]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
security: add ioctl specific auditing to lsm_audit
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
ed6d76e4 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
82c21bfa 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4 26#include <linux/init.h>
0b24dcb7 27#include <linux/kd.h>
1da177e4 28#include <linux/kernel.h>
0d094efe 29#include <linux/tracehook.h>
1da177e4
LT		 30#include <linux/errno.h>
31#include <linux/sched.h>
3c4ed7bd 32#include <linux/lsm_hooks.h>
1da177e4
LT		 33#include <linux/xattr.h>
34#include <linux/capability.h>
35#include <linux/unistd.h>
36#include <linux/mm.h>
37#include <linux/mman.h>
38#include <linux/slab.h>
39#include <linux/pagemap.h>
0b24dcb7 40#include <linux/proc_fs.h>
1da177e4 41#include <linux/swap.h>
1da177e4
LT		 42#include <linux/spinlock.h>
43#include <linux/syscalls.h>
2a7dba39 44#include <linux/dcache.h>
1da177e4 45#include <linux/file.h>
9f3acc31 46#include <linux/fdtable.h>
1da177e4
LT		 47#include <linux/namei.h>
48#include <linux/mount.h>
1da177e4
LT		 49#include <linux/netfilter_ipv4.h>
50#include <linux/netfilter_ipv6.h>
51#include <linux/tty.h>
52#include <net/icmp.h>
227b60f5 53#include <net/ip.h> /* for local_port_range[] */
1da177e4 54#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
47180068 55#include <net/inet_connection_sock.h>
220deb96 56#include <net/net_namespace.h>
d621d35e 57#include <net/netlabel.h>
f5269710 58#include <linux/uaccess.h>
1da177e4 59#include <asm/ioctls.h>
60063497 60#include <linux/atomic.h>
1da177e4
LT		 61#include <linux/bitops.h>
62#include <linux/interrupt.h>
63#include <linux/netdevice.h> /* for network interface checks */
77954983 64#include <net/netlink.h>
1da177e4
LT		 65#include <linux/tcp.h>
66#include <linux/udp.h>
2ee92d46 67#include <linux/dccp.h>
1da177e4
LT		 68#include <linux/quota.h>
69#include <linux/un.h> /* for Unix socket types */
70#include <net/af_unix.h> /* for Unix socket types */
71#include <linux/parser.h>
72#include <linux/nfs_mount.h>
73#include <net/ipv6.h>
74#include <linux/hugetlb.h>
75#include <linux/personality.h>
1da177e4 76#include <linux/audit.h>
6931dfc9 77#include <linux/string.h>
877ce7c1 78#include <linux/selinux.h>
23970741 79#include <linux/mutex.h>
f06febc9 80#include <linux/posix-timers.h>
00234592 81#include <linux/syslog.h>
3486740a 82#include <linux/user_namespace.h>
44fc7ea0 83#include <linux/export.h>
40401530
AV		 84#include <linux/msg.h>
85#include <linux/shm.h>
1da177e4
LT		 86
87#include "avc.h"
88#include "objsec.h"
89#include "netif.h"
224dfbd8 90#include "netnode.h"
3e112172 91#include "netport.h"
d28d1e08 92#include "xfrm.h"
c60475bf 93#include "netlabel.h"
9d57a7f9 94#include "audit.h"
7b98a585 95#include "avc_ss.h"
1da177e4 96
d621d35e 97/* SECMARK reference count */
56a4ca99 98static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
d621d35e 99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710 105 unsigned long enforcing;
29707b20 106 if (!kstrtoul(str, 0, &enforcing))
f5269710 107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710 118 unsigned long enabled;
29707b20 119 if (!kstrtoul(str, 0, &enabled))
f5269710 120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
e18b890b 128static struct kmem_cache *sel_inode_cache;
7cae7e26 129
d621d35e
PM		 130/**
131 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
132 *
133 * Description:
134 * This function checks the SECMARK reference counter to see if any SECMARK
135 * targets are currently configured, if the reference counter is greater than
136 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
2be4d74f
CP		 137 * enabled, false (0) if SECMARK is disabled. If the always_check_network
138 * policy capability is enabled, SECMARK is always considered enabled.
d621d35e
PM		 139 *
140 */
141static int selinux_secmark_enabled(void)
142{
2be4d74f
CP		 143 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
144}
145
146/**
147 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
148 *
149 * Description:
150 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
151 * (1) if any are enabled or false (0) if neither are enabled. If the
152 * always_check_network policy capability is enabled, peer labeling
153 * is always considered enabled.
154 *
155 */
156static int selinux_peerlbl_enabled(void)
157{
158 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
d621d35e
PM		 159}
160
615e51fd
PM		 161static int selinux_netcache_avc_callback(u32 event)
162{
163 if (event == AVC_CALLBACK_RESET) {
164 sel_netif_flush();
165 sel_netnode_flush();
166 sel_netport_flush();
167 synchronize_net();
168 }
169 return 0;
170}
171
d84f4f99
DH		 172/*
173 * initialise the security for the init task
174 */
175static void cred_init_security(void)
1da177e4 176{
3b11a1de 177 struct cred *cred = (struct cred *) current->real_cred;
1da177e4
LT		 178 struct task_security_struct *tsec;
179
89d155ef 180 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4 181 if (!tsec)
d84f4f99 182 panic("SELinux: Failed to initialize initial task.\n");
1da177e4 183
d84f4f99 184 tsec->osid = tsec->sid = SECINITSID_KERNEL;
f1752eec 185 cred->security = tsec;
1da177e4
LT		 186}
187
88e67f3b
DH		 188/*
189 * get the security ID of a set of credentials
190 */
191static inline u32 cred_sid(const struct cred *cred)
192{
193 const struct task_security_struct *tsec;
194
195 tsec = cred->security;
196 return tsec->sid;
197}
198
275bb41e 199/*
3b11a1de 200 * get the objective security ID of a task
275bb41e
DH		 201 */
202static inline u32 task_sid(const struct task_struct *task)
203{
275bb41e
DH		 204 u32 sid;
205
206 rcu_read_lock();
88e67f3b 207 sid = cred_sid(__task_cred(task));
275bb41e
DH		 208 rcu_read_unlock();
209 return sid;
210}
211
212/*
3b11a1de 213 * get the subjective security ID of the current task
275bb41e
DH		 214 */
215static inline u32 current_sid(void)
216{
5fb49870 217 const struct task_security_struct *tsec = current_security();
275bb41e
DH		 218
219 return tsec->sid;
220}
221
88e67f3b
DH		 222/* Allocate and free functions for each kind of security blob. */
223
1da177e4
LT		 224static int inode_alloc_security(struct inode *inode)
225{
1da177e4 226 struct inode_security_struct *isec;
275bb41e 227 u32 sid = current_sid();
1da177e4 228
a02fe132 229 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 230 if (!isec)
231 return -ENOMEM;
232
23970741 233 mutex_init(&isec->lock);
1da177e4 234 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 235 isec->inode = inode;
236 isec->sid = SECINITSID_UNLABELED;
237 isec->sclass = SECCLASS_FILE;
275bb41e 238 isec->task_sid = sid;
1da177e4
LT		 239 inode->i_security = isec;
240
241 return 0;
242}
243
3dc91d43
SR		 244static void inode_free_rcu(struct rcu_head *head)
245{
246 struct inode_security_struct *isec;
247
248 isec = container_of(head, struct inode_security_struct, rcu);
249 kmem_cache_free(sel_inode_cache, isec);
250}
251
1da177e4
LT		 252static void inode_free_security(struct inode *inode)
253{
254 struct inode_security_struct *isec = inode->i_security;
255 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
256
1da177e4
LT		 257 spin_lock(&sbsec->isec_lock);
258 if (!list_empty(&isec->list))
259 list_del_init(&isec->list);
260 spin_unlock(&sbsec->isec_lock);
261
3dc91d43
SR		 262 /*
263 * The inode may still be referenced in a path walk and
264 * a call to selinux_inode_permission() can be made
265 * after inode_free_security() is called. Ideally, the VFS
266 * wouldn't do this, but fixing that is a much harder
267 * job. For now, simply free the i_security via RCU, and
268 * leave the current inode->i_security pointer intact.
269 * The inode will be freed after the RCU grace period too.
270 */
271 call_rcu(&isec->rcu, inode_free_rcu);
1da177e4
LT		 272}
273
274static int file_alloc_security(struct file *file)
275{
1da177e4 276 struct file_security_struct *fsec;
275bb41e 277 u32 sid = current_sid();
1da177e4 278
26d2a4be 279 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 280 if (!fsec)
281 return -ENOMEM;
282
275bb41e
DH		 283 fsec->sid = sid;
284 fsec->fown_sid = sid;
1da177e4
LT		 285 file->f_security = fsec;
286
287 return 0;
288}
289
290static void file_free_security(struct file *file)
291{
292 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 293 file->f_security = NULL;
294 kfree(fsec);
295}
296
297static int superblock_alloc_security(struct super_block *sb)
298{
299 struct superblock_security_struct *sbsec;
300
89d155ef 301 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 302 if (!sbsec)
303 return -ENOMEM;
304
bc7e982b 305 mutex_init(&sbsec->lock);
1da177e4
LT		 306 INIT_LIST_HEAD(&sbsec->isec_head);
307 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 308 sbsec->sb = sb;
309 sbsec->sid = SECINITSID_UNLABELED;
310 sbsec->def_sid = SECINITSID_FILE;
c312feb2 311 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 312 sb->s_security = sbsec;
313
314 return 0;
315}
316
317static void superblock_free_security(struct super_block *sb)
318{
319 struct superblock_security_struct *sbsec = sb->s_security;
1da177e4
LT		 320 sb->s_security = NULL;
321 kfree(sbsec);
322}
323
1da177e4
LT		 324/* The file system's label must be initialized prior to use. */
325
eb9ae686 326static const char *labeling_behaviors[7] = {
1da177e4
LT		 327 "uses xattr",
328 "uses transition SIDs",
329 "uses task SIDs",
330 "uses genfs_contexts",
331 "not configured for labeling",
332 "uses mountpoint labeling",
eb9ae686 333 "uses native labeling",
1da177e4
LT		 334};
335
336static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
337
338static inline int inode_doinit(struct inode *inode)
339{
340 return inode_doinit_with_dentry(inode, NULL);
341}
342
343enum {
31e87930 344 Opt_error = -1,
1da177e4
LT		 345 Opt_context = 1,
346 Opt_fscontext = 2,
c9180a57
EP		 347 Opt_defcontext = 3,
348 Opt_rootcontext = 4,
11689d47 349 Opt_labelsupport = 5,
d355987f 350 Opt_nextmntopt = 6,
1da177e4
LT		 351};
352
d355987f
EP		 353#define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
354
a447c093 355static const match_table_t tokens = {
832cbd9a
EP		 356 {Opt_context, CONTEXT_STR "%s"},
357 {Opt_fscontext, FSCONTEXT_STR "%s"},
358 {Opt_defcontext, DEFCONTEXT_STR "%s"},
359 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
11689d47 360 {Opt_labelsupport, LABELSUPP_STR},
31e87930 361 {Opt_error, NULL},
1da177e4
LT		 362};
363
364#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
365
c312feb2
EP		 366static int may_context_mount_sb_relabel(u32 sid,
367 struct superblock_security_struct *sbsec,
275bb41e 368 const struct cred *cred)
c312feb2 369{
275bb41e 370 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 371 int rc;
372
373 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
374 FILESYSTEM__RELABELFROM, NULL);
375 if (rc)
376 return rc;
377
378 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
379 FILESYSTEM__RELABELTO, NULL);
380 return rc;
381}
382
0808925e
EP		 383static int may_context_mount_inode_relabel(u32 sid,
384 struct superblock_security_struct *sbsec,
275bb41e 385 const struct cred *cred)
0808925e 386{
275bb41e 387 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 388 int rc;
389 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
390 FILESYSTEM__RELABELFROM, NULL);
391 if (rc)
392 return rc;
393
394 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
395 FILESYSTEM__ASSOCIATE, NULL);
396 return rc;
397}
398
b43e725d
EP		 399static int selinux_is_sblabel_mnt(struct super_block *sb)
400{
401 struct superblock_security_struct *sbsec = sb->s_security;
402
d5f3a5f6
MS		 403 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
404 sbsec->behavior == SECURITY_FS_USE_TRANS ||
405 sbsec->behavior == SECURITY_FS_USE_TASK ||
9fc2b4b4 406 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
d5f3a5f6
MS		 407 /* Special handling. Genfs but also in-core setxattr handler */
408 !strcmp(sb->s_type->name, "sysfs") ||
409 !strcmp(sb->s_type->name, "pstore") ||
410 !strcmp(sb->s_type->name, "debugfs") ||
411 !strcmp(sb->s_type->name, "rootfs");
b43e725d
EP		 412}
413
c9180a57 414static int sb_finish_set_opts(struct super_block *sb)
1da177e4 415{
1da177e4 416 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57 417 struct dentry *root = sb->s_root;
c6f493d6 418 struct inode *root_inode = d_backing_inode(root);
c9180a57 419 int rc = 0;
1da177e4 420
c9180a57
EP		 421 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
422 /* Make sure that the xattr handler exists and that no
423 error other than -ENODATA is returned by getxattr on
424 the root directory. -ENODATA is ok, as this may be
425 the first boot of the SELinux kernel before we have
426 assigned xattr values to the filesystem. */
427 if (!root_inode->i_op->getxattr) {
29b1deb2
LT		 428 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
429 "xattr support\n", sb->s_id, sb->s_type->name);
c9180a57
EP		 430 rc = -EOPNOTSUPP;
431 goto out;
432 }
433 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
434 if (rc < 0 && rc != -ENODATA) {
435 if (rc == -EOPNOTSUPP)
436 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 437 "%s) has no security xattr handler\n",
438 sb->s_id, sb->s_type->name);
c9180a57
EP		 439 else
440 printk(KERN_WARNING "SELinux: (dev %s, type "
29b1deb2
LT		 441 "%s) getxattr errno %d\n", sb->s_id,
442 sb->s_type->name, -rc);
c9180a57
EP		 443 goto out;
444 }
445 }
1da177e4 446
c9180a57 447 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
29b1deb2
LT		 448 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
449 sb->s_id, sb->s_type->name);
1da177e4 450
eadcabc6 451 sbsec->flags |= SE_SBINITIALIZED;
b43e725d 452 if (selinux_is_sblabel_mnt(sb))
12f348b9 453 sbsec->flags |= SBLABEL_MNT;
ddd29ec6 454
c9180a57
EP		 455 /* Initialize the root inode. */
456 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 457
c9180a57
EP		 458 /* Initialize any other inodes associated with the superblock, e.g.
