]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selinux: don't revalidate an inode's label when explicitly setting it
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
63205654 129static struct kmem_cache *file_security_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 140 *
141 */
142static int selinux_secmark_enabled(void)
143{
2be4d74f
CP		 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145}
146
147/**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157static int selinux_peerlbl_enabled(void)
158{
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 160}
161
615e51fd
PM		 162static int selinux_netcache_avc_callback(u32 event)
163{
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171}
172
d84f4f99
DH		 173/*
174 * initialise the security for the init task
175 */
176static void cred_init_security(void)
1da177e4 177{
3b11a1de 178 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 179 struct task_security_struct *tsec;
180
89d155ef 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 182 if (!tsec)
d84f4f99 183 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 184
d84f4f99 185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 186 cred->security = tsec;
1da177e4
LT		 187}
188
88e67f3b
DH		 189/*
190 * get the security ID of a set of credentials
191 */
192static inline u32 cred_sid(const struct cred *cred)
193{
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198}
199
275bb41e 200/*
3b11a1de 201 * get the objective security ID of a task
275bb41e
DH		 202 */
203static inline u32 task_sid(const struct task_struct *task)
204{
275bb41e
DH		 205 u32 sid;
206
207 rcu_read_lock();
88e67f3b 208 sid = cred_sid(__task_cred(task));
275bb41e
DH		 209 rcu_read_unlock();
210 return sid;
211}
212
213/*
3b11a1de 214 * get the subjective security ID of the current task
275bb41e
DH		 215 */
216static inline u32 current_sid(void)
217{
5fb49870 218 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 219
220 return tsec->sid;
221}
222
88e67f3b
DH		 223/* Allocate and free functions for each kind of security blob. */
224
1da177e4
LT		 225static int inode_alloc_security(struct inode *inode)
226{
1da177e4 227 struct inode_security_struct *isec;
275bb41e 228 u32 sid = current_sid();
1da177e4 229
a02fe132 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 231 if (!isec)
232 return -ENOMEM;
233
23970741 234 mutex_init(&isec->lock);
1da177e4 235 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
275bb41e 239 isec->task_sid = sid;
1da177e4
LT		 240 inode->i_security = isec;
241
242 return 0;
243}
244
5d226df4
AG		 245static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247/*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257{
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
4b57d6bc 262 if (isec->initialized != LABEL_INITIALIZED) {
5d226df4
AG		 263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274}
275
5d226df4
AG		 276static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277{
278 return inode->i_security;
279}
280
281static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282{
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289}
290
83da53c5
AG		 291/*
292 * Get the security label of an inode.
293 */
294static struct inode_security_struct *inode_security(struct inode *inode)
295{
5d226df4 296 __inode_security_revalidate(inode, NULL, true);
83da53c5
AG		 297 return inode->i_security;
298}
299
2c97165b
PM		 300static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301{
302 struct inode *inode = d_backing_inode(dentry);
303
304 return inode->i_security;
305}
306
83da53c5
AG		 307/*
308 * Get the security label of a dentry's backing inode.
309 */
310static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311{
312 struct inode *inode = d_backing_inode(dentry);
313
5d226df4 314 __inode_security_revalidate(inode, dentry, true);
83da53c5
AG		 315 return inode->i_security;
316}
317
3dc91d43
SR		 318static void inode_free_rcu(struct rcu_head *head)
319{
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
324}
325
1da177e4
LT		 326static void inode_free_security(struct inode *inode)
327{
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330
9629d04a
WL		 331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
1da177e4 343 list_del_init(&isec->list);
9629d04a
WL		 344 spin_unlock(&sbsec->isec_lock);
345 }
1da177e4 346
3dc91d43
SR		 347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 357}
358
359static int file_alloc_security(struct file *file)
360{
1da177e4 361 struct file_security_struct *fsec;
275bb41e 362 u32 sid = current_sid();
1da177e4 363
63205654 364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
1da177e4
LT		 365 if (!fsec)
366 return -ENOMEM;
367
275bb41e
DH		 368 fsec->sid = sid;
369 fsec->fown_sid = sid;
1da177e4
LT		 370 file->f_security = fsec;
371
372 return 0;
373}
374
375static void file_free_security(struct file *file)
376{
377 struct file_security_struct *fsec = file->f_security;
1da177e4 378 file->f_security = NULL;
63205654 379 kmem_cache_free(file_security_cache, fsec);
1da177e4
LT		 380}
381
382static int superblock_alloc_security(struct super_block *sb)
383{
384 struct superblock_security_struct *sbsec;
385
89d155ef 386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 387 if (!sbsec)
388 return -ENOMEM;
389
bc7e982b 390 mutex_init(&sbsec->lock);
1da177e4
LT		 391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 393 sbsec->sb = sb;
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
c312feb2 396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 397 sb->s_security = sbsec;
398
399 return 0;
400}
401
402static void superblock_free_security(struct super_block *sb)
403{
404 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 405 sb->s_security = NULL;
406 kfree(sbsec);
407}
408
1da177e4
LT		 409/* The file system's label must be initialized prior to use. */
410
eb9ae686 411static const char *labeling_behaviors[7] = {
1da177e4
LT		 412 "uses xattr",
413 "uses transition SIDs",
414 "uses task SIDs",
415 "uses genfs_contexts",
416 "not configured for labeling",
417 "uses mountpoint labeling",
eb9ae686 418 "uses native labeling",
1da177e4
LT		 419};
420
1da177e4
LT		 421static inline int inode_doinit(struct inode *inode)
422{
423 return inode_doinit_with_dentry(inode, NULL);
424}
425
426enum {
31e87930 427 Opt_error = -1,
1da177e4
LT		 428 Opt_context = 1,
429 Opt_fscontext = 2,
c9180a57
EP		 430 Opt_defcontext = 3,
431 Opt_rootcontext = 4,
11689d47 432 Opt_labelsupport = 5,
d355987f 433 Opt_nextmntopt = 6,
1da177e4
LT		 434};
435
d355987f
EP		 436#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
437
a447c093 438static const match_table_t tokens = {
832cbd9a
EP		 439 {Opt_context, CONTEXT_STR "%s"},
440 {Opt_fscontext, FSCONTEXT_STR "%s"},
441 {Opt_defcontext, DEFCONTEXT_STR "%s"},
442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 443 {Opt_labelsupport, LABELSUPP_STR},
31e87930 444 {Opt_error, NULL},
1da177e4
LT		 445};
446
447#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
448
c312feb2
EP		 449static int may_context_mount_sb_relabel(u32 sid,
450 struct superblock_security_struct *sbsec,
275bb41e 451 const struct cred *cred)
c312feb2 452{
275bb41e 453 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 454 int rc;
455
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL);
458 if (rc)
459 return rc;
460
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL);
463 return rc;
464}
465
0808925e
EP		 466static int may_context_mount_inode_relabel(u32 sid,
467 struct superblock_security_struct *sbsec,
275bb41e 468 const struct cred *cred)
0808925e 469{
275bb41e 470 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 471 int rc;
472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__ASSOCIATE, NULL);
479 return rc;
480}
481
b43e725d
EP		 482static int selinux_is_sblabel_mnt(struct super_block *sb)
483{
484 struct superblock_security_struct *sbsec = sb->s_security;
485
d5f3a5f6
MS		 486 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 489 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 490 /* Special handling. Genfs but also in-core setxattr handler */
491 !strcmp(sb->s_type->name, "sysfs") ||
492 !strcmp(sb->s_type->name, "pstore") ||
493 !strcmp(sb->s_type->name, "debugfs") ||
494 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 495}
496
c9180a57 497static int sb_finish_set_opts(struct super_block *sb)
1da177e4 498{
1da177e4 499 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 500 struct dentry *root = sb->s_root;
c6f493d6 501 struct inode *root_inode = d_backing_inode(root);
c9180a57 502 int rc = 0;
1da177e4 503
c9180a57
EP		 504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 /* Make sure that the xattr handler exists and that no
506 error other than -ENODATA is returned by getxattr on
507 the root directory. -ENODATA is ok, as this may be
508 the first boot of the SELinux kernel before we have
509 assigned xattr values to the filesystem. */
510 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 513 rc = -EOPNOTSUPP;
514 goto out;
515 }
516 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
517 if (rc < 0 && rc != -ENODATA) {
518 if (rc == -EOPNOTSUPP)
519 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 520 "%s) has no security xattr handler\n",
521 sb->s_id, sb->s_type->name);
c9180a57
EP		 522 else
523 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 524 "%s) getxattr errno %d\n", sb->s_id,
525 sb->s_type->name, -rc);
c9180a57
EP		 526 goto out;
527 }
528 }
1da177e4 529
c9180a57 530 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 531 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
532 sb->s_id, sb->s_type->name);
1da177e4 533
eadcabc6 534 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 535 if (selinux_is_sblabel_mnt(sb))
12f348b9 536 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 537
c9180a57
EP		 538 /* Initialize the root inode. */
539 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 540
c9180a57
EP		 541 /* Initialize any other inodes associated with the superblock, e.g.
542 inodes created prior to initial policy load or inodes created
543 during get_sb by a pseudo filesystem that directly
544 populates itself. */
545 spin_lock(&sbsec->isec_lock);
546next_inode:
547 if (!list_empty(&sbsec->isec_head)) {
548 struct inode_security_struct *isec =
549 list_entry(sbsec->isec_head.next,
550 struct inode_security_struct, list);
551 struct inode *inode = isec->inode;
923190d3 552 list_del_init(&isec->list);
c9180a57
EP		 553 spin_unlock(&sbsec->isec_lock);
554 inode = igrab(inode);
555 if (inode) {
556 if (!IS_PRIVATE(inode))
557 inode_doinit(inode);
558 iput(inode);
559 }
560 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 561 goto next_inode;
562 }
563 spin_unlock(&sbsec->isec_lock);
564out:
565 return rc;
566}
1da177e4 567
c9180a57
EP		 568/*
569 * This function should allow an FS to ask what it's mount security
570 * options were so it can use those later for submounts, displaying
571 * mount options, or whatever.
572 */
573static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 574 struct security_mnt_opts *opts)
c9180a57
EP		 575{
576 int rc = 0, i;
577 struct superblock_security_struct *sbsec = sb->s_security;
578 char *context = NULL;
579 u32 len;
580 char tmp;
1da177e4 581
e0007529 582 security_init_mnt_opts(opts);
1da177e4 583
0d90a7ec 584 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 585 return -EINVAL;
1da177e4 586
c9180a57
EP		 587 if (!ss_initialized)
588 return -EINVAL;
1da177e4 589
af8e50cc
EP		 590 /* make sure we always check enough bits to cover the mask */
591 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
592
0d90a7ec 593 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 594 /* count the number of mount options for this sb */
af8e50cc 595 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 596 if (tmp & 0x01)
e0007529 597 opts->num_mnt_opts++;
c9180a57
EP		 598 tmp >>= 1;
599 }
11689d47 600 /* Check if the Label support flag is set */
0b4bdb35 601 if (sbsec->flags & SBLABEL_MNT)
11689d47 602 opts->num_mnt_opts++;
1da177e4 603
e0007529
EP		 604 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
605 if (!opts->mnt_opts) {
c9180a57
EP		 606 rc = -ENOMEM;
607 goto out_free;
608 }
1da177e4 609
e0007529
EP		 610 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
611 if (!opts->mnt_opts_flags) {
c9180a57
EP		 612 rc = -ENOMEM;
613 goto out_free;
614 }
1da177e4 615
c9180a57
EP		 616 i = 0;
617 if (sbsec->flags & FSCONTEXT_MNT) {
618 rc = security_sid_to_context(sbsec->sid, &context, &len);
619 if (rc)
620 goto out_free;
e0007529
EP		 621 opts->mnt_opts[i] = context;
622 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 623 }
624 if (sbsec->flags & CONTEXT_MNT) {
625 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
626 if (rc)
627 goto out_free;
e0007529
EP		 628 opts->mnt_opts[i] = context;
629 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 630 }
631 if (sbsec->flags & DEFCONTEXT_MNT) {
632 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
633 if (rc)
634 goto out_free;
e0007529
EP		 635 opts->mnt_opts[i] = context;
636 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 637 }
638 if (sbsec->flags & ROOTCONTEXT_MNT) {
83da53c5
AG		 639 struct dentry *root = sbsec->sb->s_root;
640 struct inode_security_struct *isec = backing_inode_security(root);
0808925e 641
c9180a57
EP		 642 rc = security_sid_to_context(isec->sid, &context, &len);
643 if (rc)
644 goto out_free;
e0007529
EP		 645 opts->mnt_opts[i] = context;
646 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 647 }
12f348b9 648 if (sbsec->flags & SBLABEL_MNT) {
11689d47 649 opts->mnt_opts[i] = NULL;
12f348b9 650 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 651 }
1da177e4 652
e0007529 653 BUG_ON(i != opts->num_mnt_opts);
1da177e4 654
c9180a57
EP		 655 return 0;
656
657out_free:
e0007529 658 security_free_mnt_opts(opts);
c9180a57
EP		 659 return rc;
660}
1da177e4 661
c9180a57
EP		 662static int bad_option(struct superblock_security_struct *sbsec, char flag,
663 u32 old_sid, u32 new_sid)
664{
0d90a7ec
DQ		 665 char mnt_flags = sbsec->flags & SE_MNTMASK;
666
c9180a57 667 /* check if the old mount command had the same options */
0d90a7ec 668 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 669 if (!(sbsec->flags & flag) ||
670 (old_sid != new_sid))
671 return 1;
672
673 /* check if we were passed the same options twice,
674 * aka someone passed context=a,context=b
675 */
0d90a7ec
DQ		 676 if (!(sbsec->flags & SE_SBINITIALIZED))
677 if (mnt_flags & flag)
c9180a57
EP		 678 return 1;
679 return 0;
680}
e0007529 681
c9180a57
EP		 682/*
683 * Allow filesystems with binary mount data to explicitly set mount point
684 * labeling information.
