]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SELinux: remove crazy contortions around proc
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
32#include <linux/security.h>
33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
ca10b9e9 54#include <net/sock.h>
1da177e4 55#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
11689d47 97#define NUM_SEL_MNT_OPTS 5
c9180a57 98
20510f2f 99extern struct security_operations *security_ops;
1da177e4 100
d621d35e 101/* SECMARK reference count */
56a4ca99 102static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 103
1da177e4 104#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 105int selinux_enforcing;
1da177e4
LT		 106
107static int __init enforcing_setup(char *str)
108{
f5269710
EP		 109 unsigned long enforcing;
110 if (!strict_strtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 112 return 1;
113}
114__setup("enforcing=", enforcing_setup);
115#endif
116
117#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120static int __init selinux_enabled_setup(char *str)
121{
f5269710
EP		 122 unsigned long enabled;
123 if (!strict_strtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 125 return 1;
126}
127__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 128#else
129int selinux_enabled = 1;
1da177e4
LT		 130#endif
131
e18b890b 132static struct kmem_cache *sel_inode_cache;
7cae7e26 133
d621d35e
PM		 134/**
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 *
137 * Description:
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled.
142 *
143 */
144static int selinux_secmark_enabled(void)
145{
146 return (atomic_read(&selinux_secmark_refcount) > 0);
147}
148
d84f4f99
DH		 149/*
150 * initialise the security for the init task
151 */
152static void cred_init_security(void)
1da177e4 153{
3b11a1de 154 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 155 struct task_security_struct *tsec;
156
89d155ef 157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 158 if (!tsec)
d84f4f99 159 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 160
d84f4f99 161 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 162 cred->security = tsec;
1da177e4
LT		 163}
164
88e67f3b
DH		 165/*
166 * get the security ID of a set of credentials
167 */
168static inline u32 cred_sid(const struct cred *cred)
169{
170 const struct task_security_struct *tsec;
171
172 tsec = cred->security;
173 return tsec->sid;
174}
175
275bb41e 176/*
3b11a1de 177 * get the objective security ID of a task
275bb41e
DH		 178 */
179static inline u32 task_sid(const struct task_struct *task)
180{
275bb41e
DH		 181 u32 sid;
182
183 rcu_read_lock();
88e67f3b 184 sid = cred_sid(__task_cred(task));
275bb41e
DH		 185 rcu_read_unlock();
186 return sid;
187}
188
189/*
3b11a1de 190 * get the subjective security ID of the current task
275bb41e
DH		 191 */
192static inline u32 current_sid(void)
193{
5fb49870 194 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 195
196 return tsec->sid;
197}
198
88e67f3b
DH		 199/* Allocate and free functions for each kind of security blob. */
200
1da177e4
LT		 201static int inode_alloc_security(struct inode *inode)
202{
1da177e4 203 struct inode_security_struct *isec;
275bb41e 204 u32 sid = current_sid();
1da177e4 205
a02fe132 206 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 207 if (!isec)
208 return -ENOMEM;
209
23970741 210 mutex_init(&isec->lock);
1da177e4 211 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 212 isec->inode = inode;
213 isec->sid = SECINITSID_UNLABELED;
214 isec->sclass = SECCLASS_FILE;
275bb41e 215 isec->task_sid = sid;
1da177e4
LT		 216 inode->i_security = isec;
217
218 return 0;
219}
220
221static void inode_free_security(struct inode *inode)
222{
223 struct inode_security_struct *isec = inode->i_security;
224 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
225
1da177e4
LT		 226 spin_lock(&sbsec->isec_lock);
227 if (!list_empty(&isec->list))
228 list_del_init(&isec->list);
229 spin_unlock(&sbsec->isec_lock);
230
231 inode->i_security = NULL;
7cae7e26 232 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 233}
234
235static int file_alloc_security(struct file *file)
236{
1da177e4 237 struct file_security_struct *fsec;
275bb41e 238 u32 sid = current_sid();
1da177e4 239
26d2a4be 240 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 241 if (!fsec)
242 return -ENOMEM;
243
275bb41e
DH		 244 fsec->sid = sid;
245 fsec->fown_sid = sid;
1da177e4
LT		 246 file->f_security = fsec;
247
248 return 0;
249}
250
251static void file_free_security(struct file *file)
252{
253 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 254 file->f_security = NULL;
255 kfree(fsec);
256}
257
258static int superblock_alloc_security(struct super_block *sb)
259{
260 struct superblock_security_struct *sbsec;
261
89d155ef 262 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 263 if (!sbsec)
264 return -ENOMEM;
265
bc7e982b 266 mutex_init(&sbsec->lock);
1da177e4
LT		 267 INIT_LIST_HEAD(&sbsec->isec_head);
268 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 269 sbsec->sb = sb;
270 sbsec->sid = SECINITSID_UNLABELED;
271 sbsec->def_sid = SECINITSID_FILE;
c312feb2 272 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 273 sb->s_security = sbsec;
274
275 return 0;
276}
277
278static void superblock_free_security(struct super_block *sb)
279{
280 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 281 sb->s_security = NULL;
282 kfree(sbsec);
283}
284
1da177e4
LT		 285/* The file system's label must be initialized prior to use. */
286
634a539e 287static const char *labeling_behaviors[6] = {
1da177e4
LT		 288 "uses xattr",
289 "uses transition SIDs",
290 "uses task SIDs",
291 "uses genfs_contexts",
292 "not configured for labeling",
293 "uses mountpoint labeling",
294};
295
296static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
297
298static inline int inode_doinit(struct inode *inode)
299{
300 return inode_doinit_with_dentry(inode, NULL);
301}
302
303enum {
31e87930 304 Opt_error = -1,
1da177e4
LT		 305 Opt_context = 1,
306 Opt_fscontext = 2,
c9180a57
EP		 307 Opt_defcontext = 3,
308 Opt_rootcontext = 4,
11689d47 309 Opt_labelsupport = 5,
1da177e4
LT		 310};
311
a447c093 312static const match_table_t tokens = {
832cbd9a
EP		 313 {Opt_context, CONTEXT_STR "%s"},
314 {Opt_fscontext, FSCONTEXT_STR "%s"},
315 {Opt_defcontext, DEFCONTEXT_STR "%s"},
316 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 317 {Opt_labelsupport, LABELSUPP_STR},
31e87930 318 {Opt_error, NULL},
1da177e4
LT		 319};
320
321#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
322
c312feb2
EP		 323static int may_context_mount_sb_relabel(u32 sid,
324 struct superblock_security_struct *sbsec,
275bb41e 325 const struct cred *cred)
c312feb2 326{
275bb41e 327 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 328 int rc;
329
330 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
331 FILESYSTEM__RELABELFROM, NULL);
332 if (rc)
333 return rc;
334
335 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
336 FILESYSTEM__RELABELTO, NULL);
337 return rc;
338}
339
0808925e
EP		 340static int may_context_mount_inode_relabel(u32 sid,
341 struct superblock_security_struct *sbsec,
275bb41e 342 const struct cred *cred)
0808925e 343{
275bb41e 344 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 345 int rc;
346 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELFROM, NULL);
348 if (rc)
349 return rc;
350
351 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
352 FILESYSTEM__ASSOCIATE, NULL);
353 return rc;
354}
355
c9180a57 356static int sb_finish_set_opts(struct super_block *sb)
1da177e4 357{
1da177e4 358 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 359 struct dentry *root = sb->s_root;
360 struct inode *root_inode = root->d_inode;
361 int rc = 0;
1da177e4 362
c9180a57
EP		 363 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
364 /* Make sure that the xattr handler exists and that no
365 error other than -ENODATA is returned by getxattr on
366 the root directory. -ENODATA is ok, as this may be
367 the first boot of the SELinux kernel before we have
368 assigned xattr values to the filesystem. */
369 if (!root_inode->i_op->getxattr) {
370 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
371 "xattr support\n", sb->s_id, sb->s_type->name);
372 rc = -EOPNOTSUPP;
373 goto out;
374 }
375 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
376 if (rc < 0 && rc != -ENODATA) {
377 if (rc == -EOPNOTSUPP)
378 printk(KERN_WARNING "SELinux: (dev %s, type "
379 "%s) has no security xattr handler\n",
380 sb->s_id, sb->s_type->name);
381 else
382 printk(KERN_WARNING "SELinux: (dev %s, type "
383 "%s) getxattr errno %d\n", sb->s_id,
384 sb->s_type->name, -rc);
385 goto out;
386 }
387 }
1da177e4 388
11689d47 389 sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP);
1da177e4 390
c9180a57
EP		 391 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
392 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
393 sb->s_id, sb->s_type->name);
394 else
395 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
396 sb->s_id, sb->s_type->name,
397 labeling_behaviors[sbsec->behavior-1]);
1da177e4 398
11689d47
DQ		 399 if (sbsec->behavior == SECURITY_FS_USE_GENFS ||
400 sbsec->behavior == SECURITY_FS_USE_MNTPOINT ||
401 sbsec->behavior == SECURITY_FS_USE_NONE ||
402 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 sbsec->flags &= ~SE_SBLABELSUPP;
404
ddd29ec6
DQ		 405 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
407 sbsec->flags |= SE_SBLABELSUPP;
408
5c73fceb
SS		 409 /*
410 * Special handling for rootfs. Is genfs but supports
411 * setting SELinux context on in-core inodes.
412 */
413 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
414 sbsec->flags |= SE_SBLABELSUPP;
415
c9180a57
EP		 416 /* Initialize the root inode. */
417 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 418
c9180a57
EP		 419 /* Initialize any other inodes associated with the superblock, e.g.
420 inodes created prior to initial policy load or inodes created
421 during get_sb by a pseudo filesystem that directly
422 populates itself. */
423 spin_lock(&sbsec->isec_lock);
424next_inode:
425 if (!list_empty(&sbsec->isec_head)) {
426 struct inode_security_struct *isec =
427 list_entry(sbsec->isec_head.next,
428 struct inode_security_struct, list);
429 struct inode *inode = isec->inode;
430 spin_unlock(&sbsec->isec_lock);
431 inode = igrab(inode);
432 if (inode) {
433 if (!IS_PRIVATE(inode))
434 inode_doinit(inode);
435 iput(inode);
436 }
437 spin_lock(&sbsec->isec_lock);
438 list_del_init(&isec->list);
439 goto next_inode;
440 }
441 spin_unlock(&sbsec->isec_lock);
442out:
443 return rc;
444}
1da177e4 445
c9180a57
EP		 446/*
447 * This function should allow an FS to ask what it's mount security
448 * options were so it can use those later for submounts, displaying
449 * mount options, or whatever.
