;
654                 }
655                 rc = -EINVAL;
656                 pr_warn("SELinux: Unable to set superblock options "
657                         "before the security server is initialized\n");
658                 goto out;
659         }
660
661         /*
662          * Binary mount data FS will come through this function twice.  Once
663          * from an explicit call and once from the generic calls from the vfs.
664          * Since the generic VFS calls will not contain any security mount data
665          * we need to skip the double mount verification.
666          *
667          * This does open a hole in which we will not notice if the first
668          * mount using this sb set explicit options and a second mount using
669          * this sb does not set any security options.  (The first options
670          * will be used for both mounts)
671          */
672         if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
673             && !opts)
674                 goto out;
675
676         root_isec = backing_inode_security_novalidate(root);
677
678         /*
679          * parse the mount options, check if they are valid sids.
680          * also check if someone is trying to mount the same sb more
681          * than once with different security options.
682          */
683         if (opts) {
684                 if (opts->fscontext_sid) {
685                         fscontext_sid = opts->fscontext_sid;
686                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
687                                         fscontext_sid))
688                                 goto out_double_mount;
689                         sbsec->flags |= FSCONTEXT_MNT;
690                 }
691                 if (opts->context_sid) {
692                         context_sid = opts->context_sid;
693                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
694                                         context_sid))
695                                 goto out_double_mount;
696                         sbsec->flags |= CONTEXT_MNT;
697                 }
698                 if (opts->rootcontext_sid) {
699                         rootcontext_sid = opts->rootcontext_sid;
700                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
701                                         rootcontext_sid))
702                                 goto out_double_mount;
703                         sbsec->flags |= ROOTCONTEXT_MNT;
704                 }
705                 if (opts->defcontext_sid) {
706                         defcontext_sid = opts->defcontext_sid;
707                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
708                                         defcontext_sid))
709                                 goto out_double_mount;
710                         sbsec->flags |= DEFCONTEXT_MNT;
711                 }
712         }
713
714         if (sbsec->flags & SE_SBINITIALIZED) {
715                 /* previously mounted with options, but not on this attempt? */
716                 if ((sbsec->flags & SE_MNTMASK) && !opts)
717                         goto out_double_mount;
718                 rc = 0;
719                 goto out;
720         }
721
722         if (strcmp(sb->s_type->name, "proc") == 0)
723                 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
724
725         if (!strcmp(sb->s_type->name, "debugfs") ||
726             !strcmp(sb->s_type->name, "tracefs") ||
727             !strcmp(sb->s_type->name, "binder") ||
728             !strcmp(sb->s_type->name, "bpf") ||
729             !strcmp(sb->s_type->name, "pstore") ||
730             !strcmp(sb->s_type->name, "securityfs"))
731                 sbsec->flags |= SE_SBGENFS;
732
733         if (!strcmp(sb->s_type->name, "sysfs") ||
734             !strcmp(sb->s_type->name, "cgroup") ||
735             !strcmp(sb->s_type->name, "cgroup2"))
736                 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
737
738         if (!sbsec->behavior) {
739                 /*
740                  * Determine the labeling behavior to use for this
741                  * filesystem type.
742                  */
743                 rc = security_fs_use(sb);
744                 if (rc) {
745                         pr_warn("%s: security_fs_use(%s) returned %d\n",
746                                         __func__, sb->s_type->name, rc);
747                         goto out;
748                 }
749         }
750
751         /*
752          * If this is a user namespace mount and the filesystem type is not
753          * explicitly whitelisted, then no contexts are allowed on the command
754          * line and security labels must be ignored.
755          */
756         if (sb->s_user_ns != &init_user_ns &&
757             strcmp(sb->s_type->name, "tmpfs") &&
758             strcmp(sb->s_type->name, "ramfs") &&
759             strcmp(sb->s_type->name, "devpts") &&
760             strcmp(sb->s_type->name, "overlay")) {
761                 if (context_sid || fscontext_sid || rootcontext_sid ||
762                     defcontext_sid) {
763                         rc = -EACCES;
764                         goto out;
765                 }
766                 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
767                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
768                         rc = security_transition_sid(current_sid(),
769                                                      current_sid(),
770                                                      SECCLASS_FILE, NULL,
771                                                      &sbsec->mntpoint_sid);
772                         if (rc)
773                                 goto out;
774                 }
775                 goto out_set_opts;
776         }
777
778         /* sets the context of the superblock for the fs being mounted. */
779         if (fscontext_sid) {
780                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
781                 if (rc)
782                         goto out;
783
784                 sbsec->sid = fscontext_sid;
785         }
786
787         /*
788          * Switch to using mount point labeling behavior.
789          * sets the label used on all file below the mountpoint, and will set
790          * the superblock context if not already set.
791          */
792         if (sbsec->flags & SE_SBNATIVE) {
793                 /*
794                  * This means we are initializing a superblock that has been
795                  * mounted before the SELinux was initialized and the
796                  * filesystem requested native labeling. We had already
797                  * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
798                  * in the original mount attempt, so now we just need to set
799                  * the SECURITY_FS_USE_NATIVE behavior.
800                  */
801                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
802         } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
803                 sbsec->behavior = SECURITY_FS_USE_NATIVE;
804                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
805         }
806
807         if (context_sid) {
808                 if (!fscontext_sid) {
809                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
810                                                           cred);
811                         if (rc)
812                                 goto out;
813                         sbsec->sid = context_sid;
814                 } else {
815                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
816                                                              cred);
817                         if (rc)
818                                 goto out;
819                 }
820                 if (!rootcontext_sid)
821                         rootcontext_sid = context_sid;
822
823                 sbsec->mntpoint_sid = context_sid;
824                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
825         }
826
827         if (rootcontext_sid) {
828                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
829                                                      cred);
830                 if (rc)
831                         goto out;
832
833                 root_isec->sid = rootcontext_sid;
834                 root_isec->initialized = LABEL_INITIALIZED;
835         }
836
837         if (defcontext_sid) {
838                 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
839                         sbsec->behavior != SECURITY_FS_USE_NATIVE) {
840                         rc = -EINVAL;
841                         pr_warn("SELinux: defcontext option is "
842                                "invalid for this filesystem type\n");
843                         goto out;
844                 }
845
846                 if (defcontext_sid != sbsec->def_sid) {
847                         rc = may_context_mount_inode_relabel(defcontext_sid,
848                                                              sbsec, cred);
849                         if (rc)
850                                 goto out;
851                 }
852
853                 sbsec->def_sid = defcontext_sid;
854         }
855
856 out_set_opts:
857         rc = sb_finish_set_opts(sb);
858 out:
859         mutex_unlock(&sbsec->lock);
860         return rc;
861 out_double_mount:
862         rc = -EINVAL;
863         pr_warn("SELinux: mount invalid.  Same superblock, different "
864                "security settings for (dev %s, type %s)\n", sb->s_id,
865                sb->s_type->name);
866         goto out;
867 }
868
869 static int selinux_cmp_sb_context(const struct super_block *oldsb,
870                                     const struct super_block *newsb)
871 {
872         struct superblock_security_struct *old = selinux_superblock(oldsb);
873         struct superblock_security_struct *new = selinux_superblock(newsb);
874         char oldflags = old->flags & SE_MNTMASK;
875         char newflags = new->flags & SE_MNTMASK;
876
877         if (oldflags != newflags)
878                 goto mismatch;
879         if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
880                 goto mismatch;
881         if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
882                 goto mismatch;
883         if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
884                 goto mismatch;
885         if (oldflags & ROOTCONTEXT_MNT) {
886                 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
887                 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
888                 if (oldroot->sid != newroot->sid)
889                         goto mismatch;
890         }
891         return 0;
892 mismatch:
893         pr_warn("SELinux: mount invalid.  Same superblock, "
894                             "different security settings for (dev %s, "
895                             "type %s)\n", newsb->s_id, newsb->s_type->name);
896         return -EBUSY;
897 }
898
899 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
900                                         struct super_block *newsb,
901                                         unsigned long kern_flags,
902                                         unsigned long *set_kern_flags)
903 {
904         int rc = 0;
905         const struct superblock_security_struct *oldsbsec =
906                                                 selinux_superblock(oldsb);
907         struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
908
909         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
910         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
911         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
912
913         /*
914          * Specifying internal flags without providing a place to
915          * place the results is not allowed.
916          */
917         if (kern_flags && !set_kern_flags)
918                 return -EINVAL;
919
920         mutex_lock(&newsbsec->lock);
921
922         /*
923          * if the parent was able to be mounted it clearly had no special lsm
924          * mount options.  thus we can safely deal with this superblock later
925          */
926         if (!selinux_initialized()) {
927                 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
928                         newsbsec->flags |= SE_SBNATIVE;
929                         *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
930                 }
931                 goto out;
932         }
933
934         /* how can we clone if the old one wasn't set up?? */
935         BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
936
937         /* if fs is reusing a sb, make sure that the contexts match */
938         if (newsbsec->flags & SE_SBINITIALIZED) {
939                 mutex_unlock(&newsbsec->lock);
940                 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
941                         *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
942                 return selinux_cmp_sb_context(oldsb, newsb);
943         }
944
945         newsbsec->flags = oldsbsec->flags;
946
947         newsbsec->sid = oldsbsec->sid;
948         newsbsec->def_sid = oldsbsec->def_sid;
949         newsbsec->behavior = oldsbsec->behavior;
950
951         if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
952                 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
953                 rc = security_fs_use(newsb);
954                 if (rc)
955                         goto out;
956         }
957
958         if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
959                 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
960                 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
961         }
962
963         if (set_context) {
964                 u32 sid = oldsbsec->mntpoint_sid;
965
966                 if (!set_fscontext)
967                         newsbsec->sid = sid;
968                 if (!set_rootcontext) {
969                         struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
970                         newisec->sid = sid;
971                 }
972                 newsbsec->mntpoint_sid = sid;
973         }
974         if (set_rootcontext) {
975                 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
976                 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
977
978                 newisec->sid = oldisec->sid;
979         }
980
981         sb_finish_set_opts(newsb);
982 out:
983         mutex_unlock(&newsbsec->lock);
984         return rc;
985 }
986
987 /*
988  * NOTE: the caller is responsible for freeing the memory even if on error.
989  */
990 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
991 {
992         struct selinux_mnt_opts *opts = *mnt_opts;
993         u32 *dst_sid;
994         int rc;
995
996         if (token == Opt_seclabel)
997                 /* eaten and completely ignored */
998                 return 0;
999         if (!s)
1000                 return -EINVAL;
1001
1002         if (!selinux_initialized()) {
1003                 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1004                 return -EINVAL;
1005         }
1006
1007         if (!opts) {
1008                 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1009                 if (!opts)
1010                         return -ENOMEM;
1011                 *mnt_opts = opts;
1012         }
1013
1014         switch (token) {
1015         case Opt_context:
1016                 if (opts->context_sid || opts->defcontext_sid)
1017                         goto err;
1018                 dst_sid = &opts->context_sid;
1019                 break;
1020         case Opt_fscontext:
1021                 if (opts->fscontext_sid)
1022                         goto err;
1023                 dst_sid = &opts->fscontext_sid;
1024                 break;
1025         case Opt_rootcontext:
1026                 if (opts->rootcontext_sid)
1027                         goto err;
1028                 dst_sid = &opts->rootcontext_sid;
1029                 break;
1030         case Opt_defcontext:
1031                 if (opts->context_sid || opts->defcontext_sid)
1032                         goto err;
1033                 dst_sid = &opts->defcontext_sid;
1034                 break;
1035         default:
1036                 WARN_ON(1);
1037                 return -EINVAL;
1038         }
1039         rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1040         if (rc)
1041                 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1042                         s, rc);
1043         return rc;
1044
1045 err:
1046         pr_warn(SEL_MOUNT_FAIL_MSG);
1047         return -EINVAL;
1048 }
1049
1050 static int show_sid(struct seq_file *m, u32 sid)
1051 {
1052         char *context = NULL;
1053         u32 len;
1054         int rc;
1055
1056         rc = security_sid_to_context(sid, &context, &len);
1057         if (!rc) {
1058                 bool has_comma = strchr(context, ',');
1059
1060                 seq_putc(m, '=');
1061                 if (has_comma)
1062                         seq_putc(m, '\"');
1063                 seq_escape(m, context, "\"\n\\");
1064                 if (has_comma)
1065                         seq_putc(m, '\"');
1066         }
1067         kfree(context);
1068         return rc;
1069 }
1070
1071 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1072 {
1073         struct superblock_security_struct *sbsec = selinux_superblock(sb);
1074         int rc;
1075
1076         if (!(sbsec->flags & SE_SBINITIALIZED))
1077                 return 0;
1078
1079         if (!selinux_initialized())
1080                 return 0;
1081
1082         if (sbsec->flags & FSCONTEXT_MNT) {
1083                 seq_putc(m, ',');
1084                 seq_puts(m, FSCONTEXT_STR);
1085                 rc = show_sid(m, sbsec->sid);
1086                 if (rc)
1087                         return rc;
1088         }
1089         if (sbsec->flags & CONTEXT_MNT) {
1090                 seq_putc(m, ',');
1091                 seq_puts(m, CONTEXT_STR);
1092                 rc = show_sid(m, sbsec->mntpoint_sid);
1093                 if (rc)
1094                         return rc;
1095         }
1096         if (sbsec->flags & DEFCONTEXT_MNT) {
1097                 seq_putc(m, ',');
1098                 seq_puts(m, DEFCONTEXT_STR);
1099                 rc = show_sid(m, sbsec->def_sid);
1100                 if (rc)
1101                         return rc;
1102         }
1103         if (sbsec->flags & ROOTCONTEXT_MNT) {
1104                 struct dentry *root = sb->s_root;
1105                 struct inode_security_struct *isec = backing_inode_security(root);
1106                 seq_putc(m, ',');
1107                 seq_puts(m, ROOTCONTEXT_STR);
1108                 rc = show_sid(m, isec->sid);
1109                 if (rc)
1110                         return rc;
1111         }
1112         if (sbsec->flags & SBLABEL_MNT) {
1113                 seq_putc(m, ',');
1114                 seq_puts(m, SECLABEL_STR);
1115         }
1116         return 0;
1117 }
1118
1119 static inline u16 inode_mode_to_security_class(umode_t mode)
1120 {
1121         switch (mode & S_IFMT) {
1122         case S_IFSOCK:
1123                 return SECCLASS_SOCK_FILE;
1124         case S_IFLNK:
1125                 return SECCLASS_LNK_FILE;
1126         case S_IFREG:
1127                 return SECCLASS_FILE;
1128         case S_IFBLK:
1129                 return SECCLASS_BLK_FILE;
1130         case S_IFDIR:
1131                 return SECCLASS_DIR;
1132         case S_IFCHR:
1133                 return SECCLASS_CHR_FILE;
1134         case S_IFIFO:
1135                 return SECCLASS_FIFO_FILE;
1136
1137         }
1138
1139         return SECCLASS_FILE;
1140 }
1141
1142 static inline int default_protocol_stream(int protocol)
1143 {
1144         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1145                 protocol == IPPROTO_MPTCP);
1146 }
1147
1148 static inline int default_protocol_dgram(int protocol)
1149 {
1150         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1151 }
1152
1153 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1154 {
1155         bool extsockclass = selinux_policycap_extsockclass();
1156
1157         switch (family) {
1158         case PF_UNIX:
1159                 switch (type) {
1160                 case SOCK_STREAM:
1161                 case SOCK_SEQPACKET:
1162                         return SECCLASS_UNIX_STREAM_SOCKET;
1163                 case SOCK_DGRAM:
1164                 case SOCK_RAW:
1165                         return SECCLASS_UNIX_DGRAM_SOCKET;
1166                 }
1167                 break;
1168         case PF_INET:
1169         case PF_INET6:
1170                 switch (type) {
1171                 case SOCK_STREAM:
1172                 case SOCK_SEQPACKET:
1173                         if (default_protocol_stream(protocol))
1174                                 return SECCLASS_TCP_SOCKET;
1175                         else if (extsockclass && protocol == IPPROTO_SCTP)
1176                                 return SECCLASS_SCTP_SOCKET;
1177                         else
1178                                 return SECCLASS_RAWIP_SOCKET;
1179                 case SOCK_DGRAM:
1180                         if (default_protocol_dgram(protocol))
1181                                 return SECCLASS_UDP_SOCKET;
1182                         else if (extsockclass && (protocol == IPPROTO_ICMP ||
1183                                                   protocol == IPPROTO_ICMPV6))
1184                                 return SECCLASS_ICMP_SOCKET;
1185                         else
1186                                 return SECCLASS_RAWIP_SOCKET;
1187                 case SOCK_DCCP:
1188                         return SECCLASS_DCCP_SOCKET;
1189                 default:
1190                         return SECCLASS_RAWIP_SOCKET;
1191                 }
1192                 break;
1193         case PF_NETLINK:
1194                 switch (protocol) {
1195                 case NETLINK_ROUTE:
1196                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1197                 case NETLINK_SOCK_DIAG:
1198                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1199                 case NETLINK_NFLOG:
1200                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1201                 case NETLINK_XFRM:
1202                         return SECCLASS_NETLINK_XFRM_SOCKET;
1203                 case NETLINK_SELINUX:
1204                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1205                 case NETLINK_ISCSI:
1206                         return SECCLASS_NETLINK_ISCSI_SOCKET;
1207                 case NETLINK_AUDIT:
1208                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1209                 case NETLINK_FIB_LOOKUP:
1210                         return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1211                 case NETLINK_CONNECTOR:
1212                         return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1213                 case NETLINK_NETFILTER:
1214                         return SECCLASS_NETLINK_NETFILTER_SOCKET;
1215                 case NETLINK_DNRTMSG:
1216                         return SECCLASS_NETLINK_DNRT_SOCKET;
1217                 case NETLINK_KOBJECT_UEVENT:
1218                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1219                 case NETLINK_GENERIC:
1220                         return SECCLASS_NETLINK_GENERIC_SOCKET;
1221                 case NETLINK_SCSITRANSPORT:
1222                         return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1223                 case NETLINK_RDMA:
1224                         return SECCLASS_NETLINK_RDMA_SOCKET;
1225                 case NETLINK_CRYPTO:
1226                         return SECCLASS_NETLINK_CRYPTO_SOCKET;
1227                 default:
1228                         return SECCLASS_NETLINK_SOCKET;
1229                 }
1230         case PF_PACKET:
1231                 return SECCLASS_PACKET_SOCKET;
1232         case PF_KEY:
1233                 return SECCLASS_KEY_SOCKET;
1234         case PF_APPLETALK:
1235                 return SECCLASS_APPLETALK_SOCKET;
1236         }
1237
1238         if (extsockclass) {
1239                 switch (family) {
1240                 case PF_AX25:
1241                         return SECCLASS_AX25_SOCKET;
1242                 case PF_IPX:
1243                         return SECCLASS_IPX_SOCKET;
1244                 case PF_NETROM:
1245                         return SECCLASS_NETROM_SOCKET;
1246                 case PF_ATMPVC:
1247                         return SECCLASS_ATMPVC_SOCKET;
1248                 case PF_X25:
1249                         return SECCLASS_X25_SOCKET;
1250                 case PF_ROSE:
1251                         return SECCLASS_ROSE_SOCKET;
1252                 case PF_DECnet:
1253                         return SECCLASS_DECNET_SOCKET;
1254                 case PF_ATMSVC:
1255                         return SECCLASS_ATMSVC_SOCKET;
1256                 case PF_RDS:
1257                         return SECCLASS_RDS_SOCKET;
1258                 case PF_IRDA:
1259                         return SECCLASS_IRDA_SOCKET;
1260                 case PF_PPPOX:
1261                         return SECCLASS_PPPOX_SOCKET;
1262                 case PF_LLC:
1263                         return SECCLASS_LLC_SOCKET;
1264                 case PF_CAN:
1265                         return SECCLASS_CAN_SOCKET;
1266                 case PF_TIPC:
1267                         return SECCLASS_TIPC_SOCKET;
1268                 case PF_BLUETOOTH:
1269                         return SECCLASS_BLUETOOTH_SOCKET;
1270                 case PF_IUCV:
1271                         return SECCLASS_IUCV_SOCKET;
1272                 case PF_RXRPC:
1273                         return SECCLASS_RXRPC_SOCKET;
1274                 case PF_ISDN:
1275                         return SECCLASS_ISDN_SOCKET;
1276                 case PF_PHONET:
1277                         return SECCLASS_PHONET_SOCKET;
1278                 case PF_IEEE802154:
1279                         return SECCLASS_IEEE802154_SOCKET;
1280                 case PF_CAIF:
1281                         return SECCLASS_CAIF_SOCKET;
1282                 case PF_ALG:
1283                         return SECCLASS_ALG_SOCKET;
1284                 case PF_NFC:
1285                         return SECCLASS_NFC_SOCKET;
1286                 case PF_VSOCK:
1287                         return SECCLASS_VSOCK_SOCKET;
1288                 case PF_KCM:
1289                         return SECCLASS_KCM_SOCKET;
1290                 case PF_QIPCRTR:
1291                         return SECCLASS_QIPCRTR_SOCKET;
1292                 case PF_SMC:
1293                         return SECCLASS_SMC_SOCKET;
1294                 case PF_XDP:
1295                         return SECCLASS_XDP_SOCKET;
1296                 case PF_MCTP:
1297                         return SECCLASS_MCTP_SOCKET;
1298 #if PF_MAX > 46
1299 #error New address family defined, please update this function.
1300 #endif
1301                 }
1302         }
1303
1304         return SECCLASS_SOCKET;
1305 }
1306
1307 static int selinux_genfs_get_sid(struct dentry *dentry,
1308                                  u16 tclass,
1309                                  u16 flags,
1310                                  u32 *sid)
1311 {
1312         int rc;
1313         struct super_block *sb = dentry->d_sb;
1314         char *buffer, *path;
1315
1316         buffer = (char *)__get_free_page(GFP_KERNEL);
1317         if (!buffer)
1318                 return -ENOMEM;
1319
1320         path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1321         if (IS_ERR(path))
1322                 rc = PTR_ERR(path);
1323         else {
1324                 if (flags & SE_SBPROC) {
1325                         /* each process gets a /proc/PID/ entry. Strip off the
1326                          * PID part to get a valid selinux labeling.
1327                          * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1328                         while (path[1] >= '0' && path[1] <= '9') {
1329                                 path[1] = '/';
1330                                 path++;
1331                         }
1332                 }
1333                 rc = security_genfs_sid(sb->s_type->name,
1334                                         path, tclass, sid);
1335                 if (rc == -ENOENT) {
1336                         /* No match in policy, mark as unlabeled. */
1337                         *sid = SECINITSID_UNLABELED;
1338                         rc = 0;
1339                 }
1340         }
1341         free_page((unsigned long)buffer);
1342         return rc;
1343 }
1344
1345 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1346                                   u32 def_sid, u32 *sid)
1347 {
1348 #define INITCONTEXTLEN 255
1349         char *context;
1350         unsigned int len;
1351         int rc;
1352
1353         len = INITCONTEXTLEN;
1354         context = kmalloc(len + 1, GFP_NOFS);
1355         if (!context)
1356                 return -ENOMEM;
1357
1358         context[len] = '\0';
1359         rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1360         if (rc == -ERANGE) {
1361                 kfree(context);
1362
1363                 /* Need a larger buffer.  Query for the right size. */
1364                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1365                 if (rc < 0)
1366                         return rc;
1367
1368                 len = rc;
1369                 context = kmalloc(len + 1, GFP_NOFS);
1370                 if (!context)
1371                         return -ENOMEM;
1372
1373                 context[len] = '\0';
1374                 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1375                                     context, len);
1376         }
1377         if (rc < 0) {
1378                 kfree(context);
1379                 if (rc != -ENODATA) {
1380                         pr_warn("SELinux: %s:  getxattr returned %d for dev=%s ino=%ld\n",
1381                                 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1382                         return rc;
1383                 }
1384                 *sid = def_sid;
1385                 return 0;
1386         }
1387
1388         rc = security_context_to_sid_default(context, rc, sid,
1389                                              def_sid, GFP_NOFS);
1390         if (rc) {
1391                 char *dev = inode->i_sb->s_id;
1392                 unsigned long ino = inode->i_ino;
1393
1394                 if (rc == -EINVAL) {
1395                         pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s.  This indicates you may need to relabel the inode or the filesystem in question.\n",
1396                                               ino, dev, context);
1397                 } else {
1398                         pr_warn("SELinux: %s:  context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1399                                 __func__, context, -rc, dev, ino);
1400                 }
1401         }
1402         kfree(context);
1403         return 0;
1404 }
1405
1406 /* The inode's security attributes must be initialized before first use. */
1407 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1408 {
1409         struct superblock_security_struct *sbsec = NULL;
1410         struct inode_security_struct *isec = selinux_inode(inode);
1411         u32 task_sid, sid = 0;
1412         u16 sclass;
1413         struct dentry *dentry;
1414         int rc = 0;
1415
1416         if (isec->initialized == LABEL_INITIALIZED)
1417                 return 0;
1418
1419         spin_lock(&isec->lock);
1420         if (isec->initialized == LABEL_INITIALIZED)
1421                 goto out_unlock;
1422
1423         if (isec->sclass == SECCLASS_FILE)
1424                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1425
1426         sbsec = selinux_superblock(inode->i_sb);
1427         if (!(sbsec->flags & SE_SBINITIALIZED)) {
1428                 /* Defer initialization until selinux_complete_init,
1429                    after the initial policy is loaded and the security
1430                    server is ready to handle calls. */
1431                 spin_lock(&sbsec->isec_lock);
1432                 if (list_empty(&isec->list))
1433                         list_add(&isec->list, &sbsec->isec_head);
1434                 spin_unlock(&sbsec->isec_lock);
1435                 goto out_unlock;
1436         }
1437
1438         sclass = isec->sclass;
1439         task_sid = isec->task_sid;
1440         sid = isec->sid;
1441         isec->initialized = LABEL_PENDING;
1442         spin_unlock(&isec->lock);
1443
1444         switch (sbsec->behavior) {
1445         /*
1446          * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1447          * via xattr when called from delayed_superblock_init().
