xref: /kernel/linux/linux-6.6/security/selinux/hooks.c

344 	struct superblock_security_struct *sbsec;
348 	sbsec = selinux_superblock(inode->i_sb);
360 		spin_lock(&sbsec->isec_lock);
362 		spin_unlock(&sbsec->isec_lock);
424 			struct superblock_security_struct *sbsec,
430 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
441 			struct superblock_security_struct *sbsec,
446 	rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
451 	rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
479 	switch (sbsec->behavior) {
499 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
541 	sbsec->behavior = SECURITY_FS_USE_GENFS;
542 	sbsec->sid = sid;
548 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
553 	if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
559 	sbsec->flags |= SE_SBINITIALIZED;
567 		sbsec->flags |= SBLABEL_MNT;
569 		sbsec->flags &= ~SBLABEL_MNT;
578 	spin_lock(&sbsec->isec_lock);
579 	while (!list_empty(&sbsec->isec_head)) {
581 				list_first_entry(&sbsec->isec_head,
585 		spin_unlock(&sbsec->isec_lock);
592 		spin_lock(&sbsec->isec_lock);
594 	spin_unlock(&sbsec->isec_lock);
598 static int bad_option(struct superblock_security_struct *sbsec, char flag,
601 	char mnt_flags = sbsec->flags & SE_MNTMASK;
604 	if (sbsec->flags & SE_SBINITIALIZED)
605 		if (!(sbsec->flags & flag) ||
612 	if (!(sbsec->flags & SE_SBINITIALIZED))
628 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
643 	mutex_lock(&sbsec->lock);
651 				sbsec->flags |= SE_SBNATIVE;
673 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
687 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
690 			sbsec->flags |= FSCONTEXT_MNT;
694 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
697 			sbsec->flags |= CONTEXT_MNT;
701 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
704 			sbsec->flags |= ROOTCONTEXT_MNT;
708 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
711 			sbsec->flags |= DEFCONTEXT_MNT;
715 	if (sbsec->flags & SE_SBINITIALIZED) {
717 		if ((sbsec->flags & SE_MNTMASK) && !opts)
724 		sbsec->flags |= SE_SBPROC | SE_SBGENFS;
732 		sbsec->flags |= SE_SBGENFS;
737 		sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
739 	if (!sbsec->behavior) {
767 		if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
768 			sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
772 						     &sbsec->mntpoint_sid);
781 		rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
785 		sbsec->sid = fscontext_sid;
793 	if (sbsec->flags & SE_SBNATIVE) {
802 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
804 		sbsec->behavior = SECURITY_FS_USE_NATIVE;
810 			rc = may_context_mount_sb_relabel(context_sid, sbsec,
814 			sbsec->sid = context_sid;
816 			rc = may_context_mount_inode_relabel(context_sid, sbsec,
824 		sbsec->mntpoint_sid = context_sid;
825 		sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
829 		rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
839 		if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
840 			sbsec->behavior != SECURITY_FS_USE_NATIVE) {
847 		if (defcontext_sid != sbsec->def_sid) {
849 							     sbsec, cred);
854 		sbsec->def_sid = defcontext_sid;
860 	mutex_unlock(&sbsec->lock);
1074 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
1077 	if (!(sbsec->flags & SE_SBINITIALIZED))
1083 	if (sbsec->flags & FSCONTEXT_MNT) {
1086 		rc = show_sid(m, sbsec->sid);
1090 	if (sbsec->flags & CONTEXT_MNT) {
1093 		rc = show_sid(m, sbsec->mntpoint_sid);
1097 	if (sbsec->flags & DEFCONTEXT_MNT) {
1100 		rc = show_sid(m, sbsec->def_sid);
1104 	if (sbsec->flags & ROOTCONTEXT_MNT) {
1113 	if (sbsec->flags & SBLABEL_MNT) {
1410 	struct superblock_security_struct *sbsec = NULL;
1427 	sbsec = selinux_superblock(inode->i_sb);
1428 	if (!(sbsec->flags & SE_SBINITIALIZED)) {
1432 		spin_lock(&sbsec->isec_lock);
1434 			list_add(&isec->list, &sbsec->isec_head);
1435 		spin_unlock(&sbsec->isec_lock);
1445 	switch (sbsec->behavior) {
1453 			sid = sbsec->def_sid;
1477 			 * sbsec->isec_head list.  No reason to complain as these
1485 		rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1496 		sid = sbsec->sid;
1505 		sid = sbsec->mntpoint_sid;
1509 		sid = sbsec->sid;
1511 		if ((sbsec->flags & SE_SBGENFS) &&
1533 			 * sbsec->isec_head list.  No reason to complain as
1541 						   sbsec->flags, &sid);
1547 			if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1775 	const struct superblock_security_struct *sbsec =
1778 	if ((sbsec->flags & SE_SBINITIALIZED) &&
1779 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1780 		*_new_isid = sbsec->mntpoint_sid;
1781 	} else if ((sbsec->flags & SBLABEL_MNT) &&
1801 	struct superblock_security_struct *sbsec;
1807 	sbsec = selinux_superblock(dir->i_sb);
1829 	return avc_has_perm(newsid, sbsec->sid,
1943 	struct superblock_security_struct *sbsec;
1946 	sbsec = selinux_superblock(sb);
1947 	return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2548 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2550 	mutex_init(&sbsec->lock);
2551 	INIT_LIST_HEAD(&sbsec->isec_head);
2552 	spin_lock_init(&sbsec->isec_lock);
2553 	sbsec->sid = SECINITSID_UNLABELED;
2554 	sbsec->def_sid = SECINITSID_FILE;
2555 	sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2639 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2645 	if (!(sbsec->flags & SE_SBINITIALIZED))
2653 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2656 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2661 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2669 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2674 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2684 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2686 	if (!(sbsec->flags & SE_SBINITIALIZED))
2693 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2698 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2705 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2710 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2777 	const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2784 	if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2791 	if (sbsec->flags & FSCONTEXT_MNT)
2792 		opts->fscontext_sid = sbsec->sid;
2793 	if (sbsec->flags & CONTEXT_MNT)
2794 		opts->context_sid = sbsec->mntpoint_sid;
2795 	if (sbsec->flags & DEFCONTEXT_MNT)
2796 		opts->defcontext_sid = sbsec->def_sid;
2906 	struct superblock_security_struct *sbsec;
2912 	sbsec = selinux_superblock(dir->i_sb);
2923 	if (sbsec->flags & SE_SBINITIALIZED) {
2931 	    !(sbsec->flags & SBLABEL_MNT))
3176 	struct superblock_security_struct *sbsec;
3194 	sbsec = selinux_superblock(inode->i_sb);
3195 	if (!(sbsec->flags & SBLABEL_MNT))
3256 			    sbsec->sid,
3454 	struct superblock_security_struct *sbsec;
3461 	sbsec = selinux_superblock(inode->i_sb);
3462 	if (!(sbsec->flags & SBLABEL_MNT))

Indexes created Thu Nov 07 10:32:03 CST 2024