]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: check ss_initialized before revalidating an inode label
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
23970741 234 mutex_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
1da177e4
LT		 240 inode->i_security = isec;
241
242 return 0;
243}
244
5d226df4
AG		 245static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247/*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257{
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
1ac42476 262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274}
275
5d226df4
AG		 276static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277{
278 return inode->i_security;
279}
280
281static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282{
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289}
290
83da53c5
AG		 291/*
292 * Get the security label of an inode.
293 */
294static struct inode_security_struct *inode_security(struct inode *inode)
295{
5d226df4 296 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 297 return inode->i_security;
298}
299
2c97165b
PM		 300static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301{
302 struct inode *inode = d_backing_inode(dentry);
303
304 return inode->i_security;
305}
306
83da53c5
AG		 307/*
308 * Get the security label of a dentry's backing inode.
309 */
310static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311{
312 struct inode *inode = d_backing_inode(dentry);
313
5d226df4 314 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 315 return inode->i_security;
316}
317
3dc91d43
SR		 318static void inode_free_rcu(struct rcu_head *head)
319{
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
324}
325
1da177e4
LT		 326static void inode_free_security(struct inode *inode)
327{
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330
9629d04a
WL		 331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
1da177e4 343 list_del_init(&isec->list);
9629d04a
WL		 344 spin_unlock(&sbsec->isec_lock);
345 }
1da177e4 346
3dc91d43
SR		 347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 357}
358
359static int file_alloc_security(struct file *file)
360{
1da177e4 361 struct file_security_struct *fsec;
275bb41e 362 u32 sid = current_sid();
1da177e4 363
63205654 364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 365 if (!fsec)
366 return -ENOMEM;
367
275bb41e
DH		 368 fsec->sid = sid;
369 fsec->fown_sid = sid;
1da177e4
LT		 370 file->f_security = fsec;
371
372 return 0;
373}
374
375static void file_free_security(struct file *file)
376{
377 struct file_security_struct *fsec = file->f_security;
1da177e4 378 file->f_security = NULL;
63205654 379 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 380}
381
382static int superblock_alloc_security(struct super_block *sb)
383{
384 struct superblock_security_struct *sbsec;
385
89d155ef 386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 387 if (!sbsec)
388 return -ENOMEM;
389
bc7e982b 390 mutex_init(&sbsec->lock);
1da177e4
LT		 391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 393 sbsec->sb = sb;
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
c312feb2 396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 397 sb->s_security = sbsec;
398
399 return 0;
400}
401
402static void superblock_free_security(struct super_block *sb)
403{
404 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 405 sb->s_security = NULL;
406 kfree(sbsec);
407}
408
1da177e4
LT		 409/* The file system's label must be initialized prior to use. */
410
eb9ae686 411static const char *labeling_behaviors[7] = {
1da177e4
LT		 412 "uses xattr",
413 "uses transition SIDs",
414 "uses task SIDs",
415 "uses genfs_contexts",
416 "not configured for labeling",
417 "uses mountpoint labeling",
eb9ae686 418 "uses native labeling",
1da177e4
LT		 419};
420
1da177e4
LT		 421static inline int inode_doinit(struct inode *inode)
422{
423 return inode_doinit_with_dentry(inode, NULL);
424}
425
426enum {
31e87930 427 Opt_error = -1,
1da177e4
LT		 428 Opt_context = 1,
429 Opt_fscontext = 2,
c9180a57
EP		 430 Opt_defcontext = 3,
431 Opt_rootcontext = 4,
11689d47 432 Opt_labelsupport = 5,
d355987f 433 Opt_nextmntopt = 6,
1da177e4
LT		 434};
435
d355987f
EP		 436#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
437
a447c093 438static const match_table_t tokens = {
832cbd9a
EP		 439 {Opt_context, CONTEXT_STR "%s"},
440 {Opt_fscontext, FSCONTEXT_STR "%s"},
441 {Opt_defcontext, DEFCONTEXT_STR "%s"},
442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 443 {Opt_labelsupport, LABELSUPP_STR},
31e87930 444 {Opt_error, NULL},
1da177e4
LT		 445};
446
447#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
448
c312feb2
EP		 449static int may_context_mount_sb_relabel(u32 sid,
450 struct superblock_security_struct *sbsec,
275bb41e 451 const struct cred *cred)
c312feb2 452{
275bb41e 453 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 454 int rc;
455
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL);
458 if (rc)
459 return rc;
460
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL);
463 return rc;
464}
465
0808925e
EP		 466static int may_context_mount_inode_relabel(u32 sid,
467 struct superblock_security_struct *sbsec,
275bb41e 468 const struct cred *cred)
0808925e 469{
275bb41e 470 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 471 int rc;
472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__ASSOCIATE, NULL);
479 return rc;
480}
481
b43e725d
EP		 482static int selinux_is_sblabel_mnt(struct super_block *sb)
483{
484 struct superblock_security_struct *sbsec = sb->s_security;
485
d5f3a5f6
MS		 486 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 489 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 490 /* Special handling. Genfs but also in-core setxattr handler */
491 !strcmp(sb->s_type->name, "sysfs") ||
492 !strcmp(sb->s_type->name, "pstore") ||
493 !strcmp(sb->s_type->name, "debugfs") ||
494 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 495}
496
c9180a57 497static int sb_finish_set_opts(struct super_block *sb)
1da177e4 498{
1da177e4 499 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 500 struct dentry *root = sb->s_root;
c6f493d6 501 struct inode *root_inode = d_backing_inode(root);
c9180a57 502 int rc = 0;
1da177e4 503
c9180a57
EP		 504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 /* Make sure that the xattr handler exists and that no
506 error other than -ENODATA is returned by getxattr on
507 the root directory. -ENODATA is ok, as this may be
508 the first boot of the SELinux kernel before we have
509 assigned xattr values to the filesystem. */
510 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 513 rc = -EOPNOTSUPP;
514 goto out;
515 }
516 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
517 if (rc < 0 && rc != -ENODATA) {
518 if (rc == -EOPNOTSUPP)
519 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 520 "%s) has no security xattr handler\n",
521 sb->s_id, sb->s_type->name);
c9180a57
EP		 522 else
523 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 524 "%s) getxattr errno %d\n", sb->s_id,
525 sb->s_type->name, -rc);
c9180a57
EP		 526 goto out;
527 }
528 }
1da177e4 529
c9180a57 530 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 531 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
532 sb->s_id, sb->s_type->name);
1da177e4 533
eadcabc6 534 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 535 if (selinux_is_sblabel_mnt(sb))
12f348b9 536 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 537
c9180a57
EP		 538 /* Initialize the root inode. */
539 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 540
c9180a57
EP		 541 /* Initialize any other inodes associated with the superblock, e.g.
542 inodes created prior to initial policy load or inodes created
543 during get_sb by a pseudo filesystem that directly
544 populates itself. */
545 spin_lock(&sbsec->isec_lock);
546next_inode:
547 if (!list_empty(&sbsec->isec_head)) {
548 struct inode_security_struct *isec =
549 list_entry(sbsec->isec_head.next,
550 struct inode_security_struct, list);
551 struct inode *inode = isec->inode;
923190d3 552 list_del_init(&isec->list);
c9180a57
EP		 553 spin_unlock(&sbsec->isec_lock);
554 inode = igrab(inode);
555 if (inode) {
556 if (!IS_PRIVATE(inode))
557 inode_doinit(inode);
558 iput(inode);
559 }
560 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 561 goto next_inode;
562 }
563 spin_unlock(&sbsec->isec_lock);
564out:
565 return rc;
566}
1da177e4 567
c9180a57
EP		 568/*
569 * This function should allow an FS to ask what it's mount security
570 * options were so it can use those later for submounts, displaying
571 * mount options, or whatever.
572 */
573static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 574 struct security_mnt_opts *opts)
c9180a57
EP		 575{
576 int rc = 0, i;
577 struct superblock_security_struct *sbsec = sb->s_security;
578 char *context = NULL;
579 u32 len;
580 char tmp;
1da177e4 581
e0007529 582 security_init_mnt_opts(opts);
1da177e4 583
0d90a7ec 584 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 585 return -EINVAL;
1da177e4 586
c9180a57
EP		 587 if (!ss_initialized)
588 return -EINVAL;
1da177e4 589
af8e50cc
EP		 590 /* make sure we always check enough bits to cover the mask */
591 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
592
0d90a7ec 593 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 594 /* count the number of mount options for this sb */
af8e50cc 595 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 596 if (tmp & 0x01)
e0007529 597 opts->num_mnt_opts++;
c9180a57
EP		 598 tmp >>= 1;
599 }
11689d47 600 /* Check if the Label support flag is set */
0b4bdb35 601 if (sbsec->flags & SBLABEL_MNT)
11689d47 602 opts->num_mnt_opts++;
1da177e4 603
e0007529
EP		 604 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
605 if (!opts->mnt_opts) {
c9180a57
EP		 606 rc = -ENOMEM;
607 goto out_free;
608 }
1da177e4 609
e0007529
EP		 610 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
611 if (!opts->mnt_opts_flags) {
c9180a57
EP		 612 rc = -ENOMEM;
613 goto out_free;
614 }
1da177e4 615
c9180a57
EP		 616 i = 0;
617 if (sbsec->flags & FSCONTEXT_MNT) {
618 rc = security_sid_to_context(sbsec->sid, &context, &len);
619 if (rc)
620 goto out_free;
e0007529
EP		 621 opts->mnt_opts[i] = context;
622 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 623 }
624 if (sbsec->flags & CONTEXT_MNT) {
625 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
626 if (rc)
627 goto out_free;
e0007529
EP		 628 opts->mnt_opts[i] = context;
629 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 630 }
631 if (sbsec->flags & DEFCONTEXT_MNT) {
632 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
633 if (rc)
634 goto out_free;
e0007529
EP		 635 opts->mnt_opts[i] = context;
636 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 637 }
638 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 639 struct dentry *root = sbsec->sb->s_root;
640 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 641
c9180a57
EP		 642 rc = security_sid_to_context(isec->sid, &context, &len);
643 if (rc)
644 goto out_free;
e0007529
EP		 645 opts->mnt_opts[i] = context;
646 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 647 }
12f348b9 648 if (sbsec->flags & SBLABEL_MNT) {
11689d47 649 opts->mnt_opts[i] = NULL;
12f348b9 650 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 651 }
1da177e4 652
e0007529 653 BUG_ON(i != opts->num_mnt_opts);
1da177e4 654
c9180a57
EP		 655 return 0;
656
657out_free:
e0007529 658 security_free_mnt_opts(opts);
c9180a57
EP		 659 return rc;
660}
1da177e4 661
c9180a57
EP		 662static int bad_option(struct superblock_security_struct *sbsec, char flag,
663 u32 old_sid, u32 new_sid)
664{
0d90a7ec
DQ		 665 char mnt_flags = sbsec->flags & SE_MNTMASK;
666
c9180a57 667 /* check if the old mount command had the same options */
0d90a7ec 668 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 669 if (!(sbsec->flags & flag) ||
670 (old_sid != new_sid))
671 return 1;
672
673 /* check if we were passed the same options twice,
674 * aka someone passed context=a,context=b
675 */
0d90a7ec
DQ		 676 if (!(sbsec->flags & SE_SBINITIALIZED))
677 if (mnt_flags & flag)
c9180a57
EP		 678 return 1;
679 return 0;
680}
e0007529 681
c9180a57
EP		 682/*
683 * Allow filesystems with binary mount data to explicitly set mount point
684 * labeling information.
685 */
e0007529 686static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 687 struct security_mnt_opts *opts,
688 unsigned long kern_flags,
689 unsigned long *set_kern_flags)
c9180a57 690{
275bb41e 691 const struct cred *cred = current_cred();
c9180a57 692 int rc = 0, i;
c9180a57 693 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 694 const char *name = sb->s_type->name;
83da53c5 695 struct dentry *root = sbsec->sb->s_root;
2c97165b 696 struct inode_security_struct *root_isec;
c9180a57
EP		 697 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
698 u32 defcontext_sid = 0;
e0007529
EP		 699 char **mount_options = opts->mnt_opts;
700 int *flags = opts->mnt_opts_flags;
701 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 702
703 mutex_lock(&sbsec->lock);
704
705 if (!ss_initialized) {
706 if (!num_opts) {
707 /* Defer initialization until selinux_complete_init,
708 after the initial policy is loaded and the security
709 server is ready to handle calls. */
c9180a57
EP		 710 goto out;
711 }
712 rc = -EINVAL;
744ba35e
EP		 713 printk(KERN_WARNING "SELinux: Unable to set superblock options "
714 "before the security server is initialized\n");
1da177e4 715 goto out;
c9180a57 716 }
649f6e77
DQ		 717 if (kern_flags && !set_kern_flags) {
718 /* Specifying internal flags without providing a place to
719 * place the results is not allowed */
720 rc = -EINVAL;
721 goto out;
722 }
1da177e4 723
e0007529
EP		 724 /*
725 * Binary mount data FS will come through this function twice. Once
726 * from an explicit call and once from the generic calls from the vfs.