459 inodes created prior to initial policy load or inodes created
460 during get_sb by a pseudo filesystem that directly
461 populates itself. */
462 spin_lock(&sbsec->isec_lock);
463next_inode:
464 if (!list_empty(&sbsec->isec_head)) {
465 struct inode_security_struct *isec =
466 list_entry(sbsec->isec_head.next,
467 struct inode_security_struct, list);
468 struct inode *inode = isec->inode;
923190d3 469 list_del_init(&isec->list);
c9180a57
EP		 470 spin_unlock(&sbsec->isec_lock);
471 inode = igrab(inode);
472 if (inode) {
473 if (!IS_PRIVATE(inode))
474 inode_doinit(inode);
475 iput(inode);
476 }
477 spin_lock(&sbsec->isec_lock);
c9180a57
EP		 478 goto next_inode;
479 }
480 spin_unlock(&sbsec->isec_lock);
481out:
482 return rc;
483}
1da177e4 484
c9180a57
EP		 485/*
486 * This function should allow an FS to ask what it's mount security
487 * options were so it can use those later for submounts, displaying
488 * mount options, or whatever.
489 */
490static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 491 struct security_mnt_opts *opts)
c9180a57
EP		 492{
493 int rc = 0, i;
494 struct superblock_security_struct *sbsec = sb->s_security;
495 char *context = NULL;
496 u32 len;
497 char tmp;
1da177e4 498
e0007529 499 security_init_mnt_opts(opts);
1da177e4 500
0d90a7ec 501 if (!(sbsec->flags & SE_SBINITIALIZED))
c9180a57 502 return -EINVAL;
1da177e4 503
c9180a57
EP		 504 if (!ss_initialized)
505 return -EINVAL;
1da177e4 506
af8e50cc
EP		 507 /* make sure we always check enough bits to cover the mask */
508 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
509
0d90a7ec 510 tmp = sbsec->flags & SE_MNTMASK;
c9180a57 511 /* count the number of mount options for this sb */
af8e50cc 512 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
c9180a57 513 if (tmp & 0x01)
e0007529 514 opts->num_mnt_opts++;
c9180a57
EP		 515 tmp >>= 1;
516 }
11689d47 517 /* Check if the Label support flag is set */
0b4bdb35 518 if (sbsec->flags & SBLABEL_MNT)
11689d47 519 opts->num_mnt_opts++;
1da177e4 520
e0007529
EP		 521 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
522 if (!opts->mnt_opts) {
c9180a57
EP		 523 rc = -ENOMEM;
524 goto out_free;
525 }
1da177e4 526
e0007529
EP		 527 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
528 if (!opts->mnt_opts_flags) {
c9180a57
EP		 529 rc = -ENOMEM;
530 goto out_free;
531 }
1da177e4 532
c9180a57
EP		 533 i = 0;
534 if (sbsec->flags & FSCONTEXT_MNT) {
535 rc = security_sid_to_context(sbsec->sid, &context, &len);
536 if (rc)
537 goto out_free;
e0007529
EP		 538 opts->mnt_opts[i] = context;
539 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 540 }
541 if (sbsec->flags & CONTEXT_MNT) {
542 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
543 if (rc)
544 goto out_free;
e0007529
EP		 545 opts->mnt_opts[i] = context;
546 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 547 }
548 if (sbsec->flags & DEFCONTEXT_MNT) {
549 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
550 if (rc)
551 goto out_free;
e0007529
EP		 552 opts->mnt_opts[i] = context;
553 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 554 }
555 if (sbsec->flags & ROOTCONTEXT_MNT) {
c6f493d6 556 struct inode *root = d_backing_inode(sbsec->sb->s_root);
c9180a57 557 struct inode_security_struct *isec = root->i_security;
0808925e 558
c9180a57
EP		 559 rc = security_sid_to_context(isec->sid, &context, &len);
560 if (rc)
561 goto out_free;
e0007529
EP		 562 opts->mnt_opts[i] = context;
563 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 564 }
12f348b9 565 if (sbsec->flags & SBLABEL_MNT) {
11689d47 566 opts->mnt_opts[i] = NULL;
12f348b9 567 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
11689d47 568 }
1da177e4 569
e0007529 570 BUG_ON(i != opts->num_mnt_opts);
1da177e4 571
c9180a57
EP		 572 return 0;
573
574out_free:
e0007529 575 security_free_mnt_opts(opts);
c9180a57
EP		 576 return rc;
577}
1da177e4 578
c9180a57
EP		 579static int bad_option(struct superblock_security_struct *sbsec, char flag,
580 u32 old_sid, u32 new_sid)
581{
0d90a7ec
DQ		 582 char mnt_flags = sbsec->flags & SE_MNTMASK;
583
c9180a57 584 /* check if the old mount command had the same options */
0d90a7ec 585 if (sbsec->flags & SE_SBINITIALIZED)
c9180a57
EP		 586 if (!(sbsec->flags & flag) ||
587 (old_sid != new_sid))
588 return 1;
589
590 /* check if we were passed the same options twice,
591 * aka someone passed context=a,context=b
592 */
0d90a7ec
DQ		 593 if (!(sbsec->flags & SE_SBINITIALIZED))
594 if (mnt_flags & flag)
c9180a57
EP		 595 return 1;
596 return 0;
597}
e0007529 598
c9180a57
EP		 599/*
600 * Allow filesystems with binary mount data to explicitly set mount point
601 * labeling information.
602 */
e0007529 603static int selinux_set_mnt_opts(struct super_block *sb,
649f6e77
DQ		 604 struct security_mnt_opts *opts,
605 unsigned long kern_flags,
606 unsigned long *set_kern_flags)
c9180a57 607{
275bb41e 608 const struct cred *cred = current_cred();
c9180a57 609 int rc = 0, i;
c9180a57 610 struct superblock_security_struct *sbsec = sb->s_security;
29b1deb2 611 const char *name = sb->s_type->name;
c6f493d6 612 struct inode *inode = d_backing_inode(sbsec->sb->s_root);
089be43e 613 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 614 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
615 u32 defcontext_sid = 0;
e0007529
EP		 616 char **mount_options = opts->mnt_opts;
617 int *flags = opts->mnt_opts_flags;
618 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 619
620 mutex_lock(&sbsec->lock);
621
622 if (!ss_initialized) {
623 if (!num_opts) {
624 /* Defer initialization until selinux_complete_init,
625 after the initial policy is loaded and the security
626 server is ready to handle calls. */
c9180a57
EP		 627 goto out;
628 }
629 rc = -EINVAL;
744ba35e
EP		 630 printk(KERN_WARNING "SELinux: Unable to set superblock options "
631 "before the security server is initialized\n");
1da177e4 632 goto out;
c9180a57 633 }
649f6e77
DQ		 634 if (kern_flags && !set_kern_flags) {
635 /* Specifying internal flags without providing a place to
636 * place the results is not allowed */
637 rc = -EINVAL;
638 goto out;
639 }
1da177e4 640
e0007529
EP		 641 /*
642 * Binary mount data FS will come through this function twice. Once
643 * from an explicit call and once from the generic calls from the vfs.
644 * Since the generic VFS calls will not contain any security mount data
645 * we need to skip the double mount verification.
646 *
647 * This does open a hole in which we will not notice if the first
648 * mount using this sb set explict options and a second mount using
649 * this sb does not set any security options. (The first options
650 * will be used for both mounts)
651 */
0d90a7ec 652 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
e0007529 653 && (num_opts == 0))
f5269710 654 goto out;
e0007529 655
c9180a57
EP		 656 /*
657 * parse the mount options, check if they are valid sids.
658 * also check if someone is trying to mount the same sb more
659 * than once with different security options.
660 */
661 for (i = 0; i < num_opts; i++) {
662 u32 sid;
11689d47 663
12f348b9 664 if (flags[i] == SBLABEL_MNT)
11689d47 665 continue;
c9180a57 666 rc = security_context_to_sid(mount_options[i],
52a4c640 667 strlen(mount_options[i]), &sid, GFP_KERNEL);
1da177e4
LT		 668 if (rc) {
669 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 670 "(%s) failed for (dev %s, type %s) errno=%d\n",
671 mount_options[i], sb->s_id, name, rc);
c9180a57
EP		 672 goto out;
673 }
674 switch (flags[i]) {
675 case FSCONTEXT_MNT:
676 fscontext_sid = sid;
677
678 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
679 fscontext_sid))
680 goto out_double_mount;
681
682 sbsec->flags |= FSCONTEXT_MNT;
683 break;
684 case CONTEXT_MNT:
685 context_sid = sid;
686
687 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
688 context_sid))
689 goto out_double_mount;
690
691 sbsec->flags |= CONTEXT_MNT;
692 break;
693 case ROOTCONTEXT_MNT:
694 rootcontext_sid = sid;
695
696 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
697 rootcontext_sid))
698 goto out_double_mount;
699
700 sbsec->flags |= ROOTCONTEXT_MNT;
701
702 break;
703 case DEFCONTEXT_MNT:
704 defcontext_sid = sid;
705
706 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
707 defcontext_sid))
708 goto out_double_mount;
709
710 sbsec->flags |= DEFCONTEXT_MNT;
711
712 break;
713 default:
714 rc = -EINVAL;
715 goto out;
1da177e4 716 }
c9180a57
EP		 717 }
718
0d90a7ec 719 if (sbsec->flags & SE_SBINITIALIZED) {
c9180a57 720 /* previously mounted with options, but not on this attempt? */
0d90a7ec 721 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
c9180a57
EP		 722 goto out_double_mount;
723 rc = 0;
724 goto out;
725 }
726
089be43e 727 if (strcmp(sb->s_type->name, "proc") == 0)
134509d5
SS		 728 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
729
8e014720
SS		 730 if (!strcmp(sb->s_type->name, "debugfs") ||
731 !strcmp(sb->s_type->name, "sysfs") ||
732 !strcmp(sb->s_type->name, "pstore"))
134509d5 733 sbsec->flags |= SE_SBGENFS;
c9180a57 734
eb9ae686
DQ		 735 if (!sbsec->behavior) {
736 /*
737 * Determine the labeling behavior to use for this
738 * filesystem type.
739 */
98f700f3 740 rc = security_fs_use(sb);
eb9ae686
DQ		 741 if (rc) {
742 printk(KERN_WARNING
743 "%s: security_fs_use(%s) returned %d\n",
744 __func__, sb->s_type->name, rc);
745 goto out;
746 }
c9180a57 747 }
c9180a57
EP		 748 /* sets the context of the superblock for the fs being mounted. */
749 if (fscontext_sid) {
275bb41e 750 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 751 if (rc)
c9180a57 752 goto out;
1da177e4 753
c9180a57 754 sbsec->sid = fscontext_sid;
c312feb2
EP		 755 }
756
757 /*
758 * Switch to using mount point labeling behavior.
759 * sets the label used on all file below the mountpoint, and will set
760 * the superblock context if not already set.
