selinux: parse contexts for mount options early

}

struct selinux_mnt_opts {

	const char *fscontext, *context, *rootcontext, *defcontext;

	u32 fscontext_sid;

	u32 context_sid;

	u32 rootcontext_sid;

static void selinux_free_mnt_opts(void *mnt_opts)

{

	struct selinux_mnt_opts *opts = mnt_opts;

	kfree(opts->fscontext);

	kfree(opts->context);

	kfree(opts->rootcontext);

	kfree(opts->defcontext);

	kfree(opts);

	kfree(mnt_opts);

}

enum {

	return 0;

}

static int parse_sid(struct super_block *sb, const char *s, u32 *sid)

{

	int rc = security_context_str_to_sid(&selinux_state, s,

					     sid, GFP_KERNEL);

	if (rc)

		pr_warn("SELinux: security_context_str_to_sid"

		       "(%s) failed for (dev %s, type %s) errno=%d\n",

		       s, sb ? sb->s_id : "?", sb ? sb->s_type->name : "?", rc);

	return rc;

}

/*

 * Allow filesystems with binary mount data to explicitly set mount point

 * labeling information.

	 * than once with different security options.

	 */

	if (opts) {

		if (opts->fscontext) {

			if (opts->fscontext_sid == SECSID_NULL) {

				rc = parse_sid(sb, opts->fscontext, &fscontext_sid);

				if (rc)

					goto out;

			} else

		if (opts->fscontext_sid) {

			fscontext_sid = opts->fscontext_sid;

			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,

					fscontext_sid))

				goto out_double_mount;

			sbsec->flags |= FSCONTEXT_MNT;

		}

		if (opts->context) {

			if (opts->context_sid == SECSID_NULL) {

				rc = parse_sid(sb, opts->context, &context_sid);

				if (rc)

					goto out;

			} else

		if (opts->context_sid) {

			context_sid = opts->context_sid;

			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,

					context_sid))

				goto out_double_mount;

			sbsec->flags |= CONTEXT_MNT;

		}

		if (opts->rootcontext) {

			if (opts->rootcontext_sid == SECSID_NULL) {

				rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);

				if (rc)

					goto out;

			} else

		if (opts->rootcontext_sid) {

			rootcontext_sid = opts->rootcontext_sid;

			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,

					rootcontext_sid))

				goto out_double_mount;

			sbsec->flags |= ROOTCONTEXT_MNT;

		}

		if (opts->defcontext) {

			if (opts->defcontext_sid == SECSID_NULL) {

				rc = parse_sid(sb, opts->defcontext, &defcontext_sid);

				if (rc)

					goto out;

			} else

		if (opts->defcontext_sid) {

			defcontext_sid = opts->defcontext_sid;

			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,

					defcontext_sid))

{

	struct selinux_mnt_opts *opts = *mnt_opts;

	bool is_alloc_opts = false;

	u32 *dst_sid;

	int rc;

	if (token == Opt_seclabel)

		/* eaten and completely ignored */

	if (!s)

		return -ENOMEM;

	if (!selinux_initialized(&selinux_state)) {

		pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");

		return -EINVAL;

	}

	if (!opts) {

		opts = kzalloc(sizeof(*opts), GFP_KERNEL);

		if (!opts)

	switch (token) {

	case Opt_context:

		if (opts->context || opts->defcontext)

		if (opts->context_sid || opts->defcontext_sid)

			goto err;

		opts->context = s;

		if (selinux_initialized(&selinux_state))

			parse_sid(NULL, s, &opts->context_sid);

		dst_sid = &opts->context_sid;

		break;

	case Opt_fscontext:

		if (opts->fscontext)

		if (opts->fscontext_sid)

			goto err;

		opts->fscontext = s;

		if (selinux_initialized(&selinux_state))

			parse_sid(NULL, s, &opts->fscontext_sid);

		dst_sid = &opts->fscontext_sid;

		break;

	case Opt_rootcontext:

		if (opts->rootcontext)

		if (opts->rootcontext_sid)

			goto err;

		opts->rootcontext = s;

		if (selinux_initialized(&selinux_state))

			parse_sid(NULL, s, &opts->rootcontext_sid);

		dst_sid = &opts->rootcontext_sid;

		break;

	case Opt_defcontext:

		if (opts->context || opts->defcontext)

		if (opts->context_sid || opts->defcontext_sid)

			goto err;

		opts->defcontext = s;

		if (selinux_initialized(&selinux_state))

			parse_sid(NULL, s, &opts->defcontext_sid);

		dst_sid = &opts->defcontext_sid;

		break;

	default:

