]> Git Repo - linux.git/blame - security/selinux/hooks.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
CRED: Rename is_single_threaded() to is_wq_single_threaded()
[linux.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <[email protected]>
828dfe1d
EP		 7 * Chris Vance, <[email protected]>
8 * Wayne Salamon, <[email protected]>
9 * James Morris <[email protected]>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
2069f457
EP		 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <[email protected]>
13 * Eric Paris <[email protected]>
1da177e4 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 15 * <[email protected]>
effad8df 16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
828dfe1d 17 * Paul Moore <[email protected]>
788e7dd4 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 19 * Yuichi Nakamura <[email protected]>
1da177e4
LT		 20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
828dfe1d 23 * as published by the Free Software Foundation.
1da177e4
LT		 24 */
25
1da177e4
LT		 26#include <linux/init.h>
27#include <linux/kernel.h>
0d094efe 28#include <linux/tracehook.h>
1da177e4
LT		 29#include <linux/errno.h>
30#include <linux/sched.h>
31#include <linux/security.h>
32#include <linux/xattr.h>
33#include <linux/capability.h>
34#include <linux/unistd.h>
35#include <linux/mm.h>
36#include <linux/mman.h>
37#include <linux/slab.h>
38#include <linux/pagemap.h>
39#include <linux/swap.h>
1da177e4
LT		 40#include <linux/spinlock.h>
41#include <linux/syscalls.h>
42#include <linux/file.h>
9f3acc31 43#include <linux/fdtable.h>
1da177e4
LT		 44#include <linux/namei.h>
45#include <linux/mount.h>
1da177e4 46#include <linux/proc_fs.h>
1da177e4
LT		 47#include <linux/netfilter_ipv4.h>
48#include <linux/netfilter_ipv6.h>
49#include <linux/tty.h>
50#include <net/icmp.h>
227b60f5 51#include <net/ip.h> /* for local_port_range[] */
1da177e4 52#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 53#include <net/net_namespace.h>
d621d35e 54#include <net/netlabel.h>
f5269710 55#include <linux/uaccess.h>
1da177e4 56#include <asm/ioctls.h>
d621d35e 57#include <asm/atomic.h>
1da177e4
LT		 58#include <linux/bitops.h>
59#include <linux/interrupt.h>
60#include <linux/netdevice.h> /* for network interface checks */
61#include <linux/netlink.h>
62#include <linux/tcp.h>
63#include <linux/udp.h>
2ee92d46 64#include <linux/dccp.h>
1da177e4
LT		 65#include <linux/quota.h>
66#include <linux/un.h> /* for Unix socket types */
67#include <net/af_unix.h> /* for Unix socket types */
68#include <linux/parser.h>
69#include <linux/nfs_mount.h>
70#include <net/ipv6.h>
71#include <linux/hugetlb.h>
72#include <linux/personality.h>
73#include <linux/sysctl.h>
74#include <linux/audit.h>
6931dfc9 75#include <linux/string.h>
877ce7c1 76#include <linux/selinux.h>
23970741 77#include <linux/mutex.h>
f06febc9 78#include <linux/posix-timers.h>
1da177e4
LT		 79
80#include "avc.h"
81#include "objsec.h"
82#include "netif.h"
224dfbd8 83#include "netnode.h"
3e112172 84#include "netport.h"
d28d1e08 85#include "xfrm.h"
c60475bf 86#include "netlabel.h"
9d57a7f9 87#include "audit.h"
1da177e4
LT		 88
89#define XATTR_SELINUX_SUFFIX "selinux"
90#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
c9180a57
EP		 92#define NUM_SEL_MNT_OPTS 4
93
1da177e4
LT		 94extern unsigned int policydb_loaded_version;
95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 96extern int selinux_compat_net;
20510f2f 97extern struct security_operations *security_ops;
1da177e4 98
d621d35e
PM		 99/* SECMARK reference count */
100atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
1da177e4 102#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 103int selinux_enforcing;
1da177e4
LT		 104
105static int __init enforcing_setup(char *str)
106{
f5269710
EP		 107 unsigned long enforcing;
108 if (!strict_strtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 110 return 1;
111}
112__setup("enforcing=", enforcing_setup);
113#endif
114
115#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118static int __init selinux_enabled_setup(char *str)
119{
f5269710
EP		 120 unsigned long enabled;
121 if (!strict_strtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 123 return 1;
124}
125__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 126#else
127int selinux_enabled = 1;
1da177e4
LT		 128#endif
129
1da177e4 130
6f0f0fd4
JM		 131/*
132 * Minimal support for a secondary security module,
133 * just to allow the use of the capability module.
134 */
828dfe1d 135static struct security_operations *secondary_ops;
1da177e4
LT		 136
137/* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139static LIST_HEAD(superblock_security_head);
140static DEFINE_SPINLOCK(sb_security_lock);
141
e18b890b 142static struct kmem_cache *sel_inode_cache;
7cae7e26 143
d621d35e
PM		 144/**
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146 *
147 * Description:
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
152 *
153 */
154static int selinux_secmark_enabled(void)
155{
156 return (atomic_read(&selinux_secmark_refcount) > 0);
157}
158
1da177e4
LT		 159/* Allocate and free functions for each kind of security blob. */
160
f1752eec 161static int cred_alloc_security(struct cred *cred)
1da177e4
LT		 162{
163 struct task_security_struct *tsec;
164
89d155ef 165 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 166 if (!tsec)
167 return -ENOMEM;
168
0356357c 169 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
f1752eec 170 cred->security = tsec;
1da177e4
LT		 171
172 return 0;
173}
174
275bb41e
DH		 175/*
176 * get the security ID of a task
177 */
178static inline u32 task_sid(const struct task_struct *task)
179{
180 const struct task_security_struct *tsec;
181 u32 sid;
182
183 rcu_read_lock();
184 tsec = __task_cred(task)->security;
185 sid = tsec->sid;
186 rcu_read_unlock();
187 return sid;
188}
189
190/*
191 * get the security ID of the current task
192 */
193static inline u32 current_sid(void)
194{
195 const struct task_security_struct *tsec = current_cred()->security;
196
197 return tsec->sid;
198}
199
1da177e4
LT		 200static int inode_alloc_security(struct inode *inode)
201{
1da177e4 202 struct inode_security_struct *isec;
275bb41e 203 u32 sid = current_sid();
1da177e4 204
a02fe132 205 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 206 if (!isec)
207 return -ENOMEM;
208
23970741 209 mutex_init(&isec->lock);
1da177e4 210 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 211 isec->inode = inode;
212 isec->sid = SECINITSID_UNLABELED;
213 isec->sclass = SECCLASS_FILE;
275bb41e 214 isec->task_sid = sid;
1da177e4
LT		 215 inode->i_security = isec;
216
217 return 0;
218}
219
220static void inode_free_security(struct inode *inode)
221{
222 struct inode_security_struct *isec = inode->i_security;
223 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
224
1da177e4
LT		 225 spin_lock(&sbsec->isec_lock);
226 if (!list_empty(&isec->list))
227 list_del_init(&isec->list);
228 spin_unlock(&sbsec->isec_lock);
229
230 inode->i_security = NULL;
7cae7e26 231 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 232}
233
234static int file_alloc_security(struct file *file)
235{
1da177e4 236 struct file_security_struct *fsec;
275bb41e 237 u32 sid = current_sid();
1da177e4 238
26d2a4be 239 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 240 if (!fsec)
241 return -ENOMEM;
242
275bb41e
DH		 243 fsec->sid = sid;
244 fsec->fown_sid = sid;
1da177e4
LT		 245 file->f_security = fsec;
246
247 return 0;
248}
249
250static void file_free_security(struct file *file)
251{
252 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 253 file->f_security = NULL;
254 kfree(fsec);
255}
256
257static int superblock_alloc_security(struct super_block *sb)
258{
259 struct superblock_security_struct *sbsec;
260
89d155ef 261 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 262 if (!sbsec)
263 return -ENOMEM;
264
bc7e982b 265 mutex_init(&sbsec->lock);
1da177e4
LT		 266 INIT_LIST_HEAD(&sbsec->list);
267 INIT_LIST_HEAD(&sbsec->isec_head);
268 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 269 sbsec->sb = sb;
270 sbsec->sid = SECINITSID_UNLABELED;
271 sbsec->def_sid = SECINITSID_FILE;
c312feb2 272 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 273 sb->s_security = sbsec;
274
275 return 0;
276}
277
278static void superblock_free_security(struct super_block *sb)
279{
280 struct superblock_security_struct *sbsec = sb->s_security;
281
1da177e4
LT		 282 spin_lock(&sb_security_lock);
283 if (!list_empty(&sbsec->list))
284 list_del_init(&sbsec->list);
285 spin_unlock(&sb_security_lock);
286
287 sb->s_security = NULL;
288 kfree(sbsec);
289}
290
7d877f3b 291static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 292{
293 struct sk_security_struct *ssec;
294
89d155ef 295 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 296 if (!ssec)
297 return -ENOMEM;
298
1da177e4 299 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 300 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 301 sk->sk_security = ssec;
302
f74af6e8 303 selinux_netlbl_sk_security_reset(ssec, family);
99f59ed0 304
1da177e4
LT		 305 return 0;
306}
307
308static void sk_free_security(struct sock *sk)
309{
310 struct sk_security_struct *ssec = sk->sk_security;
311
1da177e4 312 sk->sk_security = NULL;
6c5b3fc0 313 selinux_netlbl_sk_security_free(ssec);
1da177e4
LT		 314 kfree(ssec);
315}
1da177e4
LT		 316
317/* The security server must be initialized before
318 any labeling or access decisions can be provided. */
319extern int ss_initialized;
320
321/* The file system's label must be initialized prior to use. */
322
323static char *labeling_behaviors[6] = {
324 "uses xattr",
325 "uses transition SIDs",
326 "uses task SIDs",
327 "uses genfs_contexts",
328 "not configured for labeling",
329 "uses mountpoint labeling",
330};
331
332static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
333
334static inline int inode_doinit(struct inode *inode)
335{
336 return inode_doinit_with_dentry(inode, NULL);
337}
338
339enum {
31e87930 340 Opt_error = -1,
1da177e4
LT		 341 Opt_context = 1,
342 Opt_fscontext = 2,
c9180a57
EP		 343 Opt_defcontext = 3,
344 Opt_rootcontext = 4,
1da177e4
LT		 345};
346
a447c093 347static const match_table_t tokens = {
832cbd9a
EP		 348 {Opt_context, CONTEXT_STR "%s"},
349 {Opt_fscontext, FSCONTEXT_STR "%s"},
350 {Opt_defcontext, DEFCONTEXT_STR "%s"},
351 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
31e87930 352 {Opt_error, NULL},
1da177e4
LT		 353};
354
355#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
356
c312feb2
EP		 357static int may_context_mount_sb_relabel(u32 sid,
358 struct superblock_security_struct *sbsec,
275bb41e 359 const struct cred *cred)
c312feb2 360{
275bb41e 361 const struct task_security_struct *tsec = cred->security;
c312feb2
EP		 362 int rc;
363
364 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
365 FILESYSTEM__RELABELFROM, NULL);
366 if (rc)
367 return rc;
368
369 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
370 FILESYSTEM__RELABELTO, NULL);
371 return rc;
372}
373
0808925e
EP		 374static int may_context_mount_inode_relabel(u32 sid,
375 struct superblock_security_struct *sbsec,
275bb41e 376 const struct cred *cred)
0808925e 377{
275bb41e 378 const struct task_security_struct *tsec = cred->security;
0808925e
EP		 379 int rc;
380 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
381 FILESYSTEM__RELABELFROM, NULL);
382 if (rc)
383 return rc;
384
385 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
386 FILESYSTEM__ASSOCIATE, NULL);
387 return rc;
388}
389
c9180a57 390static int sb_finish_set_opts(struct super_block *sb)
1da177e4 391{
1da177e4 392 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 393 struct dentry *root = sb->s_root;
394 struct inode *root_inode = root->d_inode;
395 int rc = 0;
1da177e4 396
c9180a57
EP		 397 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
398 /* Make sure that the xattr handler exists and that no
399 error other than -ENODATA is returned by getxattr on
400 the root directory. -ENODATA is ok, as this may be
401 the first boot of the SELinux kernel before we have
402 assigned xattr values to the filesystem. */
403 if (!root_inode->i_op->getxattr) {
404 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
405 "xattr support\n", sb->s_id, sb->s_type->name);
406 rc = -EOPNOTSUPP;
407 goto out;
408 }
409 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
410 if (rc < 0 && rc != -ENODATA) {
411 if (rc == -EOPNOTSUPP)
412 printk(KERN_WARNING "SELinux: (dev %s, type "
413 "%s) has no security xattr handler\n",
414 sb->s_id, sb->s_type->name);
415 else
416 printk(KERN_WARNING "SELinux: (dev %s, type "
417 "%s) getxattr errno %d\n", sb->s_id,
418 sb->s_type->name, -rc);
419 goto out;
420 }
421 }
1da177e4 422
c9180a57 423 sbsec->initialized = 1;
1da177e4 424
c9180a57
EP		 425 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
426 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
427 sb->s_id, sb->s_type->name);
428 else
429 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
430 sb->s_id, sb->s_type->name,
431 labeling_behaviors[sbsec->behavior-1]);
1da177e4 432
c9180a57
EP		 433 /* Initialize the root inode. */
434 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 435
c9180a57
EP		 436 /* Initialize any other inodes associated with the superblock, e.g.