761 */
eb9ae686
DQ		 762 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
763 sbsec->behavior = SECURITY_FS_USE_NATIVE;
764 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
765 }
766
c9180a57
EP		 767 if (context_sid) {
768 if (!fscontext_sid) {
275bb41e
DH		 769 rc = may_context_mount_sb_relabel(context_sid, sbsec,
770 cred);
b04ea3ce 771 if (rc)
c9180a57
EP		 772 goto out;
773 sbsec->sid = context_sid;
b04ea3ce 774 } else {
275bb41e
DH		 775 rc = may_context_mount_inode_relabel(context_sid, sbsec,
776 cred);
b04ea3ce 777 if (rc)
c9180a57 778 goto out;
b04ea3ce 779 }
c9180a57
EP		 780 if (!rootcontext_sid)
781 rootcontext_sid = context_sid;
1da177e4 782
c9180a57 783 sbsec->mntpoint_sid = context_sid;
c312feb2 784 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 785 }
786
c9180a57 787 if (rootcontext_sid) {
275bb41e
DH		 788 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
789 cred);
0808925e 790 if (rc)
c9180a57 791 goto out;
0808925e 792
c9180a57
EP		 793 root_isec->sid = rootcontext_sid;
794 root_isec->initialized = 1;
0808925e
EP		 795 }
796
c9180a57 797 if (defcontext_sid) {
eb9ae686
DQ		 798 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
799 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
c9180a57
EP		 800 rc = -EINVAL;
801 printk(KERN_WARNING "SELinux: defcontext option is "
802 "invalid for this filesystem type\n");
803 goto out;
1da177e4
LT		 804 }
805
c9180a57
EP		 806 if (defcontext_sid != sbsec->def_sid) {
807 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 808 sbsec, cred);
c9180a57
EP		 809 if (rc)
810 goto out;
811 }
1da177e4 812
c9180a57 813 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 814 }
815
c9180a57 816 rc = sb_finish_set_opts(sb);
1da177e4 817out:
c9180a57 818 mutex_unlock(&sbsec->lock);
1da177e4 819 return rc;
c9180a57
EP		 820out_double_mount:
821 rc = -EINVAL;
822 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
29b1deb2 823 "security settings for (dev %s, type %s)\n", sb->s_id, name);
c9180a57 824 goto out;
1da177e4
LT		 825}
826
094f7b69
JL		 827static int selinux_cmp_sb_context(const struct super_block *oldsb,
828 const struct super_block *newsb)
829{
830 struct superblock_security_struct *old = oldsb->s_security;
831 struct superblock_security_struct *new = newsb->s_security;
832 char oldflags = old->flags & SE_MNTMASK;
833 char newflags = new->flags & SE_MNTMASK;
834
835 if (oldflags != newflags)
836 goto mismatch;
837 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
838 goto mismatch;
839 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
840 goto mismatch;
841 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
842 goto mismatch;
843 if (oldflags & ROOTCONTEXT_MNT) {
c6f493d6
DH		 844 struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security;
845 struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security;
094f7b69
JL		 846 if (oldroot->sid != newroot->sid)
847 goto mismatch;
848 }
849 return 0;
850mismatch:
851 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
852 "different security settings for (dev %s, "
853 "type %s)\n", newsb->s_id, newsb->s_type->name);
854 return -EBUSY;
855}
856
857static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
c9180a57 858 struct super_block *newsb)
1da177e4 859{
c9180a57
EP		 860 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
861 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 862
c9180a57
EP		 863 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
864 int set_context = (oldsbsec->flags & CONTEXT_MNT);
865 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 866
0f5e6420
EP		 867 /*
868 * if the parent was able to be mounted it clearly had no special lsm
e8c26255 869 * mount options. thus we can safely deal with this superblock later
0f5e6420 870 */
e8c26255 871 if (!ss_initialized)
094f7b69 872 return 0;
c9180a57 873
c9180a57 874 /* how can we clone if the old one wasn't set up?? */
0d90a7ec 875 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
c9180a57 876
094f7b69 877 /* if fs is reusing a sb, make sure that the contexts match */
0d90a7ec 878 if (newsbsec->flags & SE_SBINITIALIZED)
094f7b69 879 return selinux_cmp_sb_context(oldsb, newsb);
5a552617 880
c9180a57
EP		 881 mutex_lock(&newsbsec->lock);
882
883 newsbsec->flags = oldsbsec->flags;
884
885 newsbsec->sid = oldsbsec->sid;
886 newsbsec->def_sid = oldsbsec->def_sid;
887 newsbsec->behavior = oldsbsec->behavior;
888
889 if (set_context) {
890 u32 sid = oldsbsec->mntpoint_sid;
891
892 if (!set_fscontext)
893 newsbsec->sid = sid;
894 if (!set_rootcontext) {
c6f493d6 895 struct inode *newinode = d_backing_inode(newsb->s_root);
c9180a57
EP		 896 struct inode_security_struct *newisec = newinode->i_security;
897 newisec->sid = sid;
898 }
899 newsbsec->mntpoint_sid = sid;
1da177e4 900 }
c9180a57 901 if (set_rootcontext) {
c6f493d6 902 const struct inode *oldinode = d_backing_inode(oldsb->s_root);
c9180a57 903 const struct inode_security_struct *oldisec = oldinode->i_security;
c6f493d6 904 struct inode *newinode = d_backing_inode(newsb->s_root);
c9180a57 905 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 906
c9180a57 907 newisec->sid = oldisec->sid;
1da177e4
LT		 908 }
909
c9180a57
EP		 910 sb_finish_set_opts(newsb);
911 mutex_unlock(&newsbsec->lock);
094f7b69 912 return 0;
c9180a57
EP		 913}
914
2e1479d9
AB		 915static int selinux_parse_opts_str(char *options,
916 struct security_mnt_opts *opts)
c9180a57 917{
e0007529 918 char *p;
c9180a57
EP		 919 char *context = NULL, *defcontext = NULL;
920 char *fscontext = NULL, *rootcontext = NULL;
e0007529 921 int rc, num_mnt_opts = 0;
1da177e4 922
e0007529 923 opts->num_mnt_opts = 0;
1da177e4 924
c9180a57
EP		 925 /* Standard string-based options. */
926 while ((p = strsep(&options, "|")) != NULL) {
927 int token;
928 substring_t args[MAX_OPT_ARGS];
1da177e4 929
c9180a57
EP		 930 if (!*p)
931 continue;
1da177e4 932
c9180a57 933 token = match_token(p, tokens, args);
1da177e4 934
c9180a57
EP		 935 switch (token) {
936 case Opt_context:
937 if (context || defcontext) {
938 rc = -EINVAL;
939 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
940 goto out_err;
941 }
942 context = match_strdup(&args[0]);
943 if (!context) {
944 rc = -ENOMEM;
945 goto out_err;
946 }
947 break;
948
949 case Opt_fscontext:
950 if (fscontext) {
951 rc = -EINVAL;
952 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
953 goto out_err;
954 }
955 fscontext = match_strdup(&args[0]);
956 if (!fscontext) {
957 rc = -ENOMEM;
958 goto out_err;
959 }
960 break;
961
962 case Opt_rootcontext:
963 if (rootcontext) {
964 rc = -EINVAL;
965 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
966 goto out_err;
967 }
968 rootcontext = match_strdup(&args[0]);
969 if (!rootcontext) {
970 rc = -ENOMEM;
971 goto out_err;
972 }
973 break;
974
975 case Opt_defcontext:
976 if (context || defcontext) {
977 rc = -EINVAL;
978 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
979 goto out_err;
980 }
981 defcontext = match_strdup(&args[0]);
982 if (!defcontext) {
983 rc = -ENOMEM;
984 goto out_err;
985 }
986 break;
11689d47
DQ		 987 case Opt_labelsupport:
988 break;
c9180a57
EP		 989 default:
990 rc = -EINVAL;
991 printk(KERN_WARNING "SELinux: unknown mount option\n");
992 goto out_err;
1da177e4 993
1da177e4 994 }
1da177e4 995 }
c9180a57 996
e0007529
EP		 997 rc = -ENOMEM;
998 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
999 if (!opts->mnt_opts)
1000 goto out_err;
1001
1002 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1003 if (!opts->mnt_opts_flags) {
1004 kfree(opts->mnt_opts);
1005 goto out_err;
1006 }
1007
c9180a57 1008 if (fscontext) {
e0007529
EP		 1009 opts->mnt_opts[num_mnt_opts] = fscontext;
1010 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 1011 }
1012 if (context) {
e0007529
EP		 1013 opts->mnt_opts[num_mnt_opts] = context;
1014 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 1015 }
1016 if (rootcontext) {
e0007529
EP		 1017 opts->mnt_opts[num_mnt_opts] = rootcontext;
1018 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 1019 }
1020 if (defcontext) {
e0007529
EP		 1021 opts->mnt_opts[num_mnt_opts] = defcontext;
1022 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 1023 }
1024
e0007529
EP		 1025 opts->num_mnt_opts = num_mnt_opts;
1026 return 0;
1027
c9180a57
EP		 1028out_err:
1029 kfree(context);
1030 kfree(defcontext);
1031 kfree(fscontext);
1032 kfree(rootcontext);
1da177e4
LT		 1033 return rc;
1034}
e0007529
EP		 1035/*
1036 * string mount options parsing and call set the sbsec
1037 */
1038static int superblock_doinit(struct super_block *sb, void *data)
1039{
1040 int rc = 0;
1041 char *options = data;
1042 struct security_mnt_opts opts;
1043
1044 security_init_mnt_opts(&opts);
1045
1046 if (!data)
1047 goto out;
1048
1049 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1050
1051 rc = selinux_parse_opts_str(options, &opts);
1052 if (rc)
1053 goto out_err;
1054
1055out:
649f6e77 1056 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
e0007529
EP		 1057
1058out_err:
1059 security_free_mnt_opts(&opts);
1060 return rc;
1061}
1da177e4 1062
3583a711
AB		 1063static void selinux_write_opts(struct seq_file *m,
1064 struct security_mnt_opts *opts)
2069f457
EP		 1065{
1066 int i;
1067 char *prefix;
1068
1069 for (i = 0; i < opts->num_mnt_opts; i++) {
11689d47
DQ		 1070 char *has_comma;
1071
1072 if (opts->mnt_opts[i])
1073 has_comma = strchr(opts->mnt_opts[i], ',');
1074 else
1075 has_comma = NULL;
2069f457
EP		 1076
1077 switch (opts->mnt_opts_flags[i]) {
1078 case CONTEXT_MNT:
1079 prefix = CONTEXT_STR;
1080 break;
1081 case FSCONTEXT_MNT:
1082 prefix = FSCONTEXT_STR;
1083 break;
1084 case ROOTCONTEXT_MNT:
1085 prefix = ROOTCONTEXT_STR;
1086 break;
1087 case DEFCONTEXT_MNT:
1088 prefix = DEFCONTEXT_STR;
1089 break;
12f348b9 1090 case SBLABEL_MNT:
11689d47
DQ		 1091 seq_putc(m, ',');
1092 seq_puts(m, LABELSUPP_STR);
1093 continue;
2069f457
EP		 1094 default:
1095 BUG();
a35c6c83 1096 return;
2069f457
EP		 1097 };
1098 /* we need a comma before each option */
1099 seq_putc(m, ',');
1100 seq_puts(m, prefix);
1101 if (has_comma)
1102 seq_putc(m, '\"');
1103 seq_puts(m, opts->mnt_opts[i]);
1104 if (has_comma)
1105 seq_putc(m, '\"');
1106 }
1107}
1108
1109static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1110{
1111 struct security_mnt_opts opts;
1112 int rc;
1113
1114 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1115 if (rc) {
1116 /* before policy load we may get EINVAL, don't show anything */
1117 if (rc == -EINVAL)
1118 rc = 0;
2069f457 1119 return rc;
383795c2 1120 }
2069f457
EP		 1121
1122 selinux_write_opts(m, &opts);
1123
1124 security_free_mnt_opts(&opts);
1125
1126 return rc;
1127}
1128
1da177e4
LT		 1129static inline u16 inode_mode_to_security_class(umode_t mode)
1130{
1131 switch (mode & S_IFMT) {
1132 case S_IFSOCK:
1133 return SECCLASS_SOCK_FILE;
1134 case S_IFLNK:
1135 return SECCLASS_LNK_FILE;
1136 case S_IFREG:
1137 return SECCLASS_FILE;
1138 case S_IFBLK:
1139 return SECCLASS_BLK_FILE;
1140 case S_IFDIR:
1141 return SECCLASS_DIR;
1142 case S_IFCHR:
1143 return SECCLASS_CHR_FILE;
1144 case S_IFIFO:
1145 return SECCLASS_FIFO_FILE;
1146
1147 }
1148
1149 return SECCLASS_FILE;
1150}
1151
13402580
JM		 1152static inline int default_protocol_stream(int protocol)
1153{
1154 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1155}
1156
1157static inline int default_protocol_dgram(int protocol)
1158{
1159 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1160}
1161
1da177e4
LT		 1162static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1163{
1164 switch (family) {
1165 case PF_UNIX:
1166 switch (type) {
1167 case SOCK_STREAM:
1168 case SOCK_SEQPACKET:
1169 return SECCLASS_UNIX_STREAM_SOCKET;
1170 case SOCK_DGRAM:
1171 return SECCLASS_UNIX_DGRAM_SOCKET;
1172 }
1173 break;
1174 case PF_INET:
1175 case PF_INET6:
1176 switch (type) {
1177 case SOCK_STREAM:
13402580
JM		 1178 if (default_protocol_stream(protocol))
1179 return SECCLASS_TCP_SOCKET;
1180 else
1181 return SECCLASS_RAWIP_SOCKET;
1da177e4 1182 case SOCK_DGRAM:
13402580
JM		 1183 if (default_protocol_dgram(protocol))
1184 return SECCLASS_UDP_SOCKET;
1185 else
1186 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1187 case SOCK_DCCP:
1188 return SECCLASS_DCCP_SOCKET;
13402580 1189 default:
1da177e4
LT		 1190 return SECCLASS_RAWIP_SOCKET;
1191 }
1192 break;
1193 case PF_NETLINK:
1194 switch (protocol) {
1195 case NETLINK_ROUTE:
1196 return SECCLASS_NETLINK_ROUTE_SOCKET;
7f1fb60c 1197 case NETLINK_SOCK_DIAG:
1da177e4
LT		 1198 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1199 case NETLINK_NFLOG:
1200 return SECCLASS_NETLINK_NFLOG_SOCKET;
1201 case NETLINK_XFRM:
1202 return SECCLASS_NETLINK_XFRM_SOCKET;
1203 case NETLINK_SELINUX:
1204 return SECCLASS_NETLINK_SELINUX_SOCKET;
6c6d2e9b
SS		 1205 case NETLINK_ISCSI:
1206 return SECCLASS_NETLINK_ISCSI_SOCKET;
1da177e4
LT		 1207 case NETLINK_AUDIT:
1208 return SECCLASS_NETLINK_AUDIT_SOCKET;
6c6d2e9b
SS		 1209 case NETLINK_FIB_LOOKUP:
1210 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1211 case NETLINK_CONNECTOR:
1212 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1213 case NETLINK_NETFILTER:
1214 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1da177e4
LT		 1215 case NETLINK_DNRTMSG:
1216 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1217 case NETLINK_KOBJECT_UEVENT:
1218 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
6c6d2e9b
SS		 1219 case NETLINK_GENERIC:
1220 return SECCLASS_NETLINK_GENERIC_SOCKET;
1221 case NETLINK_SCSITRANSPORT:
1222 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1223 case NETLINK_RDMA:
1224 return SECCLASS_NETLINK_RDMA_SOCKET;
1225 case NETLINK_CRYPTO:
1226 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1da177e4
LT		 1227 default:
1228 return SECCLASS_NETLINK_SOCKET;
1229 }
1230 case PF_PACKET:
1231 return SECCLASS_PACKET_SOCKET;
1232 case PF_KEY:
1233 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1234 case PF_APPLETALK:
1235 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1236 }
1237
1238 return SECCLASS_SOCKET;
1239}
1240
134509d5
SS		 1241static int selinux_genfs_get_sid(struct dentry *dentry,
1242 u16 tclass,
1243 u16 flags,
1244 u32 *sid)
1da177e4 1245{
8e6c9693 1246 int rc;
134509d5 1247 struct super_block *sb = dentry->d_inode->i_sb;
8e6c9693 1248 char *buffer, *path;
1da177e4 1249
828dfe1d 1250 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1251 if (!buffer)
1252 return -ENOMEM;
1253
8e6c9693
LAG		 1254 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1255 if (IS_ERR(path))
1256 rc = PTR_ERR(path);
1257 else {
134509d5
SS		 1258 if (flags & SE_SBPROC) {
1259 /* each process gets a /proc/PID/ entry. Strip off the
1260 * PID part to get a valid selinux labeling.
1261 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1262 while (path[1] >= '0' && path[1] <= '9') {
1263 path[1] = '/';
1264 path++;
1265 }
8e6c9693 1266 }
134509d5 1267 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1da177e4 1268 }
1da177e4
LT		 1269 free_page((unsigned long)buffer);
1270 return rc;
1271}
1da177e4
LT		 1272
1273/* The inode's security attributes must be initialized before first use. */
1274static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1275{
1276 struct superblock_security_struct *sbsec = NULL;
1277 struct inode_security_struct *isec = inode->i_security;
1278 u32 sid;
1279 struct dentry *dentry;
1280#define INITCONTEXTLEN 255
1281 char *context = NULL;
1282 unsigned len = 0;
1283 int rc = 0;
1da177e4
LT		 1284
1285 if (isec->initialized)
1286 goto out;
1287
23970741 1288 mutex_lock(&isec->lock);
1da177e4 1289 if (isec->initialized)
23970741 1290 goto out_unlock;
1da177e4
LT		 1291
1292 sbsec = inode->i_sb->s_security;
0d90a7ec 1293 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1da177e4
LT		 1294 /* Defer initialization until selinux_complete_init,
1295 after the initial policy is loaded and the security
1296 server is ready to handle calls. */
1297 spin_lock(&sbsec->isec_lock);
1298 if (list_empty(&isec->list))
1299 list_add(&isec->list, &sbsec->isec_head);
1300 spin_unlock(&sbsec->isec_lock);
23970741 1301 goto out_unlock;
1da177e4
LT		 1302 }
1303
1304 switch (sbsec->behavior) {
eb9ae686
DQ		 1305 case SECURITY_FS_USE_NATIVE:
1306 break;
1da177e4
LT		 1307 case SECURITY_FS_USE_XATTR:
1308 if (!inode->i_op->getxattr) {
1309 isec->sid = sbsec->def_sid;
1310 break;
1311 }
1312
1313 /* Need a dentry, since the xattr API requires one.
