]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
rlimits: make sure ->rlim_max never grows in sys_setrlimit
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4
PM		 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4
LT		 26#include <linux/init.h>
27#include <linux/kernel.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4
LT		 29#include <linux/errno.h>
30#include <linux/sched.h>
31#include <linux/security.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/swap.h>
1da177e4
LT		 40#include <linux/spinlock.h>
41#include <linux/syscalls.h>
42#include <linux/file.h>
9f3acc31 43#include <linux/fdtable.h>
1da177e4
LT		 44#include <linux/namei.h>
45#include <linux/mount.h>
1da177e4 46#include <linux/proc_fs.h>
1da177e4
LT		 47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
f5269710 55#include <linux/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
f06febc9 78#include <linux/posix-timers.h>
00234592 79#include <linux/syslog.h>
1da177e4
LT		 80
81#include "avc.h"
82#include "objsec.h"
83#include "netif.h"
224dfbd8 84#include "netnode.h"
3e112172 85#include "netport.h"
d28d1e08 86#include "xfrm.h"
c60475bf 87#include "netlabel.h"
9d57a7f9 88#include "audit.h"
1da177e4
LT		 89
90#define XATTR_SELINUX_SUFFIX "selinux"
91#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
92
11689d47 93#define NUM_SEL_MNT_OPTS 5
c9180a57 94
1da177e4 95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
20510f2f 96extern struct security_operations *security_ops;
1da177e4 97
d621d35e
PM		 98/* SECMARK reference count */
99atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
1da177e4 101#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 102int selinux_enforcing;
1da177e4
LT		 103
104static int __init enforcing_setup(char *str)
105{
f5269710
EP		 106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 109 return 1;
110}
111__setup("enforcing=", enforcing_setup);
112#endif
113
114#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117static int __init selinux_enabled_setup(char *str)
118{
f5269710
EP		 119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 122 return 1;
123}
124__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 125#else
126int selinux_enabled = 1;
1da177e4
LT		 127#endif
128
e18b890b 129static struct kmem_cache *sel_inode_cache;
7cae7e26 130
d621d35e
PM		 131/**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled.
139 *
140 */
141static int selinux_secmark_enabled(void)
142{
143 return (atomic_read(&selinux_secmark_refcount) > 0);
144}
145
d84f4f99
DH		 146/*
147 * initialise the security for the init task
148 */
149static void cred_init_security(void)
1da177e4 150{
3b11a1de 151 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 152 struct task_security_struct *tsec;
153
89d155ef 154 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 155 if (!tsec)
d84f4f99 156 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 157
d84f4f99 158 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 159 cred->security = tsec;
1da177e4
LT		 160}
161
88e67f3b
DH		 162/*
163 * get the security ID of a set of credentials
164 */
165static inline u32 cred_sid(const struct cred *cred)
166{
167 const struct task_security_struct *tsec;
168
169 tsec = cred->security;
170 return tsec->sid;
171}
172
275bb41e 173/*
3b11a1de 174 * get the objective security ID of a task
275bb41e
DH		 175 */
176static inline u32 task_sid(const struct task_struct *task)
177{
275bb41e
DH		 178 u32 sid;
179
180 rcu_read_lock();
88e67f3b 181 sid = cred_sid(__task_cred(task));
275bb41e
DH		 182 rcu_read_unlock();
183 return sid;
184}
185
186/*
3b11a1de 187 * get the subjective security ID of the current task
275bb41e
DH		 188 */
189static inline u32 current_sid(void)
190{
191 const struct task_security_struct *tsec = current_cred()->security;
192
193 return tsec->sid;
194}
195
88e67f3b
DH		 196/* Allocate and free functions for each kind of security blob. */
197
1da177e4
LT		 198static int inode_alloc_security(struct inode *inode)
199{
1da177e4 200 struct inode_security_struct *isec;
275bb41e 201 u32 sid = current_sid();
1da177e4 202
a02fe132 203 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 204 if (!isec)
205 return -ENOMEM;
206
23970741 207 mutex_init(&isec->lock);
1da177e4 208 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 209 isec->inode = inode;
210 isec->sid = SECINITSID_UNLABELED;
211 isec->sclass = SECCLASS_FILE;
275bb41e 212 isec->task_sid = sid;
1da177e4
LT		 213 inode->i_security = isec;
214
215 return 0;
216}
217
218static void inode_free_security(struct inode *inode)
219{
220 struct inode_security_struct *isec = inode->i_security;
221 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
222
1da177e4
LT		 223 spin_lock(&sbsec->isec_lock);
224 if (!list_empty(&isec->list))
225 list_del_init(&isec->list);
226 spin_unlock(&sbsec->isec_lock);
227
228 inode->i_security = NULL;
7cae7e26 229 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 230}
231
232static int file_alloc_security(struct file *file)
233{
1da177e4 234 struct file_security_struct *fsec;
275bb41e 235 u32 sid = current_sid();
1da177e4 236
26d2a4be 237 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 238 if (!fsec)
239 return -ENOMEM;
240
275bb41e
DH		 241 fsec->sid = sid;
242 fsec->fown_sid = sid;
1da177e4
LT		 243 file->f_security = fsec;
244
245 return 0;
246}
247
248static void file_free_security(struct file *file)
249{
250 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 251 file->f_security = NULL;
252 kfree(fsec);
253}
254
255static int superblock_alloc_security(struct super_block *sb)
256{
257 struct superblock_security_struct *sbsec;
258
89d155ef 259 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 260 if (!sbsec)
261 return -ENOMEM;
262
bc7e982b 263 mutex_init(&sbsec->lock);
1da177e4
LT		 264 INIT_LIST_HEAD(&sbsec->isec_head);
265 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 266 sbsec->sb = sb;
267 sbsec->sid = SECINITSID_UNLABELED;
268 sbsec->def_sid = SECINITSID_FILE;
c312feb2 269 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 270 sb->s_security = sbsec;
271
272 return 0;
273}
274
275static void superblock_free_security(struct super_block *sb)
276{
277 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 278 sb->s_security = NULL;
279 kfree(sbsec);
280}
281
7d877f3b 282static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4 283{
dd3e7836 284 struct sk_security_struct *sksec;
1da177e4 285
dd3e7836
EP		 286 sksec = kzalloc(sizeof(*sksec), priority);
287 if (!sksec)
1da177e4
LT		 288 return -ENOMEM;
289
dd3e7836
EP		 290 sksec->peer_sid = SECINITSID_UNLABELED;
291 sksec->sid = SECINITSID_UNLABELED;
292 sk->sk_security = sksec;
1da177e4 293
dd3e7836 294 selinux_netlbl_sk_security_reset(sksec);
99f59ed0 295
1da177e4
LT		 296 return 0;
297}
298
299static void sk_free_security(struct sock *sk)
300{
dd3e7836 301 struct sk_security_struct *sksec = sk->sk_security;
1da177e4 302
1da177e4 303 sk->sk_security = NULL;
dd3e7836
EP		 304 selinux_netlbl_sk_security_free(sksec);
305 kfree(sksec);
1da177e4 306}
1da177e4
LT		 307
308/* The security server must be initialized before
309 any labeling or access decisions can be provided. */
310extern int ss_initialized;
311
312/* The file system's label must be initialized prior to use. */
313
634a539e 314static const char *labeling_behaviors[6] = {
1da177e4
LT		 315 "uses xattr",
316 "uses transition SIDs",
317 "uses task SIDs",
318 "uses genfs_contexts",
319 "not configured for labeling",
320 "uses mountpoint labeling",
321};
322
323static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
324
325static inline int inode_doinit(struct inode *inode)
326{
327 return inode_doinit_with_dentry(inode, NULL);
328}
329
330enum {
31e87930 331 Opt_error = -1,
1da177e4
LT		 332 Opt_context = 1,
333 Opt_fscontext = 2,
c9180a57
EP		 334 Opt_defcontext = 3,
335 Opt_rootcontext = 4,
11689d47 336 Opt_labelsupport = 5,
1da177e4
LT		 337};
338
a447c093 339static const match_table_t tokens = {
832cbd9a
EP		 340 {Opt_context, CONTEXT_STR "%s"},
341 {Opt_fscontext, FSCONTEXT_STR "%s"},
342 {Opt_defcontext, DEFCONTEXT_STR "%s"},
343 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 344 {Opt_labelsupport, LABELSUPP_STR},
31e87930 345 {Opt_error, NULL},
1da177e4
LT		 346};
347
348#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
349
c312feb2
EP		 350static int may_context_mount_sb_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
275bb41e 352 const struct cred *cred)
c312feb2 353{
275bb41e 354 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 355 int rc;
356
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
361
362 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__RELABELTO, NULL);
364 return rc;
365}
366
0808925e
EP		 367static int may_context_mount_inode_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
275bb41e 369 const struct cred *cred)
0808925e 370{
275bb41e 371 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 372 int rc;
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__ASSOCIATE, NULL);
380 return rc;
381}
382
c9180a57 383static int sb_finish_set_opts(struct super_block *sb)
1da177e4 384{
1da177e4 385 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 386 struct dentry *root = sb->s_root;
387 struct inode *root_inode = root->d_inode;
388 int rc = 0;
1da177e4 389
c9180a57
EP		 390 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
391 /* Make sure that the xattr handler exists and that no
392 error other than -ENODATA is returned by getxattr on
393 the root directory. -ENODATA is ok, as this may be
394 the first boot of the SELinux kernel before we have
395 assigned xattr values to the filesystem. */
396 if (!root_inode->i_op->getxattr) {
397 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
398 "xattr support\n", sb->s_id, sb->s_type->name);
399 rc = -EOPNOTSUPP;
400 goto out;
401 }
402 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
403 if (rc < 0 && rc != -ENODATA) {
404 if (rc == -EOPNOTSUPP)
405 printk(KERN_WARNING "SELinux: (dev %s, type "
406 "%s) has no security xattr handler\n",
407 sb->s_id, sb->s_type->name);
408 else
409 printk(KERN_WARNING "SELinux: (dev %s, type "
410 "%s) getxattr errno %d\n", sb->s_id,
411 sb->s_type->name, -rc);
412 goto out;
413 }
414 }
1da177e4 415
11689d47 416 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
1da177e4 417
c9180a57
EP		 418 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
419 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
420 sb->s_id, sb->s_type->name);
421 else
422 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
423 sb->s_id, sb->s_type->name,
424 labeling_behaviors[sbsec->behavior-1]);
1da177e4 425
11689d47
DQ		 426 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
427 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
428 sbsec->behavior == SECURITY_FS_USE_NONE ||
429 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
430 sbsec->flags &= ~SE_SBLABELSUPP;
431
ddd29ec6
DQ		 432 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
433 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
434 sbsec->flags |= SE_SBLABELSUPP;
435
c9180a57
EP		 436 /* Initialize the root inode. */
437 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 438
c9180a57
EP		 439 /* Initialize any other inodes associated with the superblock, e.g.
440 inodes created prior to initial policy load or inodes created
441 during get_sb by a pseudo filesystem that directly
442 populates itself. */
443 spin_lock(&sbsec->isec_lock);
444next_inode:
445 if (!list_empty(&sbsec->isec_head)) {
446 struct inode_security_struct *isec =
447 list_entry(sbsec->isec_head.next,
448 struct inode_security_struct, list);
449 struct inode *inode = isec->inode;
450 spin_unlock(&sbsec->isec_lock);
451 inode = igrab(inode);
452 if (inode) {
453 if (!IS_PRIVATE(inode))
454 inode_doinit(inode);
455 iput(inode);
456 }
457 spin_lock(&sbsec->isec_lock);
458 list_del_init(&isec->list);
459 goto next_inode;
460 }
461 spin_unlock(&sbsec->isec_lock);
462out:
463 return rc;
464}
1da177e4 465
c9180a57
EP		 466/*
467 * This function should allow an FS to ask what it's mount security
468 * options were so it can use those later for submounts, displaying
469 * mount options, or whatever.
