]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[PATCH] SELinux: change isec semaphore to a mutex
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <[email protected]>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <[email protected]>
7420ed23
VY		 15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <[email protected]>
1da177e4
LT		 17 *
18 * This program is free software; you can redistribute it and/or modify
19 * it under the terms of the GNU General Public License version 2,
20 * as published by the Free Software Foundation.
21 */
22
1da177e4
LT		 23#include <linux/module.h>
24#include <linux/init.h>
25#include <linux/kernel.h>
26#include <linux/ptrace.h>
27#include <linux/errno.h>
28#include <linux/sched.h>
29#include <linux/security.h>
30#include <linux/xattr.h>
31#include <linux/capability.h>
32#include <linux/unistd.h>
33#include <linux/mm.h>
34#include <linux/mman.h>
35#include <linux/slab.h>
36#include <linux/pagemap.h>
37#include <linux/swap.h>
38#include <linux/smp_lock.h>
39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
42#include <linux/namei.h>
43#include <linux/mount.h>
44#include <linux/ext2_fs.h>
45#include <linux/proc_fs.h>
46#include <linux/kd.h>
47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
51#include <net/ip.h> /* for sysctl_local_port_range[] */
52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53#include <asm/uaccess.h>
54#include <asm/semaphore.h>
55#include <asm/ioctls.h>
56#include <linux/bitops.h>
57#include <linux/interrupt.h>
58#include <linux/netdevice.h> /* for network interface checks */
59#include <linux/netlink.h>
60#include <linux/tcp.h>
61#include <linux/udp.h>
62#include <linux/quota.h>
63#include <linux/un.h> /* for Unix socket types */
64#include <net/af_unix.h> /* for Unix socket types */
65#include <linux/parser.h>
66#include <linux/nfs_mount.h>
67#include <net/ipv6.h>
68#include <linux/hugetlb.h>
69#include <linux/personality.h>
70#include <linux/sysctl.h>
71#include <linux/audit.h>
6931dfc9 72#include <linux/string.h>
877ce7c1 73#include <linux/selinux.h>
23970741 74#include <linux/mutex.h>
1da177e4
LT		 75
76#include "avc.h"
77#include "objsec.h"
78#include "netif.h"
d28d1e08 79#include "xfrm.h"
7420ed23 80#include "selinux_netlabel.h"
1da177e4
LT		 81
82#define XATTR_SELINUX_SUFFIX "selinux"
83#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
84
85extern unsigned int policydb_loaded_version;
86extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 87extern int selinux_compat_net;
1da177e4
LT		 88
89#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
90int selinux_enforcing = 0;
91
92static int __init enforcing_setup(char *str)
93{
94 selinux_enforcing = simple_strtol(str,NULL,0);
95 return 1;
96}
97__setup("enforcing=", enforcing_setup);
98#endif
99
100#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
101int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
102
103static int __init selinux_enabled_setup(char *str)
104{
105 selinux_enabled = simple_strtol(str, NULL, 0);
106 return 1;
107}
108__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 109#else
110int selinux_enabled = 1;
1da177e4
LT		 111#endif
112
113/* Original (dummy) security module. */
114static struct security_operations *original_ops = NULL;
115
116/* Minimal support for a secondary security module,
117 just to allow the use of the dummy or capability modules.
118 The owlsm module can alternatively be used as a secondary
119 module as long as CONFIG_OWLSM_FD is not enabled. */
120static struct security_operations *secondary_ops = NULL;
121
122/* Lists of inode and superblock security structures initialized
123 before the policy was loaded. */
124static LIST_HEAD(superblock_security_head);
125static DEFINE_SPINLOCK(sb_security_lock);
126
7cae7e26
JM		 127static kmem_cache_t *sel_inode_cache;
128
8c8570fb
DK		 129/* Return security context for a given sid or just the context
130 length if the buffer is null or length is 0 */
131static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
132{
133 char *context;
134 unsigned len;
135 int rc;
136
137 rc = security_sid_to_context(sid, &context, &len);
138 if (rc)
139 return rc;
140
141 if (!buffer || !size)
142 goto getsecurity_exit;
143
144 if (size < len) {
145 len = -ERANGE;
146 goto getsecurity_exit;
147 }
148 memcpy(buffer, context, len);
149
150getsecurity_exit:
151 kfree(context);
152 return len;
153}
154
1da177e4
LT		 155/* Allocate and free functions for each kind of security blob. */
156
157static int task_alloc_security(struct task_struct *task)
158{
159 struct task_security_struct *tsec;
160
89d155ef 161 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 162 if (!tsec)
163 return -ENOMEM;
164
1da177e4
LT		 165 tsec->task = task;
166 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
167 task->security = tsec;
168
169 return 0;
170}
171
172static void task_free_security(struct task_struct *task)
173{
174 struct task_security_struct *tsec = task->security;
1da177e4
LT		 175 task->security = NULL;
176 kfree(tsec);
177}
178
179static int inode_alloc_security(struct inode *inode)
180{
181 struct task_security_struct *tsec = current->security;
182 struct inode_security_struct *isec;
183
7cae7e26 184 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
1da177e4
LT		 185 if (!isec)
186 return -ENOMEM;
187
7cae7e26 188 memset(isec, 0, sizeof(*isec));
23970741 189 mutex_init(&isec->lock);
1da177e4 190 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 191 isec->inode = inode;
192 isec->sid = SECINITSID_UNLABELED;
193 isec->sclass = SECCLASS_FILE;
9ac49d22 194 isec->task_sid = tsec->sid;
1da177e4
LT		 195 inode->i_security = isec;
196
197 return 0;
198}
199
200static void inode_free_security(struct inode *inode)
201{
202 struct inode_security_struct *isec = inode->i_security;
203 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
204
1da177e4
LT		 205 spin_lock(&sbsec->isec_lock);
206 if (!list_empty(&isec->list))
207 list_del_init(&isec->list);
208 spin_unlock(&sbsec->isec_lock);
209
210 inode->i_security = NULL;
7cae7e26 211 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 212}
213
214static int file_alloc_security(struct file *file)
215{
216 struct task_security_struct *tsec = current->security;
217 struct file_security_struct *fsec;
218
26d2a4be 219 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 220 if (!fsec)
221 return -ENOMEM;
222
1da177e4 223 fsec->file = file;
9ac49d22
SS		 224 fsec->sid = tsec->sid;
225 fsec->fown_sid = tsec->sid;
1da177e4
LT		 226 file->f_security = fsec;
227
228 return 0;
229}
230
231static void file_free_security(struct file *file)
232{
233 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 234 file->f_security = NULL;
235 kfree(fsec);
236}
237
238static int superblock_alloc_security(struct super_block *sb)
239{
240 struct superblock_security_struct *sbsec;
241
89d155ef 242 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 243 if (!sbsec)
244 return -ENOMEM;
245
1da177e4
LT		 246 init_MUTEX(&sbsec->sem);
247 INIT_LIST_HEAD(&sbsec->list);
248 INIT_LIST_HEAD(&sbsec->isec_head);
249 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 250 sbsec->sb = sb;
251 sbsec->sid = SECINITSID_UNLABELED;
252 sbsec->def_sid = SECINITSID_FILE;
c312feb2 253 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 254 sb->s_security = sbsec;
255
256 return 0;
257}
258
259static void superblock_free_security(struct super_block *sb)
260{
261 struct superblock_security_struct *sbsec = sb->s_security;
262
1da177e4
LT		 263 spin_lock(&sb_security_lock);
264 if (!list_empty(&sbsec->list))
265 list_del_init(&sbsec->list);
266 spin_unlock(&sb_security_lock);
267
268 sb->s_security = NULL;
269 kfree(sbsec);
270}
271
7d877f3b 272static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 273{
274 struct sk_security_struct *ssec;
275
89d155ef 276 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 277 if (!ssec)
278 return -ENOMEM;
279
1da177e4
LT		 280 ssec->sk = sk;
281 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 282 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 283 sk->sk_security = ssec;
284
99f59ed0
PM		 285 selinux_netlbl_sk_security_init(ssec, family);
286
1da177e4
LT		 287 return 0;
288}
289
290static void sk_free_security(struct sock *sk)
291{
292 struct sk_security_struct *ssec = sk->sk_security;
293
1da177e4
LT		 294 sk->sk_security = NULL;
295 kfree(ssec);
296}
1da177e4
LT		 297
298/* The security server must be initialized before
299 any labeling or access decisions can be provided. */
300extern int ss_initialized;
301
302/* The file system's label must be initialized prior to use. */
303
304static char *labeling_behaviors[6] = {
305 "uses xattr",
306 "uses transition SIDs",
307 "uses task SIDs",
308 "uses genfs_contexts",
309 "not configured for labeling",
310 "uses mountpoint labeling",
311};
312
313static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315static inline int inode_doinit(struct inode *inode)
