]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SELinux: Better integration between peer labeling subsystems
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <[email protected]>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <[email protected]>
7420ed23
VY		 15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <[email protected]>
788e7dd4
YN		 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
1da177e4 54#include <asm/uaccess.h>
1da177e4
LT		 55#include <asm/ioctls.h>
56#include <linux/bitops.h>
57#include <linux/interrupt.h>
58#include <linux/netdevice.h> /* for network interface checks */
59#include <linux/netlink.h>
60#include <linux/tcp.h>
61#include <linux/udp.h>
2ee92d46 62#include <linux/dccp.h>
1da177e4
LT		 63#include <linux/quota.h>
64#include <linux/un.h> /* for Unix socket types */
65#include <net/af_unix.h> /* for Unix socket types */
66#include <linux/parser.h>
67#include <linux/nfs_mount.h>
68#include <net/ipv6.h>
69#include <linux/hugetlb.h>
70#include <linux/personality.h>
71#include <linux/sysctl.h>
72#include <linux/audit.h>
6931dfc9 73#include <linux/string.h>
877ce7c1 74#include <linux/selinux.h>
23970741 75#include <linux/mutex.h>
1da177e4
LT		 76
77#include "avc.h"
78#include "objsec.h"
79#include "netif.h"
224dfbd8 80#include "netnode.h"
d28d1e08 81#include "xfrm.h"
c60475bf 82#include "netlabel.h"
1da177e4
LT		 83
84#define XATTR_SELINUX_SUFFIX "selinux"
85#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
86
c9180a57
EP		 87#define NUM_SEL_MNT_OPTS 4
88
1da177e4
LT		 89extern unsigned int policydb_loaded_version;
90extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 91extern int selinux_compat_net;
20510f2f 92extern struct security_operations *security_ops;
1da177e4
LT		 93
94#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
95int selinux_enforcing = 0;
96
97static int __init enforcing_setup(char *str)
98{
99 selinux_enforcing = simple_strtol(str,NULL,0);
100 return 1;
101}
102__setup("enforcing=", enforcing_setup);
103#endif
104
105#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
106int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
107
108static int __init selinux_enabled_setup(char *str)
109{
110 selinux_enabled = simple_strtol(str, NULL, 0);
111 return 1;
112}
113__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 114#else
115int selinux_enabled = 1;
1da177e4
LT		 116#endif
117
118/* Original (dummy) security module. */
119static struct security_operations *original_ops = NULL;
120
121/* Minimal support for a secondary security module,
122 just to allow the use of the dummy or capability modules.
123 The owlsm module can alternatively be used as a secondary
124 module as long as CONFIG_OWLSM_FD is not enabled. */
125static struct security_operations *secondary_ops = NULL;
126
127/* Lists of inode and superblock security structures initialized
128 before the policy was loaded. */
129static LIST_HEAD(superblock_security_head);
130static DEFINE_SPINLOCK(sb_security_lock);
131
e18b890b 132static struct kmem_cache *sel_inode_cache;
7cae7e26 133
8c8570fb
DK		 134/* Return security context for a given sid or just the context
135 length if the buffer is null or length is 0 */
136static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
137{
138 char *context;
139 unsigned len;
140 int rc;
141
142 rc = security_sid_to_context(sid, &context, &len);
143 if (rc)
144 return rc;
145
146 if (!buffer || !size)
147 goto getsecurity_exit;
148
149 if (size < len) {
150 len = -ERANGE;
151 goto getsecurity_exit;
152 }
153 memcpy(buffer, context, len);
154
155getsecurity_exit:
156 kfree(context);
157 return len;
158}
159
1da177e4
LT		 160/* Allocate and free functions for each kind of security blob. */
161
162static int task_alloc_security(struct task_struct *task)
163{
164 struct task_security_struct *tsec;
165
89d155ef 166 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 167 if (!tsec)
168 return -ENOMEM;
169
1da177e4
LT		 170 tsec->task = task;
171 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
172 task->security = tsec;
173
174 return 0;
175}
176
177static void task_free_security(struct task_struct *task)
178{
179 struct task_security_struct *tsec = task->security;
1da177e4
LT		 180 task->security = NULL;
181 kfree(tsec);
182}
183
184static int inode_alloc_security(struct inode *inode)
185{
186 struct task_security_struct *tsec = current->security;
187 struct inode_security_struct *isec;
188
c3762229 189 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
1da177e4
LT		 190 if (!isec)
191 return -ENOMEM;
192
23970741 193 mutex_init(&isec->lock);
1da177e4 194 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 195 isec->inode = inode;
196 isec->sid = SECINITSID_UNLABELED;
197 isec->sclass = SECCLASS_FILE;
9ac49d22 198 isec->task_sid = tsec->sid;
1da177e4
LT		 199 inode->i_security = isec;
200
201 return 0;
202}
203
204static void inode_free_security(struct inode *inode)
205{
206 struct inode_security_struct *isec = inode->i_security;
207 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
208
1da177e4
LT		 209 spin_lock(&sbsec->isec_lock);
210 if (!list_empty(&isec->list))
211 list_del_init(&isec->list);
212 spin_unlock(&sbsec->isec_lock);
213
214 inode->i_security = NULL;
7cae7e26 215 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 216}
217
218static int file_alloc_security(struct file *file)
219{
220 struct task_security_struct *tsec = current->security;
221 struct file_security_struct *fsec;
222
26d2a4be 223 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 224 if (!fsec)
225 return -ENOMEM;
226
1da177e4 227 fsec->file = file;
9ac49d22
SS		 228 fsec->sid = tsec->sid;
229 fsec->fown_sid = tsec->sid;
1da177e4
LT		 230 file->f_security = fsec;
231
232 return 0;
233}
234
235static void file_free_security(struct file *file)
236{
237 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 238 file->f_security = NULL;
239 kfree(fsec);
240}
241
242static int superblock_alloc_security(struct super_block *sb)
243{
244 struct superblock_security_struct *sbsec;
245
89d155ef 246 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 247 if (!sbsec)
248 return -ENOMEM;
249
bc7e982b 250 mutex_init(&sbsec->lock);
1da177e4
LT		 251 INIT_LIST_HEAD(&sbsec->list);
252 INIT_LIST_HEAD(&sbsec->isec_head);
253 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 254 sbsec->sb = sb;
255 sbsec->sid = SECINITSID_UNLABELED;
256 sbsec->def_sid = SECINITSID_FILE;
c312feb2 257 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 258 sb->s_security = sbsec;
259
260 return 0;
261}
262
263static void superblock_free_security(struct super_block *sb)
264{
265 struct superblock_security_struct *sbsec = sb->s_security;
266
1da177e4
LT		 267 spin_lock(&sb_security_lock);
268 if (!list_empty(&sbsec->list))
269 list_del_init(&sbsec->list);
270 spin_unlock(&sb_security_lock);
271
272 sb->s_security = NULL;
273 kfree(sbsec);
274}
275
7d877f3b 276static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 277{
278 struct sk_security_struct *ssec;
279
89d155ef 280 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 281 if (!ssec)
282 return -ENOMEM;
283
1da177e4
LT		 284 ssec->sk = sk;
285 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 286 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 287 sk->sk_security = ssec;
288
99f59ed0
PM		 289 selinux_netlbl_sk_security_init(ssec, family);
290
1da177e4
LT		 291 return 0;
292}
293
294static void sk_free_security(struct sock *sk)
295{
296 struct sk_security_struct *ssec = sk->sk_security;
297
1da177e4
LT		 298 sk->sk_security = NULL;
299 kfree(ssec);
300}
1da177e4
LT		 301
302/* The security server must be initialized before
303 any labeling or access decisions can be provided. */
304extern int ss_initialized;
305
306/* The file system's label must be initialized prior to use. */
307
308static char *labeling_behaviors[6] = {
309 "uses xattr",
310 "uses transition SIDs",
311 "uses task SIDs",
312 "uses genfs_contexts",
313 "not configured for labeling",
314 "uses mountpoint labeling",
315};
316
317static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
318
319static inline int inode_doinit(struct inode *inode)
320{
321 return inode_doinit_with_dentry(inode, NULL);
322}
323
324enum {
31e87930 325 Opt_error = -1,
1da177e4
LT		 326 Opt_context = 1,
327 Opt_fscontext = 2,
c9180a57
EP		 328 Opt_defcontext = 3,
329 Opt_rootcontext = 4,
1da177e4
LT		 330};
331
332static match_table_t tokens = {
333 {Opt_context, "context=%s"},
334 {Opt_fscontext, "fscontext=%s"},
335 {Opt_defcontext, "defcontext=%s"},
0808925e 336 {Opt_rootcontext, "rootcontext=%s"},
31e87930 337 {Opt_error, NULL},
1da177e4
LT		 338};
339
340#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
341
c312feb2
EP		 342static int may_context_mount_sb_relabel(u32 sid,
343 struct superblock_security_struct *sbsec,
344 struct task_security_struct *tsec)
345{
346 int rc;
347
348 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
349 FILESYSTEM__RELABELFROM, NULL);
350 if (rc)
351 return rc;
352
353 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
354 FILESYSTEM__RELABELTO, NULL);
355 return rc;
356}
357
0808925e
EP		 358static int may_context_mount_inode_relabel(u32 sid,
359 struct superblock_security_struct *sbsec,
360 struct task_security_struct *tsec)
361{
362 int rc;
363 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
364 FILESYSTEM__RELABELFROM, NULL);
365 if (rc)
366 return rc;
367
368 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
369 FILESYSTEM__ASSOCIATE, NULL);
370 return rc;
371}
372
c9180a57 373static int sb_finish_set_opts(struct super_block *sb)
1da177e4 374{
1da177e4 375 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 376 struct dentry *root = sb->s_root;
377 struct inode *root_inode = root->d_inode;
378 int rc = 0;
1da177e4 379
c9180a57
EP		 380 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
381 /* Make sure that the xattr handler exists and that no
382 error other than -ENODATA is returned by getxattr on
383 the root directory. -ENODATA is ok, as this may be
384 the first boot of the SELinux kernel before we have
385 assigned xattr values to the filesystem. */
386 if (!root_inode->i_op->getxattr) {
387 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
388 "xattr support\n", sb->s_id, sb->s_type->name);
389 rc = -EOPNOTSUPP;
390 goto out;
391 }
392 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
393 if (rc < 0 && rc != -ENODATA) {
394 if (rc == -EOPNOTSUPP)
395 printk(KERN_WARNING "SELinux: (dev %s, type "
396 "%s) has no security xattr handler\n",
397 sb->s_id, sb->s_type->name);
398 else
399 printk(KERN_WARNING "SELinux: (dev %s, type "
400 "%s) getxattr errno %d\n", sb->s_id,
401 sb->s_type->name, -rc);
402 goto out;
403 }
404 }
1da177e4 405
c9180a57 406 sbsec->initialized = 1;
1da177e4 407
c9180a57
EP		 408 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
409 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
410 sb->s_id, sb->s_type->name);
411 else
412 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
413 sb->s_id, sb->s_type->name,
414 labeling_behaviors[sbsec->behavior-1]);
1da177e4 415
c9180a57
EP		 416 /* Initialize the root inode. */
417 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 418
c9180a57
EP		 419 /* Initialize any other inodes associated with the superblock, e.g.