437 inodes created prior to initial policy load or inodes created
438 during get_sb by a pseudo filesystem that directly
439 populates itself. */
440 spin_lock(&sbsec->isec_lock);
441next_inode:
442 if (!list_empty(&sbsec->isec_head)) {
443 struct inode_security_struct *isec =
444 list_entry(sbsec->isec_head.next,
445 struct inode_security_struct, list);
446 struct inode *inode = isec->inode;
447 spin_unlock(&sbsec->isec_lock);
448 inode = igrab(inode);
449 if (inode) {
450 if (!IS_PRIVATE(inode))
451 inode_doinit(inode);
452 iput(inode);
453 }
454 spin_lock(&sbsec->isec_lock);
455 list_del_init(&isec->list);
456 goto next_inode;
457 }
458 spin_unlock(&sbsec->isec_lock);
459out:
460 return rc;
461}
1da177e4 462
c9180a57
EP		 463/*
464 * This function should allow an FS to ask what it's mount security
465 * options were so it can use those later for submounts, displaying
466 * mount options, or whatever.
467 */
468static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 469 struct security_mnt_opts *opts)
c9180a57
EP		 470{
471 int rc = 0, i;
472 struct superblock_security_struct *sbsec = sb->s_security;
473 char *context = NULL;
474 u32 len;
475 char tmp;
1da177e4 476
e0007529 477 security_init_mnt_opts(opts);
1da177e4 478
c9180a57
EP		 479 if (!sbsec->initialized)
480 return -EINVAL;
1da177e4 481
c9180a57
EP		 482 if (!ss_initialized)
483 return -EINVAL;
1da177e4 484
c9180a57
EP		 485 /*
486 * if we ever use sbsec flags for anything other than tracking mount
487 * settings this is going to need a mask
488 */
489 tmp = sbsec->flags;
490 /* count the number of mount options for this sb */
491 for (i = 0; i < 8; i++) {
492 if (tmp & 0x01)
e0007529 493 opts->num_mnt_opts++;
c9180a57
EP		 494 tmp >>= 1;
495 }
1da177e4 496
e0007529
EP		 497 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
498 if (!opts->mnt_opts) {
c9180a57
EP		 499 rc = -ENOMEM;
500 goto out_free;
501 }
1da177e4 502
e0007529
EP		 503 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
504 if (!opts->mnt_opts_flags) {
c9180a57
EP		 505 rc = -ENOMEM;
506 goto out_free;
507 }
1da177e4 508
c9180a57
EP		 509 i = 0;
510 if (sbsec->flags & FSCONTEXT_MNT) {
511 rc = security_sid_to_context(sbsec->sid, &context, &len);
512 if (rc)
513 goto out_free;
e0007529
EP		 514 opts->mnt_opts[i] = context;
515 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 516 }
517 if (sbsec->flags & CONTEXT_MNT) {
518 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
519 if (rc)
520 goto out_free;
e0007529
EP		 521 opts->mnt_opts[i] = context;
522 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 523 }
524 if (sbsec->flags & DEFCONTEXT_MNT) {
525 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
526 if (rc)
527 goto out_free;
e0007529
EP		 528 opts->mnt_opts[i] = context;
529 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 530 }
531 if (sbsec->flags & ROOTCONTEXT_MNT) {
532 struct inode *root = sbsec->sb->s_root->d_inode;
533 struct inode_security_struct *isec = root->i_security;
0808925e 534
c9180a57
EP		 535 rc = security_sid_to_context(isec->sid, &context, &len);
536 if (rc)
537 goto out_free;
e0007529
EP		 538 opts->mnt_opts[i] = context;
539 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 540 }
1da177e4 541
e0007529 542 BUG_ON(i != opts->num_mnt_opts);
1da177e4 543
c9180a57
EP		 544 return 0;
545
546out_free:
e0007529 547 security_free_mnt_opts(opts);
c9180a57
EP		 548 return rc;
549}
1da177e4 550
c9180a57
EP		 551static int bad_option(struct superblock_security_struct *sbsec, char flag,
552 u32 old_sid, u32 new_sid)
553{
554 /* check if the old mount command had the same options */
555 if (sbsec->initialized)
556 if (!(sbsec->flags & flag) ||
557 (old_sid != new_sid))
558 return 1;
559
560 /* check if we were passed the same options twice,
561 * aka someone passed context=a,context=b
562 */
563 if (!sbsec->initialized)
564 if (sbsec->flags & flag)
565 return 1;
566 return 0;
567}
e0007529 568
c9180a57
EP		 569/*
570 * Allow filesystems with binary mount data to explicitly set mount point
571 * labeling information.
572 */
e0007529
EP		 573static int selinux_set_mnt_opts(struct super_block *sb,
574 struct security_mnt_opts *opts)
c9180a57 575{
275bb41e 576 const struct cred *cred = current_cred();
c9180a57 577 int rc = 0, i;
c9180a57
EP		 578 struct superblock_security_struct *sbsec = sb->s_security;
579 const char *name = sb->s_type->name;
089be43e
JM		 580 struct inode *inode = sbsec->sb->s_root->d_inode;
581 struct inode_security_struct *root_isec = inode->i_security;
c9180a57
EP		 582 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
583 u32 defcontext_sid = 0;
e0007529
EP		 584 char **mount_options = opts->mnt_opts;
585 int *flags = opts->mnt_opts_flags;
586 int num_opts = opts->num_mnt_opts;
c9180a57
EP		 587
588 mutex_lock(&sbsec->lock);
589
590 if (!ss_initialized) {
591 if (!num_opts) {
592 /* Defer initialization until selinux_complete_init,
593 after the initial policy is loaded and the security
594 server is ready to handle calls. */
595 spin_lock(&sb_security_lock);
596 if (list_empty(&sbsec->list))
597 list_add(&sbsec->list, &superblock_security_head);
598 spin_unlock(&sb_security_lock);
599 goto out;
600 }
601 rc = -EINVAL;
744ba35e
EP		 602 printk(KERN_WARNING "SELinux: Unable to set superblock options "
603 "before the security server is initialized\n");
1da177e4 604 goto out;
c9180a57 605 }
1da177e4 606
e0007529
EP		 607 /*
608 * Binary mount data FS will come through this function twice. Once
609 * from an explicit call and once from the generic calls from the vfs.
610 * Since the generic VFS calls will not contain any security mount data
611 * we need to skip the double mount verification.
612 *
613 * This does open a hole in which we will not notice if the first
614 * mount using this sb set explict options and a second mount using
615 * this sb does not set any security options. (The first options
616 * will be used for both mounts)
617 */
618 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
619 && (num_opts == 0))
f5269710 620 goto out;
e0007529 621
c9180a57
EP		 622 /*
623 * parse the mount options, check if they are valid sids.
624 * also check if someone is trying to mount the same sb more
625 * than once with different security options.
626 */
627 for (i = 0; i < num_opts; i++) {
628 u32 sid;
629 rc = security_context_to_sid(mount_options[i],
630 strlen(mount_options[i]), &sid);
1da177e4
LT		 631 if (rc) {
632 printk(KERN_WARNING "SELinux: security_context_to_sid"
633 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 634 mount_options[i], sb->s_id, name, rc);
635 goto out;
636 }
637 switch (flags[i]) {
638 case FSCONTEXT_MNT:
639 fscontext_sid = sid;
640
641 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
642 fscontext_sid))
643 goto out_double_mount;
644
645 sbsec->flags |= FSCONTEXT_MNT;
646 break;
647 case CONTEXT_MNT:
648 context_sid = sid;
649
650 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
651 context_sid))
652 goto out_double_mount;
653
654 sbsec->flags |= CONTEXT_MNT;
655 break;
656 case ROOTCONTEXT_MNT:
657 rootcontext_sid = sid;
658
659 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
660 rootcontext_sid))
661 goto out_double_mount;
662
663 sbsec->flags |= ROOTCONTEXT_MNT;
664
665 break;
666 case DEFCONTEXT_MNT:
667 defcontext_sid = sid;
668
669 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
670 defcontext_sid))
671 goto out_double_mount;
672
673 sbsec->flags |= DEFCONTEXT_MNT;
674
675 break;
676 default:
677 rc = -EINVAL;
678 goto out;
1da177e4 679 }
c9180a57
EP		 680 }
681
682 if (sbsec->initialized) {
683 /* previously mounted with options, but not on this attempt? */
684 if (sbsec->flags && !num_opts)
685 goto out_double_mount;
686 rc = 0;
687 goto out;
688 }
689
089be43e 690 if (strcmp(sb->s_type->name, "proc") == 0)
c9180a57
EP		 691 sbsec->proc = 1;
692
693 /* Determine the labeling behavior to use for this filesystem type. */
089be43e 694 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
c9180a57
EP		 695 if (rc) {
696 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
089be43e 697 __func__, sb->s_type->name, rc);
c9180a57
EP		 698 goto out;
699 }
1da177e4 700
c9180a57
EP		 701 /* sets the context of the superblock for the fs being mounted. */
702 if (fscontext_sid) {
275bb41e 703 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
1da177e4 704 if (rc)
c9180a57 705 goto out;
1da177e4 706
c9180a57 707 sbsec->sid = fscontext_sid;
c312feb2
EP		 708 }
709
710 /*
711 * Switch to using mount point labeling behavior.
712 * sets the label used on all file below the mountpoint, and will set
713 * the superblock context if not already set.