1314 Life would be simpler if we could just pass the inode. */
1315 if (opt_dentry) {
1316 /* Called from d_instantiate or d_splice_alias. */
1317 dentry = dget(opt_dentry);
1318 } else {
1319 /* Called from selinux_complete_init, try to find a dentry. */
1320 dentry = d_find_alias(inode);
1321 }
1322 if (!dentry) {
df7f54c0
EP		 1323 /*
1324 * this is can be hit on boot when a file is accessed
1325 * before the policy is loaded. When we load policy we
1326 * may find inodes that have no dentry on the
1327 * sbsec->isec_head list. No reason to complain as these
1328 * will get fixed up the next time we go through
1329 * inode_doinit with a dentry, before these inodes could
1330 * be used again by userspace.
1331 */
23970741 1332 goto out_unlock;
1da177e4
LT		 1333 }
1334
1335 len = INITCONTEXTLEN;
4cb912f1 1336 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1337 if (!context) {
1338 rc = -ENOMEM;
1339 dput(dentry);
23970741 1340 goto out_unlock;
1da177e4 1341 }
4cb912f1 1342 context[len] = '\0';
1da177e4
LT		 1343 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1344 context, len);
1345 if (rc == -ERANGE) {
314dabb8
JM		 1346 kfree(context);
1347
1da177e4
LT		 1348 /* Need a larger buffer. Query for the right size. */
1349 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1350 NULL, 0);
1351 if (rc < 0) {
1352 dput(dentry);
23970741 1353 goto out_unlock;
1da177e4 1354 }
1da177e4 1355 len = rc;
4cb912f1 1356 context = kmalloc(len+1, GFP_NOFS);
1da177e4
LT		 1357 if (!context) {
1358 rc = -ENOMEM;
1359 dput(dentry);
23970741 1360 goto out_unlock;
1da177e4 1361 }
4cb912f1 1362 context[len] = '\0';
1da177e4
LT		 1363 rc = inode->i_op->getxattr(dentry,
1364 XATTR_NAME_SELINUX,
1365 context, len);
1366 }
1367 dput(dentry);
1368 if (rc < 0) {
1369 if (rc != -ENODATA) {
744ba35e 1370 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1371 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1372 -rc, inode->i_sb->s_id, inode->i_ino);
1373 kfree(context);
23970741 1374 goto out_unlock;
1da177e4
LT		 1375 }
1376 /* Map ENODATA to the default file SID */
1377 sid = sbsec->def_sid;
1378 rc = 0;
1379 } else {
f5c1d5b2 1380 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1381 sbsec->def_sid,
1382 GFP_NOFS);
1da177e4 1383 if (rc) {
4ba0a8ad
EP		 1384 char *dev = inode->i_sb->s_id;
1385 unsigned long ino = inode->i_ino;
1386
1387 if (rc == -EINVAL) {
1388 if (printk_ratelimit())
1389 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1390 "context=%s. This indicates you may need to relabel the inode or the "
1391 "filesystem in question.\n", ino, dev, context);
1392 } else {
1393 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1394 "returned %d for dev=%s ino=%ld\n",
1395 __func__, context, -rc, dev, ino);
1396 }
1da177e4
LT		 1397 kfree(context);
1398 /* Leave with the unlabeled SID */
1399 rc = 0;
1400 break;
1401 }
1402 }
1403 kfree(context);
1404 isec->sid = sid;
1405 break;
1406 case SECURITY_FS_USE_TASK:
1407 isec->sid = isec->task_sid;
1408 break;
1409 case SECURITY_FS_USE_TRANS:
1410 /* Default to the fs SID. */
1411 isec->sid = sbsec->sid;
1412
1413 /* Try to obtain a transition SID. */
1414 isec->sclass = inode_mode_to_security_class(inode->i_mode);
652bb9b0
EP		 1415 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1416 isec->sclass, NULL, &sid);
1da177e4 1417 if (rc)
23970741 1418 goto out_unlock;
1da177e4
LT		 1419 isec->sid = sid;
1420 break;
c312feb2
EP		 1421 case SECURITY_FS_USE_MNTPOINT:
1422 isec->sid = sbsec->mntpoint_sid;
1423 break;
1da177e4 1424 default:
c312feb2 1425 /* Default to the fs superblock SID. */
1da177e4
LT		 1426 isec->sid = sbsec->sid;
1427
134509d5 1428 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
f64410ec
PM		 1429 /* We must have a dentry to determine the label on
1430 * procfs inodes */
1431 if (opt_dentry)
1432 /* Called from d_instantiate or
1433 * d_splice_alias. */
1434 dentry = dget(opt_dentry);
1435 else
1436 /* Called from selinux_complete_init, try to
1437 * find a dentry. */
1438 dentry = d_find_alias(inode);
1439 /*
1440 * This can be hit on boot when a file is accessed
1441 * before the policy is loaded. When we load policy we
1442 * may find inodes that have no dentry on the
1443 * sbsec->isec_head list. No reason to complain as
1444 * these will get fixed up the next time we go through
1445 * inode_doinit() with a dentry, before these inodes
1446 * could be used again by userspace.
1447 */
1448 if (!dentry)
1449 goto out_unlock;
1450 isec->sclass = inode_mode_to_security_class(inode->i_mode);
134509d5
SS		 1451 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1452 sbsec->flags, &sid);
f64410ec
PM		 1453 dput(dentry);
1454 if (rc)
1455 goto out_unlock;
1456 isec->sid = sid;
1da177e4
LT		 1457 }
1458 break;
1459 }
1460
1461 isec->initialized = 1;
1462
23970741
EP		 1463out_unlock:
1464 mutex_unlock(&isec->lock);
1da177e4
LT		 1465out:
1466 if (isec->sclass == SECCLASS_FILE)
1467 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1468 return rc;
1469}
1470
1471/* Convert a Linux signal to an access vector. */
1472static inline u32 signal_to_av(int sig)
1473{
1474 u32 perm = 0;
1475
1476 switch (sig) {
1477 case SIGCHLD:
1478 /* Commonly granted from child to parent. */
1479 perm = PROCESS__SIGCHLD;
1480 break;
1481 case SIGKILL:
1482 /* Cannot be caught or ignored */
1483 perm = PROCESS__SIGKILL;
1484 break;
1485 case SIGSTOP:
1486 /* Cannot be caught or ignored */
1487 perm = PROCESS__SIGSTOP;
1488 break;
1489 default:
1490 /* All other signals. */
1491 perm = PROCESS__SIGNAL;
1492 break;
1493 }
1494
1495 return perm;
1496}
1497
d84f4f99
DH		 1498/*
1499 * Check permission between a pair of credentials
1500 * fork check, ptrace check, etc.
1501 */
1502static int cred_has_perm(const struct cred *actor,
1503 const struct cred *target,
1504 u32 perms)
1505{
1506 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1507
1508 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1509}
1510
275bb41e 1511/*
88e67f3b 1512 * Check permission between a pair of tasks, e.g. signal checks,
275bb41e
DH		 1513 * fork check, ptrace check, etc.
1514 * tsk1 is the actor and tsk2 is the target
3b11a1de 1515 * - this uses the default subjective creds of tsk1
275bb41e
DH		 1516 */
1517static int task_has_perm(const struct task_struct *tsk1,
1518 const struct task_struct *tsk2,
1da177e4
LT		 1519 u32 perms)
1520{
275bb41e
DH		 1521 const struct task_security_struct *__tsec1, *__tsec2;
1522 u32 sid1, sid2;
1da177e4 1523
275bb41e
DH		 1524 rcu_read_lock();
1525 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1526 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1527 rcu_read_unlock();
1528 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1529}
1530
3b11a1de
DH		 1531/*
1532 * Check permission between current and another task, e.g. signal checks,
1533 * fork check, ptrace check, etc.
1534 * current is the actor and tsk2 is the target
1535 * - this uses current's subjective creds
1536 */
1537static int current_has_perm(const struct task_struct *tsk,
1538 u32 perms)
1539{
1540 u32 sid, tsid;
1541
1542 sid = current_sid();
1543 tsid = task_sid(tsk);
1544 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1545}
1546
b68e418c
SS		 1547#if CAP_LAST_CAP > 63
1548#error Fix SELinux to handle capabilities > 63.
1549#endif
1550
1da177e4 1551/* Check whether a task is allowed to use a capability. */
6a9de491 1552static int cred_has_capability(const struct cred *cred,
06112163 1553 int cap, int audit)
1da177e4 1554{
2bf49690 1555 struct common_audit_data ad;
06112163 1556 struct av_decision avd;
b68e418c 1557 u16 sclass;
3699c53c 1558 u32 sid = cred_sid(cred);
b68e418c 1559 u32 av = CAP_TO_MASK(cap);
06112163 1560 int rc;
1da177e4 1561
50c205f5 1562 ad.type = LSM_AUDIT_DATA_CAP;
1da177e4
LT		 1563 ad.u.cap = cap;
1564
b68e418c
SS		 1565 switch (CAP_TO_INDEX(cap)) {
1566 case 0:
1567 sclass = SECCLASS_CAPABILITY;
1568 break;
1569 case 1:
1570 sclass = SECCLASS_CAPABILITY2;
1571 break;
1572 default:
1573 printk(KERN_ERR
1574 "SELinux: out of range capability %d\n", cap);
1575 BUG();
a35c6c83 1576 return -EINVAL;
b68e418c 1577 }
06112163 1578
275bb41e 1579 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
9ade0cf4 1580 if (audit == SECURITY_CAP_AUDIT) {
ab354062 1581 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
9ade0cf4
EP		 1582 if (rc2)
1583 return rc2;
1584 }
06112163 1585 return rc;
1da177e4
LT		 1586}
1587
1588/* Check whether a task is allowed to use a system operation. */
1589static int task_has_system(struct task_struct *tsk,
1590 u32 perms)
1591{
275bb41e 1592 u32 sid = task_sid(tsk);
1da177e4 1593
275bb41e 1594 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1595 SECCLASS_SYSTEM, perms, NULL);
1596}
1597
1598/* Check whether a task has a particular permission to an inode.
1599 The 'adp' parameter is optional and allows other audit
1600 data to be passed (e.g. the dentry). */
88e67f3b 1601static int inode_has_perm(const struct cred *cred,
1da177e4
LT		 1602 struct inode *inode,
1603 u32 perms,
19e49834 1604 struct common_audit_data *adp)
1da177e4 1605{
1da177e4 1606 struct inode_security_struct *isec;
275bb41e 1607 u32 sid;
1da177e4 1608
e0e81739
DH		 1609 validate_creds(cred);
1610
828dfe1d 1611 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1612 return 0;
1613
88e67f3b 1614 sid = cred_sid(cred);
1da177e4
LT		 1615 isec = inode->i_security;
1616
19e49834 1617 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1618}
1619
1620/* Same as inode_has_perm, but pass explicit audit data containing
1621 the dentry to help the auditing code to more easily generate the
1622 pathname if needed. */
88e67f3b 1623static inline int dentry_has_perm(const struct cred *cred,
1da177e4
LT		 1624 struct dentry *dentry,
1625 u32 av)
1626{
c6f493d6 1627 struct inode *inode = d_backing_inode(dentry);
2bf49690 1628 struct common_audit_data ad;
88e67f3b 1629
50c205f5 1630 ad.type = LSM_AUDIT_DATA_DENTRY;
2875fa00 1631 ad.u.dentry = dentry;
19e49834 1632 return inode_has_perm(cred, inode, av, &ad);
2875fa00
EP		 1633}
1634
1635/* Same as inode_has_perm, but pass explicit audit data containing
1636 the path to help the auditing code to more easily generate the
1637 pathname if needed. */
1638static inline int path_has_perm(const struct cred *cred,
3f7036a0 1639 const struct path *path,
2875fa00
EP		 1640 u32 av)
1641{
c6f493d6 1642 struct inode *inode = d_backing_inode(path->dentry);
2875fa00
EP		 1643 struct common_audit_data ad;
1644
50c205f5 1645 ad.type = LSM_AUDIT_DATA_PATH;
2875fa00 1646 ad.u.path = *path;
19e49834 1647 return inode_has_perm(cred, inode, av, &ad);
1da177e4
LT		 1648}
1649
13f8e981
DH		 1650/* Same as path_has_perm, but uses the inode from the file struct. */
1651static inline int file_path_has_perm(const struct cred *cred,
1652 struct file *file,
1653 u32 av)
1654{
1655 struct common_audit_data ad;
1656
1657 ad.type = LSM_AUDIT_DATA_PATH;
1658 ad.u.path = file->f_path;
19e49834 1659 return inode_has_perm(cred, file_inode(file), av, &ad);
13f8e981
DH		 1660}
1661
1da177e4
LT		 1662/* Check whether a task can use an open file descriptor to
1663 access an inode in a given way. Check access to the
1664 descriptor itself, and then use dentry_has_perm to
1665 check a particular permission to the file.