470 */
471static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 472 struct security_mnt_opts *opts)
c9180a57
EP		 473{
474 int rc = 0, i;
475 struct superblock_security_struct *sbsec = sb->s_security;
476 char *context = NULL;
477 u32 len;
478 char tmp;
1da177e4 479
e0007529 480 security_init_mnt_opts(opts);
1da177e4 481
0d90a7ec 482 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 483 return -EINVAL;
1da177e4 484
c9180a57
EP		 485 if (!ss_initialized)
486 return -EINVAL;
1da177e4 487
0d90a7ec 488 tmp = sbsec->flags & SE_MNTMASK;
c9180a57
EP		 489 /* count the number of mount options for this sb */
490 for (i = 0; i < 8; i++) {
491 if (tmp & 0x01)
e0007529 492 opts->num_mnt_opts++;
c9180a57
EP		 493 tmp >>= 1;
494 }
11689d47
DQ		 495 /* Check if the Label support flag is set */
496 if (sbsec->flags & SE_SBLABELSUPP)
497 opts->num_mnt_opts++;
1da177e4 498
e0007529
EP		 499 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
500 if (!opts->mnt_opts) {
c9180a57
EP		 501 rc = -ENOMEM;
502 goto out_free;
503 }
1da177e4 504
e0007529
EP		 505 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
506 if (!opts->mnt_opts_flags) {
c9180a57
EP		 507 rc = -ENOMEM;
508 goto out_free;
509 }
1da177e4 510
c9180a57
EP		 511 i = 0;
512 if (sbsec->flags & FSCONTEXT_MNT) {
513 rc = security_sid_to_context(sbsec->sid, &context, &len);
514 if (rc)
515 goto out_free;
e0007529
EP		 516 opts->mnt_opts[i] = context;
517 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 518 }
519 if (sbsec->flags & CONTEXT_MNT) {
520 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
521 if (rc)
522 goto out_free;
e0007529
EP		 523 opts->mnt_opts[i] = context;
524 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 525 }
526 if (sbsec->flags & DEFCONTEXT_MNT) {
527 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
528 if (rc)
529 goto out_free;
e0007529
EP		 530 opts->mnt_opts[i] = context;
531 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 532 }
533 if (sbsec->flags & ROOTCONTEXT_MNT) {
534 struct inode *root = sbsec->sb->s_root->d_inode;
535 struct inode_security_struct *isec = root->i_security;
0808925e 536
c9180a57
EP		 537 rc = security_sid_to_context(isec->sid, &context, &len);
538 if (rc)
539 goto out_free;
e0007529
EP		 540 opts->mnt_opts[i] = context;
541 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 542 }
11689d47
DQ		 543 if (sbsec->flags & SE_SBLABELSUPP) {
544 opts->mnt_opts[i] = NULL;
545 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
546 }
1da177e4 547
e0007529 548 BUG_ON(i != opts->num_mnt_opts);
1da177e4 549
c9180a57
EP		 550 return 0;
551
552out_free:
e0007529 553 security_free_mnt_opts(opts);
c9180a57
EP		 554 return rc;
555}
1da177e4 556
c9180a57
EP		 557static int bad_option(struct superblock_security_struct *sbsec, char flag,
558 u32 old_sid, u32 new_sid)
559{
0d90a7ec
DQ		 560 char mnt_flags = sbsec->flags & SE_MNTMASK;
561
c9180a57 562 /* check if the old mount command had the same options */
0d90a7ec 563 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 564 if (!(sbsec->flags & flag) ||
565 (old_sid != new_sid))
566 return 1;
567
568 /* check if we were passed the same options twice,
569 * aka someone passed context=a,context=b
570 */
0d90a7ec
DQ		 571 if (!(sbsec->flags & SE_SBINITIALIZED))
572 if (mnt_flags & flag)
c9180a57
EP		 573 return 1;
574 return 0;
575}
e0007529 576
c9180a57
EP		 577/*
578 * Allow filesystems with binary mount data to explicitly set mount point
579 * labeling information.
580 */
e0007529
EP		 581static int selinux_set_mnt_opts(struct super_block *sb,
582 struct security_mnt_opts *opts)
c9180a57 583{
275bb41e 584 const struct cred *cred = current_cred();
c9180a57 585 int rc = 0, i;
c9180a57
EP		 586 struct superblock_security_struct *sbsec = sb->s_security;
587 const char *name = sb->s_type->name;
089be43e
JM		 588 struct inode *inode = sbsec->sb->s_root->d_inode;
589 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 590 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
591 u32 defcontext_sid = 0;
e0007529
EP		 592 char **mount_options = opts->mnt_opts;
593 int *flags = opts->mnt_opts_flags;
594 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 595
596 mutex_lock(&sbsec->lock);
597
598 if (!ss_initialized) {
599 if (!num_opts) {
600 /* Defer initialization until selinux_complete_init,
601 after the initial policy is loaded and the security
602 server is ready to handle calls. */
c9180a57
EP		 603 goto out;
604 }
605 rc = -EINVAL;
744ba35e
EP		 606 printk(KERN_WARNING "SELinux: Unable to set superblock options "
607 "before the security server is initialized\n");
1da177e4 608 goto out;
c9180a57 609 }
1da177e4 610
e0007529
EP		 611 /*
612 * Binary mount data FS will come through this function twice. Once
613 * from an explicit call and once from the generic calls from the vfs.
614 * Since the generic VFS calls will not contain any security mount data
615 * we need to skip the double mount verification.
616 *
617 * This does open a hole in which we will not notice if the first
618 * mount using this sb set explict options and a second mount using
619 * this sb does not set any security options. (The first options
620 * will be used for both mounts)
621 */
0d90a7ec 622 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 623 && (num_opts == 0))
f5269710 624 goto out;
e0007529 625
c9180a57
EP		 626 /*
627 * parse the mount options, check if they are valid sids.
628 * also check if someone is trying to mount the same sb more
629 * than once with different security options.
630 */
631 for (i = 0; i < num_opts; i++) {
632 u32 sid;
11689d47
DQ		 633
634 if (flags[i] == SE_SBLABELSUPP)
635 continue;
c9180a57
EP		 636 rc = security_context_to_sid(mount_options[i],
637 strlen(mount_options[i]), &sid);
1da177e4
LT		 638 if (rc) {
639 printk(KERN_WARNING "SELinux: security_context_to_sid"
640 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 641 mount_options[i], sb->s_id, name, rc);
642 goto out;
643 }
644 switch (flags[i]) {
645 case FSCONTEXT_MNT:
646 fscontext_sid = sid;
647
648 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
649 fscontext_sid))
650 goto out_double_mount;
651
652 sbsec->flags |= FSCONTEXT_MNT;
653 break;
654 case CONTEXT_MNT:
655 context_sid = sid;
656
657 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
658 context_sid))
659 goto out_double_mount;
660
661 sbsec->flags |= CONTEXT_MNT;
662 break;
663 case ROOTCONTEXT_MNT:
664 rootcontext_sid = sid;
665
666 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
667 rootcontext_sid))
668 goto out_double_mount;
669
670 sbsec->flags |= ROOTCONTEXT_MNT;
671
672 break;
673 case DEFCONTEXT_MNT:
674 defcontext_sid = sid;
675
676 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
677 defcontext_sid))
678 goto out_double_mount;
679
680 sbsec->flags |= DEFCONTEXT_MNT;
681
682 break;
683 default:
684 rc = -EINVAL;
685 goto out;
1da177e4 686 }
c9180a57
EP		 687 }
688
0d90a7ec 689 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 690 /* previously mounted with options, but not on this attempt? */
0d90a7ec 691 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 692 goto out_double_mount;
693 rc = 0;
694 goto out;
695 }
696
089be43e 697 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 698 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 699
700 /* Determine the labeling behavior to use for this filesystem type. */
0d90a7ec 701 rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 702 if (rc) {
703 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 704 __func__, sb->s_type->name, rc);
c9180a57
EP		 705 goto out;
706 }
1da177e4 707
c9180a57
EP		 708 /* sets the context of the superblock for the fs being mounted. */
709 if (fscontext_sid) {
275bb41e 710 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 711 if (rc)
c9180a57 712 goto out;
1da177e4 713
c9180a57 714 sbsec->sid = fscontext_sid;
c312feb2
EP		 715 }
716
717 /*
718 * Switch to using mount point labeling behavior.
719 * sets the label used on all file below the mountpoint, and will set
720 * the superblock context if not already set.