685 */
e0007529 686static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 687 struct security_mnt_opts *opts,
688 unsigned long kern_flags,
689 unsigned long *set_kern_flags)
c9180a57 690{
275bb41e 691 const struct cred *cred = current_cred();
c9180a57 692 int rc = 0, i;
c9180a57 693 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 694 const char *name = sb->s_type->name;
83da53c5 695 struct dentry *root = sbsec->sb->s_root;
2c97165b 696 struct inode_security_struct *root_isec;
c9180a57
EP		 697 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
698 u32 defcontext_sid = 0;
e0007529
EP		 699 char **mount_options = opts->mnt_opts;
700 int *flags = opts->mnt_opts_flags;
701 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 702
703 mutex_lock(&sbsec->lock);
704
705 if (!ss_initialized) {
706 if (!num_opts) {
707 /* Defer initialization until selinux_complete_init,
708 after the initial policy is loaded and the security
709 server is ready to handle calls. */
c9180a57
EP		 710 goto out;
711 }
712 rc = -EINVAL;
744ba35e
EP		 713 printk(KERN_WARNING "SELinux: Unable to set superblock options "
714 "before the security server is initialized\n");
1da177e4 715 goto out;
c9180a57 716 }
649f6e77
DQ		 717 if (kern_flags && !set_kern_flags) {
718 /* Specifying internal flags without providing a place to
719 * place the results is not allowed */
720 rc = -EINVAL;
721 goto out;
722 }
1da177e4 723
e0007529
EP		 724 /*
725 * Binary mount data FS will come through this function twice. Once
726 * from an explicit call and once from the generic calls from the vfs.
727 * Since the generic VFS calls will not contain any security mount data
728 * we need to skip the double mount verification.
729 *
730 * This does open a hole in which we will not notice if the first
731 * mount using this sb set explict options and a second mount using
732 * this sb does not set any security options. (The first options
733 * will be used for both mounts)
734 */
0d90a7ec 735 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 736 && (num_opts == 0))
f5269710 737 goto out;
e0007529 738
2c97165b
PM		 739 root_isec = backing_inode_security_novalidate(root);
740
c9180a57
EP		 741 /*
742 * parse the mount options, check if they are valid sids.
743 * also check if someone is trying to mount the same sb more
744 * than once with different security options.
745 */
746 for (i = 0; i < num_opts; i++) {
747 u32 sid;
11689d47 748
12f348b9 749 if (flags[i] == SBLABEL_MNT)
11689d47 750 continue;
44be2f65 751 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
1da177e4 752 if (rc) {
44be2f65 753 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 754 "(%s) failed for (dev %s, type %s) errno=%d\n",
755 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 756 goto out;
757 }
758 switch (flags[i]) {
759 case FSCONTEXT_MNT:
760 fscontext_sid = sid;
761
762 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
763 fscontext_sid))
764 goto out_double_mount;
765
766 sbsec->flags |= FSCONTEXT_MNT;
767 break;
768 case CONTEXT_MNT:
769 context_sid = sid;
770
771 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
772 context_sid))
773 goto out_double_mount;
774
775 sbsec->flags |= CONTEXT_MNT;
776 break;
777 case ROOTCONTEXT_MNT:
778 rootcontext_sid = sid;
779
780 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
781 rootcontext_sid))
782 goto out_double_mount;
783
784 sbsec->flags |= ROOTCONTEXT_MNT;
785
786 break;
787 case DEFCONTEXT_MNT:
788 defcontext_sid = sid;
789
790 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
791 defcontext_sid))
792 goto out_double_mount;
793
794 sbsec->flags |= DEFCONTEXT_MNT;
795
796 break;
797 default:
798 rc = -EINVAL;
799 goto out;
1da177e4 800 }
c9180a57
EP		 801 }
802
0d90a7ec 803 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 804 /* previously mounted with options, but not on this attempt? */
0d90a7ec 805 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 806 goto out_double_mount;
807 rc = 0;
808 goto out;
809 }
810
089be43e 811 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 812 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
813
8e014720
SS		 814 if (!strcmp(sb->s_type->name, "debugfs") ||
815 !strcmp(sb->s_type->name, "sysfs") ||
816 !strcmp(sb->s_type->name, "pstore"))
134509d5 817 sbsec->flags |= SE_SBGENFS;
c9180a57 818
eb9ae686
DQ		 819 if (!sbsec->behavior) {
820 /*
821 * Determine the labeling behavior to use for this
822 * filesystem type.
823 */
98f700f3 824 rc = security_fs_use(sb);
eb9ae686
DQ		 825 if (rc) {
826 printk(KERN_WARNING
827 "%s: security_fs_use(%s) returned %d\n",
828 __func__, sb->s_type->name, rc);
829 goto out;
830 }
c9180a57 831 }
c9180a57
EP		 832 /* sets the context of the superblock for the fs being mounted. */
833 if (fscontext_sid) {
275bb41e 834 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 835 if (rc)
c9180a57 836 goto out;
1da177e4 837
c9180a57 838 sbsec->sid = fscontext_sid;
c312feb2
EP		 839 }
840
841 /*
842 * Switch to using mount point labeling behavior.
843 * sets the label used on all file below the mountpoint, and will set
844 * the superblock context if not already set.
845 */
eb9ae686
DQ		 846 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
847 sbsec->behavior = SECURITY_FS_USE_NATIVE;
848 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
849 }
850
c9180a57
EP		 851 if (context_sid) {
852 if (!fscontext_sid) {
275bb41e
DH		 853 rc = may_context_mount_sb_relabel(context_sid, sbsec,
854 cred);
b04ea3ce 855 if (rc)
c9180a57
EP		 856 goto out;
857 sbsec->sid = context_sid;
b04ea3ce 858 } else {
275bb41e
DH		 859 rc = may_context_mount_inode_relabel(context_sid, sbsec,
860 cred);
b04ea3ce 861 if (rc)
c9180a57 862 goto out;
b04ea3ce 863 }
c9180a57
EP		 864 if (!rootcontext_sid)
865 rootcontext_sid = context_sid;
1da177e4 866
c9180a57 867 sbsec->mntpoint_sid = context_sid;
c312feb2 868 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 869 }
870
c9180a57 871 if (rootcontext_sid) {
275bb41e
DH		 872 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
873 cred);
0808925e 874 if (rc)
c9180a57 875 goto out;
0808925e 876
c9180a57 877 root_isec->sid = rootcontext_sid;
6f3be9f5 878 root_isec->initialized = LABEL_INITIALIZED;
0808925e
EP		 879 }
880
c9180a57 881 if (defcontext_sid) {
eb9ae686
DQ		 882 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
883 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 884 rc = -EINVAL;
885 printk(KERN_WARNING "SELinux: defcontext option is "
886 "invalid for this filesystem type\n");
887 goto out;
1da177e4
LT		 888 }
889
c9180a57
EP		 890 if (defcontext_sid != sbsec->def_sid) {
891 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 892 sbsec, cred);
c9180a57
EP		 893 if (rc)
894 goto out;
895 }
1da177e4 896
c9180a57 897 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 898 }
899
c9180a57 900 rc = sb_finish_set_opts(sb);
1da177e4 901out:
c9180a57 902 mutex_unlock(&sbsec->lock);
1da177e4 903 return rc;
c9180a57
EP		 904out_double_mount:
905 rc = -EINVAL;
906 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 907 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 908 goto out;
1da177e4
LT		 909}
910
094f7b69
JL		 911static int selinux_cmp_sb_context(const struct super_block *oldsb,
912 const struct super_block *newsb)
913{
914 struct superblock_security_struct *old = oldsb->s_security;
915 struct superblock_security_struct *new = newsb->s_security;
916 char oldflags = old->flags & SE_MNTMASK;
917 char newflags = new->flags & SE_MNTMASK;
918
919 if (oldflags != newflags)
920 goto mismatch;
921 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
922 goto mismatch;
923 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
924 goto mismatch;
925 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
926 goto mismatch;
927 if (oldflags & ROOTCONTEXT_MNT) {
83da53c5
AG		 928 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
929 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
094f7b69
JL		 930 if (oldroot->sid != newroot->sid)
931 goto mismatch;
932 }
933 return 0;
934mismatch:
935 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
936 "different security settings for (dev %s, "
937 "type %s)\n", newsb->s_id, newsb->s_type->name);
938 return -EBUSY;
939}
940
941static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 942 struct super_block *newsb)
1da177e4 943{
c9180a57
EP		 944 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
945 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 946
c9180a57
EP		 947 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
948 int set_context = (oldsbsec->flags & CONTEXT_MNT);
949 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 950
0f5e6420
EP		 951 /*
952 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 953 * mount options. thus we can safely deal with this superblock later
0f5e6420 954 */
e8c26255 955 if (!ss_initialized)
094f7b69 956 return 0;
c9180a57 957
c9180a57 958 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 959 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 960
094f7b69 961 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 962 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 963 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 964
c9180a57
EP		 965 mutex_lock(&newsbsec->lock);
966
967 newsbsec->flags = oldsbsec->flags;
968
969 newsbsec->sid = oldsbsec->sid;
970 newsbsec->def_sid = oldsbsec->def_sid;
971 newsbsec->behavior = oldsbsec->behavior;
972
973 if (set_context) {
974 u32 sid = oldsbsec->mntpoint_sid;
975
976 if (!set_fscontext)
977 newsbsec->sid = sid;
978 if (!set_rootcontext) {
83da53c5 979 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
c9180a57
EP		 980 newisec->sid = sid;
981 }
982 newsbsec->mntpoint_sid = sid;
1da177e4 983 }
c9180a57 984 if (set_rootcontext) {
83da53c5
AG		 985 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
986 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1da177e4 987
c9180a57 988 newisec->sid = oldisec->sid;
1da177e4
LT		 989 }
990
c9180a57
EP		 991 sb_finish_set_opts(newsb);
992 mutex_unlock(&newsbsec->lock);
094f7b69 993 return 0;
c9180a57
EP		 994}
995
2e1479d9
AB		 996static int selinux_parse_opts_str(char *options,
997 struct security_mnt_opts *opts)
c9180a57 998{
e0007529 999 char *p;
c9180a57
EP		 1000 char *context = NULL, *defcontext = NULL;
1001 char *fscontext = NULL, *rootcontext = NULL;
e0007529 1002 int rc, num_mnt_opts = 0;
1da177e4 1003
e0007529 1004 opts->num_mnt_opts = 0;
1da177e4 1005
c9180a57
EP		 1006 /* Standard string-based options. */
1007 while ((p = strsep(&options, "|")) != NULL) {
1008 int token;
1009 substring_t args[MAX_OPT_ARGS];
1da177e4 1010
c9180a57
EP		 1011 if (!*p)
1012 continue;
1da177e4 1013
c9180a57 1014 token = match_token(p, tokens, args);
1da177e4 1015
c9180a57
EP		 1016 switch (token) {
1017 case Opt_context:
1018 if (context || defcontext) {
1019 rc = -EINVAL;
1020 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1021 goto out_err;
1022 }
1023 context = match_strdup(&args[0]);
1024 if (!context) {