727 * Since the generic VFS calls will not contain any security mount data
728 * we need to skip the double mount verification.
729 *
730 * This does open a hole in which we will not notice if the first
731 * mount using this sb set explict options and a second mount using
732 * this sb does not set any security options. (The first options
733 * will be used for both mounts)
734 */
0d90a7ec 735 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 736 && (num_opts == 0))
f5269710 737 goto out;
e0007529 738
2c97165b
PM		 739 root_isec = backing_inode_security_novalidate(root);
740
c9180a57
EP		 741 /*
742 * parse the mount options, check if they are valid sids.
743 * also check if someone is trying to mount the same sb more
744 * than once with different security options.
745 */
746 for (i = 0; i < num_opts; i++) {
747 u32 sid;
11689d47 748
12f348b9 749 if (flags[i] == SBLABEL_MNT)
11689d47 750 continue;
44be2f65 751 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 752 if (rc) {
44be2f65 753 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 754 "(%s) failed for (dev %s, type %s) errno=%d\n",
755 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 756 goto out;
757 }
758 switch (flags[i]) {
759 case FSCONTEXT_MNT:
760 fscontext_sid = sid;
761
762 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
763 fscontext_sid))
764 goto out_double_mount;
765
766 sbsec->flags |= FSCONTEXT_MNT;
767 break;
768 case CONTEXT_MNT:
769 context_sid = sid;
770
771 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
772 context_sid))
773 goto out_double_mount;
774
775 sbsec->flags |= CONTEXT_MNT;
776 break;
777 case ROOTCONTEXT_MNT:
778 rootcontext_sid = sid;
779
780 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
781 rootcontext_sid))
782 goto out_double_mount;
783
784 sbsec->flags |= ROOTCONTEXT_MNT;
785
786 break;
787 case DEFCONTEXT_MNT:
788 defcontext_sid = sid;
789
790 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
791 defcontext_sid))
792 goto out_double_mount;
793
794 sbsec->flags |= DEFCONTEXT_MNT;
795
796 break;
797 default:
798 rc = -EINVAL;
799 goto out;
1da177e4 800 }
c9180a57
EP		 801 }
802
0d90a7ec 803 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 804 /* previously mounted with options, but not on this attempt? */
0d90a7ec 805 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 806 goto out_double_mount;
807 rc = 0;
808 goto out;
809 }
810
089be43e 811 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 812 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
813
8e014720
SS		 814 if (!strcmp(sb->s_type->name, "debugfs") ||
815 !strcmp(sb->s_type->name, "sysfs") ||
816 !strcmp(sb->s_type->name, "pstore"))
134509d5 817 sbsec->flags |= SE_SBGENFS;
c9180a57 818
eb9ae686
DQ		 819 if (!sbsec->behavior) {
820 /*
821 * Determine the labeling behavior to use for this
822 * filesystem type.
823 */
98f700f3 824 rc = security_fs_use(sb);
eb9ae686
DQ		 825 if (rc) {
826 printk(KERN_WARNING
827 "%s: security_fs_use(%s) returned %d\n",
828 __func__, sb->s_type->name, rc);
829 goto out;
830 }
c9180a57 831 }
c9180a57
EP		 832 /* sets the context of the superblock for the fs being mounted. */
833 if (fscontext_sid) {
275bb41e 834 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 835 if (rc)
c9180a57 836 goto out;
1da177e4 837
c9180a57 838 sbsec->sid = fscontext_sid;
c312feb2
EP		 839 }
840
841 /*
842 * Switch to using mount point labeling behavior.
843 * sets the label used on all file below the mountpoint, and will set
844 * the superblock context if not already set.
845 */
eb9ae686
DQ		 846 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
847 sbsec->behavior = SECURITY_FS_USE_NATIVE;
848 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
849 }
850
c9180a57
EP		 851 if (context_sid) {
852 if (!fscontext_sid) {
275bb41e
DH		 853 rc = may_context_mount_sb_relabel(context_sid, sbsec,
854 cred);
b04ea3ce 855 if (rc)
c9180a57
EP		 856 goto out;
857 sbsec->sid = context_sid;
b04ea3ce 858 } else {
275bb41e
DH		 859 rc = may_context_mount_inode_relabel(context_sid, sbsec,
860 cred);
b04ea3ce 861 if (rc)
c9180a57 862 goto out;
b04ea3ce 863 }
c9180a57
EP		 864 if (!rootcontext_sid)
865 rootcontext_sid = context_sid;
1da177e4 866
c9180a57 867 sbsec->mntpoint_sid = context_sid;
c312feb2 868 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 869 }
870
c9180a57 871 if (rootcontext_sid) {
275bb41e
DH		 872 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
873 cred);
0808925e 874 if (rc)
c9180a57 875 goto out;
0808925e 876
c9180a57 877 root_isec->sid = rootcontext_sid;
6f3be9f5 878 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 879 }
880
c9180a57 881 if (defcontext_sid) {
eb9ae686
DQ		 882 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
883 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 884 rc = -EINVAL;
885 printk(KERN_WARNING "SELinux: defcontext option is "
886 "invalid for this filesystem type\n");
887 goto out;
1da177e4
LT		 888 }
889
c9180a57
EP		 890 if (defcontext_sid != sbsec->def_sid) {
891 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 892 sbsec, cred);
c9180a57
EP		 893 if (rc)
894 goto out;
895 }
1da177e4 896
c9180a57 897 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 898 }
899
c9180a57 900 rc = sb_finish_set_opts(sb);
1da177e4 901out:
c9180a57 902 mutex_unlock(&sbsec->lock);
1da177e4 903 return rc;
c9180a57
EP		 904out_double_mount:
905 rc = -EINVAL;
906 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 907 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 908 goto out;
1da177e4
LT		 909}
910
094f7b69
JL		 911static int selinux_cmp_sb_context(const struct super_block *oldsb,
912 const struct super_block *newsb)
913{
914 struct superblock_security_struct *old = oldsb->s_security;
915 struct superblock_security_struct *new = newsb->s_security;
916 char oldflags = old->flags & SE_MNTMASK;
917 char newflags = new->flags & SE_MNTMASK;
918
919 if (oldflags != newflags)
920 goto mismatch;
921 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
922 goto mismatch;
923 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
924 goto mismatch;
925 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
926 goto mismatch;
927 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 928 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
929 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 930 if (oldroot->sid != newroot->sid)
931 goto mismatch;
932 }
933 return 0;
934mismatch:
935 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
936 "different security settings for (dev %s, "
937 "type %s)\n", newsb->s_id, newsb->s_type->name);
938 return -EBUSY;
939}
940
941static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 942 struct super_block *newsb)
1da177e4 943{
c9180a57
EP		 944 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
945 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 946
c9180a57
EP		 947 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
948 int set_context = (oldsbsec->flags & CONTEXT_MNT);
949 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 950
0f5e6420
EP		 951 /*
952 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 953 * mount options. thus we can safely deal with this superblock later
0f5e6420 954 */
e8c26255 955 if (!ss_initialized)
094f7b69 956 return 0;
c9180a57 957
c9180a57 958 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 959 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 960
094f7b69 961 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 962 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 963 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 964
c9180a57
EP		 965 mutex_lock(&newsbsec->lock);
966
967 newsbsec->flags = oldsbsec->flags;
968
969 newsbsec->sid = oldsbsec->sid;
970 newsbsec->def_sid = oldsbsec->def_sid;
971 newsbsec->behavior = oldsbsec->behavior;
972
973 if (set_context) {
974 u32 sid = oldsbsec->mntpoint_sid;
975
976 if (!set_fscontext)
977 newsbsec->sid = sid;
978 if (!set_rootcontext) {
83da53c5 979 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 980 newisec->sid = sid;
981 }
982 newsbsec->mntpoint_sid = sid;
1da177e4 983 }
c9180a57 984 if (set_rootcontext) {
83da53c5
AG		 985 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
986 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 987
c9180a57 988 newisec->sid = oldisec->sid;
1da177e4
LT		 989 }
990
c9180a57
EP		 991 sb_finish_set_opts(newsb);
992 mutex_unlock(&newsbsec->lock);
094f7b69 993 return 0;
c9180a57
EP		 994}
995
2e1479d9
AB		 996static int selinux_parse_opts_str(char *options,
997 struct security_mnt_opts *opts)
c9180a57 998{
e0007529 999 char *p;
c9180a57
EP		 1000 char *context = NULL, *defcontext = NULL;
1001 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1002 int rc, num_mnt_opts = 0;
1da177e4 1003
e0007529 1004 opts->num_mnt_opts = 0;
1da177e4 1005
c9180a57
EP		 1006 /* Standard string-based options. */
1007 while ((p = strsep(&options, "|")) != NULL) {
1008 int token;
1009 substring_t args[MAX_OPT_ARGS];
1da177e4 1010
c9180a57
EP		 1011 if (!*p)
1012 continue;
1da177e4 1013
c9180a57 1014 token = match_token(p, tokens, args);
1da177e4 1015
c9180a57
EP		 1016 switch (token) {
1017 case Opt_context:
1018 if (context || defcontext) {
1019 rc = -EINVAL;
1020 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1021 goto out_err;
1022 }
1023 context = match_strdup(&args[0]);
1024 if (!context) {
1025 rc = -ENOMEM;
1026 goto out_err;
1027 }
1028 break;
1029
1030 case Opt_fscontext:
1031 if (fscontext) {
1032 rc = -EINVAL;
1033 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1034 goto out_err;
1035 }
1036 fscontext = match_strdup(&args[0]);
1037 if (!fscontext) {
1038 rc = -ENOMEM;
1039 goto out_err;
1040 }
1041 break;
1042
1043 case Opt_rootcontext:
1044 if (rootcontext) {
1045 rc = -EINVAL;
1046 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1047 goto out_err;
1048 }
1049 rootcontext = match_strdup(&args[0]);
1050 if (!rootcontext) {
1051 rc = -ENOMEM;
1052 goto out_err;
1053 }
1054 break;
1055
1056 case Opt_defcontext:
1057 if (context || defcontext) {
1058 rc = -EINVAL;
1059 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1060 goto out_err;
1061 }
1062 defcontext = match_strdup(&args[0]);
1063 if (!defcontext) {
1064 rc = -ENOMEM;
1065 goto out_err;
1066 }
1067 break;
11689d47
DQ		 1068 case Opt_labelsupport:
1069 break;
c9180a57
EP		 1070 default:
1071 rc = -EINVAL;
1072 printk(KERN_WARNING "SELinux: unknown mount option\n");
1073 goto out_err;
1da177e4 1074
1da177e4 1075 }
1da177e4 1076 }
c9180a57 1077
e0007529
EP		 1078 rc = -ENOMEM;
1079 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1080 if (!opts->mnt_opts)
1081 goto out_err;
1082
1083 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1084 if (!opts->mnt_opts_flags) {
1085 kfree(opts->mnt_opts);
1086 goto out_err;
1087 }
1088
c9180a57 1089 if (fscontext) {
e0007529
EP		 1090 opts->mnt_opts[num_mnt_opts] = fscontext;
1091 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1092 }
1093 if (context) {
e0007529
EP		 1094 opts->mnt_opts[num_mnt_opts] = context;
1095 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1096 }
1097 if (rootcontext) {
e0007529
EP		 1098 opts->mnt_opts[num_mnt_opts] = rootcontext;
1099 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1100 }
1101 if (defcontext) {
e0007529
EP		 1102 opts->mnt_opts[num_mnt_opts] = defcontext;
1103 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1104 }
1105
e0007529
EP		 1106 opts->num_mnt_opts = num_mnt_opts;
1107 return 0;
1108
c9180a57
EP		 1109out_err:
1110 kfree(context);
1111 kfree(defcontext);
1112 kfree(fscontext);
1113 kfree(rootcontext);
1da177e4
LT		 1114 return rc;
1115}
e0007529
EP		 1116/*
1117 * string mount options parsing and call set the sbsec
1118 */
1119static int superblock_doinit(struct super_block *sb, void *data)
1120{
1121 int rc = 0;
1122 char *options = data;
1123 struct security_mnt_opts opts;
1124
1125 security_init_mnt_opts(&opts);
1126
1127 if (!data)
1128 goto out;
1129
1130 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1131