721 */
c9180a57
EP		 722 if (context_sid) {
723 if (!fscontext_sid) {
275bb41e
DH		 724 rc = may_context_mount_sb_relabel(context_sid, sbsec,
725 cred);
b04ea3ce 726 if (rc)
c9180a57
EP		 727 goto out;
728 sbsec->sid = context_sid;
b04ea3ce 729 } else {
275bb41e
DH		 730 rc = may_context_mount_inode_relabel(context_sid, sbsec,
731 cred);
b04ea3ce 732 if (rc)
c9180a57 733 goto out;
b04ea3ce 734 }
c9180a57
EP		 735 if (!rootcontext_sid)
736 rootcontext_sid = context_sid;
1da177e4 737
c9180a57 738 sbsec->mntpoint_sid = context_sid;
c312feb2 739 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 740 }
741
c9180a57 742 if (rootcontext_sid) {
275bb41e
DH		 743 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
744 cred);
0808925e 745 if (rc)
c9180a57 746 goto out;
0808925e 747
c9180a57
EP		 748 root_isec->sid = rootcontext_sid;
749 root_isec->initialized = 1;
0808925e
EP		 750 }
751
c9180a57
EP		 752 if (defcontext_sid) {
753 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
754 rc = -EINVAL;
755 printk(KERN_WARNING "SELinux: defcontext option is "
756 "invalid for this filesystem type\n");
757 goto out;
1da177e4
LT		 758 }
759
c9180a57
EP		 760 if (defcontext_sid != sbsec->def_sid) {
761 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 762 sbsec, cred);
c9180a57
EP		 763 if (rc)
764 goto out;
765 }
1da177e4 766
c9180a57 767 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 768 }
769
c9180a57 770 rc = sb_finish_set_opts(sb);
1da177e4 771out:
c9180a57 772 mutex_unlock(&sbsec->lock);
1da177e4 773 return rc;
c9180a57
EP		 774out_double_mount:
775 rc = -EINVAL;
776 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
777 "security settings for (dev %s, type %s)\n", sb->s_id, name);
778 goto out;
1da177e4
LT		 779}
780
c9180a57
EP		 781static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
782 struct super_block *newsb)
1da177e4 783{
c9180a57
EP		 784 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
785 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 786
c9180a57
EP		 787 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
788 int set_context = (oldsbsec->flags & CONTEXT_MNT);
789 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 790
0f5e6420
EP		 791 /*
792 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 793 * mount options. thus we can safely deal with this superblock later
0f5e6420 794 */
e8c26255 795 if (!ss_initialized)
0f5e6420 796 return;
c9180a57 797
c9180a57 798 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 799 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 800
5a552617 801 /* if fs is reusing a sb, just let its options stand... */
0d90a7ec 802 if (newsbsec->flags & SE_SBINITIALIZED)
5a552617
EP		 803 return;
804
c9180a57
EP		 805 mutex_lock(&newsbsec->lock);
806
807 newsbsec->flags = oldsbsec->flags;
808
809 newsbsec->sid = oldsbsec->sid;
810 newsbsec->def_sid = oldsbsec->def_sid;
811 newsbsec->behavior = oldsbsec->behavior;
812
813 if (set_context) {
814 u32 sid = oldsbsec->mntpoint_sid;
815
816 if (!set_fscontext)
817 newsbsec->sid = sid;
818 if (!set_rootcontext) {
819 struct inode *newinode = newsb->s_root->d_inode;
820 struct inode_security_struct *newisec = newinode->i_security;
821 newisec->sid = sid;
822 }
823 newsbsec->mntpoint_sid = sid;
1da177e4 824 }
c9180a57
EP		 825 if (set_rootcontext) {
826 const struct inode *oldinode = oldsb->s_root->d_inode;
827 const struct inode_security_struct *oldisec = oldinode->i_security;
828 struct inode *newinode = newsb->s_root->d_inode;
829 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 830
c9180a57 831 newisec->sid = oldisec->sid;
1da177e4
LT		 832 }
833
c9180a57
EP		 834 sb_finish_set_opts(newsb);
835 mutex_unlock(&newsbsec->lock);
836}
837
2e1479d9
AB		 838static int selinux_parse_opts_str(char *options,
839 struct security_mnt_opts *opts)
c9180a57 840{
e0007529 841 char *p;
c9180a57
EP		 842 char *context = NULL, *defcontext = NULL;
843 char *fscontext = NULL, *rootcontext = NULL;
e0007529 844 int rc, num_mnt_opts = 0;
1da177e4 845
e0007529 846 opts->num_mnt_opts = 0;
1da177e4 847
c9180a57
EP		 848 /* Standard string-based options. */
849 while ((p = strsep(&options, "|")) != NULL) {
850 int token;
851 substring_t args[MAX_OPT_ARGS];
1da177e4 852
c9180a57
EP		 853 if (!*p)
854 continue;
1da177e4 855
c9180a57 856 token = match_token(p, tokens, args);
1da177e4 857
c9180a57
EP		 858 switch (token) {
859 case Opt_context:
860 if (context || defcontext) {
861 rc = -EINVAL;
862 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 goto out_err;
864 }
865 context = match_strdup(&args[0]);
866 if (!context) {
867 rc = -ENOMEM;
868 goto out_err;
869 }
870 break;
871
872 case Opt_fscontext:
873 if (fscontext) {
874 rc = -EINVAL;
875 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 goto out_err;
877 }
878 fscontext = match_strdup(&args[0]);
879 if (!fscontext) {
880 rc = -ENOMEM;
881 goto out_err;
882 }
883 break;
884
885 case Opt_rootcontext:
886 if (rootcontext) {
887 rc = -EINVAL;
888 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 goto out_err;
890 }
891 rootcontext = match_strdup(&args[0]);
892 if (!rootcontext) {
893 rc = -ENOMEM;
894 goto out_err;
895 }
896 break;
897
898 case Opt_defcontext:
899 if (context || defcontext) {
900 rc = -EINVAL;
901 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
902 goto out_err;
903 }
904 defcontext = match_strdup(&args[0]);
905 if (!defcontext) {
906 rc = -ENOMEM;
907 goto out_err;
908 }
909 break;
11689d47
DQ		 910 case Opt_labelsupport:
911 break;
c9180a57
EP		 912 default:
913 rc = -EINVAL;
914 printk(KERN_WARNING "SELinux: unknown mount option\n");
915 goto out_err;
1da177e4 916
1da177e4 917 }
1da177e4 918 }
c9180a57 919
e0007529
EP		 920 rc = -ENOMEM;
921 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
922 if (!opts->mnt_opts)
923 goto out_err;
924
925 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
926 if (!opts->mnt_opts_flags) {
927 kfree(opts->mnt_opts);
928 goto out_err;
929 }
930
c9180a57 931 if (fscontext) {
e0007529
EP		 932 opts->mnt_opts[num_mnt_opts] = fscontext;
933 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 934 }
935 if (context) {
e0007529
EP		 936 opts->mnt_opts[num_mnt_opts] = context;
937 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 938 }
939 if (rootcontext) {
e0007529
EP		 940 opts->mnt_opts[num_mnt_opts] = rootcontext;
941 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 942 }
943 if (defcontext) {
e0007529
EP		 944 opts->mnt_opts[num_mnt_opts] = defcontext;
945 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 946 }
947
e0007529
EP		 948 opts->num_mnt_opts = num_mnt_opts;
949 return 0;
950
c9180a57
EP		 951out_err:
952 kfree(context);
953 kfree(defcontext);
954 kfree(fscontext);
955 kfree(rootcontext);
1da177e4
LT		 956 return rc;
957}
e0007529
EP		 958/*
959 * string mount options parsing and call set the sbsec
960 */
961static int superblock_doinit(struct super_block *sb, void *data)
962{
963 int rc = 0;
964 char *options = data;
965 struct security_mnt_opts opts;
966
967 security_init_mnt_opts(&opts);
968
969 if (!data)
970 goto out;
971
972 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
973
974 rc = selinux_parse_opts_str(options, &opts);
975 if (rc)
976 goto out_err;
977
978out:
979 rc = selinux_set_mnt_opts(sb, &opts);
980
981out_err:
982 security_free_mnt_opts(&opts);
983 return rc;
984}
1da177e4 985
3583a711
AB		 986static void selinux_write_opts(struct seq_file *m,
987 struct security_mnt_opts *opts)
2069f457
EP		 988{
989 int i;
990 char *prefix;
991
992 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 993 char *has_comma;
994
995 if (opts->mnt_opts[i])
996 has_comma = strchr(opts->mnt_opts[i], ',');
997 else
998 has_comma = NULL;
2069f457
EP		 999
1000 switch (opts->mnt_opts_flags[i]) {
1001 case CONTEXT_MNT:
1002 prefix = CONTEXT_STR;
1003 break;
1004 case FSCONTEXT_MNT:
1005 prefix = FSCONTEXT_STR;
1006 break;
1007 case ROOTCONTEXT_MNT:
1008 prefix = ROOTCONTEXT_STR;
1009 break;
1010 case DEFCONTEXT_MNT:
1011 prefix = DEFCONTEXT_STR;
1012 break;
11689d47
DQ		 1013 case SE_SBLABELSUPP:
1014 seq_putc(m, ',');
1015 seq_puts(m, LABELSUPP_STR);
1016 continue;
2069f457
EP		 1017 default:
1018 BUG();
1019 };
1020 /* we need a comma before each option */
1021 seq_putc(m, ',');
1022 seq_puts(m, prefix);
1023 if (has_comma)
1024 seq_putc(m, '\"');
1025 seq_puts(m, opts->mnt_opts[i]);
1026 if (has_comma)
1027 seq_putc(m, '\"');
1028 }
1029}
1030
1031static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032{
1033 struct security_mnt_opts opts;
1034 int rc;
1035
1036 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1037 if (rc) {
1038 /* before policy load we may get EINVAL, don't show anything */
1039 if (rc == -EINVAL)
1040 rc = 0;
2069f457 1041 return rc;
383795c2 1042 }
2069f457
EP		 1043
1044 selinux_write_opts(m, &opts);
1045
1046 security_free_mnt_opts(&opts);
1047
1048 return rc;
1049}
1050
1da177e4
LT		 1051static inline u16 inode_mode_to_security_class(umode_t mode)
1052{
1053 switch (mode & S_IFMT) {
1054 case S_IFSOCK:
1055 return SECCLASS_SOCK_FILE;
1056 case S_IFLNK:
1057 return SECCLASS_LNK_FILE;
1058 case S_IFREG:
1059 return SECCLASS_FILE;
1060 case S_IFBLK:
1061 return SECCLASS_BLK_FILE;
1062 case S_IFDIR:
1063 return SECCLASS_DIR;
1064 case S_IFCHR:
1065 return SECCLASS_CHR_FILE;
1066 case S_IFIFO:
1067 return SECCLASS_FIFO_FILE;
1068
1069 }
1070
1071 return SECCLASS_FILE;
1072}
1073
13402580
JM		 1074static inline int default_protocol_stream(int protocol)
1075{
1076 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077}
1078
1079static inline int default_protocol_dgram(int protocol)
1080{
1081 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082}
1083
1da177e4
LT		 1084static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085{
1086 switch (family) {
1087 case PF_UNIX:
1088 switch (type) {
1089 case SOCK_STREAM:
1090 case SOCK_SEQPACKET:
1091 return SECCLASS_UNIX_STREAM_SOCKET;
1092 case SOCK_DGRAM:
1093 return SECCLASS_UNIX_DGRAM_SOCKET;
1094 }
1095 break;
1096 case PF_INET:
1097 case PF_INET6:
1098 switch (type) {
1099 case SOCK_STREAM:
13402580
JM		 1100 if (default_protocol_stream(protocol))
1101 return SECCLASS_TCP_SOCKET;
1102 else
1103 return SECCLASS_RAWIP_SOCKET;
1da177e4 1104 case SOCK_DGRAM:
13402580
JM		 1105 if (default_protocol_dgram(protocol))
1106 return SECCLASS_UDP_SOCKET;
1107 else
1108 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1109 case SOCK_DCCP:
1110 return SECCLASS_DCCP_SOCKET;
13402580 1111 default:
1da177e4
LT		 1112 return SECCLASS_RAWIP_SOCKET;
1113 }
1114 break;
1115 case PF_NETLINK:
1116 switch (protocol) {
1117 case NETLINK_ROUTE:
1118 return SECCLASS_NETLINK_ROUTE_SOCKET;
1119 case NETLINK_FIREWALL:
1120 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1121 case NETLINK_INET_DIAG:
1da177e4
LT		 1122 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123 case NETLINK_NFLOG:
1124 return SECCLASS_NETLINK_NFLOG_SOCKET;
1125 case NETLINK_XFRM:
1126 return SECCLASS_NETLINK_XFRM_SOCKET;
1127 case NETLINK_SELINUX:
1128 return SECCLASS_NETLINK_SELINUX_SOCKET;
1129 case NETLINK_AUDIT:
1130 return SECCLASS_NETLINK_AUDIT_SOCKET;
1131 case NETLINK_IP6_FW:
1132 return SECCLASS_NETLINK_IP6FW_SOCKET;
1133 case NETLINK_DNRTMSG:
1134 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1135 case NETLINK_KOBJECT_UEVENT:
1136 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1137 default:
1138 return SECCLASS_NETLINK_SOCKET;
1139 }
1140 case PF_PACKET:
1141 return SECCLASS_PACKET_SOCKET;
1142 case PF_KEY:
1143 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1144 case PF_APPLETALK:
1145 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1146 }
1147
1148 return SECCLASS_SOCKET;
1149}
1150
1151#ifdef CONFIG_PROC_FS
1152static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153 u16 tclass,
1154 u32 *sid)
1155{
1156 int buflen, rc;
1157 char *buffer, *path, *end;
1158
828dfe1d 1159 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1160 if (!buffer)
1161 return -ENOMEM;
1162
1163 buflen = PAGE_SIZE;
1164 end = buffer+buflen;
1165 *--end = '\0';
1166 buflen--;
1167 path = end-1;
1168 *path = '/';
1169 while (de && de != de->parent) {
1170 buflen -= de->namelen + 1;
1171 if (buflen < 0)
1172 break;
1173 end -= de->namelen;
1174 memcpy(end, de->name, de->namelen);
1175 *--end = '/';
1176 path = end;
1177 de = de->parent;
1178 }
1179 rc = security_genfs_sid("proc", path, tclass, sid);
1180 free_page((unsigned long)buffer);
1181 return rc;
1182}
1183#else
1184static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185 u16 tclass,
1186 u32 *sid)
1187{
1188 return -EINVAL;
1189}
1190#endif
1191
1192/* The inode's security attributes must be initialized before first use. */
1193static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194{
1195 struct superblock_security_struct *sbsec = NULL;
1196 struct inode_security_struct *isec = inode->i_security;
1197 u32 sid;
1198 struct dentry *dentry;
1199#define INITCONTEXTLEN 255
1200 char *context = NULL;
1201 unsigned len = 0;
1202 int rc = 0;
1da177e4
LT		 1203
1204 if (isec->initialized)
1205 goto out;
1206
23970741 1207 mutex_lock(&isec->lock);
1da177e4 1208 if (isec->initialized)
23970741 1209 goto out_unlock;
1da177e4
LT		 1210
1211 sbsec = inode->i_sb->s_security;
0d90a7ec 1212 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1213 /* Defer initialization until selinux_complete_init,
1214 after the initial policy is loaded and the security
1215 server is ready to handle calls. */
1216 spin_lock(&sbsec->isec_lock);
1217 if (list_empty(&isec->list))
1218 list_add(&isec->list, &sbsec->isec_head);
1219 spin_unlock(&sbsec->isec_lock);
23970741 1220 goto out_unlock;
1da177e4
LT		 1221 }
1222
1223 switch (sbsec->behavior) {
1224 case SECURITY_FS_USE_XATTR:
1225 if (!inode->i_op->getxattr) {
1226 isec->sid = sbsec->def_sid;
1227 break;
1228 }
1229
1230 /* Need a dentry, since the xattr API requires one.