1448          */
1449         case SECURITY_FS_USE_NATIVE:
1450         case SECURITY_FS_USE_XATTR:
1451                 if (!(inode->i_opflags & IOP_XATTR)) {
1452                         sid = sbsec->def_sid;
1453                         break;
1454                 }
1455                 /* Need a dentry, since the xattr API requires one.
1456                    Life would be simpler if we could just pass the inode. */
1457                 if (opt_dentry) {
1458                         /* Called from d_instantiate or d_splice_alias. */
1459                         dentry = dget(opt_dentry);
1460                 } else {
1461                         /*
1462                          * Called from selinux_complete_init, try to find a dentry.
1463                          * Some filesystems really want a connected one, so try
1464                          * that first.  We could split SECURITY_FS_USE_XATTR in
1465                          * two, depending upon that...
1466                          */
1467                         dentry = d_find_alias(inode);
1468                         if (!dentry)
1469                                 dentry = d_find_any_alias(inode);
1470                 }
1471                 if (!dentry) {
1472                         /*
1473                          * this is can be hit on boot when a file is accessed
1474                          * before the policy is loaded.  When we load policy we
1475                          * may find inodes that have no dentry on the
1476                          * sbsec->isec_head list.  No reason to complain as these
1477                          * will get fixed up the next time we go through
1478                          * inode_doinit with a dentry, before these inodes could
1479                          * be used again by userspace.
1480                          */
1481                         goto out_invalid;
1482                 }
1483
1484                 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1485                                             &sid);
1486                 dput(dentry);
1487                 if (rc)
1488                         goto out;
1489                 break;
1490         case SECURITY_FS_USE_TASK:
1491                 sid = task_sid;
1492                 break;
1493         case SECURITY_FS_USE_TRANS:
1494                 /* Default to the fs SID. */
1495                 sid = sbsec->sid;
1496
1497                 /* Try to obtain a transition SID. */
1498                 rc = security_transition_sid(task_sid, sid,
1499                                              sclass, NULL, &sid);
1500                 if (rc)
1501                         goto out;
1502                 break;
1503         case SECURITY_FS_USE_MNTPOINT:
1504                 sid = sbsec->mntpoint_sid;
1505                 break;
1506         default:
1507                 /* Default to the fs superblock SID. */
1508                 sid = sbsec->sid;
1509
1510                 if ((sbsec->flags & SE_SBGENFS) &&
1511                      (!S_ISLNK(inode->i_mode) ||
1512                       selinux_policycap_genfs_seclabel_symlinks())) {
1513                         /* We must have a dentry to determine the label on
1514                          * procfs inodes */
1515                         if (opt_dentry) {
1516                                 /* Called from d_instantiate or
1517                                  * d_splice_alias. */
1518                                 dentry = dget(opt_dentry);
1519                         } else {
1520                                 /* Called from selinux_complete_init, try to
1521                                  * find a dentry.  Some filesystems really want
1522                                  * a connected one, so try that first.
1523                                  */
1524                                 dentry = d_find_alias(inode);
1525                                 if (!dentry)
1526                                         dentry = d_find_any_alias(inode);
1527                         }
1528                         /*
1529                          * This can be hit on boot when a file is accessed
1530                          * before the policy is loaded.  When we load policy we
1531                          * may find inodes that have no dentry on the
1532                          * sbsec->isec_head list.  No reason to complain as
1533                          * these will get fixed up the next time we go through
1534                          * inode_doinit() with a dentry, before these inodes
1535                          * could be used again by userspace.
1536                          */
1537                         if (!dentry)
1538                                 goto out_invalid;
1539                         rc = selinux_genfs_get_sid(dentry, sclass,
1540                                                    sbsec->flags, &sid);
1541                         if (rc) {
1542                                 dput(dentry);
1543                                 goto out;
1544                         }
1545
1546                         if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1547                             (inode->i_opflags & IOP_XATTR)) {
1548                                 rc = inode_doinit_use_xattr(inode, dentry,
1549                                                             sid, &sid);
1550                                 if (rc) {
1551                                         dput(dentry);
1552                                         goto out;
1553                                 }
1554                         }
1555                         dput(dentry);
1556                 }
1557                 break;
1558         }
1559
1560 out:
1561         spin_lock(&isec->lock);
1562         if (isec->initialized == LABEL_PENDING) {
1563                 if (rc) {
1564                         isec->initialized = LABEL_INVALID;
1565                         goto out_unlock;
1566                 }
1567                 isec->initialized = LABEL_INITIALIZED;
1568                 isec->sid = sid;
1569         }
1570
1571 out_unlock:
1572         spin_unlock(&isec->lock);
1573         return rc;
1574
1575 out_invalid:
1576         spin_lock(&isec->lock);
1577         if (isec->initialized == LABEL_PENDING) {
1578                 isec->initialized = LABEL_INVALID;
1579                 isec->sid = sid;
1580         }
1581         spin_unlock(&isec->lock);
1582         return 0;
1583 }
1584
1585 /* Convert a Linux signal to an access vector. */
1586 static inline u32 signal_to_av(int sig)
1587 {
1588         u32 perm = 0;
1589
1590         switch (sig) {
1591         case SIGCHLD:
1592                 /* Commonly granted from child to parent. */
1593                 perm = PROCESS__SIGCHLD;
1594                 break;
1595         case SIGKILL:
1596                 /* Cannot be caught or ignored */
1597                 perm = PROCESS__SIGKILL;
1598                 break;
1599         case SIGSTOP:
1600                 /* Cannot be caught or ignored */
1601                 perm = PROCESS__SIGSTOP;
1602                 break;
1603         default:
1604                 /* All other signals. */
1605                 perm = PROCESS__SIGNAL;
1606                 break;
1607         }
1608
1609         return perm;
1610 }
1611
1612 #if CAP_LAST_CAP > 63
1613 #error Fix SELinux to handle capabilities > 63.
1614 #endif
1615
1616 /* Check whether a task is allowed to use a capability. */
1617 static int cred_has_capability(const struct cred *cred,
1618                                int cap, unsigned int opts, bool initns)
1619 {
1620         struct common_audit_data ad;
1621         struct av_decision avd;
1622         u16 sclass;
1623         u32 sid = cred_sid(cred);
1624         u32 av = CAP_TO_MASK(cap);
1625         int rc;
1626
1627         ad.type = LSM_AUDIT_DATA_CAP;
1628         ad.u.cap = cap;
1629
1630         switch (CAP_TO_INDEX(cap)) {
1631         case 0:
1632                 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1633                 break;
1634         case 1:
1635                 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1636                 break;
1637         default:
1638                 pr_err("SELinux:  out of range capability %d\n", cap);
1639                 BUG();
1640                 return -EINVAL;
1641         }
1642
1643         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1644         if (!(opts & CAP_OPT_NOAUDIT)) {
1645                 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1646                 if (rc2)
1647                         return rc2;
1648         }
1649         return rc;
1650 }
1651
1652 /* Check whether a task has a particular permission to an inode.
1653    The 'adp' parameter is optional and allows other audit
1654    data to be passed (e.g. the dentry). */
1655 static int inode_has_perm(const struct cred *cred,
1656                           struct inode *inode,
1657                           u32 perms,
1658                           struct common_audit_data *adp)
1659 {
1660         struct inode_security_struct *isec;
1661         u32 sid;
1662
1663         if (unlikely(IS_PRIVATE(inode)))
1664                 return 0;
1665
1666         sid = cred_sid(cred);
1667         isec = selinux_inode(inode);
1668
1669         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1670 }
1671
1672 /* Same as inode_has_perm, but pass explicit audit data containing
1673    the dentry to help the auditing code to more easily generate the
1674    pathname if needed. */
1675 static inline int dentry_has_perm(const struct cred *cred,
1676                                   struct dentry *dentry,
1677                                   u32 av)
1678 {
1679         struct inode *inode = d_backing_inode(dentry);
1680         struct common_audit_data ad;
1681
1682         ad.type = LSM_AUDIT_DATA_DENTRY;
1683         ad.u.dentry = dentry;
1684         __inode_security_revalidate(inode, dentry, true);
1685         return inode_has_perm(cred, inode, av, &ad);
1686 }
1687
1688 /* Same as inode_has_perm, but pass explicit audit data containing
1689    the path to help the auditing code to more easily generate the
1690    pathname if needed. */
1691 static inline int path_has_perm(const struct cred *cred,
1692                                 const struct path *path,
1693                                 u32 av)
1694 {
1695         struct inode *inode = d_backing_inode(path->dentry);
1696         struct common_audit_data ad;
1697
1698         ad.type = LSM_AUDIT_DATA_PATH;
1699         ad.u.path = *path;
1700         __inode_security_revalidate(inode, path->dentry, true);
1701         return inode_has_perm(cred, inode, av, &ad);
1702 }
1703
1704 /* Same as path_has_perm, but uses the inode from the file struct. */
1705 static inline int file_path_has_perm(const struct cred *cred,
1706                                      struct file *file,
1707                                      u32 av)
1708 {
1709         struct common_audit_data ad;
1710
1711         ad.type = LSM_AUDIT_DATA_FILE;
1712         ad.u.file = file;
1713         return inode_has_perm(cred, file_inode(file), av, &ad);
1714 }
1715
1716 #ifdef CONFIG_BPF_SYSCALL
1717 static int bpf_fd_pass(const struct file *file, u32 sid);
1718 #endif
1719
1720 /* Check whether a task can use an open file descriptor to
1721    access an inode in a given way.  Check access to the
1722    descriptor itself, and then use dentry_has_perm to
1723    check a particular permission to the file.
1724    Access to the descriptor is implicitly granted if it
1725    has the same SID as the process.  If av is zero, then
1726    access to the file is not checked, e.g. for cases
1727    where only the descriptor is affected like seek. */
1728 static int file_has_perm(const struct cred *cred,
1729                          struct file *file,
1730                          u32 av)
1731 {
1732         struct file_security_struct *fsec = selinux_file(file);
1733         struct inode *inode = file_inode(file);
1734         struct common_audit_data ad;
1735         u32 sid = cred_sid(cred);
1736         int rc;
1737
1738         ad.type = LSM_AUDIT_DATA_FILE;
1739         ad.u.file = file;
1740
1741         if (sid != fsec->sid) {
1742                 rc = avc_has_perm(sid, fsec->sid,
1743                                   SECCLASS_FD,
1744                                   FD__USE,
1745                                   &ad);
1746                 if (rc)
1747                         goto out;
1748         }
1749
1750 #ifdef CONFIG_BPF_SYSCALL
1751         rc = bpf_fd_pass(file, cred_sid(cred));
1752         if (rc)
1753                 return rc;
1754 #endif
1755
1756         /* av is zero if only checking access to the descriptor. */
1757         rc = 0;
1758         if (av)
1759                 rc = inode_has_perm(cred, inode, av, &ad);
1760
1761 out:
1762         return rc;
1763 }
1764
1765 /*
1766  * Determine the label for an inode that might be unioned.
1767  */
1768 static int
1769 selinux_determine_inode_label(const struct task_security_struct *tsec,
1770                                  struct inode *dir,
1771                                  const struct qstr *name, u16 tclass,
1772                                  u32 *_new_isid)
1773 {
1774         const struct superblock_security_struct *sbsec =
1775                                                 selinux_superblock(dir->i_sb);
1776
1777         if ((sbsec->flags & SE_SBINITIALIZED) &&
1778             (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1779                 *_new_isid = sbsec->mntpoint_sid;
1780         } else if ((sbsec->flags & SBLABEL_MNT) &&
1781                    tsec->create_sid) {
1782                 *_new_isid = tsec->create_sid;
1783         } else {
1784                 const struct inode_security_struct *dsec = inode_security(dir);
1785                 return security_transition_sid(tsec->sid,
1786                                                dsec->sid, tclass,
1787                                                name, _new_isid);
1788         }
1789
1790         return 0;
1791 }
1792
1793 /* Check whether a task can create a file. */
1794 static int may_create(struct inode *dir,
1795                       struct dentry *dentry,
1796                       u16 tclass)
1797 {
1798         const struct task_security_struct *tsec = selinux_cred(current_cred());
1799         struct inode_security_struct *dsec;
1800         struct superblock_security_struct *sbsec;
1801         u32 sid, newsid;
1802         struct common_audit_data ad;
1803         int rc;
1804
1805         dsec = inode_security(dir);
1806         sbsec = selinux_superblock(dir->i_sb);
1807
1808         sid = tsec->sid;
1809
1810         ad.type = LSM_AUDIT_DATA_DENTRY;
1811         ad.u.dentry = dentry;
1812
1813         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1814                           DIR__ADD_NAME | DIR__SEARCH,
1815                           &ad);
1816         if (rc)
1817                 return rc;
1818
1819         rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1820                                            &newsid);
1821         if (rc)
1822                 return rc;
1823
1824         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1825         if (rc)
1826                 return rc;
1827
1828         return avc_has_perm(newsid, sbsec->sid,
1829                             SECCLASS_FILESYSTEM,
1830                             FILESYSTEM__ASSOCIATE, &ad);
1831 }
1832
1833 #define MAY_LINK        0
1834 #define MAY_UNLINK      1
1835 #define MAY_RMDIR       2
1836
1837 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1838 static int may_link(struct inode *dir,
1839                     struct dentry *dentry,
1840                     int kind)
1841
1842 {
1843         struct inode_security_struct *dsec, *isec;
1844         struct common_audit_data ad;
1845         u32 sid = current_sid();
1846         u32 av;
1847         int rc;
1848
1849         dsec = inode_security(dir);
1850         isec = backing_inode_security(dentry);
1851
1852         ad.type = LSM_AUDIT_DATA_DENTRY;
1853         ad.u.dentry = dentry;
1854
1855         av = DIR__SEARCH;
1856         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1857         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1858         if (rc)
1859                 return rc;
1860
1861         switch (kind) {
1862         case MAY_LINK:
1863                 av = FILE__LINK;
1864                 break;
1865         case MAY_UNLINK:
1866                 av = FILE__UNLINK;
1867                 break;
1868         case MAY_RMDIR:
1869                 av = DIR__RMDIR;
1870                 break;
1871         default:
1872                 pr_warn("SELinux: %s:  unrecognized kind %d\n",
1873                         __func__, kind);
1874                 return 0;
1875         }
1876
1877         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1878         return rc;
1879 }
1880
1881 static inline int may_rename(struct inode *old_dir,
1882                              struct dentry *old_dentry,
1883                              struct inode *new_dir,
1884                              struct dentry *new_dentry)
1885 {
1886         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1887         struct common_audit_data ad;
1888         u32 sid = current_sid();
1889         u32 av;
1890         int old_is_dir, new_is_dir;
1891         int rc;
1892
1893         old_dsec = inode_security(old_dir);
1894         old_isec = backing_inode_security(old_dentry);
1895         old_is_dir = d_is_dir(old_dentry);
1896         new_dsec = inode_security(new_dir);
1897
1898         ad.type = LSM_AUDIT_DATA_DENTRY;
1899
1900         ad.u.dentry = old_dentry;
1901         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1902                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1903         if (rc)
1904                 return rc;
1905         rc = avc_has_perm(sid, old_isec->sid,
1906                           old_isec->sclass, FILE__RENAME, &ad);
1907         if (rc)
1908                 return rc;
1909         if (old_is_dir && new_dir != old_dir) {
1910                 rc = avc_has_perm(sid, old_isec->sid,
1911                                   old_isec->sclass, DIR__REPARENT, &ad);
1912                 if (rc)
1913                         return rc;
1914         }
1915
1916         ad.u.dentry = new_dentry;
1917         av = DIR__ADD_NAME | DIR__SEARCH;
1918         if (d_is_positive(new_dentry))
1919                 av |= DIR__REMOVE_NAME;
1920         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1921         if (rc)
1922                 return rc;
1923         if (d_is_positive(new_dentry)) {
1924                 new_isec = backing_inode_security(new_dentry);
1925                 new_is_dir = d_is_dir(new_dentry);
1926                 rc = avc_has_perm(sid, new_isec->sid,
1927                                   new_isec->sclass,
1928                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1929                 if (rc)
1930                         return rc;
1931         }
1932
1933         return 0;
1934 }
1935
1936 /* Check whether a task can perform a filesystem operation. */
1937 static int superblock_has_perm(const struct cred *cred,
1938                                struct super_block *sb,
1939                                u32 perms,
1940                                struct common_audit_data *ad)
1941 {
1942         struct superblock_security_struct *sbsec;
1943         u32 sid = cred_sid(cred);
1944
1945         sbsec = selinux_superblock(sb);
1946         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1947 }
1948
1949 /* Convert a Linux mode and permission mask to an access vector. */
1950 static inline u32 file_mask_to_av(int mode, int mask)
1951 {
1952         u32 av = 0;
1953
1954         if (!S_ISDIR(mode)) {
1955                 if (mask & MAY_EXEC)
1956                         av |= FILE__EXECUTE;
1957                 if (mask & MAY_READ)
1958                         av |= FILE__READ;
1959
1960                 if (mask & MAY_APPEND)
1961                         av |= FILE__APPEND;
1962                 else if (mask & MAY_WRITE)
1963                         av |= FILE__WRITE;
1964
1965         } else {
1966                 if (mask & MAY_EXEC)
1967                         av |= DIR__SEARCH;
1968                 if (mask & MAY_WRITE)
1969                         av |= DIR__WRITE;
1970                 if (mask & MAY_READ)
1971                         av |= DIR__READ;
1972         }
1973
1974         return av;
1975 }
1976
1977 /* Convert a Linux file to an access vector. */
1978 static inline u32 file_to_av(const struct file *file)
1979 {
1980         u32 av = 0;
1981
1982         if (file->f_mode & FMODE_READ)
1983                 av |= FILE__READ;
1984         if (file->f_mode & FMODE_WRITE) {
1985                 if (file->f_flags & O_APPEND)
1986                         av |= FILE__APPEND;
1987                 else
1988                         av |= FILE__WRITE;
1989         }
1990         if (!av) {
1991                 /*
1992                  * Special file opened with flags 3 for ioctl-only use.
1993                  */
1994                 av = FILE__IOCTL;
1995         }
1996
1997         return av;
1998 }
1999
2000 /*
2001  * Convert a file to an access vector and include the correct
2002  * open permission.
2003  */
2004 static inline u32 open_file_to_av(struct file *file)
2005 {
2006         u32 av = file_to_av(file);
2007         struct inode *inode = file_inode(file);
2008
2009         if (selinux_policycap_openperm() &&
2010             inode->i_sb->s_magic != SOCKFS_MAGIC)
2011                 av |= FILE__OPEN;
2012
2013         return av;
2014 }
2015
2016 /* Hook functions begin here. */
2017
2018 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2019 {
2020         return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2021                             BINDER__SET_CONTEXT_MGR, NULL);
2022 }
2023
2024 static int selinux_binder_transaction(const struct cred *from,
2025                                       const struct cred *to)
2026 {
2027         u32 mysid = current_sid();
2028         u32 fromsid = cred_sid(from);
2029         u32 tosid = cred_sid(to);
2030         int rc;
2031
2032         if (mysid != fromsid) {
2033                 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2034                                   BINDER__IMPERSONATE, NULL);
2035                 if (rc)
2036                         return rc;
2037         }
2038
2039         return avc_has_perm(fromsid, tosid,
2040                             SECCLASS_BINDER, BINDER__CALL, NULL);
2041 }
2042
2043 static int selinux_binder_transfer_binder(const struct cred *from,
2044                                           const struct cred *to)
2045 {
2046         return avc_has_perm(cred_sid(from), cred_sid(to),
2047                             SECCLASS_BINDER, BINDER__TRANSFER,
2048                             NULL);
2049 }
2050
2051 static int selinux_binder_transfer_file(const struct cred *from,
2052                                         const struct cred *to,
2053                                         const struct file *file)
2054 {
2055         u32 sid = cred_sid(to);
2056         struct file_security_struct *fsec = selinux_file(file);
2057         struct dentry *dentry = file->f_path.dentry;
2058         struct inode_security_struct *isec;
2059         struct common_audit_data ad;
2060         int rc;
2061
2062         ad.type = LSM_AUDIT_DATA_PATH;
2063         ad.u.path = file->f_path;
2064
2065         if (sid != fsec->sid) {
2066                 rc = avc_has_perm(sid, fsec->sid,
2067                                   SECCLASS_FD,
2068                                   FD__USE,
2069                                   &ad);
2070                 if (rc)
2071                         return rc;
2072         }
2073
2074 #ifdef CONFIG_BPF_SYSCALL
2075         rc = bpf_fd_pass(file, sid);
2076         if (rc)
2077                 return rc;
2078 #endif
2079
2080         if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2081                 return 0;
2082
2083         isec = backing_inode_security(dentry);
2084         return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2085                             &ad);
2086 }
2087
2088 static int selinux_ptrace_access_check(struct task_struct *child,
2089                                        unsigned int mode)
2090 {
2091         u32 sid = current_sid();
2092         u32 csid = task_sid_obj(child);
2093
2094         if (mode & PTRACE_MODE_READ)
2095                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2096                                 NULL);
2097
2098         return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2099                         NULL);
2100 }
2101
2102 static int selinux_ptrace_traceme(struct task_struct *parent)
2103 {
2104         return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2105                             SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2106 }
2107
2108 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2109                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
2110 {
2111         return avc_has_perm(current_sid(), task_sid_obj(target),
2112                         SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2113 }
2114
2115 static int selinux_capset(struct cred *new, const struct cred *old,
2116                           const kernel_cap_t *effective,
2117                           const kernel_cap_t *inheritable,
2118                           const kernel_cap_t *permitted)
2119 {
2120         return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2121                             PROCESS__SETCAP, NULL);
2122 }
2123
2124 /*
2125  * (This comment used to live with the selinux_task_setuid hook,
2126  * which was removed).
2127  *
2128  * Since setuid only affects the current process, and since the SELinux
2129  * controls are not based on the Linux identity attributes, SELinux does not
2130  * need to control this operation.  However, SELinux does control the use of
2131  * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2132  */
2133
2134 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2135                            int cap, unsigned int opts)
2136 {
2137         return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2138 }
2139
2140 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2141 {
2142         const struct cred *cred = current_cred();
2143         int rc = 0;
2144
2145         if (!sb)
2146                 return 0;
2147
2148         switch (cmds) {
2149         case Q_SYNC:
2150         case Q_QUOTAON:
2151         case Q_QUOTAOFF:
2152         case Q_SETINFO:
2153         case Q_SETQUOTA:
2154         case Q_XQUOTAOFF:
2155         case Q_XQUOTAON:
2156         case Q_XSETQLIM:
2157                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2158                 break;
2159         case Q_GETFMT:
2160         case Q_GETINFO:
2161         case Q_GETQUOTA:
2162         case Q_XGETQUOTA:
2163         case Q_XGETQSTAT:
2164         case Q_XGETQSTATV:
2165         case Q_XGETNEXTQUOTA:
2166                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2167                 break;
2168         default:
2169                 rc = 0;  /* let the kernel handle invalid cmds */
2170                 break;
2171         }
2172         return rc;
2173 }
2174
2175 static int selinux_quota_on(struct dentry *dentry)
2176 {
2177         const struct cred *cred = current_cred();
2178
2179         return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2180 }
2181
2182 static int selinux_syslog(int type)
2183 {
2184         switch (type) {
2185         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
2186         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2187                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2188                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2189         case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2190         case SYSLOG_ACTION_CONSOLE_ON:  /* Enable logging to console */
2191         /* Set level of messages printed to console */
2192         case SYSLOG_ACTION_CONSOLE_LEVEL:
2193                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2194                                     SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2195                                     NULL);
2196         }
2197         /* All other syslog types */
2198         return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2199                             SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2200 }
2201
2202 /*
2203  * Check that a process has enough memory to allocate a new virtual
2204  * mapping. 0 means there is enough memory for the allocation to
2205  * succeed and -ENOMEM implies there is not.
2206  *
2207  * Do not audit the selinux permission check, as this is applied to all
2208  * processes that allocate mappings.
2209  */
2210 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2211 {
2212         int rc, cap_sys_admin = 0;
2213
2214         rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2215                                  CAP_OPT_NOAUDIT, true);
2216         if (rc == 0)
2217                 cap_sys_admin = 1;
2218
2219         return cap_sys_admin;
2220 }
2221
2222 /* binprm security operations */
2223
2224 static u32 ptrace_parent_sid(void)
2225 {
2226         u32 sid = 0;
2227         struct task_struct *tracer;
2228
2229         rcu_read_lock();
2230         tracer = ptrace_parent(current);
2231         if (tracer)
2232                 sid = task_sid_obj(tracer);
2233         rcu_read_unlock();
2234
2235         return sid;
2236 }
2237
2238 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2239                             const struct task_security_struct *old_tsec,
2240                             const struct task_security_struct *new_tsec)
2241 {
2242         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2243         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2244         int rc;
2245         u32 av;
2246
2247         if (!nnp && !nosuid)
2248                 return 0; /* neither NNP nor nosuid */
2249
2250         if (new_tsec->sid == old_tsec->sid)
2251                 return 0; /* No change in credentials */
2252
2253         /*
2254          * If the policy enables the nnp_nosuid_transition policy capability,
2255          * then we permit transitions under NNP or nosuid if the
2256          * policy allows the corresponding permission between
2257          * the old and new contexts.