420 inodes created prior to initial policy load or inodes created
421 during get_sb by a pseudo filesystem that directly
422 populates itself. */
423 spin_lock(&sbsec->isec_lock);
424next_inode:
425 if (!list_empty(&sbsec->isec_head)) {
426 struct inode_security_struct *isec =
427 list_entry(sbsec->isec_head.next,
428 struct inode_security_struct, list);
429 struct inode *inode = isec->inode;
430 spin_unlock(&sbsec->isec_lock);
431 inode = igrab(inode);
432 if (inode) {
433 if (!IS_PRIVATE(inode))
434 inode_doinit(inode);
435 iput(inode);
436 }
437 spin_lock(&sbsec->isec_lock);
438 list_del_init(&isec->list);
439 goto next_inode;
440 }
441 spin_unlock(&sbsec->isec_lock);
442out:
443 return rc;
444}
1da177e4 445
c9180a57
EP		 446/*
447 * This function should allow an FS to ask what it's mount security
448 * options were so it can use those later for submounts, displaying
449 * mount options, or whatever.
450 */
451static int selinux_get_mnt_opts(const struct super_block *sb,
452 char ***mount_options, int **mnt_opts_flags,
453 int *num_opts)
454{
455 int rc = 0, i;
456 struct superblock_security_struct *sbsec = sb->s_security;
457 char *context = NULL;
458 u32 len;
459 char tmp;
1da177e4 460
c9180a57
EP		 461 *num_opts = 0;
462 *mount_options = NULL;
463 *mnt_opts_flags = NULL;
1da177e4 464
c9180a57
EP		 465 if (!sbsec->initialized)
466 return -EINVAL;
1da177e4 467
c9180a57
EP		 468 if (!ss_initialized)
469 return -EINVAL;
1da177e4 470
c9180a57
EP		 471 /*
472 * if we ever use sbsec flags for anything other than tracking mount
473 * settings this is going to need a mask
474 */
475 tmp = sbsec->flags;
476 /* count the number of mount options for this sb */
477 for (i = 0; i < 8; i++) {
478 if (tmp & 0x01)
479 (*num_opts)++;
480 tmp >>= 1;
481 }
1da177e4 482
c9180a57
EP		 483 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
484 if (!*mount_options) {
485 rc = -ENOMEM;
486 goto out_free;
487 }
1da177e4 488
c9180a57
EP		 489 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
490 if (!*mnt_opts_flags) {
491 rc = -ENOMEM;
492 goto out_free;
493 }
1da177e4 494
c9180a57
EP		 495 i = 0;
496 if (sbsec->flags & FSCONTEXT_MNT) {
497 rc = security_sid_to_context(sbsec->sid, &context, &len);
498 if (rc)
499 goto out_free;
500 (*mount_options)[i] = context;
501 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
502 }
503 if (sbsec->flags & CONTEXT_MNT) {
504 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
505 if (rc)
506 goto out_free;
507 (*mount_options)[i] = context;
508 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
509 }
510 if (sbsec->flags & DEFCONTEXT_MNT) {
511 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
512 if (rc)
513 goto out_free;
514 (*mount_options)[i] = context;
515 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
516 }
517 if (sbsec->flags & ROOTCONTEXT_MNT) {
518 struct inode *root = sbsec->sb->s_root->d_inode;
519 struct inode_security_struct *isec = root->i_security;
0808925e 520
c9180a57
EP		 521 rc = security_sid_to_context(isec->sid, &context, &len);
522 if (rc)
523 goto out_free;
524 (*mount_options)[i] = context;
525 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
526 }
1da177e4 527
c9180a57 528 BUG_ON(i != *num_opts);
1da177e4 529
c9180a57
EP		 530 return 0;
531
532out_free:
533 /* don't leak context string if security_sid_to_context had an error */
534 if (*mount_options && i)
535 for (; i > 0; i--)
536 kfree((*mount_options)[i-1]);
537 kfree(*mount_options);
538 *mount_options = NULL;
539 kfree(*mnt_opts_flags);
540 *mnt_opts_flags = NULL;
541 *num_opts = 0;
542 return rc;
543}
1da177e4 544
c9180a57
EP		 545static int bad_option(struct superblock_security_struct *sbsec, char flag,
546 u32 old_sid, u32 new_sid)
547{
548 /* check if the old mount command had the same options */
549 if (sbsec->initialized)
550 if (!(sbsec->flags & flag) ||
551 (old_sid != new_sid))
552 return 1;
553
554 /* check if we were passed the same options twice,
555 * aka someone passed context=a,context=b
556 */
557 if (!sbsec->initialized)
558 if (sbsec->flags & flag)
559 return 1;
560 return 0;
561}
562/*
563 * Allow filesystems with binary mount data to explicitly set mount point
564 * labeling information.
565 */
566int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
567 int *flags, int num_opts)
568{
569 int rc = 0, i;
570 struct task_security_struct *tsec = current->security;
571 struct superblock_security_struct *sbsec = sb->s_security;
572 const char *name = sb->s_type->name;
573 struct inode *inode = sbsec->sb->s_root->d_inode;
574 struct inode_security_struct *root_isec = inode->i_security;
575 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
576 u32 defcontext_sid = 0;
577
578 mutex_lock(&sbsec->lock);
579
580 if (!ss_initialized) {
581 if (!num_opts) {
582 /* Defer initialization until selinux_complete_init,
583 after the initial policy is loaded and the security
584 server is ready to handle calls. */
585 spin_lock(&sb_security_lock);
586 if (list_empty(&sbsec->list))
587 list_add(&sbsec->list, &superblock_security_head);
588 spin_unlock(&sb_security_lock);
589 goto out;
590 }
591 rc = -EINVAL;
592 printk(KERN_WARNING "Unable to set superblock options before "
593 "the security server is initialized\n");
1da177e4 594 goto out;
c9180a57 595 }
1da177e4 596
c9180a57
EP		 597 /*
598 * parse the mount options, check if they are valid sids.
599 * also check if someone is trying to mount the same sb more
600 * than once with different security options.
601 */
602 for (i = 0; i < num_opts; i++) {
603 u32 sid;
604 rc = security_context_to_sid(mount_options[i],
605 strlen(mount_options[i]), &sid);
1da177e4
LT		 606 if (rc) {
607 printk(KERN_WARNING "SELinux: security_context_to_sid"
608 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 609 mount_options[i], sb->s_id, name, rc);
610 goto out;
611 }
612 switch (flags[i]) {
613 case FSCONTEXT_MNT:
614 fscontext_sid = sid;
615
616 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
617 fscontext_sid))
618 goto out_double_mount;
619
620 sbsec->flags |= FSCONTEXT_MNT;
621 break;
622 case CONTEXT_MNT:
623 context_sid = sid;
624
625 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
626 context_sid))
627 goto out_double_mount;
628
629 sbsec->flags |= CONTEXT_MNT;
630 break;
631 case ROOTCONTEXT_MNT:
632 rootcontext_sid = sid;
633
634 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
635 rootcontext_sid))
636 goto out_double_mount;
637
638 sbsec->flags |= ROOTCONTEXT_MNT;
639
640 break;
641 case DEFCONTEXT_MNT:
642 defcontext_sid = sid;
643
644 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
645 defcontext_sid))
646 goto out_double_mount;
647
648 sbsec->flags |= DEFCONTEXT_MNT;
649
650 break;
651 default:
652 rc = -EINVAL;
653 goto out;
1da177e4 654 }
c9180a57
EP		 655 }
656
657 if (sbsec->initialized) {
658 /* previously mounted with options, but not on this attempt? */
659 if (sbsec->flags && !num_opts)
660 goto out_double_mount;
661 rc = 0;
662 goto out;
663 }
664
665 if (strcmp(sb->s_type->name, "proc") == 0)
666 sbsec->proc = 1;
667
668 /* Determine the labeling behavior to use for this filesystem type. */
669 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
670 if (rc) {
671 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
672 __FUNCTION__, sb->s_type->name, rc);
673 goto out;
674 }
1da177e4 675
c9180a57
EP		 676 /* sets the context of the superblock for the fs being mounted. */
677 if (fscontext_sid) {
678
679 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 680 if (rc)
c9180a57 681 goto out;
1da177e4 682
c9180a57 683 sbsec->sid = fscontext_sid;
c312feb2
EP		 684 }
685
686 /*
687 * Switch to using mount point labeling behavior.
688 * sets the label used on all file below the mountpoint, and will set
689 * the superblock context if not already set.