450 */
451static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 452 struct security_mnt_opts *opts)
c9180a57
EP		 453{
454 int rc = 0, i;
455 struct superblock_security_struct *sbsec = sb->s_security;
456 char *context = NULL;
457 u32 len;
458 char tmp;
1da177e4 459
e0007529 460 security_init_mnt_opts(opts);
1da177e4 461
0d90a7ec 462 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 463 return -EINVAL;
1da177e4 464
c9180a57
EP		 465 if (!ss_initialized)
466 return -EINVAL;
1da177e4 467
0d90a7ec 468 tmp = sbsec->flags & SE_MNTMASK;
c9180a57
EP		 469 /* count the number of mount options for this sb */
470 for (i = 0; i < 8; i++) {
471 if (tmp & 0x01)
e0007529 472 opts->num_mnt_opts++;
c9180a57
EP		 473 tmp >>= 1;
474 }
11689d47
DQ		 475 /* Check if the Label support flag is set */
476 if (sbsec->flags & SE_SBLABELSUPP)
477 opts->num_mnt_opts++;
1da177e4 478
e0007529
EP		 479 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
480 if (!opts->mnt_opts) {
c9180a57
EP		 481 rc = -ENOMEM;
482 goto out_free;
483 }
1da177e4 484
e0007529
EP		 485 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
486 if (!opts->mnt_opts_flags) {
c9180a57
EP		 487 rc = -ENOMEM;
488 goto out_free;
489 }
1da177e4 490
c9180a57
EP		 491 i = 0;
492 if (sbsec->flags & FSCONTEXT_MNT) {
493 rc = security_sid_to_context(sbsec->sid, &context, &len);
494 if (rc)
495 goto out_free;
e0007529
EP		 496 opts->mnt_opts[i] = context;
497 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 498 }
499 if (sbsec->flags & CONTEXT_MNT) {
500 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
501 if (rc)
502 goto out_free;
e0007529
EP		 503 opts->mnt_opts[i] = context;
504 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 505 }
506 if (sbsec->flags & DEFCONTEXT_MNT) {
507 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
508 if (rc)
509 goto out_free;
e0007529
EP		 510 opts->mnt_opts[i] = context;
511 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 512 }
513 if (sbsec->flags & ROOTCONTEXT_MNT) {
514 struct inode *root = sbsec->sb->s_root->d_inode;
515 struct inode_security_struct *isec = root->i_security;
0808925e 516
c9180a57
EP		 517 rc = security_sid_to_context(isec->sid, &context, &len);
518 if (rc)
519 goto out_free;
e0007529
EP		 520 opts->mnt_opts[i] = context;
521 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 522 }
11689d47
DQ		 523 if (sbsec->flags & SE_SBLABELSUPP) {
524 opts->mnt_opts[i] = NULL;
525 opts->mnt_opts_flags[i++] = SE_SBLABELSUPP;
526 }
1da177e4 527
e0007529 528 BUG_ON(i != opts->num_mnt_opts);
1da177e4 529
c9180a57
EP		 530 return 0;
531
532out_free:
e0007529 533 security_free_mnt_opts(opts);
c9180a57
EP		 534 return rc;
535}
1da177e4 536
c9180a57
EP		 537static int bad_option(struct superblock_security_struct *sbsec, char flag,
538 u32 old_sid, u32 new_sid)
539{
0d90a7ec
DQ		 540 char mnt_flags = sbsec->flags & SE_MNTMASK;
541
c9180a57 542 /* check if the old mount command had the same options */
0d90a7ec 543 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 544 if (!(sbsec->flags & flag) ||
545 (old_sid != new_sid))
546 return 1;
547
548 /* check if we were passed the same options twice,
549 * aka someone passed context=a,context=b
550 */
0d90a7ec
DQ		 551 if (!(sbsec->flags & SE_SBINITIALIZED))
552 if (mnt_flags & flag)
c9180a57
EP		 553 return 1;
554 return 0;
555}
e0007529 556
c9180a57
EP		 557/*
558 * Allow filesystems with binary mount data to explicitly set mount point
559 * labeling information.
560 */
e0007529
EP		 561static int selinux_set_mnt_opts(struct super_block *sb,
562 struct security_mnt_opts *opts)
c9180a57 563{
275bb41e 564 const struct cred *cred = current_cred();
c9180a57 565 int rc = 0, i;
c9180a57
EP		 566 struct superblock_security_struct *sbsec = sb->s_security;
567 const char *name = sb->s_type->name;
089be43e
JM		 568 struct inode *inode = sbsec->sb->s_root->d_inode;
569 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 570 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
571 u32 defcontext_sid = 0;
e0007529
EP		 572 char **mount_options = opts->mnt_opts;
573 int *flags = opts->mnt_opts_flags;
574 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 575
576 mutex_lock(&sbsec->lock);
577
578 if (!ss_initialized) {
579 if (!num_opts) {
580 /* Defer initialization until selinux_complete_init,
581 after the initial policy is loaded and the security
582 server is ready to handle calls. */
c9180a57
EP		 583 goto out;
584 }
585 rc = -EINVAL;
744ba35e
EP		 586 printk(KERN_WARNING "SELinux: Unable to set superblock options "
587 "before the security server is initialized\n");
1da177e4 588 goto out;
c9180a57 589 }
1da177e4 590
e0007529
EP		 591 /*
592 * Binary mount data FS will come through this function twice. Once
593 * from an explicit call and once from the generic calls from the vfs.
594 * Since the generic VFS calls will not contain any security mount data
595 * we need to skip the double mount verification.
596 *
597 * This does open a hole in which we will not notice if the first
598 * mount using this sb set explict options and a second mount using
599 * this sb does not set any security options. (The first options
600 * will be used for both mounts)
601 */
0d90a7ec 602 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 603 && (num_opts == 0))
f5269710 604 goto out;
e0007529 605
c9180a57
EP		 606 /*
607 * parse the mount options, check if they are valid sids.
608 * also check if someone is trying to mount the same sb more
609 * than once with different security options.
610 */
611 for (i = 0; i < num_opts; i++) {
612 u32 sid;
11689d47
DQ		 613
614 if (flags[i] == SE_SBLABELSUPP)
615 continue;
c9180a57
EP		 616 rc = security_context_to_sid(mount_options[i],
617 strlen(mount_options[i]), &sid);
1da177e4
LT		 618 if (rc) {
619 printk(KERN_WARNING "SELinux: security_context_to_sid"
620 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 621 mount_options[i], sb->s_id, name, rc);
622 goto out;
623 }
624 switch (flags[i]) {
625 case FSCONTEXT_MNT:
626 fscontext_sid = sid;
627
628 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
629 fscontext_sid))
630 goto out_double_mount;
631
632 sbsec->flags |= FSCONTEXT_MNT;
633 break;
634 case CONTEXT_MNT:
635 context_sid = sid;
636
637 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
638 context_sid))
639 goto out_double_mount;
640
641 sbsec->flags |= CONTEXT_MNT;
642 break;
643 case ROOTCONTEXT_MNT:
644 rootcontext_sid = sid;
645
646 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
647 rootcontext_sid))
648 goto out_double_mount;
649
650 sbsec->flags |= ROOTCONTEXT_MNT;
651
652 break;
653 case DEFCONTEXT_MNT:
654 defcontext_sid = sid;
655
656 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
657 defcontext_sid))
658 goto out_double_mount;
659
660 sbsec->flags |= DEFCONTEXT_MNT;
661
662 break;
663 default:
664 rc = -EINVAL;
665 goto out;
1da177e4 666 }
c9180a57
EP		 667 }
668
0d90a7ec 669 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 670 /* previously mounted with options, but not on this attempt? */
0d90a7ec 671 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 672 goto out_double_mount;
673 rc = 0;
674 goto out;
675 }
676
089be43e 677 if (strcmp(sb->s_type->name, "proc") == 0)
0d90a7ec 678 sbsec->flags |= SE_SBPROC;
c9180a57
EP		 679
680 /* Determine the labeling behavior to use for this filesystem type. */
40d3d0b8 681 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 682 if (rc) {
683 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 684 __func__, sb->s_type->name, rc);
c9180a57
EP		 685 goto out;
686 }
1da177e4 687
c9180a57
EP		 688 /* sets the context of the superblock for the fs being mounted. */
689 if (fscontext_sid) {
275bb41e 690 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 691 if (rc)
c9180a57 692 goto out;
1da177e4 693
c9180a57 694 sbsec->sid = fscontext_sid;
c312feb2
EP		 695 }
696
697 /*
698 * Switch to using mount point labeling behavior.
699 * sets the label used on all file below the mountpoint, and will set
700 * the superblock context if not already set.
701 */
c9180a57
EP		 702 if (context_sid) {
703 if (!fscontext_sid) {
275bb41e
DH		 704 rc = may_context_mount_sb_relabel(context_sid, sbsec,
705 cred);
b04ea3ce 706 if (rc)
c9180a57
EP		 707 goto out;
708 sbsec->sid = context_sid;
b04ea3ce 709 } else {
275bb41e
DH		 710 rc = may_context_mount_inode_relabel(context_sid, sbsec,
711 cred);
b04ea3ce 712 if (rc)
c9180a57 713 goto out;
b04ea3ce 714 }
c9180a57
EP		 715 if (!rootcontext_sid)
716 rootcontext_sid = context_sid;
1da177e4 717
c9180a57 718 sbsec->mntpoint_sid = context_sid;
c312feb2 719 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 720 }
721
c9180a57 722 if (rootcontext_sid) {
275bb41e
DH		 723 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
724 cred);
0808925e 725 if (rc)
c9180a57 726 goto out;
0808925e 727
c9180a57
EP		 728 root_isec->sid = rootcontext_sid;
729 root_isec->initialized = 1;
0808925e
EP		 730 }
731
c9180a57
EP		 732 if (defcontext_sid) {
733 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
734 rc = -EINVAL;
735 printk(KERN_WARNING "SELinux: defcontext option is "
736 "invalid for this filesystem type\n");
737 goto out;
1da177e4
LT		 738 }
739
c9180a57
EP		 740 if (defcontext_sid != sbsec->def_sid) {
741 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 742 sbsec, cred);
c9180a57
EP		 743 if (rc)
744 goto out;
745 }
1da177e4 746
c9180a57 747 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 748 }
749
c9180a57 750 rc = sb_finish_set_opts(sb);
1da177e4 751out:
c9180a57 752 mutex_unlock(&sbsec->lock);
1da177e4 753 return rc;
c9180a57
EP		 754out_double_mount:
755 rc = -EINVAL;
756 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
757 "security settings for (dev %s, type %s)\n", sb->s_id, name);
758 goto out;
1da177e4
LT		 759}
760
094f7b69
JL		 761static int selinux_cmp_sb_context(const struct super_block *oldsb,
762 const struct super_block *newsb)
763{
764 struct superblock_security_struct *old = oldsb->s_security;
765 struct superblock_security_struct *new = newsb->s_security;
766 char oldflags = old->flags & SE_MNTMASK;
767 char newflags = new->flags & SE_MNTMASK;
768
769 if (oldflags != newflags)
770 goto mismatch;
771 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
772 goto mismatch;
773 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
774 goto mismatch;
775 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
776 goto mismatch;
777 if (oldflags & ROOTCONTEXT_MNT) {
778 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
779 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
780 if (oldroot->sid != newroot->sid)
781 goto mismatch;
782 }
783 return 0;
784mismatch:
785 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
786 "different security settings for (dev %s, "
787 "type %s)\n", newsb->s_id, newsb->s_type->name);
788 return -EBUSY;
789}
790
791static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 792 struct super_block *newsb)
1da177e4 793{
c9180a57
EP		 794 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
795 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 796
c9180a57
EP		 797 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
798 int set_context = (oldsbsec->flags & CONTEXT_MNT);
799 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 800
0f5e6420
EP		 801 /*
802 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 803 * mount options. thus we can safely deal with this superblock later
0f5e6420 804 */
e8c26255 805 if (!ss_initialized)
094f7b69 806 return 0;
c9180a57 807
c9180a57 808 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 809 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 810