714 */
c9180a57
EP		 715 if (context_sid) {
716 if (!fscontext_sid) {
275bb41e
DH		 717 rc = may_context_mount_sb_relabel(context_sid, sbsec,
718 cred);
b04ea3ce 719 if (rc)
c9180a57
EP		 720 goto out;
721 sbsec->sid = context_sid;
b04ea3ce 722 } else {
275bb41e
DH		 723 rc = may_context_mount_inode_relabel(context_sid, sbsec,
724 cred);
b04ea3ce 725 if (rc)
c9180a57 726 goto out;
b04ea3ce 727 }
c9180a57
EP		 728 if (!rootcontext_sid)
729 rootcontext_sid = context_sid;
1da177e4 730
c9180a57 731 sbsec->mntpoint_sid = context_sid;
c312feb2 732 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 733 }
734
c9180a57 735 if (rootcontext_sid) {
275bb41e
DH		 736 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
737 cred);
0808925e 738 if (rc)
c9180a57 739 goto out;
0808925e 740
c9180a57
EP		 741 root_isec->sid = rootcontext_sid;
742 root_isec->initialized = 1;
0808925e
EP		 743 }
744
c9180a57
EP		 745 if (defcontext_sid) {
746 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
747 rc = -EINVAL;
748 printk(KERN_WARNING "SELinux: defcontext option is "
749 "invalid for this filesystem type\n");
750 goto out;
1da177e4
LT		 751 }
752
c9180a57
EP		 753 if (defcontext_sid != sbsec->def_sid) {
754 rc = may_context_mount_inode_relabel(defcontext_sid,
275bb41e 755 sbsec, cred);
c9180a57
EP		 756 if (rc)
757 goto out;
758 }
1da177e4 759
c9180a57 760 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 761 }
762
c9180a57 763 rc = sb_finish_set_opts(sb);
1da177e4 764out:
c9180a57 765 mutex_unlock(&sbsec->lock);
1da177e4 766 return rc;
c9180a57
EP		 767out_double_mount:
768 rc = -EINVAL;
769 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
770 "security settings for (dev %s, type %s)\n", sb->s_id, name);
771 goto out;
1da177e4
LT		 772}
773
c9180a57
EP		 774static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
775 struct super_block *newsb)
1da177e4 776{
c9180a57
EP		 777 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
778 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 779
c9180a57
EP		 780 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
781 int set_context = (oldsbsec->flags & CONTEXT_MNT);
782 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 783
0f5e6420
EP		 784 /*
785 * if the parent was able to be mounted it clearly had no special lsm
786 * mount options. thus we can safely put this sb on the list and deal
787 * with it later
788 */
789 if (!ss_initialized) {
790 spin_lock(&sb_security_lock);
791 if (list_empty(&newsbsec->list))
792 list_add(&newsbsec->list, &superblock_security_head);
793 spin_unlock(&sb_security_lock);
794 return;
795 }
c9180a57 796
c9180a57
EP		 797 /* how can we clone if the old one wasn't set up?? */
798 BUG_ON(!oldsbsec->initialized);
799
5a552617
EP		 800 /* if fs is reusing a sb, just let its options stand... */
801 if (newsbsec->initialized)
802 return;
803
c9180a57
EP		 804 mutex_lock(&newsbsec->lock);
805
806 newsbsec->flags = oldsbsec->flags;
807
808 newsbsec->sid = oldsbsec->sid;
809 newsbsec->def_sid = oldsbsec->def_sid;
810 newsbsec->behavior = oldsbsec->behavior;
811
812 if (set_context) {
813 u32 sid = oldsbsec->mntpoint_sid;
814
815 if (!set_fscontext)
816 newsbsec->sid = sid;
817 if (!set_rootcontext) {
818 struct inode *newinode = newsb->s_root->d_inode;
819 struct inode_security_struct *newisec = newinode->i_security;
820 newisec->sid = sid;
821 }
822 newsbsec->mntpoint_sid = sid;
1da177e4 823 }
c9180a57
EP		 824 if (set_rootcontext) {
825 const struct inode *oldinode = oldsb->s_root->d_inode;
826 const struct inode_security_struct *oldisec = oldinode->i_security;
827 struct inode *newinode = newsb->s_root->d_inode;
828 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 829
c9180a57 830 newisec->sid = oldisec->sid;
1da177e4
LT		 831 }
832
c9180a57
EP		 833 sb_finish_set_opts(newsb);
834 mutex_unlock(&newsbsec->lock);
835}
836
2e1479d9
AB		 837static int selinux_parse_opts_str(char *options,
838 struct security_mnt_opts *opts)
c9180a57 839{
e0007529 840 char *p;
c9180a57
EP		 841 char *context = NULL, *defcontext = NULL;
842 char *fscontext = NULL, *rootcontext = NULL;
e0007529 843 int rc, num_mnt_opts = 0;
1da177e4 844
e0007529 845 opts->num_mnt_opts = 0;
1da177e4 846
c9180a57
EP		 847 /* Standard string-based options. */
848 while ((p = strsep(&options, "|")) != NULL) {
849 int token;
850 substring_t args[MAX_OPT_ARGS];
1da177e4 851
c9180a57
EP		 852 if (!*p)
853 continue;
1da177e4 854
c9180a57 855 token = match_token(p, tokens, args);
1da177e4 856
c9180a57
EP		 857 switch (token) {
858 case Opt_context:
859 if (context || defcontext) {
860 rc = -EINVAL;
861 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
862 goto out_err;
863 }
864 context = match_strdup(&args[0]);
865 if (!context) {
866 rc = -ENOMEM;
867 goto out_err;
868 }
869 break;
870
871 case Opt_fscontext:
872 if (fscontext) {
873 rc = -EINVAL;
874 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
875 goto out_err;
876 }
877 fscontext = match_strdup(&args[0]);
878 if (!fscontext) {
879 rc = -ENOMEM;
880 goto out_err;
881 }
882 break;
883
884 case Opt_rootcontext:
885 if (rootcontext) {
886 rc = -EINVAL;
887 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
888 goto out_err;
889 }
890 rootcontext = match_strdup(&args[0]);
891 if (!rootcontext) {
892 rc = -ENOMEM;
893 goto out_err;
894 }
895 break;
896
897 case Opt_defcontext:
898 if (context || defcontext) {
899 rc = -EINVAL;
900 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
901 goto out_err;
902 }
903 defcontext = match_strdup(&args[0]);
904 if (!defcontext) {
905 rc = -ENOMEM;
906 goto out_err;
907 }
908 break;
909
910 default:
911 rc = -EINVAL;
912 printk(KERN_WARNING "SELinux: unknown mount option\n");
913 goto out_err;
1da177e4 914
1da177e4 915 }
1da177e4 916 }
c9180a57 917
e0007529
EP		 918 rc = -ENOMEM;
919 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
920 if (!opts->mnt_opts)
921 goto out_err;
922
923 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
924 if (!opts->mnt_opts_flags) {
925 kfree(opts->mnt_opts);
926 goto out_err;
927 }
928
c9180a57 929 if (fscontext) {
e0007529
EP		 930 opts->mnt_opts[num_mnt_opts] = fscontext;
931 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 932 }
933 if (context) {
e0007529
EP		 934 opts->mnt_opts[num_mnt_opts] = context;
935 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 936 }
937 if (rootcontext) {
e0007529
EP		 938 opts->mnt_opts[num_mnt_opts] = rootcontext;
939 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 940 }
941 if (defcontext) {
e0007529
EP		 942 opts->mnt_opts[num_mnt_opts] = defcontext;
943 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 944 }
945
e0007529
EP		 946 opts->num_mnt_opts = num_mnt_opts;
947 return 0;
948
c9180a57
EP		 949out_err:
950 kfree(context);
951 kfree(defcontext);
952 kfree(fscontext);
953 kfree(rootcontext);
1da177e4
LT		 954 return rc;
955}
e0007529
EP		 956/*
957 * string mount options parsing and call set the sbsec
958 */
959static int superblock_doinit(struct super_block *sb, void *data)
960{
961 int rc = 0;
962 char *options = data;
963 struct security_mnt_opts opts;
964
965 security_init_mnt_opts(&opts);
966
967 if (!data)
968 goto out;
969
970 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
971
972 rc = selinux_parse_opts_str(options, &opts);
973 if (rc)
974 goto out_err;
975
976out:
977 rc = selinux_set_mnt_opts(sb, &opts);
978
979out_err:
980 security_free_mnt_opts(&opts);
981 return rc;
982}
1da177e4 983
3583a711
AB		 984static void selinux_write_opts(struct seq_file *m,
985 struct security_mnt_opts *opts)
2069f457
EP		 986{
987 int i;
988 char *prefix;
989
990 for (i = 0; i < opts->num_mnt_opts; i++) {
991 char *has_comma = strchr(opts->mnt_opts[i], ',');
992
993 switch (opts->mnt_opts_flags[i]) {
994 case CONTEXT_MNT:
995 prefix = CONTEXT_STR;
996 break;
997 case FSCONTEXT_MNT:
998 prefix = FSCONTEXT_STR;
999 break;
1000 case ROOTCONTEXT_MNT:
1001 prefix = ROOTCONTEXT_STR;
1002 break;
1003 case DEFCONTEXT_MNT:
1004 prefix = DEFCONTEXT_STR;
1005 break;
1006 default:
1007 BUG();
1008 };
1009 /* we need a comma before each option */
1010 seq_putc(m, ',');
1011 seq_puts(m, prefix);
1012 if (has_comma)
1013 seq_putc(m, '\"');
1014 seq_puts(m, opts->mnt_opts[i]);
1015 if (has_comma)
1016 seq_putc(m, '\"');
1017 }
1018}
1019
1020static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1021{
1022 struct security_mnt_opts opts;
1023 int rc;
1024
1025 rc = selinux_get_mnt_opts(sb, &opts);
383795c2
EP		 1026 if (rc) {
1027 /* before policy load we may get EINVAL, don't show anything */
1028 if (rc == -EINVAL)
1029 rc = 0;
2069f457 1030 return rc;
383795c2 1031 }
2069f457
EP		 1032
1033 selinux_write_opts(m, &opts);
1034
1035 security_free_mnt_opts(&opts);
1036
1037 return rc;
1038}
1039
1da177e4
LT		 1040static inline u16 inode_mode_to_security_class(umode_t mode)
1041{
1042 switch (mode & S_IFMT) {
1043 case S_IFSOCK:
1044 return SECCLASS_SOCK_FILE;
1045 case S_IFLNK:
1046 return SECCLASS_LNK_FILE;
1047 case S_IFREG:
1048 return SECCLASS_FILE;
1049 case S_IFBLK:
1050 return SECCLASS_BLK_FILE;
1051 case S_IFDIR:
1052 return SECCLASS_DIR;
1053 case S_IFCHR:
1054 return SECCLASS_CHR_FILE;
1055 case S_IFIFO:
1056 return SECCLASS_FIFO_FILE;
1057
1058 }
1059
1060 return SECCLASS_FILE;
1061}
1062
13402580
JM		 1063static inline int default_protocol_stream(int protocol)
1064{
1065 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1066}
1067
1068static inline int default_protocol_dgram(int protocol)
1069{
1070 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1071}
1072
1da177e4
LT		 1073static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1074{
1075 switch (family) {
1076 case PF_UNIX:
1077 switch (type) {
1078 case SOCK_STREAM:
1079 case SOCK_SEQPACKET:
1080 return SECCLASS_UNIX_STREAM_SOCKET;
1081 case SOCK_DGRAM:
1082 return SECCLASS_UNIX_DGRAM_SOCKET;
1083 }
1084 break;
1085 case PF_INET:
1086 case PF_INET6:
1087 switch (type) {
1088 case SOCK_STREAM:
13402580
JM		 1089 if (default_protocol_stream(protocol))
1090 return SECCLASS_TCP_SOCKET;
1091 else
1092 return SECCLASS_RAWIP_SOCKET;
1da177e4 1093 case SOCK_DGRAM:
13402580
JM		 1094 if (default_protocol_dgram(protocol))
1095 return SECCLASS_UDP_SOCKET;
1096 else
1097 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1098 case SOCK_DCCP:
1099 return SECCLASS_DCCP_SOCKET;
13402580 1100 default:
1da177e4
LT		 1101 return SECCLASS_RAWIP_SOCKET;
1102 }
1103 break;
1104 case PF_NETLINK:
1105 switch (protocol) {
1106 case NETLINK_ROUTE:
1107 return SECCLASS_NETLINK_ROUTE_SOCKET;
1108 case NETLINK_FIREWALL:
1109 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1110 case NETLINK_INET_DIAG:
1da177e4
LT		 1111 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1112 case NETLINK_NFLOG:
1113 return SECCLASS_NETLINK_NFLOG_SOCKET;
1114 case NETLINK_XFRM:
1115 return SECCLASS_NETLINK_XFRM_SOCKET;
1116 case NETLINK_SELINUX:
1117 return SECCLASS_NETLINK_SELINUX_SOCKET;
1118 case NETLINK_AUDIT:
1119 return SECCLASS_NETLINK_AUDIT_SOCKET;
1120 case NETLINK_IP6_FW:
1121 return SECCLASS_NETLINK_IP6FW_SOCKET;
1122 case NETLINK_DNRTMSG:
1123 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1124 case NETLINK_KOBJECT_UEVENT:
1125 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1126 default:
1127 return SECCLASS_NETLINK_SOCKET;
1128 }
1129 case PF_PACKET:
1130 return SECCLASS_PACKET_SOCKET;
1131 case PF_KEY:
1132 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1133 case PF_APPLETALK:
1134 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1135 }
1136
1137 return SECCLASS_SOCKET;
1138}
1139
1140#ifdef CONFIG_PROC_FS
1141static int selinux_proc_get_sid(struct proc_dir_entry *de,
1142 u16 tclass,
1143 u32 *sid)
1144{
1145 int buflen, rc;
1146 char *buffer, *path, *end;
1147
828dfe1d 1148 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1149 if (!buffer)
1150 return -ENOMEM;
1151
1152 buflen = PAGE_SIZE;
1153 end = buffer+buflen;
1154 *--end = '\0';
1155 buflen--;
1156 path = end-1;
1157 *path = '/';
1158 while (de && de != de->parent) {
1159 buflen -= de->namelen + 1;
1160 if (buflen < 0)
1161 break;
1162 end -= de->namelen;
1163 memcpy(end, de->name, de->namelen);
1164 *--end = '/';
1165 path = end;
1166 de = de->parent;
1167 }
1168 rc = security_genfs_sid("proc", path, tclass, sid);
1169 free_page((unsigned long)buffer);
1170 return rc;
1171}
1172#else
1173static int selinux_proc_get_sid(struct proc_dir_entry *de,
1174 u16 tclass,
1175 u32 *sid)
1176{
1177 return -EINVAL;
1178}
1179#endif
1180
1181/* The inode's security attributes must be initialized before first use. */
1182static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1183{
1184 struct superblock_security_struct *sbsec = NULL;
1185 struct inode_security_struct *isec = inode->i_security;
1186 u32 sid;
1187 struct dentry *dentry;
1188#define INITCONTEXTLEN 255
1189 char *context = NULL;
1190 unsigned len = 0;
1191 int rc = 0;
1da177e4
LT		 1192
1193 if (isec->initialized)
1194 goto out;
1195
23970741 1196 mutex_lock(&isec->lock);
1da177e4 1197 if (isec->initialized)
23970741 1198 goto out_unlock;
1da177e4
LT		 1199
1200 sbsec = inode->i_sb->s_security;
1201 if (!sbsec->initialized) {
1202 /* Defer initialization until selinux_complete_init,
1203 after the initial policy is loaded and the security
1204 server is ready to handle calls. */
1205 spin_lock(&sbsec->isec_lock);
1206 if (list_empty(&isec->list))
1207 list_add(&isec->list, &sbsec->isec_head);
1208 spin_unlock(&sbsec->isec_lock);
23970741 1209 goto out_unlock;
1da177e4
LT		 1210 }
1211
1212 switch (sbsec->behavior) {
1213 case SECURITY_FS_USE_XATTR:
1214 if (!inode->i_op->getxattr) {
1215 isec->sid = sbsec->def_sid;
1216 break;
1217 }
1218
1219 /* Need a dentry, since the xattr API requires one.