316{
317 return inode_doinit_with_dentry(inode, NULL);
318}
319
320enum {
321 Opt_context = 1,
322 Opt_fscontext = 2,
323 Opt_defcontext = 4,
0808925e 324 Opt_rootcontext = 8,
1da177e4
LT		 325};
326
327static match_table_t tokens = {
328 {Opt_context, "context=%s"},
329 {Opt_fscontext, "fscontext=%s"},
330 {Opt_defcontext, "defcontext=%s"},
0808925e 331 {Opt_rootcontext, "rootcontext=%s"},
1da177e4
LT		 332};
333
334#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335
c312feb2
EP		 336static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
339{
340 int rc;
341
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
346
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
350}
351
0808925e
EP		 352static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
355{
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
365}
366
1da177e4
LT		 367static int try_context_mount(struct super_block *sb, void *data)
368{
369 char *context = NULL, *defcontext = NULL;
0808925e 370 char *fscontext = NULL, *rootcontext = NULL;
1da177e4
LT		 371 const char *name;
372 u32 sid;
373 int alloc = 0, rc = 0, seen = 0;
374 struct task_security_struct *tsec = current->security;
375 struct superblock_security_struct *sbsec = sb->s_security;
376
377 if (!data)
378 goto out;
379
380 name = sb->s_type->name;
381
382 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383
384 /* NFS we understand. */
385 if (!strcmp(name, "nfs")) {
386 struct nfs_mount_data *d = data;
387
388 if (d->version < NFS_MOUNT_VERSION)
389 goto out;
390
391 if (d->context[0]) {
392 context = d->context;
393 seen |= Opt_context;
394 }
395 } else
396 goto out;
397
398 } else {
399 /* Standard string-based options. */
400 char *p, *options = data;
401
402 while ((p = strsep(&options, ",")) != NULL) {
403 int token;
404 substring_t args[MAX_OPT_ARGS];
405
406 if (!*p)
407 continue;
408
409 token = match_token(p, tokens, args);
410
411 switch (token) {
412 case Opt_context:
c312feb2 413 if (seen & (Opt_context|Opt_defcontext)) {
1da177e4
LT		 414 rc = -EINVAL;
415 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416 goto out_free;
417 }
418 context = match_strdup(&args[0]);
419 if (!context) {
420 rc = -ENOMEM;
421 goto out_free;
422 }
423 if (!alloc)
424 alloc = 1;
425 seen |= Opt_context;
426 break;
427
428 case Opt_fscontext:
c312feb2 429 if (seen & Opt_fscontext) {
1da177e4
LT		 430 rc = -EINVAL;
431 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
432 goto out_free;
433 }
c312feb2
EP		 434 fscontext = match_strdup(&args[0]);
435 if (!fscontext) {
1da177e4
LT		 436 rc = -ENOMEM;
437 goto out_free;
438 }
439 if (!alloc)
440 alloc = 1;
441 seen |= Opt_fscontext;
442 break;
443
0808925e
EP		 444 case Opt_rootcontext:
445 if (seen & Opt_rootcontext) {
446 rc = -EINVAL;
447 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
448 goto out_free;
449 }
450 rootcontext = match_strdup(&args[0]);
451 if (!rootcontext) {
452 rc = -ENOMEM;
453 goto out_free;
454 }
455 if (!alloc)
456 alloc = 1;
457 seen |= Opt_rootcontext;
458 break;
459
1da177e4
LT		 460 case Opt_defcontext:
461 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462 rc = -EINVAL;
463 printk(KERN_WARNING "SELinux: "
464 "defcontext option is invalid "
465 "for this filesystem type\n");
466 goto out_free;
467 }
468 if (seen & (Opt_context|Opt_defcontext)) {
469 rc = -EINVAL;
470 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
471 goto out_free;
472 }
473 defcontext = match_strdup(&args[0]);
474 if (!defcontext) {
475 rc = -ENOMEM;
476 goto out_free;
477 }
478 if (!alloc)
479 alloc = 1;
480 seen |= Opt_defcontext;
481 break;
482
483 default:
484 rc = -EINVAL;
485 printk(KERN_WARNING "SELinux: unknown mount "
486 "option\n");
487 goto out_free;
488
489 }
490 }
491 }
492
493 if (!seen)
494 goto out;
495
c312feb2
EP		 496 /* sets the context of the superblock for the fs being mounted. */
497 if (fscontext) {
498 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
1da177e4
LT		 499 if (rc) {
500 printk(KERN_WARNING "SELinux: security_context_to_sid"
501 "(%s) failed for (dev %s, type %s) errno=%d\n",
c312feb2 502 fscontext, sb->s_id, name, rc);
1da177e4
LT		 503 goto out_free;
504 }
505
c312feb2 506 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
1da177e4
LT		 507 if (rc)
508 goto out_free;
509
c312feb2
EP		 510 sbsec->sid = sid;
511 }
512
513 /*
514 * Switch to using mount point labeling behavior.
515 * sets the label used on all file below the mountpoint, and will set
516 * the superblock context if not already set.
517 */
518 if (context) {
519 rc = security_context_to_sid(context, strlen(context), &sid);
520 if (rc) {
521 printk(KERN_WARNING "SELinux: security_context_to_sid"
522 "(%s) failed for (dev %s, type %s) errno=%d\n",
523 context, sb->s_id, name, rc);
524 goto out_free;
525 }
526
b04ea3ce
EP		 527 if (!fscontext) {
528 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
529 if (rc)
530 goto out_free;
c312feb2 531 sbsec->sid = sid;
b04ea3ce
EP		 532 } else {
533 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
534 if (rc)
535 goto out_free;
536 }
c312feb2 537 sbsec->mntpoint_sid = sid;
1da177e4 538
c312feb2 539 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 540 }
541
0808925e
EP		 542 if (rootcontext) {
543 struct inode *inode = sb->s_root->d_inode;
544 struct inode_security_struct *isec = inode->i_security;
545 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546 if (rc) {
547 printk(KERN_WARNING "SELinux: security_context_to_sid"
548 "(%s) failed for (dev %s, type %s) errno=%d\n",
549 rootcontext, sb->s_id, name, rc);
550 goto out_free;
551 }
552
553 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
554 if (rc)
555 goto out_free;
556
557 isec->sid = sid;
558 isec->initialized = 1;
559 }
560
1da177e4
LT		 561 if (defcontext) {
562 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563 if (rc) {
564 printk(KERN_WARNING "SELinux: security_context_to_sid"
565 "(%s) failed for (dev %s, type %s) errno=%d\n",
566 defcontext, sb->s_id, name, rc);
567 goto out_free;
568 }
569
570 if (sid == sbsec->def_sid)
571 goto out_free;
572
0808925e 573 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
1da177e4
LT		 574 if (rc)
575 goto out_free;
576
577 sbsec->def_sid = sid;
578 }
579
580out_free:
581 if (alloc) {
582 kfree(context);
583 kfree(defcontext);
c312feb2 584 kfree(fscontext);
0808925e 585 kfree(rootcontext);
1da177e4
LT		 586 }
587out:
588 return rc;
589}
590
591static int superblock_doinit(struct super_block *sb, void *data)
592{
593 struct superblock_security_struct *sbsec = sb->s_security;
594 struct dentry *root = sb->s_root;
595 struct inode *inode = root->d_inode;
596 int rc = 0;
597
598 down(&sbsec->sem);
599 if (sbsec->initialized)
600 goto out;
601
602 if (!ss_initialized) {
603 /* Defer initialization until selinux_complete_init,
604 after the initial policy is loaded and the security
605 server is ready to handle calls. */
606 spin_lock(&sb_security_lock);
607 if (list_empty(&sbsec->list))
608 list_add(&sbsec->list, &superblock_security_head);
609 spin_unlock(&sb_security_lock);
610 goto out;
611 }
612
613 /* Determine the labeling behavior to use for this filesystem type. */
614 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615 if (rc) {
616 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
617 __FUNCTION__, sb->s_type->name, rc);
618 goto out;
619 }
620
621 rc = try_context_mount(sb, data);
622 if (rc)
623 goto out;
624
625 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
626 /* Make sure that the xattr handler exists and that no
627 error other than -ENODATA is returned by getxattr on
628 the root directory. -ENODATA is ok, as this may be
629 the first boot of the SELinux kernel before we have
630 assigned xattr values to the filesystem. */
631 if (!inode->i_op->getxattr) {
632 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
633 "xattr support\n", sb->s_id, sb->s_type->name);
634 rc = -EOPNOTSUPP;
635 goto out;
636 }
637 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
638 if (rc < 0 && rc != -ENODATA) {
639 if (rc == -EOPNOTSUPP)
640 printk(KERN_WARNING "SELinux: (dev %s, type "
641 "%s) has no security xattr handler\n",
642 sb->s_id, sb->s_type->name);
643 else
644 printk(KERN_WARNING "SELinux: (dev %s, type "
645 "%s) getxattr errno %d\n", sb->s_id,
646 sb->s_type->name, -rc);
647 goto out;
648 }
649 }
650
651 if (strcmp(sb->s_type->name, "proc") == 0)
652 sbsec->proc = 1;
653
654 sbsec->initialized = 1;
655
656 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
657 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
658 sb->s_id, sb->s_type->name);
659 }
660 else {
661 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
662 sb->s_id, sb->s_type->name,
663 labeling_behaviors[sbsec->behavior-1]);
664 }
665
666 /* Initialize the root inode. */
667 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668
669 /* Initialize any other inodes associated with the superblock, e.g.