1231 Life would be simpler if we could just pass the inode. */
1232 if (opt_dentry) {
1233 /* Called from d_instantiate or d_splice_alias. */
1234 dentry = dget(opt_dentry);
1235 } else {
1236 /* Called from selinux_complete_init, try to find a dentry. */
1237 dentry = d_find_alias(inode);
1238 }
1239 if (!dentry) {
df7f54c0
EP		 1240 /*
1241 * this is can be hit on boot when a file is accessed
1242 * before the policy is loaded. When we load policy we
1243 * may find inodes that have no dentry on the
1244 * sbsec->isec_head list. No reason to complain as these
1245 * will get fixed up the next time we go through
1246 * inode_doinit with a dentry, before these inodes could
1247 * be used again by userspace.
1248 */
23970741 1249 goto out_unlock;
1da177e4
LT		 1250 }
1251
1252 len = INITCONTEXTLEN;
4cb912f1 1253 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1254 if (!context) {
1255 rc = -ENOMEM;
1256 dput(dentry);
23970741 1257 goto out_unlock;
1da177e4 1258 }
4cb912f1 1259 context[len] = '\0';
1da177e4
LT		 1260 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1261 context, len);
1262 if (rc == -ERANGE) {
314dabb8
JM		 1263 kfree(context);
1264
1da177e4
LT		 1265 /* Need a larger buffer. Query for the right size. */
1266 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1267 NULL, 0);
1268 if (rc < 0) {
1269 dput(dentry);
23970741 1270 goto out_unlock;
1da177e4 1271 }
1da177e4 1272 len = rc;
4cb912f1 1273 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1274 if (!context) {
1275 rc = -ENOMEM;
1276 dput(dentry);
23970741 1277 goto out_unlock;
1da177e4 1278 }
4cb912f1 1279 context[len] = '\0';
1da177e4
LT		 1280 rc = inode->i_op->getxattr(dentry,
1281 XATTR_NAME_SELINUX,
1282 context, len);
1283 }
1284 dput(dentry);
1285 if (rc < 0) {
1286 if (rc != -ENODATA) {
744ba35e 1287 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1288 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1289 -rc, inode->i_sb->s_id, inode->i_ino);
1290 kfree(context);
23970741 1291 goto out_unlock;
1da177e4
LT		 1292 }
1293 /* Map ENODATA to the default file SID */
1294 sid = sbsec->def_sid;
1295 rc = 0;
1296 } else {
f5c1d5b2 1297 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1298 sbsec->def_sid,
1299 GFP_NOFS);
1da177e4 1300 if (rc) {
4ba0a8ad
EP		 1301 char *dev = inode->i_sb->s_id;
1302 unsigned long ino = inode->i_ino;
1303
1304 if (rc == -EINVAL) {
1305 if (printk_ratelimit())
1306 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1307 "context=%s. This indicates you may need to relabel the inode or the "
1308 "filesystem in question.\n", ino, dev, context);
1309 } else {
1310 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1311 "returned %d for dev=%s ino=%ld\n",
1312 __func__, context, -rc, dev, ino);
1313 }
1da177e4
LT		 1314 kfree(context);
1315 /* Leave with the unlabeled SID */
1316 rc = 0;
1317 break;
1318 }
1319 }
1320 kfree(context);
1321 isec->sid = sid;
1322 break;
1323 case SECURITY_FS_USE_TASK:
1324 isec->sid = isec->task_sid;
1325 break;
1326 case SECURITY_FS_USE_TRANS:
1327 /* Default to the fs SID. */
1328 isec->sid = sbsec->sid;
1329
1330 /* Try to obtain a transition SID. */
1331 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1332 rc = security_transition_sid(isec->task_sid,
1333 sbsec->sid,
1334 isec->sclass,
1335 &sid);
1336 if (rc)
23970741 1337 goto out_unlock;
1da177e4
LT		 1338 isec->sid = sid;
1339 break;
c312feb2
EP		 1340 case SECURITY_FS_USE_MNTPOINT:
1341 isec->sid = sbsec->mntpoint_sid;
1342 break;
1da177e4 1343 default:
c312feb2 1344 /* Default to the fs superblock SID. */
1da177e4
LT		 1345 isec->sid = sbsec->sid;
1346
0d90a7ec 1347 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1da177e4
LT		 1348 struct proc_inode *proci = PROC_I(inode);
1349 if (proci->pde) {
1350 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351 rc = selinux_proc_get_sid(proci->pde,
1352 isec->sclass,
1353 &sid);
1354 if (rc)
23970741 1355 goto out_unlock;
1da177e4
LT		 1356 isec->sid = sid;
1357 }
1358 }
1359 break;
1360 }
1361
1362 isec->initialized = 1;
1363
23970741
EP		 1364out_unlock:
1365 mutex_unlock(&isec->lock);
1da177e4
LT		 1366out:
1367 if (isec->sclass == SECCLASS_FILE)
1368 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1369 return rc;
1370}
1371
1372/* Convert a Linux signal to an access vector. */
1373static inline u32 signal_to_av(int sig)
1374{
1375 u32 perm = 0;
1376
1377 switch (sig) {
1378 case SIGCHLD:
1379 /* Commonly granted from child to parent. */
1380 perm = PROCESS__SIGCHLD;
1381 break;
1382 case SIGKILL:
1383 /* Cannot be caught or ignored */
1384 perm = PROCESS__SIGKILL;
1385 break;
1386 case SIGSTOP:
1387 /* Cannot be caught or ignored */
1388 perm = PROCESS__SIGSTOP;
1389 break;
1390 default:
1391 /* All other signals. */
1392 perm = PROCESS__SIGNAL;
1393 break;
1394 }
1395
1396 return perm;
1397}
1398
d84f4f99
DH		 1399/*
1400 * Check permission between a pair of credentials
1401 * fork check, ptrace check, etc.
1402 */
1403static int cred_has_perm(const struct cred *actor,
1404 const struct cred *target,
1405 u32 perms)
1406{
1407 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1408
1409 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1410}
1411
275bb41e 1412/*
88e67f3b 1413 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1414 * fork check, ptrace check, etc.
1415 * tsk1 is the actor and tsk2 is the target
3b11a1de 1416 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1417 */
1418static int task_has_perm(const struct task_struct *tsk1,
1419 const struct task_struct *tsk2,
1da177e4
LT		 1420 u32 perms)
1421{
275bb41e
DH		 1422 const struct task_security_struct *__tsec1, *__tsec2;
1423 u32 sid1, sid2;
1da177e4 1424
275bb41e
DH		 1425 rcu_read_lock();
1426 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1427 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1428 rcu_read_unlock();
1429 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1430}
1431
3b11a1de
DH		 1432/*
1433 * Check permission between current and another task, e.g. signal checks,
1434 * fork check, ptrace check, etc.
1435 * current is the actor and tsk2 is the target
1436 * - this uses current's subjective creds
1437 */
1438static int current_has_perm(const struct task_struct *tsk,
1439 u32 perms)
1440{
1441 u32 sid, tsid;
1442
1443 sid = current_sid();
1444 tsid = task_sid(tsk);
1445 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1446}
1447
b68e418c
SS		 1448#if CAP_LAST_CAP > 63
1449#error Fix SELinux to handle capabilities > 63.
1450#endif
1451
1da177e4
LT		 1452/* Check whether a task is allowed to use a capability. */
1453static int task_has_capability(struct task_struct *tsk,
3699c53c 1454 const struct cred *cred,
06112163 1455 int cap, int audit)
1da177e4 1456{
2bf49690 1457 struct common_audit_data ad;
06112163 1458 struct av_decision avd;
b68e418c 1459 u16 sclass;
3699c53c 1460 u32 sid = cred_sid(cred);
b68e418c 1461 u32 av = CAP_TO_MASK(cap);
06112163 1462 int rc;
1da177e4 1463
2bf49690 1464 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1465 ad.tsk = tsk;
1466 ad.u.cap = cap;
1467
b68e418c
SS		 1468 switch (CAP_TO_INDEX(cap)) {
1469 case 0:
1470 sclass = SECCLASS_CAPABILITY;
1471 break;
1472 case 1:
1473 sclass = SECCLASS_CAPABILITY2;
1474 break;
1475 default:
1476 printk(KERN_ERR
1477 "SELinux: out of range capability %d\n", cap);
1478 BUG();
1479 }
06112163 1480
275bb41e 1481 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
06112163 1482 if (audit == SECURITY_CAP_AUDIT)
275bb41e 1483 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
06112163 1484 return rc;
1da177e4
LT		 1485}
1486
1487/* Check whether a task is allowed to use a system operation. */
1488static int task_has_system(struct task_struct *tsk,
1489 u32 perms)
1490{
275bb41e 1491 u32 sid = task_sid(tsk);
1da177e4 1492
275bb41e 1493 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1494 SECCLASS_SYSTEM, perms, NULL);
1495}
1496
1497/* Check whether a task has a particular permission to an inode.
1498 The 'adp' parameter is optional and allows other audit
1499 data to be passed (e.g. the dentry). */
88e67f3b 1500static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1501 struct inode *inode,
1502 u32 perms,
2bf49690 1503 struct common_audit_data *adp)
1da177e4 1504{
1da177e4 1505 struct inode_security_struct *isec;
2bf49690 1506 struct common_audit_data ad;
275bb41e 1507 u32 sid;
1da177e4 1508
e0e81739
DH		 1509 validate_creds(cred);
1510
828dfe1d 1511 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1512 return 0;
1513
88e67f3b 1514 sid = cred_sid(cred);
1da177e4
LT		 1515 isec = inode->i_security;
1516
1517 if (!adp) {
1518 adp = &ad;
2bf49690 1519 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 1520 ad.u.fs.inode = inode;
1521 }
1522
275bb41e 1523 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1524}
1525
1526/* Same as inode_has_perm, but pass explicit audit data containing
1527 the dentry to help the auditing code to more easily generate the
1528 pathname if needed. */
88e67f3b 1529static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1530 struct vfsmount *mnt,
1531 struct dentry *dentry,
1532 u32 av)
1533{
1534 struct inode *inode = dentry->d_inode;
2bf49690 1535 struct common_audit_data ad;
88e67f3b 1536
2bf49690 1537 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1538 ad.u.fs.path.mnt = mnt;
1539 ad.u.fs.path.dentry = dentry;
88e67f3b 1540 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1541}
1542
1543/* Check whether a task can use an open file descriptor to
1544 access an inode in a given way. Check access to the
1545 descriptor itself, and then use dentry_has_perm to
1546 check a particular permission to the file.