1132 rc = selinux_parse_opts_str(options, &opts);
1133 if (rc)
1134 goto out_err;
1135
1136out:
649f6e77 1137 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1138
1139out_err:
1140 security_free_mnt_opts(&opts);
1141 return rc;
1142}
1da177e4 1143
3583a711
AB		 1144static void selinux_write_opts(struct seq_file *m,
1145 struct security_mnt_opts *opts)
2069f457
EP		 1146{
1147 int i;
1148 char *prefix;
1149
1150 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1151 char *has_comma;
1152
1153 if (opts->mnt_opts[i])
1154 has_comma = strchr(opts->mnt_opts[i], ',');
1155 else
1156 has_comma = NULL;
2069f457
EP		 1157
1158 switch (opts->mnt_opts_flags[i]) {
1159 case CONTEXT_MNT:
1160 prefix = CONTEXT_STR;
1161 break;
1162 case FSCONTEXT_MNT:
1163 prefix = FSCONTEXT_STR;
1164 break;
1165 case ROOTCONTEXT_MNT:
1166 prefix = ROOTCONTEXT_STR;
1167 break;
1168 case DEFCONTEXT_MNT:
1169 prefix = DEFCONTEXT_STR;
1170 break;
12f348b9 1171 case SBLABEL_MNT:
11689d47
DQ		 1172 seq_putc(m, ',');
1173 seq_puts(m, LABELSUPP_STR);
1174 continue;
2069f457
EP		 1175 default:
1176 BUG();
a35c6c83 1177 return;
2069f457
EP		 1178 };
1179 /* we need a comma before each option */
1180 seq_putc(m, ',');
1181 seq_puts(m, prefix);
1182 if (has_comma)
1183 seq_putc(m, '\"');
a068acf2 1184 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1185 if (has_comma)
1186 seq_putc(m, '\"');
1187 }
1188}
1189
1190static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1191{
1192 struct security_mnt_opts opts;
1193 int rc;
1194
1195 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1196 if (rc) {
1197 /* before policy load we may get EINVAL, don't show anything */
1198 if (rc == -EINVAL)
1199 rc = 0;
2069f457 1200 return rc;
383795c2 1201 }
2069f457
EP		 1202
1203 selinux_write_opts(m, &opts);
1204
1205 security_free_mnt_opts(&opts);
1206
1207 return rc;
1208}
1209
1da177e4
LT		 1210static inline u16 inode_mode_to_security_class(umode_t mode)
1211{
1212 switch (mode & S_IFMT) {
1213 case S_IFSOCK:
1214 return SECCLASS_SOCK_FILE;
1215 case S_IFLNK:
1216 return SECCLASS_LNK_FILE;
1217 case S_IFREG:
1218 return SECCLASS_FILE;
1219 case S_IFBLK:
1220 return SECCLASS_BLK_FILE;
1221 case S_IFDIR:
1222 return SECCLASS_DIR;
1223 case S_IFCHR:
1224 return SECCLASS_CHR_FILE;
1225 case S_IFIFO:
1226 return SECCLASS_FIFO_FILE;
1227
1228 }
1229
1230 return SECCLASS_FILE;
1231}
1232
13402580
JM		 1233static inline int default_protocol_stream(int protocol)
1234{
1235 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1236}
1237
1238static inline int default_protocol_dgram(int protocol)
1239{
1240 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1241}
1242
1da177e4
LT		 1243static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1244{
1245 switch (family) {
1246 case PF_UNIX:
1247 switch (type) {
1248 case SOCK_STREAM:
1249 case SOCK_SEQPACKET:
1250 return SECCLASS_UNIX_STREAM_SOCKET;
1251 case SOCK_DGRAM:
1252 return SECCLASS_UNIX_DGRAM_SOCKET;
1253 }
1254 break;
1255 case PF_INET:
1256 case PF_INET6:
1257 switch (type) {
1258 case SOCK_STREAM:
13402580
JM		 1259 if (default_protocol_stream(protocol))
1260 return SECCLASS_TCP_SOCKET;
1261 else
1262 return SECCLASS_RAWIP_SOCKET;
1da177e4 1263 case SOCK_DGRAM:
13402580
JM		 1264 if (default_protocol_dgram(protocol))
1265 return SECCLASS_UDP_SOCKET;
1266 else
1267 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1268 case SOCK_DCCP:
1269 return SECCLASS_DCCP_SOCKET;
13402580 1270 default:
1da177e4
LT		 1271 return SECCLASS_RAWIP_SOCKET;
1272 }
1273 break;
1274 case PF_NETLINK:
1275 switch (protocol) {
1276 case NETLINK_ROUTE:
1277 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1278 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1279 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1280 case NETLINK_NFLOG:
1281 return SECCLASS_NETLINK_NFLOG_SOCKET;
1282 case NETLINK_XFRM:
1283 return SECCLASS_NETLINK_XFRM_SOCKET;
1284 case NETLINK_SELINUX:
1285 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1286 case NETLINK_ISCSI:
1287 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1288 case NETLINK_AUDIT:
1289 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1290 case NETLINK_FIB_LOOKUP:
1291 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1292 case NETLINK_CONNECTOR:
1293 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1294 case NETLINK_NETFILTER:
1295 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1296 case NETLINK_DNRTMSG:
1297 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1298 case NETLINK_KOBJECT_UEVENT:
1299 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1300 case NETLINK_GENERIC:
1301 return SECCLASS_NETLINK_GENERIC_SOCKET;
1302 case NETLINK_SCSITRANSPORT:
1303 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1304 case NETLINK_RDMA:
1305 return SECCLASS_NETLINK_RDMA_SOCKET;
1306 case NETLINK_CRYPTO:
1307 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1308 default:
1309 return SECCLASS_NETLINK_SOCKET;
1310 }
1311 case PF_PACKET:
1312 return SECCLASS_PACKET_SOCKET;
1313 case PF_KEY:
1314 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1315 case PF_APPLETALK:
1316 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1317 }
1318
1319 return SECCLASS_SOCKET;
1320}
1321
134509d5
SS		 1322static int selinux_genfs_get_sid(struct dentry *dentry,
1323 u16 tclass,
1324 u16 flags,
1325 u32 *sid)
1da177e4 1326{
8e6c9693 1327 int rc;
134509d5 1328 struct super_block *sb = dentry->d_inode->i_sb;
8e6c9693 1329 char *buffer, *path;
1da177e4 1330
828dfe1d 1331 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1332 if (!buffer)
1333 return -ENOMEM;
1334
8e6c9693
LAG		 1335 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1336 if (IS_ERR(path))
1337 rc = PTR_ERR(path);
1338 else {
134509d5
SS		 1339 if (flags & SE_SBPROC) {
1340 /* each process gets a /proc/PID/ entry. Strip off the
1341 * PID part to get a valid selinux labeling.
1342 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1343 while (path[1] >= '0' && path[1] <= '9') {
1344 path[1] = '/';
1345 path++;
1346 }
8e6c9693 1347 }
134509d5 1348 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1349 }
1da177e4
LT		 1350 free_page((unsigned long)buffer);
1351 return rc;
1352}
1da177e4
LT		 1353
1354/* The inode's security attributes must be initialized before first use. */
1355static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1356{
1357 struct superblock_security_struct *sbsec = NULL;
1358 struct inode_security_struct *isec = inode->i_security;
1359 u32 sid;
1360 struct dentry *dentry;
1361#define INITCONTEXTLEN 255
1362 char *context = NULL;
1363 unsigned len = 0;
1364 int rc = 0;
1da177e4 1365
6f3be9f5 1366 if (isec->initialized == LABEL_INITIALIZED)
1da177e4
LT		 1367 goto out;
1368
23970741 1369 mutex_lock(&isec->lock);
6f3be9f5 1370 if (isec->initialized == LABEL_INITIALIZED)
23970741 1371 goto out_unlock;
1da177e4
LT		 1372
1373 sbsec = inode->i_sb->s_security;
0d90a7ec 1374 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1375 /* Defer initialization until selinux_complete_init,
1376 after the initial policy is loaded and the security
1377 server is ready to handle calls. */
1378 spin_lock(&sbsec->isec_lock);
1379 if (list_empty(&isec->list))
1380 list_add(&isec->list, &sbsec->isec_head);
1381 spin_unlock(&sbsec->isec_lock);
23970741 1382 goto out_unlock;
1da177e4
LT		 1383 }
1384
1385 switch (sbsec->behavior) {
eb9ae686
DQ		 1386 case SECURITY_FS_USE_NATIVE:
1387 break;
1da177e4
LT		 1388 case SECURITY_FS_USE_XATTR:
1389 if (!inode->i_op->getxattr) {
1390 isec->sid = sbsec->def_sid;
1391 break;
1392 }
1393
1394 /* Need a dentry, since the xattr API requires one.
1395 Life would be simpler if we could just pass the inode. */
1396 if (opt_dentry) {
1397 /* Called from d_instantiate or d_splice_alias. */
1398 dentry = dget(opt_dentry);
1399 } else {
1400 /* Called from selinux_complete_init, try to find a dentry. */
1401 dentry = d_find_alias(inode);
1402 }
1403 if (!dentry) {
df7f54c0
EP		 1404 /*
1405 * this is can be hit on boot when a file is accessed
1406 * before the policy is loaded. When we load policy we
1407 * may find inodes that have no dentry on the
1408 * sbsec->isec_head list. No reason to complain as these
1409 * will get fixed up the next time we go through
1410 * inode_doinit with a dentry, before these inodes could
1411 * be used again by userspace.
1412 */
23970741 1413 goto out_unlock;
1da177e4
LT		 1414 }
1415
1416 len = INITCONTEXTLEN;
4cb912f1 1417 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1418 if (!context) {
1419 rc = -ENOMEM;
1420 dput(dentry);
23970741 1421 goto out_unlock;
1da177e4 1422 }
4cb912f1 1423 context[len] = '\0';
1da177e4
LT		 1424 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1425 context, len);
1426 if (rc == -ERANGE) {
314dabb8
JM		 1427 kfree(context);
1428
1da177e4
LT		 1429 /* Need a larger buffer. Query for the right size. */
1430 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1431 NULL, 0);
1432 if (rc < 0) {
1433 dput(dentry);
23970741 1434 goto out_unlock;
1da177e4 1435 }
1da177e4 1436 len = rc;
4cb912f1 1437 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1438 if (!context) {
1439 rc = -ENOMEM;
1440 dput(dentry);
23970741 1441 goto out_unlock;
1da177e4 1442 }
4cb912f1 1443 context[len] = '\0';
1da177e4
LT		 1444 rc = inode->i_op->getxattr(dentry,
1445 XATTR_NAME_SELINUX,
1446 context, len);
1447 }
1448 dput(dentry);
1449 if (rc < 0) {
1450 if (rc != -ENODATA) {
744ba35e 1451 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1452 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1453 -rc, inode->i_sb->s_id, inode->i_ino);
1454 kfree(context);
23970741 1455 goto out_unlock;
1da177e4
LT		 1456 }
1457 /* Map ENODATA to the default file SID */
1458 sid = sbsec->def_sid;
1459 rc = 0;
1460 } else {
f5c1d5b2 1461 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1462 sbsec->def_sid,
1463 GFP_NOFS);
1da177e4 1464 if (rc) {
4ba0a8ad
EP		 1465 char *dev = inode->i_sb->s_id;
1466 unsigned long ino = inode->i_ino;
1467
1468 if (rc == -EINVAL) {
1469 if (printk_ratelimit())
1470 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1471 "context=%s. This indicates you may need to relabel the inode or the "
1472 "filesystem in question.\n", ino, dev, context);
1473 } else {
1474 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1475 "returned %d for dev=%s ino=%ld\n",
1476 __func__, context, -rc, dev, ino);
1477 }
1da177e4
LT		 1478 kfree(context);
1479 /* Leave with the unlabeled SID */
1480 rc = 0;
1481 break;
1482 }
1483 }
1484 kfree(context);
1485 isec->sid = sid;
1486 break;
1487 case SECURITY_FS_USE_TASK:
1488 isec->sid = isec->task_sid;
1489 break;
1490 case SECURITY_FS_USE_TRANS:
1491 /* Default to the fs SID. */
1492 isec->sid = sbsec->sid;
1493
1494 /* Try to obtain a transition SID. */
1495 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1496 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1497 isec->sclass, NULL, &sid);
1da177e4 1498 if (rc)
23970741 1499 goto out_unlock;
1da177e4
LT		 1500 isec->sid = sid;
1501 break;
c312feb2
EP		 1502 case SECURITY_FS_USE_MNTPOINT:
1503 isec->sid = sbsec->mntpoint_sid;
1504 break;
1da177e4 1505 default:
c312feb2 1506 /* Default to the fs superblock SID. */
1da177e4
LT		 1507 isec->sid = sbsec->sid;
1508
134509d5 1509 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1510 /* We must have a dentry to determine the label on
1511 * procfs inodes */
1512 if (opt_dentry)
1513 /* Called from d_instantiate or
1514 * d_splice_alias. */
1515 dentry = dget(opt_dentry);
1516 else
1517 /* Called from selinux_complete_init, try to
1518 * find a dentry. */
1519 dentry = d_find_alias(inode);
1520 /*
1521 * This can be hit on boot when a file is accessed
1522 * before the policy is loaded. When we load policy we
1523 * may find inodes that have no dentry on the
1524 * sbsec->isec_head list. No reason to complain as
1525 * these will get fixed up the next time we go through
1526 * inode_doinit() with a dentry, before these inodes
1527 * could be used again by userspace.