670 inodes created prior to initial policy load or inodes created
671 during get_sb by a pseudo filesystem that directly
672 populates itself. */
673 spin_lock(&sbsec->isec_lock);
674next_inode:
675 if (!list_empty(&sbsec->isec_head)) {
676 struct inode_security_struct *isec =
677 list_entry(sbsec->isec_head.next,
678 struct inode_security_struct, list);
679 struct inode *inode = isec->inode;
680 spin_unlock(&sbsec->isec_lock);
681 inode = igrab(inode);
682 if (inode) {
683 if (!IS_PRIVATE (inode))
684 inode_doinit(inode);
685 iput(inode);
686 }
687 spin_lock(&sbsec->isec_lock);
688 list_del_init(&isec->list);
689 goto next_inode;
690 }
691 spin_unlock(&sbsec->isec_lock);
692out:
693 up(&sbsec->sem);
694 return rc;
695}
696
697static inline u16 inode_mode_to_security_class(umode_t mode)
698{
699 switch (mode & S_IFMT) {
700 case S_IFSOCK:
701 return SECCLASS_SOCK_FILE;
702 case S_IFLNK:
703 return SECCLASS_LNK_FILE;
704 case S_IFREG:
705 return SECCLASS_FILE;
706 case S_IFBLK:
707 return SECCLASS_BLK_FILE;
708 case S_IFDIR:
709 return SECCLASS_DIR;
710 case S_IFCHR:
711 return SECCLASS_CHR_FILE;
712 case S_IFIFO:
713 return SECCLASS_FIFO_FILE;
714
715 }
716
717 return SECCLASS_FILE;
718}
719
13402580
JM		 720static inline int default_protocol_stream(int protocol)
721{
722 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
723}
724
725static inline int default_protocol_dgram(int protocol)
726{
727 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
728}
729
1da177e4
LT		 730static inline u16 socket_type_to_security_class(int family, int type, int protocol)
731{
732 switch (family) {
733 case PF_UNIX:
734 switch (type) {
735 case SOCK_STREAM:
736 case SOCK_SEQPACKET:
737 return SECCLASS_UNIX_STREAM_SOCKET;
738 case SOCK_DGRAM:
739 return SECCLASS_UNIX_DGRAM_SOCKET;
740 }
741 break;
742 case PF_INET:
743 case PF_INET6:
744 switch (type) {
745 case SOCK_STREAM:
13402580
JM		 746 if (default_protocol_stream(protocol))
747 return SECCLASS_TCP_SOCKET;
748 else
749 return SECCLASS_RAWIP_SOCKET;
1da177e4 750 case SOCK_DGRAM:
13402580
JM		 751 if (default_protocol_dgram(protocol))
752 return SECCLASS_UDP_SOCKET;
753 else
754 return SECCLASS_RAWIP_SOCKET;
755 default:
1da177e4
LT		 756 return SECCLASS_RAWIP_SOCKET;
757 }
758 break;
759 case PF_NETLINK:
760 switch (protocol) {
761 case NETLINK_ROUTE:
762 return SECCLASS_NETLINK_ROUTE_SOCKET;
763 case NETLINK_FIREWALL:
764 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 765 case NETLINK_INET_DIAG:
1da177e4
LT		 766 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
767 case NETLINK_NFLOG:
768 return SECCLASS_NETLINK_NFLOG_SOCKET;
769 case NETLINK_XFRM:
770 return SECCLASS_NETLINK_XFRM_SOCKET;
771 case NETLINK_SELINUX:
772 return SECCLASS_NETLINK_SELINUX_SOCKET;
773 case NETLINK_AUDIT:
774 return SECCLASS_NETLINK_AUDIT_SOCKET;
775 case NETLINK_IP6_FW:
776 return SECCLASS_NETLINK_IP6FW_SOCKET;
777 case NETLINK_DNRTMSG:
778 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 779 case NETLINK_KOBJECT_UEVENT:
780 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 781 default:
782 return SECCLASS_NETLINK_SOCKET;
783 }
784 case PF_PACKET:
785 return SECCLASS_PACKET_SOCKET;
786 case PF_KEY:
787 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 788 case PF_APPLETALK:
789 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 790 }
791
792 return SECCLASS_SOCKET;
793}
794
795#ifdef CONFIG_PROC_FS
796static int selinux_proc_get_sid(struct proc_dir_entry *de,
797 u16 tclass,
798 u32 *sid)
799{
800 int buflen, rc;
801 char *buffer, *path, *end;
802
803 buffer = (char*)__get_free_page(GFP_KERNEL);
804 if (!buffer)
805 return -ENOMEM;
806
807 buflen = PAGE_SIZE;
808 end = buffer+buflen;
809 *--end = '\0';
810 buflen--;
811 path = end-1;
812 *path = '/';
813 while (de && de != de->parent) {
814 buflen -= de->namelen + 1;
815 if (buflen < 0)
816 break;
817 end -= de->namelen;
818 memcpy(end, de->name, de->namelen);
819 *--end = '/';
820 path = end;
821 de = de->parent;
822 }
823 rc = security_genfs_sid("proc", path, tclass, sid);
824 free_page((unsigned long)buffer);
825 return rc;
826}
827#else
828static int selinux_proc_get_sid(struct proc_dir_entry *de,
829 u16 tclass,
830 u32 *sid)
831{
832 return -EINVAL;
833}
834#endif
835
836/* The inode's security attributes must be initialized before first use. */
837static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
838{
839 struct superblock_security_struct *sbsec = NULL;
840 struct inode_security_struct *isec = inode->i_security;
841 u32 sid;
842 struct dentry *dentry;
843#define INITCONTEXTLEN 255
844 char *context = NULL;
845 unsigned len = 0;
846 int rc = 0;
1da177e4
LT		 847
848 if (isec->initialized)
849 goto out;
850
23970741 851 mutex_lock(&isec->lock);
1da177e4 852 if (isec->initialized)
23970741 853 goto out_unlock;
1da177e4
LT		 854
855 sbsec = inode->i_sb->s_security;
856 if (!sbsec->initialized) {
857 /* Defer initialization until selinux_complete_init,
858 after the initial policy is loaded and the security
859 server is ready to handle calls. */
860 spin_lock(&sbsec->isec_lock);
861 if (list_empty(&isec->list))
862 list_add(&isec->list, &sbsec->isec_head);
863 spin_unlock(&sbsec->isec_lock);
23970741 864 goto out_unlock;
1da177e4
LT		 865 }
866
867 switch (sbsec->behavior) {
868 case SECURITY_FS_USE_XATTR:
869 if (!inode->i_op->getxattr) {
870 isec->sid = sbsec->def_sid;
871 break;
872 }
873
874 /* Need a dentry, since the xattr API requires one.