094f7b69 811 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 812 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 813 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 814
c9180a57
EP		 815 mutex_lock(&newsbsec->lock);
816
817 newsbsec->flags = oldsbsec->flags;
818
819 newsbsec->sid = oldsbsec->sid;
820 newsbsec->def_sid = oldsbsec->def_sid;
821 newsbsec->behavior = oldsbsec->behavior;
822
823 if (set_context) {
824 u32 sid = oldsbsec->mntpoint_sid;
825
826 if (!set_fscontext)
827 newsbsec->sid = sid;
828 if (!set_rootcontext) {
829 struct inode *newinode = newsb->s_root->d_inode;
830 struct inode_security_struct *newisec = newinode->i_security;
831 newisec->sid = sid;
832 }
833 newsbsec->mntpoint_sid = sid;
1da177e4 834 }
c9180a57
EP		 835 if (set_rootcontext) {
836 const struct inode *oldinode = oldsb->s_root->d_inode;
837 const struct inode_security_struct *oldisec = oldinode->i_security;
838 struct inode *newinode = newsb->s_root->d_inode;
839 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 840
c9180a57 841 newisec->sid = oldisec->sid;
1da177e4
LT		 842 }
843
c9180a57
EP		 844 sb_finish_set_opts(newsb);
845 mutex_unlock(&newsbsec->lock);
094f7b69 846 return 0;
c9180a57
EP		 847}
848
2e1479d9
AB		 849static int selinux_parse_opts_str(char *options,
850 struct security_mnt_opts *opts)
c9180a57 851{
e0007529 852 char *p;
c9180a57
EP		 853 char *context = NULL, *defcontext = NULL;
854 char *fscontext = NULL, *rootcontext = NULL;
e0007529 855 int rc, num_mnt_opts = 0;
1da177e4 856
e0007529 857 opts->num_mnt_opts = 0;
1da177e4 858
c9180a57
EP		 859 /* Standard string-based options. */
860 while ((p = strsep(&options, "|")) != NULL) {
861 int token;
862 substring_t args[MAX_OPT_ARGS];
1da177e4 863
c9180a57
EP		 864 if (!*p)
865 continue;
1da177e4 866
c9180a57 867 token = match_token(p, tokens, args);
1da177e4 868
c9180a57
EP		 869 switch (token) {
870 case Opt_context:
871 if (context || defcontext) {
872 rc = -EINVAL;
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874 goto out_err;
875 }
876 context = match_strdup(&args[0]);
877 if (!context) {
878 rc = -ENOMEM;
879 goto out_err;
880 }
881 break;
882
883 case Opt_fscontext:
884 if (fscontext) {
885 rc = -EINVAL;
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
887 goto out_err;
888 }
889 fscontext = match_strdup(&args[0]);
890 if (!fscontext) {
891 rc = -ENOMEM;
892 goto out_err;
893 }
894 break;
895
896 case Opt_rootcontext:
897 if (rootcontext) {
898 rc = -EINVAL;
899 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
900 goto out_err;
901 }
902 rootcontext = match_strdup(&args[0]);
903 if (!rootcontext) {
904 rc = -ENOMEM;
905 goto out_err;
906 }
907 break;
908
909 case Opt_defcontext:
910 if (context || defcontext) {
911 rc = -EINVAL;
912 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
913 goto out_err;
914 }
915 defcontext = match_strdup(&args[0]);
916 if (!defcontext) {
917 rc = -ENOMEM;
918 goto out_err;
919 }
920 break;
11689d47
DQ		 921 case Opt_labelsupport:
922 break;
c9180a57
EP		 923 default:
924 rc = -EINVAL;
925 printk(KERN_WARNING "SELinux: unknown mount option\n");
926 goto out_err;
1da177e4 927
1da177e4 928 }
1da177e4 929 }
c9180a57 930
e0007529
EP		 931 rc = -ENOMEM;
932 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
933 if (!opts->mnt_opts)
934 goto out_err;
935
936 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
937 if (!opts->mnt_opts_flags) {
938 kfree(opts->mnt_opts);
939 goto out_err;
940 }
941
c9180a57 942 if (fscontext) {
e0007529
EP		 943 opts->mnt_opts[num_mnt_opts] = fscontext;
944 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 945 }
946 if (context) {
e0007529
EP		 947 opts->mnt_opts[num_mnt_opts] = context;
948 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 949 }
950 if (rootcontext) {
e0007529
EP		 951 opts->mnt_opts[num_mnt_opts] = rootcontext;
952 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 953 }
954 if (defcontext) {
e0007529
EP		 955 opts->mnt_opts[num_mnt_opts] = defcontext;
956 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 957 }
958
e0007529
EP		 959 opts->num_mnt_opts = num_mnt_opts;
960 return 0;
961
c9180a57
EP		 962out_err:
963 kfree(context);
964 kfree(defcontext);
965 kfree(fscontext);
966 kfree(rootcontext);
1da177e4
LT		 967 return rc;
968}
e0007529
EP		 969/*
970 * string mount options parsing and call set the sbsec
971 */
972static int superblock_doinit(struct super_block *sb, void *data)
973{
974 int rc = 0;
975 char *options = data;
976 struct security_mnt_opts opts;
977
978 security_init_mnt_opts(&opts);
979
980 if (!data)
981 goto out;
982
983 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
984
985 rc = selinux_parse_opts_str(options, &opts);
986 if (rc)
987 goto out_err;
988
989out:
990 rc = selinux_set_mnt_opts(sb, &opts);
991
992out_err:
993 security_free_mnt_opts(&opts);
994 return rc;
995}
1da177e4 996
3583a711
AB		 997static void selinux_write_opts(struct seq_file *m,
998 struct security_mnt_opts *opts)
2069f457
EP		 999{
1000 int i;
1001 char *prefix;
1002
1003 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1004 char *has_comma;
1005
1006 if (opts->mnt_opts[i])
1007 has_comma = strchr(opts->mnt_opts[i], ',');
1008 else
1009 has_comma = NULL;
2069f457
EP		 1010
1011 switch (opts->mnt_opts_flags[i]) {
1012 case CONTEXT_MNT:
1013 prefix = CONTEXT_STR;
1014 break;
1015 case FSCONTEXT_MNT:
1016 prefix = FSCONTEXT_STR;
1017 break;
1018 case ROOTCONTEXT_MNT:
1019 prefix = ROOTCONTEXT_STR;
1020 break;
1021 case DEFCONTEXT_MNT:
1022 prefix = DEFCONTEXT_STR;
1023 break;
11689d47
DQ		 1024 case SE_SBLABELSUPP:
1025 seq_putc(m, ',');
1026 seq_puts(m, LABELSUPP_STR);
1027 continue;
2069f457
EP		 1028 default:
1029 BUG();
a35c6c83 1030 return;
2069f457
EP		 1031 };
1032 /* we need a comma before each option */
1033 seq_putc(m, ',');
1034 seq_puts(m, prefix);
1035 if (has_comma)
1036 seq_putc(m, '\"');
1037 seq_puts(m, opts->mnt_opts[i]);
1038 if (has_comma)
1039 seq_putc(m, '\"');
1040 }
1041}
1042
1043static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1044{
1045 struct security_mnt_opts opts;
1046 int rc;
1047
1048 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1049 if (rc) {
1050 /* before policy load we may get EINVAL, don't show anything */
1051 if (rc == -EINVAL)
1052 rc = 0;
2069f457 1053 return rc;
383795c2 1054 }
2069f457
EP		 1055
1056 selinux_write_opts(m, &opts);
1057
1058 security_free_mnt_opts(&opts);
1059
1060 return rc;
1061}
1062
1da177e4
LT		 1063static inline u16 inode_mode_to_security_class(umode_t mode)
1064{
1065 switch (mode & S_IFMT) {
1066 case S_IFSOCK:
1067 return SECCLASS_SOCK_FILE;
1068 case S_IFLNK:
1069 return SECCLASS_LNK_FILE;
1070 case S_IFREG:
1071 return SECCLASS_FILE;
1072 case S_IFBLK:
1073 return SECCLASS_BLK_FILE;
1074 case S_IFDIR:
1075 return SECCLASS_DIR;
1076 case S_IFCHR:
1077 return SECCLASS_CHR_FILE;
1078 case S_IFIFO:
1079 return SECCLASS_FIFO_FILE;
1080
1081 }
1082
1083 return SECCLASS_FILE;
1084}
1085
13402580
JM		 1086static inline int default_protocol_stream(int protocol)
1087{
1088 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1089}
1090
1091static inline int default_protocol_dgram(int protocol)
1092{
1093 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1094}
1095
1da177e4
LT		 1096static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1097{
1098 switch (family) {
1099 case PF_UNIX:
1100 switch (type) {
1101 case SOCK_STREAM:
1102 case SOCK_SEQPACKET:
1103 return SECCLASS_UNIX_STREAM_SOCKET;
1104 case SOCK_DGRAM:
1105 return SECCLASS_UNIX_DGRAM_SOCKET;
1106 }
1107 break;
1108 case PF_INET:
1109 case PF_INET6:
1110 switch (type) {
1111 case SOCK_STREAM:
13402580
JM		 1112 if (default_protocol_stream(protocol))
1113 return SECCLASS_TCP_SOCKET;
1114 else
1115 return SECCLASS_RAWIP_SOCKET;
1da177e4 1116 case SOCK_DGRAM:
13402580
JM		 1117 if (default_protocol_dgram(protocol))
1118 return SECCLASS_UDP_SOCKET;
1119 else
1120 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1121 case SOCK_DCCP:
1122 return SECCLASS_DCCP_SOCKET;
13402580 1123 default:
1da177e4
LT		 1124 return SECCLASS_RAWIP_SOCKET;
1125 }
1126 break;
1127 case PF_NETLINK:
1128 switch (protocol) {
1129 case NETLINK_ROUTE:
1130 return SECCLASS_NETLINK_ROUTE_SOCKET;
1131 case NETLINK_FIREWALL:
1132 return SECCLASS_NETLINK_FIREWALL_SOCKET;
7f1fb60c 1133 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1134 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1135 case NETLINK_NFLOG:
1136 return SECCLASS_NETLINK_NFLOG_SOCKET;
1137 case NETLINK_XFRM:
1138 return SECCLASS_NETLINK_XFRM_SOCKET;
1139 case NETLINK_SELINUX:
1140 return SECCLASS_NETLINK_SELINUX_SOCKET;
1141 case NETLINK_AUDIT:
1142 return SECCLASS_NETLINK_AUDIT_SOCKET;
1143 case NETLINK_IP6_FW:
1144 return SECCLASS_NETLINK_IP6FW_SOCKET;
1145 case NETLINK_DNRTMSG:
1146 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1147 case NETLINK_KOBJECT_UEVENT:
1148 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1149 default:
1150 return SECCLASS_NETLINK_SOCKET;
1151 }
1152 case PF_PACKET:
1153 return SECCLASS_PACKET_SOCKET;
1154 case PF_KEY:
1155 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1156 case PF_APPLETALK:
1157 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1158 }
1159
1160 return SECCLASS_SOCKET;
1161}
1162
1163#ifdef CONFIG_PROC_FS
8e6c9693 1164static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1165 u16 tclass,
1166 u32 *sid)
1167{
8e6c9693
LAG		 1168 int rc;
1169 char *buffer, *path;
1da177e4 1170
828dfe1d 1171 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1172 if (!buffer)
1173 return -ENOMEM;
1174
8e6c9693
LAG		 1175 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1176 if (IS_ERR(path))
1177 rc = PTR_ERR(path);
1178 else {
1179 /* each process gets a /proc/PID/ entry. Strip off the
1180 * PID part to get a valid selinux labeling.
1181 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1182 while (path[1] >= '0' && path[1] <= '9') {
1183 path[1] = '/';
1184 path++;
1185 }
1186 rc = security_genfs_sid("proc", path, tclass, sid);
1da177e4 1187 }
1da177e4
LT		 1188 free_page((unsigned long)buffer);
1189 return rc;
1190}
1191#else
8e6c9693 1192static int selinux_proc_get_sid(struct dentry *dentry,
1da177e4
LT		 1193 u16 tclass,
1194 u32 *sid)
1195{
1196 return -EINVAL;
1197}
1198#endif
1199
1200/* The inode's security attributes must be initialized before first use. */
1201static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1202{
1203 struct superblock_security_struct *sbsec = NULL;
1204 struct inode_security_struct *isec = inode->i_security;
1205 u32 sid;
1206 struct dentry *dentry;
1207#define INITCONTEXTLEN 255
1208 char *context = NULL;
1209 unsigned len = 0;
1210 int rc = 0;
1da177e4
LT		 1211
1212 if (isec->initialized)
1213 goto out;
1214
23970741 1215 mutex_lock(&isec->lock);
1da177e4 1216 if (isec->initialized)
23970741 1217 goto out_unlock;
1da177e4
LT		 1218
1219 sbsec = inode->i_sb->s_security;
0d90a7ec 1220 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1221 /* Defer initialization until selinux_complete_init,
1222 after the initial policy is loaded and the security
1223 server is ready to handle calls. */
1224 spin_lock(&sbsec->isec_lock);
1225 if (list_empty(&isec->list))
1226 list_add(&isec->list, &sbsec->isec_head);
1227 spin_unlock(&sbsec->isec_lock);
23970741 1228 goto out_unlock;
1da177e4
LT		 1229 }
1230
1231 switch (sbsec->behavior) {
1232 case SECURITY_FS_USE_XATTR:
1233 if (!inode->i_op->getxattr) {
1234 isec->sid = sbsec->def_sid;
1235 break;
1236 }
1237
1238 /* Need a dentry, since the xattr API requires one.