1666 Access to the descriptor is implicitly granted if it
1667 has the same SID as the process. If av is zero, then
1668 access to the file is not checked, e.g. for cases
1669 where only the descriptor is affected like seek. */
88e67f3b
DH		 1670static int file_has_perm(const struct cred *cred,
1671 struct file *file,
1672 u32 av)
1da177e4 1673{
1da177e4 1674 struct file_security_struct *fsec = file->f_security;
496ad9aa 1675 struct inode *inode = file_inode(file);
2bf49690 1676 struct common_audit_data ad;
88e67f3b 1677 u32 sid = cred_sid(cred);
1da177e4
LT		 1678 int rc;
1679
50c205f5 1680 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 1681 ad.u.path = file->f_path;
1da177e4 1682
275bb41e
DH		 1683 if (sid != fsec->sid) {
1684 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1685 SECCLASS_FD,
1686 FD__USE,
1687 &ad);
1688 if (rc)
88e67f3b 1689 goto out;
1da177e4
LT		 1690 }
1691
1692 /* av is zero if only checking access to the descriptor. */
88e67f3b 1693 rc = 0;
1da177e4 1694 if (av)
19e49834 1695 rc = inode_has_perm(cred, inode, av, &ad);
1da177e4 1696
88e67f3b
DH		 1697out:
1698 return rc;
1da177e4
LT		 1699}
1700
1701/* Check whether a task can create a file. */
1702static int may_create(struct inode *dir,
1703 struct dentry *dentry,
1704 u16 tclass)
1705{
5fb49870 1706 const struct task_security_struct *tsec = current_security();
1da177e4
LT		 1707 struct inode_security_struct *dsec;
1708 struct superblock_security_struct *sbsec;
275bb41e 1709 u32 sid, newsid;
2bf49690 1710 struct common_audit_data ad;
1da177e4
LT		 1711 int rc;
1712
1da177e4
LT		 1713 dsec = dir->i_security;
1714 sbsec = dir->i_sb->s_security;
1715
275bb41e
DH		 1716 sid = tsec->sid;
1717 newsid = tsec->create_sid;
1718
50c205f5 1719 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1720 ad.u.dentry = dentry;
1da177e4 1721
275bb41e 1722 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1723 DIR__ADD_NAME | DIR__SEARCH,
1724 &ad);
1725 if (rc)
1726 return rc;
1727
12f348b9 1728 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
cb1e922f
EP		 1729 rc = security_transition_sid(sid, dsec->sid, tclass,
1730 &dentry->d_name, &newsid);
1da177e4
LT		 1731 if (rc)
1732 return rc;
1733 }
1734
275bb41e 1735 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1736 if (rc)
1737 return rc;
1738
1739 return avc_has_perm(newsid, sbsec->sid,
1740 SECCLASS_FILESYSTEM,
1741 FILESYSTEM__ASSOCIATE, &ad);
1742}
1743
4eb582cf
ML		 1744/* Check whether a task can create a key. */
1745static int may_create_key(u32 ksid,
1746 struct task_struct *ctx)
1747{
275bb41e 1748 u32 sid = task_sid(ctx);
4eb582cf 1749
275bb41e 1750 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1751}
1752
828dfe1d
EP		 1753#define MAY_LINK 0
1754#define MAY_UNLINK 1
1755#define MAY_RMDIR 2
1da177e4
LT		 1756
1757/* Check whether a task can link, unlink, or rmdir a file/directory. */
1758static int may_link(struct inode *dir,
1759 struct dentry *dentry,
1760 int kind)
1761
1762{
1da177e4 1763 struct inode_security_struct *dsec, *isec;
2bf49690 1764 struct common_audit_data ad;
275bb41e 1765 u32 sid = current_sid();
1da177e4
LT		 1766 u32 av;
1767 int rc;
1768
1da177e4 1769 dsec = dir->i_security;
c6f493d6 1770 isec = d_backing_inode(dentry)->i_security;
1da177e4 1771
50c205f5 1772 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 1773 ad.u.dentry = dentry;
1da177e4
LT		 1774
1775 av = DIR__SEARCH;
1776 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1777 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1778 if (rc)
1779 return rc;
1780
1781 switch (kind) {
1782 case MAY_LINK:
1783 av = FILE__LINK;
1784 break;
1785 case MAY_UNLINK:
1786 av = FILE__UNLINK;
1787 break;
1788 case MAY_RMDIR:
1789 av = DIR__RMDIR;
1790 break;
1791 default:
744ba35e
EP		 1792 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1793 __func__, kind);
1da177e4
LT		 1794 return 0;
1795 }
1796
275bb41e 1797 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1798 return rc;
1799}
1800
1801static inline int may_rename(struct inode *old_dir,
1802 struct dentry *old_dentry,
1803 struct inode *new_dir,
1804 struct dentry *new_dentry)
1805{
1da177e4 1806 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2bf49690 1807 struct common_audit_data ad;
275bb41e 1808 u32 sid = current_sid();
1da177e4
LT		 1809 u32 av;
1810 int old_is_dir, new_is_dir;
1811 int rc;
1812
1da177e4 1813 old_dsec = old_dir->i_security;
c6f493d6 1814 old_isec = d_backing_inode(old_dentry)->i_security;
e36cb0b8 1815 old_is_dir = d_is_dir(old_dentry);
1da177e4
LT		 1816 new_dsec = new_dir->i_security;
1817
50c205f5 1818 ad.type = LSM_AUDIT_DATA_DENTRY;
1da177e4 1819
a269434d 1820 ad.u.dentry = old_dentry;
275bb41e 1821 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1822 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1823 if (rc)
1824 return rc;
275bb41e 1825 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1826 old_isec->sclass, FILE__RENAME, &ad);
1827 if (rc)
1828 return rc;
1829 if (old_is_dir && new_dir != old_dir) {
275bb41e 1830 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1831 old_isec->sclass, DIR__REPARENT, &ad);
1832 if (rc)
1833 return rc;
1834 }
1835
a269434d 1836 ad.u.dentry = new_dentry;
1da177e4 1837 av = DIR__ADD_NAME | DIR__SEARCH;
2c616d4d 1838 if (d_is_positive(new_dentry))
1da177e4 1839 av |= DIR__REMOVE_NAME;
275bb41e 1840 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1841 if (rc)
1842 return rc;
2c616d4d 1843 if (d_is_positive(new_dentry)) {
c6f493d6 1844 new_isec = d_backing_inode(new_dentry)->i_security;
e36cb0b8 1845 new_is_dir = d_is_dir(new_dentry);
275bb41e 1846 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1847 new_isec->sclass,
1848 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1849 if (rc)
1850 return rc;
1851 }
1852
1853 return 0;
1854}
1855
1856/* Check whether a task can perform a filesystem operation. */
88e67f3b 1857static int superblock_has_perm(const struct cred *cred,
1da177e4
LT		 1858 struct super_block *sb,
1859 u32 perms,
2bf49690 1860 struct common_audit_data *ad)
1da177e4 1861{
1da177e4 1862 struct superblock_security_struct *sbsec;
88e67f3b 1863 u32 sid = cred_sid(cred);
1da177e4 1864
1da177e4 1865 sbsec = sb->s_security;
275bb41e 1866 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1867}
1868
1869/* Convert a Linux mode and permission mask to an access vector. */
1870static inline u32 file_mask_to_av(int mode, int mask)
1871{
1872 u32 av = 0;
1873
dba19c60 1874 if (!S_ISDIR(mode)) {
1da177e4
LT		 1875 if (mask & MAY_EXEC)
1876 av |= FILE__EXECUTE;
1877 if (mask & MAY_READ)
1878 av |= FILE__READ;
1879
1880 if (mask & MAY_APPEND)
1881 av |= FILE__APPEND;
1882 else if (mask & MAY_WRITE)
1883 av |= FILE__WRITE;
1884
1885 } else {
1886 if (mask & MAY_EXEC)
1887 av |= DIR__SEARCH;
1888 if (mask & MAY_WRITE)
1889 av |= DIR__WRITE;
1890 if (mask & MAY_READ)
1891 av |= DIR__READ;
1892 }
1893
1894 return av;
1895}
1896
8b6a5a37
EP		 1897/* Convert a Linux file to an access vector. */
1898static inline u32 file_to_av(struct file *file)
1899{
1900 u32 av = 0;
1901
1902 if (file->f_mode & FMODE_READ)
1903 av |= FILE__READ;
1904 if (file->f_mode & FMODE_WRITE) {
1905 if (file->f_flags & O_APPEND)
1906 av |= FILE__APPEND;
1907 else
1908 av |= FILE__WRITE;
1909 }
1910 if (!av) {
1911 /*
1912 * Special file opened with flags 3 for ioctl-only use.
1913 */
1914 av = FILE__IOCTL;
1915 }
1916
1917 return av;
1918}
1919
b0c636b9 1920/*
8b6a5a37 1921 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1922 * open permission.
1923 */
8b6a5a37 1924static inline u32 open_file_to_av(struct file *file)
b0c636b9 1925{
8b6a5a37 1926 u32 av = file_to_av(file);
b0c636b9 1927
49b7b8de
EP		 1928 if (selinux_policycap_openperm)
1929 av |= FILE__OPEN;
1930
b0c636b9
EP		 1931 return av;
1932}
1933
1da177e4
LT		 1934/* Hook functions begin here. */
1935
79af7307
SS		 1936static int selinux_binder_set_context_mgr(struct task_struct *mgr)
1937{
1938 u32 mysid = current_sid();
1939 u32 mgrsid = task_sid(mgr);
1940
1941 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
1942 BINDER__SET_CONTEXT_MGR, NULL);
1943}
1944
1945static int selinux_binder_transaction(struct task_struct *from,
1946 struct task_struct *to)
1947{
1948 u32 mysid = current_sid();
1949 u32 fromsid = task_sid(from);
1950 u32 tosid = task_sid(to);
1951 int rc;
1952
1953 if (mysid != fromsid) {
1954 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
1955 BINDER__IMPERSONATE, NULL);
1956 if (rc)
1957 return rc;
1958 }
1959
1960 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
1961 NULL);
1962}
1963
1964static int selinux_binder_transfer_binder(struct task_struct *from,
1965 struct task_struct *to)
1966{
1967 u32 fromsid = task_sid(from);
1968 u32 tosid = task_sid(to);
1969
1970 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
1971 NULL);
1972}
1973
1974static int selinux_binder_transfer_file(struct task_struct *from,
1975 struct task_struct *to,
1976 struct file *file)
1977{
1978 u32 sid = task_sid(to);
1979 struct file_security_struct *fsec = file->f_security;
c6f493d6 1980 struct inode *inode = d_backing_inode(file->f_path.dentry);
79af7307
SS		 1981 struct inode_security_struct *isec = inode->i_security;
1982 struct common_audit_data ad;
1983 int rc;
1984
1985 ad.type = LSM_AUDIT_DATA_PATH;
1986 ad.u.path = file->f_path;
1987
1988 if (sid != fsec->sid) {
1989 rc = avc_has_perm(sid, fsec->sid,
1990 SECCLASS_FD,
1991 FD__USE,
1992 &ad);
1993 if (rc)
1994 return rc;
1995 }
1996
1997 if (unlikely(IS_PRIVATE(inode)))
1998 return 0;
1999
2000 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2001 &ad);
2002}
2003
9e48858f 2004static int selinux_ptrace_access_check(struct task_struct *child,
5cd9c58f 2005 unsigned int mode)
1da177e4 2006{
69f594a3 2007 if (mode & PTRACE_MODE_READ) {
275bb41e
DH		 2008 u32 sid = current_sid();
2009 u32 csid = task_sid(child);
2010 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 2011 }
2012
3b11a1de 2013 return current_has_perm(child, PROCESS__PTRACE);
5cd9c58f
DH		 2014}
2015
2016static int selinux_ptrace_traceme(struct task_struct *parent)
2017{
5cd9c58f 2018 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 2019}
2020
2021static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 2022 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 2023{
b1d9e6b0 2024 return current_has_perm(target, PROCESS__GETCAP);
1da177e4
LT		 2025}
2026
d84f4f99
DH		 2027static int selinux_capset(struct cred *new, const struct cred *old,
2028 const kernel_cap_t *effective,
2029 const kernel_cap_t *inheritable,
2030 const kernel_cap_t *permitted)
1da177e4 2031{
d84f4f99 2032 return cred_has_perm(old, new, PROCESS__SETCAP);
1da177e4
LT		 2033}
2034
5626d3e8
JM		 2035/*
2036 * (This comment used to live with the selinux_task_setuid hook,
2037 * which was removed).
2038 *
2039 * Since setuid only affects the current process, and since the SELinux
2040 * controls are not based on the Linux identity attributes, SELinux does not
2041 * need to control this operation. However, SELinux does control the use of
2042 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2043 */
2044
6a9de491
EP		 2045static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2046 int cap, int audit)
1da177e4 2047{
6a9de491 2048 return cred_has_capability(cred, cap, audit);
1da177e4
LT		 2049}
2050
1da177e4
LT		 2051static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2052{
88e67f3b 2053 const struct cred *cred = current_cred();
1da177e4
LT		 2054 int rc = 0;
2055
2056 if (!sb)
2057 return 0;
2058
2059 switch (cmds) {
828dfe1d
EP		 2060 case Q_SYNC:
2061 case Q_QUOTAON:
2062 case Q_QUOTAOFF:
2063 case Q_SETINFO:
2064 case Q_SETQUOTA:
88e67f3b 2065 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
828dfe1d
EP		 2066 break;
2067 case Q_GETFMT:
2068 case Q_GETINFO:
2069 case Q_GETQUOTA:
88e67f3b 2070 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
828dfe1d
EP		 2071 break;
2072 default:
2073 rc = 0; /* let the kernel handle invalid cmds */
2074 break;
1da177e4
LT		 2075 }
2076 return rc;
2077}
2078
2079static int selinux_quota_on(struct dentry *dentry)
2080{
88e67f3b
DH		 2081 const struct cred *cred = current_cred();
2082
2875fa00 2083 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1da177e4
LT		 2084}
2085
12b3052c 2086static int selinux_syslog(int type)
1da177e4
LT		 2087{
2088 int rc;
2089
1da177e4 2090 switch (type) {
d78ca3cd
KC		 2091 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2092 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
828dfe1d
EP		 2093 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2094 break;
d78ca3cd
KC		 2095 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2096 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2097 /* Set level of messages printed to console */
2098 case SYSLOG_ACTION_CONSOLE_LEVEL:
828dfe1d
EP		 2099 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2100 break;
d78ca3cd
KC		 2101 case SYSLOG_ACTION_CLOSE: /* Close log */
2102 case SYSLOG_ACTION_OPEN: /* Open log */
2103 case SYSLOG_ACTION_READ: /* Read from log */
2104 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2105 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
828dfe1d
EP		 2106 default:
2107 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2108 break;
1da177e4
LT		 2109 }
2110 return rc;
2111}
2112
2113/*
2114 * Check that a process has enough memory to allocate a new virtual
2115 * mapping. 0 means there is enough memory for the allocation to
2116 * succeed and -ENOMEM implies there is not.
2117 *
1da177e4
LT		 2118 * Do not audit the selinux permission check, as this is applied to all
2119 * processes that allocate mappings.