1547 Access to the descriptor is implicitly granted if it
1548 has the same SID as the process. If av is zero, then
1549 access to the file is not checked, e.g. for cases
1550 where only the descriptor is affected like seek. */
88e67f3b
DH		 1551static int file_has_perm(const struct cred *cred,
1552 struct file *file,
1553 u32 av)
1da177e4 1554{
1da177e4 1555 struct file_security_struct *fsec = file->f_security;
44707fdf 1556 struct inode *inode = file->f_path.dentry->d_inode;
2bf49690 1557 struct common_audit_data ad;
88e67f3b 1558 u32 sid = cred_sid(cred);
1da177e4
LT		 1559 int rc;
1560
2bf49690 1561 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1562 ad.u.fs.path = file->f_path;
1da177e4 1563
275bb41e
DH		 1564 if (sid != fsec->sid) {
1565 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1566 SECCLASS_FD,
1567 FD__USE,
1568 &ad);
1569 if (rc)
88e67f3b 1570 goto out;
1da177e4
LT		 1571 }
1572
1573 /* av is zero if only checking access to the descriptor. */
88e67f3b 1574 rc = 0;
1da177e4 1575 if (av)
88e67f3b 1576 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1577
88e67f3b
DH		 1578out:
1579 return rc;
1da177e4
LT		 1580}
1581
1582/* Check whether a task can create a file. */
1583static int may_create(struct inode *dir,
1584 struct dentry *dentry,
1585 u16 tclass)
1586{
275bb41e
DH		 1587 const struct cred *cred = current_cred();
1588 const struct task_security_struct *tsec = cred->security;
1da177e4
LT		 1589 struct inode_security_struct *dsec;
1590 struct superblock_security_struct *sbsec;
275bb41e 1591 u32 sid, newsid;
2bf49690 1592 struct common_audit_data ad;
1da177e4
LT		 1593 int rc;
1594
1da177e4
LT		 1595 dsec = dir->i_security;
1596 sbsec = dir->i_sb->s_security;
1597
275bb41e
DH		 1598 sid = tsec->sid;
1599 newsid = tsec->create_sid;
1600
2bf49690 1601 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1602 ad.u.fs.path.dentry = dentry;
1da177e4 1603
275bb41e 1604 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1605 DIR__ADD_NAME | DIR__SEARCH,
1606 &ad);
1607 if (rc)
1608 return rc;
1609
cd89596f 1610 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 1611 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1da177e4
LT		 1612 if (rc)
1613 return rc;
1614 }
1615
275bb41e 1616 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1617 if (rc)
1618 return rc;
1619
1620 return avc_has_perm(newsid, sbsec->sid,
1621 SECCLASS_FILESYSTEM,
1622 FILESYSTEM__ASSOCIATE, &ad);
1623}
1624
4eb582cf
ML		 1625/* Check whether a task can create a key. */
1626static int may_create_key(u32 ksid,
1627 struct task_struct *ctx)
1628{
275bb41e 1629 u32 sid = task_sid(ctx);
4eb582cf 1630
275bb41e 1631 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1632}
1633
828dfe1d
EP		 1634#define MAY_LINK 0
1635#define MAY_UNLINK 1
1636#define MAY_RMDIR 2
1da177e4
LT		 1637
1638/* Check whether a task can link, unlink, or rmdir a file/directory. */
1639static int may_link(struct inode *dir,
1640 struct dentry *dentry,
1641 int kind)
1642
1643{
1da177e4 1644 struct inode_security_struct *dsec, *isec;
2bf49690 1645 struct common_audit_data ad;
275bb41e 1646 u32 sid = current_sid();
1da177e4
LT		 1647 u32 av;
1648 int rc;
1649
1da177e4
LT		 1650 dsec = dir->i_security;
1651 isec = dentry->d_inode->i_security;
1652
2bf49690 1653 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1654 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1655
1656 av = DIR__SEARCH;
1657 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1658 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1659 if (rc)
1660 return rc;
1661
1662 switch (kind) {
1663 case MAY_LINK:
1664 av = FILE__LINK;
1665 break;
1666 case MAY_UNLINK:
1667 av = FILE__UNLINK;
1668 break;
1669 case MAY_RMDIR:
1670 av = DIR__RMDIR;
1671 break;
1672 default:
744ba35e
EP		 1673 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1674 __func__, kind);
1da177e4
LT		 1675 return 0;
1676 }
1677
275bb41e 1678 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1679 return rc;
1680}
1681
1682static inline int may_rename(struct inode *old_dir,
1683 struct dentry *old_dentry,
1684 struct inode *new_dir,
1685 struct dentry *new_dentry)
1686{
1da177e4 1687 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1688 struct common_audit_data ad;
275bb41e 1689 u32 sid = current_sid();
1da177e4
LT		 1690 u32 av;
1691 int old_is_dir, new_is_dir;
1692 int rc;
1693
1da177e4
LT		 1694 old_dsec = old_dir->i_security;
1695 old_isec = old_dentry->d_inode->i_security;
1696 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1697 new_dsec = new_dir->i_security;
1698
2bf49690 1699 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4 1700
44707fdf 1701 ad.u.fs.path.dentry = old_dentry;
275bb41e 1702 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1703 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1704 if (rc)
1705 return rc;
275bb41e 1706 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1707 old_isec->sclass, FILE__RENAME, &ad);
1708 if (rc)
1709 return rc;
1710 if (old_is_dir && new_dir != old_dir) {
275bb41e 1711 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1712 old_isec->sclass, DIR__REPARENT, &ad);
1713 if (rc)
1714 return rc;
1715 }
1716
44707fdf 1717 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1718 av = DIR__ADD_NAME | DIR__SEARCH;
1719 if (new_dentry->d_inode)
1720 av |= DIR__REMOVE_NAME;
275bb41e 1721 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1722 if (rc)
1723 return rc;
1724 if (new_dentry->d_inode) {
1725 new_isec = new_dentry->d_inode->i_security;
1726 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1727 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1728 new_isec->sclass,
1729 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1730 if (rc)
1731 return rc;
1732 }
1733
1734 return 0;
1735}
1736
1737/* Check whether a task can perform a filesystem operation. */
88e67f3b 1738static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1739 struct super_block *sb,
1740 u32 perms,
2bf49690 1741 struct common_audit_data *ad)
1da177e4 1742{
1da177e4 1743 struct superblock_security_struct *sbsec;
88e67f3b 1744 u32 sid = cred_sid(cred);
1da177e4 1745
1da177e4 1746 sbsec = sb->s_security;
275bb41e 1747 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1748}
1749
1750/* Convert a Linux mode and permission mask to an access vector. */
1751static inline u32 file_mask_to_av(int mode, int mask)
1752{
1753 u32 av = 0;
1754
1755 if ((mode & S_IFMT) != S_IFDIR) {
1756 if (mask & MAY_EXEC)
1757 av |= FILE__EXECUTE;
1758 if (mask & MAY_READ)
1759 av |= FILE__READ;
1760
1761 if (mask & MAY_APPEND)
1762 av |= FILE__APPEND;
1763 else if (mask & MAY_WRITE)
1764 av |= FILE__WRITE;
1765
1766 } else {
1767 if (mask & MAY_EXEC)
1768 av |= DIR__SEARCH;
1769 if (mask & MAY_WRITE)
1770 av |= DIR__WRITE;
1771 if (mask & MAY_READ)
1772 av |= DIR__READ;
1773 }
1774
1775 return av;
1776}
1777
8b6a5a37
EP		 1778/* Convert a Linux file to an access vector. */
1779static inline u32 file_to_av(struct file *file)
1780{
1781 u32 av = 0;
1782
1783 if (file->f_mode & FMODE_READ)
1784 av |= FILE__READ;
1785 if (file->f_mode & FMODE_WRITE) {
1786 if (file->f_flags & O_APPEND)
1787 av |= FILE__APPEND;
1788 else
1789 av |= FILE__WRITE;
1790 }
1791 if (!av) {
1792 /*
1793 * Special file opened with flags 3 for ioctl-only use.
1794 */
1795 av = FILE__IOCTL;
1796 }
1797
1798 return av;
1799}
1800
b0c636b9 1801/*
8b6a5a37 1802 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1803 * open permission.
1804 */
8b6a5a37 1805static inline u32 open_file_to_av(struct file *file)
b0c636b9 1806{
8b6a5a37 1807 u32 av = file_to_av(file);
b0c636b9
EP		 1808
1809 if (selinux_policycap_openperm) {
8b6a5a37 1810 mode_t mode = file->f_path.dentry->d_inode->i_mode;
b0c636b9
EP		 1811 /*
1812 * lnk files and socks do not really have an 'open'
1813 */
1814 if (S_ISREG(mode))
1815 av |= FILE__OPEN;
1816 else if (S_ISCHR(mode))
1817 av |= CHR_FILE__OPEN;
1818 else if (S_ISBLK(mode))
1819 av |= BLK_FILE__OPEN;
1820 else if (S_ISFIFO(mode))
1821 av |= FIFO_FILE__OPEN;
1822 else if (S_ISDIR(mode))
1823 av |= DIR__OPEN;
6a25b27d
EP		 1824 else if (S_ISSOCK(mode))
1825 av |= SOCK_FILE__OPEN;
b0c636b9 1826 else
744ba35e 1827 printk(KERN_ERR "SELinux: WARNING: inside %s with "
8b6a5a37 1828 "unknown mode:%o\n", __func__, mode);
b0c636b9
EP		 1829 }
1830 return av;
1831}
1832
1da177e4
LT		 1833/* Hook functions begin here. */
1834
9e48858f 1835static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1836 unsigned int mode)
1da177e4 1837{
1da177e4
LT		 1838 int rc;
1839
9e48858f 1840 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1841 if (rc)
1842 return rc;
1843
006ebb40 1844 if (mode == PTRACE_MODE_READ) {
275bb41e
DH		 1845 u32 sid = current_sid();
1846 u32 csid = task_sid(child);
1847 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1848 }
1849
3b11a1de 1850 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1851}
1852
1853static int selinux_ptrace_traceme(struct task_struct *parent)
1854{
1855 int rc;
1856
200ac532 1857 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1858 if (rc)
1859 return rc;
1860
1861 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1862}
1863
1864static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1865 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1866{
1867 int error;
1868
3b11a1de 1869 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1870 if (error)
1871 return error;
1872
200ac532 1873 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1874}
1875
d84f4f99
DH		 1876static int selinux_capset(struct cred *new, const struct cred *old,
1877 const kernel_cap_t *effective,
1878 const kernel_cap_t *inheritable,
1879 const kernel_cap_t *permitted)
1da177e4
LT		 1880{
1881 int error;
1882
200ac532 1883 error = cap_capset(new, old,
d84f4f99 1884 effective, inheritable, permitted);
1da177e4
LT		 1885 if (error)
1886 return error;
1887
d84f4f99 1888 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1889}
1890
5626d3e8
JM		 1891/*
1892 * (This comment used to live with the selinux_task_setuid hook,
1893 * which was removed).