1239 Life would be simpler if we could just pass the inode. */
1240 if (opt_dentry) {
1241 /* Called from d_instantiate or d_splice_alias. */
1242 dentry = dget(opt_dentry);
1243 } else {
1244 /* Called from selinux_complete_init, try to find a dentry. */
1245 dentry = d_find_alias(inode);
1246 }
1247 if (!dentry) {
df7f54c0
EP		 1248 /*
1249 * this is can be hit on boot when a file is accessed
1250 * before the policy is loaded. When we load policy we
1251 * may find inodes that have no dentry on the
1252 * sbsec->isec_head list. No reason to complain as these
1253 * will get fixed up the next time we go through
1254 * inode_doinit with a dentry, before these inodes could
1255 * be used again by userspace.
1256 */
23970741 1257 goto out_unlock;
1da177e4
LT		 1258 }
1259
1260 len = INITCONTEXTLEN;
4cb912f1 1261 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1262 if (!context) {
1263 rc = -ENOMEM;
1264 dput(dentry);
23970741 1265 goto out_unlock;
1da177e4 1266 }
4cb912f1 1267 context[len] = '\0';
1da177e4
LT		 1268 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1269 context, len);
1270 if (rc == -ERANGE) {
314dabb8
JM		 1271 kfree(context);
1272
1da177e4
LT		 1273 /* Need a larger buffer. Query for the right size. */
1274 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1275 NULL, 0);
1276 if (rc < 0) {
1277 dput(dentry);
23970741 1278 goto out_unlock;
1da177e4 1279 }
1da177e4 1280 len = rc;
4cb912f1 1281 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1282 if (!context) {
1283 rc = -ENOMEM;
1284 dput(dentry);
23970741 1285 goto out_unlock;
1da177e4 1286 }
4cb912f1 1287 context[len] = '\0';
1da177e4
LT		 1288 rc = inode->i_op->getxattr(dentry,
1289 XATTR_NAME_SELINUX,
1290 context, len);
1291 }
1292 dput(dentry);
1293 if (rc < 0) {
1294 if (rc != -ENODATA) {
744ba35e 1295 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1296 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1297 -rc, inode->i_sb->s_id, inode->i_ino);
1298 kfree(context);
23970741 1299 goto out_unlock;
1da177e4
LT		 1300 }
1301 /* Map ENODATA to the default file SID */
1302 sid = sbsec->def_sid;
1303 rc = 0;
1304 } else {
f5c1d5b2 1305 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1306 sbsec->def_sid,
1307 GFP_NOFS);
1da177e4 1308 if (rc) {
4ba0a8ad
EP		 1309 char *dev = inode->i_sb->s_id;
1310 unsigned long ino = inode->i_ino;
1311
1312 if (rc == -EINVAL) {
1313 if (printk_ratelimit())
1314 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1315 "context=%s. This indicates you may need to relabel the inode or the "
1316 "filesystem in question.\n", ino, dev, context);
1317 } else {
1318 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1319 "returned %d for dev=%s ino=%ld\n",
1320 __func__, context, -rc, dev, ino);
1321 }
1da177e4
LT		 1322 kfree(context);
1323 /* Leave with the unlabeled SID */
1324 rc = 0;
1325 break;
1326 }
1327 }
1328 kfree(context);
1329 isec->sid = sid;
1330 break;
1331 case SECURITY_FS_USE_TASK:
1332 isec->sid = isec->task_sid;
1333 break;
1334 case SECURITY_FS_USE_TRANS:
1335 /* Default to the fs SID. */
1336 isec->sid = sbsec->sid;
1337
1338 /* Try to obtain a transition SID. */
1339 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1340 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1341 isec->sclass, NULL, &sid);
1da177e4 1342 if (rc)
23970741 1343 goto out_unlock;
1da177e4
LT		 1344 isec->sid = sid;
1345 break;
c312feb2
EP		 1346 case SECURITY_FS_USE_MNTPOINT:
1347 isec->sid = sbsec->mntpoint_sid;
1348 break;
1da177e4 1349 default:
c312feb2 1350 /* Default to the fs superblock SID. */
1da177e4
LT		 1351 isec->sid = sbsec->sid;
1352
0d90a7ec 1353 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
8e6c9693 1354 if (opt_dentry) {
1da177e4 1355 isec->sclass = inode_mode_to_security_class(inode->i_mode);
8e6c9693 1356 rc = selinux_proc_get_sid(opt_dentry,
1da177e4
LT		 1357 isec->sclass,
1358 &sid);
1359 if (rc)
23970741 1360 goto out_unlock;
1da177e4
LT		 1361 isec->sid = sid;
1362 }
1363 }
1364 break;
1365 }
1366
1367 isec->initialized = 1;
1368
23970741
EP		 1369out_unlock:
1370 mutex_unlock(&isec->lock);
1da177e4
LT		 1371out:
1372 if (isec->sclass == SECCLASS_FILE)
1373 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1374 return rc;
1375}
1376
1377/* Convert a Linux signal to an access vector. */
1378static inline u32 signal_to_av(int sig)
1379{
1380 u32 perm = 0;
1381
1382 switch (sig) {
1383 case SIGCHLD:
1384 /* Commonly granted from child to parent. */
1385 perm = PROCESS__SIGCHLD;
1386 break;
1387 case SIGKILL:
1388 /* Cannot be caught or ignored */
1389 perm = PROCESS__SIGKILL;
1390 break;
1391 case SIGSTOP:
1392 /* Cannot be caught or ignored */
1393 perm = PROCESS__SIGSTOP;
1394 break;
1395 default:
1396 /* All other signals. */
1397 perm = PROCESS__SIGNAL;
1398 break;
1399 }
1400
1401 return perm;
1402}
1403
d84f4f99
DH		 1404/*
1405 * Check permission between a pair of credentials
1406 * fork check, ptrace check, etc.
1407 */
1408static int cred_has_perm(const struct cred *actor,
1409 const struct cred *target,
1410 u32 perms)
1411{
1412 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1413
1414 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1415}
1416
275bb41e 1417/*
88e67f3b 1418 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1419 * fork check, ptrace check, etc.
1420 * tsk1 is the actor and tsk2 is the target
3b11a1de 1421 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1422 */
1423static int task_has_perm(const struct task_struct *tsk1,
1424 const struct task_struct *tsk2,
1da177e4
LT		 1425 u32 perms)
1426{
275bb41e
DH		 1427 const struct task_security_struct *__tsec1, *__tsec2;
1428 u32 sid1, sid2;
1da177e4 1429
275bb41e
DH		 1430 rcu_read_lock();
1431 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1432 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1433 rcu_read_unlock();
1434 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1435}
1436
3b11a1de
DH		 1437/*
1438 * Check permission between current and another task, e.g. signal checks,
1439 * fork check, ptrace check, etc.
1440 * current is the actor and tsk2 is the target
1441 * - this uses current's subjective creds
1442 */
1443static int current_has_perm(const struct task_struct *tsk,
1444 u32 perms)
1445{
1446 u32 sid, tsid;
1447
1448 sid = current_sid();
1449 tsid = task_sid(tsk);
1450 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1451}
1452
b68e418c
SS		 1453#if CAP_LAST_CAP > 63
1454#error Fix SELinux to handle capabilities > 63.
1455#endif
1456
1da177e4 1457/* Check whether a task is allowed to use a capability. */
6a9de491 1458static int cred_has_capability(const struct cred *cred,
06112163 1459 int cap, int audit)
1da177e4 1460{
2bf49690 1461 struct common_audit_data ad;
06112163 1462 struct av_decision avd;
b68e418c 1463 u16 sclass;
3699c53c 1464 u32 sid = cred_sid(cred);
b68e418c 1465 u32 av = CAP_TO_MASK(cap);
06112163 1466 int rc;
1da177e4 1467
50c205f5 1468 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1469 ad.u.cap = cap;
1470
b68e418c
SS		 1471 switch (CAP_TO_INDEX(cap)) {
1472 case 0:
1473 sclass = SECCLASS_CAPABILITY;
1474 break;
1475 case 1:
1476 sclass = SECCLASS_CAPABILITY2;
1477 break;
1478 default:
1479 printk(KERN_ERR
1480 "SELinux: out of range capability %d\n", cap);
1481 BUG();
a35c6c83 1482 return -EINVAL;
b68e418c 1483 }
06112163 1484
275bb41e 1485 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4
EP		 1486 if (audit == SECURITY_CAP_AUDIT) {
1487 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1488 if (rc2)
1489 return rc2;
1490 }
06112163 1491 return rc;
1da177e4
LT		 1492}
1493
1494/* Check whether a task is allowed to use a system operation. */
1495static int task_has_system(struct task_struct *tsk,
1496 u32 perms)
1497{
275bb41e 1498 u32 sid = task_sid(tsk);
1da177e4 1499
275bb41e 1500 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1501 SECCLASS_SYSTEM, perms, NULL);
1502}
1503
1504/* Check whether a task has a particular permission to an inode.
1505 The 'adp' parameter is optional and allows other audit
1506 data to be passed (e.g. the dentry). */
88e67f3b 1507static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1508 struct inode *inode,
1509 u32 perms,
9ade0cf4
EP		 1510 struct common_audit_data *adp,
1511 unsigned flags)
1da177e4 1512{
1da177e4 1513 struct inode_security_struct *isec;
275bb41e 1514 u32 sid;
1da177e4 1515
e0e81739
DH		 1516 validate_creds(cred);
1517
828dfe1d 1518 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1519 return 0;
1520
88e67f3b 1521 sid = cred_sid(cred);
1da177e4
LT		 1522 isec = inode->i_security;
1523
9ade0cf4 1524 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1da177e4
LT		 1525}
1526
1527/* Same as inode_has_perm, but pass explicit audit data containing
1528 the dentry to help the auditing code to more easily generate the
1529 pathname if needed. */
88e67f3b 1530static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1531 struct dentry *dentry,
1532 u32 av)
1533{
1534 struct inode *inode = dentry->d_inode;
2bf49690 1535 struct common_audit_data ad;
88e67f3b 1536
50c205f5 1537 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00
EP		 1538 ad.u.dentry = dentry;
1539 return inode_has_perm(cred, inode, av, &ad, 0);
1540}
1541
1542/* Same as inode_has_perm, but pass explicit audit data containing
1543 the path to help the auditing code to more easily generate the
1544 pathname if needed. */
1545static inline int path_has_perm(const struct cred *cred,
1546 struct path *path,
1547 u32 av)
1548{
1549 struct inode *inode = path->dentry->d_inode;
1550 struct common_audit_data ad;
1551
50c205f5 1552 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1553 ad.u.path = *path;
9ade0cf4 1554 return inode_has_perm(cred, inode, av, &ad, 0);
1da177e4
LT		 1555}
1556
1557/* Check whether a task can use an open file descriptor to
1558 access an inode in a given way. Check access to the
1559 descriptor itself, and then use dentry_has_perm to
1560 check a particular permission to the file.