1528 */
1529 if (!dentry)
1530 goto out_unlock;
1531 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1532 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1533 sbsec->flags, &sid);
f64410ec
PM		 1534 dput(dentry);
1535 if (rc)
1536 goto out_unlock;
1537 isec->sid = sid;
1da177e4
LT		 1538 }
1539 break;
1540 }
1541
6f3be9f5 1542 isec->initialized = LABEL_INITIALIZED;
1da177e4 1543
23970741
EP		 1544out_unlock:
1545 mutex_unlock(&isec->lock);
1da177e4
LT		 1546out:
1547 if (isec->sclass == SECCLASS_FILE)
1548 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1549 return rc;
1550}
1551
1552/* Convert a Linux signal to an access vector. */
1553static inline u32 signal_to_av(int sig)
1554{
1555 u32 perm = 0;
1556
1557 switch (sig) {
1558 case SIGCHLD:
1559 /* Commonly granted from child to parent. */
1560 perm = PROCESS__SIGCHLD;
1561 break;
1562 case SIGKILL:
1563 /* Cannot be caught or ignored */
1564 perm = PROCESS__SIGKILL;
1565 break;
1566 case SIGSTOP:
1567 /* Cannot be caught or ignored */
1568 perm = PROCESS__SIGSTOP;
1569 break;
1570 default:
1571 /* All other signals. */
1572 perm = PROCESS__SIGNAL;
1573 break;
1574 }
1575
1576 return perm;
1577}
1578
d84f4f99
DH		 1579/*
1580 * Check permission between a pair of credentials
1581 * fork check, ptrace check, etc.
1582 */
1583static int cred_has_perm(const struct cred *actor,
1584 const struct cred *target,
1585 u32 perms)
1586{
1587 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1588
1589 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1590}
1591
275bb41e 1592/*
88e67f3b 1593 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1594 * fork check, ptrace check, etc.
1595 * tsk1 is the actor and tsk2 is the target
3b11a1de 1596 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1597 */
1598static int task_has_perm(const struct task_struct *tsk1,
1599 const struct task_struct *tsk2,
1da177e4
LT		 1600 u32 perms)
1601{
275bb41e
DH		 1602 const struct task_security_struct *__tsec1, *__tsec2;
1603 u32 sid1, sid2;
1da177e4 1604
275bb41e
DH		 1605 rcu_read_lock();
1606 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1607 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1608 rcu_read_unlock();
1609 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1610}
1611
3b11a1de
DH		 1612/*
1613 * Check permission between current and another task, e.g. signal checks,
1614 * fork check, ptrace check, etc.
1615 * current is the actor and tsk2 is the target
1616 * - this uses current's subjective creds
1617 */
1618static int current_has_perm(const struct task_struct *tsk,
1619 u32 perms)
1620{
1621 u32 sid, tsid;
1622
1623 sid = current_sid();
1624 tsid = task_sid(tsk);
1625 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1626}
1627
b68e418c
SS		 1628#if CAP_LAST_CAP > 63
1629#error Fix SELinux to handle capabilities > 63.
1630#endif
1631
1da177e4 1632/* Check whether a task is allowed to use a capability. */
6a9de491 1633static int cred_has_capability(const struct cred *cred,
06112163 1634 int cap, int audit)
1da177e4 1635{
2bf49690 1636 struct common_audit_data ad;
06112163 1637 struct av_decision avd;
b68e418c 1638 u16 sclass;
3699c53c 1639 u32 sid = cred_sid(cred);
b68e418c 1640 u32 av = CAP_TO_MASK(cap);
06112163 1641 int rc;
1da177e4 1642
50c205f5 1643 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1644 ad.u.cap = cap;
1645
b68e418c
SS		 1646 switch (CAP_TO_INDEX(cap)) {
1647 case 0:
1648 sclass = SECCLASS_CAPABILITY;
1649 break;
1650 case 1:
1651 sclass = SECCLASS_CAPABILITY2;
1652 break;
1653 default:
1654 printk(KERN_ERR
1655 "SELinux: out of range capability %d\n", cap);
1656 BUG();
a35c6c83 1657 return -EINVAL;
b68e418c 1658 }
06112163 1659
275bb41e 1660 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1661 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1662 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1663 if (rc2)
1664 return rc2;
1665 }
06112163 1666 return rc;
1da177e4
LT		 1667}
1668
1669/* Check whether a task is allowed to use a system operation. */
1670static int task_has_system(struct task_struct *tsk,
1671 u32 perms)
1672{
275bb41e 1673 u32 sid = task_sid(tsk);
1da177e4 1674
275bb41e 1675 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1676 SECCLASS_SYSTEM, perms, NULL);
1677}
1678
1679/* Check whether a task has a particular permission to an inode.
1680 The 'adp' parameter is optional and allows other audit
1681 data to be passed (e.g. the dentry). */
88e67f3b 1682static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1683 struct inode *inode,
1684 u32 perms,
19e49834 1685 struct common_audit_data *adp)
1da177e4 1686{
1da177e4 1687 struct inode_security_struct *isec;
275bb41e 1688 u32 sid;
1da177e4 1689
e0e81739
DH		 1690 validate_creds(cred);
1691
828dfe1d 1692 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1693 return 0;
1694
88e67f3b 1695 sid = cred_sid(cred);
1da177e4
LT		 1696 isec = inode->i_security;
1697
19e49834 1698 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1699}
1700
1701/* Same as inode_has_perm, but pass explicit audit data containing
1702 the dentry to help the auditing code to more easily generate the
1703 pathname if needed. */
88e67f3b 1704static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1705 struct dentry *dentry,
1706 u32 av)
1707{
c6f493d6 1708 struct inode *inode = d_backing_inode(dentry);
2bf49690 1709 struct common_audit_data ad;
88e67f3b 1710
50c205f5 1711 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1712 ad.u.dentry = dentry;
5d226df4 1713 __inode_security_revalidate(inode, dentry, true);
19e49834 1714 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1715}
1716
1717/* Same as inode_has_perm, but pass explicit audit data containing
1718 the path to help the auditing code to more easily generate the
1719 pathname if needed. */
1720static inline int path_has_perm(const struct cred *cred,
3f7036a0 1721 const struct path *path,
2875fa00
EP		 1722 u32 av)
1723{
c6f493d6 1724 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1725 struct common_audit_data ad;
1726
50c205f5 1727 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1728 ad.u.path = *path;
5d226df4 1729 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1730 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1731}
1732
13f8e981
DH		 1733/* Same as path_has_perm, but uses the inode from the file struct. */
1734static inline int file_path_has_perm(const struct cred *cred,
1735 struct file *file,
1736 u32 av)
1737{
1738 struct common_audit_data ad;
1739
1740 ad.type = LSM_AUDIT_DATA_PATH;
1741 ad.u.path = file->f_path;
19e49834 1742 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1743}
1744
1da177e4
LT		 1745/* Check whether a task can use an open file descriptor to
1746 access an inode in a given way. Check access to the
1747 descriptor itself, and then use dentry_has_perm to
1748 check a particular permission to the file.
1749 Access to the descriptor is implicitly granted if it
1750 has the same SID as the process. If av is zero, then
1751 access to the file is not checked, e.g. for cases
1752 where only the descriptor is affected like seek. */
88e67f3b
DH		 1753static int file_has_perm(const struct cred *cred,
1754 struct file *file,
1755 u32 av)
1da177e4 1756{
1da177e4 1757 struct file_security_struct *fsec = file->f_security;
496ad9aa 1758 struct inode *inode = file_inode(file);
2bf49690 1759 struct common_audit_data ad;
88e67f3b 1760 u32 sid = cred_sid(cred);
1da177e4
LT		 1761 int rc;
1762
50c205f5 1763 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1764 ad.u.path = file->f_path;
1da177e4 1765
275bb41e
DH		 1766 if (sid != fsec->sid) {
1767 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1768 SECCLASS_FD,
1769 FD__USE,
1770 &ad);
1771 if (rc)
88e67f3b 1772 goto out;
1da177e4
LT		 1773 }
1774
1775 /* av is zero if only checking access to the descriptor. */
88e67f3b 1776 rc = 0;
1da177e4 1777 if (av)
19e49834 1778 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1779
88e67f3b
DH		 1780out:
1781 return rc;
1da177e4
LT		 1782}
1783
c3c188b2
DH		 1784/*
1785 * Determine the label for an inode that might be unioned.