1025 rc = -ENOMEM;
1026 goto out_err;
1027 }
1028 break;
1029
1030 case Opt_fscontext:
1031 if (fscontext) {
1032 rc = -EINVAL;
1033 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1034 goto out_err;
1035 }
1036 fscontext = match_strdup(&args[0]);
1037 if (!fscontext) {
1038 rc = -ENOMEM;
1039 goto out_err;
1040 }
1041 break;
1042
1043 case Opt_rootcontext:
1044 if (rootcontext) {
1045 rc = -EINVAL;
1046 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1047 goto out_err;
1048 }
1049 rootcontext = match_strdup(&args[0]);
1050 if (!rootcontext) {
1051 rc = -ENOMEM;
1052 goto out_err;
1053 }
1054 break;
1055
1056 case Opt_defcontext:
1057 if (context || defcontext) {
1058 rc = -EINVAL;
1059 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1060 goto out_err;
1061 }
1062 defcontext = match_strdup(&args[0]);
1063 if (!defcontext) {
1064 rc = -ENOMEM;
1065 goto out_err;
1066 }
1067 break;
11689d47
DQ		 1068 case Opt_labelsupport:
1069 break;
c9180a57
EP		 1070 default:
1071 rc = -EINVAL;
1072 printk(KERN_WARNING "SELinux: unknown mount option\n");
1073 goto out_err;
1da177e4 1074
1da177e4 1075 }
1da177e4 1076 }
c9180a57 1077
e0007529
EP		 1078 rc = -ENOMEM;
1079 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1080 if (!opts->mnt_opts)
1081 goto out_err;
1082
1083 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1084 if (!opts->mnt_opts_flags) {
1085 kfree(opts->mnt_opts);
1086 goto out_err;
1087 }
1088
c9180a57 1089 if (fscontext) {
e0007529
EP		 1090 opts->mnt_opts[num_mnt_opts] = fscontext;
1091 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1092 }
1093 if (context) {
e0007529
EP		 1094 opts->mnt_opts[num_mnt_opts] = context;
1095 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1096 }
1097 if (rootcontext) {
e0007529
EP		 1098 opts->mnt_opts[num_mnt_opts] = rootcontext;
1099 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1100 }
1101 if (defcontext) {
e0007529
EP		 1102 opts->mnt_opts[num_mnt_opts] = defcontext;
1103 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1104 }
1105
e0007529
EP		 1106 opts->num_mnt_opts = num_mnt_opts;
1107 return 0;
1108
c9180a57
EP		 1109out_err:
1110 kfree(context);
1111 kfree(defcontext);
1112 kfree(fscontext);
1113 kfree(rootcontext);
1da177e4
LT		 1114 return rc;
1115}
e0007529
EP		 1116/*
1117 * string mount options parsing and call set the sbsec
1118 */
1119static int superblock_doinit(struct super_block *sb, void *data)
1120{
1121 int rc = 0;
1122 char *options = data;
1123 struct security_mnt_opts opts;
1124
1125 security_init_mnt_opts(&opts);
1126
1127 if (!data)
1128 goto out;
1129
1130 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1131
1132 rc = selinux_parse_opts_str(options, &opts);
1133 if (rc)
1134 goto out_err;
1135
1136out:
649f6e77 1137 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1138
1139out_err:
1140 security_free_mnt_opts(&opts);
1141 return rc;
1142}
1da177e4 1143
3583a711
AB		 1144static void selinux_write_opts(struct seq_file *m,
1145 struct security_mnt_opts *opts)
2069f457
EP		 1146{
1147 int i;
1148 char *prefix;
1149
1150 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1151 char *has_comma;
1152
1153 if (opts->mnt_opts[i])
1154 has_comma = strchr(opts->mnt_opts[i], ',');
1155 else
1156 has_comma = NULL;
2069f457
EP		 1157
1158 switch (opts->mnt_opts_flags[i]) {
1159 case CONTEXT_MNT:
1160 prefix = CONTEXT_STR;
1161 break;
1162 case FSCONTEXT_MNT:
1163 prefix = FSCONTEXT_STR;
1164 break;
1165 case ROOTCONTEXT_MNT:
1166 prefix = ROOTCONTEXT_STR;
1167 break;
1168 case DEFCONTEXT_MNT:
1169 prefix = DEFCONTEXT_STR;
1170 break;
12f348b9 1171 case SBLABEL_MNT:
11689d47
DQ		 1172 seq_putc(m, ',');
1173 seq_puts(m, LABELSUPP_STR);
1174 continue;
2069f457
EP		 1175 default:
1176 BUG();
a35c6c83 1177 return;
2069f457
EP		 1178 };
1179 /* we need a comma before each option */
1180 seq_putc(m, ',');
1181 seq_puts(m, prefix);
1182 if (has_comma)
1183 seq_putc(m, '\"');
a068acf2 1184 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
2069f457
EP		 1185 if (has_comma)
1186 seq_putc(m, '\"');
1187 }
1188}
1189
1190static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1191{
1192 struct security_mnt_opts opts;
1193 int rc;
1194
1195 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1196 if (rc) {
1197 /* before policy load we may get EINVAL, don't show anything */
1198 if (rc == -EINVAL)
1199 rc = 0;
2069f457 1200 return rc;
383795c2 1201 }
2069f457
EP		 1202
1203 selinux_write_opts(m, &opts);
1204
1205 security_free_mnt_opts(&opts);
1206
1207 return rc;
1208}
1209
1da177e4
LT		 1210static inline u16 inode_mode_to_security_class(umode_t mode)
1211{
1212 switch (mode & S_IFMT) {
1213 case S_IFSOCK:
1214 return SECCLASS_SOCK_FILE;
1215 case S_IFLNK:
1216 return SECCLASS_LNK_FILE;
1217 case S_IFREG:
1218 return SECCLASS_FILE;
1219 case S_IFBLK:
1220 return SECCLASS_BLK_FILE;
1221 case S_IFDIR:
1222 return SECCLASS_DIR;
1223 case S_IFCHR:
1224 return SECCLASS_CHR_FILE;
1225 case S_IFIFO:
1226 return SECCLASS_FIFO_FILE;
1227
1228 }
1229
1230 return SECCLASS_FILE;
1231}
1232
13402580
JM		 1233static inline int default_protocol_stream(int protocol)
1234{
1235 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1236}
1237
1238static inline int default_protocol_dgram(int protocol)
1239{
1240 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1241}
1242
1da177e4
LT		 1243static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1244{
1245 switch (family) {
1246 case PF_UNIX:
1247 switch (type) {
1248 case SOCK_STREAM:
1249 case SOCK_SEQPACKET:
1250 return SECCLASS_UNIX_STREAM_SOCKET;
1251 case SOCK_DGRAM:
1252 return SECCLASS_UNIX_DGRAM_SOCKET;
1253 }
1254 break;
1255 case PF_INET:
1256 case PF_INET6:
1257 switch (type) {
1258 case SOCK_STREAM:
13402580
JM		 1259 if (default_protocol_stream(protocol))
1260 return SECCLASS_TCP_SOCKET;
1261 else
1262 return SECCLASS_RAWIP_SOCKET;
1da177e4 1263 case SOCK_DGRAM:
13402580
JM		 1264 if (default_protocol_dgram(protocol))
1265 return SECCLASS_UDP_SOCKET;
1266 else
1267 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1268 case SOCK_DCCP:
1269 return SECCLASS_DCCP_SOCKET;
13402580 1270 default:
1da177e4
LT		 1271 return SECCLASS_RAWIP_SOCKET;
1272 }
1273 break;
1274 case PF_NETLINK:
1275 switch (protocol) {
1276 case NETLINK_ROUTE:
1277 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1278 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1279 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1280 case NETLINK_NFLOG:
1281 return SECCLASS_NETLINK_NFLOG_SOCKET;
1282 case NETLINK_XFRM:
1283 return SECCLASS_NETLINK_XFRM_SOCKET;
1284 case NETLINK_SELINUX:
1285 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1286 case NETLINK_ISCSI:
1287 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1288 case NETLINK_AUDIT:
1289 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1290 case NETLINK_FIB_LOOKUP:
1291 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1292 case NETLINK_CONNECTOR:
1293 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1294 case NETLINK_NETFILTER:
1295 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1296 case NETLINK_DNRTMSG:
1297 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1298 case NETLINK_KOBJECT_UEVENT:
1299 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1300 case NETLINK_GENERIC:
1301 return SECCLASS_NETLINK_GENERIC_SOCKET;
1302 case NETLINK_SCSITRANSPORT:
1303 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1304 case NETLINK_RDMA:
1305 return SECCLASS_NETLINK_RDMA_SOCKET;
1306 case NETLINK_CRYPTO:
1307 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1308 default:
1309 return SECCLASS_NETLINK_SOCKET;
1310 }
1311 case PF_PACKET:
1312 return SECCLASS_PACKET_SOCKET;
1313 case PF_KEY:
1314 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1315 case PF_APPLETALK:
1316 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1317 }
1318
1319 return SECCLASS_SOCKET;
1320}
1321
134509d5
SS		 1322static int selinux_genfs_get_sid(struct dentry *dentry,
1323 u16 tclass,
1324 u16 flags,
1325 u32 *sid)
1da177e4 1326{
8e6c9693 1327 int rc;
134509d5 1328 struct super_block *sb = dentry->d_inode->i_sb;
8e6c9693 1329 char *buffer, *path;
1da177e4 1330
828dfe1d 1331 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1332 if (!buffer)
1333 return -ENOMEM;
1334
8e6c9693
LAG		 1335 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1336 if (IS_ERR(path))
1337 rc = PTR_ERR(path);
1338 else {
134509d5
SS		 1339 if (flags & SE_SBPROC) {
1340 /* each process gets a /proc/PID/ entry. Strip off the
1341 * PID part to get a valid selinux labeling.
1342 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1343 while (path[1] >= '0' && path[1] <= '9') {
1344 path[1] = '/';
1345 path++;
1346 }
8e6c9693 1347 }
134509d5 1348 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1349 }
1da177e4
LT		 1350 free_page((unsigned long)buffer);
1351 return rc;
1352}
1da177e4
LT		 1353
1354/* The inode's security attributes must be initialized before first use. */
1355static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1356{
1357 struct superblock_security_struct *sbsec = NULL;
1358 struct inode_security_struct *isec = inode->i_security;
1359 u32 sid;
1360 struct dentry *dentry;
1361#define INITCONTEXTLEN 255
1362 char *context = NULL;
1363 unsigned len = 0;
1364 int rc = 0;
1da177e4 1365
6f3be9f5 1366 if (isec->initialized == LABEL_INITIALIZED)
1da177e4
LT		 1367 goto out;
1368
23970741 1369 mutex_lock(&isec->lock);
6f3be9f5 1370 if (isec->initialized == LABEL_INITIALIZED)
23970741 1371 goto out_unlock;
1da177e4
LT		 1372
1373 sbsec = inode->i_sb->s_security;
0d90a7ec 1374 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1375 /* Defer initialization until selinux_complete_init,
1376 after the initial policy is loaded and the security
1377 server is ready to handle calls. */
1378 spin_lock(&sbsec->isec_lock);
1379 if (list_empty(&isec->list))
1380 list_add(&isec->list, &sbsec->isec_head);
1381 spin_unlock(&sbsec->isec_lock);
23970741 1382 goto out_unlock;
1da177e4
LT		 1383 }
1384
1385 switch (sbsec->behavior) {
eb9ae686
DQ		 1386 case SECURITY_FS_USE_NATIVE:
1387 break;
1da177e4
LT		 1388 case SECURITY_FS_USE_XATTR:
1389 if (!inode->i_op->getxattr) {
1390 isec->sid = sbsec->def_sid;
1391 break;
1392 }
1393
1394 /* Need a dentry, since the xattr API requires one.
1395 Life would be simpler if we could just pass the inode. */
1396 if (opt_dentry) {
1397 /* Called from d_instantiate or d_splice_alias. */
1398 dentry = dget(opt_dentry);
1399 } else {
1400 /* Called from selinux_complete_init, try to find a dentry. */
1401 dentry = d_find_alias(inode);
1402 }
1403 if (!dentry) {
df7f54c0
EP		 1404 /*
1405 * this is can be hit on boot when a file is accessed
1406 * before the policy is loaded. When we load policy we
1407 * may find inodes that have no dentry on the
1408 * sbsec->isec_head list. No reason to complain as these
1409 * will get fixed up the next time we go through
1410 * inode_doinit with a dentry, before these inodes could
1411 * be used again by userspace.