1220 Life would be simpler if we could just pass the inode. */
1221 if (opt_dentry) {
1222 /* Called from d_instantiate or d_splice_alias. */
1223 dentry = dget(opt_dentry);
1224 } else {
1225 /* Called from selinux_complete_init, try to find a dentry. */
1226 dentry = d_find_alias(inode);
1227 }
1228 if (!dentry) {
744ba35e 1229 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
dd6f953a 1230 "ino=%ld\n", __func__, inode->i_sb->s_id,
1da177e4 1231 inode->i_ino);
23970741 1232 goto out_unlock;
1da177e4
LT		 1233 }
1234
1235 len = INITCONTEXTLEN;
869ab514 1236 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1237 if (!context) {
1238 rc = -ENOMEM;
1239 dput(dentry);
23970741 1240 goto out_unlock;
1da177e4
LT		 1241 }
1242 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1243 context, len);
1244 if (rc == -ERANGE) {
1245 /* Need a larger buffer. Query for the right size. */
1246 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1247 NULL, 0);
1248 if (rc < 0) {
1249 dput(dentry);
23970741 1250 goto out_unlock;
1da177e4
LT		 1251 }
1252 kfree(context);
1253 len = rc;
869ab514 1254 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1255 if (!context) {
1256 rc = -ENOMEM;
1257 dput(dentry);
23970741 1258 goto out_unlock;
1da177e4
LT		 1259 }
1260 rc = inode->i_op->getxattr(dentry,
1261 XATTR_NAME_SELINUX,
1262 context, len);
1263 }
1264 dput(dentry);
1265 if (rc < 0) {
1266 if (rc != -ENODATA) {
744ba35e 1267 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1268 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1269 -rc, inode->i_sb->s_id, inode->i_ino);
1270 kfree(context);
23970741 1271 goto out_unlock;
1da177e4
LT		 1272 }
1273 /* Map ENODATA to the default file SID */
1274 sid = sbsec->def_sid;
1275 rc = 0;
1276 } else {
f5c1d5b2 1277 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1278 sbsec->def_sid,
1279 GFP_NOFS);
1da177e4 1280 if (rc) {
744ba35e 1281 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1da177e4 1282 "returned %d for dev=%s ino=%ld\n",
dd6f953a 1283 __func__, context, -rc,
1da177e4
LT		 1284 inode->i_sb->s_id, inode->i_ino);
1285 kfree(context);
1286 /* Leave with the unlabeled SID */
1287 rc = 0;
1288 break;
1289 }
1290 }
1291 kfree(context);
1292 isec->sid = sid;
1293 break;
1294 case SECURITY_FS_USE_TASK:
1295 isec->sid = isec->task_sid;
1296 break;
1297 case SECURITY_FS_USE_TRANS:
1298 /* Default to the fs SID. */
1299 isec->sid = sbsec->sid;
1300
1301 /* Try to obtain a transition SID. */
1302 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1303 rc = security_transition_sid(isec->task_sid,
1304 sbsec->sid,
1305 isec->sclass,
1306 &sid);
1307 if (rc)
23970741 1308 goto out_unlock;
1da177e4
LT		 1309 isec->sid = sid;
1310 break;
c312feb2
EP		 1311 case SECURITY_FS_USE_MNTPOINT:
1312 isec->sid = sbsec->mntpoint_sid;
1313 break;
1da177e4 1314 default:
c312feb2 1315 /* Default to the fs superblock SID. */
1da177e4
LT		 1316 isec->sid = sbsec->sid;
1317
ea6b184f 1318 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1da177e4
LT		 1319 struct proc_inode *proci = PROC_I(inode);
1320 if (proci->pde) {
1321 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1322 rc = selinux_proc_get_sid(proci->pde,
1323 isec->sclass,
1324 &sid);
1325 if (rc)
23970741 1326 goto out_unlock;
1da177e4
LT		 1327 isec->sid = sid;
1328 }
1329 }
1330 break;
1331 }
1332
1333 isec->initialized = 1;
1334
23970741
EP		 1335out_unlock:
1336 mutex_unlock(&isec->lock);
1da177e4
LT		 1337out:
1338 if (isec->sclass == SECCLASS_FILE)
1339 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1340 return rc;
1341}
1342
1343/* Convert a Linux signal to an access vector. */
1344static inline u32 signal_to_av(int sig)
1345{
1346 u32 perm = 0;
1347
1348 switch (sig) {
1349 case SIGCHLD:
1350 /* Commonly granted from child to parent. */
1351 perm = PROCESS__SIGCHLD;
1352 break;
1353 case SIGKILL:
1354 /* Cannot be caught or ignored */
1355 perm = PROCESS__SIGKILL;
1356 break;
1357 case SIGSTOP:
1358 /* Cannot be caught or ignored */
1359 perm = PROCESS__SIGSTOP;
1360 break;
1361 default:
1362 /* All other signals. */
1363 perm = PROCESS__SIGNAL;
1364 break;
1365 }
1366
1367 return perm;
1368}
1369
275bb41e
DH		 1370/*
1371 * Check permission betweeen a pair of tasks, e.g. signal checks,
1372 * fork check, ptrace check, etc.
1373 * tsk1 is the actor and tsk2 is the target
1374 */
1375static int task_has_perm(const struct task_struct *tsk1,
1376 const struct task_struct *tsk2,
1da177e4
LT		 1377 u32 perms)
1378{
275bb41e
DH		 1379 const struct task_security_struct *__tsec1, *__tsec2;
1380 u32 sid1, sid2;
1da177e4 1381
275bb41e
DH		 1382 rcu_read_lock();
1383 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1384 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1385 rcu_read_unlock();
1386 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1da177e4
LT		 1387}
1388
b68e418c
SS		 1389#if CAP_LAST_CAP > 63
1390#error Fix SELinux to handle capabilities > 63.
1391#endif
1392
1da177e4
LT		 1393/* Check whether a task is allowed to use a capability. */
1394static int task_has_capability(struct task_struct *tsk,
06112163 1395 int cap, int audit)
1da177e4 1396{
1da177e4 1397 struct avc_audit_data ad;
06112163 1398 struct av_decision avd;
b68e418c 1399 u16 sclass;
275bb41e 1400 u32 sid = task_sid(tsk);
b68e418c 1401 u32 av = CAP_TO_MASK(cap);
06112163 1402 int rc;
1da177e4 1403
828dfe1d 1404 AVC_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1405 ad.tsk = tsk;
1406 ad.u.cap = cap;
1407
b68e418c
SS		 1408 switch (CAP_TO_INDEX(cap)) {
1409 case 0:
1410 sclass = SECCLASS_CAPABILITY;
1411 break;
1412 case 1:
1413 sclass = SECCLASS_CAPABILITY2;
1414 break;
1415 default:
1416 printk(KERN_ERR
1417 "SELinux: out of range capability %d\n", cap);
1418 BUG();
1419 }
06112163 1420
275bb41e 1421 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
06112163 1422 if (audit == SECURITY_CAP_AUDIT)
275bb41e 1423 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
06112163 1424 return rc;
1da177e4
LT		 1425}
1426
1427/* Check whether a task is allowed to use a system operation. */
1428static int task_has_system(struct task_struct *tsk,
1429 u32 perms)
1430{
275bb41e 1431 u32 sid = task_sid(tsk);
1da177e4 1432
275bb41e 1433 return avc_has_perm(sid, SECINITSID_KERNEL,
1da177e4
LT		 1434 SECCLASS_SYSTEM, perms, NULL);
1435}
1436
1437/* Check whether a task has a particular permission to an inode.
1438 The 'adp' parameter is optional and allows other audit
1439 data to be passed (e.g. the dentry). */
1440static int inode_has_perm(struct task_struct *tsk,
1441 struct inode *inode,
1442 u32 perms,
1443 struct avc_audit_data *adp)
1444{
1da177e4
LT		 1445 struct inode_security_struct *isec;
1446 struct avc_audit_data ad;
275bb41e 1447 u32 sid;
1da177e4 1448
828dfe1d 1449 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1450 return 0;
1451
275bb41e 1452 sid = task_sid(tsk);
1da177e4
LT		 1453 isec = inode->i_security;
1454
1455 if (!adp) {
1456 adp = &ad;
1457 AVC_AUDIT_DATA_INIT(&ad, FS);
1458 ad.u.fs.inode = inode;
1459 }
1460
275bb41e 1461 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1da177e4
LT		 1462}
1463
1464/* Same as inode_has_perm, but pass explicit audit data containing
1465 the dentry to help the auditing code to more easily generate the
1466 pathname if needed. */
1467static inline int dentry_has_perm(struct task_struct *tsk,
1468 struct vfsmount *mnt,
1469 struct dentry *dentry,
1470 u32 av)
1471{
1472 struct inode *inode = dentry->d_inode;
1473 struct avc_audit_data ad;
828dfe1d 1474 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1475 ad.u.fs.path.mnt = mnt;
1476 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1477 return inode_has_perm(tsk, inode, av, &ad);
1478}
1479
1480/* Check whether a task can use an open file descriptor to
1481 access an inode in a given way. Check access to the
1482 descriptor itself, and then use dentry_has_perm to
1483 check a particular permission to the file.