1786 */
83da53c5 1787static int selinux_determine_inode_label(struct inode *dir,
c3c188b2
DH		 1788 const struct qstr *name,
1789 u16 tclass,
1790 u32 *_new_isid)
1791{
1792 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
c3c188b2
DH		 1793 const struct task_security_struct *tsec = current_security();
1794
1795 if ((sbsec->flags & SE_SBINITIALIZED) &&
1796 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1797 *_new_isid = sbsec->mntpoint_sid;
1798 } else if ((sbsec->flags & SBLABEL_MNT) &&
1799 tsec->create_sid) {
1800 *_new_isid = tsec->create_sid;
1801 } else {
20cdef8d 1802 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1803 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1804 name, _new_isid);
1805 }
1806
1807 return 0;
1808}
1809
1da177e4
LT		 1810/* Check whether a task can create a file. */
1811static int may_create(struct inode *dir,
1812 struct dentry *dentry,
1813 u16 tclass)
1814{
5fb49870 1815 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1816 struct inode_security_struct *dsec;
1817 struct superblock_security_struct *sbsec;
275bb41e 1818 u32 sid, newsid;
2bf49690 1819 struct common_audit_data ad;
1da177e4
LT		 1820 int rc;
1821
83da53c5 1822 dsec = inode_security(dir);
1da177e4
LT		 1823 sbsec = dir->i_sb->s_security;
1824
275bb41e 1825 sid = tsec->sid;
275bb41e 1826
50c205f5 1827 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1828 ad.u.dentry = dentry;
1da177e4 1829
275bb41e 1830 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1831 DIR__ADD_NAME | DIR__SEARCH,
1832 &ad);
1833 if (rc)
1834 return rc;
1835
c3c188b2
DH		 1836 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1837 &newsid);
1838 if (rc)
1839 return rc;
1da177e4 1840
275bb41e 1841 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1842 if (rc)
1843 return rc;
1844
1845 return avc_has_perm(newsid, sbsec->sid,
1846 SECCLASS_FILESYSTEM,
1847 FILESYSTEM__ASSOCIATE, &ad);
1848}
1849
4eb582cf
ML		 1850/* Check whether a task can create a key. */
1851static int may_create_key(u32 ksid,
1852 struct task_struct *ctx)
1853{
275bb41e 1854 u32 sid = task_sid(ctx);
4eb582cf 1855
275bb41e 1856 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1857}
1858
828dfe1d
EP		 1859#define MAY_LINK 0
1860#define MAY_UNLINK 1
1861#define MAY_RMDIR 2
1da177e4
LT		 1862
1863/* Check whether a task can link, unlink, or rmdir a file/directory. */
1864static int may_link(struct inode *dir,
1865 struct dentry *dentry,
1866 int kind)
1867
1868{
1da177e4 1869 struct inode_security_struct *dsec, *isec;
2bf49690 1870 struct common_audit_data ad;
275bb41e 1871 u32 sid = current_sid();
1da177e4
LT		 1872 u32 av;
1873 int rc;
1874
83da53c5
AG		 1875 dsec = inode_security(dir);
1876 isec = backing_inode_security(dentry);
1da177e4 1877
50c205f5 1878 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1879 ad.u.dentry = dentry;
1da177e4
LT		 1880
1881 av = DIR__SEARCH;
1882 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1883 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1884 if (rc)
1885 return rc;
1886
1887 switch (kind) {
1888 case MAY_LINK:
1889 av = FILE__LINK;
1890 break;
1891 case MAY_UNLINK:
1892 av = FILE__UNLINK;
1893 break;
1894 case MAY_RMDIR:
1895 av = DIR__RMDIR;
1896 break;
1897 default:
744ba35e
EP		 1898 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1899 __func__, kind);
1da177e4
LT		 1900 return 0;
1901 }
1902
275bb41e 1903 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1904 return rc;
1905}
1906
1907static inline int may_rename(struct inode *old_dir,
1908 struct dentry *old_dentry,
1909 struct inode *new_dir,
1910 struct dentry *new_dentry)
1911{
1da177e4 1912 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1913 struct common_audit_data ad;
275bb41e 1914 u32 sid = current_sid();
1da177e4
LT		 1915 u32 av;
1916 int old_is_dir, new_is_dir;
1917 int rc;
1918
83da53c5
AG		 1919 old_dsec = inode_security(old_dir);
1920 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1921 old_is_dir = d_is_dir(old_dentry);
83da53c5 1922 new_dsec = inode_security(new_dir);
1da177e4 1923
50c205f5 1924 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1925
a269434d 1926 ad.u.dentry = old_dentry;
275bb41e 1927 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1928 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1929 if (rc)
1930 return rc;
275bb41e 1931 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1932 old_isec->sclass, FILE__RENAME, &ad);
1933 if (rc)
1934 return rc;
1935 if (old_is_dir && new_dir != old_dir) {
275bb41e 1936 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1937 old_isec->sclass, DIR__REPARENT, &ad);
1938 if (rc)
1939 return rc;
1940 }
1941
a269434d 1942 ad.u.dentry = new_dentry;
1da177e4 1943 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1944 if (d_is_positive(new_dentry))
1da177e4 1945 av |= DIR__REMOVE_NAME;
275bb41e 1946 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1947 if (rc)
1948 return rc;
2c616d4d 1949 if (d_is_positive(new_dentry)) {
83da53c5 1950 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1951 new_is_dir = d_is_dir(new_dentry);
275bb41e 1952 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1953 new_isec->sclass,
1954 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1955 if (rc)
1956 return rc;
1957 }
1958
1959 return 0;
1960}
1961
1962/* Check whether a task can perform a filesystem operation. */
88e67f3b 1963static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1964 struct super_block *sb,
1965 u32 perms,
2bf49690 1966 struct common_audit_data *ad)
1da177e4 1967{
1da177e4 1968 struct superblock_security_struct *sbsec;
88e67f3b 1969 u32 sid = cred_sid(cred);
1da177e4 1970
1da177e4 1971 sbsec = sb->s_security;
275bb41e 1972 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1973}
1974
1975/* Convert a Linux mode and permission mask to an access vector. */
1976static inline u32 file_mask_to_av(int mode, int mask)
1977{
1978 u32 av = 0;
1979
dba19c60 1980 if (!S_ISDIR(mode)) {
1da177e4
LT		 1981 if (mask & MAY_EXEC)
1982 av |= FILE__EXECUTE;
1983 if (mask & MAY_READ)
1984 av |= FILE__READ;
1985
1986 if (mask & MAY_APPEND)
1987 av |= FILE__APPEND;
1988 else if (mask & MAY_WRITE)
1989 av |= FILE__WRITE;
1990
1991 } else {
1992 if (mask & MAY_EXEC)
1993 av |= DIR__SEARCH;
1994 if (mask & MAY_WRITE)
1995 av |= DIR__WRITE;
1996 if (mask & MAY_READ)
1997 av |= DIR__READ;
1998 }
1999
2000 return av;
2001}
2002
8b6a5a37
EP		 2003/* Convert a Linux file to an access vector. */
2004static inline u32 file_to_av(struct file *file)
2005{
2006 u32 av = 0;
2007
2008 if (file->f_mode & FMODE_READ)
2009 av |= FILE__READ;
2010 if (file->f_mode & FMODE_WRITE) {
2011 if (file->f_flags & O_APPEND)
2012 av |= FILE__APPEND;
2013 else
2014 av |= FILE__WRITE;
2015 }
2016 if (!av) {
2017 /*
2018 * Special file opened with flags 3 for ioctl-only use.
2019 */
2020 av = FILE__IOCTL;
2021 }
2022
2023 return av;
2024}
2025
b0c636b9 2026/*
8b6a5a37 2027 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2028 * open permission.
2029 */
8b6a5a37 2030static inline u32 open_file_to_av(struct file *file)
b0c636b9 2031{
8b6a5a37 2032 u32 av = file_to_av(file);
b0c636b9 2033
49b7b8de
EP		 2034 if (selinux_policycap_openperm)
2035 av |= FILE__OPEN;
2036
b0c636b9
EP		 2037 return av;
2038}
2039
1da177e4
LT		 2040/* Hook functions begin here. */
2041
79af7307
SS		 2042static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2043{
2044 u32 mysid = current_sid();
2045 u32 mgrsid = task_sid(mgr);
2046
2047 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2048 BINDER__SET_CONTEXT_MGR, NULL);
2049}
2050
2051static int selinux_binder_transaction(struct task_struct *from,
2052 struct task_struct *to)
2053{
2054 u32 mysid = current_sid();
2055 u32 fromsid = task_sid(from);
2056 u32 tosid = task_sid(to);
2057 int rc;
2058
2059 if (mysid != fromsid) {
2060 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2061 BINDER__IMPERSONATE, NULL);
2062 if (rc)
2063 return rc;
2064 }
2065
2066 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2067 NULL);
2068}
2069
2070static int selinux_binder_transfer_binder(struct task_struct *from,
2071 struct task_struct *to)
2072{
2073 u32 fromsid = task_sid(from);
2074 u32 tosid = task_sid(to);
2075
2076 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2077 NULL);
2078}
2079
2080static int selinux_binder_transfer_file(struct task_struct *from,
2081 struct task_struct *to,
2082 struct file *file)
2083{
2084 u32 sid = task_sid(to);
2085 struct file_security_struct *fsec = file->f_security;
83da53c5 2086 struct dentry *dentry = file->f_path.dentry;
20cdef8d 2087 struct inode_security_struct *isec;
79af7307
SS		 2088 struct common_audit_data ad;
2089 int rc;
2090
2091 ad.type = LSM_AUDIT_DATA_PATH;
2092 ad.u.path = file->f_path;
2093
2094 if (sid != fsec->sid) {
2095 rc = avc_has_perm(sid, fsec->sid,
2096 SECCLASS_FD,
2097 FD__USE,
2098 &ad);
2099 if (rc)
2100 return rc;
2101 }
2102
83da53c5 2103 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2104 return 0;
2105
20cdef8d 2106 isec = backing_inode_security(dentry);
79af7307
SS		 2107 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2108 &ad);
2109}
2110
9e48858f 2111static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2112 unsigned int mode)
1da177e4 2113{
69f594a3 2114 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2115 u32 sid = current_sid();
2116 u32 csid = task_sid(child);
2117 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2118 }
2119
3b11a1de 2120 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2121}
2122
2123static int selinux_ptrace_traceme(struct task_struct *parent)
2124{
5cd9c58f 2125 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2126}
2127
2128static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2129 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2130{
b1d9e6b0 2131 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2132}
2133
d84f4f99
DH		 2134static int selinux_capset(struct cred *new, const struct cred *old,
2135 const kernel_cap_t *effective,
2136 const kernel_cap_t *inheritable,
2137 const kernel_cap_t *permitted)
1da177e4 2138{
d84f4f99 2139 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2140}
2141
5626d3e8
JM		 2142/*
2143 * (This comment used to live with the selinux_task_setuid hook,
2144 * which was removed).
2145 *
2146 * Since setuid only affects the current process, and since the SELinux
2147 * controls are not based on the Linux identity attributes, SELinux does not
2148 * need to control this operation. However, SELinux does control the use of
2149 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2150 */
2151
6a9de491
EP		 2152static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2153 int cap, int audit)
1da177e4 2154{
6a9de491 2155 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2156}
2157
1da177e4
LT		 2158static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2159{
88e67f3b 2160 const struct cred *cred = current_cred();
1da177e4
LT		 2161 int rc = 0;
2162
2163 if (!sb)
2164 return 0;
2165
2166 switch (cmds) {
828dfe1d
EP		 2167 case Q_SYNC:
2168 case Q_QUOTAON:
2169 case Q_QUOTAOFF:
2170 case Q_SETINFO:
2171 case Q_SETQUOTA:
88e67f3b 2172 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2173 break;
2174 case Q_GETFMT:
2175 case Q_GETINFO:
2176 case Q_GETQUOTA:
88e67f3b 2177 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2178 break;
2179 default:
2180 rc = 0; /* let the kernel handle invalid cmds */
2181 break;
1da177e4
LT		 2182 }
2183 return rc;
2184}
2185
2186static int selinux_quota_on(struct dentry *dentry)
2187{
88e67f3b
DH		 2188 const struct cred *cred = current_cred();
2189
2875fa00 2190 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2191}
2192
12b3052c 2193static int selinux_syslog(int type)
1da177e4
LT		 2194{
2195 int rc;
2196
1da177e4 2197 switch (type) {
d78ca3cd
KC		 2198 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2199 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2200 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2201 break;
d78ca3cd
KC		 2202 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2203 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2204 /* Set level of messages printed to console */
2205 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2206 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2207 break;
d78ca3cd
KC		 2208 case SYSLOG_ACTION_CLOSE: /* Close log */
2209 case SYSLOG_ACTION_OPEN: /* Open log */
2210 case SYSLOG_ACTION_READ: /* Read from log */
2211 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2212 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2213 default:
2214 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2215 break;
1da177e4
LT		 2216 }
2217 return rc;
2218}
2219
2220/*
2221 * Check that a process has enough memory to allocate a new virtual
2222 * mapping. 0 means there is enough memory for the allocation to
2223 * succeed and -ENOMEM implies there is not.
2224 *
1da177e4
LT		 2225 * Do not audit the selinux permission check, as this is applied to all
2226 * processes that allocate mappings.
2227 */
34b4e4aa 2228static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2229{
2230 int rc, cap_sys_admin = 0;
1da177e4 2231
b1d9e6b0
CS		 2232 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2233 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2234 if (rc == 0)
2235 cap_sys_admin = 1;
2236
b1d9e6b0 2237 return cap_sys_admin;
1da177e4
LT		 2238}
2239
2240/* binprm security operations */
2241
0c6181cb
PM		 2242static u32 ptrace_parent_sid(struct task_struct *task)
2243{
2244 u32 sid = 0;
2245 struct task_struct *tracer;
2246
2247 rcu_read_lock();
2248 tracer = ptrace_parent(task);
2249 if (tracer)
2250 sid = task_sid(tracer);
2251 rcu_read_unlock();
2252
2253 return sid;
2254}
2255
7b0d0b40
SS		 2256static int check_nnp_nosuid(const struct linux_binprm *bprm,
2257 const struct task_security_struct *old_tsec,
2258 const struct task_security_struct *new_tsec)
2259{
2260 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2261 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2262 int rc;
2263
2264 if (!nnp && !nosuid)
2265 return 0; /* neither NNP nor nosuid */
2266
2267 if (new_tsec->sid == old_tsec->sid)
2268 return 0; /* No change in credentials */
2269
2270 /*
2271 * The only transitions we permit under NNP or nosuid
2272 * are transitions to bounded SIDs, i.e. SIDs that are
2273 * guaranteed to only be allowed a subset of the permissions
2274 * of the current SID.
2275 */
2276 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2277 if (rc) {
2278 /*
2279 * On failure, preserve the errno values for NNP vs nosuid.
2280 * NNP: Operation not permitted for caller.
2281 * nosuid: Permission denied to file.