690 */
c9180a57
EP		 691 if (context_sid) {
692 if (!fscontext_sid) {
693 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 694 if (rc)
c9180a57
EP		 695 goto out;
696 sbsec->sid = context_sid;
b04ea3ce 697 } else {
c9180a57 698 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 699 if (rc)
c9180a57 700 goto out;
b04ea3ce 701 }
c9180a57
EP		 702 if (!rootcontext_sid)
703 rootcontext_sid = context_sid;
1da177e4 704
c9180a57 705 sbsec->mntpoint_sid = context_sid;
c312feb2 706 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 707 }
708
c9180a57
EP		 709 if (rootcontext_sid) {
710 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 711 if (rc)
c9180a57 712 goto out;
0808925e 713
c9180a57
EP		 714 root_isec->sid = rootcontext_sid;
715 root_isec->initialized = 1;
0808925e
EP		 716 }
717
c9180a57
EP		 718 if (defcontext_sid) {
719 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
720 rc = -EINVAL;
721 printk(KERN_WARNING "SELinux: defcontext option is "
722 "invalid for this filesystem type\n");
723 goto out;
1da177e4
LT		 724 }
725
c9180a57
EP		 726 if (defcontext_sid != sbsec->def_sid) {
727 rc = may_context_mount_inode_relabel(defcontext_sid,
728 sbsec, tsec);
729 if (rc)
730 goto out;
731 }
1da177e4 732
c9180a57 733 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 734 }
735
c9180a57 736 rc = sb_finish_set_opts(sb);
1da177e4 737out:
c9180a57 738 mutex_unlock(&sbsec->lock);
1da177e4 739 return rc;
c9180a57
EP		 740out_double_mount:
741 rc = -EINVAL;
742 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
743 "security settings for (dev %s, type %s)\n", sb->s_id, name);
744 goto out;
1da177e4
LT		 745}
746
c9180a57
EP		 747static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
748 struct super_block *newsb)
1da177e4 749{
c9180a57
EP		 750 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
751 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 752
c9180a57
EP		 753 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
754 int set_context = (oldsbsec->flags & CONTEXT_MNT);
755 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 756
c9180a57
EP		 757 /* we can't error, we can't save the info, this shouldn't get called
758 * this early in the boot process. */
759 BUG_ON(!ss_initialized);
760
761 /* this might go away sometime down the line if there is a new user
762 * of clone, but for now, nfs better not get here... */
763 BUG_ON(newsbsec->initialized);
764
765 /* how can we clone if the old one wasn't set up?? */
766 BUG_ON(!oldsbsec->initialized);
767
768 mutex_lock(&newsbsec->lock);
769
770 newsbsec->flags = oldsbsec->flags;
771
772 newsbsec->sid = oldsbsec->sid;
773 newsbsec->def_sid = oldsbsec->def_sid;
774 newsbsec->behavior = oldsbsec->behavior;
775
776 if (set_context) {
777 u32 sid = oldsbsec->mntpoint_sid;
778
779 if (!set_fscontext)
780 newsbsec->sid = sid;
781 if (!set_rootcontext) {
782 struct inode *newinode = newsb->s_root->d_inode;
783 struct inode_security_struct *newisec = newinode->i_security;
784 newisec->sid = sid;
785 }
786 newsbsec->mntpoint_sid = sid;
1da177e4 787 }
c9180a57
EP		 788 if (set_rootcontext) {
789 const struct inode *oldinode = oldsb->s_root->d_inode;
790 const struct inode_security_struct *oldisec = oldinode->i_security;
791 struct inode *newinode = newsb->s_root->d_inode;
792 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 793
c9180a57 794 newisec->sid = oldisec->sid;
1da177e4
LT		 795 }
796
c9180a57
EP		 797 sb_finish_set_opts(newsb);
798 mutex_unlock(&newsbsec->lock);
799}
800
801/*
802 * string mount options parsing and call set the sbsec
803 */
804static int superblock_doinit(struct super_block *sb, void *data)
805{
806 char *context = NULL, *defcontext = NULL;
807 char *fscontext = NULL, *rootcontext = NULL;
808 int rc = 0;
809 char *p, *options = data;
810 /* selinux only know about a fixed number of mount options */
811 char *mnt_opts[NUM_SEL_MNT_OPTS];
812 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
813
814 if (!data)
1da177e4
LT		 815 goto out;
816
c9180a57
EP		 817 /* with the nfs patch this will become a goto out; */
818 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
819 const char *name = sb->s_type->name;
820 /* NFS we understand. */
821 if (!strcmp(name, "nfs")) {
822 struct nfs_mount_data *d = data;
823
824 if (d->version != NFS_MOUNT_VERSION)
825 goto out;
826
827 if (d->context[0]) {
828 context = kstrdup(d->context, GFP_KERNEL);
829 if (!context) {
830 rc = -ENOMEM;
831 goto out;
832 }
833 }
834 goto build_flags;
835 } else
1da177e4 836 goto out;
1da177e4
LT		 837 }
838
c9180a57
EP		 839 /* Standard string-based options. */
840 while ((p = strsep(&options, "|")) != NULL) {
841 int token;
842 substring_t args[MAX_OPT_ARGS];
1da177e4 843
c9180a57
EP		 844 if (!*p)
845 continue;
1da177e4 846
c9180a57 847 token = match_token(p, tokens, args);
1da177e4 848
c9180a57
EP		 849 switch (token) {
850 case Opt_context:
851 if (context || defcontext) {
852 rc = -EINVAL;
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 goto out_err;
855 }
856 context = match_strdup(&args[0]);
857 if (!context) {
858 rc = -ENOMEM;
859 goto out_err;
860 }
861 break;
862
863 case Opt_fscontext:
864 if (fscontext) {
865 rc = -EINVAL;
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 goto out_err;
868 }
869 fscontext = match_strdup(&args[0]);
870 if (!fscontext) {
871 rc = -ENOMEM;
872 goto out_err;
873 }
874 break;
875
876 case Opt_rootcontext:
877 if (rootcontext) {
878 rc = -EINVAL;
879 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
880 goto out_err;
881 }
882 rootcontext = match_strdup(&args[0]);
883 if (!rootcontext) {
884 rc = -ENOMEM;
885 goto out_err;
886 }
887 break;
888
889 case Opt_defcontext:
890 if (context || defcontext) {
891 rc = -EINVAL;
892 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
893 goto out_err;
894 }
895 defcontext = match_strdup(&args[0]);
896 if (!defcontext) {
897 rc = -ENOMEM;
898 goto out_err;
899 }
900 break;
901
902 default:
903 rc = -EINVAL;
904 printk(KERN_WARNING "SELinux: unknown mount option\n");
905 goto out_err;
1da177e4 906
1da177e4 907 }
1da177e4 908 }
c9180a57
EP		 909
910build_flags:
911 if (fscontext) {
912 mnt_opts[num_mnt_opts] = fscontext;
913 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
914 }
915 if (context) {
916 mnt_opts[num_mnt_opts] = context;
917 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
918 }
919 if (rootcontext) {
920 mnt_opts[num_mnt_opts] = rootcontext;
921 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
922 }
923 if (defcontext) {
924 mnt_opts[num_mnt_opts] = defcontext;
925 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
926 }
927
1da177e4 928out:
c9180a57
EP		 929 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
930out_err:
931 kfree(context);
932 kfree(defcontext);
933 kfree(fscontext);
934 kfree(rootcontext);
1da177e4
LT		 935 return rc;
936}
937
938static inline u16 inode_mode_to_security_class(umode_t mode)
939{
940 switch (mode & S_IFMT) {
941 case S_IFSOCK:
942 return SECCLASS_SOCK_FILE;
943 case S_IFLNK:
944 return SECCLASS_LNK_FILE;
945 case S_IFREG:
946 return SECCLASS_FILE;
947 case S_IFBLK:
948 return SECCLASS_BLK_FILE;
949 case S_IFDIR:
950 return SECCLASS_DIR;
951 case S_IFCHR:
952 return SECCLASS_CHR_FILE;
953 case S_IFIFO:
954 return SECCLASS_FIFO_FILE;
955
956 }
957
958 return SECCLASS_FILE;
959}
960
13402580
JM		 961static inline int default_protocol_stream(int protocol)
962{
963 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
964}
965
966static inline int default_protocol_dgram(int protocol)
967{
968 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
969}
970
1da177e4
LT		 971static inline u16 socket_type_to_security_class(int family, int type, int protocol)
972{
973 switch (family) {
974 case PF_UNIX:
975 switch (type) {
976 case SOCK_STREAM:
977 case SOCK_SEQPACKET:
978 return SECCLASS_UNIX_STREAM_SOCKET;
979 case SOCK_DGRAM:
980 return SECCLASS_UNIX_DGRAM_SOCKET;
981 }
982 break;
983 case PF_INET:
984 case PF_INET6:
985 switch (type) {
986 case SOCK_STREAM:
13402580
JM		 987 if (default_protocol_stream(protocol))
988 return SECCLASS_TCP_SOCKET;
989 else
990 return SECCLASS_RAWIP_SOCKET;
1da177e4 991 case SOCK_DGRAM:
13402580
JM		 992 if (default_protocol_dgram(protocol))
993 return SECCLASS_UDP_SOCKET;
994 else
995 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 996 case SOCK_DCCP:
997 return SECCLASS_DCCP_SOCKET;
13402580 998 default:
1da177e4
LT		 999 return SECCLASS_RAWIP_SOCKET;
1000 }
1001 break;
1002 case PF_NETLINK:
1003 switch (protocol) {
1004 case NETLINK_ROUTE:
1005 return SECCLASS_NETLINK_ROUTE_SOCKET;
1006 case NETLINK_FIREWALL:
1007 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1008 case NETLINK_INET_DIAG:
1da177e4
LT		 1009 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1010 case NETLINK_NFLOG:
1011 return SECCLASS_NETLINK_NFLOG_SOCKET;
1012 case NETLINK_XFRM:
1013 return SECCLASS_NETLINK_XFRM_SOCKET;
1014 case NETLINK_SELINUX:
1015 return SECCLASS_NETLINK_SELINUX_SOCKET;
1016 case NETLINK_AUDIT:
1017 return SECCLASS_NETLINK_AUDIT_SOCKET;
1018 case NETLINK_IP6_FW:
1019 return SECCLASS_NETLINK_IP6FW_SOCKET;
1020 case NETLINK_DNRTMSG:
1021 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1022 case NETLINK_KOBJECT_UEVENT:
1023 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1024 default:
1025 return SECCLASS_NETLINK_SOCKET;
1026 }
1027 case PF_PACKET:
1028 return SECCLASS_PACKET_SOCKET;
1029 case PF_KEY:
1030 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1031 case PF_APPLETALK:
1032 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1033 }
1034
1035 return SECCLASS_SOCKET;
1036}
1037
1038#ifdef CONFIG_PROC_FS
1039static int selinux_proc_get_sid(struct proc_dir_entry *de,
1040 u16 tclass,
1041 u32 *sid)
1042{
1043 int buflen, rc;
1044 char *buffer, *path, *end;
1045
1046 buffer = (char*)__get_free_page(GFP_KERNEL);
1047 if (!buffer)
1048 return -ENOMEM;
1049
1050 buflen = PAGE_SIZE;
1051 end = buffer+buflen;
1052 *--end = '\0';
1053 buflen--;
1054 path = end-1;
1055 *path = '/';
1056 while (de && de != de->parent) {
1057 buflen -= de->namelen + 1;
1058 if (buflen < 0)
1059 break;
1060 end -= de->namelen;
1061 memcpy(end, de->name, de->namelen);
1062 *--end = '/';
1063 path = end;
1064 de = de->parent;
1065 }
1066 rc = security_genfs_sid("proc", path, tclass, sid);
1067 free_page((unsigned long)buffer);
1068 return rc;
1069}
1070#else
1071static int selinux_proc_get_sid(struct proc_dir_entry *de,
1072 u16 tclass,
1073 u32 *sid)
1074{
1075 return -EINVAL;
1076}
1077#endif
1078
1079/* The inode's security attributes must be initialized before first use. */
1080static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1081{
1082 struct superblock_security_struct *sbsec = NULL;
1083 struct inode_security_struct *isec = inode->i_security;
1084 u32 sid;
1085 struct dentry *dentry;
1086#define INITCONTEXTLEN 255
1087 char *context = NULL;
1088 unsigned len = 0;
1089 int rc = 0;
1da177e4
LT		 1090
1091 if (isec->initialized)
1092 goto out;
1093
23970741 1094 mutex_lock(&isec->lock);
1da177e4 1095 if (isec->initialized)
23970741 1096 goto out_unlock;
1da177e4
LT		 1097
1098 sbsec = inode->i_sb->s_security;
1099 if (!sbsec->initialized) {
1100 /* Defer initialization until selinux_complete_init,
1101 after the initial policy is loaded and the security
1102 server is ready to handle calls. */
1103 spin_lock(&sbsec->isec_lock);
1104 if (list_empty(&isec->list))
1105 list_add(&isec->list, &sbsec->isec_head);
1106 spin_unlock(&sbsec->isec_lock);
23970741 1107 goto out_unlock;
1da177e4
LT		 1108 }
1109
1110 switch (sbsec->behavior) {
1111 case SECURITY_FS_USE_XATTR:
1112 if (!inode->i_op->getxattr) {
1113 isec->sid = sbsec->def_sid;
1114 break;
1115 }
1116
1117 /* Need a dentry, since the xattr API requires one.