1561 Access to the descriptor is implicitly granted if it
1562 has the same SID as the process. If av is zero, then
1563 access to the file is not checked, e.g. for cases
1564 where only the descriptor is affected like seek. */
88e67f3b
DH		 1565static int file_has_perm(const struct cred *cred,
1566 struct file *file,
1567 u32 av)
1da177e4 1568{
1da177e4 1569 struct file_security_struct *fsec = file->f_security;
496ad9aa 1570 struct inode *inode = file_inode(file);
2bf49690 1571 struct common_audit_data ad;
88e67f3b 1572 u32 sid = cred_sid(cred);
1da177e4
LT		 1573 int rc;
1574
50c205f5 1575 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1576 ad.u.path = file->f_path;
1da177e4 1577
275bb41e
DH		 1578 if (sid != fsec->sid) {
1579 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1580 SECCLASS_FD,
1581 FD__USE,
1582 &ad);
1583 if (rc)
88e67f3b 1584 goto out;
1da177e4
LT		 1585 }
1586
1587 /* av is zero if only checking access to the descriptor. */
88e67f3b 1588 rc = 0;
1da177e4 1589 if (av)
9ade0cf4 1590 rc = inode_has_perm(cred, inode, av, &ad, 0);
1da177e4 1591
88e67f3b
DH		 1592out:
1593 return rc;
1da177e4
LT		 1594}
1595
1596/* Check whether a task can create a file. */
1597static int may_create(struct inode *dir,
1598 struct dentry *dentry,
1599 u16 tclass)
1600{
5fb49870 1601 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1602 struct inode_security_struct *dsec;
1603 struct superblock_security_struct *sbsec;
275bb41e 1604 u32 sid, newsid;
2bf49690 1605 struct common_audit_data ad;
1da177e4
LT		 1606 int rc;
1607
1da177e4
LT		 1608 dsec = dir->i_security;
1609 sbsec = dir->i_sb->s_security;
1610
275bb41e
DH		 1611 sid = tsec->sid;
1612 newsid = tsec->create_sid;
1613
50c205f5 1614 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1615 ad.u.dentry = dentry;
1da177e4 1616
275bb41e 1617 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1618 DIR__ADD_NAME | DIR__SEARCH,
1619 &ad);
1620 if (rc)
1621 return rc;
1622
cd89596f 1623 if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
cb1e922f
EP		 1624 rc = security_transition_sid(sid, dsec->sid, tclass,
1625 &dentry->d_name, &newsid);
1da177e4
LT		 1626 if (rc)
1627 return rc;
1628 }
1629
275bb41e 1630 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1631 if (rc)
1632 return rc;
1633
1634 return avc_has_perm(newsid, sbsec->sid,
1635 SECCLASS_FILESYSTEM,
1636 FILESYSTEM__ASSOCIATE, &ad);
1637}
1638
4eb582cf
ML		 1639/* Check whether a task can create a key. */
1640static int may_create_key(u32 ksid,
1641 struct task_struct *ctx)
1642{
275bb41e 1643 u32 sid = task_sid(ctx);
4eb582cf 1644
275bb41e 1645 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1646}
1647
828dfe1d
EP		 1648#define MAY_LINK 0
1649#define MAY_UNLINK 1
1650#define MAY_RMDIR 2
1da177e4
LT		 1651
1652/* Check whether a task can link, unlink, or rmdir a file/directory. */
1653static int may_link(struct inode *dir,
1654 struct dentry *dentry,
1655 int kind)
1656
1657{
1da177e4 1658 struct inode_security_struct *dsec, *isec;
2bf49690 1659 struct common_audit_data ad;
275bb41e 1660 u32 sid = current_sid();
1da177e4
LT		 1661 u32 av;
1662 int rc;
1663
1da177e4
LT		 1664 dsec = dir->i_security;
1665 isec = dentry->d_inode->i_security;
1666
50c205f5 1667 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1668 ad.u.dentry = dentry;
1da177e4
LT		 1669
1670 av = DIR__SEARCH;
1671 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1672 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1673 if (rc)
1674 return rc;
1675
1676 switch (kind) {
1677 case MAY_LINK:
1678 av = FILE__LINK;
1679 break;
1680 case MAY_UNLINK:
1681 av = FILE__UNLINK;
1682 break;
1683 case MAY_RMDIR:
1684 av = DIR__RMDIR;
1685 break;
1686 default:
744ba35e
EP		 1687 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1688 __func__, kind);
1da177e4
LT		 1689 return 0;
1690 }
1691
275bb41e 1692 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1693 return rc;
1694}
1695
1696static inline int may_rename(struct inode *old_dir,
1697 struct dentry *old_dentry,
1698 struct inode *new_dir,
1699 struct dentry *new_dentry)
1700{
1da177e4 1701 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1702 struct common_audit_data ad;
275bb41e 1703 u32 sid = current_sid();
1da177e4
LT		 1704 u32 av;
1705 int old_is_dir, new_is_dir;
1706 int rc;
1707
1da177e4
LT		 1708 old_dsec = old_dir->i_security;
1709 old_isec = old_dentry->d_inode->i_security;
1710 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1711 new_dsec = new_dir->i_security;
1712
50c205f5 1713 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1714
a269434d 1715 ad.u.dentry = old_dentry;
275bb41e 1716 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1717 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1718 if (rc)
1719 return rc;
275bb41e 1720 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1721 old_isec->sclass, FILE__RENAME, &ad);
1722 if (rc)
1723 return rc;
1724 if (old_is_dir && new_dir != old_dir) {
275bb41e 1725 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1726 old_isec->sclass, DIR__REPARENT, &ad);
1727 if (rc)
1728 return rc;
1729 }
1730
a269434d 1731 ad.u.dentry = new_dentry;
1da177e4
LT		 1732 av = DIR__ADD_NAME | DIR__SEARCH;
1733 if (new_dentry->d_inode)
1734 av |= DIR__REMOVE_NAME;
275bb41e 1735 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1736 if (rc)
1737 return rc;
1738 if (new_dentry->d_inode) {
1739 new_isec = new_dentry->d_inode->i_security;
1740 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1741 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1742 new_isec->sclass,
1743 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1744 if (rc)
1745 return rc;
1746 }
1747
1748 return 0;
1749}
1750
1751/* Check whether a task can perform a filesystem operation. */
88e67f3b 1752static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1753 struct super_block *sb,
1754 u32 perms,
2bf49690 1755 struct common_audit_data *ad)
1da177e4 1756{
1da177e4 1757 struct superblock_security_struct *sbsec;
88e67f3b 1758 u32 sid = cred_sid(cred);
1da177e4 1759
1da177e4 1760 sbsec = sb->s_security;
275bb41e 1761 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1762}
1763
1764/* Convert a Linux mode and permission mask to an access vector. */
1765static inline u32 file_mask_to_av(int mode, int mask)
1766{
1767 u32 av = 0;
1768
dba19c60 1769 if (!S_ISDIR(mode)) {
1da177e4
LT		 1770 if (mask & MAY_EXEC)
1771 av |= FILE__EXECUTE;
1772 if (mask & MAY_READ)
1773 av |= FILE__READ;
1774
1775 if (mask & MAY_APPEND)
1776 av |= FILE__APPEND;
1777 else if (mask & MAY_WRITE)
1778 av |= FILE__WRITE;
1779
1780 } else {
1781 if (mask & MAY_EXEC)
1782 av |= DIR__SEARCH;
1783 if (mask & MAY_WRITE)
1784 av |= DIR__WRITE;
1785 if (mask & MAY_READ)
1786 av |= DIR__READ;
1787 }
1788
1789 return av;
1790}
1791
8b6a5a37
EP		 1792/* Convert a Linux file to an access vector. */
1793static inline u32 file_to_av(struct file *file)
1794{
1795 u32 av = 0;
1796
1797 if (file->f_mode & FMODE_READ)
1798 av |= FILE__READ;
1799 if (file->f_mode & FMODE_WRITE) {
1800 if (file->f_flags & O_APPEND)
1801 av |= FILE__APPEND;
1802 else
1803 av |= FILE__WRITE;
1804 }
1805 if (!av) {
1806 /*
1807 * Special file opened with flags 3 for ioctl-only use.
1808 */
1809 av = FILE__IOCTL;
1810 }
1811
1812 return av;
1813}
1814
b0c636b9 1815/*
8b6a5a37 1816 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1817 * open permission.
1818 */
8b6a5a37 1819static inline u32 open_file_to_av(struct file *file)
b0c636b9 1820{
8b6a5a37 1821 u32 av = file_to_av(file);
b0c636b9 1822
49b7b8de
EP		 1823 if (selinux_policycap_openperm)
1824 av |= FILE__OPEN;
1825
b0c636b9
EP		 1826 return av;
1827}
1828
1da177e4
LT		 1829/* Hook functions begin here. */
1830
9e48858f 1831static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 1832 unsigned int mode)
1da177e4 1833{
1da177e4
LT		 1834 int rc;
1835
9e48858f 1836 rc = cap_ptrace_access_check(child, mode);
1da177e4
LT		 1837 if (rc)
1838 return rc;
1839
69f594a3 1840 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 1841 u32 sid = current_sid();
1842 u32 csid = task_sid(child);
1843 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1844 }
1845
3b11a1de 1846 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 1847}
1848
1849static int selinux_ptrace_traceme(struct task_struct *parent)
1850{
1851 int rc;
1852
200ac532 1853 rc = cap_ptrace_traceme(parent);
5cd9c58f
DH		 1854 if (rc)
1855 return rc;
1856
1857 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1858}
1859
1860static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1861 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1862{
1863 int error;
1864
3b11a1de 1865 error = current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 1866 if (error)
1867 return error;
1868
200ac532 1869 return cap_capget(target, effective, inheritable, permitted);
1da177e4
LT		 1870}
1871
d84f4f99
DH		 1872static int selinux_capset(struct cred *new, const struct cred *old,
1873 const kernel_cap_t *effective,
1874 const kernel_cap_t *inheritable,
1875 const kernel_cap_t *permitted)
1da177e4
LT		 1876{
1877 int error;
1878
200ac532 1879 error = cap_capset(new, old,
d84f4f99 1880 effective, inheritable, permitted);
1da177e4
LT		 1881 if (error)
1882 return error;
1883
d84f4f99 1884 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 1885}
1886
5626d3e8
JM		 1887/*
1888 * (This comment used to live with the selinux_task_setuid hook,
1889 * which was removed).
1890 *
1891 * Since setuid only affects the current process, and since the SELinux
1892 * controls are not based on the Linux identity attributes, SELinux does not
1893 * need to control this operation. However, SELinux does control the use of
1894 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1895 */
1896
6a9de491
EP		 1897static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
1898 int cap, int audit)
1da177e4
LT		 1899{
1900 int rc;
1901
6a9de491 1902 rc = cap_capable(cred, ns, cap, audit);
1da177e4
LT		 1903 if (rc)
1904 return rc;
1905
6a9de491 1906 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 1907}
1908
1da177e4
LT		 1909static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1910{
88e67f3b 1911 const struct cred *cred = current_cred();
1da177e4
LT		 1912 int rc = 0;
1913
1914 if (!sb)
1915 return 0;
1916
1917 switch (cmds) {
828dfe1d
EP		 1918 case Q_SYNC:
1919 case Q_QUOTAON:
1920 case Q_QUOTAOFF:
1921 case Q_SETINFO:
1922 case Q_SETQUOTA:
88e67f3b 1923 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 1924 break;
1925 case Q_GETFMT:
1926 case Q_GETINFO:
1927 case Q_GETQUOTA:
88e67f3b 1928 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 1929 break;
1930 default:
1931 rc = 0; /* let the kernel handle invalid cmds */
1932 break;
1da177e4
LT		 1933 }
1934 return rc;
1935}
1936
1937static int selinux_quota_on(struct dentry *dentry)
1938{
88e67f3b
DH		 1939 const struct cred *cred = current_cred();
1940
2875fa00 1941 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 1942}
1943
12b3052c 1944static int selinux_syslog(int type)
1da177e4
LT		 1945{
1946 int rc;
1947
1da177e4 1948 switch (type) {
d78ca3cd
KC		 1949 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
1950 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 1951 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1952 break;
d78ca3cd
KC		 1953 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
1954 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
1955 /* Set level of messages printed to console */
1956 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 1957 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1958 break;
d78ca3cd
KC		 1959 case SYSLOG_ACTION_CLOSE: /* Close log */
1960 case SYSLOG_ACTION_OPEN: /* Open log */
1961 case SYSLOG_ACTION_READ: /* Read from log */
1962 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
1963 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 1964 default:
1965 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1966 break;
1da177e4
LT		 1967 }
1968 return rc;
1969}
1970
1971/*
1972 * Check that a process has enough memory to allocate a new virtual
1973 * mapping. 0 means there is enough memory for the allocation to
1974 * succeed and -ENOMEM implies there is not.
1975 *
1da177e4
LT		 1976 * Do not audit the selinux permission check, as this is applied to all
1977 * processes that allocate mappings.