1412 */
23970741 1413 goto out_unlock;
1da177e4
LT		 1414 }
1415
1416 len = INITCONTEXTLEN;
4cb912f1 1417 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1418 if (!context) {
1419 rc = -ENOMEM;
1420 dput(dentry);
23970741 1421 goto out_unlock;
1da177e4 1422 }
4cb912f1 1423 context[len] = '\0';
1da177e4
LT		 1424 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1425 context, len);
1426 if (rc == -ERANGE) {
314dabb8
JM		 1427 kfree(context);
1428
1da177e4
LT		 1429 /* Need a larger buffer. Query for the right size. */
1430 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1431 NULL, 0);
1432 if (rc < 0) {
1433 dput(dentry);
23970741 1434 goto out_unlock;
1da177e4 1435 }
1da177e4 1436 len = rc;
4cb912f1 1437 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1438 if (!context) {
1439 rc = -ENOMEM;
1440 dput(dentry);
23970741 1441 goto out_unlock;
1da177e4 1442 }
4cb912f1 1443 context[len] = '\0';
1da177e4
LT		 1444 rc = inode->i_op->getxattr(dentry,
1445 XATTR_NAME_SELINUX,
1446 context, len);
1447 }
1448 dput(dentry);
1449 if (rc < 0) {
1450 if (rc != -ENODATA) {
744ba35e 1451 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1452 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1453 -rc, inode->i_sb->s_id, inode->i_ino);
1454 kfree(context);
23970741 1455 goto out_unlock;
1da177e4
LT		 1456 }
1457 /* Map ENODATA to the default file SID */
1458 sid = sbsec->def_sid;
1459 rc = 0;
1460 } else {
f5c1d5b2 1461 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1462 sbsec->def_sid,
1463 GFP_NOFS);
1da177e4 1464 if (rc) {
4ba0a8ad
EP		 1465 char *dev = inode->i_sb->s_id;
1466 unsigned long ino = inode->i_ino;
1467
1468 if (rc == -EINVAL) {
1469 if (printk_ratelimit())
1470 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1471 "context=%s. This indicates you may need to relabel the inode or the "
1472 "filesystem in question.\n", ino, dev, context);
1473 } else {
1474 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1475 "returned %d for dev=%s ino=%ld\n",
1476 __func__, context, -rc, dev, ino);
1477 }
1da177e4
LT		 1478 kfree(context);
1479 /* Leave with the unlabeled SID */
1480 rc = 0;
1481 break;
1482 }
1483 }
1484 kfree(context);
1485 isec->sid = sid;
1486 break;
1487 case SECURITY_FS_USE_TASK:
1488 isec->sid = isec->task_sid;
1489 break;
1490 case SECURITY_FS_USE_TRANS:
1491 /* Default to the fs SID. */
1492 isec->sid = sbsec->sid;
1493
1494 /* Try to obtain a transition SID. */
1495 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1496 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1497 isec->sclass, NULL, &sid);
1da177e4 1498 if (rc)
23970741 1499 goto out_unlock;
1da177e4
LT		 1500 isec->sid = sid;
1501 break;
c312feb2
EP		 1502 case SECURITY_FS_USE_MNTPOINT:
1503 isec->sid = sbsec->mntpoint_sid;
1504 break;
1da177e4 1505 default:
c312feb2 1506 /* Default to the fs superblock SID. */
1da177e4
LT		 1507 isec->sid = sbsec->sid;
1508
134509d5 1509 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1510 /* We must have a dentry to determine the label on
1511 * procfs inodes */
1512 if (opt_dentry)
1513 /* Called from d_instantiate or
1514 * d_splice_alias. */
1515 dentry = dget(opt_dentry);
1516 else
1517 /* Called from selinux_complete_init, try to
1518 * find a dentry. */
1519 dentry = d_find_alias(inode);
1520 /*
1521 * This can be hit on boot when a file is accessed
1522 * before the policy is loaded. When we load policy we
1523 * may find inodes that have no dentry on the
1524 * sbsec->isec_head list. No reason to complain as
1525 * these will get fixed up the next time we go through
1526 * inode_doinit() with a dentry, before these inodes
1527 * could be used again by userspace.
1528 */
1529 if (!dentry)
1530 goto out_unlock;
1531 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1532 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1533 sbsec->flags, &sid);
f64410ec
PM		 1534 dput(dentry);
1535 if (rc)
1536 goto out_unlock;
1537 isec->sid = sid;
1da177e4
LT		 1538 }
1539 break;
1540 }
1541
6f3be9f5 1542 isec->initialized = LABEL_INITIALIZED;
1da177e4 1543
23970741
EP		 1544out_unlock:
1545 mutex_unlock(&isec->lock);
1da177e4
LT		 1546out:
1547 if (isec->sclass == SECCLASS_FILE)
1548 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1549 return rc;
1550}
1551
1552/* Convert a Linux signal to an access vector. */
1553static inline u32 signal_to_av(int sig)
1554{
1555 u32 perm = 0;
1556
1557 switch (sig) {
1558 case SIGCHLD:
1559 /* Commonly granted from child to parent. */
1560 perm = PROCESS__SIGCHLD;
1561 break;
1562 case SIGKILL:
1563 /* Cannot be caught or ignored */
1564 perm = PROCESS__SIGKILL;
1565 break;
1566 case SIGSTOP:
1567 /* Cannot be caught or ignored */
1568 perm = PROCESS__SIGSTOP;
1569 break;
1570 default:
1571 /* All other signals. */
1572 perm = PROCESS__SIGNAL;
1573 break;
1574 }
1575
1576 return perm;
1577}
1578
d84f4f99
DH		 1579/*
1580 * Check permission between a pair of credentials
1581 * fork check, ptrace check, etc.
1582 */
1583static int cred_has_perm(const struct cred *actor,
1584 const struct cred *target,
1585 u32 perms)
1586{
1587 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1588
1589 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1590}
1591
275bb41e 1592/*
88e67f3b 1593 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1594 * fork check, ptrace check, etc.
1595 * tsk1 is the actor and tsk2 is the target
3b11a1de 1596 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1597 */
1598static int task_has_perm(const struct task_struct *tsk1,
1599 const struct task_struct *tsk2,
1da177e4
LT		 1600 u32 perms)
1601{
275bb41e
DH		 1602 const struct task_security_struct *__tsec1, *__tsec2;
1603 u32 sid1, sid2;
1da177e4 1604
275bb41e
DH		 1605 rcu_read_lock();
1606 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1607 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1608 rcu_read_unlock();
1609 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1610}
1611
3b11a1de
DH		 1612/*
1613 * Check permission between current and another task, e.g. signal checks,
1614 * fork check, ptrace check, etc.
1615 * current is the actor and tsk2 is the target
1616 * - this uses current's subjective creds
1617 */
1618static int current_has_perm(const struct task_struct *tsk,
1619 u32 perms)
1620{
1621 u32 sid, tsid;
1622
1623 sid = current_sid();
1624 tsid = task_sid(tsk);
1625 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1626}
1627
b68e418c
SS		 1628#if CAP_LAST_CAP > 63
1629#error Fix SELinux to handle capabilities > 63.
1630#endif
1631
1da177e4 1632/* Check whether a task is allowed to use a capability. */
6a9de491 1633static int cred_has_capability(const struct cred *cred,
06112163 1634 int cap, int audit)
1da177e4 1635{
2bf49690 1636 struct common_audit_data ad;
06112163 1637 struct av_decision avd;
b68e418c 1638 u16 sclass;
3699c53c 1639 u32 sid = cred_sid(cred);
b68e418c 1640 u32 av = CAP_TO_MASK(cap);
06112163 1641 int rc;
1da177e4 1642
50c205f5 1643 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1644 ad.u.cap = cap;
1645
b68e418c
SS		 1646 switch (CAP_TO_INDEX(cap)) {
1647 case 0:
1648 sclass = SECCLASS_CAPABILITY;
1649 break;
1650 case 1:
1651 sclass = SECCLASS_CAPABILITY2;
1652 break;
1653 default:
1654 printk(KERN_ERR
1655 "SELinux: out of range capability %d\n", cap);
1656 BUG();
a35c6c83 1657 return -EINVAL;
b68e418c 1658 }
06112163 1659
275bb41e 1660 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1661 if (audit == SECURITY_CAP_AUDIT) {
7b20ea25 1662 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
9ade0cf4
EP		 1663 if (rc2)
1664 return rc2;
1665 }
06112163 1666 return rc;
1da177e4
LT		 1667}
1668
1669/* Check whether a task is allowed to use a system operation. */
1670static int task_has_system(struct task_struct *tsk,
1671 u32 perms)
1672{
275bb41e 1673 u32 sid = task_sid(tsk);
1da177e4 1674
275bb41e 1675 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1676 SECCLASS_SYSTEM, perms, NULL);
1677}
1678
1679/* Check whether a task has a particular permission to an inode.
1680 The 'adp' parameter is optional and allows other audit
1681 data to be passed (e.g. the dentry). */
88e67f3b 1682static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1683 struct inode *inode,
1684 u32 perms,
19e49834 1685 struct common_audit_data *adp)
1da177e4 1686{
1da177e4 1687 struct inode_security_struct *isec;
275bb41e 1688 u32 sid;
1da177e4 1689
e0e81739
DH		 1690 validate_creds(cred);
1691
828dfe1d 1692 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1693 return 0;
1694
88e67f3b 1695 sid = cred_sid(cred);
1da177e4
LT		 1696 isec = inode->i_security;
1697
19e49834 1698 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1699}
1700
1701/* Same as inode_has_perm, but pass explicit audit data containing
1702 the dentry to help the auditing code to more easily generate the
1703 pathname if needed. */
88e67f3b 1704static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1705 struct dentry *dentry,
1706 u32 av)
1707{
c6f493d6 1708 struct inode *inode = d_backing_inode(dentry);
2bf49690 1709 struct common_audit_data ad;
88e67f3b 1710
50c205f5 1711 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1712 ad.u.dentry = dentry;
5d226df4 1713 __inode_security_revalidate(inode, dentry, true);
19e49834 1714 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1715}
1716
1717/* Same as inode_has_perm, but pass explicit audit data containing
1718 the path to help the auditing code to more easily generate the
1719 pathname if needed. */
1720static inline int path_has_perm(const struct cred *cred,
3f7036a0 1721 const struct path *path,
2875fa00
EP		 1722 u32 av)
1723{
c6f493d6 1724 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1725 struct common_audit_data ad;
1726
50c205f5 1727 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1728 ad.u.path = *path;
5d226df4 1729 __inode_security_revalidate(inode, path->dentry, true);
19e49834 1730 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1731}
1732
13f8e981
DH		 1733/* Same as path_has_perm, but uses the inode from the file struct. */
1734static inline int file_path_has_perm(const struct cred *cred,
1735 struct file *file,
1736 u32 av)
1737{
1738 struct common_audit_data ad;
1739
1740 ad.type = LSM_AUDIT_DATA_PATH;
1741 ad.u.path = file->f_path;
19e49834 1742 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1743}
1744
1da177e4
LT		 1745/* Check whether a task can use an open file descriptor to
1746 access an inode in a given way. Check access to the
1747 descriptor itself, and then use dentry_has_perm to
1748 check a particular permission to the file.
1749 Access to the descriptor is implicitly granted if it
1750 has the same SID as the process. If av is zero, then
1751 access to the file is not checked, e.g. for cases
1752 where only the descriptor is affected like seek. */
88e67f3b
DH		 1753static int file_has_perm(const struct cred *cred,
1754 struct file *file,
1755 u32 av)
1da177e4 1756{
1da177e4 1757 struct file_security_struct *fsec = file->f_security;
496ad9aa 1758 struct inode *inode = file_inode(file);
2bf49690 1759 struct common_audit_data ad;
88e67f3b 1760 u32 sid = cred_sid(cred);
1da177e4
LT		 1761 int rc;
1762
50c205f5 1763 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1764 ad.u.path = file->f_path;
1da177e4 1765
275bb41e
DH		 1766 if (sid != fsec->sid) {
1767 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1768 SECCLASS_FD,
1769 FD__USE,
1770 &ad);
1771 if (rc)
88e67f3b 1772 goto out;
1da177e4
LT		 1773 }
1774
1775 /* av is zero if only checking access to the descriptor. */
88e67f3b 1776 rc = 0;
1da177e4 1777 if (av)
19e49834 1778 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1779
88e67f3b
DH		 1780out:
1781 return rc;
1da177e4
LT		 1782}
1783
c3c188b2
DH		 1784/*
1785 * Determine the label for an inode that might be unioned.