1118 Life would be simpler if we could just pass the inode. */
1119 if (opt_dentry) {
1120 /* Called from d_instantiate or d_splice_alias. */
1121 dentry = dget(opt_dentry);
1122 } else {
1123 /* Called from selinux_complete_init, try to find a dentry. */
1124 dentry = d_find_alias(inode);
1125 }
1126 if (!dentry) {
1127 printk(KERN_WARNING "%s: no dentry for dev=%s "
1128 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1129 inode->i_ino);
23970741 1130 goto out_unlock;
1da177e4
LT		 1131 }
1132
1133 len = INITCONTEXTLEN;
1134 context = kmalloc(len, GFP_KERNEL);
1135 if (!context) {
1136 rc = -ENOMEM;
1137 dput(dentry);
23970741 1138 goto out_unlock;
1da177e4
LT		 1139 }
1140 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1141 context, len);
1142 if (rc == -ERANGE) {
1143 /* Need a larger buffer. Query for the right size. */
1144 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1145 NULL, 0);
1146 if (rc < 0) {
1147 dput(dentry);
23970741 1148 goto out_unlock;
1da177e4
LT		 1149 }
1150 kfree(context);
1151 len = rc;
1152 context = kmalloc(len, GFP_KERNEL);
1153 if (!context) {
1154 rc = -ENOMEM;
1155 dput(dentry);
23970741 1156 goto out_unlock;
1da177e4
LT		 1157 }
1158 rc = inode->i_op->getxattr(dentry,
1159 XATTR_NAME_SELINUX,
1160 context, len);
1161 }
1162 dput(dentry);
1163 if (rc < 0) {
1164 if (rc != -ENODATA) {
1165 printk(KERN_WARNING "%s: getxattr returned "
1166 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1167 -rc, inode->i_sb->s_id, inode->i_ino);
1168 kfree(context);
23970741 1169 goto out_unlock;
1da177e4
LT		 1170 }
1171 /* Map ENODATA to the default file SID */
1172 sid = sbsec->def_sid;
1173 rc = 0;
1174 } else {
f5c1d5b2
JM		 1175 rc = security_context_to_sid_default(context, rc, &sid,
1176 sbsec->def_sid);
1da177e4
LT		 1177 if (rc) {
1178 printk(KERN_WARNING "%s: context_to_sid(%s) "
1179 "returned %d for dev=%s ino=%ld\n",
1180 __FUNCTION__, context, -rc,
1181 inode->i_sb->s_id, inode->i_ino);
1182 kfree(context);
1183 /* Leave with the unlabeled SID */
1184 rc = 0;
1185 break;
1186 }
1187 }
1188 kfree(context);
1189 isec->sid = sid;
1190 break;
1191 case SECURITY_FS_USE_TASK:
1192 isec->sid = isec->task_sid;
1193 break;
1194 case SECURITY_FS_USE_TRANS:
1195 /* Default to the fs SID. */
1196 isec->sid = sbsec->sid;
1197
1198 /* Try to obtain a transition SID. */
1199 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1200 rc = security_transition_sid(isec->task_sid,
1201 sbsec->sid,
1202 isec->sclass,
1203 &sid);
1204 if (rc)
23970741 1205 goto out_unlock;
1da177e4
LT		 1206 isec->sid = sid;
1207 break;
c312feb2
EP		 1208 case SECURITY_FS_USE_MNTPOINT:
1209 isec->sid = sbsec->mntpoint_sid;
1210 break;
1da177e4 1211 default:
c312feb2 1212 /* Default to the fs superblock SID. */
1da177e4
LT		 1213 isec->sid = sbsec->sid;
1214
1215 if (sbsec->proc) {
1216 struct proc_inode *proci = PROC_I(inode);
1217 if (proci->pde) {
1218 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1219 rc = selinux_proc_get_sid(proci->pde,
1220 isec->sclass,
1221 &sid);
1222 if (rc)
23970741 1223 goto out_unlock;
1da177e4
LT		 1224 isec->sid = sid;
1225 }
1226 }
1227 break;
1228 }
1229
1230 isec->initialized = 1;
1231
23970741
EP		 1232out_unlock:
1233 mutex_unlock(&isec->lock);
1da177e4
LT		 1234out:
1235 if (isec->sclass == SECCLASS_FILE)
1236 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1237 return rc;
1238}
1239
1240/* Convert a Linux signal to an access vector. */
1241static inline u32 signal_to_av(int sig)
1242{
1243 u32 perm = 0;
1244
1245 switch (sig) {
1246 case SIGCHLD:
1247 /* Commonly granted from child to parent. */
1248 perm = PROCESS__SIGCHLD;
1249 break;
1250 case SIGKILL:
1251 /* Cannot be caught or ignored */
1252 perm = PROCESS__SIGKILL;
1253 break;
1254 case SIGSTOP:
1255 /* Cannot be caught or ignored */
1256 perm = PROCESS__SIGSTOP;
1257 break;
1258 default:
1259 /* All other signals. */
1260 perm = PROCESS__SIGNAL;
1261 break;
1262 }
1263
1264 return perm;
1265}
1266
1267/* Check permission betweeen a pair of tasks, e.g. signal checks,
1268 fork check, ptrace check, etc. */
1269static int task_has_perm(struct task_struct *tsk1,
1270 struct task_struct *tsk2,
1271 u32 perms)
1272{
1273 struct task_security_struct *tsec1, *tsec2;
1274
1275 tsec1 = tsk1->security;
1276 tsec2 = tsk2->security;
1277 return avc_has_perm(tsec1->sid, tsec2->sid,
1278 SECCLASS_PROCESS, perms, NULL);
1279}
1280
1281/* Check whether a task is allowed to use a capability. */
1282static int task_has_capability(struct task_struct *tsk,
1283 int cap)
1284{
1285 struct task_security_struct *tsec;
1286 struct avc_audit_data ad;
1287
1288 tsec = tsk->security;
1289
1290 AVC_AUDIT_DATA_INIT(&ad,CAP);
1291 ad.tsk = tsk;
1292 ad.u.cap = cap;
1293
1294 return avc_has_perm(tsec->sid, tsec->sid,
1295 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1296}
1297
1298/* Check whether a task is allowed to use a system operation. */
1299static int task_has_system(struct task_struct *tsk,
1300 u32 perms)
1301{
1302 struct task_security_struct *tsec;
1303
1304 tsec = tsk->security;
1305
1306 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1307 SECCLASS_SYSTEM, perms, NULL);
1308}
1309
1310/* Check whether a task has a particular permission to an inode.
1311 The 'adp' parameter is optional and allows other audit
1312 data to be passed (e.g. the dentry). */
1313static int inode_has_perm(struct task_struct *tsk,
1314 struct inode *inode,
1315 u32 perms,
1316 struct avc_audit_data *adp)
1317{
1318 struct task_security_struct *tsec;
1319 struct inode_security_struct *isec;
1320 struct avc_audit_data ad;
1321
bbaca6c2
SS		 1322 if (unlikely (IS_PRIVATE (inode)))
1323 return 0;
1324
1da177e4
LT		 1325 tsec = tsk->security;
1326 isec = inode->i_security;
1327
1328 if (!adp) {
1329 adp = &ad;
1330 AVC_AUDIT_DATA_INIT(&ad, FS);
1331 ad.u.fs.inode = inode;
1332 }
1333
1334 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1335}
1336
1337/* Same as inode_has_perm, but pass explicit audit data containing
1338 the dentry to help the auditing code to more easily generate the
1339 pathname if needed. */
1340static inline int dentry_has_perm(struct task_struct *tsk,
1341 struct vfsmount *mnt,
1342 struct dentry *dentry,
1343 u32 av)
1344{
1345 struct inode *inode = dentry->d_inode;
1346 struct avc_audit_data ad;
1347 AVC_AUDIT_DATA_INIT(&ad,FS);
1348 ad.u.fs.mnt = mnt;
1349 ad.u.fs.dentry = dentry;
1350 return inode_has_perm(tsk, inode, av, &ad);
1351}
1352
1353/* Check whether a task can use an open file descriptor to
1354 access an inode in a given way. Check access to the
1355 descriptor itself, and then use dentry_has_perm to
1356 check a particular permission to the file.