875 Life would be simpler if we could just pass the inode. */
876 if (opt_dentry) {
877 /* Called from d_instantiate or d_splice_alias. */
878 dentry = dget(opt_dentry);
879 } else {
880 /* Called from selinux_complete_init, try to find a dentry. */
881 dentry = d_find_alias(inode);
882 }
883 if (!dentry) {
884 printk(KERN_WARNING "%s: no dentry for dev=%s "
885 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
886 inode->i_ino);
23970741 887 goto out_unlock;
1da177e4
LT		 888 }
889
890 len = INITCONTEXTLEN;
891 context = kmalloc(len, GFP_KERNEL);
892 if (!context) {
893 rc = -ENOMEM;
894 dput(dentry);
23970741 895 goto out_unlock;
1da177e4
LT		 896 }
897 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
898 context, len);
899 if (rc == -ERANGE) {
900 /* Need a larger buffer. Query for the right size. */
901 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
902 NULL, 0);
903 if (rc < 0) {
904 dput(dentry);
23970741 905 goto out_unlock;
1da177e4
LT		 906 }
907 kfree(context);
908 len = rc;
909 context = kmalloc(len, GFP_KERNEL);
910 if (!context) {
911 rc = -ENOMEM;
912 dput(dentry);
23970741 913 goto out_unlock;
1da177e4
LT		 914 }
915 rc = inode->i_op->getxattr(dentry,
916 XATTR_NAME_SELINUX,
917 context, len);
918 }
919 dput(dentry);
920 if (rc < 0) {
921 if (rc != -ENODATA) {
922 printk(KERN_WARNING "%s: getxattr returned "
923 "%d for dev=%s ino=%ld\n", __FUNCTION__,
924 -rc, inode->i_sb->s_id, inode->i_ino);
925 kfree(context);
23970741 926 goto out_unlock;
1da177e4
LT		 927 }
928 /* Map ENODATA to the default file SID */
929 sid = sbsec->def_sid;
930 rc = 0;
931 } else {
f5c1d5b2
JM		 932 rc = security_context_to_sid_default(context, rc, &sid,
933 sbsec->def_sid);
1da177e4
LT		 934 if (rc) {
935 printk(KERN_WARNING "%s: context_to_sid(%s) "
936 "returned %d for dev=%s ino=%ld\n",
937 __FUNCTION__, context, -rc,
938 inode->i_sb->s_id, inode->i_ino);
939 kfree(context);
940 /* Leave with the unlabeled SID */
941 rc = 0;
942 break;
943 }
944 }
945 kfree(context);
946 isec->sid = sid;
947 break;
948 case SECURITY_FS_USE_TASK:
949 isec->sid = isec->task_sid;
950 break;
951 case SECURITY_FS_USE_TRANS:
952 /* Default to the fs SID. */
953 isec->sid = sbsec->sid;
954
955 /* Try to obtain a transition SID. */
956 isec->sclass = inode_mode_to_security_class(inode->i_mode);
957 rc = security_transition_sid(isec->task_sid,
958 sbsec->sid,
959 isec->sclass,
960 &sid);
961 if (rc)
23970741 962 goto out_unlock;
1da177e4
LT		 963 isec->sid = sid;
964 break;
c312feb2
EP		 965 case SECURITY_FS_USE_MNTPOINT:
966 isec->sid = sbsec->mntpoint_sid;
967 break;
1da177e4 968 default:
c312feb2 969 /* Default to the fs superblock SID. */
1da177e4
LT		 970 isec->sid = sbsec->sid;
971
972 if (sbsec->proc) {
973 struct proc_inode *proci = PROC_I(inode);
974 if (proci->pde) {
975 isec->sclass = inode_mode_to_security_class(inode->i_mode);
976 rc = selinux_proc_get_sid(proci->pde,
977 isec->sclass,
978 &sid);
979 if (rc)
23970741 980 goto out_unlock;
1da177e4
LT		 981 isec->sid = sid;
982 }
983 }
984 break;
985 }
986
987 isec->initialized = 1;
988
23970741
EP		 989out_unlock:
990 mutex_unlock(&isec->lock);
1da177e4
LT		 991out:
992 if (isec->sclass == SECCLASS_FILE)
993 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 994 return rc;
995}
996
997/* Convert a Linux signal to an access vector. */
998static inline u32 signal_to_av(int sig)
999{
1000 u32 perm = 0;
1001
1002 switch (sig) {
1003 case SIGCHLD:
1004 /* Commonly granted from child to parent. */
1005 perm = PROCESS__SIGCHLD;
1006 break;
1007 case SIGKILL:
1008 /* Cannot be caught or ignored */
1009 perm = PROCESS__SIGKILL;
1010 break;
1011 case SIGSTOP:
1012 /* Cannot be caught or ignored */
1013 perm = PROCESS__SIGSTOP;
1014 break;
1015 default:
1016 /* All other signals. */
1017 perm = PROCESS__SIGNAL;
1018 break;
1019 }
1020
1021 return perm;
1022}
1023
1024/* Check permission betweeen a pair of tasks, e.g. signal checks,
1025 fork check, ptrace check, etc. */
1026static int task_has_perm(struct task_struct *tsk1,
1027 struct task_struct *tsk2,
1028 u32 perms)
1029{
1030 struct task_security_struct *tsec1, *tsec2;
1031
1032 tsec1 = tsk1->security;
1033 tsec2 = tsk2->security;
1034 return avc_has_perm(tsec1->sid, tsec2->sid,
1035 SECCLASS_PROCESS, perms, NULL);
1036}
1037
1038/* Check whether a task is allowed to use a capability. */
1039static int task_has_capability(struct task_struct *tsk,
1040 int cap)
1041{
1042 struct task_security_struct *tsec;
1043 struct avc_audit_data ad;
1044
1045 tsec = tsk->security;
1046
1047 AVC_AUDIT_DATA_INIT(&ad,CAP);
1048 ad.tsk = tsk;
1049 ad.u.cap = cap;
1050
1051 return avc_has_perm(tsec->sid, tsec->sid,
1052 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1053}
1054
1055/* Check whether a task is allowed to use a system operation. */
1056static int task_has_system(struct task_struct *tsk,
1057 u32 perms)
1058{
1059 struct task_security_struct *tsec;
1060
1061 tsec = tsk->security;
1062
1063 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1064 SECCLASS_SYSTEM, perms, NULL);
1065}
1066
1067/* Check whether a task has a particular permission to an inode.
1068 The 'adp' parameter is optional and allows other audit
1069 data to be passed (e.g. the dentry). */
1070static int inode_has_perm(struct task_struct *tsk,
1071 struct inode *inode,
1072 u32 perms,
1073 struct avc_audit_data *adp)
1074{
1075 struct task_security_struct *tsec;
1076 struct inode_security_struct *isec;
1077 struct avc_audit_data ad;
1078
1079 tsec = tsk->security;
1080 isec = inode->i_security;
1081
1082 if (!adp) {
1083 adp = &ad;
1084 AVC_AUDIT_DATA_INIT(&ad, FS);
1085 ad.u.fs.inode = inode;
1086 }
1087
1088 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1089}
1090
1091/* Same as inode_has_perm, but pass explicit audit data containing
1092 the dentry to help the auditing code to more easily generate the
1093 pathname if needed. */
1094static inline int dentry_has_perm(struct task_struct *tsk,
1095 struct vfsmount *mnt,
1096 struct dentry *dentry,
1097 u32 av)
1098{
1099 struct inode *inode = dentry->d_inode;
1100 struct avc_audit_data ad;
1101 AVC_AUDIT_DATA_INIT(&ad,FS);
1102 ad.u.fs.mnt = mnt;
1103 ad.u.fs.dentry = dentry;
1104 return inode_has_perm(tsk, inode, av, &ad);
1105}
1106
1107/* Check whether a task can use an open file descriptor to
1108 access an inode in a given way. Check access to the
1109 descriptor itself, and then use dentry_has_perm to
1110 check a particular permission to the file.
1111 Access to the descriptor is implicitly granted if it
1112 has the same SID as the process. If av is zero, then
1113 access to the file is not checked, e.g. for cases
1114 where only the descriptor is affected like seek. */
858119e1 1115static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1116 struct file *file,
1117 u32 av)
1118{
1119 struct task_security_struct *tsec = tsk->security;
1120 struct file_security_struct *fsec = file->f_security;
1121 struct vfsmount *mnt = file->f_vfsmnt;
1122 struct dentry *dentry = file->f_dentry;
1123 struct inode *inode = dentry->d_inode;
1124 struct avc_audit_data ad;
1125 int rc;
1126
1127 AVC_AUDIT_DATA_INIT(&ad, FS);
1128 ad.u.fs.mnt = mnt;
1129 ad.u.fs.dentry = dentry;
1130
1131 if (tsec->sid != fsec->sid) {
1132 rc = avc_has_perm(tsec->sid, fsec->sid,
1133 SECCLASS_FD,
1134 FD__USE,
1135 &ad);
1136 if (rc)
1137 return rc;
1138 }
1139
1140 /* av is zero if only checking access to the descriptor. */
1141 if (av)
1142 return inode_has_perm(tsk, inode, av, &ad);
1143
1144 return 0;
1145}
1146
1147/* Check whether a task can create a file. */
1148static int may_create(struct inode *dir,
1149 struct dentry *dentry,
1150 u16 tclass)
1151{
1152 struct task_security_struct *tsec;
1153 struct inode_security_struct *dsec;
1154 struct superblock_security_struct *sbsec;
1155 u32 newsid;
1156 struct avc_audit_data ad;
1157 int rc;
1158
1159 tsec = current->security;
1160 dsec = dir->i_security;
1161 sbsec = dir->i_sb->s_security;
1162
1163 AVC_AUDIT_DATA_INIT(&ad, FS);
1164 ad.u.fs.dentry = dentry;
1165
1166 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1167 DIR__ADD_NAME | DIR__SEARCH,
1168 &ad);
1169 if (rc)
1170 return rc;
1171
1172 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1173 newsid = tsec->create_sid;
1174 } else {
1175 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1176 &newsid);
1177 if (rc)
1178 return rc;
1179 }
1180
1181 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1182 if (rc)
1183 return rc;
1184
1185 return avc_has_perm(newsid, sbsec->sid,
1186 SECCLASS_FILESYSTEM,
1187 FILESYSTEM__ASSOCIATE, &ad);
1188}
1189
4eb582cf
ML		 1190/* Check whether a task can create a key. */
1191static int may_create_key(u32 ksid,
1192 struct task_struct *ctx)
1193{
1194 struct task_security_struct *tsec;
1195
1196 tsec = ctx->security;
1197
1198 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1199}
1200
1da177e4