1484 Access to the descriptor is implicitly granted if it
1485 has the same SID as the process. If av is zero, then
1486 access to the file is not checked, e.g. for cases
1487 where only the descriptor is affected like seek. */
858119e1 1488static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1489 struct file *file,
1490 u32 av)
1491{
1da177e4 1492 struct file_security_struct *fsec = file->f_security;
44707fdf 1493 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4 1494 struct avc_audit_data ad;
275bb41e 1495 u32 sid = task_sid(tsk);
1da177e4
LT		 1496 int rc;
1497
1498 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1499 ad.u.fs.path = file->f_path;
1da177e4 1500
275bb41e
DH		 1501 if (sid != fsec->sid) {
1502 rc = avc_has_perm(sid, fsec->sid,
1da177e4
LT		 1503 SECCLASS_FD,
1504 FD__USE,
1505 &ad);
1506 if (rc)
1507 return rc;
1508 }
1509
1510 /* av is zero if only checking access to the descriptor. */
1511 if (av)
1512 return inode_has_perm(tsk, inode, av, &ad);
1513
1514 return 0;
1515}
1516
1517/* Check whether a task can create a file. */
1518static int may_create(struct inode *dir,
1519 struct dentry *dentry,
1520 u16 tclass)
1521{
275bb41e
DH		 1522 const struct cred *cred = current_cred();
1523 const struct task_security_struct *tsec = cred->security;
1da177e4
LT		 1524 struct inode_security_struct *dsec;
1525 struct superblock_security_struct *sbsec;
275bb41e 1526 u32 sid, newsid;
1da177e4
LT		 1527 struct avc_audit_data ad;
1528 int rc;
1529
1da177e4
LT		 1530 dsec = dir->i_security;
1531 sbsec = dir->i_sb->s_security;
1532
275bb41e
DH		 1533 sid = tsec->sid;
1534 newsid = tsec->create_sid;
1535
1da177e4 1536 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1537 ad.u.fs.path.dentry = dentry;
1da177e4 1538
275bb41e 1539 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1540 DIR__ADD_NAME | DIR__SEARCH,
1541 &ad);
1542 if (rc)
1543 return rc;
1544
275bb41e
DH		 1545 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1546 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1da177e4
LT		 1547 if (rc)
1548 return rc;
1549 }
1550
275bb41e 1551 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1da177e4
LT		 1552 if (rc)
1553 return rc;
1554
1555 return avc_has_perm(newsid, sbsec->sid,
1556 SECCLASS_FILESYSTEM,
1557 FILESYSTEM__ASSOCIATE, &ad);
1558}
1559
4eb582cf
ML		 1560/* Check whether a task can create a key. */
1561static int may_create_key(u32 ksid,
1562 struct task_struct *ctx)
1563{
275bb41e 1564 u32 sid = task_sid(ctx);
4eb582cf 1565
275bb41e 1566 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
4eb582cf
ML		 1567}
1568
828dfe1d
EP		 1569#define MAY_LINK 0
1570#define MAY_UNLINK 1
1571#define MAY_RMDIR 2
1da177e4
LT		 1572
1573/* Check whether a task can link, unlink, or rmdir a file/directory. */
1574static int may_link(struct inode *dir,
1575 struct dentry *dentry,
1576 int kind)
1577
1578{
1da177e4
LT		 1579 struct inode_security_struct *dsec, *isec;
1580 struct avc_audit_data ad;
275bb41e 1581 u32 sid = current_sid();
1da177e4
LT		 1582 u32 av;
1583 int rc;
1584
1da177e4
LT		 1585 dsec = dir->i_security;
1586 isec = dentry->d_inode->i_security;
1587
1588 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1589 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1590
1591 av = DIR__SEARCH;
1592 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
275bb41e 1593 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1594 if (rc)
1595 return rc;
1596
1597 switch (kind) {
1598 case MAY_LINK:
1599 av = FILE__LINK;
1600 break;
1601 case MAY_UNLINK:
1602 av = FILE__UNLINK;
1603 break;
1604 case MAY_RMDIR:
1605 av = DIR__RMDIR;
1606 break;
1607 default:
744ba35e
EP		 1608 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1609 __func__, kind);
1da177e4
LT		 1610 return 0;
1611 }
1612
275bb41e 1613 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1da177e4
LT		 1614 return rc;
1615}
1616
1617static inline int may_rename(struct inode *old_dir,
1618 struct dentry *old_dentry,
1619 struct inode *new_dir,
1620 struct dentry *new_dentry)
1621{
1da177e4
LT		 1622 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1623 struct avc_audit_data ad;
275bb41e 1624 u32 sid = current_sid();
1da177e4
LT		 1625 u32 av;
1626 int old_is_dir, new_is_dir;
1627 int rc;
1628
1da177e4
LT		 1629 old_dsec = old_dir->i_security;
1630 old_isec = old_dentry->d_inode->i_security;
1631 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1632 new_dsec = new_dir->i_security;
1633
1634 AVC_AUDIT_DATA_INIT(&ad, FS);
1635
44707fdf 1636 ad.u.fs.path.dentry = old_dentry;
275bb41e 1637 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1da177e4
LT		 1638 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1639 if (rc)
1640 return rc;
275bb41e 1641 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1642 old_isec->sclass, FILE__RENAME, &ad);
1643 if (rc)
1644 return rc;
1645 if (old_is_dir && new_dir != old_dir) {
275bb41e 1646 rc = avc_has_perm(sid, old_isec->sid,
1da177e4
LT		 1647 old_isec->sclass, DIR__REPARENT, &ad);
1648 if (rc)
1649 return rc;
1650 }
1651
44707fdf 1652 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1653 av = DIR__ADD_NAME | DIR__SEARCH;
1654 if (new_dentry->d_inode)
1655 av |= DIR__REMOVE_NAME;
275bb41e 1656 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1da177e4
LT		 1657 if (rc)
1658 return rc;
1659 if (new_dentry->d_inode) {
1660 new_isec = new_dentry->d_inode->i_security;
1661 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
275bb41e 1662 rc = avc_has_perm(sid, new_isec->sid,
1da177e4
LT		 1663 new_isec->sclass,
1664 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1665 if (rc)
1666 return rc;
1667 }
1668
1669 return 0;
1670}
1671
1672/* Check whether a task can perform a filesystem operation. */
1673static int superblock_has_perm(struct task_struct *tsk,
1674 struct super_block *sb,
1675 u32 perms,
1676 struct avc_audit_data *ad)
1677{
1da177e4 1678 struct superblock_security_struct *sbsec;
275bb41e 1679 u32 sid = task_sid(tsk);
1da177e4 1680
1da177e4 1681 sbsec = sb->s_security;
275bb41e 1682 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1da177e4
LT		 1683}
1684
1685/* Convert a Linux mode and permission mask to an access vector. */
1686static inline u32 file_mask_to_av(int mode, int mask)
1687{
1688 u32 av = 0;
1689
1690 if ((mode & S_IFMT) != S_IFDIR) {
1691 if (mask & MAY_EXEC)
1692 av |= FILE__EXECUTE;
1693 if (mask & MAY_READ)
1694 av |= FILE__READ;
1695
1696 if (mask & MAY_APPEND)
1697 av |= FILE__APPEND;
1698 else if (mask & MAY_WRITE)
1699 av |= FILE__WRITE;
1700
1701 } else {
1702 if (mask & MAY_EXEC)
1703 av |= DIR__SEARCH;
1704 if (mask & MAY_WRITE)
1705 av |= DIR__WRITE;
1706 if (mask & MAY_READ)
1707 av |= DIR__READ;
1708 }
1709
1710 return av;
1711}
1712
8b6a5a37
EP		 1713/* Convert a Linux file to an access vector. */
1714static inline u32 file_to_av(struct file *file)
1715{
1716 u32 av = 0;
1717
1718 if (file->f_mode & FMODE_READ)
1719 av |= FILE__READ;
1720 if (file->f_mode & FMODE_WRITE) {
1721 if (file->f_flags & O_APPEND)
1722 av |= FILE__APPEND;
1723 else
1724 av |= FILE__WRITE;
1725 }
1726 if (!av) {
1727 /*
1728 * Special file opened with flags 3 for ioctl-only use.
1729 */
1730 av = FILE__IOCTL;
1731 }
1732
1733 return av;
1734}
1735
b0c636b9 1736/*
8b6a5a37 1737 * Convert a file to an access vector and include the correct open
b0c636b9
EP		 1738 * open permission.
1739 */
8b6a5a37 1740static inline u32 open_file_to_av(struct file *file)
b0c636b9 1741{
8b6a5a37 1742 u32 av = file_to_av(file);
b0c636b9
EP		 1743
1744 if (selinux_policycap_openperm) {
8b6a5a37 1745 mode_t mode = file->f_path.dentry->d_inode->i_mode;
b0c636b9
EP		 1746 /*
1747 * lnk files and socks do not really have an 'open'
1748 */
1749 if (S_ISREG(mode))
1750 av |= FILE__OPEN;
1751 else if (S_ISCHR(mode))
1752 av |= CHR_FILE__OPEN;
1753 else if (S_ISBLK(mode))
1754 av |= BLK_FILE__OPEN;
1755 else if (S_ISFIFO(mode))
1756 av |= FIFO_FILE__OPEN;
1757 else if (S_ISDIR(mode))
1758 av |= DIR__OPEN;
1759 else
744ba35e 1760 printk(KERN_ERR "SELinux: WARNING: inside %s with "
8b6a5a37 1761 "unknown mode:%o\n", __func__, mode);
b0c636b9
EP		 1762 }
1763 return av;
1764}
1765
1da177e4
LT		 1766/* Hook functions begin here. */
1767
5cd9c58f
DH		 1768static int selinux_ptrace_may_access(struct task_struct *child,
1769 unsigned int mode)
1da177e4 1770{
1da177e4
LT		 1771 int rc;
1772
5cd9c58f 1773 rc = secondary_ops->ptrace_may_access(child, mode);
1da177e4
LT		 1774 if (rc)
1775 return rc;
1776
006ebb40 1777 if (mode == PTRACE_MODE_READ) {
275bb41e
DH		 1778 u32 sid = current_sid();
1779 u32 csid = task_sid(child);
1780 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
006ebb40
SS		 1781 }
1782
5cd9c58f
DH		 1783 return task_has_perm(current, child, PROCESS__PTRACE);
1784}
1785
1786static int selinux_ptrace_traceme(struct task_struct *parent)
1787{
1788 int rc;
1789
1790 rc = secondary_ops->ptrace_traceme(parent);
1791 if (rc)
1792 return rc;
1793
1794 return task_has_perm(parent, current, PROCESS__PTRACE);
1da177e4
LT		 1795}
1796
1797static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1798 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1799{
1800 int error;
1801
1802 error = task_has_perm(current, target, PROCESS__GETCAP);
1803 if (error)
1804 return error;
1805
1806 return secondary_ops->capget(target, effective, inheritable, permitted);
1807}
1808
15a2460e
DH		 1809static int selinux_capset_check(const kernel_cap_t *effective,
1810 const kernel_cap_t *inheritable,
1811 const kernel_cap_t *permitted)
1da177e4
LT		 1812{
1813 int error;
1814
1cdcbec1 1815 error = secondary_ops->capset_check(effective, inheritable, permitted);
1da177e4
LT		 1816 if (error)
1817 return error;
1818
1cdcbec1 1819 return task_has_perm(current, current, PROCESS__SETCAP);
1da177e4
LT		 1820}
1821
15a2460e
DH		 1822static void selinux_capset_set(const kernel_cap_t *effective,
1823 const kernel_cap_t *inheritable,
1824 const kernel_cap_t *permitted)
1da177e4 1825{
1cdcbec1 1826 secondary_ops->capset_set(effective, inheritable, permitted);
1da177e4
LT		 1827}
1828
06112163 1829static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1da177e4
LT		 1830{
1831 int rc;
1832
06112163 1833 rc = secondary_ops->capable(tsk, cap, audit);
1da177e4
LT		 1834 if (rc)
1835 return rc;
1836
06112163 1837 return task_has_capability(tsk, cap, audit);
1da177e4
LT		 1838}
1839
3fbfa981
EB		 1840static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1841{
1842 int buflen, rc;
1843 char *buffer, *path, *end;
1844
1845 rc = -ENOMEM;
828dfe1d 1846 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1847 if (!buffer)
1848 goto out;
1849
1850 buflen = PAGE_SIZE;
1851 end = buffer+buflen;
1852 *--end = '\0';
1853 buflen--;
1854 path = end-1;
1855 *path = '/';
1856 while (table) {
1857 const char *name = table->procname;
1858 size_t namelen = strlen(name);
1859 buflen -= namelen + 1;
1860 if (buflen < 0)
1861 goto out_free;
1862 end -= namelen;
1863 memcpy(end, name, namelen);
1864 *--end = '/';
1865 path = end;
1866 table = table->parent;
1867 }
b599fdfd
EB		 1868 buflen -= 4;
1869 if (buflen < 0)
1870 goto out_free;
1871 end -= 4;
1872 memcpy(end, "/sys", 4);
1873 path = end;
3fbfa981
EB		 1874 rc = security_genfs_sid("proc", path, tclass, sid);
1875out_free:
1876 free_page((unsigned long)buffer);
1877out:
1878 return rc;
1879}
1880
1da177e4
LT		 1881static int selinux_sysctl(ctl_table *table, int op)
1882{
1883 int error = 0;
1884 u32 av;
275bb41e 1885 u32 tsid, sid;
1da177e4
LT		 1886 int rc;
1887
1888 rc = secondary_ops->sysctl(table, op);
1889 if (rc)
1890 return rc;
1891
275bb41e 1892 sid = current_sid();
1da177e4 1893
3fbfa981
EB		 1894 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1895 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1896 if (rc) {
1897 /* Default to the well-defined sysctl SID. */
1898 tsid = SECINITSID_SYSCTL;
1899 }
1900
1901 /* The op values are "defined" in sysctl.c, thereby creating
1902 * a bad coupling between this module and sysctl.c */
828dfe1d 1903 if (op == 001) {
275bb41e 1904 error = avc_has_perm(sid, tsid,
1da177e4
LT		 1905 SECCLASS_DIR, DIR__SEARCH, NULL);
1906 } else {
1907 av = 0;
1908 if (op & 004)
1909 av |= FILE__READ;
1910 if (op & 002)
1911 av |= FILE__WRITE;
1912 if (av)
275bb41e 1913 error = avc_has_perm(sid, tsid,
1da177e4 1914 SECCLASS_FILE, av, NULL);
828dfe1d 1915 }
1da177e4
LT		 1916
1917 return error;
1918}
1919
1920static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1921{
1922 int rc = 0;
1923
1924 if (!sb)
1925 return 0;
1926
1927 switch (cmds) {
828dfe1d
EP		 1928 case Q_SYNC:
1929 case Q_QUOTAON:
1930 case Q_QUOTAOFF:
1931 case Q_SETINFO:
1932 case Q_SETQUOTA:
1933 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1934 NULL);
1935 break;
1936 case Q_GETFMT:
1937 case Q_GETINFO:
1938 case Q_GETQUOTA:
1939 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1940 NULL);
1941 break;
1942 default:
1943 rc = 0; /* let the kernel handle invalid cmds */
1944 break;
1da177e4
LT		 1945 }
1946 return rc;
1947}
1948
1949static int selinux_quota_on(struct dentry *dentry)
1950{
1951 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1952}
1953
1954static int selinux_syslog(int type)
1955{
1956 int rc;
1957
1958 rc = secondary_ops->syslog(type);
1959 if (rc)
1960 return rc;
1961
1962 switch (type) {
828dfe1d
EP		 1963 case 3: /* Read last kernel messages */
1964 case 10: /* Return size of the log buffer */
1965 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1966 break;
1967 case 6: /* Disable logging to console */
1968 case 7: /* Enable logging to console */
1969 case 8: /* Set level of messages printed to console */
1970 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1971 break;
1972 case 0: /* Close log */
1973 case 1: /* Open log */
1974 case 2: /* Read from log */
1975 case 4: /* Read/clear last kernel messages */
1976 case 5: /* Clear ring buffer */
1977 default:
1978 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1979 break;
1da177e4
LT		 1980 }
1981 return rc;
1982}
1983
1984/*
1985 * Check that a process has enough memory to allocate a new virtual
1986 * mapping. 0 means there is enough memory for the allocation to
1987 * succeed and -ENOMEM implies there is not.