1786 */
83da53c5 1787static int selinux_determine_inode_label(struct inode *dir,
c3c188b2
DH		 1788 const struct qstr *name,
1789 u16 tclass,
1790 u32 *_new_isid)
1791{
1792 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
83da53c5 1793 const struct inode_security_struct *dsec = inode_security(dir);
c3c188b2
DH		 1794 const struct task_security_struct *tsec = current_security();
1795
1796 if ((sbsec->flags & SE_SBINITIALIZED) &&
1797 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1798 *_new_isid = sbsec->mntpoint_sid;
1799 } else if ((sbsec->flags & SBLABEL_MNT) &&
1800 tsec->create_sid) {
1801 *_new_isid = tsec->create_sid;
1802 } else {
1803 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1804 name, _new_isid);
1805 }
1806
1807 return 0;
1808}
1809
1da177e4
LT		 1810/* Check whether a task can create a file. */
1811static int may_create(struct inode *dir,
1812 struct dentry *dentry,
1813 u16 tclass)
1814{
5fb49870 1815 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1816 struct inode_security_struct *dsec;
1817 struct superblock_security_struct *sbsec;
275bb41e 1818 u32 sid, newsid;
2bf49690 1819 struct common_audit_data ad;
1da177e4
LT		 1820 int rc;
1821
83da53c5 1822 dsec = inode_security(dir);
1da177e4
LT		 1823 sbsec = dir->i_sb->s_security;
1824
275bb41e 1825 sid = tsec->sid;
275bb41e 1826
50c205f5 1827 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1828 ad.u.dentry = dentry;
1da177e4 1829
275bb41e 1830 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1831 DIR__ADD_NAME | DIR__SEARCH,
1832 &ad);
1833 if (rc)
1834 return rc;
1835
c3c188b2
DH		 1836 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1837 &newsid);
1838 if (rc)
1839 return rc;
1da177e4 1840
275bb41e 1841 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1842 if (rc)
1843 return rc;
1844
1845 return avc_has_perm(newsid, sbsec->sid,
1846 SECCLASS_FILESYSTEM,
1847 FILESYSTEM__ASSOCIATE, &ad);
1848}
1849
4eb582cf
ML		 1850/* Check whether a task can create a key. */
1851static int may_create_key(u32 ksid,
1852 struct task_struct *ctx)
1853{
275bb41e 1854 u32 sid = task_sid(ctx);
4eb582cf 1855
275bb41e 1856 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1857}
1858
828dfe1d
EP		 1859#define MAY_LINK 0
1860#define MAY_UNLINK 1
1861#define MAY_RMDIR 2
1da177e4
LT		 1862
1863/* Check whether a task can link, unlink, or rmdir a file/directory. */
1864static int may_link(struct inode *dir,
1865 struct dentry *dentry,
1866 int kind)
1867
1868{
1da177e4 1869 struct inode_security_struct *dsec, *isec;
2bf49690 1870 struct common_audit_data ad;
275bb41e 1871 u32 sid = current_sid();
1da177e4
LT		 1872 u32 av;
1873 int rc;
1874
83da53c5
AG		 1875 dsec = inode_security(dir);
1876 isec = backing_inode_security(dentry);
1da177e4 1877
50c205f5 1878 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1879 ad.u.dentry = dentry;
1da177e4
LT		 1880
1881 av = DIR__SEARCH;
1882 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1883 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1884 if (rc)
1885 return rc;
1886
1887 switch (kind) {
1888 case MAY_LINK:
1889 av = FILE__LINK;
1890 break;
1891 case MAY_UNLINK:
1892 av = FILE__UNLINK;
1893 break;
1894 case MAY_RMDIR:
1895 av = DIR__RMDIR;
1896 break;
1897 default:
744ba35e
EP		 1898 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1899 __func__, kind);
1da177e4
LT		 1900 return 0;
1901 }
1902
275bb41e 1903 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1904 return rc;
1905}
1906
1907static inline int may_rename(struct inode *old_dir,
1908 struct dentry *old_dentry,
1909 struct inode *new_dir,
1910 struct dentry *new_dentry)
1911{
1da177e4 1912 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1913 struct common_audit_data ad;
275bb41e 1914 u32 sid = current_sid();
1da177e4
LT		 1915 u32 av;
1916 int old_is_dir, new_is_dir;
1917 int rc;
1918
83da53c5
AG		 1919 old_dsec = inode_security(old_dir);
1920 old_isec = backing_inode_security(old_dentry);
e36cb0b8 1921 old_is_dir = d_is_dir(old_dentry);
83da53c5 1922 new_dsec = inode_security(new_dir);
1da177e4 1923
50c205f5 1924 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1925
a269434d 1926 ad.u.dentry = old_dentry;
275bb41e 1927 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1928 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1929 if (rc)
1930 return rc;
275bb41e 1931 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1932 old_isec->sclass, FILE__RENAME, &ad);
1933 if (rc)
1934 return rc;
1935 if (old_is_dir && new_dir != old_dir) {
275bb41e 1936 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1937 old_isec->sclass, DIR__REPARENT, &ad);
1938 if (rc)
1939 return rc;
1940 }
1941
a269434d 1942 ad.u.dentry = new_dentry;
1da177e4 1943 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1944 if (d_is_positive(new_dentry))
1da177e4 1945 av |= DIR__REMOVE_NAME;
275bb41e 1946 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1947 if (rc)
1948 return rc;
2c616d4d 1949 if (d_is_positive(new_dentry)) {
83da53c5 1950 new_isec = backing_inode_security(new_dentry);
e36cb0b8 1951 new_is_dir = d_is_dir(new_dentry);
275bb41e 1952 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1953 new_isec->sclass,
1954 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1955 if (rc)
1956 return rc;
1957 }
1958
1959 return 0;
1960}
1961
1962/* Check whether a task can perform a filesystem operation. */
88e67f3b 1963static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1964 struct super_block *sb,
1965 u32 perms,
2bf49690 1966 struct common_audit_data *ad)
1da177e4 1967{
1da177e4 1968 struct superblock_security_struct *sbsec;
88e67f3b 1969 u32 sid = cred_sid(cred);
1da177e4 1970
1da177e4 1971 sbsec = sb->s_security;
275bb41e 1972 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1973}
1974
1975/* Convert a Linux mode and permission mask to an access vector. */
1976static inline u32 file_mask_to_av(int mode, int mask)
1977{
1978 u32 av = 0;
1979
dba19c60 1980 if (!S_ISDIR(mode)) {
1da177e4
LT		 1981 if (mask & MAY_EXEC)
1982 av |= FILE__EXECUTE;
1983 if (mask & MAY_READ)
1984 av |= FILE__READ;
1985
1986 if (mask & MAY_APPEND)
1987 av |= FILE__APPEND;
1988 else if (mask & MAY_WRITE)
1989 av |= FILE__WRITE;
1990
1991 } else {
1992 if (mask & MAY_EXEC)
1993 av |= DIR__SEARCH;
1994 if (mask & MAY_WRITE)
1995 av |= DIR__WRITE;
1996 if (mask & MAY_READ)
1997 av |= DIR__READ;
1998 }
1999
2000 return av;
2001}
2002
8b6a5a37
EP		 2003/* Convert a Linux file to an access vector. */
2004static inline u32 file_to_av(struct file *file)
2005{
2006 u32 av = 0;
2007
2008 if (file->f_mode & FMODE_READ)
2009 av |= FILE__READ;
2010 if (file->f_mode & FMODE_WRITE) {
2011 if (file->f_flags & O_APPEND)
2012 av |= FILE__APPEND;
2013 else
2014 av |= FILE__WRITE;
2015 }
2016 if (!av) {
2017 /*
2018 * Special file opened with flags 3 for ioctl-only use.
2019 */
2020 av = FILE__IOCTL;
2021 }
2022
2023 return av;
2024}
2025
b0c636b9 2026/*
8b6a5a37 2027 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 2028 * open permission.
2029 */
8b6a5a37 2030static inline u32 open_file_to_av(struct file *file)
b0c636b9 2031{
8b6a5a37 2032 u32 av = file_to_av(file);
b0c636b9 2033
49b7b8de
EP		 2034 if (selinux_policycap_openperm)
2035 av |= FILE__OPEN;
2036
b0c636b9
EP		 2037 return av;
2038}
2039
1da177e4
LT		 2040/* Hook functions begin here. */
2041
79af7307
SS		 2042static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2043{
2044 u32 mysid = current_sid();
2045 u32 mgrsid = task_sid(mgr);
2046
2047 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2048 BINDER__SET_CONTEXT_MGR, NULL);
2049}
2050
2051static int selinux_binder_transaction(struct task_struct *from,
2052 struct task_struct *to)
2053{
2054 u32 mysid = current_sid();
2055 u32 fromsid = task_sid(from);
2056 u32 tosid = task_sid(to);
2057 int rc;
2058
2059 if (mysid != fromsid) {
2060 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2061 BINDER__IMPERSONATE, NULL);
2062 if (rc)
2063 return rc;
2064 }
2065
2066 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2067 NULL);
2068}
2069
2070static int selinux_binder_transfer_binder(struct task_struct *from,
2071 struct task_struct *to)
2072{
2073 u32 fromsid = task_sid(from);
2074 u32 tosid = task_sid(to);
2075
2076 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2077 NULL);
2078}
2079
2080static int selinux_binder_transfer_file(struct task_struct *from,
2081 struct task_struct *to,
2082 struct file *file)
2083{
2084 u32 sid = task_sid(to);
2085 struct file_security_struct *fsec = file->f_security;
83da53c5
AG		 2086 struct dentry *dentry = file->f_path.dentry;
2087 struct inode_security_struct *isec = backing_inode_security(dentry);
79af7307
SS		 2088 struct common_audit_data ad;
2089 int rc;
2090
2091 ad.type = LSM_AUDIT_DATA_PATH;
2092 ad.u.path = file->f_path;
2093
2094 if (sid != fsec->sid) {
2095 rc = avc_has_perm(sid, fsec->sid,
2096 SECCLASS_FD,
2097 FD__USE,
2098 &ad);
2099 if (rc)
2100 return rc;
2101 }
2102
83da53c5 2103 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
79af7307
SS		 2104 return 0;
2105
2106 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2107 &ad);
2108}
2109
9e48858f 2110static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2111 unsigned int mode)
1da177e4 2112{
69f594a3 2113 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2114 u32 sid = current_sid();
2115 u32 csid = task_sid(child);
2116 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2117 }
2118
3b11a1de 2119 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2120}
2121
2122static int selinux_ptrace_traceme(struct task_struct *parent)
2123{
5cd9c58f 2124 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2125}
2126
2127static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2128 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2129{
b1d9e6b0 2130 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2131}
2132
d84f4f99
DH		 2133static int selinux_capset(struct cred *new, const struct cred *old,
2134 const kernel_cap_t *effective,
2135 const kernel_cap_t *inheritable,
2136 const kernel_cap_t *permitted)
1da177e4 2137{
d84f4f99 2138 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2139}
2140
5626d3e8
JM		 2141/*
2142 * (This comment used to live with the selinux_task_setuid hook,
2143 * which was removed).
2144 *
2145 * Since setuid only affects the current process, and since the SELinux
2146 * controls are not based on the Linux identity attributes, SELinux does not
2147 * need to control this operation. However, SELinux does control the use of
2148 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2149 */
2150
6a9de491
EP		 2151static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2152 int cap, int audit)
1da177e4 2153{
6a9de491 2154 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2155}
2156
1da177e4
LT		 2157static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2158{
88e67f3b 2159 const struct cred *cred = current_cred();
1da177e4
LT		 2160 int rc = 0;
2161
2162 if (!sb)
2163 return 0;
2164
2165 switch (cmds) {
828dfe1d
EP		 2166 case Q_SYNC:
2167 case Q_QUOTAON:
2168 case Q_QUOTAOFF:
2169 case Q_SETINFO:
2170 case Q_SETQUOTA:
88e67f3b 2171 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2172 break;
2173 case Q_GETFMT:
2174 case Q_GETINFO:
2175 case Q_GETQUOTA:
88e67f3b 2176 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2177 break;
2178 default:
2179 rc = 0; /* let the kernel handle invalid cmds */
2180 break;
1da177e4
LT		 2181 }
2182 return rc;
2183}
2184
2185static int selinux_quota_on(struct dentry *dentry)
2186{
88e67f3b
DH		 2187 const struct cred *cred = current_cred();
2188
2875fa00 2189 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2190}
2191
12b3052c 2192static int selinux_syslog(int type)
1da177e4
LT		 2193{
2194 int rc;
2195
1da177e4 2196 switch (type) {
d78ca3cd
KC		 2197 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2198 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2199 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2200 break;
d78ca3cd
KC		 2201 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2202 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2203 /* Set level of messages printed to console */
2204 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2205 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2206 break;
d78ca3cd
KC		 2207 case SYSLOG_ACTION_CLOSE: /* Close log */
2208 case SYSLOG_ACTION_OPEN: /* Open log */
2209 case SYSLOG_ACTION_READ: /* Read from log */
2210 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2211 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2212 default:
2213 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2214 break;
1da177e4
LT		 2215 }
2216 return rc;
2217}
2218
2219/*
2220 * Check that a process has enough memory to allocate a new virtual
2221 * mapping. 0 means there is enough memory for the allocation to
2222 * succeed and -ENOMEM implies there is not.
2223 *
1da177e4
LT		 2224 * Do not audit the selinux permission check, as this is applied to all
2225 * processes that allocate mappings.
2226 */
34b4e4aa 2227static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2228{
2229 int rc, cap_sys_admin = 0;
1da177e4 2230
b1d9e6b0
CS		 2231 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2232 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2233 if (rc == 0)
2234 cap_sys_admin = 1;
2235
b1d9e6b0 2236 return cap_sys_admin;
1da177e4
LT		 2237}
2238
2239/* binprm security operations */
2240
0c6181cb
PM		 2241static u32 ptrace_parent_sid(struct task_struct *task)
2242{
2243 u32 sid = 0;
2244 struct task_struct *tracer;
2245
2246 rcu_read_lock();
2247 tracer = ptrace_parent(task);
2248 if (tracer)
2249 sid = task_sid(tracer);
2250 rcu_read_unlock();
2251
2252 return sid;
2253}
2254
7b0d0b40
SS		 2255static int check_nnp_nosuid(const struct linux_binprm *bprm,
2256 const struct task_security_struct *old_tsec,
2257 const struct task_security_struct *new_tsec)
2258{
2259 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2260 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2261 int rc;
2262
2263 if (!nnp && !nosuid)
2264 return 0; /* neither NNP nor nosuid */
2265
2266 if (new_tsec->sid == old_tsec->sid)
2267 return 0; /* No change in credentials */
2268
2269 /*
2270 * The only transitions we permit under NNP or nosuid
2271 * are transitions to bounded SIDs, i.e. SIDs that are
2272 * guaranteed to only be allowed a subset of the permissions
2273 * of the current SID.