1357 Access to the descriptor is implicitly granted if it
1358 has the same SID as the process. If av is zero, then
1359 access to the file is not checked, e.g. for cases
1360 where only the descriptor is affected like seek. */
858119e1 1361static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1362 struct file *file,
1363 u32 av)
1364{
1365 struct task_security_struct *tsec = tsk->security;
1366 struct file_security_struct *fsec = file->f_security;
3d5ff529
JS		 1367 struct vfsmount *mnt = file->f_path.mnt;
1368 struct dentry *dentry = file->f_path.dentry;
1da177e4
LT		 1369 struct inode *inode = dentry->d_inode;
1370 struct avc_audit_data ad;
1371 int rc;
1372
1373 AVC_AUDIT_DATA_INIT(&ad, FS);
1374 ad.u.fs.mnt = mnt;
1375 ad.u.fs.dentry = dentry;
1376
1377 if (tsec->sid != fsec->sid) {
1378 rc = avc_has_perm(tsec->sid, fsec->sid,
1379 SECCLASS_FD,
1380 FD__USE,
1381 &ad);
1382 if (rc)
1383 return rc;
1384 }
1385
1386 /* av is zero if only checking access to the descriptor. */
1387 if (av)
1388 return inode_has_perm(tsk, inode, av, &ad);
1389
1390 return 0;
1391}
1392
1393/* Check whether a task can create a file. */
1394static int may_create(struct inode *dir,
1395 struct dentry *dentry,
1396 u16 tclass)
1397{
1398 struct task_security_struct *tsec;
1399 struct inode_security_struct *dsec;
1400 struct superblock_security_struct *sbsec;
1401 u32 newsid;
1402 struct avc_audit_data ad;
1403 int rc;
1404
1405 tsec = current->security;
1406 dsec = dir->i_security;
1407 sbsec = dir->i_sb->s_security;
1408
1409 AVC_AUDIT_DATA_INIT(&ad, FS);
1410 ad.u.fs.dentry = dentry;
1411
1412 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1413 DIR__ADD_NAME | DIR__SEARCH,
1414 &ad);
1415 if (rc)
1416 return rc;
1417
1418 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1419 newsid = tsec->create_sid;
1420 } else {
1421 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1422 &newsid);
1423 if (rc)
1424 return rc;
1425 }
1426
1427 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1428 if (rc)
1429 return rc;
1430
1431 return avc_has_perm(newsid, sbsec->sid,
1432 SECCLASS_FILESYSTEM,
1433 FILESYSTEM__ASSOCIATE, &ad);
1434}
1435
4eb582cf
ML		 1436/* Check whether a task can create a key. */
1437static int may_create_key(u32 ksid,
1438 struct task_struct *ctx)
1439{
1440 struct task_security_struct *tsec;
1441
1442 tsec = ctx->security;
1443
1444 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1445}
1446
1da177e4
LT		 1447#define MAY_LINK 0
1448#define MAY_UNLINK 1
1449#define MAY_RMDIR 2
1450
1451/* Check whether a task can link, unlink, or rmdir a file/directory. */
1452static int may_link(struct inode *dir,
1453 struct dentry *dentry,
1454 int kind)
1455
1456{
1457 struct task_security_struct *tsec;
1458 struct inode_security_struct *dsec, *isec;
1459 struct avc_audit_data ad;
1460 u32 av;
1461 int rc;
1462
1463 tsec = current->security;
1464 dsec = dir->i_security;
1465 isec = dentry->d_inode->i_security;
1466
1467 AVC_AUDIT_DATA_INIT(&ad, FS);
1468 ad.u.fs.dentry = dentry;
1469
1470 av = DIR__SEARCH;
1471 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1472 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1473 if (rc)
1474 return rc;
1475
1476 switch (kind) {
1477 case MAY_LINK:
1478 av = FILE__LINK;
1479 break;
1480 case MAY_UNLINK:
1481 av = FILE__UNLINK;
1482 break;
1483 case MAY_RMDIR:
1484 av = DIR__RMDIR;
1485 break;
1486 default:
1487 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1488 return 0;
1489 }
1490
1491 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1492 return rc;
1493}
1494
1495static inline int may_rename(struct inode *old_dir,
1496 struct dentry *old_dentry,
1497 struct inode *new_dir,
1498 struct dentry *new_dentry)
1499{
1500 struct task_security_struct *tsec;
1501 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1502 struct avc_audit_data ad;
1503 u32 av;
1504 int old_is_dir, new_is_dir;
1505 int rc;
1506
1507 tsec = current->security;
1508 old_dsec = old_dir->i_security;
1509 old_isec = old_dentry->d_inode->i_security;
1510 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1511 new_dsec = new_dir->i_security;
1512
1513 AVC_AUDIT_DATA_INIT(&ad, FS);
1514
1515 ad.u.fs.dentry = old_dentry;
1516 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1517 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1518 if (rc)
1519 return rc;
1520 rc = avc_has_perm(tsec->sid, old_isec->sid,
1521 old_isec->sclass, FILE__RENAME, &ad);
1522 if (rc)
1523 return rc;
1524 if (old_is_dir && new_dir != old_dir) {
1525 rc = avc_has_perm(tsec->sid, old_isec->sid,
1526 old_isec->sclass, DIR__REPARENT, &ad);
1527 if (rc)
1528 return rc;
1529 }
1530
1531 ad.u.fs.dentry = new_dentry;
1532 av = DIR__ADD_NAME | DIR__SEARCH;
1533 if (new_dentry->d_inode)
1534 av |= DIR__REMOVE_NAME;
1535 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1536 if (rc)
1537 return rc;
1538 if (new_dentry->d_inode) {
1539 new_isec = new_dentry->d_inode->i_security;
1540 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1541 rc = avc_has_perm(tsec->sid, new_isec->sid,
1542 new_isec->sclass,
1543 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1544 if (rc)
1545 return rc;
1546 }
1547
1548 return 0;
1549}
1550
1551/* Check whether a task can perform a filesystem operation. */
1552static int superblock_has_perm(struct task_struct *tsk,
1553 struct super_block *sb,
1554 u32 perms,
1555 struct avc_audit_data *ad)
1556{
1557 struct task_security_struct *tsec;
1558 struct superblock_security_struct *sbsec;
1559
1560 tsec = tsk->security;
1561 sbsec = sb->s_security;
1562 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1563 perms, ad);
1564}
1565
1566/* Convert a Linux mode and permission mask to an access vector. */
1567static inline u32 file_mask_to_av(int mode, int mask)
1568{
1569 u32 av = 0;
1570
1571 if ((mode & S_IFMT) != S_IFDIR) {
1572 if (mask & MAY_EXEC)
1573 av |= FILE__EXECUTE;
1574 if (mask & MAY_READ)
1575 av |= FILE__READ;
1576
1577 if (mask & MAY_APPEND)
1578 av |= FILE__APPEND;
1579 else if (mask & MAY_WRITE)
1580 av |= FILE__WRITE;
1581
1582 } else {
1583 if (mask & MAY_EXEC)
1584 av |= DIR__SEARCH;
1585 if (mask & MAY_WRITE)
1586 av |= DIR__WRITE;
1587 if (mask & MAY_READ)
1588 av |= DIR__READ;
1589 }
1590
1591 return av;
1592}
1593
1594/* Convert a Linux file to an access vector. */
1595static inline u32 file_to_av(struct file *file)
1596{
1597 u32 av = 0;
1598
1599 if (file->f_mode & FMODE_READ)
1600 av |= FILE__READ;
1601 if (file->f_mode & FMODE_WRITE) {
1602 if (file->f_flags & O_APPEND)
1603 av |= FILE__APPEND;
1604 else
1605 av |= FILE__WRITE;
1606 }
1607
1608 return av;
1609}
1610
1da177e4
LT		 1611/* Hook functions begin here. */
1612
1613static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1614{
1615 struct task_security_struct *psec = parent->security;
1616 struct task_security_struct *csec = child->security;
1617 int rc;
1618
1619 rc = secondary_ops->ptrace(parent,child);
1620 if (rc)
1621 return rc;
1622
1623 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1624 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1625 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1626 csec->ptrace_sid = psec->sid;
1627 return rc;
1628}
1629
1630static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1631 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1632{
1633 int error;
1634
1635 error = task_has_perm(current, target, PROCESS__GETCAP);
1636 if (error)
1637 return error;
1638
1639 return secondary_ops->capget(target, effective, inheritable, permitted);
1640}
1641
1642static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1643 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1644{
1645 int error;
1646
1647 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1648 if (error)
1649 return error;
1650
1651 return task_has_perm(current, target, PROCESS__SETCAP);
1652}
1653
1654static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1655 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1656{
1657 secondary_ops->capset_set(target, effective, inheritable, permitted);
1658}
1659
1660static int selinux_capable(struct task_struct *tsk, int cap)
1661{
1662 int rc;
1663
1664 rc = secondary_ops->capable(tsk, cap);
1665 if (rc)
1666 return rc;
1667
1668 return task_has_capability(tsk,cap);
1669}
1670
3fbfa981
EB		 1671static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1672{
1673 int buflen, rc;
1674 char *buffer, *path, *end;
1675
1676 rc = -ENOMEM;
1677 buffer = (char*)__get_free_page(GFP_KERNEL);
1678 if (!buffer)
1679 goto out;
1680
1681 buflen = PAGE_SIZE;
1682 end = buffer+buflen;
1683 *--end = '\0';
1684 buflen--;
1685 path = end-1;
1686 *path = '/';
1687 while (table) {
1688 const char *name = table->procname;
1689 size_t namelen = strlen(name);
1690 buflen -= namelen + 1;
1691 if (buflen < 0)
1692 goto out_free;
1693 end -= namelen;
1694 memcpy(end, name, namelen);
1695 *--end = '/';
1696 path = end;
1697 table = table->parent;
1698 }
b599fdfd
EB		 1699 buflen -= 4;
1700 if (buflen < 0)
1701 goto out_free;
1702 end -= 4;
1703 memcpy(end, "/sys", 4);
1704 path = end;
3fbfa981
EB		 1705 rc = security_genfs_sid("proc", path, tclass, sid);
1706out_free:
1707 free_page((unsigned long)buffer);
1708out:
1709 return rc;
1710}
1711
1da177e4
LT		 1712static int selinux_sysctl(ctl_table *table, int op)
1713{
1714 int error = 0;
1715 u32 av;
1716 struct task_security_struct *tsec;
1717 u32 tsid;
1718 int rc;
1719
1720 rc = secondary_ops->sysctl(table, op);
1721 if (rc)
1722 return rc;
1723
1724 tsec = current->security;
1725
3fbfa981
EB		 1726 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1727 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1728 if (rc) {
1729 /* Default to the well-defined sysctl SID. */
1730 tsid = SECINITSID_SYSCTL;
1731 }
1732
1733 /* The op values are "defined" in sysctl.c, thereby creating
1734 * a bad coupling between this module and sysctl.c */
1735 if(op == 001) {
1736 error = avc_has_perm(tsec->sid, tsid,
1737 SECCLASS_DIR, DIR__SEARCH, NULL);
1738 } else {
1739 av = 0;
1740 if (op & 004)
1741 av |= FILE__READ;
1742 if (op & 002)
1743 av |= FILE__WRITE;
1744 if (av)
1745 error = avc_has_perm(tsec->sid, tsid,
1746 SECCLASS_FILE, av, NULL);
1747 }
1748
1749 return error;
1750}
1751
1752static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1753{
1754 int rc = 0;
1755
1756 if (!sb)
1757 return 0;
1758
1759 switch (cmds) {
1760 case Q_SYNC:
1761 case Q_QUOTAON:
1762 case Q_QUOTAOFF:
1763 case Q_SETINFO:
1764 case Q_SETQUOTA:
1765 rc = superblock_has_perm(current,
1766 sb,
1767 FILESYSTEM__QUOTAMOD, NULL);
1768 break;
1769 case Q_GETFMT:
1770 case Q_GETINFO:
1771 case Q_GETQUOTA:
1772 rc = superblock_has_perm(current,
1773 sb,
1774 FILESYSTEM__QUOTAGET, NULL);
1775 break;
1776 default:
1777 rc = 0; /* let the kernel handle invalid cmds */
1778 break;
1779 }
1780 return rc;
1781}
1782
1783static int selinux_quota_on(struct dentry *dentry)
1784{
1785 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1786}
1787
1788static int selinux_syslog(int type)
1789{
1790 int rc;
1791
1792 rc = secondary_ops->syslog(type);
1793 if (rc)
1794 return rc;
1795
1796 switch (type) {
1797 case 3: /* Read last kernel messages */
1798 case 10: /* Return size of the log buffer */
1799 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1800 break;
1801 case 6: /* Disable logging to console */
1802 case 7: /* Enable logging to console */
1803 case 8: /* Set level of messages printed to console */
1804 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1805 break;
1806 case 0: /* Close log */
1807 case 1: /* Open log */
1808 case 2: /* Read from log */
1809 case 4: /* Read/clear last kernel messages */
1810 case 5: /* Clear ring buffer */
1811 default:
1812 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1813 break;
1814 }
1815 return rc;
1816}
1817
1818/*
1819 * Check that a process has enough memory to allocate a new virtual
1820 * mapping. 0 means there is enough memory for the allocation to
1821 * succeed and -ENOMEM implies there is not.