2258          */
2259         if (selinux_policycap_nnp_nosuid_transition()) {
2260                 av = 0;
2261                 if (nnp)
2262                         av |= PROCESS2__NNP_TRANSITION;
2263                 if (nosuid)
2264                         av |= PROCESS2__NOSUID_TRANSITION;
2265                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2266                                   SECCLASS_PROCESS2, av, NULL);
2267                 if (!rc)
2268                         return 0;
2269         }
2270
2271         /*
2272          * We also permit NNP or nosuid transitions to bounded SIDs,
2273          * i.e. SIDs that are guaranteed to only be allowed a subset
2274          * of the permissions of the current SID.
2275          */
2276         rc = security_bounded_transition(old_tsec->sid,
2277                                          new_tsec->sid);
2278         if (!rc)
2279                 return 0;
2280
2281         /*
2282          * On failure, preserve the errno values for NNP vs nosuid.
2283          * NNP:  Operation not permitted for caller.
2284          * nosuid:  Permission denied to file.
2285          */
2286         if (nnp)
2287                 return -EPERM;
2288         return -EACCES;
2289 }
2290
2291 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2292 {
2293         const struct task_security_struct *old_tsec;
2294         struct task_security_struct *new_tsec;
2295         struct inode_security_struct *isec;
2296         struct common_audit_data ad;
2297         struct inode *inode = file_inode(bprm->file);
2298         int rc;
2299
2300         /* SELinux context only depends on initial program or script and not
2301          * the script interpreter */
2302
2303         old_tsec = selinux_cred(current_cred());
2304         new_tsec = selinux_cred(bprm->cred);
2305         isec = inode_security(inode);
2306
2307         /* Default to the current task SID. */
2308         new_tsec->sid = old_tsec->sid;
2309         new_tsec->osid = old_tsec->sid;
2310
2311         /* Reset fs, key, and sock SIDs on execve. */
2312         new_tsec->create_sid = 0;
2313         new_tsec->keycreate_sid = 0;
2314         new_tsec->sockcreate_sid = 0;
2315
2316         if (old_tsec->exec_sid) {
2317                 new_tsec->sid = old_tsec->exec_sid;
2318                 /* Reset exec SID on execve. */
2319                 new_tsec->exec_sid = 0;
2320
2321                 /* Fail on NNP or nosuid if not an allowed transition. */
2322                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2323                 if (rc)
2324                         return rc;
2325         } else {
2326                 /* Check for a default transition on this program. */
2327                 rc = security_transition_sid(old_tsec->sid,
2328                                              isec->sid, SECCLASS_PROCESS, NULL,
2329                                              &new_tsec->sid);
2330                 if (rc)
2331                         return rc;
2332
2333                 /*
2334                  * Fallback to old SID on NNP or nosuid if not an allowed
2335                  * transition.
2336                  */
2337                 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2338                 if (rc)
2339                         new_tsec->sid = old_tsec->sid;
2340         }
2341
2342         ad.type = LSM_AUDIT_DATA_FILE;
2343         ad.u.file = bprm->file;
2344
2345         if (new_tsec->sid == old_tsec->sid) {
2346                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2347                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2348                 if (rc)
2349                         return rc;
2350         } else {
2351                 /* Check permissions for the transition. */
2352                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2353                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2354                 if (rc)
2355                         return rc;
2356
2357                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2358                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2359                 if (rc)
2360                         return rc;
2361
2362                 /* Check for shared state */
2363                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2364                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2365                                           SECCLASS_PROCESS, PROCESS__SHARE,
2366                                           NULL);
2367                         if (rc)
2368                                 return -EPERM;
2369                 }
2370
2371                 /* Make sure that anyone attempting to ptrace over a task that
2372                  * changes its SID has the appropriate permit */
2373                 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2374                         u32 ptsid = ptrace_parent_sid();
2375                         if (ptsid != 0) {
2376                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2377                                                   SECCLASS_PROCESS,
2378                                                   PROCESS__PTRACE, NULL);
2379                                 if (rc)
2380                                         return -EPERM;
2381                         }
2382                 }
2383
2384                 /* Clear any possibly unsafe personality bits on exec: */
2385                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2386
2387                 /* Enable secure mode for SIDs transitions unless
2388                    the noatsecure permission is granted between
2389                    the two SIDs, i.e. ahp returns 0. */
2390                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2391                                   SECCLASS_PROCESS, PROCESS__NOATSECURE,
2392                                   NULL);
2393                 bprm->secureexec |= !!rc;
2394         }
2395
2396         return 0;
2397 }
2398
2399 static int match_file(const void *p, struct file *file, unsigned fd)
2400 {
2401         return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2402 }
2403
2404 /* Derived from fs/exec.c:flush_old_files. */
2405 static inline void flush_unauthorized_files(const struct cred *cred,
2406                                             struct files_struct *files)
2407 {
2408         struct file *file, *devnull = NULL;
2409         struct tty_struct *tty;
2410         int drop_tty = 0;
2411         unsigned n;
2412
2413         tty = get_current_tty();
2414         if (tty) {
2415                 spin_lock(&tty->files_lock);
2416                 if (!list_empty(&tty->tty_files)) {
2417                         struct tty_file_private *file_priv;
2418
2419                         /* Revalidate access to controlling tty.
2420                            Use file_path_has_perm on the tty path directly
2421                            rather than using file_has_perm, as this particular
2422                            open file may belong to another process and we are
2423                            only interested in the inode-based check here. */
2424                         file_priv = list_first_entry(&tty->tty_files,
2425                                                 struct tty_file_private, list);
2426                         file = file_priv->file;
2427                         if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2428                                 drop_tty = 1;
2429                 }
2430                 spin_unlock(&tty->files_lock);
2431                 tty_kref_put(tty);
2432         }
2433         /* Reset controlling tty. */
2434         if (drop_tty)
2435                 no_tty();
2436
2437         /* Revalidate access to inherited open files. */
2438         n = iterate_fd(files, 0, match_file, cred);
2439         if (!n) /* none found? */
2440                 return;
2441
2442         devnull = dentry_open(&selinux_null, O_RDWR, cred);
2443         if (IS_ERR(devnull))
2444                 devnull = NULL;
2445         /* replace all the matching ones with this */
2446         do {
2447                 replace_fd(n - 1, devnull, 0);
2448         } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2449         if (devnull)
2450                 fput(devnull);
2451 }
2452
2453 /*
2454  * Prepare a process for imminent new credential changes due to exec
2455  */
2456 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2457 {
2458         struct task_security_struct *new_tsec;
2459         struct rlimit *rlim, *initrlim;
2460         int rc, i;
2461
2462         new_tsec = selinux_cred(bprm->cred);
2463         if (new_tsec->sid == new_tsec->osid)
2464                 return;
2465
2466         /* Close files for which the new task SID is not authorized. */
2467         flush_unauthorized_files(bprm->cred, current->files);
2468
2469         /* Always clear parent death signal on SID transitions. */
2470         current->pdeath_signal = 0;
2471
2472         /* Check whether the new SID can inherit resource limits from the old
2473          * SID.  If not, reset all soft limits to the lower of the current
2474          * task's hard limit and the init task's soft limit.
2475          *
2476          * Note that the setting of hard limits (even to lower them) can be
2477          * controlled by the setrlimit check.  The inclusion of the init task's
2478          * soft limit into the computation is to avoid resetting soft limits
2479          * higher than the default soft limit for cases where the default is
2480          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2481          */
2482         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2483                           PROCESS__RLIMITINH, NULL);
2484         if (rc) {
2485                 /* protect against do_prlimit() */
2486                 task_lock(current);
2487                 for (i = 0; i < RLIM_NLIMITS; i++) {
2488                         rlim = current->signal->rlim + i;
2489                         initrlim = init_task.signal->rlim + i;
2490                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2491                 }
2492                 task_unlock(current);
2493                 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2494                         update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2495         }
2496 }
2497
2498 /*
2499  * Clean up the process immediately after the installation of new credentials
2500  * due to exec
2501  */
2502 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2503 {
2504         const struct task_security_struct *tsec = selinux_cred(current_cred());
2505         u32 osid, sid;
2506         int rc;
2507
2508         osid = tsec->osid;
2509         sid = tsec->sid;
2510
2511         if (sid == osid)
2512                 return;
2513
2514         /* Check whether the new SID can inherit signal state from the old SID.
2515          * If not, clear itimers to avoid subsequent signal generation and
2516          * flush and unblock signals.
2517          *
2518          * This must occur _after_ the task SID has been updated so that any
2519          * kill done after the flush will be checked against the new SID.
2520          */
2521         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2522         if (rc) {
2523                 clear_itimer();
2524
2525                 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2526                 if (!fatal_signal_pending(current)) {
2527                         flush_sigqueue(&current->pending);
2528                         flush_sigqueue(&current->signal->shared_pending);
2529                         flush_signal_handlers(current, 1);
2530                         sigemptyset(&current->blocked);
2531                         recalc_sigpending();
2532                 }
2533                 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2534         }
2535
2536         /* Wake up the parent if it is waiting so that it can recheck
2537          * wait permission to the new task SID. */
2538         read_lock(&tasklist_lock);
2539         __wake_up_parent(current, unrcu_pointer(current->real_parent));
2540         read_unlock(&tasklist_lock);
2541 }
2542
2543 /* superblock security operations */
2544
2545 static int selinux_sb_alloc_security(struct super_block *sb)
2546 {
2547         struct superblock_security_struct *sbsec = selinux_superblock(sb);
2548
2549         mutex_init(&sbsec->lock);
2550         INIT_LIST_HEAD(&sbsec->isec_head);
2551         spin_lock_init(&sbsec->isec_lock);
2552         sbsec->sid = SECINITSID_UNLABELED;
2553         sbsec->def_sid = SECINITSID_FILE;
2554         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2555
2556         return 0;
2557 }
2558
2559 static inline int opt_len(const char *s)
2560 {
2561         bool open_quote = false;
2562         int len;
2563         char c;
2564
2565         for (len = 0; (c = s[len]) != '\0'; len++) {
2566                 if (c == '"')
2567                         open_quote = !open_quote;
2568                 if (c == ',' && !open_quote)
2569                         break;
2570         }
2571         return len;
2572 }
2573
2574 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2575 {
2576         char *from = options;
2577         char *to = options;
2578         bool first = true;
2579         int rc;
2580
2581         while (1) {
2582                 int len = opt_len(from);
2583                 int token;
2584                 char *arg = NULL;
2585
2586                 token = match_opt_prefix(from, len, &arg);
2587
2588                 if (token != Opt_error) {
2589                         char *p, *q;
2590
2591                         /* strip quotes */
2592                         if (arg) {
2593                                 for (p = q = arg; p < from + len; p++) {
2594                                         char c = *p;
2595                                         if (c != '"')
2596                                                 *q++ = c;
2597                                 }
2598                                 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2599                                 if (!arg) {
2600                                         rc = -ENOMEM;
2601                                         goto free_opt;
2602                                 }
2603                         }
2604                         rc = selinux_add_opt(token, arg, mnt_opts);
2605                         kfree(arg);
2606                         arg = NULL;
2607                         if (unlikely(rc)) {
2608                                 goto free_opt;
2609                         }
2610                 } else {
2611                         if (!first) {   // copy with preceding comma
2612                                 from--;
2613                                 len++;
2614                         }
2615                         if (to != from)
2616                                 memmove(to, from, len);
2617                         to += len;
2618                         first = false;
2619                 }
2620                 if (!from[len])
2621                         break;
2622                 from += len + 1;
2623         }
2624         *to = '\0';
2625         return 0;
2626
2627 free_opt:
2628         if (*mnt_opts) {
2629                 selinux_free_mnt_opts(*mnt_opts);
2630                 *mnt_opts = NULL;
2631         }
2632         return rc;
2633 }
2634
2635 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2636 {
2637         struct selinux_mnt_opts *opts = mnt_opts;
2638         struct superblock_security_struct *sbsec = selinux_superblock(sb);
2639
2640         /*
2641          * Superblock not initialized (i.e. no options) - reject if any
2642          * options specified, otherwise accept.
2643          */
2644         if (!(sbsec->flags & SE_SBINITIALIZED))
2645                 return opts ? 1 : 0;
2646
2647         /*
2648          * Superblock initialized and no options specified - reject if
2649          * superblock has any options set, otherwise accept.
2650          */
2651         if (!opts)
2652                 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2653
2654         if (opts->fscontext_sid) {
2655                 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2656                                opts->fscontext_sid))
2657                         return 1;
2658         }
2659         if (opts->context_sid) {
2660                 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2661                                opts->context_sid))
2662                         return 1;
2663         }
2664         if (opts->rootcontext_sid) {
2665                 struct inode_security_struct *root_isec;
2666
2667                 root_isec = backing_inode_security(sb->s_root);
2668                 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2669                                opts->rootcontext_sid))
2670                         return 1;
2671         }
2672         if (opts->defcontext_sid) {
2673                 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2674                                opts->defcontext_sid))
2675                         return 1;
2676         }
2677         return 0;
2678 }
2679
2680 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2681 {
2682         struct selinux_mnt_opts *opts = mnt_opts;
2683         struct superblock_security_struct *sbsec = selinux_superblock(sb);
2684
2685         if (!(sbsec->flags & SE_SBINITIALIZED))
2686                 return 0;
2687
2688         if (!opts)
2689                 return 0;
2690
2691         if (opts->fscontext_sid) {
2692                 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2693                                opts->fscontext_sid))
2694                         goto out_bad_option;
2695         }
2696         if (opts->context_sid) {
2697                 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2698                                opts->context_sid))
2699                         goto out_bad_option;
2700         }
2701         if (opts->rootcontext_sid) {
2702                 struct inode_security_struct *root_isec;
2703                 root_isec = backing_inode_security(sb->s_root);
2704                 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2705                                opts->rootcontext_sid))
2706                         goto out_bad_option;
2707         }
2708         if (opts->defcontext_sid) {
2709                 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2710                                opts->defcontext_sid))
2711                         goto out_bad_option;
2712         }
2713         return 0;
2714
2715 out_bad_option:
2716         pr_warn("SELinux: unable to change security options "
2717                "during remount (dev %s, type=%s)\n", sb->s_id,
2718                sb->s_type->name);
2719         return -EINVAL;
2720 }
2721
2722 static int selinux_sb_kern_mount(struct super_block *sb)
2723 {
2724         const struct cred *cred = current_cred();
2725         struct common_audit_data ad;
2726
2727         ad.type = LSM_AUDIT_DATA_DENTRY;
2728         ad.u.dentry = sb->s_root;
2729         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2730 }
2731
2732 static int selinux_sb_statfs(struct dentry *dentry)
2733 {
2734         const struct cred *cred = current_cred();
2735         struct common_audit_data ad;
2736
2737         ad.type = LSM_AUDIT_DATA_DENTRY;
2738         ad.u.dentry = dentry->d_sb->s_root;
2739         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2740 }
2741
2742 static int selinux_mount(const char *dev_name,
2743                          const struct path *path,
2744                          const char *type,
2745                          unsigned long flags,
2746                          void *data)
2747 {
2748         const struct cred *cred = current_cred();
2749
2750         if (flags & MS_REMOUNT)
2751                 return superblock_has_perm(cred, path->dentry->d_sb,
2752                                            FILESYSTEM__REMOUNT, NULL);
2753         else
2754                 return path_has_perm(cred, path, FILE__MOUNTON);
2755 }
2756
2757 static int selinux_move_mount(const struct path *from_path,
2758                               const struct path *to_path)
2759 {
2760         const struct cred *cred = current_cred();
2761
2762         return path_has_perm(cred, to_path, FILE__MOUNTON);
2763 }
2764
2765 static int selinux_umount(struct vfsmount *mnt, int flags)
2766 {
2767         const struct cred *cred = current_cred();
2768
2769         return superblock_has_perm(cred, mnt->mnt_sb,
2770                                    FILESYSTEM__UNMOUNT, NULL);
2771 }
2772
2773 static int selinux_fs_context_submount(struct fs_context *fc,
2774                                    struct super_block *reference)
2775 {
2776         const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2777         struct selinux_mnt_opts *opts;
2778
2779         /*
2780          * Ensure that fc->security remains NULL when no options are set
2781          * as expected by selinux_set_mnt_opts().
2782          */
2783         if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2784                 return 0;
2785
2786         opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2787         if (!opts)
2788                 return -ENOMEM;
2789
2790         if (sbsec->flags & FSCONTEXT_MNT)
2791                 opts->fscontext_sid = sbsec->sid;
2792         if (sbsec->flags & CONTEXT_MNT)
2793                 opts->context_sid = sbsec->mntpoint_sid;
2794         if (sbsec->flags & DEFCONTEXT_MNT)
2795                 opts->defcontext_sid = sbsec->def_sid;
2796         fc->security = opts;
2797         return 0;
2798 }
2799
2800 static int selinux_fs_context_dup(struct fs_context *fc,
2801                                   struct fs_context *src_fc)
2802 {
2803         const struct selinux_mnt_opts *src = src_fc->security;
2804
2805         if (!src)
2806                 return 0;
2807
2808         fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2809         return fc->security ? 0 : -ENOMEM;
2810 }
2811
2812 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2813         fsparam_string(CONTEXT_STR,     Opt_context),
2814         fsparam_string(DEFCONTEXT_STR,  Opt_defcontext),
2815         fsparam_string(FSCONTEXT_STR,   Opt_fscontext),
2816         fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2817         fsparam_flag  (SECLABEL_STR,    Opt_seclabel),
2818         {}
2819 };
2820
2821 static int selinux_fs_context_parse_param(struct fs_context *fc,
2822                                           struct fs_parameter *param)
2823 {
2824         struct fs_parse_result result;
2825         int opt;
2826
2827         opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2828         if (opt < 0)
2829                 return opt;
2830
2831         return selinux_add_opt(opt, param->string, &fc->security);
2832 }
2833
2834 /* inode security operations */
2835
2836 static int selinux_inode_alloc_security(struct inode *inode)
2837 {
2838         struct inode_security_struct *isec = selinux_inode(inode);
2839         u32 sid = current_sid();
2840
2841         spin_lock_init(&isec->lock);
2842         INIT_LIST_HEAD(&isec->list);
2843         isec->inode = inode;
2844         isec->sid = SECINITSID_UNLABELED;
2845         isec->sclass = SECCLASS_FILE;
2846         isec->task_sid = sid;
2847         isec->initialized = LABEL_INVALID;
2848
2849         return 0;
2850 }
2851
2852 static void selinux_inode_free_security(struct inode *inode)
2853 {
2854         inode_free_security(inode);
2855 }
2856
2857 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2858                                         const struct qstr *name,
2859                                         const char **xattr_name, void **ctx,
2860                                         u32 *ctxlen)
2861 {
2862         u32 newsid;
2863         int rc;
2864
2865         rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2866                                            d_inode(dentry->d_parent), name,
2867                                            inode_mode_to_security_class(mode),
2868                                            &newsid);
2869         if (rc)
2870                 return rc;
2871
2872         if (xattr_name)
2873                 *xattr_name = XATTR_NAME_SELINUX;
2874
2875         return security_sid_to_context(newsid, (char **)ctx,
2876                                        ctxlen);
2877 }
2878
2879 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2880                                           struct qstr *name,
2881                                           const struct cred *old,
2882                                           struct cred *new)
2883 {
2884         u32 newsid;
2885         int rc;
2886         struct task_security_struct *tsec;
2887
2888         rc = selinux_determine_inode_label(selinux_cred(old),
2889                                            d_inode(dentry->d_parent), name,
2890                                            inode_mode_to_security_class(mode),
2891                                            &newsid);
2892         if (rc)
2893                 return rc;
2894
2895         tsec = selinux_cred(new);
2896         tsec->create_sid = newsid;
2897         return 0;
2898 }
2899
2900 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2901                                        const struct qstr *qstr,
2902                                        struct xattr *xattrs, int *xattr_count)
2903 {
2904         const struct task_security_struct *tsec = selinux_cred(current_cred());
2905         struct superblock_security_struct *sbsec;
2906         struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2907         u32 newsid, clen;
2908         int rc;
2909         char *context;
2910
2911         sbsec = selinux_superblock(dir->i_sb);
2912
2913         newsid = tsec->create_sid;
2914
2915         rc = selinux_determine_inode_label(tsec, dir, qstr,
2916                 inode_mode_to_security_class(inode->i_mode),
2917                 &newsid);
2918         if (rc)
2919                 return rc;
2920
2921         /* Possibly defer initialization to selinux_complete_init. */
2922         if (sbsec->flags & SE_SBINITIALIZED) {
2923                 struct inode_security_struct *isec = selinux_inode(inode);
2924                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2925                 isec->sid = newsid;
2926                 isec->initialized = LABEL_INITIALIZED;
2927         }
2928
2929         if (!selinux_initialized() ||
2930             !(sbsec->flags & SBLABEL_MNT))
2931                 return -EOPNOTSUPP;
2932
2933         if (xattr) {
2934                 rc = security_sid_to_context_force(newsid,
2935                                                    &context, &clen);
2936                 if (rc)
2937                         return rc;
2938                 xattr->value = context;
2939                 xattr->value_len = clen;
2940                 xattr->name = XATTR_SELINUX_SUFFIX;
2941         }
2942
2943         return 0;
2944 }
2945
2946 static int selinux_inode_init_security_anon(struct inode *inode,
2947                                             const struct qstr *name,
2948                                             const struct inode *context_inode)
2949 {
2950         const struct task_security_struct *tsec = selinux_cred(current_cred());
2951         struct common_audit_data ad;
2952         struct inode_security_struct *isec;
2953         int rc;
2954
2955         if (unlikely(!selinux_initialized()))
2956                 return 0;
2957
2958         isec = selinux_inode(inode);
2959
2960         /*
2961          * We only get here once per ephemeral inode.  The inode has
2962          * been initialized via inode_alloc_security but is otherwise
2963          * untouched.
2964          */
2965
2966         if (context_inode) {
2967                 struct inode_security_struct *context_isec =
2968                         selinux_inode(context_inode);
2969                 if (context_isec->initialized != LABEL_INITIALIZED) {
2970                         pr_err("SELinux:  context_inode is not initialized\n");
2971                         return -EACCES;
2972                 }
2973
2974                 isec->sclass = context_isec->sclass;
2975                 isec->sid = context_isec->sid;
2976         } else {
2977                 isec->sclass = SECCLASS_ANON_INODE;
2978                 rc = security_transition_sid(
2979                         tsec->sid, tsec->sid,
2980                         isec->sclass, name, &isec->sid);
2981                 if (rc)
2982                         return rc;
2983         }
2984
2985         isec->initialized = LABEL_INITIALIZED;
2986         /*
2987          * Now that we've initialized security, check whether we're
2988          * allowed to actually create this type of anonymous inode.