		WARN_ON(1);

		return -EINVAL;

	}

	return 0;

	rc = security_context_str_to_sid(&selinux_state, s, dst_sid, GFP_KERNEL);

	if (rc)

		pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",

			s, rc);

	return rc;

err:

	if (is_alloc_opts) {

	if (!opts)

		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;

	if (opts->fscontext) {

		if (opts->fscontext_sid == SECSID_NULL)

			return 1;

		else if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,

	if (opts->fscontext_sid) {

		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,

			       opts->fscontext_sid))

			return 1;

	}

	if (opts->context) {

		if (opts->context_sid == SECSID_NULL)

			return 1;

		else if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,

	if (opts->context_sid) {

		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,

			       opts->context_sid))

			return 1;

	}

	if (opts->rootcontext) {

		if (opts->rootcontext_sid == SECSID_NULL)

			return 1;

		else {

	if (opts->rootcontext_sid) {

		struct inode_security_struct *root_isec;

		root_isec = backing_inode_security(sb->s_root);

			       opts->rootcontext_sid))

			return 1;

	}

	}

	if (opts->defcontext) {

		if (opts->defcontext_sid == SECSID_NULL)

			return 1;

		else if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,

	if (opts->defcontext_sid) {

		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,

			       opts->defcontext_sid))

			return 1;

	}

{

	struct selinux_mnt_opts *opts = mnt_opts;

	struct superblock_security_struct *sbsec = selinux_superblock(sb);

	int rc;

	if (!(sbsec->flags & SE_SBINITIALIZED))

		return 0;

	if (!opts)

		return 0;

	if (opts->fscontext) {

		if (opts->fscontext_sid == SECSID_NULL) {

			rc = parse_sid(sb, opts->fscontext,

				       &opts->fscontext_sid);

			if (rc)

				return rc;

		}

	if (opts->fscontext_sid) {

		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,

			       opts->fscontext_sid))

			goto out_bad_option;

	}

	if (opts->context) {

		if (opts->context_sid == SECSID_NULL) {

			rc = parse_sid(sb, opts->context, &opts->context_sid);

			if (rc)

				return rc;

		}

	if (opts->context_sid) {

		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,

			       opts->context_sid))

			goto out_bad_option;

	}

	if (opts->rootcontext) {

	if (opts->rootcontext_sid) {

		struct inode_security_struct *root_isec;

		root_isec = backing_inode_security(sb->s_root);

		if (opts->rootcontext_sid == SECSID_NULL) {

			rc = parse_sid(sb, opts->rootcontext,

				       &opts->rootcontext_sid);

			if (rc)

				return rc;

		}

		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,

			       opts->rootcontext_sid))

			goto out_bad_option;

	}

	if (opts->defcontext) {

		if (opts->defcontext_sid == SECSID_NULL) {

			rc = parse_sid(sb, opts->defcontext,

				       &opts->defcontext_sid);

			if (rc)

				return rc;

		}

	if (opts->defcontext_sid) {

		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,

			       opts->defcontext_sid))

			goto out_bad_option;

				  struct fs_context *src_fc)

{

	const struct selinux_mnt_opts *src = src_fc->security;

	struct selinux_mnt_opts *opts;

	if (!src)

		return 0;

	fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);

	if (!fc->security)

		return -ENOMEM;

	opts = fc->security;

	if (src->fscontext) {

		opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);

		if (!opts->fscontext)

			return -ENOMEM;

	}

	if (src->context) {

		opts->context = kstrdup(src->context, GFP_KERNEL);

		if (!opts->context)

			return -ENOMEM;

	}

	if (src->rootcontext) {

		opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);

		if (!opts->rootcontext)

			return -ENOMEM;

	}

	if (src->defcontext) {

		opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);

		if (!opts->defcontext)

			return -ENOMEM;

	}

	opts->fscontext_sid = src->fscontext_sid;

	opts->context_sid = src->context_sid;

	opts->rootcontext_sid = src->rootcontext_sid;

	opts->defcontext_sid = src->defcontext_sid;

	return 0;

	fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);

	return fc->security ? 0 : -ENOMEM;

}

static const struct fs_parameter_spec selinux_fs_parameters[] = {