LT		 1201#define MAY_LINK 0
1202#define MAY_UNLINK 1
1203#define MAY_RMDIR 2
1204
1205/* Check whether a task can link, unlink, or rmdir a file/directory. */
1206static int may_link(struct inode *dir,
1207 struct dentry *dentry,
1208 int kind)
1209
1210{
1211 struct task_security_struct *tsec;
1212 struct inode_security_struct *dsec, *isec;
1213 struct avc_audit_data ad;
1214 u32 av;
1215 int rc;
1216
1217 tsec = current->security;
1218 dsec = dir->i_security;
1219 isec = dentry->d_inode->i_security;
1220
1221 AVC_AUDIT_DATA_INIT(&ad, FS);
1222 ad.u.fs.dentry = dentry;
1223
1224 av = DIR__SEARCH;
1225 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1226 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1227 if (rc)
1228 return rc;
1229
1230 switch (kind) {
1231 case MAY_LINK:
1232 av = FILE__LINK;
1233 break;
1234 case MAY_UNLINK:
1235 av = FILE__UNLINK;
1236 break;
1237 case MAY_RMDIR:
1238 av = DIR__RMDIR;
1239 break;
1240 default:
1241 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1242 return 0;
1243 }
1244
1245 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1246 return rc;
1247}
1248
1249static inline int may_rename(struct inode *old_dir,
1250 struct dentry *old_dentry,
1251 struct inode *new_dir,
1252 struct dentry *new_dentry)
1253{
1254 struct task_security_struct *tsec;
1255 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1256 struct avc_audit_data ad;
1257 u32 av;
1258 int old_is_dir, new_is_dir;
1259 int rc;
1260
1261 tsec = current->security;
1262 old_dsec = old_dir->i_security;
1263 old_isec = old_dentry->d_inode->i_security;
1264 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1265 new_dsec = new_dir->i_security;
1266
1267 AVC_AUDIT_DATA_INIT(&ad, FS);
1268
1269 ad.u.fs.dentry = old_dentry;
1270 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1271 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1272 if (rc)
1273 return rc;
1274 rc = avc_has_perm(tsec->sid, old_isec->sid,
1275 old_isec->sclass, FILE__RENAME, &ad);
1276 if (rc)
1277 return rc;
1278 if (old_is_dir && new_dir != old_dir) {
1279 rc = avc_has_perm(tsec->sid, old_isec->sid,
1280 old_isec->sclass, DIR__REPARENT, &ad);
1281 if (rc)
1282 return rc;
1283 }
1284
1285 ad.u.fs.dentry = new_dentry;
1286 av = DIR__ADD_NAME | DIR__SEARCH;
1287 if (new_dentry->d_inode)
1288 av |= DIR__REMOVE_NAME;
1289 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1290 if (rc)
1291 return rc;
1292 if (new_dentry->d_inode) {
1293 new_isec = new_dentry->d_inode->i_security;
1294 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1295 rc = avc_has_perm(tsec->sid, new_isec->sid,
1296 new_isec->sclass,
1297 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1298 if (rc)
1299 return rc;
1300 }
1301
1302 return 0;
1303}
1304
1305/* Check whether a task can perform a filesystem operation. */
1306static int superblock_has_perm(struct task_struct *tsk,
1307 struct super_block *sb,
1308 u32 perms,
1309 struct avc_audit_data *ad)
1310{
1311 struct task_security_struct *tsec;
1312 struct superblock_security_struct *sbsec;
1313
1314 tsec = tsk->security;
1315 sbsec = sb->s_security;
1316 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1317 perms, ad);
1318}
1319
1320/* Convert a Linux mode and permission mask to an access vector. */
1321static inline u32 file_mask_to_av(int mode, int mask)
1322{
1323 u32 av = 0;
1324
1325 if ((mode & S_IFMT) != S_IFDIR) {
1326 if (mask & MAY_EXEC)
1327 av |= FILE__EXECUTE;
1328 if (mask & MAY_READ)
1329 av |= FILE__READ;
1330
1331 if (mask & MAY_APPEND)
1332 av |= FILE__APPEND;
1333 else if (mask & MAY_WRITE)
1334 av |= FILE__WRITE;
1335
1336 } else {
1337 if (mask & MAY_EXEC)
1338 av |= DIR__SEARCH;
1339 if (mask & MAY_WRITE)
1340 av |= DIR__WRITE;
1341 if (mask & MAY_READ)
1342 av |= DIR__READ;
1343 }
1344
1345 return av;
1346}
1347
1348/* Convert a Linux file to an access vector. */
1349static inline u32 file_to_av(struct file *file)
1350{
1351 u32 av = 0;
1352
1353 if (file->f_mode & FMODE_READ)
1354 av |= FILE__READ;
1355 if (file->f_mode & FMODE_WRITE) {
1356 if (file->f_flags & O_APPEND)
1357 av |= FILE__APPEND;
1358 else
1359 av |= FILE__WRITE;
1360 }
1361
1362 return av;
1363}
1364
1da177e4
LT		 1365/* Hook functions begin here. */
1366
1367static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1368{
1369 struct task_security_struct *psec = parent->security;
1370 struct task_security_struct *csec = child->security;
1371 int rc;
1372
1373 rc = secondary_ops->ptrace(parent,child);
1374 if (rc)
1375 return rc;
1376
1377 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1378 /* Save the SID of the tracing process for later use in apply_creds. */
341c2d80 1379 if (!(child->ptrace & PT_PTRACED) && !rc)
1da177e4
LT		 1380 csec->ptrace_sid = psec->sid;
1381 return rc;
1382}
1383
1384static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1385 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1386{
1387 int error;
1388
1389 error = task_has_perm(current, target, PROCESS__GETCAP);
1390 if (error)
1391 return error;
1392
1393 return secondary_ops->capget(target, effective, inheritable, permitted);
1394}
1395
1396static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1397 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1398{
1399 int error;
1400
1401 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1402 if (error)
1403 return error;
1404
1405 return task_has_perm(current, target, PROCESS__SETCAP);
1406}
1407
1408static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1409 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1410{
1411 secondary_ops->capset_set(target, effective, inheritable, permitted);
1412}
1413
1414static int selinux_capable(struct task_struct *tsk, int cap)
1415{
1416 int rc;
1417
1418 rc = secondary_ops->capable(tsk, cap);
1419 if (rc)
1420 return rc;
1421
1422 return task_has_capability(tsk,cap);
1423}
1424
1425static int selinux_sysctl(ctl_table *table, int op)
1426{
1427 int error = 0;
1428 u32 av;
1429 struct task_security_struct *tsec;
1430 u32 tsid;
1431 int rc;
1432
1433 rc = secondary_ops->sysctl(table, op);
1434 if (rc)
1435 return rc;
1436
1437 tsec = current->security;
1438
1439 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1440 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1441 if (rc) {
1442 /* Default to the well-defined sysctl SID. */
1443 tsid = SECINITSID_SYSCTL;
1444 }
1445
1446 /* The op values are "defined" in sysctl.c, thereby creating
1447 * a bad coupling between this module and sysctl.c */
1448 if(op == 001) {
1449 error = avc_has_perm(tsec->sid, tsid,
1450 SECCLASS_DIR, DIR__SEARCH, NULL);
1451 } else {
1452 av = 0;
1453 if (op & 004)
1454 av |= FILE__READ;
1455 if (op & 002)
1456 av |= FILE__WRITE;
1457 if (av)
1458 error = avc_has_perm(tsec->sid, tsid,
1459 SECCLASS_FILE, av, NULL);
1460 }
1461
1462 return error;
1463}
1464
1465static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1466{
1467 int rc = 0;
1468
1469 if (!sb)
1470 return 0;
1471
1472 switch (cmds) {
1473 case Q_SYNC:
1474 case Q_QUOTAON:
1475 case Q_QUOTAOFF:
1476 case Q_SETINFO:
1477 case Q_SETQUOTA:
1478 rc = superblock_has_perm(current,
1479 sb,
1480 FILESYSTEM__QUOTAMOD, NULL);
1481 break;
1482 case Q_GETFMT:
1483 case Q_GETINFO:
1484 case Q_GETQUOTA:
1485 rc = superblock_has_perm(current,
1486 sb,
1487 FILESYSTEM__QUOTAGET, NULL);
1488 break;
1489 default:
1490 rc = 0; /* let the kernel handle invalid cmds */
1491 break;
1492 }
1493 return rc;
1494}
1495
1496static int selinux_quota_on(struct dentry *dentry)
1497{
1498 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1499}
1500
1501static int selinux_syslog(int type)
1502{
1503 int rc;
1504
1505 rc = secondary_ops->syslog(type);
1506 if (rc)
1507 return rc;
1508
1509 switch (type) {
1510 case 3: /* Read last kernel messages */
1511 case 10: /* Return size of the log buffer */
1512 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1513 break;
1514 case 6: /* Disable logging to console */
1515 case 7: /* Enable logging to console */
1516 case 8: /* Set level of messages printed to console */
1517 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1518 break;
1519 case 0: /* Close log */
1520 case 1: /* Open log */
1521 case 2: /* Read from log */
1522 case 4: /* Read/clear last kernel messages */
1523 case 5: /* Clear ring buffer */
1524 default:
1525 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1526 break;
1527 }
1528 return rc;
1529}
1530
1531/*
1532 * Check that a process has enough memory to allocate a new virtual
1533 * mapping. 0 means there is enough memory for the allocation to
1534 * succeed and -ENOMEM implies there is not.
1535 *
1536 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1537 * if the capability is granted, but __vm_enough_memory requires 1 if
1538 * the capability is granted.
1539 *
1540 * Do not audit the selinux permission check, as this is applied to all
1541 * processes that allocate mappings.