2989          */
2990
2991         ad.type = LSM_AUDIT_DATA_ANONINODE;
2992         ad.u.anonclass = name ? (const char *)name->name : "?";
2993
2994         return avc_has_perm(tsec->sid,
2995                             isec->sid,
2996                             isec->sclass,
2997                             FILE__CREATE,
2998                             &ad);
2999 }
3000
3001 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3002 {
3003         return may_create(dir, dentry, SECCLASS_FILE);
3004 }
3005
3006 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3007 {
3008         return may_link(dir, old_dentry, MAY_LINK);
3009 }
3010
3011 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3012 {
3013         return may_link(dir, dentry, MAY_UNLINK);
3014 }
3015
3016 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3017 {
3018         return may_create(dir, dentry, SECCLASS_LNK_FILE);
3019 }
3020
3021 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3022 {
3023         return may_create(dir, dentry, SECCLASS_DIR);
3024 }
3025
3026 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3027 {
3028         return may_link(dir, dentry, MAY_RMDIR);
3029 }
3030
3031 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3032 {
3033         return may_create(dir, dentry, inode_mode_to_security_class(mode));
3034 }
3035
3036 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3037                                 struct inode *new_inode, struct dentry *new_dentry)
3038 {
3039         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3040 }
3041
3042 static int selinux_inode_readlink(struct dentry *dentry)
3043 {
3044         const struct cred *cred = current_cred();
3045
3046         return dentry_has_perm(cred, dentry, FILE__READ);
3047 }
3048
3049 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3050                                      bool rcu)
3051 {
3052         const struct cred *cred = current_cred();
3053         struct common_audit_data ad;
3054         struct inode_security_struct *isec;
3055         u32 sid;
3056
3057         ad.type = LSM_AUDIT_DATA_DENTRY;
3058         ad.u.dentry = dentry;
3059         sid = cred_sid(cred);
3060         isec = inode_security_rcu(inode, rcu);
3061         if (IS_ERR(isec))
3062                 return PTR_ERR(isec);
3063
3064         return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3065 }
3066
3067 static noinline int audit_inode_permission(struct inode *inode,
3068                                            u32 perms, u32 audited, u32 denied,
3069                                            int result)
3070 {
3071         struct common_audit_data ad;
3072         struct inode_security_struct *isec = selinux_inode(inode);
3073
3074         ad.type = LSM_AUDIT_DATA_INODE;
3075         ad.u.inode = inode;
3076
3077         return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3078                             audited, denied, result, &ad);
3079 }
3080
3081 static int selinux_inode_permission(struct inode *inode, int mask)
3082 {
3083         const struct cred *cred = current_cred();
3084         u32 perms;
3085         bool from_access;
3086         bool no_block = mask & MAY_NOT_BLOCK;
3087         struct inode_security_struct *isec;
3088         u32 sid;
3089         struct av_decision avd;
3090         int rc, rc2;
3091         u32 audited, denied;
3092
3093         from_access = mask & MAY_ACCESS;
3094         mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3095
3096         /* No permission to check.  Existence test. */
3097         if (!mask)
3098                 return 0;
3099
3100         if (unlikely(IS_PRIVATE(inode)))
3101                 return 0;
3102
3103         perms = file_mask_to_av(inode->i_mode, mask);
3104
3105         sid = cred_sid(cred);
3106         isec = inode_security_rcu(inode, no_block);
3107         if (IS_ERR(isec))
3108                 return PTR_ERR(isec);
3109
3110         rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,
3111                                   &avd);
3112         audited = avc_audit_required(perms, &avd, rc,
3113                                      from_access ? FILE__AUDIT_ACCESS : 0,
3114                                      &denied);
3115         if (likely(!audited))
3116                 return rc;
3117
3118         rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3119         if (rc2)
3120                 return rc2;
3121         return rc;
3122 }
3123
3124 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3125 {
3126         const struct cred *cred = current_cred();
3127         struct inode *inode = d_backing_inode(dentry);
3128         unsigned int ia_valid = iattr->ia_valid;
3129         __u32 av = FILE__WRITE;
3130
3131         /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3132         if (ia_valid & ATTR_FORCE) {
3133                 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3134                               ATTR_FORCE);
3135                 if (!ia_valid)
3136                         return 0;
3137         }
3138
3139         if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3140                         ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3141                 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3142
3143         if (selinux_policycap_openperm() &&
3144             inode->i_sb->s_magic != SOCKFS_MAGIC &&
3145             (ia_valid & ATTR_SIZE) &&
3146             !(ia_valid & ATTR_FILE))
3147                 av |= FILE__OPEN;
3148
3149         return dentry_has_perm(cred, dentry, av);
3150 }
3151
3152 static int selinux_inode_getattr(const struct path *path)
3153 {
3154         return path_has_perm(current_cred(), path, FILE__GETATTR);
3155 }
3156
3157 static bool has_cap_mac_admin(bool audit)
3158 {
3159         const struct cred *cred = current_cred();
3160         unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3161
3162         if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3163                 return false;
3164         if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3165                 return false;
3166         return true;
3167 }
3168
3169 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3170                                   struct dentry *dentry, const char *name,
3171                                   const void *value, size_t size, int flags)
3172 {
3173         struct inode *inode = d_backing_inode(dentry);
3174         struct inode_security_struct *isec;
3175         struct superblock_security_struct *sbsec;
3176         struct common_audit_data ad;
3177         u32 newsid, sid = current_sid();
3178         int rc = 0;
3179
3180         if (strcmp(name, XATTR_NAME_SELINUX)) {
3181                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3182                 if (rc)
3183                         return rc;
3184
3185                 /* Not an attribute we recognize, so just check the
3186                    ordinary setattr permission. */
3187                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3188         }
3189
3190         if (!selinux_initialized())
3191                 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3192
3193         sbsec = selinux_superblock(inode->i_sb);
3194         if (!(sbsec->flags & SBLABEL_MNT))
3195                 return -EOPNOTSUPP;
3196
3197         if (!inode_owner_or_capable(idmap, inode))
3198                 return -EPERM;
3199
3200         ad.type = LSM_AUDIT_DATA_DENTRY;
3201         ad.u.dentry = dentry;
3202
3203         isec = backing_inode_security(dentry);
3204         rc = avc_has_perm(sid, isec->sid, isec->sclass,
3205                           FILE__RELABELFROM, &ad);
3206         if (rc)
3207                 return rc;
3208
3209         rc = security_context_to_sid(value, size, &newsid,
3210                                      GFP_KERNEL);
3211         if (rc == -EINVAL) {
3212                 if (!has_cap_mac_admin(true)) {
3213                         struct audit_buffer *ab;
3214                         size_t audit_size;
3215
3216                         /* We strip a nul only if it is at the end, otherwise the
3217                          * context contains a nul and we should audit that */
3218                         if (value) {
3219                                 const char *str = value;
3220
3221                                 if (str[size - 1] == '\0')
3222                                         audit_size = size - 1;
3223                                 else
3224                                         audit_size = size;
3225                         } else {
3226                                 audit_size = 0;
3227                         }
3228                         ab = audit_log_start(audit_context(),
3229                                              GFP_ATOMIC, AUDIT_SELINUX_ERR);
3230                         if (!ab)
3231                                 return rc;
3232                         audit_log_format(ab, "op=setxattr invalid_context=");
3233                         audit_log_n_untrustedstring(ab, value, audit_size);
3234                         audit_log_end(ab);
3235
3236                         return rc;
3237                 }
3238                 rc = security_context_to_sid_force(value,
3239                                                    size, &newsid);
3240         }
3241         if (rc)
3242                 return rc;
3243
3244         rc = avc_has_perm(sid, newsid, isec->sclass,
3245                           FILE__RELABELTO, &ad);
3246         if (rc)
3247                 return rc;
3248
3249         rc = security_validate_transition(isec->sid, newsid,
3250                                           sid, isec->sclass);
3251         if (rc)
3252                 return rc;
3253
3254         return avc_has_perm(newsid,
3255                             sbsec->sid,
3256                             SECCLASS_FILESYSTEM,
3257                             FILESYSTEM__ASSOCIATE,
3258                             &ad);
3259 }
3260
3261 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3262                                  struct dentry *dentry, const char *acl_name,
3263                                  struct posix_acl *kacl)
3264 {
3265         return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3266 }
3267
3268 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3269                                  struct dentry *dentry, const char *acl_name)
3270 {
3271         return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3272 }
3273
3274 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3275                                     struct dentry *dentry, const char *acl_name)
3276 {
3277         return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3278 }
3279
3280 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3281                                         const void *value, size_t size,
3282                                         int flags)
3283 {
3284         struct inode *inode = d_backing_inode(dentry);
3285         struct inode_security_struct *isec;
3286         u32 newsid;
3287         int rc;
3288
3289         if (strcmp(name, XATTR_NAME_SELINUX)) {
3290                 /* Not an attribute we recognize, so nothing to do. */
3291                 return;
3292         }
3293
3294         if (!selinux_initialized()) {
3295                 /* If we haven't even been initialized, then we can't validate
3296                  * against a policy, so leave the label as invalid. It may
3297                  * resolve to a valid label on the next revalidation try if
3298                  * we've since initialized.
3299                  */
3300                 return;
3301         }
3302
3303         rc = security_context_to_sid_force(value, size,
3304                                            &newsid);
3305         if (rc) {
3306                 pr_err("SELinux:  unable to map context to SID"
3307                        "for (%s, %lu), rc=%d\n",
3308                        inode->i_sb->s_id, inode->i_ino, -rc);
3309                 return;
3310         }
3311
3312         isec = backing_inode_security(dentry);
3313         spin_lock(&isec->lock);
3314         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3315         isec->sid = newsid;
3316         isec->initialized = LABEL_INITIALIZED;
3317         spin_unlock(&isec->lock);
3318 }
3319
3320 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3321 {
3322         const struct cred *cred = current_cred();
3323
3324         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3325 }
3326
3327 static int selinux_inode_listxattr(struct dentry *dentry)
3328 {
3329         const struct cred *cred = current_cred();
3330
3331         return dentry_has_perm(cred, dentry, FILE__GETATTR);
3332 }
3333
3334 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3335                                      struct dentry *dentry, const char *name)
3336 {
3337         if (strcmp(name, XATTR_NAME_SELINUX)) {
3338                 int rc = cap_inode_removexattr(idmap, dentry, name);
3339                 if (rc)
3340                         return rc;
3341
3342                 /* Not an attribute we recognize, so just check the
3343                    ordinary setattr permission. */
3344                 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3345         }
3346
3347         if (!selinux_initialized())
3348                 return 0;
3349
3350         /* No one is allowed to remove a SELinux security label.
3351            You can change the label, but all data must be labeled. */
3352         return -EACCES;
3353 }
3354
3355 static int selinux_path_notify(const struct path *path, u64 mask,
3356                                                 unsigned int obj_type)
3357 {
3358         int ret;
3359         u32 perm;
3360
3361         struct common_audit_data ad;
3362
3363         ad.type = LSM_AUDIT_DATA_PATH;
3364         ad.u.path = *path;
3365
3366         /*
3367          * Set permission needed based on the type of mark being set.
3368          * Performs an additional check for sb watches.
3369          */
3370         switch (obj_type) {
3371         case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3372                 perm = FILE__WATCH_MOUNT;
3373                 break;
3374         case FSNOTIFY_OBJ_TYPE_SB:
3375                 perm = FILE__WATCH_SB;
3376                 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3377                                                 FILESYSTEM__WATCH, &ad);
3378                 if (ret)
3379                         return ret;
3380                 break;
3381         case FSNOTIFY_OBJ_TYPE_INODE:
3382                 perm = FILE__WATCH;
3383                 break;
3384         default:
3385                 return -EINVAL;
3386         }
3387
3388         /* blocking watches require the file:watch_with_perm permission */
3389         if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3390                 perm |= FILE__WATCH_WITH_PERM;
3391
3392         /* watches on read-like events need the file:watch_reads permission */
3393         if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3394                 perm |= FILE__WATCH_READS;
3395
3396         return path_has_perm(current_cred(), path, perm);
3397 }
3398
3399 /*
3400  * Copy the inode security context value to the user.
3401  *
3402  * Permission check is handled by selinux_inode_getxattr hook.
3403  */
3404 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3405                                      struct inode *inode, const char *name,
3406                                      void **buffer, bool alloc)
3407 {
3408         u32 size;
3409         int error;
3410         char *context = NULL;
3411         struct inode_security_struct *isec;
3412
3413         /*
3414          * If we're not initialized yet, then we can't validate contexts, so
3415          * just let vfs_getxattr fall back to using the on-disk xattr.
3416          */
3417         if (!selinux_initialized() ||
3418             strcmp(name, XATTR_SELINUX_SUFFIX))
3419                 return -EOPNOTSUPP;
3420
3421         /*
3422          * If the caller has CAP_MAC_ADMIN, then get the raw context
3423          * value even if it is not defined by current policy; otherwise,
3424          * use the in-core value under current policy.
3425          * Use the non-auditing forms of the permission checks since
3426          * getxattr may be called by unprivileged processes commonly
3427          * and lack of permission just means that we fall back to the
3428          * in-core context value, not a denial.
3429          */
3430         isec = inode_security(inode);
3431         if (has_cap_mac_admin(false))
3432                 error = security_sid_to_context_force(isec->sid, &context,
3433                                                       &size);
3434         else
3435                 error = security_sid_to_context(isec->sid,
3436                                                 &context, &size);
3437         if (error)
3438                 return error;
3439         error = size;
3440         if (alloc) {
3441                 *buffer = context;
3442                 goto out_nofree;
3443         }
3444         kfree(context);
3445 out_nofree:
3446         return error;
3447 }
3448
3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3450                                      const void *value, size_t size, int flags)
3451 {
3452         struct inode_security_struct *isec = inode_security_novalidate(inode);
3453         struct superblock_security_struct *sbsec;
3454         u32 newsid;
3455         int rc;
3456
3457         if (strcmp(name, XATTR_SELINUX_SUFFIX))
3458                 return -EOPNOTSUPP;
3459
3460         sbsec = selinux_superblock(inode->i_sb);
3461         if (!(sbsec->flags & SBLABEL_MNT))
3462                 return -EOPNOTSUPP;
3463
3464         if (!value || !size)
3465                 return -EACCES;
3466
3467         rc = security_context_to_sid(value, size, &newsid,
3468                                      GFP_KERNEL);
3469         if (rc)
3470                 return rc;
3471
3472         spin_lock(&isec->lock);
3473         isec->sclass = inode_mode_to_security_class(inode->i_mode);
3474         isec->sid = newsid;
3475         isec->initialized = LABEL_INITIALIZED;
3476         spin_unlock(&isec->lock);
3477         return 0;
3478 }
3479
3480 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481 {
3482         const int len = sizeof(XATTR_NAME_SELINUX);
3483
3484         if (!selinux_initialized())
3485                 return 0;
3486
3487         if (buffer && len <= buffer_size)
3488                 memcpy(buffer, XATTR_NAME_SELINUX, len);
3489         return len;
3490 }
3491
3492 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3493 {
3494         struct inode_security_struct *isec = inode_security_novalidate(inode);
3495         *secid = isec->sid;
3496 }
3497
3498 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3499 {
3500         u32 sid;
3501         struct task_security_struct *tsec;
3502         struct cred *new_creds = *new;
3503
3504         if (new_creds == NULL) {
3505                 new_creds = prepare_creds();
3506                 if (!new_creds)
3507                         return -ENOMEM;
3508         }
3509
3510         tsec = selinux_cred(new_creds);
3511         /* Get label from overlay inode and set it in create_sid */
3512         selinux_inode_getsecid(d_inode(src), &sid);
3513         tsec->create_sid = sid;
3514         *new = new_creds;
3515         return 0;
3516 }
3517
3518 static int selinux_inode_copy_up_xattr(const char *name)
3519 {
3520         /* The copy_up hook above sets the initial context on an inode, but we
3521          * don't then want to overwrite it by blindly copying all the lower
3522          * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
3523          */
3524         if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3525                 return 1; /* Discard */
3526         /*
3527          * Any other attribute apart from SELINUX is not claimed, supported
3528          * by selinux.
3529          */
3530         return -EOPNOTSUPP;
3531 }
3532
3533 /* kernfs node operations */
3534
3535 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3536                                         struct kernfs_node *kn)
3537 {
3538         const struct task_security_struct *tsec = selinux_cred(current_cred());
3539         u32 parent_sid, newsid, clen;
3540         int rc;
3541         char *context;
3542
3543         rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3544         if (rc == -ENODATA)
3545                 return 0;
3546         else if (rc < 0)
3547                 return rc;
3548
3549         clen = (u32)rc;
3550         context = kmalloc(clen, GFP_KERNEL);
3551         if (!context)
3552                 return -ENOMEM;
3553
3554         rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3555         if (rc < 0) {
3556                 kfree(context);
3557                 return rc;
3558         }
3559
3560         rc = security_context_to_sid(context, clen, &parent_sid,
3561                                      GFP_KERNEL);
3562         kfree(context);
3563         if (rc)
3564                 return rc;
3565
3566         if (tsec->create_sid) {
3567                 newsid = tsec->create_sid;
3568         } else {
3569                 u16 secclass = inode_mode_to_security_class(kn->mode);
3570                 struct qstr q;
3571
3572                 q.name = kn->name;
3573                 q.hash_len = hashlen_string(kn_dir, kn->name);
3574
3575                 rc = security_transition_sid(tsec->sid,
3576                                              parent_sid, secclass, &q,
3577                                              &newsid);
3578                 if (rc)
3579                         return rc;
3580         }
3581
3582         rc = security_sid_to_context_force(newsid,
3583                                            &context, &clen);
3584         if (rc)
3585                 return rc;
3586
3587         rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3588                               XATTR_CREATE);
3589         kfree(context);
3590         return rc;
3591 }
3592
3593
3594 /* file security operations */
3595
3596 static int selinux_revalidate_file_permission(struct file *file, int mask)
3597 {
3598         const struct cred *cred = current_cred();
3599         struct inode *inode = file_inode(file);
3600
3601         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3602         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3603                 mask |= MAY_APPEND;
3604
3605         return file_has_perm(cred, file,
3606                              file_mask_to_av(inode->i_mode, mask));
3607 }
3608
3609 static int selinux_file_permission(struct file *file, int mask)
3610 {
3611         struct inode *inode = file_inode(file);
3612         struct file_security_struct *fsec = selinux_file(file);
3613         struct inode_security_struct *isec;
3614         u32 sid = current_sid();
3615
3616         if (!mask)
3617                 /* No permission to check.  Existence test. */
3618                 return 0;
3619
3620         isec = inode_security(inode);
3621         if (sid == fsec->sid && fsec->isid == isec->sid &&
3622             fsec->pseqno == avc_policy_seqno())
3623                 /* No change since file_open check. */
3624                 return 0;
3625
3626         return selinux_revalidate_file_permission(file, mask);
3627 }
3628
3629 static int selinux_file_alloc_security(struct file *file)
3630 {
3631         struct file_security_struct *fsec = selinux_file(file);
3632         u32 sid = current_sid();
3633
3634         fsec->sid = sid;
3635         fsec->fown_sid = sid;
3636
3637         return 0;
3638 }
3639
3640 /*
3641  * Check whether a task has the ioctl permission and cmd
3642  * operation to an inode.
3643  */
3644 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3645                 u32 requested, u16 cmd)
3646 {
3647         struct common_audit_data ad;
3648         struct file_security_struct *fsec = selinux_file(file);
3649         struct inode *inode = file_inode(file);
3650         struct inode_security_struct *isec;
3651         struct lsm_ioctlop_audit ioctl;
3652         u32 ssid = cred_sid(cred);
3653         int rc;
3654         u8 driver = cmd >> 8;
3655         u8 xperm = cmd & 0xff;
3656
3657         ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3658         ad.u.op = &ioctl;
3659         ad.u.op->cmd = cmd;
3660         ad.u.op->path = file->f_path;
3661
3662         if (ssid != fsec->sid) {
3663                 rc = avc_has_perm(ssid, fsec->sid,
3664                                 SECCLASS_FD,
3665                                 FD__USE,
3666                                 &ad);
3667                 if (rc)
3668                         goto out;
3669         }
3670
3671         if (unlikely(IS_PRIVATE(inode)))
3672                 return 0;
3673
3674         isec = inode_security(inode);
3675         rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3676                                     requested, driver, xperm, &ad);
3677 out:
3678         return rc;
3679 }
3680
3681 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3682                               unsigned long arg)
3683 {
3684         const struct cred *cred = current_cred();
3685         int error = 0;
3686
3687         switch (cmd) {
3688         case FIONREAD:
3689         case FIBMAP:
3690         case FIGETBSZ:
3691         case FS_IOC_GETFLAGS:
3692         case FS_IOC_GETVERSION:
3693                 error = file_has_perm(cred, file, FILE__GETATTR);
3694                 break;
3695
3696         case FS_IOC_SETFLAGS:
3697         case FS_IOC_SETVERSION:
3698                 error = file_has_perm(cred, file, FILE__SETATTR);
3699                 break;
3700
3701         /* sys_ioctl() checks */
3702         case FIONBIO:
3703         case FIOASYNC:
3704                 error = file_has_perm(cred, file, 0);
3705                 break;
3706
3707         case KDSKBENT:
3708         case KDSKBSENT:
3709                 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3710                                             CAP_OPT_NONE, true);
3711                 break;
3712
3713         case FIOCLEX:
3714         case FIONCLEX:
3715                 if (!selinux_policycap_ioctl_skip_cloexec())
3716                         error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3717                 break;
3718
3719         /* default case assumes that the command will go
3720          * to the file's ioctl() function.
3721          */
3722         default:
3723                 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3724         }
3725         return error;
3726 }
3727
3728 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3729                               unsigned long arg)
3730 {
3731         /*
3732          * If we are in a 64-bit kernel running 32-bit userspace, we need to
3733          * make sure we don't compare 32-bit flags to 64-bit flags.
3734          */
3735         switch (cmd) {
3736         case FS_IOC32_GETFLAGS:
3737                 cmd = FS_IOC_GETFLAGS;
3738                 break;
3739         case FS_IOC32_SETFLAGS:
3740                 cmd = FS_IOC_SETFLAGS;
3741                 break;
3742         case FS_IOC32_GETVERSION:
3743                 cmd = FS_IOC_GETVERSION;
3744                 break;
3745         case FS_IOC32_SETVERSION:
3746                 cmd = FS_IOC_SETVERSION;
3747                 break;
3748         default:
3749                 break;
3750         }
3751
3752         return selinux_file_ioctl(file, cmd, arg);
3753 }
3754
3755 static int default_noexec __ro_after_init;
3756
3757 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3758 {
3759         const struct cred *cred = current_cred();
3760         u32 sid = cred_sid(cred);
3761         int rc = 0;
3762
3763         if (default_noexec &&
3764             (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3765                                    (!shared && (prot & PROT_WRITE)))) {
3766                 /*
3767                  * We are making executable an anonymous mapping or a
3768                  * private file mapping that will also be writable.
3769                  * This has an additional check.
3770                  */
3771                 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3772                                   PROCESS__EXECMEM, NULL);
3773                 if (rc)
3774                         goto error;
3775         }
3776
3777         if (file) {
3778                 /* read access is always possible with a mapping */
3779                 u32 av = FILE__READ;
3780
3781                 /* write access only matters if the mapping is shared */
3782                 if (shared && (prot & PROT_WRITE))
3783                         av |= FILE__WRITE;
3784
3785                 if (prot & PROT_EXEC)
3786                         av |= FILE__EXECUTE;
3787
3788                 return file_has_perm(cred, file, av);
3789         }
3790
3791 error:
3792         return rc;
3793 }
3794
3795 static int selinux_mmap_addr(unsigned long addr)
3796 {
3797         int rc = 0;
3798
3799         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3800                 u32 sid = current_sid();
3801                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3802                                   MEMPROTECT__MMAP_ZERO, NULL);
3803         }
3804
3805         return rc;
3806 }
3807
3808 static int selinux_mmap_file(struct file *file,
3809                              unsigned long reqprot __always_unused,
3810                              unsigned long prot, unsigned long flags)
3811 {
3812         struct common_audit_data ad;
3813         int rc;
3814
3815         if (file) {
3816                 ad.type = LSM_AUDIT_DATA_FILE;
3817                 ad.u.file = file;
3818                 rc = inode_has_perm(current_cred(), file_inode(file),
3819                                     FILE__MAP, &ad);
3820                 if (rc)
3821                         return rc;
3822         }
3823
3824         return file_map_prot_check(file, prot,
3825                                    (flags & MAP_TYPE) == MAP_SHARED);
3826 }
3827
3828 static int selinux_file_mprotect(struct vm_area_struct *vma,
3829                                  unsigned long reqprot __always_unused,
3830                                  unsigned long prot)
3831 {
3832         const struct cred *cred = current_cred();
3833         u32 sid = cred_sid(cred);
3834
3835         if (default_noexec &&
3836             (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3837                 int rc = 0;
3838                 if (vma_is_initial_heap(vma)) {
3839                         rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3840                                           PROCESS__EXECHEAP, NULL);
3841                 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
3842                             vma_is_stack_for_current(vma))) {
3843                         rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3844                                           PROCESS__EXECSTACK, NULL);
3845                 } else if (vma->vm_file && vma->anon_vma) {
3846                         /*
3847                          * We are making executable a file mapping that has
3848                          * had some COW done. Since pages might have been
3849                          * written, check ability to execute the possibly
3850                          * modified content.  This typically should only
3851                          * occur for text relocations.
3852                          */
3853                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3854                 }
3855                 if (rc)
3856                         return rc;
3857         }
3858
3859         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3860 }
3861
3862 static int selinux_file_lock(struct file *file, unsigned int cmd)
3863 {
3864         const struct cred *cred = current_cred();
3865
3866         return file_has_perm(cred, file, FILE__LOCK);
3867 }
3868
3869 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3870                               unsigned long arg)
3871 {
3872         const struct cred *cred = current_cred();
3873         int err = 0;
3874
3875         switch (cmd) {
3876         case F_SETFL:
3877                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3878                         err = file_has_perm(cred, file, FILE__WRITE);
3879                         break;
3880                 }
3881                 fallthrough;
3882         case F_SETOWN:
3883         case F_SETSIG:
3884         case F_GETFL:
3885         case F_GETOWN:
3886         case F_GETSIG:
3887         case F_GETOWNER_UIDS:
3888                 /* Just check FD__USE permission */
3889                 err = file_has_perm(cred, file, 0);
3890                 break;
3891         case F_GETLK:
3892         case F_SETLK:
3893         case F_SETLKW:
3894         case F_OFD_GETLK:
3895         case F_OFD_SETLK:
3896         case F_OFD_SETLKW:
3897 #if BITS_PER_LONG == 32
3898         case F_GETLK64:
3899         case F_SETLK64:
3900         case F_SETLKW64:
3901 #endif
3902                 err = file_has_perm(cred, file, FILE__LOCK);
3903                 break;
3904         }
3905
3906         return err;
3907 }
3908
3909 static void selinux_file_set_fowner(struct file *file)
3910 {
3911         struct file_security_struct *fsec;
3912
3913         fsec = selinux_file(file);
3914         fsec->fown_sid = current_sid();
3915 }
3916
3917 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3918                                        struct fown_struct *fown, int signum)
3919 {
3920         struct file *file;
3921         u32 sid = task_sid_obj(tsk);
3922         u32 perm;
3923         struct file_security_struct *fsec;
3924
3925         /* struct fown_struct is never outside the context of a struct file */
3926         file = container_of(fown, struct file, f_owner);
3927
3928         fsec = selinux_file(file);
3929
3930         if (!signum)
3931                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3932         else
3933                 perm = signal_to_av(signum);
3934
3935         return avc_has_perm(fsec->fown_sid, sid,
3936                             SECCLASS_PROCESS, perm, NULL);
3937 }
3938
3939 static int selinux_file_receive(struct file *file)
3940 {
3941         const struct cred *cred = current_cred();
3942
3943         return file_has_perm(cred, file, file_to_av(file));
3944 }
3945
3946 static int selinux_file_open(struct file *file)
3947 {
3948         struct file_security_struct *fsec;
3949         struct inode_security_struct *isec;
3950
3951         fsec = selinux_file(file);
3952         isec = inode_security(file_inode(file));
3953         /*
3954          * Save inode label and policy sequence number
3955          * at open-time so that selinux_file_permission
3956          * can determine whether revalidation is necessary.