1988 *
1989 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1990 * if the capability is granted, but __vm_enough_memory requires 1 if
1991 * the capability is granted.
1992 *
1993 * Do not audit the selinux permission check, as this is applied to all
1994 * processes that allocate mappings.
1995 */
34b4e4aa 1996static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1997{
1998 int rc, cap_sys_admin = 0;
1da177e4 1999
06674679 2000 rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
1da177e4
LT		 2001 if (rc == 0)
2002 cap_sys_admin = 1;
2003
34b4e4aa 2004 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 2005}
2006
2007/* binprm security operations */
2008
2009static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2010{
2011 struct bprm_security_struct *bsec;
2012
89d155ef 2013 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 2014 if (!bsec)
2015 return -ENOMEM;
2016
1da177e4
LT		 2017 bsec->sid = SECINITSID_UNLABELED;
2018 bsec->set = 0;
2019
2020 bprm->security = bsec;
2021 return 0;
2022}
2023
2024static int selinux_bprm_set_security(struct linux_binprm *bprm)
2025{
2026 struct task_security_struct *tsec;
3d5ff529 2027 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 2028 struct inode_security_struct *isec;
2029 struct bprm_security_struct *bsec;
2030 u32 newsid;
2031 struct avc_audit_data ad;
2032 int rc;
2033
2034 rc = secondary_ops->bprm_set_security(bprm);
2035 if (rc)
2036 return rc;
2037
2038 bsec = bprm->security;
2039
2040 if (bsec->set)
2041 return 0;
2042
275bb41e 2043 tsec = current_security();
1da177e4
LT		 2044 isec = inode->i_security;
2045
2046 /* Default to the current task SID. */
2047 bsec->sid = tsec->sid;
2048
28eba5bf 2049 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 2050 tsec->create_sid = 0;
28eba5bf 2051 tsec->keycreate_sid = 0;
42c3e03e 2052 tsec->sockcreate_sid = 0;
1da177e4
LT		 2053
2054 if (tsec->exec_sid) {
2055 newsid = tsec->exec_sid;
2056 /* Reset exec SID on execve. */
2057 tsec->exec_sid = 0;
2058 } else {
2059 /* Check for a default transition on this program. */
2060 rc = security_transition_sid(tsec->sid, isec->sid,
828dfe1d 2061 SECCLASS_PROCESS, &newsid);
1da177e4
LT		 2062 if (rc)
2063 return rc;
2064 }
2065
2066 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2067 ad.u.fs.path = bprm->file->f_path;
1da177e4 2068
3d5ff529 2069 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 2070 newsid = tsec->sid;
2071
828dfe1d 2072 if (tsec->sid == newsid) {
1da177e4
LT		 2073 rc = avc_has_perm(tsec->sid, isec->sid,
2074 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2075 if (rc)
2076 return rc;
2077 } else {
2078 /* Check permissions for the transition. */
2079 rc = avc_has_perm(tsec->sid, newsid,
2080 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2081 if (rc)
2082 return rc;
2083
2084 rc = avc_has_perm(newsid, isec->sid,
2085 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2086 if (rc)
2087 return rc;
2088
2089 /* Clear any possibly unsafe personality bits on exec: */
2090 current->personality &= ~PER_CLEAR_ON_SETID;
2091
2092 /* Set the security field to the new SID. */
2093 bsec->sid = newsid;
2094 }
2095
2096 bsec->set = 1;
2097 return 0;
2098}
2099
828dfe1d 2100static int selinux_bprm_check_security(struct linux_binprm *bprm)
1da177e4
LT		 2101{
2102 return secondary_ops->bprm_check_security(bprm);
2103}
2104
2105
828dfe1d 2106static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4 2107{
275bb41e
DH		 2108 const struct cred *cred = current_cred();
2109 const struct task_security_struct *tsec = cred->security;
2110 u32 sid, osid;
1da177e4
LT		 2111 int atsecure = 0;
2112
275bb41e
DH		 2113 sid = tsec->sid;
2114 osid = tsec->osid;
2115
2116 if (osid != sid) {
1da177e4
LT		 2117 /* Enable secure mode for SIDs transitions unless
2118 the noatsecure permission is granted between
2119 the two SIDs, i.e. ahp returns 0. */
275bb41e 2120 atsecure = avc_has_perm(osid, sid,
1da177e4
LT		 2121 SECCLASS_PROCESS,
2122 PROCESS__NOATSECURE, NULL);
2123 }
2124
2125 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2126}
2127
2128static void selinux_bprm_free_security(struct linux_binprm *bprm)
2129{
9a5f04bf 2130 kfree(bprm->security);
1da177e4 2131 bprm->security = NULL;
1da177e4
LT		 2132}
2133
2134extern struct vfsmount *selinuxfs_mount;
2135extern struct dentry *selinux_null;
2136
2137/* Derived from fs/exec.c:flush_old_files. */
828dfe1d 2138static inline void flush_unauthorized_files(struct files_struct *files)
1da177e4
LT		 2139{
2140 struct avc_audit_data ad;
2141 struct file *file, *devnull = NULL;
b20c8122 2142 struct tty_struct *tty;
badf1662 2143 struct fdtable *fdt;
1da177e4 2144 long j = -1;
24ec839c 2145 int drop_tty = 0;
1da177e4 2146
24ec839c 2147 tty = get_current_tty();
1da177e4
LT		 2148 if (tty) {
2149 file_list_lock();
37dd0bd0
EP		 2150 if (!list_empty(&tty->tty_files)) {
2151 struct inode *inode;
2152
1da177e4
LT		 2153 /* Revalidate access to controlling tty.
2154 Use inode_has_perm on the tty inode directly rather
2155 than using file_has_perm, as this particular open
2156 file may belong to another process and we are only
2157 interested in the inode-based check here. */
37dd0bd0
EP		 2158 file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2159 inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2160 if (inode_has_perm(current, inode,
2161 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2162 drop_tty = 1;
1da177e4
LT		 2163 }
2164 }
2165 file_list_unlock();
452a00d2 2166 tty_kref_put(tty);
1da177e4 2167 }
98a27ba4
EB		 2168 /* Reset controlling tty. */
2169 if (drop_tty)
2170 no_tty();
1da177e4
LT		 2171
2172 /* Revalidate access to inherited open files. */
2173
828dfe1d 2174 AVC_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2175
2176 spin_lock(&files->file_lock);
2177 for (;;) {
2178 unsigned long set, i;
2179 int fd;
2180
2181 j++;
2182 i = j * __NFDBITS;
badf1662 2183 fdt = files_fdtable(files);
bbea9f69 2184 if (i >= fdt->max_fds)
1da177e4 2185 break;
badf1662 2186 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2187 if (!set)
2188 continue;
2189 spin_unlock(&files->file_lock);
828dfe1d 2190 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2191 if (set & 1) {
2192 file = fget(i);
2193 if (!file)
2194 continue;
2195 if (file_has_perm(current,
2196 file,
2197 file_to_av(file))) {
2198 sys_close(i);
2199 fd = get_unused_fd();
2200 if (fd != i) {
2201 if (fd >= 0)
2202 put_unused_fd(fd);
2203 fput(file);
2204 continue;
2205 }
2206 if (devnull) {
095975da 2207 get_file(devnull);
1da177e4
LT		 2208 } else {
2209 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2210 if (IS_ERR(devnull)) {
2211 devnull = NULL;
1da177e4
LT		 2212 put_unused_fd(fd);
2213 fput(file);
2214 continue;
2215 }
2216 }
2217 fd_install(fd, devnull);
2218 }
2219 fput(file);
2220 }
2221 }
2222 spin_lock(&files->file_lock);
2223
2224 }
2225 spin_unlock(&files->file_lock);
2226}
2227
2228static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2229{
2230 struct task_security_struct *tsec;
2231 struct bprm_security_struct *bsec;
2232 u32 sid;
2233 int rc;
2234
2235 secondary_ops->bprm_apply_creds(bprm, unsafe);
2236
275bb41e 2237 tsec = current_security();
1da177e4
LT		 2238
2239 bsec = bprm->security;
2240 sid = bsec->sid;
2241
2242 tsec->osid = tsec->sid;
2243 bsec->unsafe = 0;
2244 if (tsec->sid != sid) {
2245 /* Check for shared state. If not ok, leave SID
2246 unchanged and kill. */
2247 if (unsafe & LSM_UNSAFE_SHARE) {
2248 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2249 PROCESS__SHARE, NULL);
2250 if (rc) {
2251 bsec->unsafe = 1;
2252 return;
2253 }
2254 }
2255
2256 /* Check for ptracing, and update the task SID if ok.