1542 */
1543static int selinux_vm_enough_memory(long pages)
1544{
1545 int rc, cap_sys_admin = 0;
1546 struct task_security_struct *tsec = current->security;
1547
1548 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1549 if (rc == 0)
1550 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1551 SECCLASS_CAPABILITY,
1552 CAP_TO_MASK(CAP_SYS_ADMIN),
1553 NULL);
1554
1555 if (rc == 0)
1556 cap_sys_admin = 1;
1557
1558 return __vm_enough_memory(pages, cap_sys_admin);
1559}
1560
1561/* binprm security operations */
1562
1563static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1564{
1565 struct bprm_security_struct *bsec;
1566
89d155ef 1567 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1568 if (!bsec)
1569 return -ENOMEM;
1570
1da177e4
LT		 1571 bsec->bprm = bprm;
1572 bsec->sid = SECINITSID_UNLABELED;
1573 bsec->set = 0;
1574
1575 bprm->security = bsec;
1576 return 0;
1577}
1578
1579static int selinux_bprm_set_security(struct linux_binprm *bprm)
1580{
1581 struct task_security_struct *tsec;
1582 struct inode *inode = bprm->file->f_dentry->d_inode;
1583 struct inode_security_struct *isec;
1584 struct bprm_security_struct *bsec;
1585 u32 newsid;
1586 struct avc_audit_data ad;
1587 int rc;
1588
1589 rc = secondary_ops->bprm_set_security(bprm);
1590 if (rc)
1591 return rc;
1592
1593 bsec = bprm->security;
1594
1595 if (bsec->set)
1596 return 0;
1597
1598 tsec = current->security;
1599 isec = inode->i_security;
1600
1601 /* Default to the current task SID. */
1602 bsec->sid = tsec->sid;
1603
28eba5bf 1604 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1605 tsec->create_sid = 0;
28eba5bf 1606 tsec->keycreate_sid = 0;
42c3e03e 1607 tsec->sockcreate_sid = 0;
1da177e4
LT		 1608
1609 if (tsec->exec_sid) {
1610 newsid = tsec->exec_sid;
1611 /* Reset exec SID on execve. */
1612 tsec->exec_sid = 0;
1613 } else {
1614 /* Check for a default transition on this program. */
1615 rc = security_transition_sid(tsec->sid, isec->sid,
1616 SECCLASS_PROCESS, &newsid);
1617 if (rc)
1618 return rc;
1619 }
1620
1621 AVC_AUDIT_DATA_INIT(&ad, FS);
1622 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1623 ad.u.fs.dentry = bprm->file->f_dentry;
1624
1625 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1626 newsid = tsec->sid;
1627
1628 if (tsec->sid == newsid) {
1629 rc = avc_has_perm(tsec->sid, isec->sid,
1630 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1631 if (rc)
1632 return rc;
1633 } else {
1634 /* Check permissions for the transition. */
1635 rc = avc_has_perm(tsec->sid, newsid,
1636 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1637 if (rc)
1638 return rc;
1639
1640 rc = avc_has_perm(newsid, isec->sid,
1641 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1642 if (rc)
1643 return rc;
1644
1645 /* Clear any possibly unsafe personality bits on exec: */
1646 current->personality &= ~PER_CLEAR_ON_SETID;
1647
1648 /* Set the security field to the new SID. */
1649 bsec->sid = newsid;
1650 }
1651
1652 bsec->set = 1;
1653 return 0;
1654}
1655
1656static int selinux_bprm_check_security (struct linux_binprm *bprm)
1657{
1658 return secondary_ops->bprm_check_security(bprm);
1659}
1660
1661
1662static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1663{
1664 struct task_security_struct *tsec = current->security;
1665 int atsecure = 0;
1666
1667 if (tsec->osid != tsec->sid) {
1668 /* Enable secure mode for SIDs transitions unless
1669 the noatsecure permission is granted between
1670 the two SIDs, i.e. ahp returns 0. */
1671 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1672 SECCLASS_PROCESS,
1673 PROCESS__NOATSECURE, NULL);
1674 }
1675
1676 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1677}
1678
1679static void selinux_bprm_free_security(struct linux_binprm *bprm)
1680{
9a5f04bf 1681 kfree(bprm->security);
1da177e4 1682 bprm->security = NULL;
1da177e4
LT		 1683}
1684
1685extern struct vfsmount *selinuxfs_mount;
1686extern struct dentry *selinux_null;
1687
1688/* Derived from fs/exec.c:flush_old_files. */
1689static inline void flush_unauthorized_files(struct files_struct * files)
1690{
1691 struct avc_audit_data ad;
1692 struct file *file, *devnull = NULL;
1693 struct tty_struct *tty = current->signal->tty;
badf1662 1694 struct fdtable *fdt;
1da177e4
LT		 1695 long j = -1;
1696
1697 if (tty) {
1698 file_list_lock();
2f512016 1699 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 1700 if (file) {
1701 /* Revalidate access to controlling tty.
1702 Use inode_has_perm on the tty inode directly rather
1703 than using file_has_perm, as this particular open
1704 file may belong to another process and we are only
1705 interested in the inode-based check here. */
1706 struct inode *inode = file->f_dentry->d_inode;
1707 if (inode_has_perm(current, inode,
1708 FILE__READ | FILE__WRITE, NULL)) {
1709 /* Reset controlling tty. */
1710 current->signal->tty = NULL;
1711 current->signal->tty_old_pgrp = 0;
1712 }
1713 }
1714 file_list_unlock();
1715 }
1716
1717 /* Revalidate access to inherited open files. */
1718
1719 AVC_AUDIT_DATA_INIT(&ad,FS);
1720
1721 spin_lock(&files->file_lock);
1722 for (;;) {
1723 unsigned long set, i;
1724 int fd;
1725
1726 j++;
1727 i = j * __NFDBITS;
badf1662
DS		 1728 fdt = files_fdtable(files);
1729 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1da177e4 1730 break;
badf1662 1731 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 1732 if (!set)
1733 continue;
1734 spin_unlock(&files->file_lock);
1735 for ( ; set ; i++,set >>= 1) {
1736 if (set & 1) {
1737 file = fget(i);
1738 if (!file)
1739 continue;
1740 if (file_has_perm(current,
1741 file,
1742 file_to_av(file))) {
1743 sys_close(i);
1744 fd = get_unused_fd();
1745 if (fd != i) {
1746 if (fd >= 0)
1747 put_unused_fd(fd);
1748 fput(file);
1749 continue;
1750 }
1751 if (devnull) {
095975da 1752 get_file(devnull);
1da177e4
LT		 1753 } else {
1754 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1755 if (!devnull) {
1756 put_unused_fd(fd);
1757 fput(file);
1758 continue;
1759 }
1760 }
1761 fd_install(fd, devnull);
1762 }
1763 fput(file);
1764 }
1765 }
1766 spin_lock(&files->file_lock);
1767
1768 }
1769 spin_unlock(&files->file_lock);
1770}
1771
1772static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1773{
1774 struct task_security_struct *tsec;
1775 struct bprm_security_struct *bsec;
1776 u32 sid;
1777 int rc;
1778
1779 secondary_ops->bprm_apply_creds(bprm, unsafe);
1780
1781 tsec = current->security;
1782
1783 bsec = bprm->security;
1784 sid = bsec->sid;
1785
1786 tsec->osid = tsec->sid;
1787 bsec->unsafe = 0;
1788 if (tsec->sid != sid) {
1789 /* Check for shared state. If not ok, leave SID
1790 unchanged and kill. */
1791 if (unsafe & LSM_UNSAFE_SHARE) {
1792 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1793 PROCESS__SHARE, NULL);
1794 if (rc) {
1795 bsec->unsafe = 1;
1796 return;
1797 }
1798 }
1799
1800 /* Check for ptracing, and update the task SID if ok.
1801 Otherwise, leave SID unchanged and kill. */
1802 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1803 rc = avc_has_perm(tsec->ptrace_sid, sid,
1804 SECCLASS_PROCESS, PROCESS__PTRACE,
1805 NULL);
1806 if (rc) {
1807 bsec->unsafe = 1;
1808 return;
1809 }
1810 }
1811 tsec->sid = sid;
1812 }
1813}
1814
1815/*
1816 * called after apply_creds without the task lock held
1817 */
1818static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1819{
1820 struct task_security_struct *tsec;
1821 struct rlimit *rlim, *initrlim;
1822 struct itimerval itimer;
1823 struct bprm_security_struct *bsec;
1824 int rc, i;
1825
1826 tsec = current->security;
1827 bsec = bprm->security;
1828
1829 if (bsec->unsafe) {
1830 force_sig_specific(SIGKILL, current);
1831 return;
1832 }
1833 if (tsec->osid == tsec->sid)
1834 return;
1835
1836 /* Close files for which the new task SID is not authorized. */
1837 flush_unauthorized_files(current->files);
1838
1839 /* Check whether the new SID can inherit signal state
1840 from the old SID. If not, clear itimers to avoid
1841 subsequent signal generation and flush and unblock
1842 signals. This must occur _after_ the task SID has
1843 been updated so that any kill done after the flush
1844 will be checked against the new SID. */
1845 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1846 PROCESS__SIGINH, NULL);
1847 if (rc) {
1848 memset(&itimer, 0, sizeof itimer);
1849 for (i = 0; i < 3; i++)
1850 do_setitimer(i, &itimer, NULL);
1851 flush_signals(current);
1852 spin_lock_irq(&current->sighand->siglock);
1853 flush_signal_handlers(current, 1);
1854 sigemptyset(&current->blocked);
1855 recalc_sigpending();
1856 spin_unlock_irq(&current->sighand->siglock);
1857 }
1858
1859 /* Check whether the new SID can inherit resource limits
1860 from the old SID. If not, reset all soft limits to
1861 the lower of the current task's hard limit and the init
1862 task's soft limit. Note that the setting of hard limits
1863 (even to lower them) can be controlled by the setrlimit
1864 check. The inclusion of the init task's soft limit into
1865 the computation is to avoid resetting soft limits higher
1866 than the default soft limit for cases where the default
1867 is lower than the hard limit, e.g. RLIMIT_CORE or
1868 RLIMIT_STACK.*/
1869 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1870 PROCESS__RLIMITINH, NULL);
1871 if (rc) {
1872 for (i = 0; i < RLIM_NLIMITS; i++) {
1873 rlim = current->signal->rlim + i;
1874 initrlim = init_task.signal->rlim+i;
1875 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1876 }
1877 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1878 /*
1879 * This will cause RLIMIT_CPU calculations
1880 * to be refigured.