3957          * Task label is already saved in the file security
3958          * struct as its SID.
3959          */
3960         fsec->isid = isec->sid;
3961         fsec->pseqno = avc_policy_seqno();
3962         /*
3963          * Since the inode label or policy seqno may have changed
3964          * between the selinux_inode_permission check and the saving
3965          * of state above, recheck that access is still permitted.
3966          * Otherwise, access might never be revalidated against the
3967          * new inode label or new policy.
3968          * This check is not redundant - do not remove.
3969          */
3970         return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3971 }
3972
3973 /* task security operations */
3974
3975 static int selinux_task_alloc(struct task_struct *task,
3976                               unsigned long clone_flags)
3977 {
3978         u32 sid = current_sid();
3979
3980         return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3981 }
3982
3983 /*
3984  * prepare a new set of credentials for modification
3985  */
3986 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3987                                 gfp_t gfp)
3988 {
3989         const struct task_security_struct *old_tsec = selinux_cred(old);
3990         struct task_security_struct *tsec = selinux_cred(new);
3991
3992         *tsec = *old_tsec;
3993         return 0;
3994 }
3995
3996 /*
3997  * transfer the SELinux data to a blank set of creds
3998  */
3999 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4000 {
4001         const struct task_security_struct *old_tsec = selinux_cred(old);
4002         struct task_security_struct *tsec = selinux_cred(new);
4003
4004         *tsec = *old_tsec;
4005 }
4006
4007 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4008 {
4009         *secid = cred_sid(c);
4010 }
4011
4012 /*
4013  * set the security data for a kernel service
4014  * - all the creation contexts are set to unlabelled
4015  */
4016 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4017 {
4018         struct task_security_struct *tsec = selinux_cred(new);
4019         u32 sid = current_sid();
4020         int ret;
4021
4022         ret = avc_has_perm(sid, secid,
4023                            SECCLASS_KERNEL_SERVICE,
4024                            KERNEL_SERVICE__USE_AS_OVERRIDE,
4025                            NULL);
4026         if (ret == 0) {
4027                 tsec->sid = secid;
4028                 tsec->create_sid = 0;
4029                 tsec->keycreate_sid = 0;
4030                 tsec->sockcreate_sid = 0;
4031         }
4032         return ret;
4033 }
4034
4035 /*
4036  * set the file creation context in a security record to the same as the
4037  * objective context of the specified inode
4038  */
4039 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4040 {
4041         struct inode_security_struct *isec = inode_security(inode);
4042         struct task_security_struct *tsec = selinux_cred(new);
4043         u32 sid = current_sid();
4044         int ret;
4045
4046         ret = avc_has_perm(sid, isec->sid,
4047                            SECCLASS_KERNEL_SERVICE,
4048                            KERNEL_SERVICE__CREATE_FILES_AS,
4049                            NULL);
4050
4051         if (ret == 0)
4052                 tsec->create_sid = isec->sid;
4053         return ret;
4054 }
4055
4056 static int selinux_kernel_module_request(char *kmod_name)
4057 {
4058         struct common_audit_data ad;
4059
4060         ad.type = LSM_AUDIT_DATA_KMOD;
4061         ad.u.kmod_name = kmod_name;
4062
4063         return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4064                             SYSTEM__MODULE_REQUEST, &ad);
4065 }
4066
4067 static int selinux_kernel_module_from_file(struct file *file)
4068 {
4069         struct common_audit_data ad;
4070         struct inode_security_struct *isec;
4071         struct file_security_struct *fsec;
4072         u32 sid = current_sid();
4073         int rc;
4074
4075         /* init_module */
4076         if (file == NULL)
4077                 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
4078                                         SYSTEM__MODULE_LOAD, NULL);
4079
4080         /* finit_module */
4081
4082         ad.type = LSM_AUDIT_DATA_FILE;
4083         ad.u.file = file;
4084
4085         fsec = selinux_file(file);
4086         if (sid != fsec->sid) {
4087                 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4088                 if (rc)
4089                         return rc;
4090         }
4091
4092         isec = inode_security(file_inode(file));
4093         return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
4094                                 SYSTEM__MODULE_LOAD, &ad);
4095 }
4096
4097 static int selinux_kernel_read_file(struct file *file,
4098                                     enum kernel_read_file_id id,
4099                                     bool contents)
4100 {
4101         int rc = 0;
4102
4103         switch (id) {
4104         case READING_MODULE:
4105                 rc = selinux_kernel_module_from_file(contents ? file : NULL);
4106                 break;
4107         default:
4108                 break;
4109         }
4110
4111         return rc;
4112 }
4113
4114 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4115 {
4116         int rc = 0;
4117
4118         switch (id) {
4119         case LOADING_MODULE:
4120                 rc = selinux_kernel_module_from_file(NULL);
4121                 break;
4122         default:
4123                 break;
4124         }
4125
4126         return rc;
4127 }
4128
4129 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4130 {
4131         return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4132                             PROCESS__SETPGID, NULL);
4133 }
4134
4135 static int selinux_task_getpgid(struct task_struct *p)
4136 {
4137         return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4138                             PROCESS__GETPGID, NULL);
4139 }
4140
4141 static int selinux_task_getsid(struct task_struct *p)
4142 {
4143         return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4144                             PROCESS__GETSESSION, NULL);
4145 }
4146
4147 static void selinux_current_getsecid_subj(u32 *secid)
4148 {
4149         *secid = current_sid();
4150 }
4151
4152 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
4153 {
4154         *secid = task_sid_obj(p);
4155 }
4156
4157 static int selinux_task_setnice(struct task_struct *p, int nice)
4158 {
4159         return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4160                             PROCESS__SETSCHED, NULL);
4161 }
4162
4163 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4164 {
4165         return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4166                             PROCESS__SETSCHED, NULL);
4167 }
4168
4169 static int selinux_task_getioprio(struct task_struct *p)
4170 {
4171         return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4172                             PROCESS__GETSCHED, NULL);
4173 }
4174
4175 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4176                                 unsigned int flags)
4177 {
4178         u32 av = 0;
4179
4180         if (!flags)
4181                 return 0;
4182         if (flags & LSM_PRLIMIT_WRITE)
4183                 av |= PROCESS__SETRLIMIT;
4184         if (flags & LSM_PRLIMIT_READ)
4185                 av |= PROCESS__GETRLIMIT;
4186         return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4187                             SECCLASS_PROCESS, av, NULL);
4188 }
4189
4190 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4191                 struct rlimit *new_rlim)
4192 {
4193         struct rlimit *old_rlim = p->signal->rlim + resource;
4194
4195         /* Control the ability to change the hard limit (whether
4196            lowering or raising it), so that the hard limit can
4197            later be used as a safe reset point for the soft limit
4198            upon context transitions.  See selinux_bprm_committing_creds. */
4199         if (old_rlim->rlim_max != new_rlim->rlim_max)
4200                 return avc_has_perm(current_sid(), task_sid_obj(p),
4201                                     SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4202
4203         return 0;
4204 }
4205
4206 static int selinux_task_setscheduler(struct task_struct *p)
4207 {
4208         return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4209                             PROCESS__SETSCHED, NULL);
4210 }
4211
4212 static int selinux_task_getscheduler(struct task_struct *p)
4213 {
4214         return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4215                             PROCESS__GETSCHED, NULL);
4216 }
4217
4218 static int selinux_task_movememory(struct task_struct *p)
4219 {
4220         return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4221                             PROCESS__SETSCHED, NULL);
4222 }
4223
4224 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4225                                 int sig, const struct cred *cred)
4226 {
4227         u32 secid;
4228         u32 perm;
4229
4230         if (!sig)
4231                 perm = PROCESS__SIGNULL; /* null signal; existence test */
4232         else
4233                 perm = signal_to_av(sig);
4234         if (!cred)
4235                 secid = current_sid();
4236         else
4237                 secid = cred_sid(cred);
4238         return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4239 }
4240
4241 static void selinux_task_to_inode(struct task_struct *p,
4242                                   struct inode *inode)
4243 {
4244         struct inode_security_struct *isec = selinux_inode(inode);
4245         u32 sid = task_sid_obj(p);
4246
4247         spin_lock(&isec->lock);
4248         isec->sclass = inode_mode_to_security_class(inode->i_mode);
4249         isec->sid = sid;
4250         isec->initialized = LABEL_INITIALIZED;
4251         spin_unlock(&isec->lock);
4252 }
4253
4254 static int selinux_userns_create(const struct cred *cred)
4255 {
4256         u32 sid = current_sid();
4257
4258         return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4259                         USER_NAMESPACE__CREATE, NULL);
4260 }
4261
4262 /* Returns error only if unable to parse addresses */
4263 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4264                         struct common_audit_data *ad, u8 *proto)
4265 {
4266         int offset, ihlen, ret = -EINVAL;
4267         struct iphdr _iph, *ih;
4268
4269         offset = skb_network_offset(skb);
4270         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4271         if (ih == NULL)
4272                 goto out;
4273
4274         ihlen = ih->ihl * 4;
4275         if (ihlen < sizeof(_iph))
4276                 goto out;
4277
4278         ad->u.net->v4info.saddr = ih->saddr;
4279         ad->u.net->v4info.daddr = ih->daddr;
4280         ret = 0;
4281
4282         if (proto)
4283                 *proto = ih->protocol;
4284
4285         switch (ih->protocol) {
4286         case IPPROTO_TCP: {
4287                 struct tcphdr _tcph, *th;
4288
4289                 if (ntohs(ih->frag_off) & IP_OFFSET)
4290                         break;
4291
4292                 offset += ihlen;
4293                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4294                 if (th == NULL)
4295                         break;
4296
4297                 ad->u.net->sport = th->source;
4298                 ad->u.net->dport = th->dest;
4299                 break;
4300         }
4301
4302         case IPPROTO_UDP: {
4303                 struct udphdr _udph, *uh;
4304
4305                 if (ntohs(ih->frag_off) & IP_OFFSET)
4306                         break;
4307
4308                 offset += ihlen;
4309                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4310                 if (uh == NULL)
4311                         break;
4312
4313                 ad->u.net->sport = uh->source;
4314                 ad->u.net->dport = uh->dest;
4315                 break;
4316         }
4317
4318         case IPPROTO_DCCP: {
4319                 struct dccp_hdr _dccph, *dh;
4320
4321                 if (ntohs(ih->frag_off) & IP_OFFSET)
4322                         break;
4323
4324                 offset += ihlen;
4325                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4326                 if (dh == NULL)
4327                         break;
4328
4329                 ad->u.net->sport = dh->dccph_sport;
4330                 ad->u.net->dport = dh->dccph_dport;
4331                 break;
4332         }
4333
4334 #if IS_ENABLED(CONFIG_IP_SCTP)
4335         case IPPROTO_SCTP: {
4336                 struct sctphdr _sctph, *sh;
4337
4338                 if (ntohs(ih->frag_off) & IP_OFFSET)
4339                         break;
4340
4341                 offset += ihlen;
4342                 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4343                 if (sh == NULL)
4344                         break;
4345
4346                 ad->u.net->sport = sh->source;
4347                 ad->u.net->dport = sh->dest;
4348                 break;
4349         }
4350 #endif
4351         default:
4352                 break;
4353         }
4354 out:
4355         return ret;
4356 }
4357
4358 #if IS_ENABLED(CONFIG_IPV6)
4359
4360 /* Returns error only if unable to parse addresses */
4361 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4362                         struct common_audit_data *ad, u8 *proto)
4363 {
4364         u8 nexthdr;
4365         int ret = -EINVAL, offset;
4366         struct ipv6hdr _ipv6h, *ip6;
4367         __be16 frag_off;
4368
4369         offset = skb_network_offset(skb);
4370         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4371         if (ip6 == NULL)
4372                 goto out;
4373
4374         ad->u.net->v6info.saddr = ip6->saddr;
4375         ad->u.net->v6info.daddr = ip6->daddr;
4376         ret = 0;
4377
4378         nexthdr = ip6->nexthdr;
4379         offset += sizeof(_ipv6h);
4380         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4381         if (offset < 0)
4382                 goto out;
4383
4384         if (proto)
4385                 *proto = nexthdr;
4386
4387         switch (nexthdr) {
4388         case IPPROTO_TCP: {
4389                 struct tcphdr _tcph, *th;
4390
4391                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4392                 if (th == NULL)
4393                         break;
4394
4395                 ad->u.net->sport = th->source;
4396                 ad->u.net->dport = th->dest;
4397                 break;
4398         }
4399
4400         case IPPROTO_UDP: {
4401                 struct udphdr _udph, *uh;
4402
4403                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4404                 if (uh == NULL)
4405                         break;
4406
4407                 ad->u.net->sport = uh->source;
4408                 ad->u.net->dport = uh->dest;
4409                 break;
4410         }
4411
4412         case IPPROTO_DCCP: {
4413                 struct dccp_hdr _dccph, *dh;
4414
4415                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4416                 if (dh == NULL)
4417                         break;
4418
4419                 ad->u.net->sport = dh->dccph_sport;
4420                 ad->u.net->dport = dh->dccph_dport;
4421                 break;
4422         }
4423
4424 #if IS_ENABLED(CONFIG_IP_SCTP)
4425         case IPPROTO_SCTP: {
4426                 struct sctphdr _sctph, *sh;
4427
4428                 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4429                 if (sh == NULL)
4430                         break;
4431
4432                 ad->u.net->sport = sh->source;
4433                 ad->u.net->dport = sh->dest;
4434                 break;
4435         }
4436 #endif
4437         /* includes fragments */
4438         default:
4439                 break;
4440         }
4441 out:
4442         return ret;
4443 }
4444
4445 #endif /* IPV6 */
4446
4447 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4448                              char **_addrp, int src, u8 *proto)
4449 {
4450         char *addrp;
4451         int ret;
4452
4453         switch (ad->u.net->family) {
4454         case PF_INET:
4455                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4456                 if (ret)
4457                         goto parse_error;
4458                 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4459                                        &ad->u.net->v4info.daddr);
4460                 goto okay;
4461
4462 #if IS_ENABLED(CONFIG_IPV6)
4463         case PF_INET6:
4464                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4465                 if (ret)
4466                         goto parse_error;
4467                 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4468                                        &ad->u.net->v6info.daddr);
4469                 goto okay;
4470 #endif  /* IPV6 */
4471         default:
4472                 addrp = NULL;
4473                 goto okay;
4474         }
4475
4476 parse_error:
4477         pr_warn(
4478                "SELinux: failure in selinux_parse_skb(),"
4479                " unable to parse packet\n");
4480         return ret;
4481
4482 okay:
4483         if (_addrp)
4484                 *_addrp = addrp;
4485         return 0;
4486 }
4487
4488 /**
4489  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4490  * @skb: the packet
4491  * @family: protocol family
4492  * @sid: the packet's peer label SID
4493  *
4494  * Description:
4495  * Check the various different forms of network peer labeling and determine
4496  * the peer label/SID for the packet; most of the magic actually occurs in
4497  * the security server function security_net_peersid_cmp().  The function
4498  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4499  * or -EACCES if @sid is invalid due to inconsistencies with the different
4500  * peer labels.
4501  *
4502  */
4503 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4504 {
4505         int err;
4506         u32 xfrm_sid;
4507         u32 nlbl_sid;
4508         u32 nlbl_type;
4509
4510         err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4511         if (unlikely(err))
4512                 return -EACCES;
4513         err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4514         if (unlikely(err))
4515                 return -EACCES;
4516
4517         err = security_net_peersid_resolve(nlbl_sid,
4518                                            nlbl_type, xfrm_sid, sid);
4519         if (unlikely(err)) {
4520                 pr_warn(
4521                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
4522                        " unable to determine packet's peer label\n");
4523                 return -EACCES;
4524         }
4525
4526         return 0;
4527 }
4528
4529 /**
4530  * selinux_conn_sid - Determine the child socket label for a connection
4531  * @sk_sid: the parent socket's SID
4532  * @skb_sid: the packet's SID
4533  * @conn_sid: the resulting connection SID
4534  *
4535  * If @skb_sid is valid then the user:role:type information from @sk_sid is
4536  * combined with the MLS information from @skb_sid in order to create
4537  * @conn_sid.  If @skb_sid is not valid then @conn_sid is simply a copy
4538  * of @sk_sid.  Returns zero on success, negative values on failure.
4539  *
4540  */
4541 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4542 {
4543         int err = 0;
4544
4545         if (skb_sid != SECSID_NULL)
4546                 err = security_sid_mls_copy(sk_sid, skb_sid,
4547                                             conn_sid);
4548         else
4549                 *conn_sid = sk_sid;
4550
4551         return err;
4552 }
4553
4554 /* socket security operations */
4555
4556 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4557                                  u16 secclass, u32 *socksid)
4558 {
4559         if (tsec->sockcreate_sid > SECSID_NULL) {
4560                 *socksid = tsec->sockcreate_sid;
4561                 return 0;
4562         }
4563
4564         return security_transition_sid(tsec->sid, tsec->sid,
4565                                        secclass, NULL, socksid);
4566 }
4567
4568 static int sock_has_perm(struct sock *sk, u32 perms)
4569 {
4570         struct sk_security_struct *sksec = sk->sk_security;
4571         struct common_audit_data ad;
4572         struct lsm_network_audit net;
4573
4574         if (sksec->sid == SECINITSID_KERNEL)
4575                 return 0;
4576
4577         ad_net_init_from_sk(&ad, &net, sk);
4578
4579         return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4580                             &ad);
4581 }
4582
4583 static int selinux_socket_create(int family, int type,
4584                                  int protocol, int kern)
4585 {
4586         const struct task_security_struct *tsec = selinux_cred(current_cred());
4587         u32 newsid;
4588         u16 secclass;
4589         int rc;
4590
4591         if (kern)
4592                 return 0;
4593
4594         secclass = socket_type_to_security_class(family, type, protocol);
4595         rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4596         if (rc)
4597                 return rc;
4598
4599         return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4600 }
4601
4602 static int selinux_socket_post_create(struct socket *sock, int family,
4603                                       int type, int protocol, int kern)
4604 {
4605         const struct task_security_struct *tsec = selinux_cred(current_cred());
4606         struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4607         struct sk_security_struct *sksec;
4608         u16 sclass = socket_type_to_security_class(family, type, protocol);
4609         u32 sid = SECINITSID_KERNEL;
4610         int err = 0;
4611
4612         if (!kern) {
4613                 err = socket_sockcreate_sid(tsec, sclass, &sid);
4614                 if (err)
4615                         return err;
4616         }
4617
4618         isec->sclass = sclass;
4619         isec->sid = sid;
4620         isec->initialized = LABEL_INITIALIZED;
4621
4622         if (sock->sk) {
4623                 sksec = sock->sk->sk_security;
4624                 sksec->sclass = sclass;
4625                 sksec->sid = sid;
4626                 /* Allows detection of the first association on this socket */
4627                 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4628                         sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4629
4630                 err = selinux_netlbl_socket_post_create(sock->sk, family);
4631         }
4632
4633         return err;
4634 }
4635
4636 static int selinux_socket_socketpair(struct socket *socka,
4637                                      struct socket *sockb)
4638 {
4639         struct sk_security_struct *sksec_a = socka->sk->sk_security;
4640         struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4641
4642         sksec_a->peer_sid = sksec_b->sid;
4643         sksec_b->peer_sid = sksec_a->sid;
4644
4645         return 0;
4646 }
4647
4648 /* Range of port numbers used to automatically bind.
4649    Need to determine whether we should perform a name_bind
4650    permission check between the socket and the port number. */
4651
4652 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4653 {
4654         struct sock *sk = sock->sk;
4655         struct sk_security_struct *sksec = sk->sk_security;
4656         u16 family;
4657         int err;
4658
4659         err = sock_has_perm(sk, SOCKET__BIND);
4660         if (err)
4661                 goto out;
4662
4663         /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4664         family = sk->sk_family;
4665         if (family == PF_INET || family == PF_INET6) {
4666                 char *addrp;
4667                 struct common_audit_data ad;
4668                 struct lsm_network_audit net = {0,};
4669                 struct sockaddr_in *addr4 = NULL;
4670                 struct sockaddr_in6 *addr6 = NULL;
4671                 u16 family_sa;
4672                 unsigned short snum;
4673                 u32 sid, node_perm;
4674
4675                 /*
4676                  * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4677                  * that validates multiple binding addresses. Because of this
4678                  * need to check address->sa_family as it is possible to have
4679                  * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4680                  */
4681                 if (addrlen < offsetofend(struct sockaddr, sa_family))
4682                         return -EINVAL;
4683                 family_sa = address->sa_family;
4684                 switch (family_sa) {
4685                 case AF_UNSPEC:
4686                 case AF_INET:
4687                         if (addrlen < sizeof(struct sockaddr_in))
4688                                 return -EINVAL;
4689                         addr4 = (struct sockaddr_in *)address;
4690                         if (family_sa == AF_UNSPEC) {
4691                                 if (family == PF_INET6) {
4692                                         /* Length check from inet6_bind_sk() */
4693                                         if (addrlen < SIN6_LEN_RFC2133)
4694                                                 return -EINVAL;
4695                                         /* Family check from __inet6_bind() */
4696                                         goto err_af;
4697                                 }
4698                                 /* see __inet_bind(), we only want to allow
4699                                  * AF_UNSPEC if the address is INADDR_ANY
4700                                  */
4701                                 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4702                                         goto err_af;
4703                                 family_sa = AF_INET;
4704                         }
4705                         snum = ntohs(addr4->sin_port);
4706                         addrp = (char *)&addr4->sin_addr.s_addr;
4707                         break;
4708                 case AF_INET6:
4709                         if (addrlen < SIN6_LEN_RFC2133)
4710                                 return -EINVAL;
4711                         addr6 = (struct sockaddr_in6 *)address;
4712                         snum = ntohs(addr6->sin6_port);
4713                         addrp = (char *)&addr6->sin6_addr.s6_addr;
4714                         break;
4715                 default:
4716                         goto err_af;
4717                 }
4718
4719                 ad.type = LSM_AUDIT_DATA_NET;
4720                 ad.u.net = &net;
4721                 ad.u.net->sport = htons(snum);
4722                 ad.u.net->family = family_sa;
4723
4724                 if (snum) {
4725                         int low, high;
4726
4727                         inet_get_local_port_range(sock_net(sk), &low, &high);
4728
4729                         if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4730                             snum < low || snum > high) {
4731                                 err = sel_netport_sid(sk->sk_protocol,
4732                                                       snum, &sid);
4733                                 if (err)
4734                                         goto out;
4735                                 err = avc_has_perm(sksec->sid, sid,
4736                                                    sksec->sclass,
4737                                                    SOCKET__NAME_BIND, &ad);
4738                                 if (err)
4739                                         goto out;
4740                         }
4741                 }
4742
4743                 switch (sksec->sclass) {
4744                 case SECCLASS_TCP_SOCKET:
4745                         node_perm = TCP_SOCKET__NODE_BIND;
4746                         break;
4747
4748                 case SECCLASS_UDP_SOCKET:
4749                         node_perm = UDP_SOCKET__NODE_BIND;
4750                         break;
4751
4752                 case SECCLASS_DCCP_SOCKET:
4753                         node_perm = DCCP_SOCKET__NODE_BIND;
4754                         break;
4755
4756                 case SECCLASS_SCTP_SOCKET:
4757                         node_perm = SCTP_SOCKET__NODE_BIND;
4758                         break;
4759
4760                 default:
4761                         node_perm = RAWIP_SOCKET__NODE_BIND;
4762                         break;
4763                 }
4764
4765                 err = sel_netnode_sid(addrp, family_sa, &sid);
4766                 if (err)
4767                         goto out;
4768
4769                 if (family_sa == AF_INET)
4770                         ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4771                 else
4772                         ad.u.net->v6info.saddr = addr6->sin6_addr;
4773
4774                 err = avc_has_perm(sksec->sid, sid,
4775                                    sksec->sclass, node_perm, &ad);
4776                 if (err)
4777                         goto out;
4778         }
4779 out:
4780         return err;
4781 err_af:
4782         /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4783         if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4784                 return -EINVAL;
4785         return -EAFNOSUPPORT;
4786 }
4787
4788 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4789  * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4790  */
4791 static int selinux_socket_connect_helper(struct socket *sock,
4792                                          struct sockaddr *address, int addrlen)
4793 {
4794         struct sock *sk = sock->sk;
4795         struct sk_security_struct *sksec = sk->sk_security;
4796         int err;
4797
4798         err = sock_has_perm(sk, SOCKET__CONNECT);
4799         if (err)
4800                 return err;
4801         if (addrlen < offsetofend(struct sockaddr, sa_family))
4802                 return -EINVAL;
4803
4804         /* connect(AF_UNSPEC) has special handling, as it is a documented
4805          * way to disconnect the socket
4806          */
4807         if (address->sa_family == AF_UNSPEC)
4808                 return 0;
4809
4810         /*
4811          * If a TCP, DCCP or SCTP socket, check name_connect permission
4812          * for the port.