2120 */
34b4e4aa 2121static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 2122{
2123 int rc, cap_sys_admin = 0;
1da177e4 2124
b1d9e6b0
CS		 2125 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2126 SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2127 if (rc == 0)
2128 cap_sys_admin = 1;
2129
b1d9e6b0 2130 return cap_sys_admin;
1da177e4
LT		 2131}
2132
2133/* binprm security operations */
2134
7b0d0b40
SS		 2135static int check_nnp_nosuid(const struct linux_binprm *bprm,
2136 const struct task_security_struct *old_tsec,
2137 const struct task_security_struct *new_tsec)
2138{
2139 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2140 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2141 int rc;
2142
2143 if (!nnp && !nosuid)
2144 return 0; /* neither NNP nor nosuid */
2145
2146 if (new_tsec->sid == old_tsec->sid)
2147 return 0; /* No change in credentials */
2148
2149 /*
2150 * The only transitions we permit under NNP or nosuid
2151 * are transitions to bounded SIDs, i.e. SIDs that are
2152 * guaranteed to only be allowed a subset of the permissions
2153 * of the current SID.
2154 */
2155 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2156 if (rc) {
2157 /*
2158 * On failure, preserve the errno values for NNP vs nosuid.
2159 * NNP: Operation not permitted for caller.
2160 * nosuid: Permission denied to file.
2161 */
2162 if (nnp)
2163 return -EPERM;
2164 else
2165 return -EACCES;
2166 }
2167 return 0;
2168}
2169
a6f76f23 2170static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1da177e4 2171{
a6f76f23
DH		 2172 const struct task_security_struct *old_tsec;
2173 struct task_security_struct *new_tsec;
1da177e4 2174 struct inode_security_struct *isec;
2bf49690 2175 struct common_audit_data ad;
496ad9aa 2176 struct inode *inode = file_inode(bprm->file);
1da177e4
LT		 2177 int rc;
2178
a6f76f23
DH		 2179 /* SELinux context only depends on initial program or script and not
2180 * the script interpreter */
2181 if (bprm->cred_prepared)
1da177e4
LT		 2182 return 0;
2183
a6f76f23
DH		 2184 old_tsec = current_security();
2185 new_tsec = bprm->cred->security;
1da177e4
LT		 2186 isec = inode->i_security;
2187
2188 /* Default to the current task SID. */
a6f76f23
DH		 2189 new_tsec->sid = old_tsec->sid;
2190 new_tsec->osid = old_tsec->sid;
1da177e4 2191
28eba5bf 2192 /* Reset fs, key, and sock SIDs on execve. */
a6f76f23
DH		 2193 new_tsec->create_sid = 0;
2194 new_tsec->keycreate_sid = 0;
2195 new_tsec->sockcreate_sid = 0;
1da177e4 2196
a6f76f23
DH		 2197 if (old_tsec->exec_sid) {
2198 new_tsec->sid = old_tsec->exec_sid;
1da177e4 2199 /* Reset exec SID on execve. */
a6f76f23 2200 new_tsec->exec_sid = 0;
259e5e6c 2201
7b0d0b40
SS		 2202 /* Fail on NNP or nosuid if not an allowed transition. */
2203 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2204 if (rc)
2205 return rc;
1da177e4
LT		 2206 } else {
2207 /* Check for a default transition on this program. */
a6f76f23 2208 rc = security_transition_sid(old_tsec->sid, isec->sid,
652bb9b0
EP		 2209 SECCLASS_PROCESS, NULL,
2210 &new_tsec->sid);
1da177e4
LT		 2211 if (rc)
2212 return rc;
7b0d0b40
SS		 2213
2214 /*
2215 * Fallback to old SID on NNP or nosuid if not an allowed
2216 * transition.
2217 */
2218 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2219 if (rc)
2220 new_tsec->sid = old_tsec->sid;
1da177e4
LT		 2221 }
2222
50c205f5 2223 ad.type = LSM_AUDIT_DATA_PATH;
f48b7399 2224 ad.u.path = bprm->file->f_path;
1da177e4 2225
a6f76f23
DH		 2226 if (new_tsec->sid == old_tsec->sid) {
2227 rc = avc_has_perm(old_tsec->sid, isec->sid,
1da177e4
LT		 2228 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2229 if (rc)
2230 return rc;
2231 } else {
2232 /* Check permissions for the transition. */
a6f76f23 2233 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
1da177e4
LT		 2234 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2235 if (rc)
2236 return rc;
2237
a6f76f23 2238 rc = avc_has_perm(new_tsec->sid, isec->sid,
1da177e4
LT		 2239 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2240 if (rc)
2241 return rc;
2242
a6f76f23
DH		 2243 /* Check for shared state */
2244 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2245 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2246 SECCLASS_PROCESS, PROCESS__SHARE,
2247 NULL);
2248 if (rc)
2249 return -EPERM;
2250 }
2251
2252 /* Make sure that anyone attempting to ptrace over a task that
2253 * changes its SID has the appropriate permit */
2254 if (bprm->unsafe &
2255 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2256 struct task_struct *tracer;
2257 struct task_security_struct *sec;
2258 u32 ptsid = 0;
2259
2260 rcu_read_lock();
06d98473 2261 tracer = ptrace_parent(current);
a6f76f23
DH		 2262 if (likely(tracer != NULL)) {
2263 sec = __task_cred(tracer)->security;
2264 ptsid = sec->sid;
2265 }
2266 rcu_read_unlock();
2267
2268 if (ptsid != 0) {
2269 rc = avc_has_perm(ptsid, new_tsec->sid,
2270 SECCLASS_PROCESS,
2271 PROCESS__PTRACE, NULL);
2272 if (rc)
2273 return -EPERM;
2274 }
2275 }
1da177e4 2276
a6f76f23
DH		 2277 /* Clear any possibly unsafe personality bits on exec: */
2278 bprm->per_clear |= PER_CLEAR_ON_SETID;
1da177e4
LT		 2279 }
2280
1da177e4
LT		 2281 return 0;
2282}
2283
828dfe1d 2284static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2285{
5fb49870 2286 const struct task_security_struct *tsec = current_security();
275bb41e 2287 u32 sid, osid;
1da177e4
LT		 2288 int atsecure = 0;
2289
275bb41e
DH		 2290 sid = tsec->sid;
2291 osid = tsec->osid;
2292
2293 if (osid != sid) {
1da177e4
LT		 2294 /* Enable secure mode for SIDs transitions unless
2295 the noatsecure permission is granted between
2296 the two SIDs, i.e. ahp returns 0. */
275bb41e 2297 atsecure = avc_has_perm(osid, sid,
a6f76f23
DH		 2298 SECCLASS_PROCESS,
2299 PROCESS__NOATSECURE, NULL);
1da177e4
LT		 2300 }
2301
b1d9e6b0 2302 return !!atsecure;
1da177e4
LT		 2303}
2304
c3c073f8
AV		 2305static int match_file(const void *p, struct file *file, unsigned fd)
2306{
2307 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2308}
2309
1da177e4 2310/* Derived from fs/exec.c:flush_old_files. */
745ca247
DH		 2311static inline void flush_unauthorized_files(const struct cred *cred,
2312 struct files_struct *files)
1da177e4 2313{
1da177e4 2314 struct file *file, *devnull = NULL;
b20c8122 2315 struct tty_struct *tty;
24ec839c 2316 int drop_tty = 0;
c3c073f8 2317 unsigned n;
1da177e4 2318
24ec839c 2319 tty = get_current_tty();
1da177e4 2320 if (tty) {
ee2ffa0d 2321 spin_lock(&tty_files_lock);
37dd0bd0 2322 if (!list_empty(&tty->tty_files)) {
d996b62a 2323 struct tty_file_private *file_priv;
37dd0bd0 2324
1da177e4 2325 /* Revalidate access to controlling tty.
13f8e981
DH		 2326 Use file_path_has_perm on the tty path directly
2327 rather than using file_has_perm, as this particular
2328 open file may belong to another process and we are
2329 only interested in the inode-based check here. */
d996b62a
NP		 2330 file_priv = list_first_entry(&tty->tty_files,
2331 struct tty_file_private, list);
2332 file = file_priv->file;
13f8e981 2333 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
24ec839c 2334 drop_tty = 1;
1da177e4 2335 }
ee2ffa0d 2336 spin_unlock(&tty_files_lock);
452a00d2 2337 tty_kref_put(tty);
1da177e4 2338 }
98a27ba4
EB		 2339 /* Reset controlling tty. */
2340 if (drop_tty)
2341 no_tty();
1da177e4
LT		 2342
2343 /* Revalidate access to inherited open files. */
c3c073f8
AV		 2344 n = iterate_fd(files, 0, match_file, cred);
2345 if (!n) /* none found? */
2346 return;
1da177e4 2347
c3c073f8 2348 devnull = dentry_open(&selinux_null, O_RDWR, cred);
45525b26
AV		 2349 if (IS_ERR(devnull))
2350 devnull = NULL;
2351 /* replace all the matching ones with this */
2352 do {
2353 replace_fd(n - 1, devnull, 0);
2354 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2355 if (devnull)
c3c073f8 2356 fput(devnull);
1da177e4
LT		 2357}
2358
a6f76f23
DH		 2359/*
2360 * Prepare a process for imminent new credential changes due to exec
2361 */
2362static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
1da177e4 2363{
a6f76f23
DH		 2364 struct task_security_struct *new_tsec;
2365 struct rlimit *rlim, *initrlim;
2366 int rc, i;
d84f4f99 2367
a6f76f23
DH		 2368 new_tsec = bprm->cred->security;
2369 if (new_tsec->sid == new_tsec->osid)
2370 return;
1da177e4 2371
a6f76f23
DH		 2372 /* Close files for which the new task SID is not authorized. */
2373 flush_unauthorized_files(bprm->cred, current->files);
0356357c 2374
a6f76f23
DH		 2375 /* Always clear parent death signal on SID transitions. */
2376 current->pdeath_signal = 0;
0356357c 2377
a6f76f23
DH		 2378 /* Check whether the new SID can inherit resource limits from the old
2379 * SID. If not, reset all soft limits to the lower of the current
2380 * task's hard limit and the init task's soft limit.
2381 *
2382 * Note that the setting of hard limits (even to lower them) can be
2383 * controlled by the setrlimit check. The inclusion of the init task's
2384 * soft limit into the computation is to avoid resetting soft limits
2385 * higher than the default soft limit for cases where the default is
2386 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2387 */
2388 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2389 PROCESS__RLIMITINH, NULL);
2390 if (rc) {
eb2d55a3
ON		 2391 /* protect against do_prlimit() */
2392 task_lock(current);
a6f76f23
DH		 2393 for (i = 0; i < RLIM_NLIMITS; i++) {
2394 rlim = current->signal->rlim + i;
2395 initrlim = init_task.signal->rlim + i;
2396 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2397 }
eb2d55a3
ON		 2398 task_unlock(current);
2399 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
1da177e4
LT		 2400 }
2401}
2402
2403/*
a6f76f23
DH		 2404 * Clean up the process immediately after the installation of new credentials
2405 * due to exec
1da177e4 2406 */
a6f76f23 2407static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
1da177e4 2408{
a6f76f23 2409 const struct task_security_struct *tsec = current_security();
1da177e4 2410 struct itimerval itimer;
a6f76f23 2411 u32 osid, sid;
1da177e4
LT		 2412 int rc, i;
2413
a6f76f23
DH		 2414 osid = tsec->osid;
2415 sid = tsec->sid;
2416
2417 if (sid == osid)
1da177e4
LT		 2418 return;
2419
a6f76f23
DH		 2420 /* Check whether the new SID can inherit signal state from the old SID.
2421 * If not, clear itimers to avoid subsequent signal generation and
2422 * flush and unblock signals.
2423 *
2424 * This must occur _after_ the task SID has been updated so that any
2425 * kill done after the flush will be checked against the new SID.