2257 Otherwise, leave SID unchanged and kill. */
2258 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0356357c
RM		 2259 struct task_struct *tracer;
2260 struct task_security_struct *sec;
2261 u32 ptsid = 0;
2262
2263 rcu_read_lock();
0d094efe 2264 tracer = tracehook_tracer_task(current);
0356357c 2265 if (likely(tracer != NULL)) {
275bb41e 2266 sec = __task_cred(tracer)->security;
0356357c
RM		 2267 ptsid = sec->sid;
2268 }
2269 rcu_read_unlock();
2270
2271 if (ptsid != 0) {
2272 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2273 PROCESS__PTRACE, NULL);
2274 if (rc) {
2275 bsec->unsafe = 1;
2276 return;
2277 }
1da177e4
LT		 2278 }
2279 }
2280 tsec->sid = sid;
2281 }
2282}
2283
2284/*
2285 * called after apply_creds without the task lock held
2286 */
2287static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2288{
2289 struct task_security_struct *tsec;
2290 struct rlimit *rlim, *initrlim;
2291 struct itimerval itimer;
2292 struct bprm_security_struct *bsec;
41d9f9c5 2293 struct sighand_struct *psig;
1da177e4 2294 int rc, i;
41d9f9c5 2295 unsigned long flags;
1da177e4 2296
275bb41e 2297 tsec = current_security();
1da177e4
LT		 2298 bsec = bprm->security;
2299
2300 if (bsec->unsafe) {
2301 force_sig_specific(SIGKILL, current);
2302 return;
2303 }
2304 if (tsec->osid == tsec->sid)
2305 return;
2306
2307 /* Close files for which the new task SID is not authorized. */
2308 flush_unauthorized_files(current->files);
2309
2310 /* Check whether the new SID can inherit signal state
2311 from the old SID. If not, clear itimers to avoid
2312 subsequent signal generation and flush and unblock
2313 signals. This must occur _after_ the task SID has
2314 been updated so that any kill done after the flush
2315 will be checked against the new SID. */
2316 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2317 PROCESS__SIGINH, NULL);
2318 if (rc) {
2319 memset(&itimer, 0, sizeof itimer);
2320 for (i = 0; i < 3; i++)
2321 do_setitimer(i, &itimer, NULL);
2322 flush_signals(current);
2323 spin_lock_irq(&current->sighand->siglock);
2324 flush_signal_handlers(current, 1);
2325 sigemptyset(&current->blocked);
2326 recalc_sigpending();
2327 spin_unlock_irq(&current->sighand->siglock);
2328 }
2329
4ac212ad
SS		 2330 /* Always clear parent death signal on SID transitions. */
2331 current->pdeath_signal = 0;
2332
1da177e4
LT		 2333 /* Check whether the new SID can inherit resource limits
2334 from the old SID. If not, reset all soft limits to
2335 the lower of the current task's hard limit and the init
2336 task's soft limit. Note that the setting of hard limits
2337 (even to lower them) can be controlled by the setrlimit
2338 check. The inclusion of the init task's soft limit into
2339 the computation is to avoid resetting soft limits higher
2340 than the default soft limit for cases where the default
2341 is lower than the hard limit, e.g. RLIMIT_CORE or
2342 RLIMIT_STACK.*/
2343 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2344 PROCESS__RLIMITINH, NULL);
2345 if (rc) {
2346 for (i = 0; i < RLIM_NLIMITS; i++) {
2347 rlim = current->signal->rlim + i;
2348 initrlim = init_task.signal->rlim+i;
828dfe1d 2349 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4 2350 }
f06febc9 2351 update_rlimit_cpu(rlim->rlim_cur);
1da177e4
LT		 2352 }
2353
2354 /* Wake up the parent if it is waiting so that it can
2355 recheck wait permission to the new task SID. */
41d9f9c5
EP		 2356 read_lock_irq(&tasklist_lock);
2357 psig = current->parent->sighand;
2358 spin_lock_irqsave(&psig->siglock, flags);
1da177e4 2359 wake_up_interruptible(&current->parent->signal->wait_chldexit);
41d9f9c5
EP		 2360 spin_unlock_irqrestore(&psig->siglock, flags);
2361 read_unlock_irq(&tasklist_lock);
1da177e4
LT		 2362}
2363
2364/* superblock security operations */
2365
2366static int selinux_sb_alloc_security(struct super_block *sb)
2367{
2368 return superblock_alloc_security(sb);
2369}
2370
2371static void selinux_sb_free_security(struct super_block *sb)
2372{
2373 superblock_free_security(sb);
2374}
2375
2376static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2377{
2378 if (plen > olen)
2379 return 0;
2380
2381 return !memcmp(prefix, option, plen);
2382}
2383
2384static inline int selinux_option(char *option, int len)
2385{
832cbd9a
EP		 2386 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2387 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2388 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2389 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
1da177e4
LT		 2390}
2391
2392static inline void take_option(char **to, char *from, int *first, int len)
2393{
2394 if (!*first) {
2395 **to = ',';
2396 *to += 1;
3528a953 2397 } else
1da177e4
LT		 2398 *first = 0;
2399 memcpy(*to, from, len);
2400 *to += len;
2401}
2402
828dfe1d
EP		 2403static inline void take_selinux_option(char **to, char *from, int *first,
2404 int len)
3528a953
CO		 2405{
2406 int current_size = 0;
2407
2408 if (!*first) {
2409 **to = '|';
2410 *to += 1;
828dfe1d 2411 } else
3528a953
CO		 2412 *first = 0;
2413
2414 while (current_size < len) {
2415 if (*from != '"') {
2416 **to = *from;
2417 *to += 1;
2418 }
2419 from += 1;
2420 current_size += 1;
2421 }
2422}
2423
e0007529 2424static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2425{
2426 int fnosec, fsec, rc = 0;
2427 char *in_save, *in_curr, *in_end;
2428 char *sec_curr, *nosec_save, *nosec;
3528a953 2429 int open_quote = 0;
1da177e4
LT		 2430
2431 in_curr = orig;
2432 sec_curr = copy;
2433
1da177e4
LT		 2434 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2435 if (!nosec) {
2436 rc = -ENOMEM;
2437 goto out;
2438 }
2439
2440 nosec_save = nosec;
2441 fnosec = fsec = 1;
2442 in_save = in_end = orig;
2443
2444 do {
3528a953
CO		 2445 if (*in_end == '"')
2446 open_quote = !open_quote;
2447 if ((*in_end == ',' && open_quote == 0) ||
2448 *in_end == '\0') {
1da177e4
LT		 2449 int len = in_end - in_curr;
2450
2451 if (selinux_option(in_curr, len))
3528a953 2452 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2453 else
2454 take_option(&nosec, in_curr, &fnosec, len);
2455
2456 in_curr = in_end + 1;
2457 }
2458 } while (*in_end++);
2459
6931dfc9 2460 strcpy(in_save, nosec_save);
da3caa20 2461 free_page((unsigned long)nosec_save);
1da177e4
LT		 2462out:
2463 return rc;
2464}
2465
2466static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2467{
2468 struct avc_audit_data ad;
2469 int rc;
2470
2471 rc = superblock_doinit(sb, data);
2472 if (rc)
2473 return rc;
2474
828dfe1d 2475 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2476 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2477 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2478}
2479
726c3342 2480static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2481{
2482 struct avc_audit_data ad;
2483
828dfe1d 2484 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2485 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2486 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2487}
2488
828dfe1d 2489static int selinux_mount(char *dev_name,
b5266eb4 2490 struct path *path,
828dfe1d
EP		 2491 char *type,
2492 unsigned long flags,
2493 void *data)
1da177e4
LT		 2494{
2495 int rc;
2496
b5266eb4 2497 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
1da177e4
LT		 2498 if (rc)
2499 return rc;
2500
2501 if (flags & MS_REMOUNT)
b5266eb4 2502 return superblock_has_perm(current, path->mnt->mnt_sb,
828dfe1d 2503 FILESYSTEM__REMOUNT, NULL);
1da177e4 2504 else
b5266eb4 2505 return dentry_has_perm(current, path->mnt, path->dentry,
828dfe1d 2506 FILE__MOUNTON);
1da177e4
LT		 2507}
2508
2509static int selinux_umount(struct vfsmount *mnt, int flags)
2510{
2511 int rc;
2512
2513 rc = secondary_ops->sb_umount(mnt, flags);
2514 if (rc)
2515 return rc;
2516
828dfe1d
EP		 2517 return superblock_has_perm(current, mnt->mnt_sb,
2518 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2519}
2520
2521/* inode security operations */
2522
2523static int selinux_inode_alloc_security(struct inode *inode)
2524{
2525 return inode_alloc_security(inode);
2526}
2527
2528static void selinux_inode_free_security(struct inode *inode)
2529{
2530 inode_free_security(inode);
2531}
2532
5e41ff9e
SS		 2533static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2534 char **name, void **value,
2535 size_t *len)
2536{
275bb41e
DH		 2537 const struct cred *cred = current_cred();
2538 const struct task_security_struct *tsec = cred->security;
5e41ff9e
SS		 2539 struct inode_security_struct *dsec;
2540 struct superblock_security_struct *sbsec;
275bb41e 2541 u32 sid, newsid, clen;
5e41ff9e 2542 int rc;
570bc1c2 2543 char *namep = NULL, *context;
5e41ff9e 2544
5e41ff9e
SS		 2545 dsec = dir->i_security;
2546 sbsec = dir->i_sb->s_security;
5e41ff9e 2547
275bb41e
DH		 2548 sid = tsec->sid;
2549 newsid = tsec->create_sid;
2550
2551 if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2552 rc = security_transition_sid(sid, dsec->sid,
5e41ff9e
SS		 2553 inode_mode_to_security_class(inode->i_mode),
2554 &newsid);
2555 if (rc) {
2556 printk(KERN_WARNING "%s: "
2557 "security_transition_sid failed, rc=%d (dev=%s "
2558 "ino=%ld)\n",
dd6f953a 2559 __func__,
5e41ff9e
SS		 2560 -rc, inode->i_sb->s_id, inode->i_ino);
2561 return rc;
2562 }
2563 }
2564
296fddf7
EP		 2565 /* Possibly defer initialization to selinux_complete_init. */
2566 if (sbsec->initialized) {
2567 struct inode_security_struct *isec = inode->i_security;
2568 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2569 isec->sid = newsid;
2570 isec->initialized = 1;
2571 }
5e41ff9e 2572
8aad3875 2573 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2574 return -EOPNOTSUPP;
2575
570bc1c2 2576 if (name) {
a02fe132 2577 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2578 if (!namep)
2579 return -ENOMEM;
2580 *name = namep;
2581 }
5e41ff9e 2582
570bc1c2 2583 if (value && len) {
12b29f34 2584 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2585 if (rc) {
2586 kfree(namep);
2587 return rc;
2588 }
2589 *value = context;
2590 *len = clen;
5e41ff9e 2591 }
5e41ff9e 2592
5e41ff9e
SS		 2593 return 0;
2594}
2595
1da177e4
LT		 2596static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2597{
2598 return may_create(dir, dentry, SECCLASS_FILE);
2599}
2600
1da177e4
LT		 2601static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2602{
2603 int rc;
2604
828dfe1d 2605 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
1da177e4
LT		 2606 if (rc)
2607 return rc;
2608 return may_link(dir, old_dentry, MAY_LINK);
2609}
2610
1da177e4
LT		 2611static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2612{
2613 int rc;
2614
2615 rc = secondary_ops->inode_unlink(dir, dentry);
2616 if (rc)
2617 return rc;
2618 return may_link(dir, dentry, MAY_UNLINK);
2619}
2620
2621static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2622{
2623 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2624}
2625
1da177e4
LT		 2626static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2627{
2628 return may_create(dir, dentry, SECCLASS_DIR);
2629}
2630
1da177e4
LT		 2631static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2632{
2633 return may_link(dir, dentry, MAY_RMDIR);
2634}
2635
2636static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2637{
2638 int rc;
2639
2640 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2641 if (rc)
2642 return rc;
2643
2644 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2645}
2646
1da177e4 2647static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2648 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2649{
2650 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2651}
2652
1da177e4
LT		 2653static int selinux_inode_readlink(struct dentry *dentry)
2654{
2655 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2656}
2657
2658static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2659{
2660 int rc;
2661
828dfe1d 2662 rc = secondary_ops->inode_follow_link(dentry, nameidata);
1da177e4
LT		 2663 if (rc)
2664 return rc;
2665 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2666}
2667
b77b0646 2668static int selinux_inode_permission(struct inode *inode, int mask)
1da177e4
LT		 2669{
2670 int rc;
2671
b77b0646 2672 rc = secondary_ops->inode_permission(inode, mask);
1da177e4
LT		 2673 if (rc)
2674 return rc;
2675
2676 if (!mask) {
2677 /* No permission to check. Existence test. */
2678 return 0;
2679 }
2680
2681 return inode_has_perm(current, inode,
8b6a5a37 2682 file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2683}
2684
2685static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2686{
2687 int rc;
2688
2689 rc = secondary_ops->inode_setattr(dentry, iattr);
2690 if (rc)
2691 return rc;
2692
2693 if (iattr->ia_valid & ATTR_FORCE)
2694 return 0;
2695
2696 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2697 ATTR_ATIME_SET | ATTR_MTIME_SET))
2698 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2699
2700 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2701}
2702
2703static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2704{
2705 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2706}
2707
8f0cfa52 2708static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771
SH		 2709{
2710 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2711 sizeof XATTR_SECURITY_PREFIX - 1)) {
2712 if (!strcmp(name, XATTR_NAME_CAPS)) {
2713 if (!capable(CAP_SETFCAP))
2714 return -EPERM;
2715 } else if (!capable(CAP_SYS_ADMIN)) {
2716 /* A different attribute in the security namespace.