1978 */
34b4e4aa 1979static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1980{
1981 int rc, cap_sys_admin = 0;
1da177e4 1982
6a9de491 1983 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
3699c53c 1984 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 1985 if (rc == 0)
1986 cap_sys_admin = 1;
1987
34b4e4aa 1988 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1989}
1990
1991/* binprm security operations */
1992
a6f76f23 1993static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 1994{
a6f76f23
DH		 1995 const struct task_security_struct *old_tsec;
1996 struct task_security_struct *new_tsec;
1da177e4 1997 struct inode_security_struct *isec;
2bf49690 1998 struct common_audit_data ad;
496ad9aa 1999 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2000 int rc;
2001
200ac532 2002 rc = cap_bprm_set_creds(bprm);
1da177e4
LT		 2003 if (rc)
2004 return rc;
2005
a6f76f23
DH		 2006 /* SELinux context only depends on initial program or script and not
2007 * the script interpreter */
2008 if (bprm->cred_prepared)
1da177e4
LT		 2009 return 0;
2010
a6f76f23
DH		 2011 old_tsec = current_security();
2012 new_tsec = bprm->cred->security;
1da177e4
LT		 2013 isec = inode->i_security;
2014
2015 /* Default to the current task SID. */
a6f76f23
DH		 2016 new_tsec->sid = old_tsec->sid;
2017 new_tsec->osid = old_tsec->sid;
1da177e4 2018
28eba5bf 2019 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2020 new_tsec->create_sid = 0;
2021 new_tsec->keycreate_sid = 0;
2022 new_tsec->sockcreate_sid = 0;
1da177e4 2023
a6f76f23
DH		 2024 if (old_tsec->exec_sid) {
2025 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2026 /* Reset exec SID on execve. */
a6f76f23 2027 new_tsec->exec_sid = 0;
259e5e6c
AL		 2028
2029 /*
2030 * Minimize confusion: if no_new_privs and a transition is
2031 * explicitly requested, then fail the exec.
2032 */
2033 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2034 return -EPERM;
1da177e4
LT		 2035 } else {
2036 /* Check for a default transition on this program. */
a6f76f23 2037 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2038 SECCLASS_PROCESS, NULL,
2039 &new_tsec->sid);
1da177e4
LT		 2040 if (rc)
2041 return rc;
2042 }
2043
50c205f5 2044 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2045 ad.u.path = bprm->file->f_path;
1da177e4 2046
259e5e6c
AL		 2047 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2048 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
a6f76f23 2049 new_tsec->sid = old_tsec->sid;
1da177e4 2050
a6f76f23
DH		 2051 if (new_tsec->sid == old_tsec->sid) {
2052 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2053 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2054 if (rc)
2055 return rc;
2056 } else {
2057 /* Check permissions for the transition. */
a6f76f23 2058 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2059 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2060 if (rc)
2061 return rc;
2062
a6f76f23 2063 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2064 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2065 if (rc)
2066 return rc;
2067
a6f76f23
DH		 2068 /* Check for shared state */
2069 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2070 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2071 SECCLASS_PROCESS, PROCESS__SHARE,
2072 NULL);
2073 if (rc)
2074 return -EPERM;
2075 }
2076
2077 /* Make sure that anyone attempting to ptrace over a task that
2078 * changes its SID has the appropriate permit */
2079 if (bprm->unsafe &
2080 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2081 struct task_struct *tracer;
2082 struct task_security_struct *sec;
2083 u32 ptsid = 0;
2084
2085 rcu_read_lock();
06d98473 2086 tracer = ptrace_parent(current);
a6f76f23
DH		 2087 if (likely(tracer != NULL)) {
2088 sec = __task_cred(tracer)->security;
2089 ptsid = sec->sid;
2090 }
2091 rcu_read_unlock();
2092
2093 if (ptsid != 0) {
2094 rc = avc_has_perm(ptsid, new_tsec->sid,
2095 SECCLASS_PROCESS,
2096 PROCESS__PTRACE, NULL);
2097 if (rc)
2098 return -EPERM;
2099 }
2100 }
1da177e4 2101
a6f76f23
DH		 2102 /* Clear any possibly unsafe personality bits on exec: */
2103 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2104 }
2105
1da177e4
LT		 2106 return 0;
2107}
2108
828dfe1d 2109static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2110{
5fb49870 2111 const struct task_security_struct *tsec = current_security();
275bb41e 2112 u32 sid, osid;
1da177e4
LT		 2113 int atsecure = 0;
2114
275bb41e
DH		 2115 sid = tsec->sid;
2116 osid = tsec->osid;
2117
2118 if (osid != sid) {
1da177e4
LT		 2119 /* Enable secure mode for SIDs transitions unless
2120 the noatsecure permission is granted between
2121 the two SIDs, i.e. ahp returns 0. */
275bb41e 2122 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2123 SECCLASS_PROCESS,
2124 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2125 }
2126
200ac532 2127 return (atsecure || cap_bprm_secureexec(bprm));
1da177e4
LT		 2128}
2129
c3c073f8
AV		 2130static int match_file(const void *p, struct file *file, unsigned fd)
2131{
2132 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2133}
2134
1da177e4 2135/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2136static inline void flush_unauthorized_files(const struct cred *cred,
2137 struct files_struct *files)
1da177e4 2138{
1da177e4 2139 struct file *file, *devnull = NULL;
b20c8122 2140 struct tty_struct *tty;
24ec839c 2141 int drop_tty = 0;
c3c073f8 2142 unsigned n;
1da177e4 2143
24ec839c 2144 tty = get_current_tty();
1da177e4 2145 if (tty) {
ee2ffa0d 2146 spin_lock(&tty_files_lock);
37dd0bd0 2147 if (!list_empty(&tty->tty_files)) {
d996b62a 2148 struct tty_file_private *file_priv;
37dd0bd0 2149
1da177e4 2150 /* Revalidate access to controlling tty.
602a8dd6 2151 Use path_has_perm on the tty path directly rather
1da177e4
LT		 2152 than using file_has_perm, as this particular open
2153 file may belong to another process and we are only
2154 interested in the inode-based check here. */
d996b62a
NP		 2155 file_priv = list_first_entry(&tty->tty_files,
2156 struct tty_file_private, list);
2157 file = file_priv->file;
602a8dd6 2158 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
24ec839c 2159 drop_tty = 1;
1da177e4 2160 }
ee2ffa0d 2161 spin_unlock(&tty_files_lock);
452a00d2 2162 tty_kref_put(tty);
1da177e4 2163 }
98a27ba4
EB		 2164 /* Reset controlling tty. */
2165 if (drop_tty)
2166 no_tty();
1da177e4
LT		 2167
2168 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2169 n = iterate_fd(files, 0, match_file, cred);
2170 if (!n) /* none found? */
2171 return;
1da177e4 2172
c3c073f8 2173 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2174 if (IS_ERR(devnull))
2175 devnull = NULL;
2176 /* replace all the matching ones with this */
2177 do {
2178 replace_fd(n - 1, devnull, 0);
2179 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2180 if (devnull)
c3c073f8 2181 fput(devnull);
1da177e4
LT		 2182}
2183
a6f76f23
DH		 2184/*
2185 * Prepare a process for imminent new credential changes due to exec
2186 */
2187static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2188{
a6f76f23
DH		 2189 struct task_security_struct *new_tsec;
2190 struct rlimit *rlim, *initrlim;
2191 int rc, i;
d84f4f99 2192
a6f76f23
DH		 2193 new_tsec = bprm->cred->security;
2194 if (new_tsec->sid == new_tsec->osid)
2195 return;
1da177e4 2196
a6f76f23
DH		 2197 /* Close files for which the new task SID is not authorized. */
2198 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2199
a6f76f23
DH		 2200 /* Always clear parent death signal on SID transitions. */
2201 current->pdeath_signal = 0;
0356357c 2202
a6f76f23
DH		 2203 /* Check whether the new SID can inherit resource limits from the old
2204 * SID. If not, reset all soft limits to the lower of the current
2205 * task's hard limit and the init task's soft limit.
2206 *
2207 * Note that the setting of hard limits (even to lower them) can be
2208 * controlled by the setrlimit check. The inclusion of the init task's
2209 * soft limit into the computation is to avoid resetting soft limits
2210 * higher than the default soft limit for cases where the default is
2211 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2212 */
2213 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2214 PROCESS__RLIMITINH, NULL);
2215 if (rc) {
eb2d55a3
ON		 2216 /* protect against do_prlimit() */
2217 task_lock(current);
a6f76f23
DH		 2218 for (i = 0; i < RLIM_NLIMITS; i++) {
2219 rlim = current->signal->rlim + i;
2220 initrlim = init_task.signal->rlim + i;
2221 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2222 }
eb2d55a3
ON		 2223 task_unlock(current);
2224 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2225 }
2226}
2227
2228/*
a6f76f23
DH		 2229 * Clean up the process immediately after the installation of new credentials
2230 * due to exec
1da177e4 2231 */
a6f76f23 2232static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2233{
a6f76f23 2234 const struct task_security_struct *tsec = current_security();
1da177e4 2235 struct itimerval itimer;
a6f76f23 2236 u32 osid, sid;
1da177e4
LT		 2237 int rc, i;
2238
a6f76f23
DH		 2239 osid = tsec->osid;
2240 sid = tsec->sid;
2241
2242 if (sid == osid)
1da177e4
LT		 2243 return;
2244
a6f76f23
DH		 2245 /* Check whether the new SID can inherit signal state from the old SID.
2246 * If not, clear itimers to avoid subsequent signal generation and
2247 * flush and unblock signals.
2248 *
2249 * This must occur _after_ the task SID has been updated so that any
2250 * kill done after the flush will be checked against the new SID.