1822 *
1823 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1824 * if the capability is granted, but __vm_enough_memory requires 1 if
1825 * the capability is granted.
1826 *
1827 * Do not audit the selinux permission check, as this is applied to all
1828 * processes that allocate mappings.
1829 */
34b4e4aa 1830static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1831{
1832 int rc, cap_sys_admin = 0;
1833 struct task_security_struct *tsec = current->security;
1834
1835 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1836 if (rc == 0)
1837 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1838 SECCLASS_CAPABILITY,
1839 CAP_TO_MASK(CAP_SYS_ADMIN),
1840 0,
1841 NULL);
1da177e4
LT		 1842
1843 if (rc == 0)
1844 cap_sys_admin = 1;
1845
34b4e4aa 1846 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1847}
1848
1849/* binprm security operations */
1850
1851static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1852{
1853 struct bprm_security_struct *bsec;
1854
89d155ef 1855 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1856 if (!bsec)
1857 return -ENOMEM;
1858
1da177e4
LT		 1859 bsec->bprm = bprm;
1860 bsec->sid = SECINITSID_UNLABELED;
1861 bsec->set = 0;
1862
1863 bprm->security = bsec;
1864 return 0;
1865}
1866
1867static int selinux_bprm_set_security(struct linux_binprm *bprm)
1868{
1869 struct task_security_struct *tsec;
3d5ff529 1870 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1871 struct inode_security_struct *isec;
1872 struct bprm_security_struct *bsec;
1873 u32 newsid;
1874 struct avc_audit_data ad;
1875 int rc;
1876
1877 rc = secondary_ops->bprm_set_security(bprm);
1878 if (rc)
1879 return rc;
1880
1881 bsec = bprm->security;
1882
1883 if (bsec->set)
1884 return 0;
1885
1886 tsec = current->security;
1887 isec = inode->i_security;
1888
1889 /* Default to the current task SID. */
1890 bsec->sid = tsec->sid;
1891
28eba5bf 1892 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1893 tsec->create_sid = 0;
28eba5bf 1894 tsec->keycreate_sid = 0;
42c3e03e 1895 tsec->sockcreate_sid = 0;
1da177e4
LT		 1896
1897 if (tsec->exec_sid) {
1898 newsid = tsec->exec_sid;
1899 /* Reset exec SID on execve. */
1900 tsec->exec_sid = 0;
1901 } else {
1902 /* Check for a default transition on this program. */
1903 rc = security_transition_sid(tsec->sid, isec->sid,
1904 SECCLASS_PROCESS, &newsid);
1905 if (rc)
1906 return rc;
1907 }
1908
1909 AVC_AUDIT_DATA_INIT(&ad, FS);
3d5ff529
JS		 1910 ad.u.fs.mnt = bprm->file->f_path.mnt;
1911 ad.u.fs.dentry = bprm->file->f_path.dentry;
1da177e4 1912
3d5ff529 1913 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 1914 newsid = tsec->sid;
1915
1916 if (tsec->sid == newsid) {
1917 rc = avc_has_perm(tsec->sid, isec->sid,
1918 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1919 if (rc)
1920 return rc;
1921 } else {
1922 /* Check permissions for the transition. */
1923 rc = avc_has_perm(tsec->sid, newsid,
1924 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1925 if (rc)
1926 return rc;
1927
1928 rc = avc_has_perm(newsid, isec->sid,
1929 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1930 if (rc)
1931 return rc;
1932
1933 /* Clear any possibly unsafe personality bits on exec: */
1934 current->personality &= ~PER_CLEAR_ON_SETID;
1935
1936 /* Set the security field to the new SID. */
1937 bsec->sid = newsid;
1938 }
1939
1940 bsec->set = 1;
1941 return 0;
1942}
1943
1944static int selinux_bprm_check_security (struct linux_binprm *bprm)
1945{
1946 return secondary_ops->bprm_check_security(bprm);
1947}
1948
1949
1950static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1951{
1952 struct task_security_struct *tsec = current->security;
1953 int atsecure = 0;
1954
1955 if (tsec->osid != tsec->sid) {
1956 /* Enable secure mode for SIDs transitions unless
1957 the noatsecure permission is granted between
1958 the two SIDs, i.e. ahp returns 0. */
1959 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1960 SECCLASS_PROCESS,
1961 PROCESS__NOATSECURE, NULL);
1962 }
1963
1964 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1965}
1966
1967static void selinux_bprm_free_security(struct linux_binprm *bprm)
1968{
9a5f04bf 1969 kfree(bprm->security);
1da177e4 1970 bprm->security = NULL;
1da177e4
LT		 1971}
1972
1973extern struct vfsmount *selinuxfs_mount;
1974extern struct dentry *selinux_null;
1975
1976/* Derived from fs/exec.c:flush_old_files. */
1977static inline void flush_unauthorized_files(struct files_struct * files)
1978{
1979 struct avc_audit_data ad;
1980 struct file *file, *devnull = NULL;
b20c8122 1981 struct tty_struct *tty;
badf1662 1982 struct fdtable *fdt;
1da177e4 1983 long j = -1;
24ec839c 1984 int drop_tty = 0;
1da177e4 1985
b20c8122 1986 mutex_lock(&tty_mutex);
24ec839c 1987 tty = get_current_tty();
1da177e4
LT		 1988 if (tty) {
1989 file_list_lock();
2f512016 1990 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1991 if (file) {
1992 /* Revalidate access to controlling tty.
1993 Use inode_has_perm on the tty inode directly rather
1994 than using file_has_perm, as this particular open
1995 file may belong to another process and we are only
1996 interested in the inode-based check here. */
3d5ff529 1997 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1998 if (inode_has_perm(current, inode,
1999 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2000 drop_tty = 1;
1da177e4
LT		 2001 }
2002 }
2003 file_list_unlock();
2004 }
b20c8122 2005 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2006 /* Reset controlling tty. */
2007 if (drop_tty)
2008 no_tty();
1da177e4
LT		 2009
2010 /* Revalidate access to inherited open files. */
2011
2012 AVC_AUDIT_DATA_INIT(&ad,FS);
2013
2014 spin_lock(&files->file_lock);
2015 for (;;) {
2016 unsigned long set, i;
2017 int fd;
2018
2019 j++;
2020 i = j * __NFDBITS;
badf1662 2021 fdt = files_fdtable(files);
bbea9f69 2022 if (i >= fdt->max_fds)
1da177e4 2023 break;
badf1662 2024 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2025 if (!set)
2026 continue;
2027 spin_unlock(&files->file_lock);
2028 for ( ; set ; i++,set >>= 1) {
2029 if (set & 1) {
2030 file = fget(i);
2031 if (!file)
2032 continue;
2033 if (file_has_perm(current,
2034 file,
2035 file_to_av(file))) {
2036 sys_close(i);
2037 fd = get_unused_fd();
2038 if (fd != i) {
2039 if (fd >= 0)
2040 put_unused_fd(fd);
2041 fput(file);
2042 continue;
2043 }
2044 if (devnull) {
095975da 2045 get_file(devnull);
1da177e4
LT		 2046 } else {
2047 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2048 if (IS_ERR(devnull)) {
2049 devnull = NULL;
1da177e4
LT		 2050 put_unused_fd(fd);
2051 fput(file);
2052 continue;
2053 }
2054 }
2055 fd_install(fd, devnull);
2056 }
2057 fput(file);
2058 }
2059 }
2060 spin_lock(&files->file_lock);
2061
2062 }
2063 spin_unlock(&files->file_lock);
2064}
2065
2066static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2067{
2068 struct task_security_struct *tsec;
2069 struct bprm_security_struct *bsec;
2070 u32 sid;
2071 int rc;
2072
2073 secondary_ops->bprm_apply_creds(bprm, unsafe);
2074
2075 tsec = current->security;
2076
2077 bsec = bprm->security;
2078 sid = bsec->sid;
2079
2080 tsec->osid = tsec->sid;
2081 bsec->unsafe = 0;
2082 if (tsec->sid != sid) {
2083 /* Check for shared state. If not ok, leave SID
2084 unchanged and kill. */
2085 if (unsafe & LSM_UNSAFE_SHARE) {
2086 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2087 PROCESS__SHARE, NULL);
2088 if (rc) {
2089 bsec->unsafe = 1;
2090 return;
2091 }
2092 }
2093
2094 /* Check for ptracing, and update the task SID if ok.