4813          */
4814         if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4815             sksec->sclass == SECCLASS_DCCP_SOCKET ||
4816             sksec->sclass == SECCLASS_SCTP_SOCKET) {
4817                 struct common_audit_data ad;
4818                 struct lsm_network_audit net = {0,};
4819                 struct sockaddr_in *addr4 = NULL;
4820                 struct sockaddr_in6 *addr6 = NULL;
4821                 unsigned short snum;
4822                 u32 sid, perm;
4823
4824                 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4825                  * that validates multiple connect addresses. Because of this
4826                  * need to check address->sa_family as it is possible to have
4827                  * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4828                  */
4829                 switch (address->sa_family) {
4830                 case AF_INET:
4831                         addr4 = (struct sockaddr_in *)address;
4832                         if (addrlen < sizeof(struct sockaddr_in))
4833                                 return -EINVAL;
4834                         snum = ntohs(addr4->sin_port);
4835                         break;
4836                 case AF_INET6:
4837                         addr6 = (struct sockaddr_in6 *)address;
4838                         if (addrlen < SIN6_LEN_RFC2133)
4839                                 return -EINVAL;
4840                         snum = ntohs(addr6->sin6_port);
4841                         break;
4842                 default:
4843                         /* Note that SCTP services expect -EINVAL, whereas
4844                          * others expect -EAFNOSUPPORT.
4845                          */
4846                         if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4847                                 return -EINVAL;
4848                         else
4849                                 return -EAFNOSUPPORT;
4850                 }
4851
4852                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4853                 if (err)
4854                         return err;
4855
4856                 switch (sksec->sclass) {
4857                 case SECCLASS_TCP_SOCKET:
4858                         perm = TCP_SOCKET__NAME_CONNECT;
4859                         break;
4860                 case SECCLASS_DCCP_SOCKET:
4861                         perm = DCCP_SOCKET__NAME_CONNECT;
4862                         break;
4863                 case SECCLASS_SCTP_SOCKET:
4864                         perm = SCTP_SOCKET__NAME_CONNECT;
4865                         break;
4866                 }
4867
4868                 ad.type = LSM_AUDIT_DATA_NET;
4869                 ad.u.net = &net;
4870                 ad.u.net->dport = htons(snum);
4871                 ad.u.net->family = address->sa_family;
4872                 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4873                 if (err)
4874                         return err;
4875         }
4876
4877         return 0;
4878 }
4879
4880 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4881 static int selinux_socket_connect(struct socket *sock,
4882                                   struct sockaddr *address, int addrlen)
4883 {
4884         int err;
4885         struct sock *sk = sock->sk;
4886
4887         err = selinux_socket_connect_helper(sock, address, addrlen);
4888         if (err)
4889                 return err;
4890
4891         return selinux_netlbl_socket_connect(sk, address);
4892 }
4893
4894 static int selinux_socket_listen(struct socket *sock, int backlog)
4895 {
4896         return sock_has_perm(sock->sk, SOCKET__LISTEN);
4897 }
4898
4899 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4900 {
4901         int err;
4902         struct inode_security_struct *isec;
4903         struct inode_security_struct *newisec;
4904         u16 sclass;
4905         u32 sid;
4906
4907         err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4908         if (err)
4909                 return err;
4910
4911         isec = inode_security_novalidate(SOCK_INODE(sock));
4912         spin_lock(&isec->lock);
4913         sclass = isec->sclass;
4914         sid = isec->sid;
4915         spin_unlock(&isec->lock);
4916
4917         newisec = inode_security_novalidate(SOCK_INODE(newsock));
4918         newisec->sclass = sclass;
4919         newisec->sid = sid;
4920         newisec->initialized = LABEL_INITIALIZED;
4921
4922         return 0;
4923 }
4924
4925 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4926                                   int size)
4927 {
4928         return sock_has_perm(sock->sk, SOCKET__WRITE);
4929 }
4930
4931 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4932                                   int size, int flags)
4933 {
4934         return sock_has_perm(sock->sk, SOCKET__READ);
4935 }
4936
4937 static int selinux_socket_getsockname(struct socket *sock)
4938 {
4939         return sock_has_perm(sock->sk, SOCKET__GETATTR);
4940 }
4941
4942 static int selinux_socket_getpeername(struct socket *sock)
4943 {
4944         return sock_has_perm(sock->sk, SOCKET__GETATTR);
4945 }
4946
4947 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4948 {
4949         int err;
4950
4951         err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4952         if (err)
4953                 return err;
4954
4955         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4956 }
4957
4958 static int selinux_socket_getsockopt(struct socket *sock, int level,
4959                                      int optname)
4960 {
4961         return sock_has_perm(sock->sk, SOCKET__GETOPT);
4962 }
4963
4964 static int selinux_socket_shutdown(struct socket *sock, int how)
4965 {
4966         return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4967 }
4968
4969 static int selinux_socket_unix_stream_connect(struct sock *sock,
4970                                               struct sock *other,
4971                                               struct sock *newsk)
4972 {
4973         struct sk_security_struct *sksec_sock = sock->sk_security;
4974         struct sk_security_struct *sksec_other = other->sk_security;
4975         struct sk_security_struct *sksec_new = newsk->sk_security;
4976         struct common_audit_data ad;
4977         struct lsm_network_audit net;
4978         int err;
4979
4980         ad_net_init_from_sk(&ad, &net, other);
4981
4982         err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4983                            sksec_other->sclass,
4984                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4985         if (err)
4986                 return err;
4987
4988         /* server child socket */
4989         sksec_new->peer_sid = sksec_sock->sid;
4990         err = security_sid_mls_copy(sksec_other->sid,
4991                                     sksec_sock->sid, &sksec_new->sid);
4992         if (err)
4993                 return err;
4994
4995         /* connecting socket */
4996         sksec_sock->peer_sid = sksec_new->sid;
4997
4998         return 0;
4999 }
5000
5001 static int selinux_socket_unix_may_send(struct socket *sock,
5002                                         struct socket *other)
5003 {
5004         struct sk_security_struct *ssec = sock->sk->sk_security;
5005         struct sk_security_struct *osec = other->sk->sk_security;
5006         struct common_audit_data ad;
5007         struct lsm_network_audit net;
5008
5009         ad_net_init_from_sk(&ad, &net, other->sk);
5010
5011         return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5012                             &ad);
5013 }
5014
5015 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5016                                     char *addrp, u16 family, u32 peer_sid,
5017                                     struct common_audit_data *ad)
5018 {
5019         int err;
5020         u32 if_sid;
5021         u32 node_sid;
5022
5023         err = sel_netif_sid(ns, ifindex, &if_sid);
5024         if (err)
5025                 return err;
5026         err = avc_has_perm(peer_sid, if_sid,
5027                            SECCLASS_NETIF, NETIF__INGRESS, ad);
5028         if (err)
5029                 return err;
5030
5031         err = sel_netnode_sid(addrp, family, &node_sid);
5032         if (err)
5033                 return err;
5034         return avc_has_perm(peer_sid, node_sid,
5035                             SECCLASS_NODE, NODE__RECVFROM, ad);
5036 }
5037
5038 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5039                                        u16 family)
5040 {
5041         int err = 0;
5042         struct sk_security_struct *sksec = sk->sk_security;
5043         u32 sk_sid = sksec->sid;
5044         struct common_audit_data ad;
5045         struct lsm_network_audit net;
5046         char *addrp;
5047
5048         ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5049         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5050         if (err)
5051                 return err;
5052
5053         if (selinux_secmark_enabled()) {
5054                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5055                                    PACKET__RECV, &ad);
5056                 if (err)
5057                         return err;
5058         }
5059
5060         err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5061         if (err)
5062                 return err;
5063         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5064
5065         return err;
5066 }
5067
5068 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5069 {
5070         int err, peerlbl_active, secmark_active;
5071         struct sk_security_struct *sksec = sk->sk_security;
5072         u16 family = sk->sk_family;
5073         u32 sk_sid = sksec->sid;
5074         struct common_audit_data ad;
5075         struct lsm_network_audit net;
5076         char *addrp;
5077
5078         if (family != PF_INET && family != PF_INET6)
5079                 return 0;
5080
5081         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5082         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5083                 family = PF_INET;
5084
5085         /* If any sort of compatibility mode is enabled then handoff processing
5086          * to the selinux_sock_rcv_skb_compat() function to deal with the
5087          * special handling.  We do this in an attempt to keep this function
5088          * as fast and as clean as possible. */
5089         if (!selinux_policycap_netpeer())
5090                 return selinux_sock_rcv_skb_compat(sk, skb, family);
5091
5092         secmark_active = selinux_secmark_enabled();
5093         peerlbl_active = selinux_peerlbl_enabled();
5094         if (!secmark_active && !peerlbl_active)
5095                 return 0;
5096
5097         ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5098         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5099         if (err)
5100                 return err;
5101
5102         if (peerlbl_active) {
5103                 u32 peer_sid;
5104
5105                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5106                 if (err)
5107                         return err;
5108                 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5109                                                addrp, family, peer_sid, &ad);
5110                 if (err) {
5111                         selinux_netlbl_err(skb, family, err, 0);
5112                         return err;
5113                 }
5114                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5115                                    PEER__RECV, &ad);
5116                 if (err) {
5117                         selinux_netlbl_err(skb, family, err, 0);
5118                         return err;
5119                 }
5120         }
5121
5122         if (secmark_active) {
5123                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5124                                    PACKET__RECV, &ad);
5125                 if (err)
5126                         return err;
5127         }
5128
5129         return err;
5130 }
5131
5132 static int selinux_socket_getpeersec_stream(struct socket *sock,
5133                                             sockptr_t optval, sockptr_t optlen,
5134                                             unsigned int len)
5135 {
5136         int err = 0;
5137         char *scontext = NULL;
5138         u32 scontext_len;
5139         struct sk_security_struct *sksec = sock->sk->sk_security;
5140         u32 peer_sid = SECSID_NULL;
5141
5142         if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5143             sksec->sclass == SECCLASS_TCP_SOCKET ||
5144             sksec->sclass == SECCLASS_SCTP_SOCKET)
5145                 peer_sid = sksec->peer_sid;
5146         if (peer_sid == SECSID_NULL)
5147                 return -ENOPROTOOPT;
5148
5149         err = security_sid_to_context(peer_sid, &scontext,
5150                                       &scontext_len);
5151         if (err)
5152                 return err;
5153         if (scontext_len > len) {
5154                 err = -ERANGE;
5155                 goto out_len;
5156         }
5157
5158         if (copy_to_sockptr(optval, scontext, scontext_len))
5159                 err = -EFAULT;
5160 out_len:
5161         if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5162                 err = -EFAULT;
5163         kfree(scontext);
5164         return err;
5165 }
5166
5167 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5168 {
5169         u32 peer_secid = SECSID_NULL;
5170         u16 family;
5171         struct inode_security_struct *isec;
5172
5173         if (skb && skb->protocol == htons(ETH_P_IP))
5174                 family = PF_INET;
5175         else if (skb && skb->protocol == htons(ETH_P_IPV6))
5176                 family = PF_INET6;
5177         else if (sock)
5178                 family = sock->sk->sk_family;
5179         else
5180                 goto out;
5181
5182         if (sock && family == PF_UNIX) {
5183                 isec = inode_security_novalidate(SOCK_INODE(sock));
5184                 peer_secid = isec->sid;
5185         } else if (skb)
5186                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5187
5188 out:
5189         *secid = peer_secid;
5190         if (peer_secid == SECSID_NULL)
5191                 return -EINVAL;
5192         return 0;
5193 }
5194
5195 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5196 {
5197         struct sk_security_struct *sksec;
5198
5199         sksec = kzalloc(sizeof(*sksec), priority);
5200         if (!sksec)
5201                 return -ENOMEM;
5202
5203         sksec->peer_sid = SECINITSID_UNLABELED;
5204         sksec->sid = SECINITSID_UNLABELED;
5205         sksec->sclass = SECCLASS_SOCKET;
5206         selinux_netlbl_sk_security_reset(sksec);
5207         sk->sk_security = sksec;
5208
5209         return 0;
5210 }
5211
5212 static void selinux_sk_free_security(struct sock *sk)
5213 {
5214         struct sk_security_struct *sksec = sk->sk_security;
5215
5216         sk->sk_security = NULL;
5217         selinux_netlbl_sk_security_free(sksec);
5218         kfree(sksec);
5219 }
5220
5221 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5222 {
5223         struct sk_security_struct *sksec = sk->sk_security;
5224         struct sk_security_struct *newsksec = newsk->sk_security;
5225
5226         newsksec->sid = sksec->sid;
5227         newsksec->peer_sid = sksec->peer_sid;
5228         newsksec->sclass = sksec->sclass;
5229
5230         selinux_netlbl_sk_security_reset(newsksec);
5231 }
5232
5233 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5234 {
5235         if (!sk)
5236                 *secid = SECINITSID_ANY_SOCKET;
5237         else {
5238                 const struct sk_security_struct *sksec = sk->sk_security;
5239
5240                 *secid = sksec->sid;
5241         }
5242 }
5243
5244 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5245 {
5246         struct inode_security_struct *isec =
5247                 inode_security_novalidate(SOCK_INODE(parent));
5248         struct sk_security_struct *sksec = sk->sk_security;
5249
5250         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5251             sk->sk_family == PF_UNIX)
5252                 isec->sid = sksec->sid;
5253         sksec->sclass = isec->sclass;
5254 }
5255
5256 /*
5257  * Determines peer_secid for the asoc and updates socket's peer label
5258  * if it's the first association on the socket.
5259  */
5260 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5261                                           struct sk_buff *skb)
5262 {
5263         struct sock *sk = asoc->base.sk;
5264         u16 family = sk->sk_family;
5265         struct sk_security_struct *sksec = sk->sk_security;
5266         struct common_audit_data ad;
5267         struct lsm_network_audit net;
5268         int err;
5269
5270         /* handle mapped IPv4 packets arriving via IPv6 sockets */
5271         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5272                 family = PF_INET;
5273
5274         if (selinux_peerlbl_enabled()) {
5275                 asoc->peer_secid = SECSID_NULL;
5276
5277                 /* This will return peer_sid = SECSID_NULL if there are
5278                  * no peer labels, see security_net_peersid_resolve().
5279                  */
5280                 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5281                 if (err)
5282                         return err;
5283
5284                 if (asoc->peer_secid == SECSID_NULL)
5285                         asoc->peer_secid = SECINITSID_UNLABELED;
5286         } else {
5287                 asoc->peer_secid = SECINITSID_UNLABELED;
5288         }
5289
5290         if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5291                 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5292
5293                 /* Here as first association on socket. As the peer SID
5294                  * was allowed by peer recv (and the netif/node checks),
5295                  * then it is approved by policy and used as the primary
5296                  * peer SID for getpeercon(3).
5297                  */
5298                 sksec->peer_sid = asoc->peer_secid;
5299         } else if (sksec->peer_sid != asoc->peer_secid) {
5300                 /* Other association peer SIDs are checked to enforce
5301                  * consistency among the peer SIDs.
5302                  */
5303                 ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5304                 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5305                                    sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5306                                    &ad);
5307                 if (err)
5308                         return err;
5309         }
5310         return 0;
5311 }
5312
5313 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5314  * happens on an incoming connect(2), sctp_connectx(3) or
5315  * sctp_sendmsg(3) (with no association already present).
5316  */
5317 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5318                                       struct sk_buff *skb)
5319 {
5320         struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5321         u32 conn_sid;
5322         int err;
5323
5324         if (!selinux_policycap_extsockclass())
5325                 return 0;
5326
5327         err = selinux_sctp_process_new_assoc(asoc, skb);
5328         if (err)
5329                 return err;
5330
5331         /* Compute the MLS component for the connection and store
5332          * the information in asoc. This will be used by SCTP TCP type
5333          * sockets and peeled off connections as they cause a new
5334          * socket to be generated. selinux_sctp_sk_clone() will then
5335          * plug this into the new socket.
5336          */
5337         err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5338         if (err)
5339                 return err;
5340
5341         asoc->secid = conn_sid;
5342
5343         /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5344         return selinux_netlbl_sctp_assoc_request(asoc, skb);
5345 }
5346
5347 /* Called when SCTP receives a COOKIE ACK chunk as the final
5348  * response to an association request (initited by us).
5349  */
5350 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5351                                           struct sk_buff *skb)
5352 {
5353         struct sk_security_struct *sksec = asoc->base.sk->sk_security;
5354
5355         if (!selinux_policycap_extsockclass())
5356                 return 0;
5357
5358         /* Inherit secid from the parent socket - this will be picked up
5359          * by selinux_sctp_sk_clone() if the association gets peeled off
5360          * into a new socket.
5361          */
5362         asoc->secid = sksec->sid;
5363
5364         return selinux_sctp_process_new_assoc(asoc, skb);
5365 }
5366
5367 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5368  * based on their @optname.
5369  */
5370 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5371                                      struct sockaddr *address,
5372                                      int addrlen)
5373 {
5374         int len, err = 0, walk_size = 0;
5375         void *addr_buf;
5376         struct sockaddr *addr;
5377         struct socket *sock;
5378
5379         if (!selinux_policycap_extsockclass())
5380                 return 0;
5381
5382         /* Process one or more addresses that may be IPv4 or IPv6 */
5383         sock = sk->sk_socket;
5384         addr_buf = address;
5385
5386         while (walk_size < addrlen) {
5387                 if (walk_size + sizeof(sa_family_t) > addrlen)
5388                         return -EINVAL;
5389
5390                 addr = addr_buf;
5391                 switch (addr->sa_family) {
5392                 case AF_UNSPEC:
5393                 case AF_INET:
5394                         len = sizeof(struct sockaddr_in);
5395                         break;
5396                 case AF_INET6:
5397                         len = sizeof(struct sockaddr_in6);
5398                         break;
5399                 default:
5400                         return -EINVAL;
5401                 }
5402
5403                 if (walk_size + len > addrlen)
5404                         return -EINVAL;
5405
5406                 err = -EINVAL;
5407                 switch (optname) {
5408                 /* Bind checks */
5409                 case SCTP_PRIMARY_ADDR:
5410                 case SCTP_SET_PEER_PRIMARY_ADDR:
5411                 case SCTP_SOCKOPT_BINDX_ADD:
5412                         err = selinux_socket_bind(sock, addr, len);
5413                         break;
5414                 /* Connect checks */
5415                 case SCTP_SOCKOPT_CONNECTX:
5416                 case SCTP_PARAM_SET_PRIMARY:
5417                 case SCTP_PARAM_ADD_IP:
5418                 case SCTP_SENDMSG_CONNECT:
5419                         err = selinux_socket_connect_helper(sock, addr, len);
5420                         if (err)
5421                                 return err;
5422
5423                         /* As selinux_sctp_bind_connect() is called by the
5424                          * SCTP protocol layer, the socket is already locked,
5425                          * therefore selinux_netlbl_socket_connect_locked()
5426                          * is called here. The situations handled are:
5427                          * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5428                          * whenever a new IP address is added or when a new
5429                          * primary address is selected.
5430                          * Note that an SCTP connect(2) call happens before
5431                          * the SCTP protocol layer and is handled via
5432                          * selinux_socket_connect().
5433                          */
5434                         err = selinux_netlbl_socket_connect_locked(sk, addr);
5435                         break;
5436                 }
5437
5438                 if (err)
5439                         return err;
5440
5441                 addr_buf += len;
5442                 walk_size += len;
5443         }
5444
5445         return 0;
5446 }
5447
5448 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5449 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5450                                   struct sock *newsk)
5451 {
5452         struct sk_security_struct *sksec = sk->sk_security;
5453         struct sk_security_struct *newsksec = newsk->sk_security;
5454
5455         /* If policy does not support SECCLASS_SCTP_SOCKET then call
5456          * the non-sctp clone version.
5457          */
5458         if (!selinux_policycap_extsockclass())
5459                 return selinux_sk_clone_security(sk, newsk);
5460
5461         newsksec->sid = asoc->secid;
5462         newsksec->peer_sid = asoc->peer_secid;
5463         newsksec->sclass = sksec->sclass;
5464         selinux_netlbl_sctp_sk_clone(sk, newsk);
5465 }
5466
5467 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5468 {
5469         struct sk_security_struct *ssksec = ssk->sk_security;
5470         struct sk_security_struct *sksec = sk->sk_security;
5471
5472         ssksec->sclass = sksec->sclass;
5473         ssksec->sid = sksec->sid;
5474
5475         /* replace the existing subflow label deleting the existing one
5476          * and re-recreating a new label using the updated context
5477          */
5478         selinux_netlbl_sk_security_free(ssksec);
5479         return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5480 }
5481
5482 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5483                                      struct request_sock *req)
5484 {
5485         struct sk_security_struct *sksec = sk->sk_security;
5486         int err;
5487         u16 family = req->rsk_ops->family;
5488         u32 connsid;
5489         u32 peersid;
5490
5491         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5492         if (err)
5493                 return err;
5494         err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5495         if (err)
5496                 return err;
5497         req->secid = connsid;
5498         req->peer_secid = peersid;
5499
5500         return selinux_netlbl_inet_conn_request(req, family);
5501 }
5502
5503 static void selinux_inet_csk_clone(struct sock *newsk,
5504                                    const struct request_sock *req)
5505 {
5506         struct sk_security_struct *newsksec = newsk->sk_security;
5507
5508         newsksec->sid = req->secid;
5509         newsksec->peer_sid = req->peer_secid;
5510         /* NOTE: Ideally, we should also get the isec->sid for the
5511            new socket in sync, but we don't have the isec available yet.
5512            So we will wait until sock_graft to do it, by which
5513            time it will have been created and available. */
5514
5515         /* We don't need to take any sort of lock here as we are the only
5516          * thread with access to newsksec */
5517         selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5518 }
5519
5520 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5521 {
5522         u16 family = sk->sk_family;
5523         struct sk_security_struct *sksec = sk->sk_security;
5524
5525         /* handle mapped IPv4 packets arriving via IPv6 sockets */
5526         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5527                 family = PF_INET;
5528
5529         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5530 }
5531
5532 static int selinux_secmark_relabel_packet(u32 sid)
5533 {
5534         const struct task_security_struct *tsec;
5535         u32 tsid;
5536
5537         tsec = selinux_cred(current_cred());
5538         tsid = tsec->sid;
5539
5540         return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5541                             NULL);
5542 }
5543
5544 static void selinux_secmark_refcount_inc(void)
5545 {
5546         atomic_inc(&selinux_secmark_refcount);
5547 }
5548
5549 static void selinux_secmark_refcount_dec(void)
5550 {
5551         atomic_dec(&selinux_secmark_refcount);
5552 }
5553
5554 static void selinux_req_classify_flow(const struct request_sock *req,
5555                                       struct flowi_common *flic)
5556 {
5557         flic->flowic_secid = req->secid;
5558 }
5559
5560 static int selinux_tun_dev_alloc_security(void **security)
5561 {
5562         struct tun_security_struct *tunsec;
5563
5564         tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5565         if (!tunsec)
5566                 return -ENOMEM;
5567         tunsec->sid = current_sid();
5568
5569         *security = tunsec;
5570         return 0;
5571 }
5572
5573 static void selinux_tun_dev_free_security(void *security)
5574 {
5575         kfree(security);
5576 }
5577
5578 static int selinux_tun_dev_create(void)
5579 {
5580         u32 sid = current_sid();
5581
5582         /* we aren't taking into account the "sockcreate" SID since the socket
5583          * that is being created here is not a socket in the traditional sense,
5584          * instead it is a private sock, accessible only to the kernel, and
5585          * representing a wide range of network traffic spanning multiple
5586          * connections unlike traditional sockets - check the TUN driver to
5587          * get a better understanding of why this socket is special */
5588
5589         return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5590                             NULL);
5591 }
5592
5593 static int selinux_tun_dev_attach_queue(void *security)
5594 {
5595         struct tun_security_struct *tunsec = security;
5596
5597         return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5598                             TUN_SOCKET__ATTACH_QUEUE, NULL);
5599 }
5600
5601 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5602 {
5603         struct tun_security_struct *tunsec = security;
5604         struct sk_security_struct *sksec = sk->sk_security;
5605
5606         /* we don't currently perform any NetLabel based labeling here and it
5607          * isn't clear that we would want to do so anyway; while we could apply
5608          * labeling without the support of the TUN user the resulting labeled
5609          * traffic from the other end of the connection would almost certainly
5610          * cause confusion to the TUN user that had no idea network labeling
5611          * protocols were being used */
5612
5613         sksec->sid = tunsec->sid;
5614         sksec->sclass = SECCLASS_TUN_SOCKET;
5615
5616         return 0;
5617 }
5618
5619 static int selinux_tun_dev_open(void *security)
5620 {
5621         struct tun_security_struct *tunsec = security;
5622         u32 sid = current_sid();
5623         int err;
5624
5625         err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5626                            TUN_SOCKET__RELABELFROM, NULL);
5627         if (err)
5628                 return err;
5629         err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5630                            TUN_SOCKET__RELABELTO, NULL);
5631         if (err)
5632                 return err;
5633         tunsec->sid = sid;
5634
5635         return 0;
5636 }
5637
5638 #ifdef CONFIG_NETFILTER
5639
5640 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5641                                        const struct nf_hook_state *state)
5642 {
5643         int ifindex;
5644         u16 family;
5645         char *addrp;
5646         u32 peer_sid;
5647         struct common_audit_data ad;
5648         struct lsm_network_audit net;
5649         int secmark_active, peerlbl_active;
5650
5651         if (!selinux_policycap_netpeer())
5652                 return NF_ACCEPT;
5653
5654         secmark_active = selinux_secmark_enabled();
5655         peerlbl_active = selinux_peerlbl_enabled();
5656         if (!secmark_active && !peerlbl_active)
5657                 return NF_ACCEPT;
5658
5659         family = state->pf;
5660         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5661                 return NF_DROP;
5662
5663         ifindex = state->in->ifindex;
5664         ad_net_init_from_iif(&ad, &net, ifindex, family);
5665         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5666                 return NF_DROP;
5667
5668         if (peerlbl_active) {
5669                 int err;
5670
5671                 err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5672                                                addrp, family, peer_sid, &ad);
5673                 if (err) {
5674                         selinux_netlbl_err(skb, family, err, 1);
5675                         return NF_DROP;
5676                 }
5677         }
5678
5679         if (secmark_active)
5680                 if (avc_has_perm(peer_sid, skb->secmark,
5681                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5682                         return NF_DROP;
5683
5684         if (netlbl_enabled())
5685                 /* we do this in the FORWARD path and not the POST_ROUTING
5686                  * path because we want to make sure we apply the necessary
5687                  * labeling before IPsec is applied so we can leverage AH
5688                  * protection */
5689                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5690                         return NF_DROP;
5691
5692         return NF_ACCEPT;
5693 }
5694
5695 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5696                                       const struct nf_hook_state *state)
5697 {
5698         struct sock *sk;
5699         u32 sid;
5700
5701         if (!netlbl_enabled())
5702                 return NF_ACCEPT;
5703
5704         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5705          * because we want to make sure we apply the necessary labeling
5706          * before IPsec is applied so we can leverage AH protection */
5707         sk = skb->sk;
5708         if (sk) {
5709                 struct sk_security_struct *sksec;
5710
5711                 if (sk_listener(sk))
5712                         /* if the socket is the listening state then this
5713                          * packet is a SYN-ACK packet which means it needs to
5714                          * be labeled based on the connection/request_sock and
5715                          * not the parent socket.  unfortunately, we can't
5716                          * lookup the request_sock yet as it isn't queued on
5717                          * the parent socket until after the SYN-ACK is sent.