2251 */
2252 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2253 if (rc) {
2254 memset(&itimer, 0, sizeof itimer);
2255 for (i = 0; i < 3; i++)
2256 do_setitimer(i, &itimer, NULL);
1da177e4 2257 spin_lock_irq(&current->sighand->siglock);
3bcac026
DH		 2258 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2259 __flush_signals(current);
2260 flush_signal_handlers(current, 1);
2261 sigemptyset(&current->blocked);
2262 }
1da177e4
LT		 2263 spin_unlock_irq(&current->sighand->siglock);
2264 }
2265
a6f76f23
DH		 2266 /* Wake up the parent if it is waiting so that it can recheck
2267 * wait permission to the new task SID. */
ecd6de3c 2268 read_lock(&tasklist_lock);
0b7570e7 2269 __wake_up_parent(current, current->real_parent);
ecd6de3c 2270 read_unlock(&tasklist_lock);
1da177e4
LT		 2271}
2272
2273/* superblock security operations */
2274
2275static int selinux_sb_alloc_security(struct super_block *sb)
2276{
2277 return superblock_alloc_security(sb);
2278}
2279
2280static void selinux_sb_free_security(struct super_block *sb)
2281{
2282 superblock_free_security(sb);
2283}
2284
2285static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2286{
2287 if (plen > olen)
2288 return 0;
2289
2290 return !memcmp(prefix, option, plen);
2291}
2292
2293static inline int selinux_option(char *option, int len)
2294{
832cbd9a
EP		 2295 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2296 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2297 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2298 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2299 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2300}
2301
2302static inline void take_option(char **to, char *from, int *first, int len)
2303{
2304 if (!*first) {
2305 **to = ',';
2306 *to += 1;
3528a953 2307 } else
1da177e4
LT		 2308 *first = 0;
2309 memcpy(*to, from, len);
2310 *to += len;
2311}
2312
828dfe1d
EP		 2313static inline void take_selinux_option(char **to, char *from, int *first,
2314 int len)
3528a953
CO		 2315{
2316 int current_size = 0;
2317
2318 if (!*first) {
2319 **to = '|';
2320 *to += 1;
828dfe1d 2321 } else
3528a953
CO		 2322 *first = 0;
2323
2324 while (current_size < len) {
2325 if (*from != '"') {
2326 **to = *from;
2327 *to += 1;
2328 }
2329 from += 1;
2330 current_size += 1;
2331 }
2332}
2333
e0007529 2334static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2335{
2336 int fnosec, fsec, rc = 0;
2337 char *in_save, *in_curr, *in_end;
2338 char *sec_curr, *nosec_save, *nosec;
3528a953 2339 int open_quote = 0;
1da177e4
LT		 2340
2341 in_curr = orig;
2342 sec_curr = copy;
2343
1da177e4
LT		 2344 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2345 if (!nosec) {
2346 rc = -ENOMEM;
2347 goto out;
2348 }
2349
2350 nosec_save = nosec;
2351 fnosec = fsec = 1;
2352 in_save = in_end = orig;
2353
2354 do {
3528a953
CO		 2355 if (*in_end == '"')
2356 open_quote = !open_quote;
2357 if ((*in_end == ',' && open_quote == 0) ||
2358 *in_end == '\0') {
1da177e4
LT		 2359 int len = in_end - in_curr;
2360
2361 if (selinux_option(in_curr, len))
3528a953 2362 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2363 else
2364 take_option(&nosec, in_curr, &fnosec, len);
2365
2366 in_curr = in_end + 1;
2367 }
2368 } while (*in_end++);
2369
6931dfc9 2370 strcpy(in_save, nosec_save);
da3caa20 2371 free_page((unsigned long)nosec_save);
1da177e4
LT		 2372out:
2373 return rc;
2374}
2375
026eb167
EP		 2376static int selinux_sb_remount(struct super_block *sb, void *data)
2377{
2378 int rc, i, *flags;
2379 struct security_mnt_opts opts;
2380 char *secdata, **mount_options;
2381 struct superblock_security_struct *sbsec = sb->s_security;
2382
2383 if (!(sbsec->flags & SE_SBINITIALIZED))
2384 return 0;
2385
2386 if (!data)
2387 return 0;
2388
2389 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2390 return 0;
2391
2392 security_init_mnt_opts(&opts);
2393 secdata = alloc_secdata();
2394 if (!secdata)
2395 return -ENOMEM;
2396 rc = selinux_sb_copy_data(data, secdata);
2397 if (rc)
2398 goto out_free_secdata;
2399
2400 rc = selinux_parse_opts_str(secdata, &opts);
2401 if (rc)
2402 goto out_free_secdata;
2403
2404 mount_options = opts.mnt_opts;
2405 flags = opts.mnt_opts_flags;
2406
2407 for (i = 0; i < opts.num_mnt_opts; i++) {
2408 u32 sid;
2409 size_t len;
2410
2411 if (flags[i] == SE_SBLABELSUPP)
2412 continue;
2413 len = strlen(mount_options[i]);
2414 rc = security_context_to_sid(mount_options[i], len, &sid);
2415 if (rc) {
2416 printk(KERN_WARNING "SELinux: security_context_to_sid"
2417 "(%s) failed for (dev %s, type %s) errno=%d\n",
2418 mount_options[i], sb->s_id, sb->s_type->name, rc);
2419 goto out_free_opts;
2420 }
2421 rc = -EINVAL;
2422 switch (flags[i]) {
2423 case FSCONTEXT_MNT:
2424 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2425 goto out_bad_option;
2426 break;
2427 case CONTEXT_MNT:
2428 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2429 goto out_bad_option;
2430 break;
2431 case ROOTCONTEXT_MNT: {
2432 struct inode_security_struct *root_isec;
2433 root_isec = sb->s_root->d_inode->i_security;
2434
2435 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2436 goto out_bad_option;
2437 break;
2438 }
2439 case DEFCONTEXT_MNT:
2440 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2441 goto out_bad_option;
2442 break;
2443 default:
2444 goto out_free_opts;
2445 }
2446 }
2447
2448 rc = 0;
2449out_free_opts:
2450 security_free_mnt_opts(&opts);
2451out_free_secdata:
2452 free_secdata(secdata);
2453 return rc;
2454out_bad_option:
2455 printk(KERN_WARNING "SELinux: unable to change security options "
2456 "during remount (dev %s, type=%s)\n", sb->s_id,
2457 sb->s_type->name);
2458 goto out_free_opts;
2459}
2460
12204e24 2461static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2462{
88e67f3b 2463 const struct cred *cred = current_cred();
2bf49690 2464 struct common_audit_data ad;
1da177e4
LT		 2465 int rc;
2466
2467 rc = superblock_doinit(sb, data);
2468 if (rc)
2469 return rc;
2470
74192246
JM		 2471 /* Allow all mounts performed by the kernel */
2472 if (flags & MS_KERNMOUNT)
2473 return 0;
2474
50c205f5 2475 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2476 ad.u.dentry = sb->s_root;
88e67f3b 2477 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2478}
2479
726c3342 2480static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2481{
88e67f3b 2482 const struct cred *cred = current_cred();
2bf49690 2483 struct common_audit_data ad;
1da177e4 2484
50c205f5 2485 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2486 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2487 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2488}
2489
808d4e3c 2490static int selinux_mount(const char *dev_name,
b5266eb4 2491 struct path *path,
808d4e3c 2492 const char *type,
828dfe1d
EP		 2493 unsigned long flags,
2494 void *data)
1da177e4 2495{
88e67f3b 2496 const struct cred *cred = current_cred();
1da177e4
LT		 2497
2498 if (flags & MS_REMOUNT)
d8c9584e 2499 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2500 FILESYSTEM__REMOUNT, NULL);
1da177e4 2501 else
2875fa00 2502 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2503}
2504
2505static int selinux_umount(struct vfsmount *mnt, int flags)
2506{
88e67f3b 2507 const struct cred *cred = current_cred();
1da177e4 2508
88e67f3b 2509 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2510 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2511}
2512
2513/* inode security operations */
2514
2515static int selinux_inode_alloc_security(struct inode *inode)
2516{
2517 return inode_alloc_security(inode);
2518}
2519
2520static void selinux_inode_free_security(struct inode *inode)
2521{
2522 inode_free_security(inode);
2523}
2524
5e41ff9e 2525static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2a7dba39
EP		 2526 const struct qstr *qstr, char **name,
2527 void **value, size_t *len)
5e41ff9e 2528{
5fb49870 2529 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2530 struct inode_security_struct *dsec;
2531 struct superblock_security_struct *sbsec;
275bb41e 2532 u32 sid, newsid, clen;
5e41ff9e 2533 int rc;
570bc1c2 2534 char *namep = NULL, *context;
5e41ff9e 2535
5e41ff9e
SS		 2536 dsec = dir->i_security;
2537 sbsec = dir->i_sb->s_security;
5e41ff9e 2538
275bb41e
DH		 2539 sid = tsec->sid;
2540 newsid = tsec->create_sid;
2541
415103f9
EP		 2542 if ((sbsec->flags & SE_SBINITIALIZED) &&
2543 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2544 newsid = sbsec->mntpoint_sid;
2545 else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
275bb41e 2546 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2547 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2548 qstr, &newsid);
5e41ff9e
SS		 2549 if (rc) {
2550 printk(KERN_WARNING "%s: "
2551 "security_transition_sid failed, rc=%d (dev=%s "
2552 "ino=%ld)\n",
dd6f953a 2553 __func__,
5e41ff9e
SS		 2554 -rc, inode->i_sb->s_id, inode->i_ino);
2555 return rc;
2556 }
2557 }
2558
296fddf7 2559 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2560 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2561 struct inode_security_struct *isec = inode->i_security;
2562 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2563 isec->sid = newsid;
2564 isec->initialized = 1;
2565 }
5e41ff9e 2566
cd89596f 2567 if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP))
25a74f3b
SS		 2568 return -EOPNOTSUPP;
2569
570bc1c2 2570 if (name) {
a02fe132 2571 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2572 if (!namep)
2573 return -ENOMEM;
2574 *name = namep;
2575 }
5e41ff9e 2576
570bc1c2 2577 if (value && len) {
12b29f34 2578 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2579 if (rc) {
2580 kfree(namep);
2581 return rc;
2582 }
2583 *value = context;
2584 *len = clen;
5e41ff9e 2585 }
5e41ff9e 2586
5e41ff9e
SS		 2587 return 0;
2588}
2589
4acdaf27 2590static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2591{
2592 return may_create(dir, dentry, SECCLASS_FILE);
2593}
2594
1da177e4
LT		 2595static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2596{
1da177e4
LT		 2597 return may_link(dir, old_dentry, MAY_LINK);
2598}
2599
1da177e4
LT		 2600static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2601{
1da177e4
LT		 2602 return may_link(dir, dentry, MAY_UNLINK);
2603}
2604
2605static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2606{
2607 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2608}
2609
18bb1db3 2610static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2611{
2612 return may_create(dir, dentry, SECCLASS_DIR);
2613}
2614
1da177e4
LT		 2615static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2616{
2617 return may_link(dir, dentry, MAY_RMDIR);
2618}
2619
1a67aafb 2620static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2621{
1da177e4
LT		 2622 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2623}
2624
1da177e4 2625static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2626 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2627{
2628 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2629}
2630
1da177e4
LT		 2631static int selinux_inode_readlink(struct dentry *dentry)
2632{
88e67f3b
DH		 2633 const struct cred *cred = current_cred();
2634
2875fa00 2635 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2636}
2637
2638static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2639{
88e67f3b 2640 const struct cred *cred = current_cred();
1da177e4 2641
2875fa00 2642 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2643}
2644
d4cf970d
EP		 2645static noinline int audit_inode_permission(struct inode *inode,
2646 u32 perms, u32 audited, u32 denied,
2647 unsigned flags)
1da177e4 2648{
b782e0a6 2649 struct common_audit_data ad;
d4cf970d
EP		 2650 struct inode_security_struct *isec = inode->i_security;
2651 int rc;
2652
50c205f5 2653 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2654 ad.u.inode = inode;
2655
2656 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2657 audited, denied, &ad, flags);
2658 if (rc)
2659 return rc;
2660 return 0;
2661}
2662
e74f71eb 2663static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2664{
88e67f3b 2665 const struct cred *cred = current_cred();
b782e0a6
EP		 2666 u32 perms;
2667 bool from_access;
cf1dd1da 2668 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2669 struct inode_security_struct *isec;
2670 u32 sid;
2671 struct av_decision avd;
2672 int rc, rc2;
2673 u32 audited, denied;
1da177e4 2674
b782e0a6 2675 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2676 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2677
b782e0a6
EP		 2678 /* No permission to check. Existence test. */
2679 if (!mask)
1da177e4 2680 return 0;
1da177e4 2681
2e334057 2682 validate_creds(cred);
b782e0a6 2683
2e334057
EP		 2684 if (unlikely(IS_PRIVATE(inode)))
2685 return 0;
b782e0a6
EP		 2686
2687 perms = file_mask_to_av(inode->i_mode, mask);
2688
2e334057
EP		 2689 sid = cred_sid(cred);
2690 isec = inode->i_security;
2691
2692 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2693 audited = avc_audit_required(perms, &avd, rc,
2694 from_access ? FILE__AUDIT_ACCESS : 0,
2695 &denied);
2696 if (likely(!audited))
2697 return rc;
2698
d4cf970d 2699 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2e334057
EP		 2700 if (rc2)
2701 return rc2;
2702 return rc;
1da177e4
LT		 2703}
2704
2705static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2706{
88e67f3b 2707 const struct cred *cred = current_cred();
bc6a6008 2708 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2709 __u32 av = FILE__WRITE;
1da177e4 2710
bc6a6008
AW		 2711 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2712 if (ia_valid & ATTR_FORCE) {
2713 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2714 ATTR_FORCE);
2715 if (!ia_valid)
2716 return 0;
2717 }
1da177e4 2718
bc6a6008
AW		 2719 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2720 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2721 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2722
3d2195c3 2723 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2724 av |= FILE__OPEN;
2725
2726 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2727}
2728
2729static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2730{
88e67f3b 2731 const struct cred *cred = current_cred();
2875fa00
EP		 2732 struct path path;
2733
2734 path.dentry = dentry;
2735 path.mnt = mnt;
88e67f3b 2736
2875fa00 2737 return path_has_perm(cred, &path, FILE__GETATTR);
1da177e4
LT		 2738}
2739
8f0cfa52 2740static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2741{
88e67f3b
DH		 2742 const struct cred *cred = current_cred();
2743
b5376771
SH		 2744 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2745 sizeof XATTR_SECURITY_PREFIX - 1)) {
2746 if (!strcmp(name, XATTR_NAME_CAPS)) {
2747 if (!capable(CAP_SETFCAP))
2748 return -EPERM;
2749 } else if (!capable(CAP_SYS_ADMIN)) {
2750 /* A different attribute in the security namespace.