2095 Otherwise, leave SID unchanged and kill. */
2096 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2097 rc = avc_has_perm(tsec->ptrace_sid, sid,
2098 SECCLASS_PROCESS, PROCESS__PTRACE,
2099 NULL);
2100 if (rc) {
2101 bsec->unsafe = 1;
2102 return;
2103 }
2104 }
2105 tsec->sid = sid;
2106 }
2107}
2108
2109/*
2110 * called after apply_creds without the task lock held
2111 */
2112static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2113{
2114 struct task_security_struct *tsec;
2115 struct rlimit *rlim, *initrlim;
2116 struct itimerval itimer;
2117 struct bprm_security_struct *bsec;
2118 int rc, i;
2119
2120 tsec = current->security;
2121 bsec = bprm->security;
2122
2123 if (bsec->unsafe) {
2124 force_sig_specific(SIGKILL, current);
2125 return;
2126 }
2127 if (tsec->osid == tsec->sid)
2128 return;
2129
2130 /* Close files for which the new task SID is not authorized. */
2131 flush_unauthorized_files(current->files);
2132
2133 /* Check whether the new SID can inherit signal state
2134 from the old SID. If not, clear itimers to avoid
2135 subsequent signal generation and flush and unblock
2136 signals. This must occur _after_ the task SID has
2137 been updated so that any kill done after the flush
2138 will be checked against the new SID. */
2139 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2140 PROCESS__SIGINH, NULL);
2141 if (rc) {
2142 memset(&itimer, 0, sizeof itimer);
2143 for (i = 0; i < 3; i++)
2144 do_setitimer(i, &itimer, NULL);
2145 flush_signals(current);
2146 spin_lock_irq(&current->sighand->siglock);
2147 flush_signal_handlers(current, 1);
2148 sigemptyset(&current->blocked);
2149 recalc_sigpending();
2150 spin_unlock_irq(&current->sighand->siglock);
2151 }
2152
4ac212ad
SS		 2153 /* Always clear parent death signal on SID transitions. */
2154 current->pdeath_signal = 0;
2155
1da177e4
LT		 2156 /* Check whether the new SID can inherit resource limits
2157 from the old SID. If not, reset all soft limits to
2158 the lower of the current task's hard limit and the init
2159 task's soft limit. Note that the setting of hard limits
2160 (even to lower them) can be controlled by the setrlimit
2161 check. The inclusion of the init task's soft limit into
2162 the computation is to avoid resetting soft limits higher
2163 than the default soft limit for cases where the default
2164 is lower than the hard limit, e.g. RLIMIT_CORE or
2165 RLIMIT_STACK.*/
2166 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2167 PROCESS__RLIMITINH, NULL);
2168 if (rc) {
2169 for (i = 0; i < RLIM_NLIMITS; i++) {
2170 rlim = current->signal->rlim + i;
2171 initrlim = init_task.signal->rlim+i;
2172 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2173 }
2174 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2175 /*
2176 * This will cause RLIMIT_CPU calculations
2177 * to be refigured.
2178 */
2179 current->it_prof_expires = jiffies_to_cputime(1);
2180 }
2181 }
2182
2183 /* Wake up the parent if it is waiting so that it can
2184 recheck wait permission to the new task SID. */
2185 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2186}
2187
2188/* superblock security operations */
2189
2190static int selinux_sb_alloc_security(struct super_block *sb)
2191{
2192 return superblock_alloc_security(sb);
2193}
2194
2195static void selinux_sb_free_security(struct super_block *sb)
2196{
2197 superblock_free_security(sb);
2198}
2199
2200static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2201{
2202 if (plen > olen)
2203 return 0;
2204
2205 return !memcmp(prefix, option, plen);
2206}
2207
2208static inline int selinux_option(char *option, int len)
2209{
2210 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2211 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 2212 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2213 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 2214}
2215
2216static inline void take_option(char **to, char *from, int *first, int len)
2217{
2218 if (!*first) {
2219 **to = ',';
2220 *to += 1;
3528a953 2221 } else
1da177e4
LT		 2222 *first = 0;
2223 memcpy(*to, from, len);
2224 *to += len;
2225}
2226
3528a953
CO		 2227static inline void take_selinux_option(char **to, char *from, int *first,
2228 int len)
2229{
2230 int current_size = 0;
2231
2232 if (!*first) {
2233 **to = '|';
2234 *to += 1;
2235 }
2236 else
2237 *first = 0;
2238
2239 while (current_size < len) {
2240 if (*from != '"') {
2241 **to = *from;
2242 *to += 1;
2243 }
2244 from += 1;
2245 current_size += 1;
2246 }
2247}
2248
1da177e4
LT		 2249static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2250{
2251 int fnosec, fsec, rc = 0;
2252 char *in_save, *in_curr, *in_end;
2253 char *sec_curr, *nosec_save, *nosec;
3528a953 2254 int open_quote = 0;
1da177e4
LT		 2255
2256 in_curr = orig;
2257 sec_curr = copy;
2258
2259 /* Binary mount data: just copy */
2260 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2261 copy_page(sec_curr, in_curr);
2262 goto out;
2263 }
2264
2265 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2266 if (!nosec) {
2267 rc = -ENOMEM;
2268 goto out;
2269 }
2270
2271 nosec_save = nosec;
2272 fnosec = fsec = 1;
2273 in_save = in_end = orig;
2274
2275 do {
3528a953
CO		 2276 if (*in_end == '"')
2277 open_quote = !open_quote;
2278 if ((*in_end == ',' && open_quote == 0) ||
2279 *in_end == '\0') {
1da177e4
LT		 2280 int len = in_end - in_curr;
2281
2282 if (selinux_option(in_curr, len))
3528a953 2283 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2284 else
2285 take_option(&nosec, in_curr, &fnosec, len);
2286
2287 in_curr = in_end + 1;
2288 }
2289 } while (*in_end++);
2290
6931dfc9 2291 strcpy(in_save, nosec_save);
da3caa20 2292 free_page((unsigned long)nosec_save);
1da177e4
LT		 2293out:
2294 return rc;
2295}
2296
2297static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2298{
2299 struct avc_audit_data ad;
2300 int rc;
2301
2302 rc = superblock_doinit(sb, data);
2303 if (rc)
2304 return rc;
2305
2306 AVC_AUDIT_DATA_INIT(&ad,FS);
2307 ad.u.fs.dentry = sb->s_root;
2308 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2309}
2310
726c3342 2311static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2312{
2313 struct avc_audit_data ad;
2314
2315 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 2316 ad.u.fs.dentry = dentry->d_sb->s_root;
2317 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2318}
2319
2320static int selinux_mount(char * dev_name,
2321 struct nameidata *nd,
2322 char * type,
2323 unsigned long flags,
2324 void * data)
2325{
2326 int rc;
2327
2328 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2329 if (rc)
2330 return rc;
2331
2332 if (flags & MS_REMOUNT)
2333 return superblock_has_perm(current, nd->mnt->mnt_sb,
2334 FILESYSTEM__REMOUNT, NULL);
2335 else
2336 return dentry_has_perm(current, nd->mnt, nd->dentry,
2337 FILE__MOUNTON);
2338}
2339
2340static int selinux_umount(struct vfsmount *mnt, int flags)
2341{
2342 int rc;
2343
2344 rc = secondary_ops->sb_umount(mnt, flags);
2345 if (rc)
2346 return rc;
2347
2348 return superblock_has_perm(current,mnt->mnt_sb,
2349 FILESYSTEM__UNMOUNT,NULL);
2350}
2351
2352/* inode security operations */
2353
2354static int selinux_inode_alloc_security(struct inode *inode)
2355{
2356 return inode_alloc_security(inode);
2357}
2358
2359static void selinux_inode_free_security(struct inode *inode)
2360{
2361 inode_free_security(inode);
2362}
2363
5e41ff9e
SS		 2364static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2365 char **name, void **value,
2366 size_t *len)
2367{
2368 struct task_security_struct *tsec;
2369 struct inode_security_struct *dsec;
2370 struct superblock_security_struct *sbsec;
570bc1c2 2371 u32 newsid, clen;
5e41ff9e 2372 int rc;
570bc1c2 2373 char *namep = NULL, *context;
5e41ff9e
SS		 2374
2375 tsec = current->security;
2376 dsec = dir->i_security;
2377 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2378
2379 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2380 newsid = tsec->create_sid;
2381 } else {
2382 rc = security_transition_sid(tsec->sid, dsec->sid,
2383 inode_mode_to_security_class(inode->i_mode),
2384 &newsid);
2385 if (rc) {
2386 printk(KERN_WARNING "%s: "
2387 "security_transition_sid failed, rc=%d (dev=%s "
2388 "ino=%ld)\n",
2389 __FUNCTION__,
2390 -rc, inode->i_sb->s_id, inode->i_ino);
2391 return rc;
2392 }
2393 }
2394
296fddf7
EP		 2395 /* Possibly defer initialization to selinux_complete_init. */
2396 if (sbsec->initialized) {
2397 struct inode_security_struct *isec = inode->i_security;
2398 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2399 isec->sid = newsid;
2400 isec->initialized = 1;
2401 }
5e41ff9e 2402
8aad3875 2403 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2404 return -EOPNOTSUPP;
2405
570bc1c2
SS		 2406 if (name) {
2407 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2408 if (!namep)
2409 return -ENOMEM;
2410 *name = namep;
2411 }
5e41ff9e 2412
570bc1c2
SS		 2413 if (value && len) {
2414 rc = security_sid_to_context(newsid, &context, &clen);
2415 if (rc) {
2416 kfree(namep);
2417 return rc;
2418 }
2419 *value = context;
2420 *len = clen;
5e41ff9e 2421 }
5e41ff9e 2422
5e41ff9e
SS		 2423 return 0;
2424}
2425
1da177e4
LT		 2426static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2427{
2428 return may_create(dir, dentry, SECCLASS_FILE);
2429}
2430
1da177e4
LT		 2431static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2432{
2433 int rc;
2434
2435 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2436 if (rc)
2437 return rc;
2438 return may_link(dir, old_dentry, MAY_LINK);
2439}
2440
1da177e4
LT		 2441static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2442{
2443 int rc;
2444
2445 rc = secondary_ops->inode_unlink(dir, dentry);
2446 if (rc)
2447 return rc;
2448 return may_link(dir, dentry, MAY_UNLINK);
2449}
2450
2451static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2452{
2453 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2454}
2455
1da177e4
LT		 2456static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2457{
2458 return may_create(dir, dentry, SECCLASS_DIR);
2459}
2460
1da177e4
LT		 2461static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2462{
2463 return may_link(dir, dentry, MAY_RMDIR);
2464}
2465
2466static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2467{
2468 int rc;
2469
2470 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2471 if (rc)
2472 return rc;
2473
2474 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2475}
2476
1da177e4
LT		 2477static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2478 struct inode *new_inode, struct dentry *new_dentry)
2479{
2480 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2481}
2482
1da177e4
LT		 2483static int selinux_inode_readlink(struct dentry *dentry)
2484{
2485 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2486}
2487
2488static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2489{
2490 int rc;
2491
2492 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2493 if (rc)
2494 return rc;
2495 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2496}
2497
2498static int selinux_inode_permission(struct inode *inode, int mask,
2499 struct nameidata *nd)
2500{
2501 int rc;
2502
2503 rc = secondary_ops->inode_permission(inode, mask, nd);
2504 if (rc)
2505 return rc;
2506
2507 if (!mask) {
2508 /* No permission to check. Existence test. */
2509 return 0;
2510 }
2511
2512 return inode_has_perm(current, inode,
2513 file_mask_to_av(inode->i_mode, mask), NULL);
2514}
2515
2516static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2517{
2518 int rc;
2519
2520 rc = secondary_ops->inode_setattr(dentry, iattr);
2521 if (rc)
2522 return rc;
2523
2524 if (iattr->ia_valid & ATTR_FORCE)
2525 return 0;
2526
2527 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2528 ATTR_ATIME_SET | ATTR_MTIME_SET))
2529 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2530
2531 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2532}
2533
2534static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2535{
2536 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2537}
2538
b5376771
SH		 2539static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2540{
2541 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2542 sizeof XATTR_SECURITY_PREFIX - 1)) {
2543 if (!strcmp(name, XATTR_NAME_CAPS)) {
2544 if (!capable(CAP_SETFCAP))
2545 return -EPERM;
2546 } else if (!capable(CAP_SYS_ADMIN)) {
2547 /* A different attribute in the security namespace.