2282 */
2283 if (nnp)
2284 return -EPERM;
2285 else
2286 return -EACCES;
2287 }
2288 return 0;
2289}
2290
a6f76f23 2291static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2292{
a6f76f23
DH		 2293 const struct task_security_struct *old_tsec;
2294 struct task_security_struct *new_tsec;
1da177e4 2295 struct inode_security_struct *isec;
2bf49690 2296 struct common_audit_data ad;
496ad9aa 2297 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2298 int rc;
2299
a6f76f23
DH		 2300 /* SELinux context only depends on initial program or script and not
2301 * the script interpreter */
2302 if (bprm->cred_prepared)
1da177e4
LT		 2303 return 0;
2304
a6f76f23
DH		 2305 old_tsec = current_security();
2306 new_tsec = bprm->cred->security;
83da53c5 2307 isec = inode_security(inode);
1da177e4
LT		 2308
2309 /* Default to the current task SID. */
a6f76f23
DH		 2310 new_tsec->sid = old_tsec->sid;
2311 new_tsec->osid = old_tsec->sid;
1da177e4 2312
28eba5bf 2313 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2314 new_tsec->create_sid = 0;
2315 new_tsec->keycreate_sid = 0;
2316 new_tsec->sockcreate_sid = 0;
1da177e4 2317
a6f76f23
DH		 2318 if (old_tsec->exec_sid) {
2319 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2320 /* Reset exec SID on execve. */
a6f76f23 2321 new_tsec->exec_sid = 0;
259e5e6c 2322
7b0d0b40
SS		 2323 /* Fail on NNP or nosuid if not an allowed transition. */
2324 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2325 if (rc)
2326 return rc;
1da177e4
LT		 2327 } else {
2328 /* Check for a default transition on this program. */
a6f76f23 2329 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2330 SECCLASS_PROCESS, NULL,
2331 &new_tsec->sid);
1da177e4
LT		 2332 if (rc)
2333 return rc;
7b0d0b40
SS		 2334
2335 /*
2336 * Fallback to old SID on NNP or nosuid if not an allowed
2337 * transition.
2338 */
2339 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2340 if (rc)
2341 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2342 }
2343
50c205f5 2344 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2345 ad.u.path = bprm->file->f_path;
1da177e4 2346
a6f76f23
DH		 2347 if (new_tsec->sid == old_tsec->sid) {
2348 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2349 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2350 if (rc)
2351 return rc;
2352 } else {
2353 /* Check permissions for the transition. */
a6f76f23 2354 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2355 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2356 if (rc)
2357 return rc;
2358
a6f76f23 2359 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2360 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2361 if (rc)
2362 return rc;
2363
a6f76f23
DH		 2364 /* Check for shared state */
2365 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2366 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2367 SECCLASS_PROCESS, PROCESS__SHARE,
2368 NULL);
2369 if (rc)
2370 return -EPERM;
2371 }
2372
2373 /* Make sure that anyone attempting to ptrace over a task that
2374 * changes its SID has the appropriate permit */
2375 if (bprm->unsafe &
2376 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0c6181cb 2377 u32 ptsid = ptrace_parent_sid(current);
a6f76f23
DH		 2378 if (ptsid != 0) {
2379 rc = avc_has_perm(ptsid, new_tsec->sid,
2380 SECCLASS_PROCESS,
2381 PROCESS__PTRACE, NULL);
2382 if (rc)
2383 return -EPERM;
2384 }
2385 }
1da177e4 2386
a6f76f23
DH		 2387 /* Clear any possibly unsafe personality bits on exec: */
2388 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2389 }
2390
1da177e4
LT		 2391 return 0;
2392}
2393
828dfe1d 2394static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2395{
5fb49870 2396 const struct task_security_struct *tsec = current_security();
275bb41e 2397 u32 sid, osid;
1da177e4
LT		 2398 int atsecure = 0;
2399
275bb41e
DH		 2400 sid = tsec->sid;
2401 osid = tsec->osid;
2402
2403 if (osid != sid) {
1da177e4
LT		 2404 /* Enable secure mode for SIDs transitions unless
2405 the noatsecure permission is granted between
2406 the two SIDs, i.e. ahp returns 0. */
275bb41e 2407 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2408 SECCLASS_PROCESS,
2409 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2410 }
2411
b1d9e6b0 2412 return !!atsecure;
1da177e4
LT		 2413}
2414
c3c073f8
AV		 2415static int match_file(const void *p, struct file *file, unsigned fd)
2416{
2417 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2418}
2419
1da177e4 2420/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2421static inline void flush_unauthorized_files(const struct cred *cred,
2422 struct files_struct *files)
1da177e4 2423{
1da177e4 2424 struct file *file, *devnull = NULL;
b20c8122 2425 struct tty_struct *tty;
24ec839c 2426 int drop_tty = 0;
c3c073f8 2427 unsigned n;
1da177e4 2428
24ec839c 2429 tty = get_current_tty();
1da177e4 2430 if (tty) {
4a510969 2431 spin_lock(&tty->files_lock);
37dd0bd0 2432 if (!list_empty(&tty->tty_files)) {
d996b62a 2433 struct tty_file_private *file_priv;
37dd0bd0 2434
1da177e4 2435 /* Revalidate access to controlling tty.
13f8e981
DH		 2436 Use file_path_has_perm on the tty path directly
2437 rather than using file_has_perm, as this particular
2438 open file may belong to another process and we are
2439 only interested in the inode-based check here. */
d996b62a
NP		 2440 file_priv = list_first_entry(&tty->tty_files,
2441 struct tty_file_private, list);
2442 file = file_priv->file;
13f8e981 2443 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2444 drop_tty = 1;
1da177e4 2445 }
4a510969 2446 spin_unlock(&tty->files_lock);
452a00d2 2447 tty_kref_put(tty);
1da177e4 2448 }
98a27ba4
EB		 2449 /* Reset controlling tty. */
2450 if (drop_tty)
2451 no_tty();
1da177e4
LT		 2452
2453 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2454 n = iterate_fd(files, 0, match_file, cred);
2455 if (!n) /* none found? */
2456 return;
1da177e4 2457
c3c073f8 2458 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2459 if (IS_ERR(devnull))
2460 devnull = NULL;
2461 /* replace all the matching ones with this */
2462 do {
2463 replace_fd(n - 1, devnull, 0);
2464 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2465 if (devnull)
c3c073f8 2466 fput(devnull);
1da177e4
LT		 2467}
2468
a6f76f23
DH		 2469/*
2470 * Prepare a process for imminent new credential changes due to exec
2471 */
2472static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2473{
a6f76f23
DH		 2474 struct task_security_struct *new_tsec;
2475 struct rlimit *rlim, *initrlim;
2476 int rc, i;
d84f4f99 2477
a6f76f23
DH		 2478 new_tsec = bprm->cred->security;
2479 if (new_tsec->sid == new_tsec->osid)
2480 return;
1da177e4 2481
a6f76f23
DH		 2482 /* Close files for which the new task SID is not authorized. */
2483 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2484
a6f76f23
DH		 2485 /* Always clear parent death signal on SID transitions. */
2486 current->pdeath_signal = 0;
0356357c 2487
a6f76f23
DH		 2488 /* Check whether the new SID can inherit resource limits from the old
2489 * SID. If not, reset all soft limits to the lower of the current
2490 * task's hard limit and the init task's soft limit.
2491 *
2492 * Note that the setting of hard limits (even to lower them) can be
2493 * controlled by the setrlimit check. The inclusion of the init task's
2494 * soft limit into the computation is to avoid resetting soft limits
2495 * higher than the default soft limit for cases where the default is
2496 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2497 */
2498 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2499 PROCESS__RLIMITINH, NULL);
2500 if (rc) {
eb2d55a3
ON		 2501 /* protect against do_prlimit() */
2502 task_lock(current);
a6f76f23
DH		 2503 for (i = 0; i < RLIM_NLIMITS; i++) {
2504 rlim = current->signal->rlim + i;
2505 initrlim = init_task.signal->rlim + i;
2506 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2507 }
eb2d55a3
ON		 2508 task_unlock(current);
2509 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2510 }
2511}
2512
2513/*
a6f76f23
DH		 2514 * Clean up the process immediately after the installation of new credentials
2515 * due to exec
1da177e4 2516 */
a6f76f23 2517static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2518{
a6f76f23 2519 const struct task_security_struct *tsec = current_security();
1da177e4 2520 struct itimerval itimer;
a6f76f23 2521 u32 osid, sid;
1da177e4
LT		 2522 int rc, i;
2523
a6f76f23
DH		 2524 osid = tsec->osid;
2525 sid = tsec->sid;
2526
2527 if (sid == osid)
1da177e4
LT		 2528 return;
2529
a6f76f23
DH		 2530 /* Check whether the new SID can inherit signal state from the old SID.
2531 * If not, clear itimers to avoid subsequent signal generation and
2532 * flush and unblock signals.
2533 *
2534 * This must occur _after_ the task SID has been updated so that any
2535 * kill done after the flush will be checked against the new SID.
2536 */
2537 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2538 if (rc) {
2539 memset(&itimer, 0, sizeof itimer);
2540 for (i = 0; i < 3; i++)
2541 do_setitimer(i, &itimer, NULL);
1da177e4 2542 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2543 if (!fatal_signal_pending(current)) {
2544 flush_sigqueue(&current->pending);
2545 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2546 flush_signal_handlers(current, 1);
2547 sigemptyset(&current->blocked);
9e7c8f8c 2548 recalc_sigpending();
3bcac026 2549 }
1da177e4
LT		 2550 spin_unlock_irq(&current->sighand->siglock);
2551 }
2552
a6f76f23
DH		 2553 /* Wake up the parent if it is waiting so that it can recheck
2554 * wait permission to the new task SID. */
ecd6de3c 2555 read_lock(&tasklist_lock);
0b7570e7 2556 __wake_up_parent(current, current->real_parent);
ecd6de3c 2557 read_unlock(&tasklist_lock);
1da177e4
LT		 2558}
2559
2560/* superblock security operations */
2561
2562static int selinux_sb_alloc_security(struct super_block *sb)
2563{
2564 return superblock_alloc_security(sb);
2565}
2566
2567static void selinux_sb_free_security(struct super_block *sb)
2568{
2569 superblock_free_security(sb);
2570}
2571
2572static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2573{
2574 if (plen > olen)
2575 return 0;
2576
2577 return !memcmp(prefix, option, plen);
2578}
2579
2580static inline int selinux_option(char *option, int len)
2581{
832cbd9a
EP		 2582 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2583 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2584 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2585 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2586 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2587}
2588
2589static inline void take_option(char **to, char *from, int *first, int len)
2590{
2591 if (!*first) {
2592 **to = ',';
2593 *to += 1;
3528a953 2594 } else
1da177e4
LT		 2595 *first = 0;
2596 memcpy(*to, from, len);
2597 *to += len;
2598}
2599
828dfe1d
EP		 2600static inline void take_selinux_option(char **to, char *from, int *first,
2601 int len)
3528a953
CO		 2602{
2603 int current_size = 0;
2604
2605 if (!*first) {
2606 **to = '|';
2607 *to += 1;
828dfe1d 2608 } else
3528a953
CO		 2609 *first = 0;
2610
2611 while (current_size < len) {
2612 if (*from != '"') {
2613 **to = *from;
2614 *to += 1;
2615 }
2616 from += 1;
2617 current_size += 1;
2618 }
2619}
2620
e0007529 2621static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2622{
2623 int fnosec, fsec, rc = 0;
2624 char *in_save, *in_curr, *in_end;
2625 char *sec_curr, *nosec_save, *nosec;
3528a953 2626 int open_quote = 0;
1da177e4
LT		 2627
2628 in_curr = orig;
2629 sec_curr = copy;
2630
1da177e4
LT		 2631 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2632 if (!nosec) {
2633 rc = -ENOMEM;
2634 goto out;
2635 }
2636
2637 nosec_save = nosec;
2638 fnosec = fsec = 1;
2639 in_save = in_end = orig;
2640
2641 do {
3528a953
CO		 2642 if (*in_end == '"')
2643 open_quote = !open_quote;
2644 if ((*in_end == ',' && open_quote == 0) ||
2645 *in_end == '\0') {
1da177e4
LT		 2646 int len = in_end - in_curr;
2647
2648 if (selinux_option(in_curr, len))
3528a953 2649 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2650 else