2717 Restrict to administrator. */
2718 return -EPERM;
2719 }
2720 }
2721
2722 /* Not an attribute we recognize, so just check the
2723 ordinary setattr permission. */
2724 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2725}
2726
8f0cfa52
DH		 2727static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2728 const void *value, size_t size, int flags)
1da177e4 2729{
1da177e4
LT		 2730 struct inode *inode = dentry->d_inode;
2731 struct inode_security_struct *isec = inode->i_security;
2732 struct superblock_security_struct *sbsec;
2733 struct avc_audit_data ad;
275bb41e 2734 u32 newsid, sid = current_sid();
1da177e4
LT		 2735 int rc = 0;
2736
b5376771
SH		 2737 if (strcmp(name, XATTR_NAME_SELINUX))
2738 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2739
2740 sbsec = inode->i_sb->s_security;
2741 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2742 return -EOPNOTSUPP;
2743
3bd858ab 2744 if (!is_owner_or_cap(inode))
1da177e4
LT		 2745 return -EPERM;
2746
828dfe1d 2747 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2748 ad.u.fs.path.dentry = dentry;
1da177e4 2749
275bb41e 2750 rc = avc_has_perm(sid, isec->sid, isec->sclass,
1da177e4
LT		 2751 FILE__RELABELFROM, &ad);
2752 if (rc)
2753 return rc;
2754
2755 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2756 if (rc == -EINVAL) {
2757 if (!capable(CAP_MAC_ADMIN))
2758 return rc;
2759 rc = security_context_to_sid_force(value, size, &newsid);
2760 }
1da177e4
LT		 2761 if (rc)
2762 return rc;
2763
275bb41e 2764 rc = avc_has_perm(sid, newsid, isec->sclass,
1da177e4
LT		 2765 FILE__RELABELTO, &ad);
2766 if (rc)
2767 return rc;
2768
275bb41e 2769 rc = security_validate_transition(isec->sid, newsid, sid,
828dfe1d 2770 isec->sclass);
1da177e4
LT		 2771 if (rc)
2772 return rc;
2773
2774 return avc_has_perm(newsid,
2775 sbsec->sid,
2776 SECCLASS_FILESYSTEM,
2777 FILESYSTEM__ASSOCIATE,
2778 &ad);
2779}
2780
8f0cfa52 2781static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2782 const void *value, size_t size,
8f0cfa52 2783 int flags)
1da177e4
LT		 2784{
2785 struct inode *inode = dentry->d_inode;
2786 struct inode_security_struct *isec = inode->i_security;
2787 u32 newsid;
2788 int rc;
2789
2790 if (strcmp(name, XATTR_NAME_SELINUX)) {
2791 /* Not an attribute we recognize, so nothing to do. */
2792 return;
2793 }
2794
12b29f34 2795 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2796 if (rc) {
12b29f34
SS		 2797 printk(KERN_ERR "SELinux: unable to map context to SID"
2798 "for (%s, %lu), rc=%d\n",
2799 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2800 return;
2801 }
2802
2803 isec->sid = newsid;
2804 return;
2805}
2806
8f0cfa52 2807static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2808{
1da177e4
LT		 2809 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2810}
2811
828dfe1d 2812static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4
LT		 2813{
2814 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2815}
2816
8f0cfa52 2817static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2818{
b5376771
SH		 2819 if (strcmp(name, XATTR_NAME_SELINUX))
2820 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2821
2822 /* No one is allowed to remove a SELinux security label.
2823 You can change the label, but all data must be labeled. */
2824 return -EACCES;
2825}
2826
d381d8a9 2827/*
abc69bb6 2828 * Copy the inode security context value to the user.
d381d8a9
JM		 2829 *
2830 * Permission check is handled by selinux_inode_getxattr hook.
2831 */
42492594 2832static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2833{
42492594
DQ		 2834 u32 size;
2835 int error;
2836 char *context = NULL;
1da177e4 2837 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2838
8c8570fb
DK		 2839 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2840 return -EOPNOTSUPP;
d381d8a9 2841
abc69bb6
SS		 2842 /*
2843 * If the caller has CAP_MAC_ADMIN, then get the raw context
2844 * value even if it is not defined by current policy; otherwise,
2845 * use the in-core value under current policy.
2846 * Use the non-auditing forms of the permission checks since
2847 * getxattr may be called by unprivileged processes commonly
2848 * and lack of permission just means that we fall back to the
2849 * in-core context value, not a denial.
2850 */
06674679 2851 error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
abc69bb6
SS		 2852 if (!error)
2853 error = security_sid_to_context_force(isec->sid, &context,
2854 &size);
2855 else
2856 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2857 if (error)
2858 return error;
2859 error = size;
2860 if (alloc) {
2861 *buffer = context;
2862 goto out_nofree;
2863 }
2864 kfree(context);
2865out_nofree:
2866 return error;
1da177e4
LT		 2867}
2868
2869static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2870 const void *value, size_t size, int flags)
1da177e4
LT		 2871{
2872 struct inode_security_struct *isec = inode->i_security;
2873 u32 newsid;
2874 int rc;
2875
2876 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2877 return -EOPNOTSUPP;
2878
2879 if (!value || !size)
2880 return -EACCES;
2881
828dfe1d 2882 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2883 if (rc)
2884 return rc;
2885
2886 isec->sid = newsid;
2887 return 0;
2888}
2889
2890static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2891{
2892 const int len = sizeof(XATTR_NAME_SELINUX);
2893 if (buffer && len <= buffer_size)
2894 memcpy(buffer, XATTR_NAME_SELINUX, len);
2895 return len;
2896}
2897
b5376771
SH		 2898static int selinux_inode_need_killpriv(struct dentry *dentry)
2899{
2900 return secondary_ops->inode_need_killpriv(dentry);
2901}
2902
2903static int selinux_inode_killpriv(struct dentry *dentry)
2904{
2905 return secondary_ops->inode_killpriv(dentry);
2906}
2907
713a04ae
AD		 2908static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2909{
2910 struct inode_security_struct *isec = inode->i_security;
2911 *secid = isec->sid;
2912}
2913
1da177e4
LT		 2914/* file security operations */
2915
788e7dd4 2916static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2917{
7420ed23 2918 int rc;
3d5ff529 2919 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2920
2921 if (!mask) {
2922 /* No permission to check. Existence test. */
2923 return 0;
2924 }
2925
2926 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2927 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2928 mask |= MAY_APPEND;
2929
7420ed23
VY		 2930 rc = file_has_perm(current, file,
2931 file_mask_to_av(inode->i_mode, mask));
2932 if (rc)
2933 return rc;
2934
2935 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2936}
2937
788e7dd4
YN		 2938static int selinux_file_permission(struct file *file, int mask)
2939{
2940 struct inode *inode = file->f_path.dentry->d_inode;
788e7dd4
YN		 2941 struct file_security_struct *fsec = file->f_security;
2942 struct inode_security_struct *isec = inode->i_security;
275bb41e 2943 u32 sid = current_sid();
788e7dd4
YN		 2944
2945 if (!mask) {
2946 /* No permission to check. Existence test. */
2947 return 0;
2948 }
2949
275bb41e 2950 if (sid == fsec->sid && fsec->isid == isec->sid
788e7dd4
YN		 2951 && fsec->pseqno == avc_policy_seqno())
2952 return selinux_netlbl_inode_permission(inode, mask);
2953
2954 return selinux_revalidate_file_permission(file, mask);
2955}
2956
1da177e4
LT		 2957static int selinux_file_alloc_security(struct file *file)
2958{
2959 return file_alloc_security(file);
2960}
2961
2962static void selinux_file_free_security(struct file *file)
2963{
2964 file_free_security(file);
2965}
2966
2967static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2968 unsigned long arg)
2969{
242631c4 2970 u32 av = 0;
1da177e4 2971
242631c4
SS		 2972 if (_IOC_DIR(cmd) & _IOC_WRITE)
2973 av |= FILE__WRITE;
2974 if (_IOC_DIR(cmd) & _IOC_READ)
2975 av |= FILE__READ;
2976 if (!av)
2977 av = FILE__IOCTL;
1da177e4 2978
242631c4 2979 return file_has_perm(current, file, av);
1da177e4
LT		 2980}
2981
2982static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2983{
2984#ifndef CONFIG_PPC32
2985 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2986 /*
2987 * We are making executable an anonymous mapping or a
2988 * private file mapping that will also be writable.
2989 * This has an additional check.
2990 */
2991 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2992 if (rc)
2993 return rc;
2994 }
2995#endif
2996
2997 if (file) {
2998 /* read access is always possible with a mapping */
2999 u32 av = FILE__READ;
3000
3001 /* write access only matters if the mapping is shared */
3002 if (shared && (prot & PROT_WRITE))
3003 av |= FILE__WRITE;
3004
3005 if (prot & PROT_EXEC)
3006 av |= FILE__EXECUTE;
3007
3008 return file_has_perm(current, file, av);
3009 }
3010 return 0;
3011}
3012
3013static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 3014 unsigned long prot, unsigned long flags,
3015 unsigned long addr, unsigned long addr_only)
1da177e4 3016{
ed032189 3017 int rc = 0;
275bb41e 3018 u32 sid = current_sid();
1da177e4 3019
ed032189
EP		 3020 if (addr < mmap_min_addr)
3021 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3022 MEMPROTECT__MMAP_ZERO, NULL);
3023 if (rc || addr_only)
1da177e4
LT		 3024 return rc;
3025
3026 if (selinux_checkreqprot)
3027 prot = reqprot;
3028
3029 return file_map_prot_check(file, prot,
3030 (flags & MAP_TYPE) == MAP_SHARED);
3031}
3032
3033static int selinux_file_mprotect(struct vm_area_struct *vma,
3034 unsigned long reqprot,
3035 unsigned long prot)
3036{
3037 int rc;
3038
3039 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3040 if (rc)
3041 return rc;
3042
3043 if (selinux_checkreqprot)
3044 prot = reqprot;
3045
3046#ifndef CONFIG_PPC32
db4c9641
SS		 3047 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3048 rc = 0;
3049 if (vma->vm_start >= vma->vm_mm->start_brk &&
3050 vma->vm_end <= vma->vm_mm->brk) {
3051 rc = task_has_perm(current, current,
3052 PROCESS__EXECHEAP);
3053 } else if (!vma->vm_file &&
3054 vma->vm_start <= vma->vm_mm->start_stack &&
3055 vma->vm_end >= vma->vm_mm->start_stack) {
3056 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3057 } else if (vma->vm_file && vma->anon_vma) {
3058 /*
3059 * We are making executable a file mapping that has
3060 * had some COW done. Since pages might have been
3061 * written, check ability to execute the possibly
3062 * modified content. This typically should only
3063 * occur for text relocations.
3064 */
3065 rc = file_has_perm(current, vma->vm_file,
3066 FILE__EXECMOD);
3067 }