5718                          * the "solution" is to simply pass the packet as-is
5719                          * as any IP option based labeling should be copied
5720                          * from the initial connection request (in the IP
5721                          * layer).  it is far from ideal, but until we get a
5722                          * security label in the packet itself this is the
5723                          * best we can do. */
5724                         return NF_ACCEPT;
5725
5726                 /* standard practice, label using the parent socket */
5727                 sksec = sk->sk_security;
5728                 sid = sksec->sid;
5729         } else
5730                 sid = SECINITSID_KERNEL;
5731         if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5732                 return NF_DROP;
5733
5734         return NF_ACCEPT;
5735 }
5736
5737
5738 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5739                                         const struct nf_hook_state *state)
5740 {
5741         struct sock *sk;
5742         struct sk_security_struct *sksec;
5743         struct common_audit_data ad;
5744         struct lsm_network_audit net;
5745         u8 proto = 0;
5746
5747         sk = skb_to_full_sk(skb);
5748         if (sk == NULL)
5749                 return NF_ACCEPT;
5750         sksec = sk->sk_security;
5751
5752         ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5753         if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5754                 return NF_DROP;
5755
5756         if (selinux_secmark_enabled())
5757                 if (avc_has_perm(sksec->sid, skb->secmark,
5758                                  SECCLASS_PACKET, PACKET__SEND, &ad))
5759                         return NF_DROP_ERR(-ECONNREFUSED);
5760
5761         if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5762                 return NF_DROP_ERR(-ECONNREFUSED);
5763
5764         return NF_ACCEPT;
5765 }
5766
5767 static unsigned int selinux_ip_postroute(void *priv,
5768                                          struct sk_buff *skb,
5769                                          const struct nf_hook_state *state)
5770 {
5771         u16 family;
5772         u32 secmark_perm;
5773         u32 peer_sid;
5774         int ifindex;
5775         struct sock *sk;
5776         struct common_audit_data ad;
5777         struct lsm_network_audit net;
5778         char *addrp;
5779         int secmark_active, peerlbl_active;
5780
5781         /* If any sort of compatibility mode is enabled then handoff processing
5782          * to the selinux_ip_postroute_compat() function to deal with the
5783          * special handling.  We do this in an attempt to keep this function
5784          * as fast and as clean as possible. */
5785         if (!selinux_policycap_netpeer())
5786                 return selinux_ip_postroute_compat(skb, state);
5787
5788         secmark_active = selinux_secmark_enabled();
5789         peerlbl_active = selinux_peerlbl_enabled();
5790         if (!secmark_active && !peerlbl_active)
5791                 return NF_ACCEPT;
5792
5793         sk = skb_to_full_sk(skb);
5794
5795 #ifdef CONFIG_XFRM
5796         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5797          * packet transformation so allow the packet to pass without any checks
5798          * since we'll have another chance to perform access control checks
5799          * when the packet is on it's final way out.
5800          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5801          *       is NULL, in this case go ahead and apply access control.
5802          * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5803          *       TCP listening state we cannot wait until the XFRM processing
5804          *       is done as we will miss out on the SA label if we do;
5805          *       unfortunately, this means more work, but it is only once per
5806          *       connection. */
5807         if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5808             !(sk && sk_listener(sk)))
5809                 return NF_ACCEPT;
5810 #endif
5811
5812         family = state->pf;
5813         if (sk == NULL) {
5814                 /* Without an associated socket the packet is either coming
5815                  * from the kernel or it is being forwarded; check the packet
5816                  * to determine which and if the packet is being forwarded
5817                  * query the packet directly to determine the security label. */
5818                 if (skb->skb_iif) {
5819                         secmark_perm = PACKET__FORWARD_OUT;
5820                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5821                                 return NF_DROP;
5822                 } else {
5823                         secmark_perm = PACKET__SEND;
5824                         peer_sid = SECINITSID_KERNEL;
5825                 }
5826         } else if (sk_listener(sk)) {
5827                 /* Locally generated packet but the associated socket is in the
5828                  * listening state which means this is a SYN-ACK packet.  In
5829                  * this particular case the correct security label is assigned
5830                  * to the connection/request_sock but unfortunately we can't
5831                  * query the request_sock as it isn't queued on the parent
5832                  * socket until after the SYN-ACK packet is sent; the only
5833                  * viable choice is to regenerate the label like we do in
5834                  * selinux_inet_conn_request().  See also selinux_ip_output()
5835                  * for similar problems. */
5836                 u32 skb_sid;
5837                 struct sk_security_struct *sksec;
5838
5839                 sksec = sk->sk_security;
5840                 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5841                         return NF_DROP;
5842                 /* At this point, if the returned skb peerlbl is SECSID_NULL
5843                  * and the packet has been through at least one XFRM
5844                  * transformation then we must be dealing with the "final"
5845                  * form of labeled IPsec packet; since we've already applied
5846                  * all of our access controls on this packet we can safely
5847                  * pass the packet. */
5848                 if (skb_sid == SECSID_NULL) {
5849                         switch (family) {
5850                         case PF_INET:
5851                                 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5852                                         return NF_ACCEPT;
5853                                 break;
5854                         case PF_INET6:
5855                                 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5856                                         return NF_ACCEPT;
5857                                 break;
5858                         default:
5859                                 return NF_DROP_ERR(-ECONNREFUSED);
5860                         }
5861                 }
5862                 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5863                         return NF_DROP;
5864                 secmark_perm = PACKET__SEND;
5865         } else {
5866                 /* Locally generated packet, fetch the security label from the
5867                  * associated socket. */
5868                 struct sk_security_struct *sksec = sk->sk_security;
5869                 peer_sid = sksec->sid;
5870                 secmark_perm = PACKET__SEND;
5871         }
5872
5873         ifindex = state->out->ifindex;
5874         ad_net_init_from_iif(&ad, &net, ifindex, family);
5875         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5876                 return NF_DROP;
5877
5878         if (secmark_active)
5879                 if (avc_has_perm(peer_sid, skb->secmark,
5880                                  SECCLASS_PACKET, secmark_perm, &ad))
5881                         return NF_DROP_ERR(-ECONNREFUSED);
5882
5883         if (peerlbl_active) {
5884                 u32 if_sid;
5885                 u32 node_sid;
5886
5887                 if (sel_netif_sid(state->net, ifindex, &if_sid))
5888                         return NF_DROP;
5889                 if (avc_has_perm(peer_sid, if_sid,
5890                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
5891                         return NF_DROP_ERR(-ECONNREFUSED);
5892
5893                 if (sel_netnode_sid(addrp, family, &node_sid))
5894                         return NF_DROP;
5895                 if (avc_has_perm(peer_sid, node_sid,
5896                                  SECCLASS_NODE, NODE__SENDTO, &ad))
5897                         return NF_DROP_ERR(-ECONNREFUSED);
5898         }
5899
5900         return NF_ACCEPT;
5901 }
5902 #endif  /* CONFIG_NETFILTER */
5903
5904 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5905 {
5906         int rc = 0;
5907         unsigned int msg_len;
5908         unsigned int data_len = skb->len;
5909         unsigned char *data = skb->data;
5910         struct nlmsghdr *nlh;
5911         struct sk_security_struct *sksec = sk->sk_security;
5912         u16 sclass = sksec->sclass;
5913         u32 perm;
5914
5915         while (data_len >= nlmsg_total_size(0)) {
5916                 nlh = (struct nlmsghdr *)data;
5917
5918                 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
5919                  *       users which means we can't reject skb's with bogus
5920                  *       length fields; our solution is to follow what
5921                  *       netlink_rcv_skb() does and simply skip processing at
5922                  *       messages with length fields that are clearly junk
5923                  */
5924                 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
5925                         return 0;
5926
5927                 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
5928                 if (rc == 0) {
5929                         rc = sock_has_perm(sk, perm);
5930                         if (rc)
5931                                 return rc;
5932                 } else if (rc == -EINVAL) {
5933                         /* -EINVAL is a missing msg/perm mapping */
5934                         pr_warn_ratelimited("SELinux: unrecognized netlink"
5935                                 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5936                                 " pid=%d comm=%s\n",
5937                                 sk->sk_protocol, nlh->nlmsg_type,
5938                                 secclass_map[sclass - 1].name,
5939                                 task_pid_nr(current), current->comm);
5940                         if (enforcing_enabled() &&
5941                             !security_get_allow_unknown())
5942                                 return rc;
5943                         rc = 0;
5944                 } else if (rc == -ENOENT) {
5945                         /* -ENOENT is a missing socket/class mapping, ignore */
5946                         rc = 0;
5947                 } else {
5948                         return rc;
5949                 }
5950
5951                 /* move to the next message after applying netlink padding */
5952                 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
5953                 if (msg_len >= data_len)
5954                         return 0;
5955                 data_len -= msg_len;
5956                 data += msg_len;
5957         }
5958
5959         return rc;
5960 }
5961
5962 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5963 {
5964         isec->sclass = sclass;
5965         isec->sid = current_sid();
5966 }
5967
5968 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5969                         u32 perms)
5970 {
5971         struct ipc_security_struct *isec;
5972         struct common_audit_data ad;
5973         u32 sid = current_sid();
5974
5975         isec = selinux_ipc(ipc_perms);
5976
5977         ad.type = LSM_AUDIT_DATA_IPC;
5978         ad.u.ipc_id = ipc_perms->key;
5979
5980         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5981 }
5982
5983 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5984 {
5985         struct msg_security_struct *msec;
5986
5987         msec = selinux_msg_msg(msg);
5988         msec->sid = SECINITSID_UNLABELED;
5989
5990         return 0;
5991 }
5992
5993 /* message queue security operations */
5994 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5995 {
5996         struct ipc_security_struct *isec;
5997         struct common_audit_data ad;
5998         u32 sid = current_sid();
5999
6000         isec = selinux_ipc(msq);
6001         ipc_init_security(isec, SECCLASS_MSGQ);
6002
6003         ad.type = LSM_AUDIT_DATA_IPC;
6004         ad.u.ipc_id = msq->key;
6005
6006         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6007                             MSGQ__CREATE, &ad);
6008 }
6009
6010 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6011 {
6012         struct ipc_security_struct *isec;
6013         struct common_audit_data ad;
6014         u32 sid = current_sid();
6015
6016         isec = selinux_ipc(msq);
6017
6018         ad.type = LSM_AUDIT_DATA_IPC;
6019         ad.u.ipc_id = msq->key;
6020
6021         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6022                             MSGQ__ASSOCIATE, &ad);
6023 }
6024
6025 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6026 {
6027         u32 perms;
6028
6029         switch (cmd) {
6030         case IPC_INFO:
6031         case MSG_INFO:
6032                 /* No specific object, just general system-wide information. */
6033                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6034                                     SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6035         case IPC_STAT:
6036         case MSG_STAT:
6037         case MSG_STAT_ANY:
6038                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6039                 break;
6040         case IPC_SET:
6041                 perms = MSGQ__SETATTR;
6042                 break;
6043         case IPC_RMID:
6044                 perms = MSGQ__DESTROY;
6045                 break;
6046         default:
6047                 return 0;
6048         }
6049
6050         return ipc_has_perm(msq, perms);
6051 }
6052
6053 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6054 {
6055         struct ipc_security_struct *isec;
6056         struct msg_security_struct *msec;
6057         struct common_audit_data ad;
6058         u32 sid = current_sid();
6059         int rc;
6060
6061         isec = selinux_ipc(msq);
6062         msec = selinux_msg_msg(msg);
6063
6064         /*
6065          * First time through, need to assign label to the message
6066          */
6067         if (msec->sid == SECINITSID_UNLABELED) {
6068                 /*
6069                  * Compute new sid based on current process and
6070                  * message queue this message will be stored in
6071                  */
6072                 rc = security_transition_sid(sid, isec->sid,
6073                                              SECCLASS_MSG, NULL, &msec->sid);
6074                 if (rc)
6075                         return rc;
6076         }
6077
6078         ad.type = LSM_AUDIT_DATA_IPC;
6079         ad.u.ipc_id = msq->key;
6080
6081         /* Can this process write to the queue? */
6082         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6083                           MSGQ__WRITE, &ad);
6084         if (!rc)
6085                 /* Can this process send the message */
6086                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6087                                   MSG__SEND, &ad);
6088         if (!rc)
6089                 /* Can the message be put in the queue? */
6090                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6091                                   MSGQ__ENQUEUE, &ad);
6092
6093         return rc;
6094 }
6095
6096 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6097                                     struct task_struct *target,
6098                                     long type, int mode)
6099 {
6100         struct ipc_security_struct *isec;
6101         struct msg_security_struct *msec;
6102         struct common_audit_data ad;
6103         u32 sid = task_sid_obj(target);
6104         int rc;
6105
6106         isec = selinux_ipc(msq);
6107         msec = selinux_msg_msg(msg);
6108
6109         ad.type = LSM_AUDIT_DATA_IPC;
6110         ad.u.ipc_id = msq->key;
6111
6112         rc = avc_has_perm(sid, isec->sid,
6113                           SECCLASS_MSGQ, MSGQ__READ, &ad);
6114         if (!rc)
6115                 rc = avc_has_perm(sid, msec->sid,
6116                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
6117         return rc;
6118 }
6119
6120 /* Shared Memory security operations */
6121 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6122 {
6123         struct ipc_security_struct *isec;
6124         struct common_audit_data ad;
6125         u32 sid = current_sid();
6126
6127         isec = selinux_ipc(shp);
6128         ipc_init_security(isec, SECCLASS_SHM);
6129
6130         ad.type = LSM_AUDIT_DATA_IPC;
6131         ad.u.ipc_id = shp->key;
6132
6133         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6134                             SHM__CREATE, &ad);
6135 }
6136
6137 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6138 {
6139         struct ipc_security_struct *isec;
6140         struct common_audit_data ad;
6141         u32 sid = current_sid();
6142
6143         isec = selinux_ipc(shp);
6144
6145         ad.type = LSM_AUDIT_DATA_IPC;
6146         ad.u.ipc_id = shp->key;
6147
6148         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6149                             SHM__ASSOCIATE, &ad);
6150 }
6151
6152 /* Note, at this point, shp is locked down */
6153 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6154 {
6155         u32 perms;
6156
6157         switch (cmd) {
6158         case IPC_INFO:
6159         case SHM_INFO:
6160                 /* No specific object, just general system-wide information. */
6161                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6162                                     SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6163         case IPC_STAT:
6164         case SHM_STAT:
6165         case SHM_STAT_ANY:
6166                 perms = SHM__GETATTR | SHM__ASSOCIATE;
6167                 break;
6168         case IPC_SET:
6169                 perms = SHM__SETATTR;
6170                 break;
6171         case SHM_LOCK:
6172         case SHM_UNLOCK:
6173                 perms = SHM__LOCK;
6174                 break;
6175         case IPC_RMID:
6176                 perms = SHM__DESTROY;
6177                 break;
6178         default:
6179                 return 0;
6180         }
6181
6182         return ipc_has_perm(shp, perms);
6183 }
6184
6185 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6186                              char __user *shmaddr, int shmflg)
6187 {
6188         u32 perms;
6189
6190         if (shmflg & SHM_RDONLY)
6191                 perms = SHM__READ;
6192         else
6193                 perms = SHM__READ | SHM__WRITE;
6194
6195         return ipc_has_perm(shp, perms);
6196 }
6197
6198 /* Semaphore security operations */
6199 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6200 {
6201         struct ipc_security_struct *isec;
6202         struct common_audit_data ad;
6203         u32 sid = current_sid();
6204
6205         isec = selinux_ipc(sma);
6206         ipc_init_security(isec, SECCLASS_SEM);
6207
6208         ad.type = LSM_AUDIT_DATA_IPC;
6209         ad.u.ipc_id = sma->key;
6210
6211         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6212                             SEM__CREATE, &ad);
6213 }
6214
6215 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6216 {
6217         struct ipc_security_struct *isec;
6218         struct common_audit_data ad;
6219         u32 sid = current_sid();
6220
6221         isec = selinux_ipc(sma);
6222
6223         ad.type = LSM_AUDIT_DATA_IPC;
6224         ad.u.ipc_id = sma->key;
6225
6226         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6227                             SEM__ASSOCIATE, &ad);
6228 }
6229
6230 /* Note, at this point, sma is locked down */
6231 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6232 {
6233         int err;
6234         u32 perms;
6235
6236         switch (cmd) {
6237         case IPC_INFO:
6238         case SEM_INFO:
6239                 /* No specific object, just general system-wide information. */
6240                 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6241                                     SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6242         case GETPID:
6243         case GETNCNT:
6244         case GETZCNT:
6245                 perms = SEM__GETATTR;
6246                 break;
6247         case GETVAL:
6248         case GETALL:
6249                 perms = SEM__READ;
6250                 break;
6251         case SETVAL:
6252         case SETALL:
6253                 perms = SEM__WRITE;
6254                 break;
6255         case IPC_RMID:
6256                 perms = SEM__DESTROY;
6257                 break;
6258         case IPC_SET:
6259                 perms = SEM__SETATTR;
6260                 break;
6261         case IPC_STAT:
6262         case SEM_STAT:
6263         case SEM_STAT_ANY:
6264                 perms = SEM__GETATTR | SEM__ASSOCIATE;
6265                 break;
6266         default:
6267                 return 0;
6268         }
6269
6270         err = ipc_has_perm(sma, perms);
6271         return err;
6272 }
6273
6274 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6275                              struct sembuf *sops, unsigned nsops, int alter)
6276 {
6277         u32 perms;
6278
6279         if (alter)
6280                 perms = SEM__READ | SEM__WRITE;
6281         else
6282                 perms = SEM__READ;
6283
6284         return ipc_has_perm(sma, perms);
6285 }
6286
6287 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6288 {
6289         u32 av = 0;
6290
6291         av = 0;
6292         if (flag & S_IRUGO)
6293                 av |= IPC__UNIX_READ;
6294         if (flag & S_IWUGO)
6295                 av |= IPC__UNIX_WRITE;
6296
6297         if (av == 0)
6298                 return 0;
6299
6300         return ipc_has_perm(ipcp, av);
6301 }
6302
6303 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6304 {
6305         struct ipc_security_struct *isec = selinux_ipc(ipcp);
6306         *secid = isec->sid;
6307 }
6308
6309 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6310 {
6311         if (inode)
6312                 inode_doinit_with_dentry(inode, dentry);
6313 }
6314
6315 static int selinux_getprocattr(struct task_struct *p,
6316                                const char *name, char **value)
6317 {
6318         const struct task_security_struct *__tsec;
6319         u32 sid;
6320         int error;
6321         unsigned len;
6322
6323         rcu_read_lock();
6324         __tsec = selinux_cred(__task_cred(p));
6325
6326         if (current != p) {
6327                 error = avc_has_perm(current_sid(), __tsec->sid,
6328                                      SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6329                 if (error)
6330                         goto bad;
6331         }
6332
6333         if (!strcmp(name, "current"))
6334                 sid = __tsec->sid;
6335         else if (!strcmp(name, "prev"))
6336                 sid = __tsec->osid;
6337         else if (!strcmp(name, "exec"))
6338                 sid = __tsec->exec_sid;
6339         else if (!strcmp(name, "fscreate"))
6340                 sid = __tsec->create_sid;
6341         else if (!strcmp(name, "keycreate"))
6342                 sid = __tsec->keycreate_sid;
6343         else if (!strcmp(name, "sockcreate"))
6344                 sid = __tsec->sockcreate_sid;
6345         else {
6346                 error = -EINVAL;
6347                 goto bad;
6348         }
6349         rcu_read_unlock();
6350
6351         if (!sid)
6352                 return 0;
6353
6354         error = security_sid_to_context(sid, value, &len);
6355         if (error)
6356                 return error;
6357         return len;
6358
6359 bad:
6360         rcu_read_unlock();
6361         return error;
6362 }
6363
6364 static int selinux_setprocattr(const char *name, void *value, size_t size)
6365 {
6366         struct task_security_struct *tsec;
6367         struct cred *new;
6368         u32 mysid = current_sid(), sid = 0, ptsid;
6369         int error;
6370         char *str = value;
6371
6372         /*
6373          * Basic control over ability to set these attributes at all.
6374          */
6375         if (!strcmp(name, "exec"))
6376                 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6377                                      PROCESS__SETEXEC, NULL);
6378         else if (!strcmp(name, "fscreate"))
6379                 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6380                                      PROCESS__SETFSCREATE, NULL);
6381         else if (!strcmp(name, "keycreate"))
6382                 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6383                                      PROCESS__SETKEYCREATE, NULL);
6384         else if (!strcmp(name, "sockcreate"))
6385                 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6386                                      PROCESS__SETSOCKCREATE, NULL);
6387         else if (!strcmp(name, "current"))
6388                 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6389                                      PROCESS__SETCURRENT, NULL);
6390         else
6391                 error = -EINVAL;
6392         if (error)
6393                 return error;
6394
6395         /* Obtain a SID for the context, if one was specified. */
6396         if (size && str[0] && str[0] != '\n') {
6397                 if (str[size-1] == '\n') {
6398                         str[size-1] = 0;
6399                         size--;
6400                 }
6401                 error = security_context_to_sid(value, size,
6402                                                 &sid, GFP_KERNEL);
6403                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6404                         if (!has_cap_mac_admin(true)) {
6405                                 struct audit_buffer *ab;
6406                                 size_t audit_size;
6407
6408                                 /* We strip a nul only if it is at the end, otherwise the
6409                                  * context contains a nul and we should audit that */
6410                                 if (str[size - 1] == '\0')
6411                                         audit_size = size - 1;
6412                                 else
6413                                         audit_size = size;
6414                                 ab = audit_log_start(audit_context(),
6415                                                      GFP_ATOMIC,
6416                                                      AUDIT_SELINUX_ERR);
6417                                 if (!ab)
6418                                         return error;
6419                                 audit_log_format(ab, "op=fscreate invalid_context=");
6420                                 audit_log_n_untrustedstring(ab, value, audit_size);
6421                                 audit_log_end(ab);
6422
6423                                 return error;
6424                         }
6425                         error = security_context_to_sid_force(value, size,
6426                                                         &sid);
6427                 }
6428                 if (error)
6429                         return error;
6430         }
6431
6432         new = prepare_creds();
6433         if (!new)
6434                 return -ENOMEM;
6435
6436         /* Permission checking based on the specified context is
6437            performed during the actual operation (execve,
6438            open/mkdir/...), when we know the full context of the
6439            operation.  See selinux_bprm_creds_for_exec for the execve
6440            checks and may_create for the file creation checks. The
6441            operation will then fail if the context is not permitted. */
6442         tsec = selinux_cred(new);
6443         if (!strcmp(name, "exec")) {
6444                 tsec->exec_sid = sid;
6445         } else if (!strcmp(name, "fscreate")) {
6446                 tsec->create_sid = sid;
6447         } else if (!strcmp(name, "keycreate")) {
6448                 if (sid) {
6449                         error = avc_has_perm(mysid, sid,
6450                                              SECCLASS_KEY, KEY__CREATE, NULL);
6451                         if (error)
6452                                 goto abort_change;
6453                 }
6454                 tsec->keycreate_sid = sid;
6455         } else if (!strcmp(name, "sockcreate")) {
6456                 tsec->sockcreate_sid = sid;
6457         } else if (!strcmp(name, "current")) {
6458                 error = -EINVAL;
6459                 if (sid == 0)
6460                         goto abort_change;
6461
6462                 /* Only allow single threaded processes to change context */
6463                 if (!current_is_single_threaded()) {
6464                         error = security_bounded_transition(tsec->sid, sid);
6465                         if (error)
6466                                 goto abort_change;
6467                 }
6468
6469                 /* Check permissions for the transition. */
6470                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6471                                      PROCESS__DYNTRANSITION, NULL);
6472                 if (error)
6473                         goto abort_change;
6474
6475                 /* Check for ptracing, and update the task SID if ok.