2651 take_option(&nosec, in_curr, &fnosec, len);
2652
2653 in_curr = in_end + 1;
2654 }
2655 } while (*in_end++);
2656
6931dfc9 2657 strcpy(in_save, nosec_save);
da3caa20 2658 free_page((unsigned long)nosec_save);
1da177e4
LT		 2659out:
2660 return rc;
2661}
2662
026eb167
EP		 2663static int selinux_sb_remount(struct super_block *sb, void *data)
2664{
2665 int rc, i, *flags;
2666 struct security_mnt_opts opts;
2667 char *secdata, **mount_options;
2668 struct superblock_security_struct *sbsec = sb->s_security;
2669
2670 if (!(sbsec->flags & SE_SBINITIALIZED))
2671 return 0;
2672
2673 if (!data)
2674 return 0;
2675
2676 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2677 return 0;
2678
2679 security_init_mnt_opts(&opts);
2680 secdata = alloc_secdata();
2681 if (!secdata)
2682 return -ENOMEM;
2683 rc = selinux_sb_copy_data(data, secdata);
2684 if (rc)
2685 goto out_free_secdata;
2686
2687 rc = selinux_parse_opts_str(secdata, &opts);
2688 if (rc)
2689 goto out_free_secdata;
2690
2691 mount_options = opts.mnt_opts;
2692 flags = opts.mnt_opts_flags;
2693
2694 for (i = 0; i < opts.num_mnt_opts; i++) {
2695 u32 sid;
026eb167 2696
12f348b9 2697 if (flags[i] == SBLABEL_MNT)
026eb167 2698 continue;
44be2f65 2699 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2700 if (rc) {
44be2f65 2701 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2702 "(%s) failed for (dev %s, type %s) errno=%d\n",
2703 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2704 goto out_free_opts;
2705 }
2706 rc = -EINVAL;
2707 switch (flags[i]) {
2708 case FSCONTEXT_MNT:
2709 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2710 goto out_bad_option;
2711 break;
2712 case CONTEXT_MNT:
2713 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2714 goto out_bad_option;
2715 break;
2716 case ROOTCONTEXT_MNT: {
2717 struct inode_security_struct *root_isec;
83da53c5 2718 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2719
2720 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2721 goto out_bad_option;
2722 break;
2723 }
2724 case DEFCONTEXT_MNT:
2725 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2726 goto out_bad_option;
2727 break;
2728 default:
2729 goto out_free_opts;
2730 }
2731 }
2732
2733 rc = 0;
2734out_free_opts:
2735 security_free_mnt_opts(&opts);
2736out_free_secdata:
2737 free_secdata(secdata);
2738 return rc;
2739out_bad_option:
2740 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2741 "during remount (dev %s, type=%s)\n", sb->s_id,
2742 sb->s_type->name);
026eb167
EP		 2743 goto out_free_opts;
2744}
2745
12204e24 2746static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2747{
88e67f3b 2748 const struct cred *cred = current_cred();
2bf49690 2749 struct common_audit_data ad;
1da177e4
LT		 2750 int rc;
2751
2752 rc = superblock_doinit(sb, data);
2753 if (rc)
2754 return rc;
2755
74192246
JM		 2756 /* Allow all mounts performed by the kernel */
2757 if (flags & MS_KERNMOUNT)
2758 return 0;
2759
50c205f5 2760 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2761 ad.u.dentry = sb->s_root;
88e67f3b 2762 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2763}
2764
726c3342 2765static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2766{
88e67f3b 2767 const struct cred *cred = current_cred();
2bf49690 2768 struct common_audit_data ad;
1da177e4 2769
50c205f5 2770 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2771 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2772 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2773}
2774
808d4e3c 2775static int selinux_mount(const char *dev_name,
b5266eb4 2776 struct path *path,
808d4e3c 2777 const char *type,
828dfe1d
EP		 2778 unsigned long flags,
2779 void *data)
1da177e4 2780{
88e67f3b 2781 const struct cred *cred = current_cred();
1da177e4
LT		 2782
2783 if (flags & MS_REMOUNT)
d8c9584e 2784 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2785 FILESYSTEM__REMOUNT, NULL);
1da177e4 2786 else
2875fa00 2787 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2788}
2789
2790static int selinux_umount(struct vfsmount *mnt, int flags)
2791{
88e67f3b 2792 const struct cred *cred = current_cred();
1da177e4 2793
88e67f3b 2794 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2795 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2796}
2797
2798/* inode security operations */
2799
2800static int selinux_inode_alloc_security(struct inode *inode)
2801{
2802 return inode_alloc_security(inode);
2803}
2804
2805static void selinux_inode_free_security(struct inode *inode)
2806{
2807 inode_free_security(inode);
2808}
2809
d47be3df
DQ		 2810static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2811 struct qstr *name, void **ctx,
2812 u32 *ctxlen)
2813{
d47be3df
DQ		 2814 u32 newsid;
2815 int rc;
2816
c3c188b2
DH		 2817 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2818 inode_mode_to_security_class(mode),
2819 &newsid);
2820 if (rc)
2821 return rc;
d47be3df
DQ		 2822
2823 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2824}
2825
5e41ff9e 2826static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2827 const struct qstr *qstr,
2828 const char **name,
2a7dba39 2829 void **value, size_t *len)
5e41ff9e 2830{
5fb49870 2831 const struct task_security_struct *tsec = current_security();
5e41ff9e 2832 struct superblock_security_struct *sbsec;
275bb41e 2833 u32 sid, newsid, clen;
5e41ff9e 2834 int rc;
9548906b 2835 char *context;
5e41ff9e 2836
5e41ff9e 2837 sbsec = dir->i_sb->s_security;
5e41ff9e 2838
275bb41e
DH		 2839 sid = tsec->sid;
2840 newsid = tsec->create_sid;
2841
c3c188b2
DH		 2842 rc = selinux_determine_inode_label(
2843 dir, qstr,
2844 inode_mode_to_security_class(inode->i_mode),
2845 &newsid);
2846 if (rc)
2847 return rc;
5e41ff9e 2848
296fddf7 2849 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2850 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2851 struct inode_security_struct *isec = inode->i_security;
2852 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2853 isec->sid = newsid;
6f3be9f5 2854 isec->initialized = LABEL_INITIALIZED;
296fddf7 2855 }
5e41ff9e 2856
12f348b9 2857 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2858 return -EOPNOTSUPP;
2859
9548906b
TH		 2860 if (name)
2861 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2862
570bc1c2 2863 if (value && len) {
12b29f34 2864 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2865 if (rc)
570bc1c2 2866 return rc;
570bc1c2
SS		 2867 *value = context;
2868 *len = clen;
5e41ff9e 2869 }
5e41ff9e 2870
5e41ff9e
SS		 2871 return 0;
2872}
2873
4acdaf27 2874static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2875{
2876 return may_create(dir, dentry, SECCLASS_FILE);
2877}
2878
1da177e4
LT		 2879static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2880{
1da177e4
LT		 2881 return may_link(dir, old_dentry, MAY_LINK);
2882}
2883
1da177e4
LT		 2884static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2885{
1da177e4
LT		 2886 return may_link(dir, dentry, MAY_UNLINK);
2887}
2888
2889static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2890{
2891 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2892}
2893
18bb1db3 2894static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2895{
2896 return may_create(dir, dentry, SECCLASS_DIR);
2897}
2898
1da177e4
LT		 2899static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2900{
2901 return may_link(dir, dentry, MAY_RMDIR);
2902}
2903
1a67aafb 2904static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2905{
1da177e4
LT		 2906 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2907}
2908
1da177e4 2909static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2910 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2911{
2912 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2913}
2914
1da177e4
LT		 2915static int selinux_inode_readlink(struct dentry *dentry)
2916{
88e67f3b
DH		 2917 const struct cred *cred = current_cred();
2918
2875fa00 2919 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2920}
2921
bda0be7a
N		 2922static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2923 bool rcu)
1da177e4 2924{
88e67f3b 2925 const struct cred *cred = current_cred();
bda0be7a
N		 2926 struct common_audit_data ad;
2927 struct inode_security_struct *isec;
2928 u32 sid;
1da177e4 2929
bda0be7a
N		 2930 validate_creds(cred);
2931
2932 ad.type = LSM_AUDIT_DATA_DENTRY;
2933 ad.u.dentry = dentry;
2934 sid = cred_sid(cred);
5d226df4
AG		 2935 isec = inode_security_rcu(inode, rcu);
2936 if (IS_ERR(isec))
2937 return PTR_ERR(isec);
bda0be7a
N		 2938
2939 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2940 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2941}
2942
d4cf970d
EP		 2943static noinline int audit_inode_permission(struct inode *inode,
2944 u32 perms, u32 audited, u32 denied,
626b9740 2945 int result,
d4cf970d 2946 unsigned flags)
1da177e4 2947{
b782e0a6 2948 struct common_audit_data ad;
d4cf970d
EP		 2949 struct inode_security_struct *isec = inode->i_security;
2950 int rc;
2951
50c205f5 2952 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2953 ad.u.inode = inode;
2954
2955 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2956 audited, denied, result, &ad, flags);
d4cf970d
EP		 2957 if (rc)
2958 return rc;
2959 return 0;
2960}
2961
e74f71eb 2962static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2963{
88e67f3b 2964 const struct cred *cred = current_cred();
b782e0a6
EP		 2965 u32 perms;
2966 bool from_access;
cf1dd1da 2967 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2968 struct inode_security_struct *isec;
2969 u32 sid;
2970 struct av_decision avd;
2971 int rc, rc2;
2972 u32 audited, denied;
1da177e4 2973
b782e0a6 2974 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2975 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2976
b782e0a6
EP		 2977 /* No permission to check. Existence test. */
2978 if (!mask)
1da177e4 2979 return 0;
1da177e4 2980
2e334057 2981 validate_creds(cred);
b782e0a6 2982
2e334057
EP		 2983 if (unlikely(IS_PRIVATE(inode)))
2984 return 0;
b782e0a6
EP		 2985
2986 perms = file_mask_to_av(inode->i_mode, mask);
2987
2e334057 2988 sid = cred_sid(cred);
5d226df4
AG		 2989 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2990 if (IS_ERR(isec))
2991 return PTR_ERR(isec);
2e334057
EP		 2992
2993 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2994 audited = avc_audit_required(perms, &avd, rc,
2995 from_access ? FILE__AUDIT_ACCESS : 0,
2996 &denied);
2997 if (likely(!audited))
2998 return rc;
2999
626b9740 3000 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3001 if (rc2)
3002 return rc2;
3003 return rc;
1da177e4
LT		 3004}
3005
3006static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3007{
88e67f3b 3008 const struct cred *cred = current_cred();
bc6a6008 3009 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3010 __u32 av = FILE__WRITE;
1da177e4 3011
bc6a6008
AW		 3012 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3013 if (ia_valid & ATTR_FORCE) {
3014 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3015 ATTR_FORCE);
3016 if (!ia_valid)
3017 return 0;
3018 }
1da177e4 3019
bc6a6008
AW		 3020 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3021 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3022 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3023
44d37ad3
JVS		 3024 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3025 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3026 av |= FILE__OPEN;
3027
3028 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3029}
3030
3f7036a0 3031static int selinux_inode_getattr(const struct path *path)
1da177e4 3032{
3f7036a0 3033 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3034}
3035
8f0cfa52 3036static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3037{
88e67f3b
DH		 3038 const struct cred *cred = current_cred();
3039
b5376771
SH		 3040 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3041 sizeof XATTR_SECURITY_PREFIX - 1)) {
3042 if (!strcmp(name, XATTR_NAME_CAPS)) {
3043 if (!capable(CAP_SETFCAP))
3044 return -EPERM;
3045 } else if (!capable(CAP_SYS_ADMIN)) {
3046 /* A different attribute in the security namespace.