2274 */
2275 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2276 if (rc) {
2277 /*
2278 * On failure, preserve the errno values for NNP vs nosuid.
2279 * NNP: Operation not permitted for caller.
2280 * nosuid: Permission denied to file.
2281 */
2282 if (nnp)
2283 return -EPERM;
2284 else
2285 return -EACCES;
2286 }
2287 return 0;
2288}
2289
a6f76f23 2290static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2291{
a6f76f23
DH		 2292 const struct task_security_struct *old_tsec;
2293 struct task_security_struct *new_tsec;
1da177e4 2294 struct inode_security_struct *isec;
2bf49690 2295 struct common_audit_data ad;
496ad9aa 2296 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2297 int rc;
2298
a6f76f23
DH		 2299 /* SELinux context only depends on initial program or script and not
2300 * the script interpreter */
2301 if (bprm->cred_prepared)
1da177e4
LT		 2302 return 0;
2303
a6f76f23
DH		 2304 old_tsec = current_security();
2305 new_tsec = bprm->cred->security;
83da53c5 2306 isec = inode_security(inode);
1da177e4
LT		 2307
2308 /* Default to the current task SID. */
a6f76f23
DH		 2309 new_tsec->sid = old_tsec->sid;
2310 new_tsec->osid = old_tsec->sid;
1da177e4 2311
28eba5bf 2312 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2313 new_tsec->create_sid = 0;
2314 new_tsec->keycreate_sid = 0;
2315 new_tsec->sockcreate_sid = 0;
1da177e4 2316
a6f76f23
DH		 2317 if (old_tsec->exec_sid) {
2318 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2319 /* Reset exec SID on execve. */
a6f76f23 2320 new_tsec->exec_sid = 0;
259e5e6c 2321
7b0d0b40
SS		 2322 /* Fail on NNP or nosuid if not an allowed transition. */
2323 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2324 if (rc)
2325 return rc;
1da177e4
LT		 2326 } else {
2327 /* Check for a default transition on this program. */
a6f76f23 2328 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2329 SECCLASS_PROCESS, NULL,
2330 &new_tsec->sid);
1da177e4
LT		 2331 if (rc)
2332 return rc;
7b0d0b40
SS		 2333
2334 /*
2335 * Fallback to old SID on NNP or nosuid if not an allowed
2336 * transition.
2337 */
2338 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2339 if (rc)
2340 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2341 }
2342
50c205f5 2343 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2344 ad.u.path = bprm->file->f_path;
1da177e4 2345
a6f76f23
DH		 2346 if (new_tsec->sid == old_tsec->sid) {
2347 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2348 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2349 if (rc)
2350 return rc;
2351 } else {
2352 /* Check permissions for the transition. */
a6f76f23 2353 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2354 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2355 if (rc)
2356 return rc;
2357
a6f76f23 2358 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2359 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2360 if (rc)
2361 return rc;
2362
a6f76f23
DH		 2363 /* Check for shared state */
2364 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2365 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2366 SECCLASS_PROCESS, PROCESS__SHARE,
2367 NULL);
2368 if (rc)
2369 return -EPERM;
2370 }
2371
2372 /* Make sure that anyone attempting to ptrace over a task that
2373 * changes its SID has the appropriate permit */
2374 if (bprm->unsafe &
2375 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0c6181cb 2376 u32 ptsid = ptrace_parent_sid(current);
a6f76f23
DH		 2377 if (ptsid != 0) {
2378 rc = avc_has_perm(ptsid, new_tsec->sid,
2379 SECCLASS_PROCESS,
2380 PROCESS__PTRACE, NULL);
2381 if (rc)
2382 return -EPERM;
2383 }
2384 }
1da177e4 2385
a6f76f23
DH		 2386 /* Clear any possibly unsafe personality bits on exec: */
2387 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2388 }
2389
1da177e4
LT		 2390 return 0;
2391}
2392
828dfe1d 2393static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2394{
5fb49870 2395 const struct task_security_struct *tsec = current_security();
275bb41e 2396 u32 sid, osid;
1da177e4
LT		 2397 int atsecure = 0;
2398
275bb41e
DH		 2399 sid = tsec->sid;
2400 osid = tsec->osid;
2401
2402 if (osid != sid) {
1da177e4
LT		 2403 /* Enable secure mode for SIDs transitions unless
2404 the noatsecure permission is granted between
2405 the two SIDs, i.e. ahp returns 0. */
275bb41e 2406 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2407 SECCLASS_PROCESS,
2408 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2409 }
2410
b1d9e6b0 2411 return !!atsecure;
1da177e4
LT		 2412}
2413
c3c073f8
AV		 2414static int match_file(const void *p, struct file *file, unsigned fd)
2415{
2416 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2417}
2418
1da177e4 2419/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2420static inline void flush_unauthorized_files(const struct cred *cred,
2421 struct files_struct *files)
1da177e4 2422{
1da177e4 2423 struct file *file, *devnull = NULL;
b20c8122 2424 struct tty_struct *tty;
24ec839c 2425 int drop_tty = 0;
c3c073f8 2426 unsigned n;
1da177e4 2427
24ec839c 2428 tty = get_current_tty();
1da177e4 2429 if (tty) {
4a510969 2430 spin_lock(&tty->files_lock);
37dd0bd0 2431 if (!list_empty(&tty->tty_files)) {
d996b62a 2432 struct tty_file_private *file_priv;
37dd0bd0 2433
1da177e4 2434 /* Revalidate access to controlling tty.
13f8e981
DH		 2435 Use file_path_has_perm on the tty path directly
2436 rather than using file_has_perm, as this particular
2437 open file may belong to another process and we are
2438 only interested in the inode-based check here. */
d996b62a
NP		 2439 file_priv = list_first_entry(&tty->tty_files,
2440 struct tty_file_private, list);
2441 file = file_priv->file;
13f8e981 2442 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2443 drop_tty = 1;
1da177e4 2444 }
4a510969 2445 spin_unlock(&tty->files_lock);
452a00d2 2446 tty_kref_put(tty);
1da177e4 2447 }
98a27ba4
EB		 2448 /* Reset controlling tty. */
2449 if (drop_tty)
2450 no_tty();
1da177e4
LT		 2451
2452 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2453 n = iterate_fd(files, 0, match_file, cred);
2454 if (!n) /* none found? */
2455 return;
1da177e4 2456
c3c073f8 2457 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2458 if (IS_ERR(devnull))
2459 devnull = NULL;
2460 /* replace all the matching ones with this */
2461 do {
2462 replace_fd(n - 1, devnull, 0);
2463 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2464 if (devnull)
c3c073f8 2465 fput(devnull);
1da177e4
LT		 2466}
2467
a6f76f23
DH		 2468/*
2469 * Prepare a process for imminent new credential changes due to exec
2470 */
2471static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2472{
a6f76f23
DH		 2473 struct task_security_struct *new_tsec;
2474 struct rlimit *rlim, *initrlim;
2475 int rc, i;
d84f4f99 2476
a6f76f23
DH		 2477 new_tsec = bprm->cred->security;
2478 if (new_tsec->sid == new_tsec->osid)
2479 return;
1da177e4 2480
a6f76f23
DH		 2481 /* Close files for which the new task SID is not authorized. */
2482 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2483
a6f76f23
DH		 2484 /* Always clear parent death signal on SID transitions. */
2485 current->pdeath_signal = 0;
0356357c 2486
a6f76f23
DH		 2487 /* Check whether the new SID can inherit resource limits from the old
2488 * SID. If not, reset all soft limits to the lower of the current
2489 * task's hard limit and the init task's soft limit.
2490 *
2491 * Note that the setting of hard limits (even to lower them) can be
2492 * controlled by the setrlimit check. The inclusion of the init task's
2493 * soft limit into the computation is to avoid resetting soft limits
2494 * higher than the default soft limit for cases where the default is
2495 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2496 */
2497 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2498 PROCESS__RLIMITINH, NULL);
2499 if (rc) {
eb2d55a3
ON		 2500 /* protect against do_prlimit() */
2501 task_lock(current);
a6f76f23
DH		 2502 for (i = 0; i < RLIM_NLIMITS; i++) {
2503 rlim = current->signal->rlim + i;
2504 initrlim = init_task.signal->rlim + i;
2505 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2506 }
eb2d55a3
ON		 2507 task_unlock(current);
2508 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2509 }
2510}
2511
2512/*
a6f76f23
DH		 2513 * Clean up the process immediately after the installation of new credentials
2514 * due to exec
1da177e4 2515 */
a6f76f23 2516static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2517{
a6f76f23 2518 const struct task_security_struct *tsec = current_security();
1da177e4 2519 struct itimerval itimer;
a6f76f23 2520 u32 osid, sid;
1da177e4
LT		 2521 int rc, i;
2522
a6f76f23
DH		 2523 osid = tsec->osid;
2524 sid = tsec->sid;
2525
2526 if (sid == osid)
1da177e4
LT		 2527 return;
2528
a6f76f23
DH		 2529 /* Check whether the new SID can inherit signal state from the old SID.
2530 * If not, clear itimers to avoid subsequent signal generation and
2531 * flush and unblock signals.
2532 *
2533 * This must occur _after_ the task SID has been updated so that any
2534 * kill done after the flush will be checked against the new SID.