2426 */
2427 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
1da177e4
LT		 2428 if (rc) {
2429 memset(&itimer, 0, sizeof itimer);
2430 for (i = 0; i < 3; i++)
2431 do_setitimer(i, &itimer, NULL);
1da177e4 2432 spin_lock_irq(&current->sighand->siglock);
9e7c8f8c
ON		 2433 if (!fatal_signal_pending(current)) {
2434 flush_sigqueue(&current->pending);
2435 flush_sigqueue(&current->signal->shared_pending);
3bcac026
DH		 2436 flush_signal_handlers(current, 1);
2437 sigemptyset(&current->blocked);
9e7c8f8c 2438 recalc_sigpending();
3bcac026 2439 }
1da177e4
LT		 2440 spin_unlock_irq(&current->sighand->siglock);
2441 }
2442
a6f76f23
DH		 2443 /* Wake up the parent if it is waiting so that it can recheck
2444 * wait permission to the new task SID. */
ecd6de3c 2445 read_lock(&tasklist_lock);
0b7570e7 2446 __wake_up_parent(current, current->real_parent);
ecd6de3c 2447 read_unlock(&tasklist_lock);
1da177e4
LT		 2448}
2449
2450/* superblock security operations */
2451
2452static int selinux_sb_alloc_security(struct super_block *sb)
2453{
2454 return superblock_alloc_security(sb);
2455}
2456
2457static void selinux_sb_free_security(struct super_block *sb)
2458{
2459 superblock_free_security(sb);
2460}
2461
2462static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2463{
2464 if (plen > olen)
2465 return 0;
2466
2467 return !memcmp(prefix, option, plen);
2468}
2469
2470static inline int selinux_option(char *option, int len)
2471{
832cbd9a
EP		 2472 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2473 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2474 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
11689d47
DQ		 2475 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2476 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
1da177e4
LT		 2477}
2478
2479static inline void take_option(char **to, char *from, int *first, int len)
2480{
2481 if (!*first) {
2482 **to = ',';
2483 *to += 1;
3528a953 2484 } else
1da177e4
LT		 2485 *first = 0;
2486 memcpy(*to, from, len);
2487 *to += len;
2488}
2489
828dfe1d
EP		 2490static inline void take_selinux_option(char **to, char *from, int *first,
2491 int len)
3528a953
CO		 2492{
2493 int current_size = 0;
2494
2495 if (!*first) {
2496 **to = '|';
2497 *to += 1;
828dfe1d 2498 } else
3528a953
CO		 2499 *first = 0;
2500
2501 while (current_size < len) {
2502 if (*from != '"') {
2503 **to = *from;
2504 *to += 1;
2505 }
2506 from += 1;
2507 current_size += 1;
2508 }
2509}
2510
e0007529 2511static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2512{
2513 int fnosec, fsec, rc = 0;
2514 char *in_save, *in_curr, *in_end;
2515 char *sec_curr, *nosec_save, *nosec;
3528a953 2516 int open_quote = 0;
1da177e4
LT		 2517
2518 in_curr = orig;
2519 sec_curr = copy;
2520
1da177e4
LT		 2521 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2522 if (!nosec) {
2523 rc = -ENOMEM;
2524 goto out;
2525 }
2526
2527 nosec_save = nosec;
2528 fnosec = fsec = 1;
2529 in_save = in_end = orig;
2530
2531 do {
3528a953
CO		 2532 if (*in_end == '"')
2533 open_quote = !open_quote;
2534 if ((*in_end == ',' && open_quote == 0) ||
2535 *in_end == '\0') {
1da177e4
LT		 2536 int len = in_end - in_curr;
2537
2538 if (selinux_option(in_curr, len))
3528a953 2539 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2540 else
2541 take_option(&nosec, in_curr, &fnosec, len);
2542
2543 in_curr = in_end + 1;
2544 }
2545 } while (*in_end++);
2546
6931dfc9 2547 strcpy(in_save, nosec_save);
da3caa20 2548 free_page((unsigned long)nosec_save);
1da177e4
LT		 2549out:
2550 return rc;
2551}
2552
026eb167
EP		 2553static int selinux_sb_remount(struct super_block *sb, void *data)
2554{
2555 int rc, i, *flags;
2556 struct security_mnt_opts opts;
2557 char *secdata, **mount_options;
2558 struct superblock_security_struct *sbsec = sb->s_security;
2559
2560 if (!(sbsec->flags & SE_SBINITIALIZED))
2561 return 0;
2562
2563 if (!data)
2564 return 0;
2565
2566 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2567 return 0;
2568
2569 security_init_mnt_opts(&opts);
2570 secdata = alloc_secdata();
2571 if (!secdata)
2572 return -ENOMEM;
2573 rc = selinux_sb_copy_data(data, secdata);
2574 if (rc)
2575 goto out_free_secdata;
2576
2577 rc = selinux_parse_opts_str(secdata, &opts);
2578 if (rc)
2579 goto out_free_secdata;
2580
2581 mount_options = opts.mnt_opts;
2582 flags = opts.mnt_opts_flags;
2583
2584 for (i = 0; i < opts.num_mnt_opts; i++) {
2585 u32 sid;
2586 size_t len;
2587
12f348b9 2588 if (flags[i] == SBLABEL_MNT)
026eb167
EP		 2589 continue;
2590 len = strlen(mount_options[i]);
52a4c640
NA		 2591 rc = security_context_to_sid(mount_options[i], len, &sid,
2592 GFP_KERNEL);
026eb167
EP		 2593 if (rc) {
2594 printk(KERN_WARNING "SELinux: security_context_to_sid"
29b1deb2
LT		 2595 "(%s) failed for (dev %s, type %s) errno=%d\n",
2596 mount_options[i], sb->s_id, sb->s_type->name, rc);
026eb167
EP		 2597 goto out_free_opts;
2598 }
2599 rc = -EINVAL;
2600 switch (flags[i]) {
2601 case FSCONTEXT_MNT:
2602 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2603 goto out_bad_option;
2604 break;
2605 case CONTEXT_MNT:
2606 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2607 goto out_bad_option;
2608 break;
2609 case ROOTCONTEXT_MNT: {
2610 struct inode_security_struct *root_isec;
c6f493d6 2611 root_isec = d_backing_inode(sb->s_root)->i_security;
026eb167
EP		 2612
2613 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2614 goto out_bad_option;
2615 break;
2616 }
2617 case DEFCONTEXT_MNT:
2618 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2619 goto out_bad_option;
2620 break;
2621 default:
2622 goto out_free_opts;
2623 }
2624 }
2625
2626 rc = 0;
2627out_free_opts:
2628 security_free_mnt_opts(&opts);
2629out_free_secdata:
2630 free_secdata(secdata);
2631 return rc;
2632out_bad_option:
2633 printk(KERN_WARNING "SELinux: unable to change security options "
29b1deb2
LT		 2634 "during remount (dev %s, type=%s)\n", sb->s_id,
2635 sb->s_type->name);
026eb167
EP		 2636 goto out_free_opts;
2637}
2638
12204e24 2639static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
1da177e4 2640{
88e67f3b 2641 const struct cred *cred = current_cred();
2bf49690 2642 struct common_audit_data ad;
1da177e4
LT		 2643 int rc;
2644
2645 rc = superblock_doinit(sb, data);
2646 if (rc)
2647 return rc;
2648
74192246
JM		 2649 /* Allow all mounts performed by the kernel */
2650 if (flags & MS_KERNMOUNT)
2651 return 0;
2652
50c205f5 2653 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2654 ad.u.dentry = sb->s_root;
88e67f3b 2655 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
1da177e4
LT		 2656}
2657
726c3342 2658static int selinux_sb_statfs(struct dentry *dentry)
1da177e4 2659{
88e67f3b 2660 const struct cred *cred = current_cred();
2bf49690 2661 struct common_audit_data ad;
1da177e4 2662
50c205f5 2663 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2664 ad.u.dentry = dentry->d_sb->s_root;
88e67f3b 2665 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2666}
2667
808d4e3c 2668static int selinux_mount(const char *dev_name,
b5266eb4 2669 struct path *path,
808d4e3c 2670 const char *type,
828dfe1d
EP		 2671 unsigned long flags,
2672 void *data)
1da177e4 2673{
88e67f3b 2674 const struct cred *cred = current_cred();
1da177e4
LT		 2675
2676 if (flags & MS_REMOUNT)
d8c9584e 2677 return superblock_has_perm(cred, path->dentry->d_sb,
828dfe1d 2678 FILESYSTEM__REMOUNT, NULL);
1da177e4 2679 else
2875fa00 2680 return path_has_perm(cred, path, FILE__MOUNTON);
1da177e4
LT		 2681}
2682
2683static int selinux_umount(struct vfsmount *mnt, int flags)
2684{
88e67f3b 2685 const struct cred *cred = current_cred();
1da177e4 2686
88e67f3b 2687 return superblock_has_perm(cred, mnt->mnt_sb,
828dfe1d 2688 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2689}
2690
2691/* inode security operations */
2692
2693static int selinux_inode_alloc_security(struct inode *inode)
2694{
2695 return inode_alloc_security(inode);
2696}
2697
2698static void selinux_inode_free_security(struct inode *inode)
2699{
2700 inode_free_security(inode);
2701}
2702
d47be3df
DQ		 2703static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2704 struct qstr *name, void **ctx,
2705 u32 *ctxlen)
2706{
2707 const struct cred *cred = current_cred();
2708 struct task_security_struct *tsec;
2709 struct inode_security_struct *dsec;
2710 struct superblock_security_struct *sbsec;
c6f493d6 2711 struct inode *dir = d_backing_inode(dentry->d_parent);
d47be3df
DQ		 2712 u32 newsid;
2713 int rc;
2714
2715 tsec = cred->security;
2716 dsec = dir->i_security;
2717 sbsec = dir->i_sb->s_security;
2718
2719 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2720 newsid = tsec->create_sid;
2721 } else {
2722 rc = security_transition_sid(tsec->sid, dsec->sid,
2723 inode_mode_to_security_class(mode),
2724 name,
2725 &newsid);
2726 if (rc) {
2727 printk(KERN_WARNING
2728 "%s: security_transition_sid failed, rc=%d\n",
2729 __func__, -rc);
2730 return rc;
2731 }
2732 }
2733
2734 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2735}
2736
5e41ff9e 2737static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
9548906b
TH		 2738 const struct qstr *qstr,
2739 const char **name,
2a7dba39 2740 void **value, size_t *len)
5e41ff9e 2741{
5fb49870 2742 const struct task_security_struct *tsec = current_security();
5e41ff9e
SS		 2743 struct inode_security_struct *dsec;
2744 struct superblock_security_struct *sbsec;
275bb41e 2745 u32 sid, newsid, clen;
5e41ff9e 2746 int rc;
9548906b 2747 char *context;
5e41ff9e 2748
5e41ff9e
SS		 2749 dsec = dir->i_security;
2750 sbsec = dir->i_sb->s_security;
5e41ff9e 2751
275bb41e
DH		 2752 sid = tsec->sid;
2753 newsid = tsec->create_sid;
2754
415103f9
EP		 2755 if ((sbsec->flags & SE_SBINITIALIZED) &&
2756 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2757 newsid = sbsec->mntpoint_sid;
12f348b9 2758 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
275bb41e 2759 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e 2760 inode_mode_to_security_class(inode->i_mode),
652bb9b0 2761 qstr, &newsid);
5e41ff9e
SS		 2762 if (rc) {
2763 printk(KERN_WARNING "%s: "
2764 "security_transition_sid failed, rc=%d (dev=%s "
2765 "ino=%ld)\n",
dd6f953a 2766 __func__,
5e41ff9e
SS		 2767 -rc, inode->i_sb->s_id, inode->i_ino);
2768 return rc;
2769 }
2770 }
2771
296fddf7 2772 /* Possibly defer initialization to selinux_complete_init. */
0d90a7ec 2773 if (sbsec->flags & SE_SBINITIALIZED) {
296fddf7
EP		 2774 struct inode_security_struct *isec = inode->i_security;
2775 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2776 isec->sid = newsid;
2777 isec->initialized = 1;
2778 }
5e41ff9e 2779
12f348b9 2780 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
25a74f3b
SS		 2781 return -EOPNOTSUPP;
2782
9548906b
TH		 2783 if (name)
2784 *name = XATTR_SELINUX_SUFFIX;
5e41ff9e 2785
570bc1c2 2786 if (value && len) {
12b29f34 2787 rc = security_sid_to_context_force(newsid, &context, &clen);
9548906b 2788 if (rc)
570bc1c2 2789 return rc;
570bc1c2
SS		 2790 *value = context;
2791 *len = clen;
5e41ff9e 2792 }
5e41ff9e 2793
5e41ff9e
SS		 2794 return 0;
2795}
2796
4acdaf27 2797static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
1da177e4
LT		 2798{
2799 return may_create(dir, dentry, SECCLASS_FILE);
2800}
2801
1da177e4
LT		 2802static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2803{
1da177e4
LT		 2804 return may_link(dir, old_dentry, MAY_LINK);
2805}
2806
1da177e4
LT		 2807static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2808{
1da177e4
LT		 2809 return may_link(dir, dentry, MAY_UNLINK);
2810}
2811
2812static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2813{
2814 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2815}
2816
18bb1db3 2817static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
1da177e4
LT		 2818{
2819 return may_create(dir, dentry, SECCLASS_DIR);
2820}
2821
1da177e4
LT		 2822static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2823{
2824 return may_link(dir, dentry, MAY_RMDIR);
2825}
2826
1a67aafb 2827static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1da177e4 2828{
1da177e4
LT		 2829 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2830}
2831
1da177e4 2832static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2833 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2834{
2835 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2836}
2837
1da177e4
LT		 2838static int selinux_inode_readlink(struct dentry *dentry)
2839{
88e67f3b
DH		 2840 const struct cred *cred = current_cred();
2841
2875fa00 2842 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2843}
2844
2845static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2846{
88e67f3b 2847 const struct cred *cred = current_cred();
1da177e4 2848
2875fa00 2849 return dentry_has_perm(cred, dentry, FILE__READ);
1da177e4
LT		 2850}
2851
d4cf970d
EP		 2852static noinline int audit_inode_permission(struct inode *inode,
2853 u32 perms, u32 audited, u32 denied,
626b9740 2854 int result,
d4cf970d 2855 unsigned flags)
1da177e4 2856{
b782e0a6 2857 struct common_audit_data ad;
d4cf970d
EP		 2858 struct inode_security_struct *isec = inode->i_security;
2859 int rc;
2860
50c205f5 2861 ad.type = LSM_AUDIT_DATA_INODE;
d4cf970d
EP		 2862 ad.u.inode = inode;
2863
2864 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
626b9740 2865 audited, denied, result, &ad, flags);
d4cf970d
EP		 2866 if (rc)
2867 return rc;
2868 return 0;
2869}
2870
e74f71eb 2871static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4 2872{
88e67f3b 2873 const struct cred *cred = current_cred();
b782e0a6
EP		 2874 u32 perms;
2875 bool from_access;
cf1dd1da 2876 unsigned flags = mask & MAY_NOT_BLOCK;
2e334057
EP		 2877 struct inode_security_struct *isec;
2878 u32 sid;
2879 struct av_decision avd;
2880 int rc, rc2;
2881 u32 audited, denied;
1da177e4 2882
b782e0a6 2883 from_access = mask & MAY_ACCESS;
d09ca739
EP		 2884 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2885
b782e0a6
EP		 2886 /* No permission to check. Existence test. */
2887 if (!mask)
1da177e4 2888 return 0;
1da177e4 2889
2e334057 2890 validate_creds(cred);
b782e0a6 2891
2e334057
EP		 2892 if (unlikely(IS_PRIVATE(inode)))
2893 return 0;
b782e0a6
EP		 2894
2895 perms = file_mask_to_av(inode->i_mode, mask);
2896
2e334057
EP		 2897 sid = cred_sid(cred);
2898 isec = inode->i_security;
2899
2900 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2901 audited = avc_audit_required(perms, &avd, rc,
2902 from_access ? FILE__AUDIT_ACCESS : 0,
2903 &denied);
2904 if (likely(!audited))
2905 return rc;
2906
626b9740 2907 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2e334057
EP		 2908 if (rc2)
2909 return rc2;
2910 return rc;
1da177e4
LT		 2911}
2912
2913static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2914{
88e67f3b 2915 const struct cred *cred = current_cred();
bc6a6008 2916 unsigned int ia_valid = iattr->ia_valid;
95dbf739 2917 __u32 av = FILE__WRITE;
1da177e4 2918
bc6a6008
AW		 2919 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2920 if (ia_valid & ATTR_FORCE) {
2921 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2922 ATTR_FORCE);
2923 if (!ia_valid)
2924 return 0;
2925 }
1da177e4 2926
bc6a6008
AW		 2927 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2928 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2875fa00 2929 return dentry_has_perm(cred, dentry, FILE__SETATTR);
1da177e4 2930
3d2195c3 2931 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
95dbf739
EP		 2932 av |= FILE__OPEN;
2933
2934 return dentry_has_perm(cred, dentry, av);
1da177e4
LT		 2935}
2936
3f7036a0 2937static int selinux_inode_getattr(const struct path *path)
1da177e4 2938{
3f7036a0 2939 return path_has_perm(current_cred(), path, FILE__GETATTR);
1da177e4
LT		 2940}
2941
8f0cfa52 2942static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771 2943{
88e67f3b
DH		 2944 const struct cred *cred = current_cred();
2945
b5376771
SH		 2946 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2947 sizeof XATTR_SECURITY_PREFIX - 1)) {
2948 if (!strcmp(name, XATTR_NAME_CAPS)) {
2949 if (!capable(CAP_SETFCAP))
2950 return -EPERM;
2951 } else if (!capable(CAP_SYS_ADMIN)) {
2952 /* A different attribute in the security namespace.