2751 Restrict to administrator. */
2752 return -EPERM;
2753 }
2754 }
2755
2756 /* Not an attribute we recognize, so just check the
2757 ordinary setattr permission. */
2875fa00 2758 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2759}
2760
8f0cfa52
DH		 2761static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2762 const void *value, size_t size, int flags)
1da177e4 2763{
1da177e4
LT		 2764 struct inode *inode = dentry->d_inode;
2765 struct inode_security_struct *isec = inode->i_security;
2766 struct superblock_security_struct *sbsec;
2bf49690 2767 struct common_audit_data ad;
275bb41e 2768 u32 newsid, sid = current_sid();
1da177e4
LT		 2769 int rc = 0;
2770
b5376771
SH		 2771 if (strcmp(name, XATTR_NAME_SELINUX))
2772 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2773
2774 sbsec = inode->i_sb->s_security;
cd89596f 2775 if (!(sbsec->flags & SE_SBLABELSUPP))
1da177e4
LT		 2776 return -EOPNOTSUPP;
2777
2e149670 2778 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2779 return -EPERM;
2780
50c205f5 2781 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2782 ad.u.dentry = dentry;
1da177e4 2783
275bb41e 2784 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2785 FILE__RELABELFROM, &ad);
2786 if (rc)
2787 return rc;
2788
2789 rc = security_context_to_sid(value, size, &newsid);
12b29f34 2790 if (rc == -EINVAL) {
d6ea83ec
EP		 2791 if (!capable(CAP_MAC_ADMIN)) {
2792 struct audit_buffer *ab;
2793 size_t audit_size;
2794 const char *str;
2795
2796 /* We strip a nul only if it is at the end, otherwise the
2797 * context contains a nul and we should audit that */
e3fea3f7
AV		 2798 if (value) {
2799 str = value;
2800 if (str[size - 1] == '\0')
2801 audit_size = size - 1;
2802 else
2803 audit_size = size;
2804 } else {
2805 str = "";
2806 audit_size = 0;
2807 }
d6ea83ec
EP		 2808 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2809 audit_log_format(ab, "op=setxattr invalid_context=");
2810 audit_log_n_untrustedstring(ab, value, audit_size);
2811 audit_log_end(ab);
2812
12b29f34 2813 return rc;
d6ea83ec 2814 }
12b29f34
SS		 2815 rc = security_context_to_sid_force(value, size, &newsid);
2816 }
1da177e4
LT		 2817 if (rc)
2818 return rc;
2819
275bb41e 2820 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2821 FILE__RELABELTO, &ad);
2822 if (rc)
2823 return rc;
2824
275bb41e 2825 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2826 isec->sclass);
1da177e4
LT		 2827 if (rc)
2828 return rc;
2829
2830 return avc_has_perm(newsid,
2831 sbsec->sid,
2832 SECCLASS_FILESYSTEM,
2833 FILESYSTEM__ASSOCIATE,
2834 &ad);
2835}
2836
8f0cfa52 2837static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2838 const void *value, size_t size,
8f0cfa52 2839 int flags)
1da177e4
LT		 2840{
2841 struct inode *inode = dentry->d_inode;
2842 struct inode_security_struct *isec = inode->i_security;
2843 u32 newsid;
2844 int rc;
2845
2846 if (strcmp(name, XATTR_NAME_SELINUX)) {
2847 /* Not an attribute we recognize, so nothing to do. */
2848 return;
2849 }
2850
12b29f34 2851 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2852 if (rc) {
12b29f34
SS		 2853 printk(KERN_ERR "SELinux: unable to map context to SID"
2854 "for (%s, %lu), rc=%d\n",
2855 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2856 return;
2857 }
2858
2859 isec->sid = newsid;
2860 return;
2861}
2862
8f0cfa52 2863static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2864{
88e67f3b
DH		 2865 const struct cred *cred = current_cred();
2866
2875fa00 2867 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2868}
2869
828dfe1d 2870static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 2871{
88e67f3b
DH		 2872 const struct cred *cred = current_cred();
2873
2875fa00 2874 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 2875}
2876
8f0cfa52 2877static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2878{
b5376771
SH		 2879 if (strcmp(name, XATTR_NAME_SELINUX))
2880 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2881
2882 /* No one is allowed to remove a SELinux security label.
2883 You can change the label, but all data must be labeled. */
2884 return -EACCES;
2885}
2886
d381d8a9 2887/*
abc69bb6 2888 * Copy the inode security context value to the user.
d381d8a9
JM		 2889 *
2890 * Permission check is handled by selinux_inode_getxattr hook.
2891 */
42492594 2892static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2893{
42492594
DQ		 2894 u32 size;
2895 int error;
2896 char *context = NULL;
1da177e4 2897 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2898
8c8570fb
DK		 2899 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2900 return -EOPNOTSUPP;
d381d8a9 2901
abc69bb6
SS		 2902 /*
2903 * If the caller has CAP_MAC_ADMIN, then get the raw context
2904 * value even if it is not defined by current policy; otherwise,
2905 * use the in-core value under current policy.
2906 * Use the non-auditing forms of the permission checks since
2907 * getxattr may be called by unprivileged processes commonly
2908 * and lack of permission just means that we fall back to the
2909 * in-core context value, not a denial.
2910 */
6a9de491 2911 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3699c53c 2912 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2913 if (!error)
2914 error = security_sid_to_context_force(isec->sid, &context,
2915 &size);
2916 else
2917 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2918 if (error)
2919 return error;
2920 error = size;
2921 if (alloc) {
2922 *buffer = context;
2923 goto out_nofree;
2924 }
2925 kfree(context);
2926out_nofree:
2927 return error;
1da177e4
LT		 2928}
2929
2930static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2931 const void *value, size_t size, int flags)
1da177e4
LT		 2932{
2933 struct inode_security_struct *isec = inode->i_security;
2934 u32 newsid;
2935 int rc;
2936
2937 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2938 return -EOPNOTSUPP;
2939
2940 if (!value || !size)
2941 return -EACCES;
2942
828dfe1d 2943 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2944 if (rc)
2945 return rc;
2946
2947 isec->sid = newsid;
ddd29ec6 2948 isec->initialized = 1;
1da177e4
LT		 2949 return 0;
2950}
2951
2952static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2953{
2954 const int len = sizeof(XATTR_NAME_SELINUX);
2955 if (buffer && len <= buffer_size)
2956 memcpy(buffer, XATTR_NAME_SELINUX, len);
2957 return len;
2958}
2959
713a04ae
AD		 2960static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2961{
2962 struct inode_security_struct *isec = inode->i_security;
2963 *secid = isec->sid;
2964}
2965
1da177e4
LT		 2966/* file security operations */
2967
788e7dd4 2968static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2969{
88e67f3b 2970 const struct cred *cred = current_cred();
496ad9aa 2971 struct inode *inode = file_inode(file);
1da177e4 2972
1da177e4
LT		 2973 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2974 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2975 mask |= MAY_APPEND;
2976
389fb800
PM		 2977 return file_has_perm(cred, file,
2978 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 2979}
2980
788e7dd4
YN		 2981static int selinux_file_permission(struct file *file, int mask)
2982{
496ad9aa 2983 struct inode *inode = file_inode(file);
20dda18b
SS		 2984 struct file_security_struct *fsec = file->f_security;
2985 struct inode_security_struct *isec = inode->i_security;
2986 u32 sid = current_sid();
2987
389fb800 2988 if (!mask)
788e7dd4
YN		 2989 /* No permission to check. Existence test. */
2990 return 0;
788e7dd4 2991
20dda18b
SS		 2992 if (sid == fsec->sid && fsec->isid == isec->sid &&
2993 fsec->pseqno == avc_policy_seqno())
83d49856 2994 /* No change since file_open check. */
20dda18b
SS		 2995 return 0;
2996
788e7dd4
YN		 2997 return selinux_revalidate_file_permission(file, mask);
2998}
2999
1da177e4
LT		 3000static int selinux_file_alloc_security(struct file *file)
3001{
3002 return file_alloc_security(file);
3003}
3004
3005static void selinux_file_free_security(struct file *file)
3006{
3007 file_free_security(file);
3008}
3009
3010static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3011 unsigned long arg)
3012{
88e67f3b 3013 const struct cred *cred = current_cred();
0b24dcb7 3014 int error = 0;
1da177e4 3015
0b24dcb7
EP		 3016 switch (cmd) {
3017 case FIONREAD:
3018 /* fall through */
3019 case FIBMAP:
3020 /* fall through */
3021 case FIGETBSZ:
3022 /* fall through */
2f99c369 3023 case FS_IOC_GETFLAGS:
0b24dcb7 3024 /* fall through */
2f99c369 3025 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3026 error = file_has_perm(cred, file, FILE__GETATTR);
3027 break;
1da177e4 3028
2f99c369 3029 case FS_IOC_SETFLAGS:
0b24dcb7 3030 /* fall through */
2f99c369 3031 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3032 error = file_has_perm(cred, file, FILE__SETATTR);
3033 break;
3034
3035 /* sys_ioctl() checks */
3036 case FIONBIO:
3037 /* fall through */
3038 case FIOASYNC:
3039 error = file_has_perm(cred, file, 0);
3040 break;
1da177e4 3041
0b24dcb7
EP		 3042 case KDSKBENT:
3043 case KDSKBSENT:
6a9de491
EP		 3044 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3045 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3046 break;
3047
3048 /* default case assumes that the command will go
3049 * to the file's ioctl() function.
3050 */
3051 default:
3052 error = file_has_perm(cred, file, FILE__IOCTL);
3053 }
3054 return error;
1da177e4
LT		 3055}
3056
fcaaade1
SS		 3057static int default_noexec;
3058
1da177e4
LT		 3059static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3060{
88e67f3b 3061 const struct cred *cred = current_cred();
d84f4f99 3062 int rc = 0;
88e67f3b 3063
fcaaade1
SS		 3064 if (default_noexec &&
3065 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3066 /*
3067 * We are making executable an anonymous mapping or a
3068 * private file mapping that will also be writable.
3069 * This has an additional check.
3070 */
d84f4f99 3071 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3072 if (rc)
d84f4f99 3073 goto error;
1da177e4 3074 }
1da177e4
LT		 3075
3076 if (file) {
3077 /* read access is always possible with a mapping */
3078 u32 av = FILE__READ;
3079
3080 /* write access only matters if the mapping is shared */
3081 if (shared && (prot & PROT_WRITE))
3082 av |= FILE__WRITE;
3083
3084 if (prot & PROT_EXEC)
3085 av |= FILE__EXECUTE;
3086
88e67f3b 3087 return file_has_perm(cred, file, av);
1da177e4 3088 }
d84f4f99
DH		 3089
3090error:
3091 return rc;
1da177e4
LT		 3092}
3093
e5467859 3094static int selinux_mmap_addr(unsigned long addr)
1da177e4 3095{
ed032189 3096 int rc = 0;
275bb41e 3097 u32 sid = current_sid();
1da177e4 3098
84336d1a
EP		 3099 /*
3100 * notice that we are intentionally putting the SELinux check before
3101 * the secondary cap_file_mmap check. This is such a likely attempt
3102 * at bad behaviour/exploit that we always want to get the AVC, even
3103 * if DAC would have also denied the operation.
3104 */
a2551df7 3105 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
ed032189
EP		 3106 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3107 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3108 if (rc)
3109 return rc;
3110 }
3111
3112 /* do DAC check on address space usage */
e5467859
AV		 3113 return cap_mmap_addr(addr);
3114}
1da177e4 3115
e5467859
AV		 3116static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3117 unsigned long prot, unsigned long flags)
3118{
1da177e4
LT		 3119 if (selinux_checkreqprot)
3120 prot = reqprot;
3121
3122 return file_map_prot_check(file, prot,
3123 (flags & MAP_TYPE) == MAP_SHARED);
3124}
3125
3126static int selinux_file_mprotect(struct vm_area_struct *vma,
3127 unsigned long reqprot,
3128 unsigned long prot)
3129{
88e67f3b 3130 const struct cred *cred = current_cred();
1da177e4
LT		 3131
3132 if (selinux_checkreqprot)
3133 prot = reqprot;
3134
fcaaade1
SS		 3135 if (default_noexec &&
3136 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3137 int rc = 0;
db4c9641
SS		 3138 if (vma->vm_start >= vma->vm_mm->start_brk &&
3139 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3140 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3141 } else if (!vma->vm_file &&
3142 vma->vm_start <= vma->vm_mm->start_stack &&
3143 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3144 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3145 } else if (vma->vm_file && vma->anon_vma) {
3146 /*
3147 * We are making executable a file mapping that has
3148 * had some COW done. Since pages might have been
3149 * written, check ability to execute the possibly
3150 * modified content. This typically should only
3151 * occur for text relocations.
3152 */
d84f4f99 3153 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3154 }