2535 */
2536 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2537 if (rc) {
2538 memset(&itimer, 0, sizeof itimer);
2539 for (i = 0; i < 3; i++)
2540 do_setitimer(i, &itimer, NULL);
1da177e4 2541 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2542 if (!fatal_signal_pending(current)) {
2543 flush_sigqueue(&current->pending);
2544 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2545 flush_signal_handlers(current, 1);
2546 sigemptyset(&current->blocked);
9e7c8f8c 2547 recalc_sigpending();
3bcac026 2548 }
1da177e4
LT		 2549 spin_unlock_irq(&current->sighand->siglock);
2550 }
2551
a6f76f23
DH		 2552 /* Wake up the parent if it is waiting so that it can recheck
2553 * wait permission to the new task SID. */
ecd6de3c 2554 read_lock(&tasklist_lock);
0b7570e7 2555 __wake_up_parent(current, current->real_parent);
ecd6de3c 2556 read_unlock(&tasklist_lock);
1da177e4
LT		 2557}
2558
2559/* superblock security operations */
2560
2561static int selinux_sb_alloc_security(struct super_block *sb)
2562{
2563 return superblock_alloc_security(sb);
2564}
2565
2566static void selinux_sb_free_security(struct super_block *sb)
2567{
2568 superblock_free_security(sb);
2569}
2570
2571static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2572{
2573 if (plen > olen)
2574 return 0;
2575
2576 return !memcmp(prefix, option, plen);
2577}
2578
2579static inline int selinux_option(char *option, int len)
2580{
832cbd9a
EP		 2581 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2582 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2583 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2584 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2585 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2586}
2587
2588static inline void take_option(char **to, char *from, int *first, int len)
2589{
2590 if (!*first) {
2591 **to = ',';
2592 *to += 1;
3528a953 2593 } else
1da177e4
LT		 2594 *first = 0;
2595 memcpy(*to, from, len);
2596 *to += len;
2597}
2598
828dfe1d
EP		 2599static inline void take_selinux_option(char **to, char *from, int *first,
2600 int len)
3528a953
CO		 2601{
2602 int current_size = 0;
2603
2604 if (!*first) {
2605 **to = '|';
2606 *to += 1;
828dfe1d 2607 } else
3528a953
CO		 2608 *first = 0;
2609
2610 while (current_size < len) {
2611 if (*from != '"') {
2612 **to = *from;
2613 *to += 1;
2614 }
2615 from += 1;
2616 current_size += 1;
2617 }
2618}
2619
e0007529 2620static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2621{
2622 int fnosec, fsec, rc = 0;
2623 char *in_save, *in_curr, *in_end;
2624 char *sec_curr, *nosec_save, *nosec;
3528a953 2625 int open_quote = 0;
1da177e4
LT		 2626
2627 in_curr = orig;
2628 sec_curr = copy;
2629
1da177e4
LT		 2630 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2631 if (!nosec) {
2632 rc = -ENOMEM;
2633 goto out;
2634 }
2635
2636 nosec_save = nosec;
2637 fnosec = fsec = 1;
2638 in_save = in_end = orig;
2639
2640 do {
3528a953
CO		 2641 if (*in_end == '"')
2642 open_quote = !open_quote;
2643 if ((*in_end == ',' && open_quote == 0) ||
2644 *in_end == '\0') {
1da177e4
LT		 2645 int len = in_end - in_curr;
2646
2647 if (selinux_option(in_curr, len))
3528a953 2648 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2649 else
2650 take_option(&nosec, in_curr, &fnosec, len);
2651
2652 in_curr = in_end + 1;
2653 }
2654 } while (*in_end++);
2655
6931dfc9 2656 strcpy(in_save, nosec_save);
da3caa20 2657 free_page((unsigned long)nosec_save);
1da177e4
LT		 2658out:
2659 return rc;
2660}
2661
026eb167
EP		 2662static int selinux_sb_remount(struct super_block *sb, void *data)
2663{
2664 int rc, i, *flags;
2665 struct security_mnt_opts opts;
2666 char *secdata, **mount_options;
2667 struct superblock_security_struct *sbsec = sb->s_security;
2668
2669 if (!(sbsec->flags & SE_SBINITIALIZED))
2670 return 0;
2671
2672 if (!data)
2673 return 0;
2674
2675 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2676 return 0;
2677
2678 security_init_mnt_opts(&opts);
2679 secdata = alloc_secdata();
2680 if (!secdata)
2681 return -ENOMEM;
2682 rc = selinux_sb_copy_data(data, secdata);
2683 if (rc)
2684 goto out_free_secdata;
2685
2686 rc = selinux_parse_opts_str(secdata, &opts);
2687 if (rc)
2688 goto out_free_secdata;
2689
2690 mount_options = opts.mnt_opts;
2691 flags = opts.mnt_opts_flags;
2692
2693 for (i = 0; i < opts.num_mnt_opts; i++) {
2694 u32 sid;
026eb167 2695
12f348b9 2696 if (flags[i] == SBLABEL_MNT)
026eb167 2697 continue;
44be2f65 2698 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
026eb167 2699 if (rc) {
44be2f65 2700 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
29b1deb2
LT		 2701 "(%s) failed for (dev %s, type %s) errno=%d\n",
2702 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2703 goto out_free_opts;
2704 }
2705 rc = -EINVAL;
2706 switch (flags[i]) {
2707 case FSCONTEXT_MNT:
2708 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2709 goto out_bad_option;
2710 break;
2711 case CONTEXT_MNT:
2712 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2713 goto out_bad_option;
2714 break;
2715 case ROOTCONTEXT_MNT: {
2716 struct inode_security_struct *root_isec;
83da53c5 2717 root_isec = backing_inode_security(sb->s_root);
026eb167
EP		 2718
2719 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2720 goto out_bad_option;
2721 break;
2722 }
2723 case DEFCONTEXT_MNT:
2724 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2725 goto out_bad_option;
2726 break;
2727 default:
2728 goto out_free_opts;
2729 }
2730 }
2731
2732 rc = 0;
2733out_free_opts:
2734 security_free_mnt_opts(&opts);
2735out_free_secdata:
2736 free_secdata(secdata);
2737 return rc;
2738out_bad_option:
2739 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2740 "during remount (dev %s, type=%s)\n", sb->s_id,
2741 sb->s_type->name);
026eb167
EP		 2742 goto out_free_opts;
2743}
2744
12204e24 2745static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2746{
88e67f3b 2747 const struct cred *cred = current_cred();
2bf49690 2748 struct common_audit_data ad;
1da177e4
LT		 2749 int rc;
2750
2751 rc = superblock_doinit(sb, data);
2752 if (rc)
2753 return rc;
2754
74192246
JM		 2755 /* Allow all mounts performed by the kernel */
2756 if (flags & MS_KERNMOUNT)
2757 return 0;
2758
50c205f5 2759 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2760 ad.u.dentry = sb->s_root;
88e67f3b 2761 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2762}
2763
726c3342 2764static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2765{
88e67f3b 2766 const struct cred *cred = current_cred();
2bf49690 2767 struct common_audit_data ad;
1da177e4 2768
50c205f5 2769 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2770 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2771 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2772}
2773
808d4e3c 2774static int selinux_mount(const char *dev_name,
b5266eb4 2775 struct path *path,
808d4e3c 2776 const char *type,
828dfe1d
EP		 2777 unsigned long flags,
2778 void *data)
1da177e4 2779{
88e67f3b 2780 const struct cred *cred = current_cred();
1da177e4
LT		 2781
2782 if (flags & MS_REMOUNT)
d8c9584e 2783 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2784 FILESYSTEM__REMOUNT, NULL);
1da177e4 2785 else
2875fa00 2786 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2787}
2788
2789static int selinux_umount(struct vfsmount *mnt, int flags)
2790{
88e67f3b 2791 const struct cred *cred = current_cred();
1da177e4 2792
88e67f3b 2793 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2794 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2795}
2796
2797/* inode security operations */
2798
2799static int selinux_inode_alloc_security(struct inode *inode)
2800{
2801 return inode_alloc_security(inode);
2802}
2803
2804static void selinux_inode_free_security(struct inode *inode)
2805{
2806 inode_free_security(inode);
2807}
2808
d47be3df
DQ		 2809static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2810 struct qstr *name, void **ctx,
2811 u32 *ctxlen)
2812{
d47be3df
DQ		 2813 u32 newsid;
2814 int rc;
2815
c3c188b2
DH		 2816 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2817 inode_mode_to_security_class(mode),
2818 &newsid);
2819 if (rc)
2820 return rc;
d47be3df
DQ		 2821
2822 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2823}
2824
5e41ff9e 2825static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2826 const struct qstr *qstr,
2827 const char **name,
2a7dba39 2828 void **value, size_t *len)
5e41ff9e 2829{
5fb49870 2830 const struct task_security_struct *tsec = current_security();
5e41ff9e 2831 struct superblock_security_struct *sbsec;
275bb41e 2832 u32 sid, newsid, clen;
5e41ff9e 2833 int rc;
9548906b 2834 char *context;
5e41ff9e 2835
5e41ff9e 2836 sbsec = dir->i_sb->s_security;
5e41ff9e 2837
275bb41e
DH		 2838 sid = tsec->sid;
2839 newsid = tsec->create_sid;
2840
c3c188b2
DH		 2841 rc = selinux_determine_inode_label(
2842 dir, qstr,
2843 inode_mode_to_security_class(inode->i_mode),
2844 &newsid);
2845 if (rc)
2846 return rc;
5e41ff9e 2847
296fddf7 2848 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2849 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2850 struct inode_security_struct *isec = inode->i_security;
2851 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2852 isec->sid = newsid;
6f3be9f5 2853 isec->initialized = LABEL_INITIALIZED;
296fddf7 2854 }
5e41ff9e 2855
12f348b9 2856 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2857 return -EOPNOTSUPP;
2858
9548906b
TH		 2859 if (name)
2860 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2861
570bc1c2 2862 if (value && len) {
12b29f34 2863 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2864 if (rc)
570bc1c2 2865 return rc;
570bc1c2
SS		 2866 *value = context;
2867 *len = clen;
5e41ff9e 2868 }
5e41ff9e 2869
5e41ff9e
SS		 2870 return 0;
2871}
2872
4acdaf27 2873static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2874{
2875 return may_create(dir, dentry, SECCLASS_FILE);
2876}
2877
1da177e4
LT		 2878static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2879{
1da177e4
LT		 2880 return may_link(dir, old_dentry, MAY_LINK);
2881}
2882
1da177e4
LT		 2883static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2884{
1da177e4
LT		 2885 return may_link(dir, dentry, MAY_UNLINK);
2886}
2887
2888static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2889{
2890 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2891}
2892
18bb1db3 2893static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2894{
2895 return may_create(dir, dentry, SECCLASS_DIR);
2896}
2897
1da177e4
LT		 2898static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2899{
2900 return may_link(dir, dentry, MAY_RMDIR);
2901}
2902
1a67aafb 2903static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2904{
1da177e4
LT		 2905 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2906}
2907
1da177e4 2908static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2909 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2910{
2911 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2912}
2913
1da177e4
LT		 2914static int selinux_inode_readlink(struct dentry *dentry)
2915{
88e67f3b
DH		 2916 const struct cred *cred = current_cred();
2917
2875fa00 2918 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2919}
2920
bda0be7a
N		 2921static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2922 bool rcu)
1da177e4 2923{
88e67f3b 2924 const struct cred *cred = current_cred();
bda0be7a
N		 2925 struct common_audit_data ad;
2926 struct inode_security_struct *isec;
2927 u32 sid;
1da177e4 2928
bda0be7a
N		 2929 validate_creds(cred);
2930
2931 ad.type = LSM_AUDIT_DATA_DENTRY;
2932 ad.u.dentry = dentry;
2933 sid = cred_sid(cred);
5d226df4
AG		 2934 isec = inode_security_rcu(inode, rcu);
2935 if (IS_ERR(isec))
2936 return PTR_ERR(isec);
bda0be7a
N		 2937
2938 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2939 rcu ? MAY_NOT_BLOCK : 0);
1da177e4
LT		 2940}
2941
d4cf970d
EP		 2942static noinline int audit_inode_permission(struct inode *inode,
2943 u32 perms, u32 audited, u32 denied,
626b9740 2944 int result,
d4cf970d 2945 unsigned flags)
1da177e4 2946{
b782e0a6 2947 struct common_audit_data ad;
d4cf970d
EP		 2948 struct inode_security_struct *isec = inode->i_security;
2949 int rc;
2950
50c205f5 2951 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2952 ad.u.inode = inode;
2953
2954 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2955 audited, denied, result, &ad, flags);
d4cf970d
EP		 2956 if (rc)
2957 return rc;
2958 return 0;
2959}
2960
e74f71eb 2961static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2962{
88e67f3b 2963 const struct cred *cred = current_cred();
b782e0a6
EP		 2964 u32 perms;
2965 bool from_access;
cf1dd1da 2966 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2967 struct inode_security_struct *isec;
2968 u32 sid;
2969 struct av_decision avd;
2970 int rc, rc2;
2971 u32 audited, denied;
1da177e4 2972
b782e0a6 2973 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2974 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2975
b782e0a6
EP		 2976 /* No permission to check. Existence test. */
2977 if (!mask)
1da177e4 2978 return 0;
1da177e4 2979
2e334057 2980 validate_creds(cred);
b782e0a6 2981
2e334057
EP		 2982 if (unlikely(IS_PRIVATE(inode)))
2983 return 0;
b782e0a6
EP		 2984
2985 perms = file_mask_to_av(inode->i_mode, mask);
2986
2e334057 2987 sid = cred_sid(cred);
5d226df4
AG		 2988 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2989 if (IS_ERR(isec))
2990 return PTR_ERR(isec);
2e334057
EP		 2991
2992 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2993 audited = avc_audit_required(perms, &avd, rc,
2994 from_access ? FILE__AUDIT_ACCESS : 0,
2995 &denied);
2996 if (likely(!audited))
2997 return rc;
2998
626b9740 2999 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 3000 if (rc2)
3001 return rc2;
3002 return rc;
1da177e4
LT		 3003}
3004
3005static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3006{
88e67f3b 3007 const struct cred *cred = current_cred();
bc6a6008 3008 unsigned int ia_valid = iattr->ia_valid;
95dbf739 3009 __u32 av = FILE__WRITE;
1da177e4 3010
bc6a6008
AW		 3011 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3012 if (ia_valid & ATTR_FORCE) {
3013 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3014 ATTR_FORCE);
3015 if (!ia_valid)
3016 return 0;
3017 }
1da177e4 3018
bc6a6008
AW		 3019 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3020 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 3021 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 3022
44d37ad3
JVS		 3023 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3024 && !(ia_valid & ATTR_FILE))
95dbf739
EP		 3025 av |= FILE__OPEN;
3026
3027 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 3028}
3029
3f7036a0 3030static int selinux_inode_getattr(const struct path *path)
1da177e4 3031{
3f7036a0 3032 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 3033}
3034
8f0cfa52 3035static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 3036{
88e67f3b
DH		 3037 const struct cred *cred = current_cred();
3038
b5376771
SH		 3039 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3040 sizeof XATTR_SECURITY_PREFIX - 1)) {
3041 if (!strcmp(name, XATTR_NAME_CAPS)) {
3042 if (!capable(CAP_SETFCAP))
3043 return -EPERM;
3044 } else if (!capable(CAP_SYS_ADMIN)) {
3045 /* A different attribute in the security namespace.