6476                    Otherwise, leave SID unchanged and fail. */
6477                 ptsid = ptrace_parent_sid();
6478                 if (ptsid != 0) {
6479                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6480                                              PROCESS__PTRACE, NULL);
6481                         if (error)
6482                                 goto abort_change;
6483                 }
6484
6485                 tsec->sid = sid;
6486         } else {
6487                 error = -EINVAL;
6488                 goto abort_change;
6489         }
6490
6491         commit_creds(new);
6492         return size;
6493
6494 abort_change:
6495         abort_creds(new);
6496         return error;
6497 }
6498
6499 static int selinux_ismaclabel(const char *name)
6500 {
6501         return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6502 }
6503
6504 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6505 {
6506         return security_sid_to_context(secid,
6507                                        secdata, seclen);
6508 }
6509
6510 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6511 {
6512         return security_context_to_sid(secdata, seclen,
6513                                        secid, GFP_KERNEL);
6514 }
6515
6516 static void selinux_release_secctx(char *secdata, u32 seclen)
6517 {
6518         kfree(secdata);
6519 }
6520
6521 static void selinux_inode_invalidate_secctx(struct inode *inode)
6522 {
6523         struct inode_security_struct *isec = selinux_inode(inode);
6524
6525         spin_lock(&isec->lock);
6526         isec->initialized = LABEL_INVALID;
6527         spin_unlock(&isec->lock);
6528 }
6529
6530 /*
6531  *      called with inode->i_mutex locked
6532  */
6533 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6534 {
6535         int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6536                                            ctx, ctxlen, 0);
6537         /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6538         return rc == -EOPNOTSUPP ? 0 : rc;
6539 }
6540
6541 /*
6542  *      called with inode->i_mutex locked
6543  */
6544 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6545 {
6546         return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6547                                      ctx, ctxlen, 0);
6548 }
6549
6550 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6551 {
6552         int len = 0;
6553         len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6554                                         XATTR_SELINUX_SUFFIX, ctx, true);
6555         if (len < 0)
6556                 return len;
6557         *ctxlen = len;
6558         return 0;
6559 }
6560 #ifdef CONFIG_KEYS
6561
6562 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6563                              unsigned long flags)
6564 {
6565         const struct task_security_struct *tsec;
6566         struct key_security_struct *ksec;
6567
6568         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6569         if (!ksec)
6570                 return -ENOMEM;
6571
6572         tsec = selinux_cred(cred);
6573         if (tsec->keycreate_sid)
6574                 ksec->sid = tsec->keycreate_sid;
6575         else
6576                 ksec->sid = tsec->sid;
6577
6578         k->security = ksec;
6579         return 0;
6580 }
6581
6582 static void selinux_key_free(struct key *k)
6583 {
6584         struct key_security_struct *ksec = k->security;
6585
6586         k->security = NULL;
6587         kfree(ksec);
6588 }
6589
6590 static int selinux_key_permission(key_ref_t key_ref,
6591                                   const struct cred *cred,
6592                                   enum key_need_perm need_perm)
6593 {
6594         struct key *key;
6595         struct key_security_struct *ksec;
6596         u32 perm, sid;
6597
6598         switch (need_perm) {
6599         case KEY_NEED_VIEW:
6600                 perm = KEY__VIEW;
6601                 break;
6602         case KEY_NEED_READ:
6603                 perm = KEY__READ;
6604                 break;
6605         case KEY_NEED_WRITE:
6606                 perm = KEY__WRITE;
6607                 break;
6608         case KEY_NEED_SEARCH:
6609                 perm = KEY__SEARCH;
6610                 break;
6611         case KEY_NEED_LINK:
6612                 perm = KEY__LINK;
6613                 break;
6614         case KEY_NEED_SETATTR:
6615                 perm = KEY__SETATTR;
6616                 break;
6617         case KEY_NEED_UNLINK:
6618         case KEY_SYSADMIN_OVERRIDE:
6619         case KEY_AUTHTOKEN_OVERRIDE:
6620         case KEY_DEFER_PERM_CHECK:
6621                 return 0;
6622         default:
6623                 WARN_ON(1);
6624                 return -EPERM;
6625
6626         }
6627
6628         sid = cred_sid(cred);
6629         key = key_ref_to_ptr(key_ref);
6630         ksec = key->security;
6631
6632         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6633 }
6634
6635 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6636 {
6637         struct key_security_struct *ksec = key->security;
6638         char *context = NULL;
6639         unsigned len;
6640         int rc;
6641
6642         rc = security_sid_to_context(ksec->sid,
6643                                      &context, &len);
6644         if (!rc)
6645                 rc = len;
6646         *_buffer = context;
6647         return rc;
6648 }
6649
6650 #ifdef CONFIG_KEY_NOTIFICATIONS
6651 static int selinux_watch_key(struct key *key)
6652 {
6653         struct key_security_struct *ksec = key->security;
6654         u32 sid = current_sid();
6655
6656         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6657 }
6658 #endif
6659 #endif
6660
6661 #ifdef CONFIG_SECURITY_INFINIBAND
6662 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6663 {
6664         struct common_audit_data ad;
6665         int err;
6666         u32 sid = 0;
6667         struct ib_security_struct *sec = ib_sec;
6668         struct lsm_ibpkey_audit ibpkey;
6669
6670         err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6671         if (err)
6672                 return err;
6673
6674         ad.type = LSM_AUDIT_DATA_IBPKEY;
6675         ibpkey.subnet_prefix = subnet_prefix;
6676         ibpkey.pkey = pkey_val;
6677         ad.u.ibpkey = &ibpkey;
6678         return avc_has_perm(sec->sid, sid,
6679                             SECCLASS_INFINIBAND_PKEY,
6680                             INFINIBAND_PKEY__ACCESS, &ad);
6681 }
6682
6683 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6684                                             u8 port_num)
6685 {
6686         struct common_audit_data ad;
6687         int err;
6688         u32 sid = 0;
6689         struct ib_security_struct *sec = ib_sec;
6690         struct lsm_ibendport_audit ibendport;
6691
6692         err = security_ib_endport_sid(dev_name, port_num,
6693                                       &sid);
6694
6695         if (err)
6696                 return err;
6697
6698         ad.type = LSM_AUDIT_DATA_IBENDPORT;
6699         ibendport.dev_name = dev_name;
6700         ibendport.port = port_num;
6701         ad.u.ibendport = &ibendport;
6702         return avc_has_perm(sec->sid, sid,
6703                             SECCLASS_INFINIBAND_ENDPORT,
6704                             INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6705 }
6706
6707 static int selinux_ib_alloc_security(void **ib_sec)
6708 {
6709         struct ib_security_struct *sec;
6710
6711         sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6712         if (!sec)
6713                 return -ENOMEM;
6714         sec->sid = current_sid();
6715
6716         *ib_sec = sec;
6717         return 0;
6718 }
6719
6720 static void selinux_ib_free_security(void *ib_sec)
6721 {
6722         kfree(ib_sec);
6723 }
6724 #endif
6725
6726 #ifdef CONFIG_BPF_SYSCALL
6727 static int selinux_bpf(int cmd, union bpf_attr *attr,
6728                                      unsigned int size)
6729 {
6730         u32 sid = current_sid();
6731         int ret;
6732
6733         switch (cmd) {
6734         case BPF_MAP_CREATE:
6735                 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6736                                    NULL);
6737                 break;
6738         case BPF_PROG_LOAD:
6739                 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6740                                    NULL);
6741                 break;
6742         default:
6743                 ret = 0;
6744                 break;
6745         }
6746
6747         return ret;
6748 }
6749
6750 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6751 {
6752         u32 av = 0;
6753
6754         if (fmode & FMODE_READ)
6755                 av |= BPF__MAP_READ;
6756         if (fmode & FMODE_WRITE)
6757                 av |= BPF__MAP_WRITE;
6758         return av;
6759 }
6760
6761 /* This function will check the file pass through unix socket or binder to see
6762  * if it is a bpf related object. And apply corresponding checks on the bpf
6763  * object based on the type. The bpf maps and programs, not like other files and
6764  * socket, are using a shared anonymous inode inside the kernel as their inode.
6765  * So checking that inode cannot identify if the process have privilege to
6766  * access the bpf object and that's why we have to add this additional check in
6767  * selinux_file_receive and selinux_binder_transfer_files.
6768  */
6769 static int bpf_fd_pass(const struct file *file, u32 sid)
6770 {
6771         struct bpf_security_struct *bpfsec;
6772         struct bpf_prog *prog;
6773         struct bpf_map *map;
6774         int ret;
6775
6776         if (file->f_op == &bpf_map_fops) {
6777                 map = file->private_data;
6778                 bpfsec = map->security;
6779                 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6780                                    bpf_map_fmode_to_av(file->f_mode), NULL);
6781                 if (ret)
6782                         return ret;
6783         } else if (file->f_op == &bpf_prog_fops) {
6784                 prog = file->private_data;
6785                 bpfsec = prog->aux->security;
6786                 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6787                                    BPF__PROG_RUN, NULL);
6788                 if (ret)
6789                         return ret;
6790         }
6791         return 0;
6792 }
6793
6794 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6795 {
6796         u32 sid = current_sid();
6797         struct bpf_security_struct *bpfsec;
6798
6799         bpfsec = map->security;
6800         return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6801                             bpf_map_fmode_to_av(fmode), NULL);
6802 }
6803
6804 static int selinux_bpf_prog(struct bpf_prog *prog)
6805 {
6806         u32 sid = current_sid();
6807         struct bpf_security_struct *bpfsec;
6808
6809         bpfsec = prog->aux->security;
6810         return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6811                             BPF__PROG_RUN, NULL);
6812 }
6813
6814 static int selinux_bpf_map_alloc(struct bpf_map *map)
6815 {
6816         struct bpf_security_struct *bpfsec;
6817
6818         bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6819         if (!bpfsec)
6820                 return -ENOMEM;
6821
6822         bpfsec->sid = current_sid();
6823         map->security = bpfsec;
6824
6825         return 0;
6826 }
6827
6828 static void selinux_bpf_map_free(struct bpf_map *map)
6829 {
6830         struct bpf_security_struct *bpfsec = map->security;
6831
6832         map->security = NULL;
6833         kfree(bpfsec);
6834 }
6835
6836 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6837 {
6838         struct bpf_security_struct *bpfsec;
6839
6840         bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6841         if (!bpfsec)
6842                 return -ENOMEM;
6843
6844         bpfsec->sid = current_sid();
6845         aux->security = bpfsec;
6846
6847         return 0;
6848 }
6849
6850 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6851 {
6852         struct bpf_security_struct *bpfsec = aux->security;
6853
6854         aux->security = NULL;
6855         kfree(bpfsec);
6856 }
6857 #endif
6858
6859 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
6860         .lbs_cred = sizeof(struct task_security_struct),
6861         .lbs_file = sizeof(struct file_security_struct),
6862         .lbs_inode = sizeof(struct inode_security_struct),
6863         .lbs_ipc = sizeof(struct ipc_security_struct),
6864         .lbs_msg_msg = sizeof(struct msg_security_struct),
6865         .lbs_superblock = sizeof(struct superblock_security_struct),
6866         .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
6867 };
6868
6869 #ifdef CONFIG_PERF_EVENTS
6870 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6871 {
6872         u32 requested, sid = current_sid();
6873
6874         if (type == PERF_SECURITY_OPEN)
6875                 requested = PERF_EVENT__OPEN;
6876         else if (type == PERF_SECURITY_CPU)
6877                 requested = PERF_EVENT__CPU;
6878         else if (type == PERF_SECURITY_KERNEL)
6879                 requested = PERF_EVENT__KERNEL;
6880         else if (type == PERF_SECURITY_TRACEPOINT)
6881                 requested = PERF_EVENT__TRACEPOINT;
6882         else
6883                 return -EINVAL;
6884
6885         return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
6886                             requested, NULL);
6887 }
6888
6889 static int selinux_perf_event_alloc(struct perf_event *event)
6890 {
6891         struct perf_event_security_struct *perfsec;
6892
6893         perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6894         if (!perfsec)
6895                 return -ENOMEM;
6896
6897         perfsec->sid = current_sid();
6898         event->security = perfsec;
6899
6900         return 0;
6901 }
6902
6903 static void selinux_perf_event_free(struct perf_event *event)
6904 {
6905         struct perf_event_security_struct *perfsec = event->security;
6906
6907         event->security = NULL;
6908         kfree(perfsec);
6909 }
6910
6911 static int selinux_perf_event_read(struct perf_event *event)
6912 {
6913         struct perf_event_security_struct *perfsec = event->security;
6914         u32 sid = current_sid();
6915
6916         return avc_has_perm(sid, perfsec->sid,
6917                             SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6918 }
6919
6920 static int selinux_perf_event_write(struct perf_event *event)
6921 {
6922         struct perf_event_security_struct *perfsec = event->security;
6923         u32 sid = current_sid();
6924
6925         return avc_has_perm(sid, perfsec->sid,
6926                             SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6927 }
6928 #endif
6929
6930 #ifdef CONFIG_IO_URING
6931 /**
6932  * selinux_uring_override_creds - check the requested cred override
6933  * @new: the target creds
6934  *
6935  * Check to see if the current task is allowed to override it's credentials
6936  * to service an io_uring operation.
6937  */
6938 static int selinux_uring_override_creds(const struct cred *new)
6939 {
6940         return avc_has_perm(current_sid(), cred_sid(new),
6941                             SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
6942 }
6943
6944 /**
6945  * selinux_uring_sqpoll - check if a io_uring polling thread can be created
6946  *
6947  * Check to see if the current task is allowed to create a new io_uring
6948  * kernel polling thread.
6949  */
6950 static int selinux_uring_sqpoll(void)
6951 {
6952         u32 sid = current_sid();
6953
6954         return avc_has_perm(sid, sid,
6955                             SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
6956 }
6957
6958 /**
6959  * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
6960  * @ioucmd: the io_uring command structure
6961  *
6962  * Check to see if the current domain is allowed to execute an
6963  * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
6964  *
6965  */
6966 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
6967 {
6968         struct file *file = ioucmd->file;
6969         struct inode *inode = file_inode(file);
6970         struct inode_security_struct *isec = selinux_inode(inode);
6971         struct common_audit_data ad;
6972
6973         ad.type = LSM_AUDIT_DATA_FILE;
6974         ad.u.file = file;
6975
6976         return avc_has_perm(current_sid(), isec->sid,
6977                             SECCLASS_IO_URING, IO_URING__CMD, &ad);
6978 }
6979 #endif /* CONFIG_IO_URING */
6980
6981 /*
6982  * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
6983  * 1. any hooks that don't belong to (2.) or (3.) below,
6984  * 2. hooks that both access structures allocated by other hooks, and allocate
6985  *    structures that can be later accessed by other hooks (mostly "cloning"
6986  *    hooks),
6987  * 3. hooks that only allocate structures that can be later accessed by other
6988  *    hooks ("allocating" hooks).
6989  *
6990  * Please follow block comment delimiters in the list to keep this order.
6991  */
6992 static struct security_hook_list selinux_hooks[] __ro_after_init = {
6993         LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6994         LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6995         LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6996         LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6997
6998         LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6999         LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7000         LSM_HOOK_INIT(capget, selinux_capget),
7001         LSM_HOOK_INIT(capset, selinux_capset),
7002         LSM_HOOK_INIT(capable, selinux_capable),
7003         LSM_HOOK_INIT(quotactl, selinux_quotactl),
7004         LSM_HOOK_INIT(quota_on, selinux_quota_on),
7005         LSM_HOOK_INIT(syslog, selinux_syslog),
7006         LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7007
7008         LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7009
7010         LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7011         LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7012         LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7013
7014         LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7015         LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7016         LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7017         LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7018         LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7019         LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7020         LSM_HOOK_INIT(sb_mount, selinux_mount),
7021         LSM_HOOK_INIT(sb_umount, selinux_umount),
7022         LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7023         LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7024
7025         LSM_HOOK_INIT(move_mount, selinux_move_mount),
7026
7027         LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7028         LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7029
7030         LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7031         LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7032         LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7033         LSM_HOOK_INIT(inode_create, selinux_inode_create),
7034         LSM_HOOK_INIT(inode_link, selinux_inode_link),
7035         LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7036         LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7037         LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7038         LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7039         LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7040         LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7041         LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7042         LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7043         LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7044         LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7045         LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7046         LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7047         LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7048         LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7049         LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7050         LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7051         LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7052         LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7053         LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7054         LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7055         LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7056         LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7057         LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
7058         LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7059         LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7060         LSM_HOOK_INIT(path_notify, selinux_path_notify),
7061
7062         LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7063
7064         LSM_HOOK_INIT(file_permission, selinux_file_permission),
7065         LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7066         LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7067         LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7068         LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7069         LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7070         LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7071         LSM_HOOK_INIT(file_lock, selinux_file_lock),
7072         LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7073         LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7074         LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7075         LSM_HOOK_INIT(file_receive, selinux_file_receive),
7076
7077         LSM_HOOK_INIT(file_open, selinux_file_open),
7078
7079         LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7080         LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7081         LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7082         LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7083         LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7084         LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7085         LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7086         LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7087         LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7088         LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7089         LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7090         LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7091         LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
7092         LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
7093         LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7094         LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7095         LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7096         LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7097         LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7098         LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7099         LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7100         LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7101         LSM_HOOK_INIT(task_kill, selinux_task_kill),
7102         LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7103         LSM_HOOK_INIT(userns_create, selinux_userns_create),
7104
7105         LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7106         LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7107
7108         LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7109         LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7110         LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7111         LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7112
7113         LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7114         LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7115         LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7116
7117         LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7118         LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7119         LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7120
7121         LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7122
7123         LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7124         LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7125
7126         LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7127         LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7128         LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7129         LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7130         LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7131         LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7132
7133         LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7134         LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7135
7136         LSM_HOOK_INIT(socket_create, selinux_socket_create),
7137         LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7138         LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7139         LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7140         LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7141         LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7142         LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7143         LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7144         LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7145         LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7146         LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7147         LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7148         LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7149         LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7150         LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7151         LSM_HOOK_INIT(socket_getpeersec_stream,
7152                         selinux_socket_getpeersec_stream),
7153         LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7154         LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7155         LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7156         LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7157         LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7158         LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7159         LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7160         LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7161         LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7162         LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7163         LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7164         LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7165         LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7166         LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7167         LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7168         LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7169         LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7170         LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7171         LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7172         LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7173         LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7174         LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7175 #ifdef CONFIG_SECURITY_INFINIBAND
7176         LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7177         LSM_HOOK_INIT(ib_endport_manage_subnet,
7178                       selinux_ib_endport_manage_subnet),
7179         LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7180 #endif
7181 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7182         LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7183         LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7184         LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7185         LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7186         LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7187         LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7188                         selinux_xfrm_state_pol_flow_match),
7189         LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7190 #endif
7191
7192 #ifdef CONFIG_KEYS
7193         LSM_HOOK_INIT(key_free, selinux_key_free),
7194         LSM_HOOK_INIT(key_permission, selinux_key_permission),
7195         LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7196 #ifdef CONFIG_KEY_NOTIFICATIONS
7197         LSM_HOOK_INIT(watch_key, selinux_watch_key),
7198 #endif
7199 #endif
7200
7201 #ifdef CONFIG_AUDIT
7202         LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7203         LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7204         LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7205 #endif
7206
7207 #ifdef CONFIG_BPF_SYSCALL
7208         LSM_HOOK_INIT(bpf, selinux_bpf),
7209         LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7210         LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7211         LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7212         LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7213 #endif
7214
7215 #ifdef CONFIG_PERF_EVENTS
7216         LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7217         LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7218         LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7219         LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7220 #endif
7221
7222 #ifdef CONFIG_IO_URING
7223         LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7224         LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7225         LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7226 #endif
7227
7228         /*
7229          * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7230          */
7231         LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7232         LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7233         LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7234         LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7235 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7236         LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7237 #endif
7238
7239         /*
7240          * PUT "ALLOCATING" HOOKS HERE
7241          */
7242         LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7243         LSM_HOOK_INIT(msg_queue_alloc_security,
7244                       selinux_msg_queue_alloc_security),
7245         LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7246         LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7247         LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7248         LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7249         LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7250         LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7251         LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7252         LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7253 #ifdef CONFIG_SECURITY_INFINIBAND
7254         LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7255 #endif
7256 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7257         LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7258         LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7259         LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7260                       selinux_xfrm_state_alloc_acquire),
7261 #endif
7262 #ifdef CONFIG_KEYS
7263         LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7264 #endif
7265 #ifdef CONFIG_AUDIT
7266         LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7267 #endif
7268 #ifdef CONFIG_BPF_SYSCALL
7269         LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7270         LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7271 #endif
7272 #ifdef CONFIG_PERF_EVENTS
7273         LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7274 #endif
7275 };
7276
7277 static __init int selinux_init(void)
7278 {
7279         pr_info("SELinux:  Initializing.\n");
7280
7281         memset(&selinux_state, 0, sizeof(selinux_state));
7282         enforcing_set(selinux_enforcing_boot);
7283         selinux_avc_init();
7284         mutex_init(&selinux_state.status_lock);
7285         mutex_init(&selinux_state.policy_mutex);
7286
7287         /* Set the security state for the initial task. */
7288         cred_init_security();
7289
7290         default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7291         if (!default_noexec)
7292                 pr_notice("SELinux:  virtual memory is executable by default\n");
7293
7294         avc_init();
7295
7296         avtab_cache_init();
7297
7298         ebitmap_cache_init();
7299
7300         hashtab_cache_init();
7301
7302         security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7303
7304         if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7305                 panic("SELinux: Unable to register AVC netcache callback\n");
7306
7307         if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7308                 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7309
7310         if (selinux_enforcing_boot)
7311                 pr_debug("SELinux:  Starting in enforcing mode\n");
7312         else
7313                 pr_debug("SELinux:  Starting in permissive mode\n");
7314
7315         fs_validate_description("selinux", selinux_fs_parameters);
7316
7317         return 0;
7318 }
7319
7320 static void delayed_superblock_init(struct super_block *sb, void *unused)
7321 {
7322         selinux_set_mnt_opts(sb, NULL, 0, NULL);
7323 }
7324
7325 void selinux_complete_init(void)
7326 {
7327         pr_debug("SELinux:  Completing initialization.\n");
7328
7329         /* Set up any superblocks initialized prior to the policy load. */
7330         pr_debug("SELinux:  Setting up existing superblocks.\n");
7331         iterate_supers(delayed_superblock_init, NULL);
7332 }
7333
7334 /* SELinux requires early initialization in order to label
7335    all processes and objects when they are created. */
7336 DEFINE_LSM(selinux) = {
7337         .name = "selinux",
7338         .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7339         .enabled = &selinux_enabled_boot,
7340         .blobs = &selinux_blob_sizes,
7341         .init = selinux_init,
7342 };
7343
7344 #if defined(CONFIG_NETFILTER)
7345 static const struct nf_hook_ops selinux_nf_ops[] = {
7346         {
7347                 .hook =         selinux_ip_postroute,
7348                 .pf =           NFPROTO_IPV4,
7349                 .hooknum =      NF_INET_POST_ROUTING,
7350                 .priority =     NF_IP_PRI_SELINUX_LAST,
7351         },
7352         {
7353                 .hook =         selinux_ip_forward,
7354                 .pf =           NFPROTO_IPV4,
7355                 .hooknum =      NF_INET_FORWARD,
7356                 .priority =     NF_IP_PRI_SELINUX_FIRST,
7357         },
7358         {
7359                 .hook =         selinux_ip_output,
7360                 .pf =           NFPROTO_IPV4,
7361                 .hooknum =      NF_INET_LOCAL_OUT,
7362                 .priority =     NF_IP_PRI_SELINUX_FIRST,
7363         },
7364 #if IS_ENABLED(CONFIG_IPV6)
7365         {
7366                 .hook =         selinux_ip_postroute,
7367                 .pf =           NFPROTO_IPV6,
7368                 .hooknum =      NF_INET_POST_ROUTING,
7369                 .priority =     NF_IP6_PRI_SELINUX_LAST,
7370         },
7371         {
7372                 .hook =         selinux_ip_forward,
7373                 .pf =           NFPROTO_IPV6,
7374                 .hooknum =      NF_INET_FORWARD,
7375                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
7376         },
7377         {
7378                 .hook =         selinux_ip_output,
7379                 .pf =           NFPROTO_IPV6,
7380                 .hooknum =      NF_INET_LOCAL_OUT,
7381                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
7382         },
7383 #endif  /* IPV6 */
7384 };
7385
7386 static int __net_init selinux_nf_register(struct net *net)
7387 {
7388         return nf_register_net_hooks(net, selinux_nf_ops,
7389                                      ARRAY_SIZE(selinux_nf_ops));
7390 }
7391
7392 static void __net_exit selinux_nf_unregister(struct net *net)
7393 {
7394         nf_unregister_net_hooks(net, selinux_nf_ops,
7395                                 ARRAY_SIZE(selinux_nf_ops));
7396 }
7397
7398 static struct pernet_operations selinux_net_ops = {
7399         .init = selinux_nf_register,
7400         .exit = selinux_nf_unregister,
7401 };
7402
7403 static int __init selinux_nf_ip_init(void)
7404 {
7405         int err;
7406
7407         if (!selinux_enabled_boot)
7408                 return 0;
7409
7410         pr_debug("SELinux:  Registering netfilter hooks\n");
7411
7412         err = register_pernet_subsys(&selinux_net_ops);
7413         if (err)
7414                 panic("SELinux: register_pernet_subsys: error %d\n", err);
7415
7416         return 0;
7417 }
7418 __initcall(selinux_nf_ip_init);
7419 #endif /* CONFIG_NETFILTER */