3047 Restrict to administrator. */
3048 return -EPERM;
3049 }
3050 }
3051
3052 /* Not an attribute we recognize, so just check the
3053 ordinary setattr permission. */
2875fa00 3054 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3055}
3056
8f0cfa52
DH		 3057static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3058 const void *value, size_t size, int flags)
1da177e4 3059{
c6f493d6 3060 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3061 struct inode_security_struct *isec;
1da177e4 3062 struct superblock_security_struct *sbsec;
2bf49690 3063 struct common_audit_data ad;
275bb41e 3064 u32 newsid, sid = current_sid();
1da177e4
LT		 3065 int rc = 0;
3066
b5376771
SH		 3067 if (strcmp(name, XATTR_NAME_SELINUX))
3068 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3069
3070 sbsec = inode->i_sb->s_security;
12f348b9 3071 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3072 return -EOPNOTSUPP;
3073
2e149670 3074 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3075 return -EPERM;
3076
50c205f5 3077 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3078 ad.u.dentry = dentry;
1da177e4 3079
20cdef8d 3080 isec = backing_inode_security(dentry);
275bb41e 3081 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3082 FILE__RELABELFROM, &ad);
3083 if (rc)
3084 return rc;
3085
52a4c640 3086 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3087 if (rc == -EINVAL) {
d6ea83ec
EP		 3088 if (!capable(CAP_MAC_ADMIN)) {
3089 struct audit_buffer *ab;
3090 size_t audit_size;
3091 const char *str;
3092
3093 /* We strip a nul only if it is at the end, otherwise the
3094 * context contains a nul and we should audit that */
e3fea3f7
AV		 3095 if (value) {
3096 str = value;
3097 if (str[size - 1] == '\0')
3098 audit_size = size - 1;
3099 else
3100 audit_size = size;
3101 } else {
3102 str = "";
3103 audit_size = 0;
3104 }
d6ea83ec
EP		 3105 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3106 audit_log_format(ab, "op=setxattr invalid_context=");
3107 audit_log_n_untrustedstring(ab, value, audit_size);
3108 audit_log_end(ab);
3109
12b29f34 3110 return rc;
d6ea83ec 3111 }
12b29f34
SS		 3112 rc = security_context_to_sid_force(value, size, &newsid);
3113 }
1da177e4
LT		 3114 if (rc)
3115 return rc;
3116
275bb41e 3117 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3118 FILE__RELABELTO, &ad);
3119 if (rc)
3120 return rc;
3121
275bb41e 3122 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3123 isec->sclass);
1da177e4
LT		 3124 if (rc)
3125 return rc;
3126
3127 return avc_has_perm(newsid,
3128 sbsec->sid,
3129 SECCLASS_FILESYSTEM,
3130 FILESYSTEM__ASSOCIATE,
3131 &ad);
3132}
3133
8f0cfa52 3134static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3135 const void *value, size_t size,
8f0cfa52 3136 int flags)
1da177e4 3137{
c6f493d6 3138 struct inode *inode = d_backing_inode(dentry);
20cdef8d 3139 struct inode_security_struct *isec;
1da177e4
LT		 3140 u32 newsid;
3141 int rc;
3142
3143 if (strcmp(name, XATTR_NAME_SELINUX)) {
3144 /* Not an attribute we recognize, so nothing to do. */
3145 return;
3146 }
3147
12b29f34 3148 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3149 if (rc) {
12b29f34
SS		 3150 printk(KERN_ERR "SELinux: unable to map context to SID"
3151 "for (%s, %lu), rc=%d\n",
3152 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3153 return;
3154 }
3155
20cdef8d 3156 isec = backing_inode_security(dentry);
aa9c2669 3157 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3158 isec->sid = newsid;
6f3be9f5 3159 isec->initialized = LABEL_INITIALIZED;
aa9c2669 3160
1da177e4
LT		 3161 return;
3162}
3163
8f0cfa52 3164static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3165{
88e67f3b
DH		 3166 const struct cred *cred = current_cred();
3167
2875fa00 3168 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3169}
3170
828dfe1d 3171static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3172{
88e67f3b
DH		 3173 const struct cred *cred = current_cred();
3174
2875fa00 3175 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3176}
3177
8f0cfa52 3178static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3179{
b5376771
SH		 3180 if (strcmp(name, XATTR_NAME_SELINUX))
3181 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3182
3183 /* No one is allowed to remove a SELinux security label.
3184 You can change the label, but all data must be labeled. */
3185 return -EACCES;
3186}
3187
d381d8a9 3188/*
abc69bb6 3189 * Copy the inode security context value to the user.
d381d8a9
JM		 3190 *
3191 * Permission check is handled by selinux_inode_getxattr hook.
3192 */
ea861dfd 3193static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3194{
42492594
DQ		 3195 u32 size;
3196 int error;
3197 char *context = NULL;
20cdef8d 3198 struct inode_security_struct *isec;
d381d8a9 3199
8c8570fb
DK		 3200 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3201 return -EOPNOTSUPP;
d381d8a9 3202
abc69bb6
SS		 3203 /*
3204 * If the caller has CAP_MAC_ADMIN, then get the raw context
3205 * value even if it is not defined by current policy; otherwise,
3206 * use the in-core value under current policy.
3207 * Use the non-auditing forms of the permission checks since
3208 * getxattr may be called by unprivileged processes commonly
3209 * and lack of permission just means that we fall back to the
3210 * in-core context value, not a denial.
3211 */
b1d9e6b0
CS		 3212 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3213 SECURITY_CAP_NOAUDIT);
3214 if (!error)
3215 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3216 SECURITY_CAP_NOAUDIT);
20cdef8d 3217 isec = inode_security(inode);
abc69bb6
SS		 3218 if (!error)
3219 error = security_sid_to_context_force(isec->sid, &context,
3220 &size);
3221 else
3222 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3223 if (error)
3224 return error;
3225 error = size;
3226 if (alloc) {
3227 *buffer = context;
3228 goto out_nofree;
3229 }
3230 kfree(context);
3231out_nofree:
3232 return error;
1da177e4
LT		 3233}
3234
3235static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3236 const void *value, size_t size, int flags)
1da177e4 3237{
2c97165b 3238 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3239 u32 newsid;
3240 int rc;
3241
3242 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3243 return -EOPNOTSUPP;
3244
3245 if (!value || !size)
3246 return -EACCES;
3247
20ba96ae 3248 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3249 if (rc)
3250 return rc;
3251
aa9c2669 3252 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3253 isec->sid = newsid;
6f3be9f5 3254 isec->initialized = LABEL_INITIALIZED;
1da177e4
LT		 3255 return 0;
3256}
3257
3258static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3259{
3260 const int len = sizeof(XATTR_NAME_SELINUX);
3261 if (buffer && len <= buffer_size)
3262 memcpy(buffer, XATTR_NAME_SELINUX, len);
3263 return len;
3264}
3265
d6335d77 3266static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3267{
e817c2f3 3268 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3269 *secid = isec->sid;
3270}
3271
1da177e4
LT		 3272/* file security operations */
3273
788e7dd4 3274static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3275{
88e67f3b 3276 const struct cred *cred = current_cred();
496ad9aa 3277 struct inode *inode = file_inode(file);
1da177e4 3278
1da177e4
LT		 3279 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3280 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3281 mask |= MAY_APPEND;
3282
389fb800
PM		 3283 return file_has_perm(cred, file,
3284 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3285}
3286
788e7dd4
YN		 3287static int selinux_file_permission(struct file *file, int mask)
3288{
496ad9aa 3289 struct inode *inode = file_inode(file);
20dda18b 3290 struct file_security_struct *fsec = file->f_security;
b197367e 3291 struct inode_security_struct *isec;
20dda18b
SS		 3292 u32 sid = current_sid();
3293
389fb800 3294 if (!mask)
788e7dd4
YN		 3295 /* No permission to check. Existence test. */
3296 return 0;
788e7dd4 3297
b197367e 3298 isec = inode_security(inode);
20dda18b
SS		 3299 if (sid == fsec->sid && fsec->isid == isec->sid &&
3300 fsec->pseqno == avc_policy_seqno())
83d49856 3301 /* No change since file_open check. */
20dda18b
SS		 3302 return 0;
3303
788e7dd4
YN		 3304 return selinux_revalidate_file_permission(file, mask);
3305}
3306
1da177e4
LT		 3307static int selinux_file_alloc_security(struct file *file)
3308{
3309 return file_alloc_security(file);
3310}
3311
3312static void selinux_file_free_security(struct file *file)
3313{
3314 file_free_security(file);
3315}
3316
fa1aa143
JVS		 3317/*
3318 * Check whether a task has the ioctl permission and cmd
3319 * operation to an inode.
3320 */
1d2a168a 3321static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3322 u32 requested, u16 cmd)
3323{
3324 struct common_audit_data ad;
3325 struct file_security_struct *fsec = file->f_security;
3326 struct inode *inode = file_inode(file);
20cdef8d 3327 struct inode_security_struct *isec;
fa1aa143
JVS		 3328 struct lsm_ioctlop_audit ioctl;
3329 u32 ssid = cred_sid(cred);
3330 int rc;
3331 u8 driver = cmd >> 8;
3332 u8 xperm = cmd & 0xff;
3333
3334 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3335 ad.u.op = &ioctl;
3336 ad.u.op->cmd = cmd;
3337 ad.u.op->path = file->f_path;
3338
3339 if (ssid != fsec->sid) {
3340 rc = avc_has_perm(ssid, fsec->sid,
3341 SECCLASS_FD,
3342 FD__USE,
3343 &ad);
3344 if (rc)
3345 goto out;
3346 }
3347
3348 if (unlikely(IS_PRIVATE(inode)))
3349 return 0;
3350
20cdef8d 3351 isec = inode_security(inode);
fa1aa143
JVS		 3352 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3353 requested, driver, xperm, &ad);
3354out:
3355 return rc;
3356}
3357
1da177e4
LT		 3358static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3359 unsigned long arg)
3360{
88e67f3b 3361 const struct cred *cred = current_cred();
0b24dcb7 3362 int error = 0;
1da177e4 3363
0b24dcb7
EP		 3364 switch (cmd) {
3365 case FIONREAD:
3366 /* fall through */
3367 case FIBMAP:
3368 /* fall through */
3369 case FIGETBSZ:
3370 /* fall through */
2f99c369 3371 case FS_IOC_GETFLAGS:
0b24dcb7 3372 /* fall through */
2f99c369 3373 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3374 error = file_has_perm(cred, file, FILE__GETATTR);
3375 break;
1da177e4 3376
2f99c369 3377 case FS_IOC_SETFLAGS:
0b24dcb7 3378 /* fall through */
2f99c369 3379 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3380 error = file_has_perm(cred, file, FILE__SETATTR);
3381 break;
3382
3383 /* sys_ioctl() checks */
3384 case FIONBIO:
3385 /* fall through */
3386 case FIOASYNC:
3387 error = file_has_perm(cred, file, 0);
3388 break;
1da177e4 3389
0b24dcb7
EP		 3390 case KDSKBENT:
3391 case KDSKBSENT:
6a9de491
EP		 3392 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3393 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3394 break;
3395
3396 /* default case assumes that the command will go
3397 * to the file's ioctl() function.
3398 */
3399 default:
fa1aa143 3400 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3401 }
3402 return error;
1da177e4
LT		 3403}
3404
fcaaade1
SS		 3405static int default_noexec;
3406
1da177e4
LT		 3407static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3408{
88e67f3b 3409 const struct cred *cred = current_cred();
d84f4f99 3410 int rc = 0;
88e67f3b 3411
fcaaade1 3412 if (default_noexec &&
892e8cac
SS		 3413 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3414 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3415 /*
3416 * We are making executable an anonymous mapping or a
3417 * private file mapping that will also be writable.
3418 * This has an additional check.
3419 */
d84f4f99 3420 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3421 if (rc)
d84f4f99 3422 goto error;
1da177e4 3423 }
1da177e4
LT		 3424
3425 if (file) {
3426 /* read access is always possible with a mapping */
3427 u32 av = FILE__READ;
3428
3429 /* write access only matters if the mapping is shared */
3430 if (shared && (prot & PROT_WRITE))
3431 av |= FILE__WRITE;
3432
3433 if (prot & PROT_EXEC)
3434 av |= FILE__EXECUTE;
3435
88e67f3b 3436 return file_has_perm(cred, file, av);
1da177e4 3437 }
d84f4f99
DH		 3438
3439error:
3440 return rc;
1da177e4
LT		 3441}
3442
e5467859 3443static int selinux_mmap_addr(unsigned long addr)
1da177e4 3444{
b1d9e6b0 3445 int rc = 0;
1da177e4 3446
a2551df7 3447 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3448 u32 sid = current_sid();
ed032189
EP		 3449 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3450 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3451 }
3452
98883bfd 3453 return rc;
e5467859 3454}
1da177e4 3455
e5467859
AV		 3456static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3457 unsigned long prot, unsigned long flags)
3458{
1da177e4
LT		 3459 if (selinux_checkreqprot)
3460 prot = reqprot;
3461
3462 return file_map_prot_check(file, prot,
3463 (flags & MAP_TYPE) == MAP_SHARED);
3464}
3465
3466static int selinux_file_mprotect(struct vm_area_struct *vma,
3467 unsigned long reqprot,
3468 unsigned long prot)
3469{
88e67f3b 3470 const struct cred *cred = current_cred();
1da177e4
LT		 3471
3472 if (selinux_checkreqprot)
3473 prot = reqprot;
3474
fcaaade1
SS		 3475 if (default_noexec &&
3476 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3477 int rc = 0;
db4c9641
SS		 3478 if (vma->vm_start >= vma->vm_mm->start_brk &&
3479 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3480 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3481 } else if (!vma->vm_file &&
3482 vma->vm_start <= vma->vm_mm->start_stack &&
3483 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3484 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3485 } else if (vma->vm_file && vma->anon_vma) {
3486 /*
3487 * We are making executable a file mapping that has
3488 * had some COW done. Since pages might have been
3489 * written, check ability to execute the possibly
3490 * modified content. This typically should only
3491 * occur for text relocations.
3492 */
d84f4f99 3493 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3494 }