3046 Restrict to administrator. */
3047 return -EPERM;
3048 }
3049 }
3050
3051 /* Not an attribute we recognize, so just check the
3052 ordinary setattr permission. */
2875fa00 3053 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 3054}
3055
8f0cfa52
DH		 3056static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3057 const void *value, size_t size, int flags)
1da177e4 3058{
c6f493d6 3059 struct inode *inode = d_backing_inode(dentry);
83da53c5 3060 struct inode_security_struct *isec = backing_inode_security(dentry);
1da177e4 3061 struct superblock_security_struct *sbsec;
2bf49690 3062 struct common_audit_data ad;
275bb41e 3063 u32 newsid, sid = current_sid();
1da177e4
LT		 3064 int rc = 0;
3065
b5376771
SH		 3066 if (strcmp(name, XATTR_NAME_SELINUX))
3067 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3068
3069 sbsec = inode->i_sb->s_security;
12f348b9 3070 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 3071 return -EOPNOTSUPP;
3072
2e149670 3073 if (!inode_owner_or_capable(inode))
1da177e4
LT		 3074 return -EPERM;
3075
50c205f5 3076 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 3077 ad.u.dentry = dentry;
1da177e4 3078
275bb41e 3079 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 3080 FILE__RELABELFROM, &ad);
3081 if (rc)
3082 return rc;
3083
52a4c640 3084 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 3085 if (rc == -EINVAL) {
d6ea83ec
EP		 3086 if (!capable(CAP_MAC_ADMIN)) {
3087 struct audit_buffer *ab;
3088 size_t audit_size;
3089 const char *str;
3090
3091 /* We strip a nul only if it is at the end, otherwise the
3092 * context contains a nul and we should audit that */
e3fea3f7
AV		 3093 if (value) {
3094 str = value;
3095 if (str[size - 1] == '\0')
3096 audit_size = size - 1;
3097 else
3098 audit_size = size;
3099 } else {
3100 str = "";
3101 audit_size = 0;
3102 }
d6ea83ec
EP		 3103 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3104 audit_log_format(ab, "op=setxattr invalid_context=");
3105 audit_log_n_untrustedstring(ab, value, audit_size);
3106 audit_log_end(ab);
3107
12b29f34 3108 return rc;
d6ea83ec 3109 }
12b29f34
SS		 3110 rc = security_context_to_sid_force(value, size, &newsid);
3111 }
1da177e4
LT		 3112 if (rc)
3113 return rc;
3114
275bb41e 3115 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3116 FILE__RELABELTO, &ad);
3117 if (rc)
3118 return rc;
3119
275bb41e 3120 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3121 isec->sclass);
1da177e4
LT		 3122 if (rc)
3123 return rc;
3124
3125 return avc_has_perm(newsid,
3126 sbsec->sid,
3127 SECCLASS_FILESYSTEM,
3128 FILESYSTEM__ASSOCIATE,
3129 &ad);
3130}
3131
8f0cfa52 3132static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3133 const void *value, size_t size,
8f0cfa52 3134 int flags)
1da177e4 3135{
c6f493d6 3136 struct inode *inode = d_backing_inode(dentry);
83da53c5 3137 struct inode_security_struct *isec = backing_inode_security(dentry);
1da177e4
LT		 3138 u32 newsid;
3139 int rc;
3140
3141 if (strcmp(name, XATTR_NAME_SELINUX)) {
3142 /* Not an attribute we recognize, so nothing to do. */
3143 return;
3144 }
3145
12b29f34 3146 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3147 if (rc) {
12b29f34
SS		 3148 printk(KERN_ERR "SELinux: unable to map context to SID"
3149 "for (%s, %lu), rc=%d\n",
3150 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3151 return;
3152 }
3153
aa9c2669 3154 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3155 isec->sid = newsid;
6f3be9f5 3156 isec->initialized = LABEL_INITIALIZED;
aa9c2669 3157
1da177e4
LT		 3158 return;
3159}
3160
8f0cfa52 3161static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3162{
88e67f3b
DH		 3163 const struct cred *cred = current_cred();
3164
2875fa00 3165 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3166}
3167
828dfe1d 3168static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3169{
88e67f3b
DH		 3170 const struct cred *cred = current_cred();
3171
2875fa00 3172 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3173}
3174
8f0cfa52 3175static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3176{
b5376771
SH		 3177 if (strcmp(name, XATTR_NAME_SELINUX))
3178 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3179
3180 /* No one is allowed to remove a SELinux security label.
3181 You can change the label, but all data must be labeled. */
3182 return -EACCES;
3183}
3184
d381d8a9 3185/*
abc69bb6 3186 * Copy the inode security context value to the user.
d381d8a9
JM		 3187 *
3188 * Permission check is handled by selinux_inode_getxattr hook.
3189 */
ea861dfd 3190static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3191{
42492594
DQ		 3192 u32 size;
3193 int error;
3194 char *context = NULL;
83da53c5 3195 struct inode_security_struct *isec = inode_security(inode);
d381d8a9 3196
8c8570fb
DK		 3197 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3198 return -EOPNOTSUPP;
d381d8a9 3199
abc69bb6
SS		 3200 /*
3201 * If the caller has CAP_MAC_ADMIN, then get the raw context
3202 * value even if it is not defined by current policy; otherwise,
3203 * use the in-core value under current policy.
3204 * Use the non-auditing forms of the permission checks since
3205 * getxattr may be called by unprivileged processes commonly
3206 * and lack of permission just means that we fall back to the
3207 * in-core context value, not a denial.
3208 */
b1d9e6b0
CS		 3209 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3210 SECURITY_CAP_NOAUDIT);
3211 if (!error)
3212 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3213 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3214 if (!error)
3215 error = security_sid_to_context_force(isec->sid, &context,
3216 &size);
3217 else
3218 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3219 if (error)
3220 return error;
3221 error = size;
3222 if (alloc) {
3223 *buffer = context;
3224 goto out_nofree;
3225 }
3226 kfree(context);
3227out_nofree:
3228 return error;
1da177e4
LT		 3229}
3230
3231static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3232 const void *value, size_t size, int flags)
1da177e4 3233{
2c97165b 3234 struct inode_security_struct *isec = inode_security_novalidate(inode);
1da177e4
LT		 3235 u32 newsid;
3236 int rc;
3237
3238 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3239 return -EOPNOTSUPP;
3240
3241 if (!value || !size)
3242 return -EACCES;
3243
20ba96ae 3244 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3245 if (rc)
3246 return rc;
3247
aa9c2669 3248 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3249 isec->sid = newsid;
6f3be9f5 3250 isec->initialized = LABEL_INITIALIZED;
1da177e4
LT		 3251 return 0;
3252}
3253
3254static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3255{
3256 const int len = sizeof(XATTR_NAME_SELINUX);
3257 if (buffer && len <= buffer_size)
3258 memcpy(buffer, XATTR_NAME_SELINUX, len);
3259 return len;
3260}
3261
d6335d77 3262static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
713a04ae 3263{
e817c2f3 3264 struct inode_security_struct *isec = inode_security_novalidate(inode);
713a04ae
AD		 3265 *secid = isec->sid;
3266}
3267
1da177e4
LT		 3268/* file security operations */
3269
788e7dd4 3270static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3271{
88e67f3b 3272 const struct cred *cred = current_cred();
496ad9aa 3273 struct inode *inode = file_inode(file);
1da177e4 3274
1da177e4
LT		 3275 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3276 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3277 mask |= MAY_APPEND;
3278
389fb800
PM		 3279 return file_has_perm(cred, file,
3280 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3281}
3282
788e7dd4
YN		 3283static int selinux_file_permission(struct file *file, int mask)
3284{
496ad9aa 3285 struct inode *inode = file_inode(file);
20dda18b 3286 struct file_security_struct *fsec = file->f_security;
b197367e 3287 struct inode_security_struct *isec;
20dda18b
SS		 3288 u32 sid = current_sid();
3289
389fb800 3290 if (!mask)
788e7dd4
YN		 3291 /* No permission to check. Existence test. */
3292 return 0;
788e7dd4 3293
b197367e 3294 isec = inode_security(inode);
20dda18b
SS		 3295 if (sid == fsec->sid && fsec->isid == isec->sid &&
3296 fsec->pseqno == avc_policy_seqno())
83d49856 3297 /* No change since file_open check. */
20dda18b
SS		 3298 return 0;
3299
788e7dd4
YN		 3300 return selinux_revalidate_file_permission(file, mask);
3301}
3302
1da177e4
LT		 3303static int selinux_file_alloc_security(struct file *file)
3304{
3305 return file_alloc_security(file);
3306}
3307
3308static void selinux_file_free_security(struct file *file)
3309{
3310 file_free_security(file);
3311}
3312
fa1aa143
JVS		 3313/*
3314 * Check whether a task has the ioctl permission and cmd
3315 * operation to an inode.
3316 */
1d2a168a 3317static int ioctl_has_perm(const struct cred *cred, struct file *file,
fa1aa143
JVS		 3318 u32 requested, u16 cmd)
3319{
3320 struct common_audit_data ad;
3321 struct file_security_struct *fsec = file->f_security;
3322 struct inode *inode = file_inode(file);
83da53c5 3323 struct inode_security_struct *isec = inode_security(inode);
fa1aa143
JVS		 3324 struct lsm_ioctlop_audit ioctl;
3325 u32 ssid = cred_sid(cred);
3326 int rc;
3327 u8 driver = cmd >> 8;
3328 u8 xperm = cmd & 0xff;
3329
3330 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3331 ad.u.op = &ioctl;
3332 ad.u.op->cmd = cmd;
3333 ad.u.op->path = file->f_path;
3334
3335 if (ssid != fsec->sid) {
3336 rc = avc_has_perm(ssid, fsec->sid,
3337 SECCLASS_FD,
3338 FD__USE,
3339 &ad);
3340 if (rc)
3341 goto out;
3342 }
3343
3344 if (unlikely(IS_PRIVATE(inode)))
3345 return 0;
3346
3347 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3348 requested, driver, xperm, &ad);
3349out:
3350 return rc;
3351}
3352
1da177e4
LT		 3353static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3354 unsigned long arg)
3355{
88e67f3b 3356 const struct cred *cred = current_cred();
0b24dcb7 3357 int error = 0;
1da177e4 3358
0b24dcb7
EP		 3359 switch (cmd) {
3360 case FIONREAD:
3361 /* fall through */
3362 case FIBMAP:
3363 /* fall through */
3364 case FIGETBSZ:
3365 /* fall through */
2f99c369 3366 case FS_IOC_GETFLAGS:
0b24dcb7 3367 /* fall through */
2f99c369 3368 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3369 error = file_has_perm(cred, file, FILE__GETATTR);
3370 break;
1da177e4 3371
2f99c369 3372 case FS_IOC_SETFLAGS:
0b24dcb7 3373 /* fall through */
2f99c369 3374 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3375 error = file_has_perm(cred, file, FILE__SETATTR);
3376 break;
3377
3378 /* sys_ioctl() checks */
3379 case FIONBIO:
3380 /* fall through */
3381 case FIOASYNC:
3382 error = file_has_perm(cred, file, 0);
3383 break;
1da177e4 3384
0b24dcb7
EP		 3385 case KDSKBENT:
3386 case KDSKBSENT:
6a9de491
EP		 3387 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3388 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3389 break;
3390
3391 /* default case assumes that the command will go
3392 * to the file's ioctl() function.
3393 */
3394 default:
fa1aa143 3395 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
0b24dcb7
EP		 3396 }
3397 return error;
1da177e4
LT		 3398}
3399
fcaaade1
SS		 3400static int default_noexec;
3401
1da177e4
LT		 3402static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3403{
88e67f3b 3404 const struct cred *cred = current_cred();
d84f4f99 3405 int rc = 0;
88e67f3b 3406
fcaaade1 3407 if (default_noexec &&
892e8cac
SS		 3408 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3409 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3410 /*
3411 * We are making executable an anonymous mapping or a
3412 * private file mapping that will also be writable.
3413 * This has an additional check.
3414 */
d84f4f99 3415 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3416 if (rc)
d84f4f99 3417 goto error;
1da177e4 3418 }
1da177e4
LT		 3419
3420 if (file) {
3421 /* read access is always possible with a mapping */
3422 u32 av = FILE__READ;
3423
3424 /* write access only matters if the mapping is shared */
3425 if (shared && (prot & PROT_WRITE))
3426 av |= FILE__WRITE;
3427
3428 if (prot & PROT_EXEC)
3429 av |= FILE__EXECUTE;
3430
88e67f3b 3431 return file_has_perm(cred, file, av);
1da177e4 3432 }
d84f4f99
DH		 3433
3434error:
3435 return rc;
1da177e4
LT		 3436}
3437
e5467859 3438static int selinux_mmap_addr(unsigned long addr)
1da177e4 3439{
b1d9e6b0 3440 int rc = 0;
1da177e4 3441
a2551df7 3442 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3443 u32 sid = current_sid();
ed032189
EP		 3444 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3445 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3446 }
3447
98883bfd 3448 return rc;
e5467859 3449}
1da177e4 3450
e5467859
AV		 3451static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3452 unsigned long prot, unsigned long flags)
3453{
1da177e4
LT		 3454 if (selinux_checkreqprot)
3455 prot = reqprot;
3456
3457 return file_map_prot_check(file, prot,
3458 (flags & MAP_TYPE) == MAP_SHARED);
3459}
3460
3461static int selinux_file_mprotect(struct vm_area_struct *vma,
3462 unsigned long reqprot,
3463 unsigned long prot)
3464{
88e67f3b 3465 const struct cred *cred = current_cred();
1da177e4
LT		 3466
3467 if (selinux_checkreqprot)
3468 prot = reqprot;
3469
fcaaade1
SS		 3470 if (default_noexec &&
3471 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3472 int rc = 0;
db4c9641
SS		 3473 if (vma->vm_start >= vma->vm_mm->start_brk &&
3474 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3475 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3476 } else if (!vma->vm_file &&
3477 vma->vm_start <= vma->vm_mm->start_stack &&
3478 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3479 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3480 } else if (vma->vm_file && vma->anon_vma) {
3481 /*
3482 * We are making executable a file mapping that has
3483 * had some COW done. Since pages might have been
3484 * written, check ability to execute the possibly
3485 * modified content. This typically should only
3486 * occur for text relocations.
3487 */
d84f4f99 3488 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3489 }