2548 Restrict to administrator. */
2549 return -EPERM;
2550 }
2551 }
2552
2553 /* Not an attribute we recognize, so just check the
2554 ordinary setattr permission. */
2555 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2556}
2557
1da177e4
LT		 2558static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2559{
2560 struct task_security_struct *tsec = current->security;
2561 struct inode *inode = dentry->d_inode;
2562 struct inode_security_struct *isec = inode->i_security;
2563 struct superblock_security_struct *sbsec;
2564 struct avc_audit_data ad;
2565 u32 newsid;
2566 int rc = 0;
2567
b5376771
SH		 2568 if (strcmp(name, XATTR_NAME_SELINUX))
2569 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2570
2571 sbsec = inode->i_sb->s_security;
2572 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2573 return -EOPNOTSUPP;
2574
3bd858ab 2575 if (!is_owner_or_cap(inode))
1da177e4
LT		 2576 return -EPERM;
2577
2578 AVC_AUDIT_DATA_INIT(&ad,FS);
2579 ad.u.fs.dentry = dentry;
2580
2581 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2582 FILE__RELABELFROM, &ad);
2583 if (rc)
2584 return rc;
2585
2586 rc = security_context_to_sid(value, size, &newsid);
2587 if (rc)
2588 return rc;
2589
2590 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2591 FILE__RELABELTO, &ad);
2592 if (rc)
2593 return rc;
2594
2595 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2596 isec->sclass);
2597 if (rc)
2598 return rc;
2599
2600 return avc_has_perm(newsid,
2601 sbsec->sid,
2602 SECCLASS_FILESYSTEM,
2603 FILESYSTEM__ASSOCIATE,
2604 &ad);
2605}
2606
2607static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2608 void *value, size_t size, int flags)
2609{
2610 struct inode *inode = dentry->d_inode;
2611 struct inode_security_struct *isec = inode->i_security;
2612 u32 newsid;
2613 int rc;
2614
2615 if (strcmp(name, XATTR_NAME_SELINUX)) {
2616 /* Not an attribute we recognize, so nothing to do. */
2617 return;
2618 }
2619
2620 rc = security_context_to_sid(value, size, &newsid);
2621 if (rc) {
2622 printk(KERN_WARNING "%s: unable to obtain SID for context "
2623 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2624 return;
2625 }
2626
2627 isec->sid = newsid;
2628 return;
2629}
2630
2631static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2632{
1da177e4
LT		 2633 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2634}
2635
2636static int selinux_inode_listxattr (struct dentry *dentry)
2637{
2638 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2639}
2640
2641static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2642{
b5376771
SH		 2643 if (strcmp(name, XATTR_NAME_SELINUX))
2644 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2645
2646 /* No one is allowed to remove a SELinux security label.
2647 You can change the label, but all data must be labeled. */
2648 return -EACCES;
2649}
2650
d381d8a9
JM		 2651/*
2652 * Copy the in-core inode security context value to the user. If the
2653 * getxattr() prior to this succeeded, check to see if we need to
2654 * canonicalize the value to be finally returned to the user.
2655 *
2656 * Permission check is handled by selinux_inode_getxattr hook.
2657 */
7306a0b9 2658static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2659{
2660 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2661
8c8570fb
DK		 2662 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2663 return -EOPNOTSUPP;
d381d8a9 2664
8c8570fb 2665 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2666}
2667
2668static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2669 const void *value, size_t size, int flags)
2670{
2671 struct inode_security_struct *isec = inode->i_security;
2672 u32 newsid;
2673 int rc;
2674
2675 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2676 return -EOPNOTSUPP;
2677
2678 if (!value || !size)
2679 return -EACCES;
2680
2681 rc = security_context_to_sid((void*)value, size, &newsid);
2682 if (rc)
2683 return rc;
2684
2685 isec->sid = newsid;
2686 return 0;
2687}
2688
2689static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2690{
2691 const int len = sizeof(XATTR_NAME_SELINUX);
2692 if (buffer && len <= buffer_size)
2693 memcpy(buffer, XATTR_NAME_SELINUX, len);
2694 return len;
2695}
2696
b5376771
SH		 2697static int selinux_inode_need_killpriv(struct dentry *dentry)
2698{
2699 return secondary_ops->inode_need_killpriv(dentry);
2700}
2701
2702static int selinux_inode_killpriv(struct dentry *dentry)
2703{
2704 return secondary_ops->inode_killpriv(dentry);
2705}
2706
1da177e4
LT		 2707/* file security operations */
2708
788e7dd4 2709static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2710{
7420ed23 2711 int rc;
3d5ff529 2712 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2713
2714 if (!mask) {
2715 /* No permission to check. Existence test. */
2716 return 0;
2717 }
2718
2719 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2720 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2721 mask |= MAY_APPEND;
2722
7420ed23
VY		 2723 rc = file_has_perm(current, file,
2724 file_mask_to_av(inode->i_mode, mask));
2725 if (rc)
2726 return rc;
2727
2728 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2729}
2730
788e7dd4
YN		 2731static int selinux_file_permission(struct file *file, int mask)
2732{
2733 struct inode *inode = file->f_path.dentry->d_inode;
2734 struct task_security_struct *tsec = current->security;
2735 struct file_security_struct *fsec = file->f_security;
2736 struct inode_security_struct *isec = inode->i_security;
2737
2738 if (!mask) {
2739 /* No permission to check. Existence test. */
2740 return 0;
2741 }
2742
2743 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2744 && fsec->pseqno == avc_policy_seqno())
2745 return selinux_netlbl_inode_permission(inode, mask);
2746
2747 return selinux_revalidate_file_permission(file, mask);
2748}
2749
1da177e4
LT		 2750static int selinux_file_alloc_security(struct file *file)
2751{
2752 return file_alloc_security(file);
2753}
2754
2755static void selinux_file_free_security(struct file *file)
2756{
2757 file_free_security(file);
2758}
2759
2760static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2761 unsigned long arg)
2762{
2763 int error = 0;
2764
2765 switch (cmd) {
2766 case FIONREAD:
2767 /* fall through */
2768 case FIBMAP:
2769 /* fall through */
2770 case FIGETBSZ:
2771 /* fall through */
2772 case EXT2_IOC_GETFLAGS:
2773 /* fall through */
2774 case EXT2_IOC_GETVERSION:
2775 error = file_has_perm(current, file, FILE__GETATTR);
2776 break;
2777
2778 case EXT2_IOC_SETFLAGS:
2779 /* fall through */
2780 case EXT2_IOC_SETVERSION:
2781 error = file_has_perm(current, file, FILE__SETATTR);
2782 break;
2783
2784 /* sys_ioctl() checks */
2785 case FIONBIO:
2786 /* fall through */
2787 case FIOASYNC:
2788 error = file_has_perm(current, file, 0);
2789 break;
2790
2791 case KDSKBENT:
2792 case KDSKBSENT:
2793 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2794 break;
2795
2796 /* default case assumes that the command will go
2797 * to the file's ioctl() function.
2798 */
2799 default:
2800 error = file_has_perm(current, file, FILE__IOCTL);
2801
2802 }
2803 return error;
2804}
2805
2806static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2807{
2808#ifndef CONFIG_PPC32
2809 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2810 /*
2811 * We are making executable an anonymous mapping or a
2812 * private file mapping that will also be writable.
2813 * This has an additional check.
2814 */
2815 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2816 if (rc)
2817 return rc;
2818 }
2819#endif
2820
2821 if (file) {
2822 /* read access is always possible with a mapping */
2823 u32 av = FILE__READ;
2824
2825 /* write access only matters if the mapping is shared */
2826 if (shared && (prot & PROT_WRITE))
2827 av |= FILE__WRITE;
2828
2829 if (prot & PROT_EXEC)
2830 av |= FILE__EXECUTE;
2831
2832 return file_has_perm(current, file, av);
2833 }
2834 return 0;
2835}
2836
2837static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2838 unsigned long prot, unsigned long flags,
2839 unsigned long addr, unsigned long addr_only)
1da177e4 2840{
ed032189
EP		 2841 int rc = 0;
2842 u32 sid = ((struct task_security_struct*)(current->security))->sid;
1da177e4 2843
ed032189
EP		 2844 if (addr < mmap_min_addr)
2845 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2846 MEMPROTECT__MMAP_ZERO, NULL);
2847 if (rc || addr_only)
1da177e4
LT		 2848 return rc;
2849
2850 if (selinux_checkreqprot)
2851 prot = reqprot;
2852
2853 return file_map_prot_check(file, prot,
2854 (flags & MAP_TYPE) == MAP_SHARED);
2855}
2856
2857static int selinux_file_mprotect(struct vm_area_struct *vma,
2858 unsigned long reqprot,
2859 unsigned long prot)
2860{
2861 int rc;
2862
2863 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2864 if (rc)
2865 return rc;
2866
2867 if (selinux_checkreqprot)
2868 prot = reqprot;
2869
2870#ifndef CONFIG_PPC32
db4c9641
SS		 2871 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2872 rc = 0;
2873 if (vma->vm_start >= vma->vm_mm->start_brk &&
2874 vma->vm_end <= vma->vm_mm->brk) {
2875 rc = task_has_perm(current, current,
2876 PROCESS__EXECHEAP);
2877 } else if (!vma->vm_file &&
2878 vma->vm_start <= vma->vm_mm->start_stack &&
2879 vma->vm_end >= vma->vm_mm->start_stack) {
2880 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2881 } else if (vma->vm_file && vma->anon_vma) {
2882 /*
2883 * We are making executable a file mapping that has
2884 * had some COW done. Since pages might have been
2885 * written, check ability to execute the possibly
2886 * modified content. This typically should only
2887 * occur for text relocations.
2888 */
2889 rc = file_has_perm(current, vma->vm_file,
2890 FILE__EXECMOD);
2891 }