1881 */
1882 current->it_prof_expires = jiffies_to_cputime(1);
1883 }
1884 }
1885
1886 /* Wake up the parent if it is waiting so that it can
1887 recheck wait permission to the new task SID. */
1888 wake_up_interruptible(&current->parent->signal->wait_chldexit);
1889}
1890
1891/* superblock security operations */
1892
1893static int selinux_sb_alloc_security(struct super_block *sb)
1894{
1895 return superblock_alloc_security(sb);
1896}
1897
1898static void selinux_sb_free_security(struct super_block *sb)
1899{
1900 superblock_free_security(sb);
1901}
1902
1903static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1904{
1905 if (plen > olen)
1906 return 0;
1907
1908 return !memcmp(prefix, option, plen);
1909}
1910
1911static inline int selinux_option(char *option, int len)
1912{
1913 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1914 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
0808925e
EP		 1915 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1916 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1da177e4
LT		 1917}
1918
1919static inline void take_option(char **to, char *from, int *first, int len)
1920{
1921 if (!*first) {
1922 **to = ',';
1923 *to += 1;
1924 }
1925 else
1926 *first = 0;
1927 memcpy(*to, from, len);
1928 *to += len;
1929}
1930
1931static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1932{
1933 int fnosec, fsec, rc = 0;
1934 char *in_save, *in_curr, *in_end;
1935 char *sec_curr, *nosec_save, *nosec;
1936
1937 in_curr = orig;
1938 sec_curr = copy;
1939
1940 /* Binary mount data: just copy */
1941 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1942 copy_page(sec_curr, in_curr);
1943 goto out;
1944 }
1945
1946 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1947 if (!nosec) {
1948 rc = -ENOMEM;
1949 goto out;
1950 }
1951
1952 nosec_save = nosec;
1953 fnosec = fsec = 1;
1954 in_save = in_end = orig;
1955
1956 do {
1957 if (*in_end == ',' || *in_end == '\0') {
1958 int len = in_end - in_curr;
1959
1960 if (selinux_option(in_curr, len))
1961 take_option(&sec_curr, in_curr, &fsec, len);
1962 else
1963 take_option(&nosec, in_curr, &fnosec, len);
1964
1965 in_curr = in_end + 1;
1966 }
1967 } while (*in_end++);
1968
6931dfc9 1969 strcpy(in_save, nosec_save);
da3caa20 1970 free_page((unsigned long)nosec_save);
1da177e4
LT		 1971out:
1972 return rc;
1973}
1974
1975static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1976{
1977 struct avc_audit_data ad;
1978 int rc;
1979
1980 rc = superblock_doinit(sb, data);
1981 if (rc)
1982 return rc;
1983
1984 AVC_AUDIT_DATA_INIT(&ad,FS);
1985 ad.u.fs.dentry = sb->s_root;
1986 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1987}
1988
726c3342 1989static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 1990{
1991 struct avc_audit_data ad;
1992
1993 AVC_AUDIT_DATA_INIT(&ad,FS);
726c3342
DH		 1994 ad.u.fs.dentry = dentry->d_sb->s_root;
1995 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 1996}
1997
1998static int selinux_mount(char * dev_name,
1999 struct nameidata *nd,
2000 char * type,
2001 unsigned long flags,
2002 void * data)
2003{
2004 int rc;
2005
2006 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2007 if (rc)
2008 return rc;
2009
2010 if (flags & MS_REMOUNT)
2011 return superblock_has_perm(current, nd->mnt->mnt_sb,
2012 FILESYSTEM__REMOUNT, NULL);
2013 else
2014 return dentry_has_perm(current, nd->mnt, nd->dentry,
2015 FILE__MOUNTON);
2016}
2017
2018static int selinux_umount(struct vfsmount *mnt, int flags)
2019{
2020 int rc;
2021
2022 rc = secondary_ops->sb_umount(mnt, flags);
2023 if (rc)
2024 return rc;
2025
2026 return superblock_has_perm(current,mnt->mnt_sb,
2027 FILESYSTEM__UNMOUNT,NULL);
2028}
2029
2030/* inode security operations */
2031
2032static int selinux_inode_alloc_security(struct inode *inode)
2033{
2034 return inode_alloc_security(inode);
2035}
2036
2037static void selinux_inode_free_security(struct inode *inode)
2038{
2039 inode_free_security(inode);
2040}
2041
5e41ff9e
SS		 2042static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2043 char **name, void **value,
2044 size_t *len)
2045{
2046 struct task_security_struct *tsec;
2047 struct inode_security_struct *dsec;
2048 struct superblock_security_struct *sbsec;
570bc1c2 2049 u32 newsid, clen;
5e41ff9e 2050 int rc;
570bc1c2 2051 char *namep = NULL, *context;
5e41ff9e
SS		 2052
2053 tsec = current->security;
2054 dsec = dir->i_security;
2055 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2056
2057 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2058 newsid = tsec->create_sid;
2059 } else {
2060 rc = security_transition_sid(tsec->sid, dsec->sid,
2061 inode_mode_to_security_class(inode->i_mode),
2062 &newsid);
2063 if (rc) {
2064 printk(KERN_WARNING "%s: "
2065 "security_transition_sid failed, rc=%d (dev=%s "
2066 "ino=%ld)\n",
2067 __FUNCTION__,
2068 -rc, inode->i_sb->s_id, inode->i_ino);
2069 return rc;
2070 }
2071 }
2072
296fddf7
EP		 2073 /* Possibly defer initialization to selinux_complete_init. */
2074 if (sbsec->initialized) {
2075 struct inode_security_struct *isec = inode->i_security;
2076 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2077 isec->sid = newsid;
2078 isec->initialized = 1;
2079 }
5e41ff9e 2080
8aad3875 2081 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2082 return -EOPNOTSUPP;
2083
570bc1c2
SS		 2084 if (name) {
2085 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2086 if (!namep)
2087 return -ENOMEM;
2088 *name = namep;
2089 }
5e41ff9e 2090
570bc1c2
SS		 2091 if (value && len) {
2092 rc = security_sid_to_context(newsid, &context, &clen);
2093 if (rc) {
2094 kfree(namep);
2095 return rc;
2096 }
2097 *value = context;
2098 *len = clen;
5e41ff9e 2099 }
5e41ff9e 2100
5e41ff9e
SS		 2101 return 0;
2102}
2103
1da177e4
LT		 2104static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2105{
2106 return may_create(dir, dentry, SECCLASS_FILE);
2107}
2108
1da177e4
LT		 2109static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2110{
2111 int rc;
2112
2113 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2114 if (rc)
2115 return rc;
2116 return may_link(dir, old_dentry, MAY_LINK);
2117}
2118
1da177e4
LT		 2119static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2120{
2121 int rc;
2122
2123 rc = secondary_ops->inode_unlink(dir, dentry);
2124 if (rc)
2125 return rc;
2126 return may_link(dir, dentry, MAY_UNLINK);
2127}
2128
2129static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2130{
2131 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2132}
2133
1da177e4
LT		 2134static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2135{
2136 return may_create(dir, dentry, SECCLASS_DIR);
2137}
2138
1da177e4
LT		 2139static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2140{
2141 return may_link(dir, dentry, MAY_RMDIR);
2142}
2143
2144static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2145{
2146 int rc;
2147
2148 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2149 if (rc)
2150 return rc;
2151
2152 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2153}
2154
1da177e4
LT		 2155static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2156 struct inode *new_inode, struct dentry *new_dentry)
2157{
2158 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2159}
2160
1da177e4
LT		 2161static int selinux_inode_readlink(struct dentry *dentry)
2162{
2163 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2164}
2165
2166static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2167{
2168 int rc;
2169
2170 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2171 if (rc)
2172 return rc;
2173 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2174}
2175
2176static int selinux_inode_permission(struct inode *inode, int mask,
2177 struct nameidata *nd)
2178{
2179 int rc;
2180
2181 rc = secondary_ops->inode_permission(inode, mask, nd);
2182 if (rc)
2183 return rc;
2184
2185 if (!mask) {
2186 /* No permission to check. Existence test. */
2187 return 0;
2188 }
2189
2190 return inode_has_perm(current, inode,
2191 file_mask_to_av(inode->i_mode, mask), NULL);
2192}
2193
2194static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2195{
2196 int rc;
2197
2198 rc = secondary_ops->inode_setattr(dentry, iattr);
2199 if (rc)
2200 return rc;
2201
2202 if (iattr->ia_valid & ATTR_FORCE)
2203 return 0;
2204
2205 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2206 ATTR_ATIME_SET | ATTR_MTIME_SET))
2207 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2208
2209 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2210}
2211
2212static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2213{
2214 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2215}
2216
2217static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2218{
2219 struct task_security_struct *tsec = current->security;
2220 struct inode *inode = dentry->d_inode;
2221 struct inode_security_struct *isec = inode->i_security;
2222 struct superblock_security_struct *sbsec;
2223 struct avc_audit_data ad;
2224 u32 newsid;
2225 int rc = 0;
2226
2227 if (strcmp(name, XATTR_NAME_SELINUX)) {
2228 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2229 sizeof XATTR_SECURITY_PREFIX - 1) &&
2230 !capable(CAP_SYS_ADMIN)) {
2231 /* A different attribute in the security namespace.