1894 *
1895 * Since setuid only affects the current process, and since the SELinux
1896 * controls are not based on the Linux identity attributes, SELinux does not
1897 * need to control this operation. However, SELinux does control the use of
1898 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1899 */
1900
3699c53c
DH		 1901static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1902 int cap, int audit)
1da177e4
LT		 1903{
1904 int rc;
1905
200ac532 1906 rc = cap_capable(tsk, cred, cap, audit);
1da177e4
LT		 1907 if (rc)
1908 return rc;
1909
3699c53c 1910 return task_has_capability(tsk, cred, cap, audit);
1da177e4
LT		 1911}
1912
3fbfa981
EB		 1913static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1914{
1915 int buflen, rc;
1916 char *buffer, *path, *end;
1917
1918 rc = -ENOMEM;
828dfe1d 1919 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1920 if (!buffer)
1921 goto out;
1922
1923 buflen = PAGE_SIZE;
1924 end = buffer+buflen;
1925 *--end = '\0';
1926 buflen--;
1927 path = end-1;
1928 *path = '/';
1929 while (table) {
1930 const char *name = table->procname;
1931 size_t namelen = strlen(name);
1932 buflen -= namelen + 1;
1933 if (buflen < 0)
1934 goto out_free;
1935 end -= namelen;
1936 memcpy(end, name, namelen);
1937 *--end = '/';
1938 path = end;
1939 table = table->parent;
1940 }
b599fdfd
EB		 1941 buflen -= 4;
1942 if (buflen < 0)
1943 goto out_free;
1944 end -= 4;
1945 memcpy(end, "/sys", 4);
1946 path = end;
3fbfa981
EB		 1947 rc = security_genfs_sid("proc", path, tclass, sid);
1948out_free:
1949 free_page((unsigned long)buffer);
1950out:
1951 return rc;
1952}
1953
1da177e4
LT		 1954static int selinux_sysctl(ctl_table *table, int op)
1955{
1956 int error = 0;
1957 u32 av;
275bb41e 1958 u32 tsid, sid;
1da177e4
LT		 1959 int rc;
1960
275bb41e 1961 sid = current_sid();
1da177e4 1962
3fbfa981
EB		 1963 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1964 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1965 if (rc) {
1966 /* Default to the well-defined sysctl SID. */
1967 tsid = SECINITSID_SYSCTL;
1968 }
1969
1970 /* The op values are "defined" in sysctl.c, thereby creating
1971 * a bad coupling between this module and sysctl.c */
828dfe1d 1972 if (op == 001) {
275bb41e 1973 error = avc_has_perm(sid, tsid,
1da177e4
LT		 1974 SECCLASS_DIR, DIR__SEARCH, NULL);
1975 } else {
1976 av = 0;
1977 if (op & 004)
1978 av |= FILE__READ;
1979 if (op & 002)
1980 av |= FILE__WRITE;
1981 if (av)
275bb41e 1982 error = avc_has_perm(sid, tsid,
1da177e4 1983 SECCLASS_FILE, av, NULL);
828dfe1d 1984 }
1da177e4
LT		 1985
1986 return error;
1987}
1988
1989static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1990{
88e67f3b 1991 const struct cred *cred = current_cred();
1da177e4
LT		 1992 int rc = 0;
1993
1994 if (!sb)
1995 return 0;
1996
1997 switch (cmds) {
828dfe1d
EP		 1998 case Q_SYNC:
1999 case Q_QUOTAON:
2000 case Q_QUOTAOFF:
2001 case Q_SETINFO:
2002 case Q_SETQUOTA:
88e67f3b 2003 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2004 break;
2005 case Q_GETFMT:
2006 case Q_GETINFO:
2007 case Q_GETQUOTA:
88e67f3b 2008 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2009 break;
2010 default:
2011 rc = 0; /* let the kernel handle invalid cmds */
2012 break;
1da177e4
LT		 2013 }
2014 return rc;
2015}
2016
2017static int selinux_quota_on(struct dentry *dentry)
2018{
88e67f3b
DH		 2019 const struct cred *cred = current_cred();
2020
2021 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1da177e4
LT		 2022}
2023
00234592 2024static int selinux_syslog(int type, bool from_file)
1da177e4
LT		 2025{
2026 int rc;
2027
00234592 2028 rc = cap_syslog(type, from_file);
1da177e4
LT		 2029 if (rc)
2030 return rc;
2031
2032 switch (type) {
d78ca3cd
KC		 2033 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2034 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2035 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2036 break;
d78ca3cd
KC		 2037 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2038 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2039 /* Set level of messages printed to console */
2040 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2041 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2042 break;
d78ca3cd
KC		 2043 case SYSLOG_ACTION_CLOSE: /* Close log */
2044 case SYSLOG_ACTION_OPEN: /* Open log */
2045 case SYSLOG_ACTION_READ: /* Read from log */
2046 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2047 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2048 default:
2049 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2050 break;
1da177e4
LT		 2051 }
2052 return rc;
2053}
2054
2055/*
2056 * Check that a process has enough memory to allocate a new virtual
2057 * mapping. 0 means there is enough memory for the allocation to
2058 * succeed and -ENOMEM implies there is not.
2059 *
1da177e4
LT		 2060 * Do not audit the selinux permission check, as this is applied to all
2061 * processes that allocate mappings.
2062 */
34b4e4aa 2063static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2064{
2065 int rc, cap_sys_admin = 0;
1da177e4 2066
3699c53c
DH		 2067 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2068 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2069 if (rc == 0)
2070 cap_sys_admin = 1;
2071
34b4e4aa 2072 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2073}
2074
2075/* binprm security operations */
2076
a6f76f23 2077static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2078{
a6f76f23
DH		 2079 const struct task_security_struct *old_tsec;
2080 struct task_security_struct *new_tsec;
1da177e4 2081 struct inode_security_struct *isec;
2bf49690 2082 struct common_audit_data ad;
a6f76f23 2083 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 2084 int rc;
2085
200ac532 2086 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2087 if (rc)
2088 return rc;
2089
a6f76f23
DH		 2090 /* SELinux context only depends on initial program or script and not
2091 * the script interpreter */
2092 if (bprm->cred_prepared)
1da177e4
LT		 2093 return 0;
2094
a6f76f23
DH		 2095 old_tsec = current_security();
2096 new_tsec = bprm->cred->security;
1da177e4
LT		 2097 isec = inode->i_security;
2098
2099 /* Default to the current task SID. */
a6f76f23
DH		 2100 new_tsec->sid = old_tsec->sid;
2101 new_tsec->osid = old_tsec->sid;
1da177e4 2102
28eba5bf 2103 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2104 new_tsec->create_sid = 0;
2105 new_tsec->keycreate_sid = 0;
2106 new_tsec->sockcreate_sid = 0;
1da177e4 2107
a6f76f23
DH		 2108 if (old_tsec->exec_sid) {
2109 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2110 /* Reset exec SID on execve. */
a6f76f23 2111 new_tsec->exec_sid = 0;
1da177e4
LT		 2112 } else {
2113 /* Check for a default transition on this program. */
a6f76f23
DH		 2114 rc = security_transition_sid(old_tsec->sid, isec->sid,
2115 SECCLASS_PROCESS, &new_tsec->sid);
1da177e4
LT		 2116 if (rc)
2117 return rc;
2118 }
2119
2bf49690 2120 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2121 ad.u.fs.path = bprm->file->f_path;
1da177e4 2122
3d5ff529 2123 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
a6f76f23 2124 new_tsec->sid = old_tsec->sid;
1da177e4 2125
a6f76f23
DH		 2126 if (new_tsec->sid == old_tsec->sid) {
2127 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2128 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2129 if (rc)
2130 return rc;
2131 } else {
2132 /* Check permissions for the transition. */
a6f76f23 2133 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2134 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2135 if (rc)
2136 return rc;
2137
a6f76f23 2138 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2139 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2140 if (rc)
2141 return rc;
2142
a6f76f23
DH		 2143 /* Check for shared state */
2144 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2145 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2146 SECCLASS_PROCESS, PROCESS__SHARE,
2147 NULL);
2148 if (rc)
2149 return -EPERM;
2150 }
2151
2152 /* Make sure that anyone attempting to ptrace over a task that
2153 * changes its SID has the appropriate permit */
2154 if (bprm->unsafe &
2155 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2156 struct task_struct *tracer;
2157 struct task_security_struct *sec;
2158 u32 ptsid = 0;
2159
2160 rcu_read_lock();
2161 tracer = tracehook_tracer_task(current);
2162 if (likely(tracer != NULL)) {
2163 sec = __task_cred(tracer)->security;
2164 ptsid = sec->sid;
2165 }
2166 rcu_read_unlock();
2167
2168 if (ptsid != 0) {
2169 rc = avc_has_perm(ptsid, new_tsec->sid,
2170 SECCLASS_PROCESS,
2171 PROCESS__PTRACE, NULL);
2172 if (rc)
2173 return -EPERM;
2174 }
2175 }
1da177e4 2176
a6f76f23
DH		 2177 /* Clear any possibly unsafe personality bits on exec: */
2178 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2179 }
2180
1da177e4
LT		 2181 return 0;
2182}
2183
828dfe1d 2184static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2185{
275bb41e
DH		 2186 const struct cred *cred = current_cred();
2187 const struct task_security_struct *tsec = cred->security;
2188 u32 sid, osid;
1da177e4
LT		 2189 int atsecure = 0;
2190
275bb41e
DH		 2191 sid = tsec->sid;
2192 osid = tsec->osid;
2193
2194 if (osid != sid) {
1da177e4
LT		 2195 /* Enable secure mode for SIDs transitions unless
2196 the noatsecure permission is granted between
2197 the two SIDs, i.e. ahp returns 0. */
275bb41e 2198 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2199 SECCLASS_PROCESS,
2200 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2201 }
2202
200ac532 2203 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2204}
2205
1da177e4
LT		 2206extern struct vfsmount *selinuxfs_mount;
2207extern struct dentry *selinux_null;
2208
2209/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2210static inline void flush_unauthorized_files(const struct cred *cred,
2211 struct files_struct *files)
1da177e4 2212{
2bf49690 2213 struct common_audit_data ad;
1da177e4 2214 struct file *file, *devnull = NULL;
b20c8122 2215 struct tty_struct *tty;
badf1662 2216 struct fdtable *fdt;
1da177e4 2217 long j = -1;
24ec839c 2218 int drop_tty = 0;
1da177e4 2219
24ec839c 2220 tty = get_current_tty();
1da177e4
LT		 2221 if (tty) {
2222 file_list_lock();
37dd0bd0
EP		 2223 if (!list_empty(&tty->tty_files)) {
2224 struct inode *inode;
2225
1da177e4
LT		 2226 /* Revalidate access to controlling tty.
2227 Use inode_has_perm on the tty inode directly rather
2228 than using file_has_perm, as this particular open
2229 file may belong to another process and we are only
2230 interested in the inode-based check here. */
37dd0bd0
EP		 2231 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2232 inode = file->f_path.dentry->d_inode;
88e67f3b 2233 if (inode_has_perm(cred, inode,
1da177e4 2234 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2235 drop_tty = 1;
1da177e4
LT		 2236 }
2237 }
2238 file_list_unlock();
452a00d2 2239 tty_kref_put(tty);
1da177e4 2240 }
98a27ba4
EB		 2241 /* Reset controlling tty. */
2242 if (drop_tty)
2243 no_tty();
1da177e4
LT		 2244
2245 /* Revalidate access to inherited open files. */
2246
2bf49690 2247 COMMON_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2248
2249 spin_lock(&files->file_lock);
2250 for (;;) {
2251 unsigned long set, i;
2252 int fd;
2253
2254 j++;
2255 i = j * __NFDBITS;
badf1662 2256 fdt = files_fdtable(files);
bbea9f69 2257 if (i >= fdt->max_fds)
1da177e4 2258 break;
badf1662 2259 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2260 if (!set)
2261 continue;
2262 spin_unlock(&files->file_lock);
828dfe1d 2263 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2264 if (set & 1) {
2265 file = fget(i);
2266 if (!file)
2267 continue;
88e67f3b 2268 if (file_has_perm(cred,
1da177e4
LT		 2269 file,
2270 file_to_av(file))) {
2271 sys_close(i);
2272 fd = get_unused_fd();
2273 if (fd != i) {
2274 if (fd >= 0)
2275 put_unused_fd(fd);
2276 fput(file);
2277 continue;
2278 }
2279 if (devnull) {
095975da 2280 get_file(devnull);
1da177e4 2281 } else {
745ca247
DH		 2282 devnull = dentry_open(
2283 dget(selinux_null),
2284 mntget(selinuxfs_mount),
2285 O_RDWR, cred);
fc5d81e6
AM		 2286 if (IS_ERR(devnull)) {
2287 devnull = NULL;
1da177e4
LT		 2288 put_unused_fd(fd);
2289 fput(file);
2290 continue;
2291 }
2292 }
2293 fd_install(fd, devnull);
2294 }
2295 fput(file);
2296 }
2297 }
2298 spin_lock(&files->file_lock);
2299
2300 }
2301 spin_unlock(&files->file_lock);
2302}
2303
a6f76f23
DH		 2304/*
2305 * Prepare a process for imminent new credential changes due to exec
2306 */
2307static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2308{
a6f76f23
DH		 2309 struct task_security_struct *new_tsec;
2310 struct rlimit *rlim, *initrlim;
2311 int rc, i;
d84f4f99 2312
a6f76f23
DH		 2313 new_tsec = bprm->cred->security;
2314 if (new_tsec->sid == new_tsec->osid)
2315 return;
1da177e4 2316
a6f76f23
DH		 2317 /* Close files for which the new task SID is not authorized. */
2318 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2319
a6f76f23
DH		 2320 /* Always clear parent death signal on SID transitions. */
2321 current->pdeath_signal = 0;
0356357c 2322
a6f76f23
DH		 2323 /* Check whether the new SID can inherit resource limits from the old
2324 * SID. If not, reset all soft limits to the lower of the current
2325 * task's hard limit and the init task's soft limit.