2953 Restrict to administrator. */
2954 return -EPERM;
2955 }
2956 }
2957
2958 /* Not an attribute we recognize, so just check the
2959 ordinary setattr permission. */
2875fa00 2960 return dentry_has_perm(cred, dentry, FILE__SETATTR);
b5376771
SH		 2961}
2962
8f0cfa52
DH		 2963static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2964 const void *value, size_t size, int flags)
1da177e4 2965{
c6f493d6 2966 struct inode *inode = d_backing_inode(dentry);
1da177e4
LT		 2967 struct inode_security_struct *isec = inode->i_security;
2968 struct superblock_security_struct *sbsec;
2bf49690 2969 struct common_audit_data ad;
275bb41e 2970 u32 newsid, sid = current_sid();
1da177e4
LT		 2971 int rc = 0;
2972
b5376771
SH		 2973 if (strcmp(name, XATTR_NAME_SELINUX))
2974 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2975
2976 sbsec = inode->i_sb->s_security;
12f348b9 2977 if (!(sbsec->flags & SBLABEL_MNT))
1da177e4
LT		 2978 return -EOPNOTSUPP;
2979
2e149670 2980 if (!inode_owner_or_capable(inode))
1da177e4
LT		 2981 return -EPERM;
2982
50c205f5 2983 ad.type = LSM_AUDIT_DATA_DENTRY;
a269434d 2984 ad.u.dentry = dentry;
1da177e4 2985
275bb41e 2986 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2987 FILE__RELABELFROM, &ad);
2988 if (rc)
2989 return rc;
2990
52a4c640 2991 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
12b29f34 2992 if (rc == -EINVAL) {
d6ea83ec
EP		 2993 if (!capable(CAP_MAC_ADMIN)) {
2994 struct audit_buffer *ab;
2995 size_t audit_size;
2996 const char *str;
2997
2998 /* We strip a nul only if it is at the end, otherwise the
2999 * context contains a nul and we should audit that */
e3fea3f7
AV		 3000 if (value) {
3001 str = value;
3002 if (str[size - 1] == '\0')
3003 audit_size = size - 1;
3004 else
3005 audit_size = size;
3006 } else {
3007 str = "";
3008 audit_size = 0;
3009 }
d6ea83ec
EP		 3010 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3011 audit_log_format(ab, "op=setxattr invalid_context=");
3012 audit_log_n_untrustedstring(ab, value, audit_size);
3013 audit_log_end(ab);
3014
12b29f34 3015 return rc;
d6ea83ec 3016 }
12b29f34
SS		 3017 rc = security_context_to_sid_force(value, size, &newsid);
3018 }
1da177e4
LT		 3019 if (rc)
3020 return rc;
3021
275bb41e 3022 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 3023 FILE__RELABELTO, &ad);
3024 if (rc)
3025 return rc;
3026
275bb41e 3027 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 3028 isec->sclass);
1da177e4
LT		 3029 if (rc)
3030 return rc;
3031
3032 return avc_has_perm(newsid,
3033 sbsec->sid,
3034 SECCLASS_FILESYSTEM,
3035 FILESYSTEM__ASSOCIATE,
3036 &ad);
3037}
3038
8f0cfa52 3039static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 3040 const void *value, size_t size,
8f0cfa52 3041 int flags)
1da177e4 3042{
c6f493d6 3043 struct inode *inode = d_backing_inode(dentry);
1da177e4
LT		 3044 struct inode_security_struct *isec = inode->i_security;
3045 u32 newsid;
3046 int rc;
3047
3048 if (strcmp(name, XATTR_NAME_SELINUX)) {
3049 /* Not an attribute we recognize, so nothing to do. */
3050 return;
3051 }
3052
12b29f34 3053 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 3054 if (rc) {
12b29f34
SS		 3055 printk(KERN_ERR "SELinux: unable to map context to SID"
3056 "for (%s, %lu), rc=%d\n",
3057 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 3058 return;
3059 }
3060
aa9c2669 3061 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3062 isec->sid = newsid;
aa9c2669
DQ		 3063 isec->initialized = 1;
3064
1da177e4
LT		 3065 return;
3066}
3067
8f0cfa52 3068static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 3069{
88e67f3b
DH		 3070 const struct cred *cred = current_cred();
3071
2875fa00 3072 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3073}
3074
828dfe1d 3075static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4 3076{
88e67f3b
DH		 3077 const struct cred *cred = current_cred();
3078
2875fa00 3079 return dentry_has_perm(cred, dentry, FILE__GETATTR);
1da177e4
LT		 3080}
3081
8f0cfa52 3082static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 3083{
b5376771
SH		 3084 if (strcmp(name, XATTR_NAME_SELINUX))
3085 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 3086
3087 /* No one is allowed to remove a SELinux security label.
3088 You can change the label, but all data must be labeled. */
3089 return -EACCES;
3090}
3091
d381d8a9 3092/*
abc69bb6 3093 * Copy the inode security context value to the user.
d381d8a9
JM		 3094 *
3095 * Permission check is handled by selinux_inode_getxattr hook.
3096 */
42492594 3097static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 3098{
42492594
DQ		 3099 u32 size;
3100 int error;
3101 char *context = NULL;
1da177e4 3102 struct inode_security_struct *isec = inode->i_security;
d381d8a9 3103
8c8570fb
DK		 3104 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3105 return -EOPNOTSUPP;
d381d8a9 3106
abc69bb6
SS		 3107 /*
3108 * If the caller has CAP_MAC_ADMIN, then get the raw context
3109 * value even if it is not defined by current policy; otherwise,
3110 * use the in-core value under current policy.
3111 * Use the non-auditing forms of the permission checks since
3112 * getxattr may be called by unprivileged processes commonly
3113 * and lack of permission just means that we fall back to the
3114 * in-core context value, not a denial.
3115 */
b1d9e6b0
CS		 3116 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3117 SECURITY_CAP_NOAUDIT);
3118 if (!error)
3119 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3120 SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 3121 if (!error)
3122 error = security_sid_to_context_force(isec->sid, &context,
3123 &size);
3124 else
3125 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 3126 if (error)
3127 return error;
3128 error = size;
3129 if (alloc) {
3130 *buffer = context;
3131 goto out_nofree;
3132 }
3133 kfree(context);
3134out_nofree:
3135 return error;
1da177e4
LT		 3136}
3137
3138static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 3139 const void *value, size_t size, int flags)
1da177e4
LT		 3140{
3141 struct inode_security_struct *isec = inode->i_security;
3142 u32 newsid;
3143 int rc;
3144
3145 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3146 return -EOPNOTSUPP;
3147
3148 if (!value || !size)
3149 return -EACCES;
3150
52a4c640 3151 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
1da177e4
LT		 3152 if (rc)
3153 return rc;
3154
aa9c2669 3155 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4 3156 isec->sid = newsid;
ddd29ec6 3157 isec->initialized = 1;
1da177e4
LT		 3158 return 0;
3159}
3160
3161static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3162{
3163 const int len = sizeof(XATTR_NAME_SELINUX);
3164 if (buffer && len <= buffer_size)
3165 memcpy(buffer, XATTR_NAME_SELINUX, len);
3166 return len;
3167}
3168
713a04ae
AD		 3169static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3170{
3171 struct inode_security_struct *isec = inode->i_security;
3172 *secid = isec->sid;
3173}
3174
1da177e4
LT		 3175/* file security operations */
3176
788e7dd4 3177static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 3178{
88e67f3b 3179 const struct cred *cred = current_cred();
496ad9aa 3180 struct inode *inode = file_inode(file);
1da177e4 3181
1da177e4
LT		 3182 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3183 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3184 mask |= MAY_APPEND;
3185
389fb800
PM		 3186 return file_has_perm(cred, file,
3187 file_mask_to_av(inode->i_mode, mask));
1da177e4
LT		 3188}
3189
788e7dd4
YN		 3190static int selinux_file_permission(struct file *file, int mask)
3191{
496ad9aa 3192 struct inode *inode = file_inode(file);
20dda18b
SS		 3193 struct file_security_struct *fsec = file->f_security;
3194 struct inode_security_struct *isec = inode->i_security;
3195 u32 sid = current_sid();
3196
389fb800 3197 if (!mask)
788e7dd4
YN		 3198 /* No permission to check. Existence test. */
3199 return 0;
788e7dd4 3200
20dda18b
SS		 3201 if (sid == fsec->sid && fsec->isid == isec->sid &&
3202 fsec->pseqno == avc_policy_seqno())
83d49856 3203 /* No change since file_open check. */
20dda18b
SS		 3204 return 0;
3205
788e7dd4
YN		 3206 return selinux_revalidate_file_permission(file, mask);
3207}
3208
1da177e4
LT		 3209static int selinux_file_alloc_security(struct file *file)
3210{
3211 return file_alloc_security(file);
3212}
3213
3214static void selinux_file_free_security(struct file *file)
3215{
3216 file_free_security(file);
3217}
3218
3219static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3220 unsigned long arg)
3221{
88e67f3b 3222 const struct cred *cred = current_cred();
0b24dcb7 3223 int error = 0;
1da177e4 3224
0b24dcb7
EP		 3225 switch (cmd) {
3226 case FIONREAD:
3227 /* fall through */
3228 case FIBMAP:
3229 /* fall through */
3230 case FIGETBSZ:
3231 /* fall through */
2f99c369 3232 case FS_IOC_GETFLAGS:
0b24dcb7 3233 /* fall through */
2f99c369 3234 case FS_IOC_GETVERSION:
0b24dcb7
EP		 3235 error = file_has_perm(cred, file, FILE__GETATTR);
3236 break;
1da177e4 3237
2f99c369 3238 case FS_IOC_SETFLAGS:
0b24dcb7 3239 /* fall through */
2f99c369 3240 case FS_IOC_SETVERSION:
0b24dcb7
EP		 3241 error = file_has_perm(cred, file, FILE__SETATTR);
3242 break;
3243
3244 /* sys_ioctl() checks */
3245 case FIONBIO:
3246 /* fall through */
3247 case FIOASYNC:
3248 error = file_has_perm(cred, file, 0);
3249 break;
1da177e4 3250
0b24dcb7
EP		 3251 case KDSKBENT:
3252 case KDSKBSENT:
6a9de491
EP		 3253 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3254 SECURITY_CAP_AUDIT);
0b24dcb7
EP		 3255 break;
3256
3257 /* default case assumes that the command will go
3258 * to the file's ioctl() function.
3259 */
3260 default:
3261 error = file_has_perm(cred, file, FILE__IOCTL);
3262 }
3263 return error;
1da177e4
LT		 3264}
3265
fcaaade1
SS		 3266static int default_noexec;
3267
1da177e4
LT		 3268static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3269{
88e67f3b 3270 const struct cred *cred = current_cred();
d84f4f99 3271 int rc = 0;
88e67f3b 3272
fcaaade1 3273 if (default_noexec &&
892e8cac
SS		 3274 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3275 (!shared && (prot & PROT_WRITE)))) {
1da177e4
LT		 3276 /*
3277 * We are making executable an anonymous mapping or a
3278 * private file mapping that will also be writable.
3279 * This has an additional check.
3280 */
d84f4f99 3281 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
1da177e4 3282 if (rc)
d84f4f99 3283 goto error;
1da177e4 3284 }
1da177e4
LT		 3285
3286 if (file) {
3287 /* read access is always possible with a mapping */
3288 u32 av = FILE__READ;
3289
3290 /* write access only matters if the mapping is shared */
3291 if (shared && (prot & PROT_WRITE))
3292 av |= FILE__WRITE;
3293
3294 if (prot & PROT_EXEC)
3295 av |= FILE__EXECUTE;
3296
88e67f3b 3297 return file_has_perm(cred, file, av);
1da177e4 3298 }
d84f4f99
DH		 3299
3300error:
3301 return rc;
1da177e4
LT		 3302}
3303
e5467859 3304static int selinux_mmap_addr(unsigned long addr)
1da177e4 3305{
b1d9e6b0 3306 int rc = 0;
1da177e4 3307
a2551df7 3308 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
98883bfd 3309 u32 sid = current_sid();
ed032189
EP		 3310 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3311 MEMPROTECT__MMAP_ZERO, NULL);
84336d1a
EP		 3312 }
3313
98883bfd 3314 return rc;
e5467859 3315}
1da177e4 3316
e5467859
AV		 3317static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3318 unsigned long prot, unsigned long flags)
3319{
1da177e4
LT		 3320 if (selinux_checkreqprot)
3321 prot = reqprot;
3322
3323 return file_map_prot_check(file, prot,
3324 (flags & MAP_TYPE) == MAP_SHARED);
3325}
3326
3327static int selinux_file_mprotect(struct vm_area_struct *vma,
3328 unsigned long reqprot,
3329 unsigned long prot)
3330{
88e67f3b 3331 const struct cred *cred = current_cred();
1da177e4
LT		 3332
3333 if (selinux_checkreqprot)
3334 prot = reqprot;
3335
fcaaade1
SS		 3336 if (default_noexec &&
3337 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
d541bbee 3338 int rc = 0;
db4c9641
SS		 3339 if (vma->vm_start >= vma->vm_mm->start_brk &&
3340 vma->vm_end <= vma->vm_mm->brk) {
d84f4f99 3341 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
db4c9641
SS		 3342 } else if (!vma->vm_file &&
3343 vma->vm_start <= vma->vm_mm->start_stack &&
3344 vma->vm_end >= vma->vm_mm->start_stack) {
3b11a1de 3345 rc = current_has_perm(current, PROCESS__EXECSTACK);
db4c9641
SS		 3346 } else if (vma->vm_file && vma->anon_vma) {
3347 /*
3348 * We are making executable a file mapping that has
3349 * had some COW done. Since pages might have been
3350 * written, check ability to execute the possibly
3351 * modified content. This typically should only
3352 * occur for text relocations.
3353 */
d84f4f99 3354 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
db4c9641 3355 }