2232 Restrict to administrator. */
2233 return -EPERM;
2234 }
2235
2236 /* Not an attribute we recognize, so just check the
2237 ordinary setattr permission. */
2238 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2239 }
2240
2241 sbsec = inode->i_sb->s_security;
2242 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2243 return -EOPNOTSUPP;
2244
2245 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2246 return -EPERM;
2247
2248 AVC_AUDIT_DATA_INIT(&ad,FS);
2249 ad.u.fs.dentry = dentry;
2250
2251 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2252 FILE__RELABELFROM, &ad);
2253 if (rc)
2254 return rc;
2255
2256 rc = security_context_to_sid(value, size, &newsid);
2257 if (rc)
2258 return rc;
2259
2260 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2261 FILE__RELABELTO, &ad);
2262 if (rc)
2263 return rc;
2264
2265 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2266 isec->sclass);
2267 if (rc)
2268 return rc;
2269
2270 return avc_has_perm(newsid,
2271 sbsec->sid,
2272 SECCLASS_FILESYSTEM,
2273 FILESYSTEM__ASSOCIATE,
2274 &ad);
2275}
2276
2277static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2278 void *value, size_t size, int flags)
2279{
2280 struct inode *inode = dentry->d_inode;
2281 struct inode_security_struct *isec = inode->i_security;
2282 u32 newsid;
2283 int rc;
2284
2285 if (strcmp(name, XATTR_NAME_SELINUX)) {
2286 /* Not an attribute we recognize, so nothing to do. */
2287 return;
2288 }
2289
2290 rc = security_context_to_sid(value, size, &newsid);
2291 if (rc) {
2292 printk(KERN_WARNING "%s: unable to obtain SID for context "
2293 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2294 return;
2295 }
2296
2297 isec->sid = newsid;
2298 return;
2299}
2300
2301static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2302{
1da177e4
LT		 2303 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2304}
2305
2306static int selinux_inode_listxattr (struct dentry *dentry)
2307{
2308 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2309}
2310
2311static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2312{
2313 if (strcmp(name, XATTR_NAME_SELINUX)) {
2314 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2315 sizeof XATTR_SECURITY_PREFIX - 1) &&
2316 !capable(CAP_SYS_ADMIN)) {
2317 /* A different attribute in the security namespace.
2318 Restrict to administrator. */
2319 return -EPERM;
2320 }
2321
2322 /* Not an attribute we recognize, so just check the
2323 ordinary setattr permission. Might want a separate
2324 permission for removexattr. */
2325 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2326 }
2327
2328 /* No one is allowed to remove a SELinux security label.
2329 You can change the label, but all data must be labeled. */
2330 return -EACCES;
2331}
2332
8c8570fb
DK		 2333static const char *selinux_inode_xattr_getsuffix(void)
2334{
2335 return XATTR_SELINUX_SUFFIX;
2336}
2337
d381d8a9
JM		 2338/*
2339 * Copy the in-core inode security context value to the user. If the
2340 * getxattr() prior to this succeeded, check to see if we need to
2341 * canonicalize the value to be finally returned to the user.
2342 *
2343 * Permission check is handled by selinux_inode_getxattr hook.
2344 */
7306a0b9 2345static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1da177e4
LT		 2346{
2347 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2348
8c8570fb
DK		 2349 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2350 return -EOPNOTSUPP;
d381d8a9 2351
8c8570fb 2352 return selinux_getsecurity(isec->sid, buffer, size);
1da177e4
LT		 2353}
2354
2355static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2356 const void *value, size_t size, int flags)
2357{
2358 struct inode_security_struct *isec = inode->i_security;
2359 u32 newsid;
2360 int rc;
2361
2362 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2363 return -EOPNOTSUPP;
2364
2365 if (!value || !size)
2366 return -EACCES;
2367
2368 rc = security_context_to_sid((void*)value, size, &newsid);
2369 if (rc)
2370 return rc;
2371
2372 isec->sid = newsid;
2373 return 0;
2374}
2375
2376static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2377{
2378 const int len = sizeof(XATTR_NAME_SELINUX);
2379 if (buffer && len <= buffer_size)
2380 memcpy(buffer, XATTR_NAME_SELINUX, len);
2381 return len;
2382}
2383
2384/* file security operations */
2385
2386static int selinux_file_permission(struct file *file, int mask)
2387{
7420ed23 2388 int rc;
1da177e4
LT		 2389 struct inode *inode = file->f_dentry->d_inode;
2390
2391 if (!mask) {
2392 /* No permission to check. Existence test. */
2393 return 0;
2394 }
2395
2396 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2397 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2398 mask |= MAY_APPEND;
2399
7420ed23
VY		 2400 rc = file_has_perm(current, file,
2401 file_mask_to_av(inode->i_mode, mask));
2402 if (rc)
2403 return rc;
2404
2405 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2406}
2407
2408static int selinux_file_alloc_security(struct file *file)
2409{
2410 return file_alloc_security(file);
2411}
2412
2413static void selinux_file_free_security(struct file *file)
2414{
2415 file_free_security(file);
2416}
2417
2418static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2419 unsigned long arg)
2420{
2421 int error = 0;
2422
2423 switch (cmd) {
2424 case FIONREAD:
2425 /* fall through */
2426 case FIBMAP:
2427 /* fall through */
2428 case FIGETBSZ:
2429 /* fall through */
2430 case EXT2_IOC_GETFLAGS:
2431 /* fall through */
2432 case EXT2_IOC_GETVERSION:
2433 error = file_has_perm(current, file, FILE__GETATTR);
2434 break;
2435
2436 case EXT2_IOC_SETFLAGS:
2437 /* fall through */
2438 case EXT2_IOC_SETVERSION:
2439 error = file_has_perm(current, file, FILE__SETATTR);
2440 break;
2441
2442 /* sys_ioctl() checks */
2443 case FIONBIO:
2444 /* fall through */
2445 case FIOASYNC:
2446 error = file_has_perm(current, file, 0);
2447 break;
2448
2449 case KDSKBENT:
2450 case KDSKBSENT:
2451 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2452 break;
2453
2454 /* default case assumes that the command will go
2455 * to the file's ioctl() function.
2456 */
2457 default:
2458 error = file_has_perm(current, file, FILE__IOCTL);
2459
2460 }
2461 return error;
2462}
2463
2464static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2465{
2466#ifndef CONFIG_PPC32
2467 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2468 /*
2469 * We are making executable an anonymous mapping or a
2470 * private file mapping that will also be writable.
2471 * This has an additional check.
2472 */
2473 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2474 if (rc)
2475 return rc;
2476 }
2477#endif
2478
2479 if (file) {
2480 /* read access is always possible with a mapping */
2481 u32 av = FILE__READ;
2482
2483 /* write access only matters if the mapping is shared */
2484 if (shared && (prot & PROT_WRITE))
2485 av |= FILE__WRITE;
2486
2487 if (prot & PROT_EXEC)
2488 av |= FILE__EXECUTE;
2489
2490 return file_has_perm(current, file, av);
2491 }
2492 return 0;
2493}
2494
2495static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2496 unsigned long prot, unsigned long flags)
2497{
2498 int rc;
2499
2500 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2501 if (rc)
2502 return rc;
2503
2504 if (selinux_checkreqprot)
2505 prot = reqprot;
2506
2507 return file_map_prot_check(file, prot,
2508 (flags & MAP_TYPE) == MAP_SHARED);
2509}
2510
2511static int selinux_file_mprotect(struct vm_area_struct *vma,
2512 unsigned long reqprot,
2513 unsigned long prot)
2514{
2515 int rc;
2516
2517 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2518 if (rc)
2519 return rc;
2520
2521 if (selinux_checkreqprot)
2522 prot = reqprot;
2523
2524#ifndef CONFIG_PPC32
db4c9641
SS		 2525 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2526 rc = 0;
2527 if (vma->vm_start >= vma->vm_mm->start_brk &&
2528 vma->vm_end <= vma->vm_mm->brk) {
2529 rc = task_has_perm(current, current,
2530 PROCESS__EXECHEAP);
2531 } else if (!vma->vm_file &&
2532 vma->vm_start <= vma->vm_mm->start_stack &&
2533 vma->vm_end >= vma->vm_mm->start_stack) {
2534 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2535 } else if (vma->vm_file && vma->anon_vma) {
2536 /*
2537 * We are making executable a file mapping that has
2538 * had some COW done. Since pages might have been
2539 * written, check ability to execute the possibly
2540 * modified content. This typically should only
2541 * occur for text relocations.
2542 */
2543 rc = file_has_perm(current, vma->vm_file,
2544 FILE__EXECMOD);
2545 }