2326 *
2327 * Note that the setting of hard limits (even to lower them) can be
2328 * controlled by the setrlimit check. The inclusion of the init task's
2329 * soft limit into the computation is to avoid resetting soft limits
2330 * higher than the default soft limit for cases where the default is
2331 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2332 */
2333 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2334 PROCESS__RLIMITINH, NULL);
2335 if (rc) {
2336 for (i = 0; i < RLIM_NLIMITS; i++) {
2337 rlim = current->signal->rlim + i;
2338 initrlim = init_task.signal->rlim + i;
2339 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2340 }
5ab46b34
JS		 2341 update_rlimit_cpu(current,
2342 current->signal->rlim[RLIMIT_CPU].rlim_cur);
1da177e4
LT		 2343 }
2344}
2345
2346/*
a6f76f23
DH		 2347 * Clean up the process immediately after the installation of new credentials
2348 * due to exec
1da177e4 2349 */
a6f76f23 2350static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2351{
a6f76f23 2352 const struct task_security_struct *tsec = current_security();
1da177e4 2353 struct itimerval itimer;
a6f76f23 2354 u32 osid, sid;
1da177e4
LT		 2355 int rc, i;
2356
a6f76f23
DH		 2357 osid = tsec->osid;
2358 sid = tsec->sid;
2359
2360 if (sid == osid)
1da177e4
LT		 2361 return;
2362
a6f76f23
DH		 2363 /* Check whether the new SID can inherit signal state from the old SID.
2364 * If not, clear itimers to avoid subsequent signal generation and
2365 * flush and unblock signals.
2366 *
2367 * This must occur _after_ the task SID has been updated so that any
2368 * kill done after the flush will be checked against the new SID.
2369 */
2370 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2371 if (rc) {
2372 memset(&itimer, 0, sizeof itimer);
2373 for (i = 0; i < 3; i++)
2374 do_setitimer(i, &itimer, NULL);
1da177e4 2375 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2376 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2377 __flush_signals(current);
2378 flush_signal_handlers(current, 1);
2379 sigemptyset(&current->blocked);
2380 }
1da177e4
LT		 2381 spin_unlock_irq(&current->sighand->siglock);
2382 }
2383
a6f76f23
DH		 2384 /* Wake up the parent if it is waiting so that it can recheck
2385 * wait permission to the new task SID. */
ecd6de3c 2386 read_lock(&tasklist_lock);
0b7570e7 2387 __wake_up_parent(current, current->real_parent);
ecd6de3c 2388 read_unlock(&tasklist_lock);
1da177e4
LT		 2389}
2390
2391/* superblock security operations */
2392
2393static int selinux_sb_alloc_security(struct super_block *sb)
2394{
2395 return superblock_alloc_security(sb);
2396}
2397
2398static void selinux_sb_free_security(struct super_block *sb)
2399{
2400 superblock_free_security(sb);
2401}
2402
2403static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2404{
2405 if (plen > olen)
2406 return 0;
2407
2408 return !memcmp(prefix, option, plen);
2409}
2410
2411static inline int selinux_option(char *option, int len)
2412{
832cbd9a
EP		 2413 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2414 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2415 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2416 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2417 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2418}
2419
2420static inline void take_option(char **to, char *from, int *first, int len)
2421{
2422 if (!*first) {
2423 **to = ',';
2424 *to += 1;
3528a953 2425 } else
1da177e4
LT		 2426 *first = 0;
2427 memcpy(*to, from, len);
2428 *to += len;
2429}
2430
828dfe1d
EP		 2431static inline void take_selinux_option(char **to, char *from, int *first,
2432 int len)
3528a953
CO		 2433{
2434 int current_size = 0;
2435
2436 if (!*first) {
2437 **to = '|';
2438 *to += 1;
828dfe1d 2439 } else
3528a953
CO		 2440 *first = 0;
2441
2442 while (current_size < len) {
2443 if (*from != '"') {
2444 **to = *from;
2445 *to += 1;
2446 }
2447 from += 1;
2448 current_size += 1;
2449 }
2450}
2451
e0007529 2452static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2453{
2454 int fnosec, fsec, rc = 0;
2455 char *in_save, *in_curr, *in_end;
2456 char *sec_curr, *nosec_save, *nosec;
3528a953 2457 int open_quote = 0;
1da177e4
LT		 2458
2459 in_curr = orig;
2460 sec_curr = copy;
2461
1da177e4
LT		 2462 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2463 if (!nosec) {
2464 rc = -ENOMEM;
2465 goto out;
2466 }
2467
2468 nosec_save = nosec;
2469 fnosec = fsec = 1;
2470 in_save = in_end = orig;
2471
2472 do {
3528a953
CO		 2473 if (*in_end == '"')
2474 open_quote = !open_quote;
2475 if ((*in_end == ',' && open_quote == 0) ||
2476 *in_end == '\0') {
1da177e4
LT		 2477 int len = in_end - in_curr;
2478
2479 if (selinux_option(in_curr, len))
3528a953 2480 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2481 else
2482 take_option(&nosec, in_curr, &fnosec, len);
2483
2484 in_curr = in_end + 1;
2485 }
2486 } while (*in_end++);
2487
6931dfc9 2488 strcpy(in_save, nosec_save);
da3caa20 2489 free_page((unsigned long)nosec_save);
1da177e4
LT		 2490out:
2491 return rc;
2492}
2493
12204e24 2494static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2495{
88e67f3b 2496 const struct cred *cred = current_cred();
2bf49690 2497 struct common_audit_data ad;
1da177e4
LT		 2498 int rc;
2499
2500 rc = superblock_doinit(sb, data);
2501 if (rc)
2502 return rc;
2503
74192246
JM		 2504 /* Allow all mounts performed by the kernel */
2505 if (flags & MS_KERNMOUNT)
2506 return 0;
2507
2bf49690 2508 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2509 ad.u.fs.path.dentry = sb->s_root;
88e67f3b 2510 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2511}
2512
726c3342 2513static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2514{
88e67f3b 2515 const struct cred *cred = current_cred();
2bf49690 2516 struct common_audit_data ad;
1da177e4 2517
2bf49690 2518 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2519 ad.u.fs.path.dentry = dentry->d_sb->s_root;
88e67f3b 2520 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2521}
2522
828dfe1d 2523static int selinux_mount(char *dev_name,
b5266eb4 2524 struct path *path,
828dfe1d
EP		 2525 char *type,
2526 unsigned long flags,
2527 void *data)
1da177e4 2528{
88e67f3b 2529 const struct cred *cred = current_cred();
1da177e4
LT		 2530
2531 if (flags & MS_REMOUNT)
88e67f3b 2532 return superblock_has_perm(cred, path->mnt->mnt_sb,
828dfe1d 2533 FILESYSTEM__REMOUNT, NULL);
1da177e4 2534 else
88e67f3b 2535 return dentry_has_perm(cred, path->mnt, path->dentry,
828dfe1d 2536 FILE__MOUNTON);
1da177e4
LT		 2537}
2538
2539static int selinux_umount(struct vfsmount *mnt, int flags)
2540{
88e67f3b 2541 const struct cred *cred = current_cred();
1da177e4 2542
88e67f3b 2543 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2544 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2545}
2546
2547/* inode security operations */
2548
2549static int selinux_inode_alloc_security(struct inode *inode)
2550{
2551 return inode_alloc_security(inode);
2552}
2553
2554static void selinux_inode_free_security(struct inode *inode)
2555{
2556 inode_free_security(inode);
2557}
2558
5e41ff9e
SS		 2559static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2560 char **name, void **value,
2561 size_t *len)
2562{
275bb41e
DH		 2563 const struct cred *cred = current_cred();
2564 const struct task_security_struct *tsec = cred->security;
5e41ff9e
SS		 2565 struct inode_security_struct *dsec;
2566 struct superblock_security_struct *sbsec;
275bb41e 2567 u32 sid, newsid, clen;
5e41ff9e 2568 int rc;
570bc1c2 2569 char *namep = NULL, *context;
5e41ff9e 2570
5e41ff9e
SS		 2571 dsec = dir->i_security;
2572 sbsec = dir->i_sb->s_security;
5e41ff9e 2573
275bb41e
DH		 2574 sid = tsec->sid;
2575 newsid = tsec->create_sid;
2576
cd89596f 2577 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 2578 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e
SS		 2579 inode_mode_to_security_class(inode->i_mode),
2580 &newsid);
2581 if (rc) {
2582 printk(KERN_WARNING "%s: "
2583 "security_transition_sid failed, rc=%d (dev=%s "
2584 "ino=%ld)\n",
dd6f953a 2585 __func__,
5e41ff9e
SS		 2586 -rc, inode->i_sb->s_id, inode->i_ino);
2587 return rc;
2588 }
2589 }
2590
296fddf7 2591 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2592 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2593 struct inode_security_struct *isec = inode->i_security;
2594 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2595 isec->sid = newsid;
2596 isec->initialized = 1;
2597 }
5e41ff9e 2598
cd89596f 2599 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
25a74f3b
SS		 2600 return -EOPNOTSUPP;
2601
570bc1c2 2602 if (name) {
a02fe132 2603 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2604 if (!namep)
2605 return -ENOMEM;
2606 *name = namep;
2607 }
5e41ff9e 2608
570bc1c2 2609 if (value && len) {
12b29f34 2610 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2611 if (rc) {
2612 kfree(namep);
2613 return rc;
2614 }
2615 *value = context;
2616 *len = clen;
5e41ff9e 2617 }
5e41ff9e 2618
5e41ff9e
SS		 2619 return 0;
2620}
2621
1da177e4
LT		 2622static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2623{
2624 return may_create(dir, dentry, SECCLASS_FILE);
2625}
2626
1da177e4
LT		 2627static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2628{
1da177e4
LT		 2629 return may_link(dir, old_dentry, MAY_LINK);
2630}
2631
1da177e4
LT		 2632static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2633{
1da177e4
LT		 2634 return may_link(dir, dentry, MAY_UNLINK);
2635}
2636
2637static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2638{
2639 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2640}
2641
1da177e4
LT		 2642static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2643{
2644 return may_create(dir, dentry, SECCLASS_DIR);
2645}
2646
1da177e4
LT		 2647static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2648{
2649 return may_link(dir, dentry, MAY_RMDIR);
2650}
2651
2652static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2653{
1da177e4
LT		 2654 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2655}
2656
1da177e4 2657static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2658 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2659{
2660 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2661}
2662
1da177e4
LT		 2663static int selinux_inode_readlink(struct dentry *dentry)
2664{
88e67f3b
DH		 2665 const struct cred *cred = current_cred();
2666
2667 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2668}
2669
2670static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2671{
88e67f3b 2672 const struct cred *cred = current_cred();
1da177e4 2673
88e67f3b 2674 return dentry_has_perm(cred, NULL, dentry, FILE__READ);
1da177e4
LT		 2675}
2676
b77b0646 2677static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2678{
88e67f3b 2679 const struct cred *cred = current_cred();
1da177e4
LT		 2680
2681 if (!mask) {
2682 /* No permission to check. Existence test. */
2683 return 0;
2684 }
2685
88e67f3b 2686 return inode_has_perm(cred, inode,
8b6a5a37 2687 file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2688}
2689
2690static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2691{
88e67f3b 2692 const struct cred *cred = current_cred();
bc6a6008 2693 unsigned int ia_valid = iattr->ia_valid;
1da177e4 2694
bc6a6008
AW		 2695 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2696 if (ia_valid & ATTR_FORCE) {
2697 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2698 ATTR_FORCE);
2699 if (!ia_valid)
2700 return 0;
2701 }
1da177e4 2702
bc6a6008
AW		 2703 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2704 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
88e67f3b 2705 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
1da177e4 2706
88e67f3b 2707 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
1da177e4
LT		 2708}
2709
2710static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2711{
88e67f3b
DH		 2712 const struct cred *cred = current_cred();
2713
2714 return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
1da177e4
LT		 2715}
2716
8f0cfa52 2717static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2718{
88e67f3b
DH		 2719 const struct cred *cred = current_cred();
2720
b5376771
SH		 2721 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2722 sizeof XATTR_SECURITY_PREFIX - 1)) {
2723 if (!strcmp(name, XATTR_NAME_CAPS)) {
2724 if (!capable(CAP_SETFCAP))
2725 return -EPERM;
2726 } else if (!capable(CAP_SYS_ADMIN)) {
2727 /* A different attribute in the security namespace.
2728 Restrict to administrator. */
2729 return -EPERM;
2730 }
2731 }
2732
2733 /* Not an attribute we recognize, so just check the
2734 ordinary setattr permission. */
88e67f3b 2735 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
b5376771
SH		 2736}
2737
8f0cfa52
DH		 2738static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2739 const void *value, size_t size, int flags)
1da177e4 2740{
1da177e4
LT		 2741 struct inode *inode = dentry->d_inode;
2742 struct inode_security_struct *isec = inode->i_security;
2743 struct superblock_security_struct *sbsec;
2bf49690 2744 struct common_audit_data ad;
275bb41e 2745 u32 newsid, sid = current_sid();
1da177e4
LT		 2746 int rc = 0;
2747
b5376771
SH		 2748 if (strcmp(name, XATTR_NAME_SELINUX))
2749 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2750
2751 sbsec = inode->i_sb->s_security;
cd89596f 2752 if (!(sbsec->flags & SE_SBLABELSUPP))
1da177e4
LT		 2753 return -EOPNOTSUPP;
2754
3bd858ab 2755 if (!is_owner_or_cap(inode))
1da177e4
LT		 2756 return -EPERM;
2757
2bf49690 2758 COMMON_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2759 ad.u.fs.path.dentry = dentry;
1da177e4 2760
275bb41e 2761 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2762 FILE__RELABELFROM, &ad);
2763 if (rc)
2764 return rc;
2765
2766 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2767 if (rc == -EINVAL) {
2768 if (!capable(CAP_MAC_ADMIN))
2769 return rc;
2770 rc = security_context_to_sid_force(value, size, &newsid);
2771 }
1da177e4
LT		 2772 if (rc)
2773 return rc;
2774
275bb41e 2775 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2776 FILE__RELABELTO, &ad);
2777 if (rc)
2778 return rc;
2779
275bb41e 2780 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2781 isec->sclass);
1da177e4
LT		 2782 if (rc)
2783 return rc;
2784
2785 return avc_has_perm(newsid,
2786 sbsec->sid,
2787 SECCLASS_FILESYSTEM,
2788 FILESYSTEM__ASSOCIATE,
2789 &ad);
2790}
2791
8f0cfa52 2792static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2793 const void *value, size_t size,
8f0cfa52 2794 int flags)
1da177e4
LT		 2795{
2796 struct inode *inode = dentry->d_inode;
2797 struct inode_security_struct *isec = inode->i_security;
2798 u32 newsid;
2799 int rc;
2800
2801 if (strcmp(name, XATTR_NAME_SELINUX)) {
2802 /* Not an attribute we recognize, so nothing to do. */
2803 return;
2804 }
2805
12b29f34 2806 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2807 if (rc) {
12b29f34
SS		 2808 printk(KERN_ERR "SELinux: unable to map context to SID"
2809 "for (%s, %lu), rc=%d\n",
2810 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2811 return;
2812 }
2813
2814 isec->sid = newsid;
2815 return;
2816}
2817
8f0cfa52 2818static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2819{
88e67f3b
DH		 2820 const struct cred *cred = current_cred();
2821
2822 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2823}
2824
828dfe1d 2825static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2826{
88e67f3b
DH		 2827 const struct cred *cred = current_cred();
2828
2829 return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
1da177e4
LT		 2830}
2831
8f0cfa52 2832static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2833{
b5376771
SH		 2834 if (strcmp(name, XATTR_NAME_SELINUX))
2835 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2836
2837 /* No one is allowed to remove a SELinux security label.
2838 You can change the label, but all data must be labeled. */
2839 return -EACCES;
2840}
2841
d381d8a9 2842/*
abc69bb6 2843 * Copy the inode security context value to the user.
d381d8a9
JM		 2844 *
2845 * Permission check is handled by selinux_inode_getxattr hook.
2846 */
42492594 2847static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2848{
42492594
DQ		 2849 u32 size;
2850 int error;
2851 char *context = NULL;
1da177e4 2852 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2853
8c8570fb
DK		 2854 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2855 return -EOPNOTSUPP;
d381d8a9 2856
abc69bb6
SS		 2857 /*
2858 * If the caller has CAP_MAC_ADMIN, then get the raw context
2859 * value even if it is not defined by current policy; otherwise,
2860 * use the in-core value under current policy.
2861 * Use the non-auditing forms of the permission checks since
2862 * getxattr may be called by unprivileged processes commonly
2863 * and lack of permission just means that we fall back to the
2864 * in-core context value, not a denial.
2865 */
3699c53c
DH		 2866 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2867 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2868 if (!error)
2869 error = security_sid_to_context_force(isec->sid, &context,
2870 &size);
2871 else
2872 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2873 if (error)
2874 return error;
2875 error = size;
2876 if (alloc) {
2877 *buffer = context;
2878 goto out_nofree;
2879 }
2880 kfree(context);
2881out_nofree:
2882 return error;
1da177e4
LT		 2883}
2884
2885static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2886 const void *value, size_t size, int flags)
1da177e4
LT		 2887{
2888 struct inode_security_struct *isec = inode->i_security;
2889 u32 newsid;
2890 int rc;
2891
2892 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2893 return -EOPNOTSUPP;
2894
2895 if (!value || !size)
2896 return -EACCES;
2897
828dfe1d 2898 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2899 if (rc)
2900 return rc;
2901
2902 isec->sid = newsid;
ddd29ec6 2903 isec->initialized = 1;
1da177e4
LT		 2904 return 0;
2905}
2906
2907static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2908{
2909 const int len = sizeof(XATTR_NAME_SELINUX);
2910 if (buffer && len <= buffer_size)
2911 memcpy(buffer, XATTR_NAME_SELINUX, len);
2912 return len;
2913}
2914
713a04ae
AD		 2915static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2916{
2917 struct inode_security_struct *isec = inode->i_security;
2918 *secid = isec->sid;
2919}
2920
1da177e4
LT		 2921/* file security operations */
2922
788e7dd4 2923static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2924{
88e67f3b 2925 const struct cred *cred = current_cred();
3d5ff529 2926 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4 2927
1da177e4
LT		 2928 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2929 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2930 mask |= MAY_APPEND;
2931
389fb800
PM		 2932 return file_has_perm(cred, file,
2933 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 2934}
2935
788e7dd4
YN		 2936static int selinux_file_permission(struct file *file, int mask)
2937{
20dda18b
SS		 2938 struct inode *inode = file->f_path.dentry->d_inode;
2939 struct file_security_struct *fsec = file->f_security;
2940 struct inode_security_struct *isec = inode->i_security;
2941 u32 sid = current_sid();
2942
389fb800 2943 if (!mask)
788e7dd4
YN		 2944 /* No permission to check. Existence test. */
2945 return 0;
788e7dd4 2946
20dda18b
SS		 2947 if (sid == fsec->sid && fsec->isid == isec->sid &&
2948 fsec->pseqno == avc_policy_seqno())
2949 /* No change since dentry_open check. */
2950 return 0;
2951
788e7dd4
YN		 2952 return selinux_revalidate_file_permission(file, mask);
2953}
2954
1da177e4
LT		 2955static int selinux_file_alloc_security(struct file *file)
2956{
2957 return file_alloc_security(file);
2958}
2959
2960static void selinux_file_free_security(struct file *file)
2961{
2962 file_free_security(file);
2963}
2964
2965static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2966 unsigned long arg)
2967{
88e67f3b 2968 const struct cred *cred = current_cred();
242631c4 2969 u32 av = 0;
1da177e4 2970
242631c4
SS		 2971 if (_IOC_DIR(cmd) & _IOC_WRITE)
2972 av |= FILE__WRITE;
2973 if (_IOC_DIR(cmd) & _IOC_READ)
2974 av |= FILE__READ;
2975 if (!av)
2976 av = FILE__IOCTL;
1da177e4 2977
88e67f3b 2978 return file_has_perm(cred, file, av);
1da177e4
LT		 2979}
2980
fcaaade1
SS		 2981static int default_noexec;
2982
1da177e4
LT		 2983static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2984{
88e67f3b 2985 const struct cred *cred = current_cred();
d84f4f99 2986 int rc = 0;
88e67f3b 2987
fcaaade1
SS		 2988 if (default_noexec &&
2989 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 2990 /*
2991 * We are making executable an anonymous mapping or a
2992 * private file mapping that will also be writable.
2993 * This has an additional check.
2994 */
d84f4f99 2995 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 2996 if (rc)
d84f4f99 2997 goto error;
1da177e4 2998 }
1da177e4
LT		 2999
3000 if (file) {
3001 /* read access is always possible with a mapping */
3002 u32 av = FILE__READ;
3003
3004 /* write access only matters if the mapping is shared */
3005 if (shared && (prot & PROT_WRITE))
3006 av |= FILE__WRITE;
3007
3008 if (prot & PROT_EXEC)
3009 av |= FILE__EXECUTE;
3010
88e67f3b 3011 return file_has_perm(cred, file, av);
1da177e4 3012 }
d84f4f99
DH		 3013
3014error:
3015 return rc;
1da177e4
LT		 3016}
3017
3018static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3019 unsigned long prot, unsigned long flags,
3020 unsigned long addr, unsigned long addr_only)
1da177e4 3021{
ed032189 3022 int rc = 0;
275bb41e 3023 u32 sid = current_sid();
1da177e4 3024
84336d1a
EP		 3025 /*
3026 * notice that we are intentionally putting the SELinux check before
3027 * the secondary cap_file_mmap check. This is such a likely attempt
3028 * at bad behaviour/exploit that we always want to get the AVC, even
3029 * if DAC would have also denied the operation.
3030 */
a2551df7 3031 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3032 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3033 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3034 if (rc)
3035 return rc;
3036 }
3037
3038 /* do DAC check on address space usage */
3039 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
ed032189 3040 if (rc || addr_only)
1da177e4
LT		 3041 return rc;
3042
3043 if (selinux_checkreqprot)
3044 prot = reqprot;
3045
3046 return file_map_prot_check(file, prot,
3047 (flags & MAP_TYPE) == MAP_SHARED);
3048}
3049
3050static int selinux_file_mprotect(struct vm_area_struct *vma,
3051 unsigned long reqprot,
3052 unsigned long prot)
3053{
88e67f3b 3054 const struct cred *cred = current_cred();
1da177e4
LT		 3055
3056 if (selinux_checkreqprot)
3057 prot = reqprot;
3058
fcaaade1
SS		 3059 if (default_noexec &&
3060 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3061 int rc = 0;
db4c9641
SS		 3062 if (vma->vm_start >= vma->vm_mm->start_brk &&
3063 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3064 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3065 } else if (!vma->vm_file &&
3066 vma->vm_start <= vma->vm_mm->start_stack &&
3067 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3068 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3069 } else if (vma->vm_file && vma->anon_vma) {
3070 /*
3071 * We are making executable a file mapping that has
3072 * had some COW done. Since pages might have been
3073 * written, check ability to execute the possibly
3074 * modified content. This typically should only
3075 * occur for text relocations.
3076 */
d84f4f99 3077 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3078 }